SAML

CloudShark supports authenticating against a SAML 2.0 identity provider. This identity provider may be a server in your own network or it may be an external SAML service such as OneLogin, PingOne or others.

Enabling and Configuring Single Sign-On

Single Sign-On is enabled on the Authentication page of the Administration menu. After enabling External Authentication with Single Sign-On, the Single Sign-On configuration becomes available:

CloudShark supports the HTTP Redirect SAML 2.0 Binding. The Identity Provider URL should be configured as the URL the Identity Provider will use to authenticate a user. CloudShark will redirect the user's browser to this URL to authenticate the user against your IdP (Identity Provider). After the user has authenticated against the IdP, the IdP will redirect the user's browser back to CloudShark with an authenticated session.

CloudShark must be able to validate the SAML Response provided by the IdP. The SAML Response will be signed by a certificate on the IdP, and CloudShark requires the certificate's fingerprint to validate the SAML Response. If you have the public certificate of the IdP, you can upload it using the Browse button and CloudShark will determine the SHA1 fingerprint.

If you only have the fingerprint of the IdP certificate, or wish to use a SHA256 fingerprint instead of SHA1, you can enter this value manually.
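As an added illustration of the fingerprint check described above (example code, not CloudShark's own implementation), the following derives the SHA1 or SHA256 fingerprint from an IdP certificate and compares it, ignoring colons and letter case, against the certificate carried inside a SAML Response. The certificate bytes and the Response are constructed stand-ins, not real IdP material.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the DER body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated, upper-case hex digest of the certificate's DER bytes."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm: " + algorithm)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Manually entered fingerprints may use colons, spaces or either case."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def signing_cert_matches(response_xml: str, configured_fp: str,
                         algorithm: str = "sha1") -> bool:
    """Fingerprint the ds:X509Certificate in the Response and compare it
    with the configured (pinned) fingerprint. Missing certificate -> False."""
    root = ET.fromstring(response_xml)
    node = root.find(".//ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        return False
    der = base64.b64decode("".join(node.text.split()))
    return normalize(fingerprint(der, algorithm)) == normalize(configured_fp)


# Constructed stand-in for the IdP certificate's DER bytes (not a real
# certificate; a fingerprint is just a hash of the DER encoding).
FAKE_DER = b"constructed-idp-certificate-bytes"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
IDP_PEM = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n"
# Constructed, minimal SAML Response skeleton carrying that certificate.
SAML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>' + FAKE_B64 +
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '</samlp:Response>'
)
```

A matching fingerprint only establishes that the Response carries the expected IdP certificate; the XML signature over the Response must still be verified with that certificate's key for the Response to be trusted.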

The SSO Homepage is an optional configuration item that will redirect the user to a specific URL after logging out. If this is not specified then after logging out the user will be returned to the CloudShark login page. A typical configuration might be to redirect the user to the Single Sign-On Dashboard page provided by the IdP.

User Attributes

In addition to authenticating the user, the IdP might return SAML attributes which can be mapped to CloudShark-specific attributes for a user. The CloudShark user attributes that can be configured by the IdP are:

  • Unique ID
  • First Name
  • Last Name
  • Groups

The Unique ID will become the user's login, and the First and Last Names will be combined to create a Full Name for the user. Groups will become a list of the external groups the user is in. Please see the groups article for more information on external groups.

User attributes configured using SAML are only updated when a user logs into CloudShark using Single Sign-On. For example, if a user has logged into CloudShark and is removed from a group with administrative rights before logging out, the user will retain admin privileges on CloudShark until they have logged out. The user will be removed from the group the next time they log in.