ZCSPM
Configuring SAML for SSO
You can configure ZCSPM as the service provider (SP) and use Security Assertion Markup Language (SAML) Single Sign-On (SSO) for authenticating and provisioning users. To learn more about SAML, see About SAML.
Configuring SAML
To configure SAML-based SSO with ZCSPM:
- 1. Download Metadata from the ZCSPM Admin Portal
- Go to Configurations > Identity Providers.
- Click Add IdP Configuration.
- Click Download XML Metadata.
The XML metadata contains the following information, which you need to submit to your IdP:
- Name Identifier Format: ZCSPM only supports email address as the Name ID format.
- Entity ID: A unique identifier for a SAML entity.
- Assertion Consumer Service (ACS) URL: ZCSPM destination URL where the SAML response must be sent to by the IdP.
- 2. Configure the IdP for SAML
Follow the relevant configuration guides to configure ZCSPM as an SP for your IdP:
- Okta
- Log in to Okta with admin privileges.
- From the left-pane menu, click Applications.
- Click Create App Integration.
- Select SAML 2.0, then click Next.
- In the General Settings tab, enter your App name and click Next.
- Enter the ACS URL from the downloaded metadata at the Single sign on URL.
- Enter the Entity ID from the downloaded metadata at the Audience URI.
- From the Name ID format drop-down menu, select EmailAddress.
- Under Attribute Statements, add attributes with the following Attribute Values:
- user.firstName
- user.lastName
- Click Next.
- Select I'm an Okta customer adding an internal app, then click Finish.
- In the Sign On tab, click View Setup Instructions. You can view the following information, which you need to submit to ZCSPM:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- PingOne
- Log in to PingOne with admin privileges.
- Go to Connections > Applications.
- Click Add Application, then select WEB APP.
- Choose SAML as your connection type.
- Enter the Application Name, then click Next.
- Click Import Metadata, then upload the XML metadata you downloaded from the ZCSPM Admin Portal.
- Enter the Assertion Validation Duration, then click Save and Continue.
- From the PingOne User Attribute drop-down menu, select Family Name.
- Click Save and Close.
- Select your application, then click the Configuration tab.
- Download the Metadata. The metadata contains the following information, which you need to submit to ZCSPM:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- OneLogin
- Log in to OneLogin with admin privileges.
- Click Applications, then click Add App.
- Search for SAML, then select the SAML Test Connector (Advanced) connector.
- Enter the Display Name, then click Save.
- In the Configuration tab:
- Enter the ACS URL from the downloaded metadata at the ACS (Consumer) URL.
- Enter the following URL at the ACS (Consumer) URL Validator:
https://app.cloudneeti.com/auth/saml/acs
- Enter the Entity ID from the downloaded metadata at the Audience (EntityID) field.
- Go to the SSO tab. You can view the following information, which you need to submit to ZCSPM:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- 3. Add the IdP in the ZCSPM Admin Portal
- Go to Configurations > Identity Providers.
- Click Add IdP Configuration.
- Enter the IdP's Name.
- Enter the Identity Provider Issuer.
- Enter the Single Sign On URL.
- Upload the IdP Certificate.
- Click Add.
- 4. Add Users on ZCSPM
You need to add the users on ZCSPM after configuring SAML-based authentication. You can add the users as a License User or an Account User.
Configuring SAML Just In Time (JIT) provisioning
To configure SAML JIT provisioning with ZCSPM:
- 1. Enable JIT on the ZCSPM Admin Portal
- Go to Configurations > Identity Providers.
- Click the Update IdP icon.
- Enable JIT User Provisioning.
- Click Update.
- 2. Create two custom user attributes on your IdP
- CspmRole: Must be LicenseAdmin or LicenseReader. ZCSPM cannot provision the user if the attribute has any other value.
- LicenseId: The role access will be given for this specific license. If left empty, the user will be granted permission to all the licenses in your organization.
Follow the relevant configuration guides to create the custom attributes:
- Okta
- Log in to Okta with admin privileges.
- From the left-pane menu, click Directory.
- Click Profile Editor, then click Profile next to User (default).
- Under Attributes, click Add Attributes.
- Enter the Display name and the Variable name.
- Click Save.
- Go to Directory > People.
- Select a user to whom you want to assign the ZCSPM application.
- Click the Profile tab, then click Edit.
- For the ZCSPM Role field, enter LicenseAdmin or LicenseReader.
- From the left-pane menu, click Applications.
- Select your ZCSPM application.
- Go to the General tab, then click Edit next to SAML Settings.
- Click Next.
- Under Attribute Statements, add the CspmRole attribute with the user.CspmRole value.
- Click Next, then click Finish.
- PingOne
- Log in to PingOne with admin privileges.
- Go to Identities > Attributes.
- Click Add Attribute, then select DECLARED.
- Click Next.
- Enter CspmRole in the NAME field.
- Enter the DISPLAY NAME and DESCRIPTION.
- Click Save and Close.
- Create another attribute with LicenseId in the NAME field.
- Go to Connections > Applications.
- Select Attribute Mappings, then click ADD ATTRIBUTE.
- Select the CspmRole attribute.
- Enter LicenseAdmin or LicenseReader.
- Click Save.
- OneLogin
- Log in to OneLogin with admin privileges.
- Click Users > Custom User Fields.
- Click New User Field.
- Enter CspmRole in the Name field.
- Enter the Shortname, then click Save.
- Create another custom user field with LicenseId in the Name field.
- Click Applications, then select the ZCSPM SSO application.
- Click Users, then select a user.
- Enter LicenseAdmin or LicenseReader in the CspmRole field.
- (Optional) Enter the ZCSPM license ID in the LicenseId field.
If you are creating a new user for ZCSPM, you need to enter this information when creating the user.
- Click Save.
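The following added example (not ZCSPM's own code) shows what the SP side has to verify once the IdP sends a SAML response built from the settings above: the Destination matches the ACS URL, the Audience matches the Entity ID, the Name ID format is emailAddress, and, for JIT provisioning, CspmRole is one of the two allowed values with an optional LicenseId. The sample response, Entity ID and ACS URL are constructed placeholders, and XML signature verification against the IdP's X.509 certificate is assumed to have been done already by the SAML library.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the only Name ID format ZCSPM accepts.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ALLOWED_ROLES = {"LicenseAdmin", "LicenseReader"}

# Constructed sample response; the SP values below are placeholders, not real ZCSPM metadata.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/auth/saml/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:zcspm-sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="CspmRole"><saml:AttributeValue>LicenseReader</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LicenseId"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def evaluate_response(xml_text, entity_id, acs_url):
    """Apply the SP-side checks derived from the metadata, then map the JIT attributes.
    Signature verification is assumed to have been done by the SAML library (not shown)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in response"
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the ACS URL"
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        return False, "Audience does not match the Entity ID"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return False, "Name ID format must be emailAddress"
    # Collect attribute statements; an empty AttributeValue yields "".
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    role = attrs.get("CspmRole", "")
    if role not in ALLOWED_ROLES:
        return False, "CspmRole must be LicenseAdmin or LicenseReader"
    license_id = attrs.get("LicenseId") or None  # empty LicenseId: access to all licenses in the organization
    return True, {"email": name_id.text, "role": role, "license_id": license_id}
```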