Configure Ops Manager Users for SAML Authentication
On this page
You can use an Identity Provider (IdP) that runs the Security Assertion Markup Language (SAML) service to manage Ops Manager user authentication and authorization. When you try to navigate to Ops Manager without an authenticated session, Ops Manager sends you to the IdP where you log in. After you authenticate, you return to the Ops Manager Application.
This tutorial describes how to:
Configure SAML authentication for Ops Manager
Map SAML groups to Ops Manager Organization Roles and Project Roles.
Considerations
Users Remain Authenticated after SAML Activation
Once you change your Ops Manager instance to use SAML authentication, all users remain logged in to the current session. After the authentication change, users who try to log into Ops Manager are redirected to the SAML IdP.
Two-Stage Configuration
Some circular logic applies when setting up a SAML instance. To create a working integration:
The IdP needs values from the Service Provider and
The Service Provider needs values from the IdP.
To start this integration, follow the Prerequisites, then the Procedure in this tutorial.
Prerequisites
To configure SAML integration, you must perform the following actions for your SAML IdP:
Install your SAML IdP.
Verify that your Ops Manager instance can access your IdP over the network.
In the SAML IdP, you must:
Create a SAML user that maps to your Ops Manager Global Owner.
Create a SAML group that you can map to your Ops Manager Global Owner.
Assign the Global Owner SAML group to your SAML user.
Create a new application for Ops Manager representing Ops Manager.
Configure initial Ops Manager SAML values for this new application:
Set placeholder values for the following fields:
SP Entity ID or Issuer
Audience URI
Assertion Consumer Service (ACS) URL
Set real values for the following fields in your IdP:
FieldCommon ValueSignature AlgorithmYour IdP might have one or more of the following values:
rsa-sha1
dsa-sha1
rsa-sha256
rsa-sha384
rsa-sha512
Name IDEmail Address
Name ID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Create attributes with Attribute Names for the following Attribute Values:
Email Address
First Name
Last Name
User Groups
Configure your IdP to require signed SAML Responses and Assertions.
Save these values.
Procedure
To configure SAML authentication:
Set the required SAML IdP setting values in Ops Manager.
Type the values from the IdP for the following SAML fields:
Field | Necessity | Action | Default |
---|---|---|---|
Identity Provider URI | Required | Type the URI for your IdP you use to coordinate your Single Sign-On. This URI is the IdP Entity ID or Issuer from the SAML IdP. This URI must be the same as the | None |
SSO Endpoint URL | Required | Type the Single-Sign On URL for your IdP. This URL is the SAML Login URL from your IdP. | None |
SLO Endpoint URL | Optional | Type the SAML IdP URL to be called if you want the Ops Manager user to log out of their IdP when the Ops Manager user logs out of Ops Manager. This is the SAML Logout URL from your IdP. | None |
Identity Provider X509 Certificate | Required | Paste your IdP's X.509 Certificate in this field. The IdP
provides the certificate in PEM format. Make sure you
include the entire certificate content including and starting
with This is the X.509 Certificate from your IdP. This must be the same X.509 Certificate that you use to sign SAML Responses and Assertions. | None |
Identity Provider Signature Algorithm | Required | Select the algorithm used to encrypt the signature sent to and from the IdP. The accepted values are:
This is the Signature Algorithm from your IdP. | None |
Require Encrypted Assertions | Optional | Select whether or not your IdP encrypts the assertions it
sends to Ops Manager. | false |
Global Role Owner Group | Required | Type the name of the group in the SAML Group Member
Attribute that has full privileges over this deployment,
including full access to all groups and all administrative
permissions. This group has the You added this group to your IdP settings as part of your prerequisites. This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
SAML Attribute For User First Name | Required | Type the name of the SAML Attribute that contains User's
First Name | None |
SAML Attribute For User Last Name | Required | Type the name of the SAML Attribute that contains User's
Last Name | None |
SAML Attribute For User Email | Required | Type the name of the SAML Attribute that contains User's
Email Address. | None |
SAML Group Member Attribute | Required | Type the name of the SAML Attribute that contains the list
of groups Ops Manager uses to map roles to Projects and
Organizations. | groups |
Add any needed optional SAML IdP settings to Ops Manager.
Type the values from the IdP for the following SAML fields:
Field | Necessity | Action | Default |
---|---|---|---|
Path to SP Certificate PEM Key File | Optional | Type the absolute file path to the PEM-formatted certificate that the Service Provider uses to sign requests. This certificate includes the private and public key. If this field is left blank:
| None |
Password For SP Certificate PEM Key File | Conditional | If you encrypted the private key in your SP PEM file, type
its password in this field. | None |
Global Automation Admin Role | Optional | Type the name of the group whose members have the
This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
Global Backup Admin Role | Optional | Type the name of the group whose members have the
This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
Global Monitoring Admin Role | Optional | Type the name of the group whose members have the
This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
Global User Admin Role | Optional | Type the name of the group whose members have the
This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
Global Read Only Role | Optional | Type the name of the group whose members have the
This value must match the group member attribute value sent in the SAML response. If you use Azure AD as your IdP, enter the group's Object ID in this field instead of the group's name. | None |
Associate SAML groups with project roles.
To associate SAML groups with roles in a new project:
Note
You must have any global role to create a new project.
Click Admin > General > Projects.
Click Create a New Project.
In Project Name, type a name for the new Ops Manager project.
Enter the SAML groups that correspond to each project role.
Important
You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (
;;
). Remove a group from a role's field to revoke the group's access for that role.Click Add Project.
To update the association of SAML groups with roles in an existing project:
Click Admin > General > Projects.
In the Actions column for a project, click , then click Edit SAML Settings.
Enter the SAML groups that correspond to each project role.
Important
You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (
;;
). Remove a group from a role's field to revoke the group's access for that role.Click Save Changes.
Optional: Associate LDAP groups with organization roles.
To associate SAML groups with roles for a new organization:
Note
You must have any global role to create a new organization.
Click Admin > General > Organizations.
Click Create a New Organization.
In Organization Name, type a name for the new Ops Manager organization.
Enter the SAML groups that correspond to each organization role.
Important
You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (
;;
). Remove a group from a role's field to revoke the group's access for that role.Click Add Organization.
To update the association of SAML groups with roles for an existing organization:
Click Admin > General > Organizations.
Click the Edit Org button.
Enter the SAML groups that correspond to each organization role.
Important
You must use the fully qualified distinguished name for each group. If multiple LDAP or SAML groups correspond to the same role, separate them with two semicolons (
;;
). Remove a group from a role's field to revoke the group's access for that role.Click Save Changes.
Add your MongoDB deployments.
Specify the SAML authentication settings when adding a MongoDB deployment.
Export your Ops Manager Metadata.
After you save the SAML configuration, a link to Download the Metadata XML File appears.
Click this link to download the SAML SP metadata XML file.
This metadata file should look similar to this example:
1 <?xml version="1.0"?> 2 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2019-09-13T20:36:00Z" cacheDuration="PT604800S" entityID="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080" ID="ONELOGIN_f95ad815-e8da-4ab3-a799-3c581484cd6a"> 3 <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> 4 <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/logout"/> 5 <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat> 6 <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ec2-3-88-178-252.compute-1.amazonaws.com:8080/saml/assert" index="1"/> 7 </md:SPSSODescriptor> 8 </md:EntityDescriptor>
Import the SAML SP Metadata into your IdP.
If your IdP offers the option, import your metadata into the IdP. Ops Manager serves as the Service Provider (SP) for your IdP.
Provide the following values in the metadata XML file to IdP:
Field | Common Value |
---|---|
SP Entity ID or Issuer | <OpsManagerHost>:<Port> |
Audience URI | <OpsManagerHost>:<Port> |
Assertion Consumer Service (ACS) URL | <OpsManagerHost>:<Port>/saml/assert |
Single Logout URL | <OpsManagerHost>:<Port>/saml/logout |
If one or more of these values are missing, use the guidelines listed in the previous table to set those values.
Save these values in your IdP.