儲存為 PDF
Configuring Federated Login 
Configuring Federated Login 

此內容是否有幫助?

Configuring Lyve Cloud as a SAML Service Provider

To configure Lyve Cloud as a SAML service provider:

  1. Obtain metadata from your IdP administrator.
  2. Configure Lyve Cloud as a service provider.
  3. Add service provider metadata to the identity provider.
  4. Configure the identity provider to send email attribute.
  5. Update the metadata file.

Obtain metadata and certificate from your IdP Administrator

Contact your organizations IdP administrator and obtain the metadata file in XML format to upload and configure Federated Login.

For more information on generating a metadata file for Okta, see Generating XML Metadata files for IdP.

Configure Lyve Cloud as a service provider

  1. Log in to the Lyve Console either as Root or an Admin user. From the top menu, select the Federated Login tab.

01-federated-login-tab

  1. On the Federated Login page, select Configure.

02-configure

  1. Select Update Metadata file.

03-update-metadata-file

  1. Navigate to the location of the XML file and select it. Select Open.
  2. After the Metadata file is uploaded successfully, the configuration data is displayed with its status ('Configured'), the name of the identity provider, and the metadata file expiry date. Example:

04-configuration-data

In addition, the identity provider configuration details are provided. The following attributes are used to configure the IdP:

  • Provider URL
  • Entity ID

Add service provider metadata to the identity provider

  1. Add some information to the IdP that allows it to receive and respond to SAML-based authentication requests from the Lyve Cloud service provider. The following instructions are generic. You will need to find the appropriate screens and fields on the identity provider.
  2. Locate the screens from the Identity Provider that allow you to configure SAML.

The IdP must know where to send the SAML assertions after it has authenticated a user. This is the Provider URL in Lyve Cloud. The IdP might call this Assertion Consumer Service URL or Application Callback URL.

https://authenticate.lyve.seagate.com/login/callback?connection=<RESELLER>-<TENANT>-saml

The connection URL parameter is required for identity provider-initiated flow.

 Note—If you have custom domains set up, use the custom domain-based URL rather than your Lyve Cloud domain in the following format:

https://authenticate.lyve.seagate.com/login/callback?connection=--saml
  1. Enter the entity ID in the Audience or Entity ID field from Lyve Cloud: urn:lyvecloud:<RESELLER>-<TENANT>-saml
  2. If IdP provides a choice for bindings, select HTTP-Redirect from the Authentication Requests dropdown.
  3. The Single Logout Service URL field contains the destination for SAML logout requests and/or responses from the identity provider. Enter https://LYVECLOUD_CONSOLE_URL/signout
 Signing Logout Requests—When configuring the IdP, make sure that SAML Logout Requests sent to the service provider are signed.

Configure the identity provider to send email attribute

Lyve Cloud reads an “email” attribute from the identity profile. Some IdPs send “email” by default, while some require you to configure it to send “email”.

Okta

Okta must be configured to send an email attribute.

  1. Select Applications from the sidebar, and then select Applications.
  2. Select an application to edit, and then select General.
  3. Select Edit in 'SAML settings'.
  4. Leave the 'General Settings' as they are and select Next.
  5. In the 'Attribute Statements (optional)' section, select Add Another. Update the attributes as follows:
    • Name = email
    • Value = user.email

05-attribute-statements.jpg

Update the metadata file

You will need to update the metadata file before the certificate expires. Contact your IdP administrator to get the updated XML file. If you make any updates and regenerate metadata.xml, you must delete the old metadata file before uploading the updated file. If you upload the file without first deleting the old file, it may not update the old file.

  1. From the top menu, select the Federated Login tab.
  2. On the Federated Login page, select Update Metadata file.
  3. Navigate to the location of the updated XML file. Select the file, and then select Open.

After the metadata file is uploaded successfully,  the configuration data is displayed along with its status ('Configured'), the name of the identity provider, and the metadata file expiry date.

Delete an existing IdP configuration

To delete an IdP configuration:

  1. From the top menu, select the Federated Login tab.
  2. On the Federated Login page, select Delete IdP.

06-delete-idp.jpg

  1. In the Delete IdP dialog, select Delete.

07-delete-idp-confirm.jpg