How to enable SAML authentication with an external Identity Provider through TAC

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP)*. PortSys TAC extends this support: it accepts SAML assertions issued by an identity provider and uses them to authenticate users to applications that support SAML.

TAC's role in a SAML setup depends on the deployment. Primarily, TAC acts as the service provider for an external identity provider: the IdP authenticates the user and TAC consumes the resulting SAML assertion.

Additionally, TAC can act as a proxy SAML token issuer for external service providers when the identity provider resides within the organization's network, e.g. AD/ADFS servers as the IdP.

To enable SAML authentication in TAC do the following:

  1. Open TAC Configuration Console and go to Authentication and Authorization Servers in the Configuration menu.
  2. In the Authentication and Authorization Servers window, select SAML from the Type dropdown list under General section.
  3. In the Name field enter an identification name.
  4. Configure identity provider details under Identity Provider section
    1. Certificate: Add the identity provider's signing certificate. TAC uses it to verify the signature on the SAML response (the signature is verified, not decoded). Obtain the certificate from the IdP's metadata or administrator, never from a received response, since a forged response can carry an attacker's certificate.
    2. Issuer URI: Enter the identity provider's issuer identifier (entity ID), the value the IdP places in the Issuer element of its responses; responses from any other issuer should not be accepted.
    3. Login URL: The identity provider's single sign-on endpoint, to which TAC sends users to log in.
    4. Logout URL: The identity provider's single logout endpoint, to which TAC sends users to log out.
  5. Configure User ID settings:
    1. User ID location: Choose where TAC reads the user ID from: the Subject (NameID) of the assertion, or a named attribute in its attribute statement.
    2. Validate User ID: Select the checkbox if the user ID must also exist in an existing TAC repository.
    3. Validation Repository: The existing TAC repository that the user ID is checked against.
    4. Validation Field: The field of that repository that is compared with the user ID taken from the SAML assertion.
    5. User Password: Select this option from the list if the SAML assertion also carries the user's password. An assertion passes through the user's browser, so enable Require encryption (below) whenever this option is used.
    6. Authenticate: Select this checkbox if the user ID and password from the SAML assertion are used to authenticate against the validation repository.
  6. Under SAML security settings:
    1. Require encryption: Select this checkbox to require encrypted assertions. Click "Export public key" to export TAC's public encryption key and give it to the identity provider, which encrypts assertions to that key.
    2. Response Signature: Select the signature algorithm expected on responses. Prefer a SHA-256 based algorithm; SHA-1 is deprecated for signatures.
    3. Request Signature: Select the algorithm TAC uses to sign its authentication requests.
    4. Max clock skew: Set, in minutes, how far outside the assertion's NotBefore/NotOnOrAfter window TAC's clock may be while the assertion is still accepted. Keep it small (a few minutes at most): a large value extends the usable lifetime of a stolen assertion. Fix clock drift with NTP rather than with this setting.
  7. Click Verify, then click OK.

Apply the Configuration.
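To make the settings above concrete, here is an added example (not PortSys TAC code and not part of the original page) of the checks a SAML service provider performs on a response before it accepts the user ID: Issuer URI, NotBefore/NotOnOrAfter with the max clock skew, audience, User ID location (subject or attribute) and validation against a repository field. The IdP URL, TAC URLs, the sample response and the repository entries are constructed. Signature verification and assertion decryption (the Certificate and Require encryption settings) need an XML-DSig/XML-Enc library and are deliberately not performed here, so this code on its own must not be used as a real consumer.

```python
# Added example, not PortSys TAC code. All names, URLs and data are constructed.
# Signature verification and decryption are NOT done here (see lead-in).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response as a hypothetical ADFS IdP would POST it to TAC.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://tac.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://tac.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for a TAC validation repository (e.g. an AD repository).
REPOSITORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com"},
]


class SamlValidationError(Exception):
    pass


def _utc(ts):
    # SAML timestamps are UTC; fractional seconds are not handled in this sample.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, *, issuer_uri, audience, now, max_clock_skew_minutes,
                     user_id_location="subject", attribute_name=None,
                     repository=None, validation_field=None):
    """Return the user ID of a response that passes every check; raise otherwise."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plaintext Assertion (encrypted? decrypt first)")
    # Issuer URI: both the Response and the Assertion must name the configured IdP.
    for elem in (root, assertion):
        issuer = elem.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != issuer_uri:
            raise SamlValidationError("issuer mismatch")
    # Max clock skew: the validity window is widened by the tolerance, nothing more.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    skew = timedelta(minutes=max_clock_skew_minutes)
    if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    # Audience: the assertion must be addressed to this service provider.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlValidationError("assertion not intended for this service provider")
    # User ID location: Subject (NameID) or a named attribute.
    if user_id_location == "subject":
        node = assertion.find("saml:Subject/saml:NameID", NS)
    elif user_id_location == "attribute":
        node = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                node = attr.find("saml:AttributeValue", NS)
                break
    else:
        raise ValueError("user_id_location must be 'subject' or 'attribute'")
    if node is None or not (node.text or "").strip():
        raise SamlValidationError("user ID not found in assertion")
    user_id = node.text.strip()
    # Validate User ID: exactly one repository entry must match on the validation field.
    if repository is not None:
        if sum(1 for u in repository if u.get(validation_field) == user_id) != 1:
            raise SamlValidationError("user ID missing or ambiguous in repository")
    return user_id
```

The clock-skew check is the part worth trying with different values: the sample assertion expires at 12:05:00Z, so at 12:07:00Z a one-minute skew rejects it while a three-minute skew accepts it, which is exactly why the setting should stay small.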

* SAML definition quoted from Varonis.