SAML Configuration for MFA and SSO
The Security Assertion Markup Language (SAML) configuration lets administrators enforce Multi-Factor Authentication (MFA) and offer a Single Sign-On (SSO) option for the users of a server. The configuration also lets users access the Nexus application, a secure broker that connects VPAM and CPAM servers. When administrators use SAML to enforce MFA and configure SSO, the configuration immediately changes the authentication methods on both types of servers.
The SAML configuration changes the authentication method at server level, and the change takes effect immediately. Imprivata recommends that you follow this procedure in a scheduled maintenance window to prevent downtime for your users.
Before you start, create a local administrator account that does not depend on the IdP, so that you keep access to your server if the configuration locks you out, and verify that you can sign in with it. Contact Imprivata Customer Service if you encounter any problems.
This document contains the requirements and a step-by-step guide for setting up SAML to enforce MFA and configure an SSO option for your users.
Requirements
To complete the SAML configuration for enforcing MFA and providing an SSO option, ensure that you meet the following requirements. If you do not, the configuration fails and you risk downtime for your users.
- Permissions and access:
  - You must be a server-level administrator to access the SAML configuration page.
  - You must have access to your Identity Provider (IdP) configuration.
- Authentication methods:
  - Your IdP must be able to require MFA from your users.
  - You must be able to configure MFA in your IdP.
- Server version:
  - Your server must be version 23.1.12. Find your version in the footer of your server's Administrator Console. Contact success@imprivata.com for assistance in updating your server.
Failing to meet these requirements results in errors during the configuration.
Step-by-Step Guide
The SAML configuration has the following steps:
1. Download your server's data (SP metadata).
2. Upload your server's XML to your Identity Provider (IdP).
3. Configure SSO and MFA in your server and IdP.
4. Finalize the configuration.
Each step is its own process, and administrators must complete each one in order for the configuration to be secure.

Download your server's data
Your server's data is an XML file containing your server's SAML service provider (SP) metadata. It describes the fields and structure that your Identity Provider (IdP) must export to your server, including the server's entity ID, the endpoint that receives assertions, and the expected NameID format. To download your server's XML file:
1. Open the System Admin tab in your server.
2. Hover over the Settings menu. A drop-down list displays.
3. Select SAML Settings. The SAML Settings page displays.
4. Click Download SP Metadata.xml at the top of the pane. The download starts automatically.
Wait for the download to complete. From the XML file, you can determine the specific schemas (formats) in which attributes are pulled from your IdP.
Read Section 3.2 of Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 for information on the schemas for SAML SSO and MFA.
If you are not an administrator of your Identity Provider, contact its administrator.

Upload your server's XML to your Identity Provider (IdP)
The process to upload your server's XML file to your IdP depends on which provider serves your users. Currently, you can configure SAML in your VPAM and CPAM servers only with the providers in the following list. Follow your IdP's documentation to upload your server's XML and download your IdP metadata file.
Contact your IdP manager for assistance.
Ensure that your IDP Metadata file contains the following information:
- EntityID
- Endpoints:
  - Single Sign On Service endpoint
  - Single Logout Service endpoint
- Public X.509 certificate
- Name ID format
- Organization information
- Contact information
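Before uploading the IDP Metadata file, it is worth checking it for the items above mechanically rather than by eye. The script below is an added example and not Imprivata code: it parses a metadata document with the standard library and reports which required items are absent, also rejecting endpoints that are not HTTPS and a signing certificate that is not valid base64 DER. The sample metadata, its entity ID, endpoints and certificate body are constructed placeholders.

```python
"""Structural check of an IdP metadata file before it is uploaded on the
SAML Settings page. Added example, not Imprivata code; the metadata below
is constructed and its entity ID, endpoints and certificate are placeholders."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample. The X509Certificate body is a base64 placeholder that
# merely begins like a DER certificate; it is not a real certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAAMB4X
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Corp</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Corp</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>idp-admin@example.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def _https_location(elem) -> bool:
    """Endpoints must be HTTPS; assertions travel through them."""
    return elem.get("Location", "").startswith("https://")


def _has_usable_signing_cert(idp) -> bool:
    """True if some signing KeyDescriptor carries a base64-encoded DER certificate."""
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        try:
            der = base64.b64decode("".join(cert.text.split()), validate=True)
        except binascii.Error:
            continue
        if der[:1] == b"\x30":  # DER SEQUENCE: the outer Certificate structure
            return True
    return False


def check_idp_metadata(xml_text: str) -> dict:
    """Map each item the SAML Settings page needs to whether it was found."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.findall("md:SingleSignOnService", NS) if idp is not None else []
    slo = idp.findall("md:SingleLogoutService", NS) if idp is not None else []
    return {
        "EntityID": bool(root.get("entityID")),
        "SingleSignOnService": any(_https_location(e) for e in sso),
        "SingleLogoutService": any(_https_location(e) for e in slo),
        "X509Certificate": idp is not None and _has_usable_signing_cert(idp),
        "NameIDFormat": idp is not None and idp.find("md:NameIDFormat", NS) is not None,
        "Organization": root.find("md:Organization", NS) is not None,
        "ContactPerson": root.find("md:ContactPerson", NS) is not None,
    }


def missing_items(xml_text: str) -> list:
    """Names of the required items that the metadata lacks, in page order."""
    return [name for name, ok in check_idp_metadata(xml_text).items() if not ok]


if __name__ == "__main__":
    print("missing:", missing_items(SAMPLE_IDP_METADATA) or "nothing")
```

Run it against the real file with `missing_items(open("idp-metadata.xml").read())`; an empty list means every item the page lists is present. The certificate check only confirms the encoding; confirm the certificate's expiry and that it is the IdP's current signing key with the IdP administrator, because an expired or rotated signing certificate makes every assertion fail verification.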

Configure SSO and MFA in your server and IdP
Return to your SAML Settings page and upload your IDP Metadata file. Then complete the SAML Settings page using the following table.
Read the Advanced Settings section before you save, to prevent errors when configuring your SAML settings.
Attribute | Description |
---|---|
Enable SAML Authentication | Enables SAML authentication on your server. |
Make SSO the default login option | Presents SSO as the default way for your users to authenticate. |
Require MFA Validation from IDP for SSO Users | Requires SSO users to authenticate with an additional method defined in your IdP, and requires the IdP to report that method in the assertion. Important: When you select this option, you must provide accurate details in the Advanced Settings section. |
Enable Group Sync if groups are provided | Assigns new users that sign in with SAML/SSO to a User Group based on their group in your IdP. |
Enable Role Sync if roles are provided | Assigns new users that sign in with SAML/SSO a User Role based on their role in your IdP. |
Sign-On URI | Your IdP's single sign-on endpoint: the entry point to which your server sends authentication requests. |
Logout URI | Your IdP's single logout endpoint. |
IDP Signing Certificate | The IdP's public X.509 certificate that your server uses to verify the signature on the assertions it receives. This field autocompletes when you upload your IDP Metadata. |
Default Role assigned when no linked roles found | The User Role given to users that sign in without a role assigned in your IdP. |
Default User Group assigned when no linked groups found | The User Group given to users that sign in without a group assigned in your IdP. |
Advanced Settings
The Advanced Settings let you configure the MFA rules and protocol details your users must satisfy to authenticate and access your server. Read the description of each attribute carefully to configure MFA properly.
- NameID Format: The format of the subject identifier (NameID) that your server expects in the IdP's assertion, for example an email address or a persistent identifier. It must match the format your IdP is configured to send.
- Required authentication level: The authentication strength that a user's sign-in must meet. When MFA is enforced, a sign-in that the IdP reports at a weaker level is rejected.
- SAML Auth Context reference: The authentication context class reference (the AuthnContextClassRef URI) that your server requests from, and expects back from, your IdP. It is how your server and your IdP agree on how a user was authenticated.
- Entity ID for the server: Your server's entity ID, exactly as you registered it in your IdP. A mismatch causes the IdP to reject your server's requests, or your server to reject assertions addressed to a different audience.
- Excluded Role Names from Role Sync: The role names that Role Sync does not assign automatically when users sign in to your server.
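To make the Advanced Settings concrete, the following added example (not Imprivata code) shows the checks a SAML service provider applies to an assertion once its XML signature has been verified: the NameID format, the audience against the server's entity ID, the validity window, and, when MFA is required, that the reported AuthnContextClassRef is one the server accepts. The assertion, the entity IDs and the set of context classes treated as MFA are constructed assumptions; which class your IdP returns after MFA is IdP-specific. Signature verification is deliberately not shown because the standard library has no XML-DSig support; it must succeed before any of these checks run.

```python
"""Post-signature checks a SAML service provider applies to an IdP assertion,
mirroring the SAML Settings and Advanced Settings fields. Added example, not
Imprivata code; the assertion below is constructed and carries no Signature.
Verify the XML signature first; unverified assertions must never reach this code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumption: which AuthnContextClassRef an IdP returns after MFA is IdP-specific.
# This set mixes OASIS classes with the claim URI Entra ID uses for MFA.
MFA_CONTEXT_CLASSES = frozenset({
    AC + "TimeSyncToken",
    AC + "MobileTwoFactorContract",
    AC + "SmartcardPKI",
    "http://schemas.microsoft.com/claims/multipleauthn",
})


@dataclass(frozen=True)
class SamlSettings:
    entity_id: str                # "Entity ID for the server"
    nameid_format: str            # "NameID Format"
    require_mfa: bool             # "Require MFA Validation from IDP for SSO Users"
    accepted_contexts: frozenset  # "SAML Auth Context reference" values accepted


EXAMPLE_SETTINGS = SamlSettings(
    entity_id="https://vpam.example.com/saml/sp",  # placeholder entity ID
    nameid_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    require_mfa=True,
    accepted_contexts=MFA_CONTEXT_CLASSES,
)

# Constructed assertion in which the IdP reports a time-synchronised token (MFA).
SAMPLE_ASSERTION_MFA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vpam.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""
# Same assertion, but the IdP reports a password-only login.
SAMPLE_ASSERTION_PASSWORD_ONLY = SAMPLE_ASSERTION_MFA.replace(
    AC + "TimeSyncToken", AC + "PasswordProtectedTransport")


def parse_saml_time(ts: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; older fromisoformat needs +00:00."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, settings: SamlSettings, now_utc: str) -> list:
    """Return the names of the failed checks; an empty list means accept."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no-assertion"]
    now = parse_saml_time(now_utc)
    problems = []

    # NameID Format: the subject identifier must use the configured format.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != settings.nameid_format:
        problems.append("nameid-format")

    # Entity ID for the server: the assertion must be addressed to this SP.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if settings.entity_id not in audiences:
        problems.append("audience")

    # Validity window; IdP and SP clocks must be in sync for this to hold.
    cond = assertion.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa and parse_saml_time(nb) <= now < parse_saml_time(noa)):
        problems.append("expired")

    # Require MFA Validation: the reported AuthnContextClassRef must be one the
    # server accepts as MFA; a password-only class is rejected.
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx_value = ctx.text.strip() if ctx is not None and ctx.text else ""
    if settings.require_mfa and ctx_value not in settings.accepted_contexts:
        problems.append("authn-context")
    return problems
```

The same URIs in `accepted_contexts` are what the server sends in the RequestedAuthnContext of its authentication request, so the IdP knows which level to require; the check above is what stops an IdP-side misconfiguration (or a policy that silently downgrades to password only) from being accepted as MFA. A production validator also checks the Issuer, the InResponseTo and Recipient values of the SubjectConfirmationData, and the assertion ID against a replay cache.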

Finalize the configuration
To submit the changes to your server, click Submit on the SAML Settings page.
After your server reloads the page, ensure that your IdP manager also refreshes the IdP authorizations of users who signed on before the change. If the authorizations are not refreshed directly on the IdP, the system locks and those users cannot sign in.
External Links
Imprivata has curated external links that might help you set up your SAML configuration for SSO and MFA. Remember to contact success@imprivata.com for additional assistance.
Customize SAML token claims - Microsoft Entra ID
Enable SAML single sign-on for an enterprise application - Microsoft Entra ID
A Quick Guide to Onboard Service Provider for SingleSignOn at Stanford - Stanford
How to Configure a Custom SAML App - Okta
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 - OASIS