Configure SAML
Configure Mobile Access to use SAML to provision and authenticate users against your Identity Provider, such as Microsoft Entra ID.
Depending on your organization, MAM or Imprivata MDA takes the role of a Service Provider (SP) and you provide a system to serve as Identity Provider (IdP). No credentials are exchanged during the setup process. Instead, a trusted relationship is established between the services.
Assumptions
The following guide assumes that you have a MAM or MDA organization, or both.
If your organization owns both of the MAM and MDA products, use the top navigation item in the Mobile Access console to switch products.
Overview
This authentication works to the Mobile Access console and to the Launchpad app (MAM only).
SAML keeps passwords internal to your network, making Mobile Access more secure. SAML also leverages single sign-on, providing a better login experience for users.
The IdP is used only for user authentication. Authorization — assigning users to Mobile Access roles — is still handled within the Mobile Access console.
When a user launches Mobile Access from their IdP, for example myapps.microsoft.com (Microsoft Entra ID), then the user will be generated at that time in Mobile Access with the default role defined in the Admin settings.
-
There is only one default role for accounts automatically created this way, but a user’s role can be modified manually after the user is created.
-
To manually add new users and assign them to a specific role, go to the Team page.
-
When a user has no assigned role, they will see an error when attempting to log in with SAML.
User Invitations
Mobile Access handles new user creation differently for SAML-enabled organizations. The differences are visible on the Team page.
-
The Reset Password button is hidden, since passwords are managed by your identity provider.
-
The system does not send an email to the new user. You are responsible for notifying new users with instructions on how to log into their Mobile Access account.
-
You can specify a default role to be assigned to new users added to the organization. This role is only assigned at this organization level in your parent/child organization tree.
Provide IdP and SP Metadata
Mobile Access (as the SP) and your Identity Provider (the IdP) need metadata from each other.
Open both consoles at the same time and import the metadata. The metadata can be provided as an XML file, a metadata URL, and specifying the metadata values manually.
-
In the Mobile Access console, go to Admin > SAML.
-
Switch the SAML Single Sign-on (SSO) setting to ON. The Configure SAML Single Sign-on dialog opens.
-
In the Identity Provider Display Name box, type a user-friendly display name for your Identity Provider (IdP).
-
In the Provide Mobile Access Management Metadata XML to your Identity Provider section, copy the file to your workstation.
-
-
In your IdP's admin console:
-
Export the IdP metadata XML file to your workstation.
-
Upload the Mobile Access metadata file saved from step 3.
Alternately, enter the Mobile Access URL and metadata values manually and save the configuration.
-
If required, copy the IdP's metadata URL and/or metadata XML contents for use in Mobile Access.
-
-
In the dialog, upload the IdP metadata XML or paste the metadata URL or XML contents:
-
To upload the metadata XML file exported from the IdP, click Upload XML file and browse to the location. Click Upload. The metadata XML file is uploaded to Mobile Access.
-
To use a metadata URL from the IdP, click Paste Metadata URL and paste the URL.
-
To use the contents of the XML from the IdP, click Paste XML contents and paste the contents of the IdP's metadata XML.
-
-
Click Save.
Configure Additional SAML Settings
In the Mobile Access console, configure additional SAML settings:
-
To set up automatic user creation, where new users are automatically assigned a role, switch the Auto-create user after SAML authentication to ON.
-
Select the default role to be assigned to the automatically created users.
-
-
To require SAML for the Mobile Access console, switch the Require SAML for Mobile Access Management admin console to ON.
SAML can be mandatory for the Mobile Access console or you can allow traditional usernames and passwords alongside SAML.
During testing, customers typically keep SAML optional during testing, then switch to required for production use.
-
In the Default role for auto-created users list, select the default role to assign to the users that are automatically created.
-
This role is only assigned at this organization level.
-
You can modify the role at any time.
-
-
MAM only. To require SAML for MAM Launchpads, switch the Require SAML for Launchpads to ON.
Many customers continue using username/password for Launchpads, even when the Mobile Access console uses SAML, because Launchpads configured for SAML prompt for user/password every time the app launches. This interrupts automatic start. On the other hand, Launchpad configured without SAML downloads a token and launch without a prompt.
-
In the Maximum authentication lifetime (in hours) box, type a value between 1 and 168 to specify the amount of time (in hours) users have before they must reauthenticate.
Imprivata recommends a setting of less than 72 hours.
SAML Certificate
Organizations can use the default Mobile Access SAML certificate. To make refreshing this certificate easier, you can set an organization-specific certificate.
If this is changed, the Identity Provider (IdP) must refresh the Mobile Access metadata XML file immediately.
Create a Certificate
Creating a certificate generates a new service provider automatically; by default it will be inactive. You must copy the Mobile Access metadata XML into your Identity Provider (IdP) before activating the new certificate.
Activating a new certificate deactivates the currently active certificate. Only one certificate may be active at a time.
-
In the Mobile Access console, click Create Certificate.
-
In the Active column, click Active for the certificate you wish to activate. The Make Certificate Active? dialog opens.
-
Click the URL to copy the Mobile Access metadata XML for use in your IdP before activating the new certificate.
-
In your IdP admin console, update the Mobile Access metadata XML and save.
-
In the Mobile Access console, click Make Active to activate the certificate.
Delete a Certificate
In the SAML Certificate list, click the delete icon next to an inactive certificate and confirm the deletion.
Certificate Expiration
Beginning 60 days before the SAML certificate expires, the Mobile Access console displays an alert warning of the expiration. The banner is only displayed when the active SAML certificate is expiring.