Setting up the SAML IdP Service

Setting up the SAML IdP Service on your Supervisor station makes it easy to configure an internal Niagara IdP that works with your SAML Authentication Scheme.

Prerequisites:

  • The platform is licensed for samlDP (with the On/Off attribute set to true).

  • A Server Certificate has already been generated in the User Key Store for use with SAML IdP.

  • The Supervisor station’s WebService is running.

  • The saml palette is open.

Note: Install the SAMLIdPService only on a Supervisor station.
  1. From the saml palette drag the SAMLIdPService component to the Supervisor station’s Services node, and when prompted, enter a name for the service. For example, Niagara IdP.
  2. Open a Property Sheet view of the service and configure the following properties:
    1. IdP Signing Cert — click the drop-down list and select the existing Server Certificate from the station’s User Key Store.
    2. EntityID — enter the URL of the station’s WebService: the scheme, the station’s IP address (or hostname), the port the WebService is running on, and the path “/saml/”.
      Note: The port number is required even when it is the default for the scheme (e.g., 443 for https); without it the service fails. The characters “/saml/” must also be appended to the value. For example, if you entered “https://192.68.19.20:443” for the EntityID, append “/saml/” so that it reads: “https://192.68.19.20:443/saml/”. Subordinate stations use this value as-is to identify the IdP, so enter it exactly.
    3. Time Skew — set the number of minutes by which to extend the validity period of SAML requests from subordinate stations. This allows SAML messages to be accepted when the Supervisor and subordinate stations cannot synchronize their clocks. Use positive values. The default is 3 minutes. Every minute of skew also widens the window in which a captured SAML message would still be accepted, so keep the value as small as the actual clock drift requires and prefer synchronizing the station clocks over increasing it.
    4. Apply Skew to Response — click the drop-down list and select “true” to apply the Time Skew to the IdP’s responses as well as to requests. Use this when a time difference exists between the Supervisor and a subordinate station.
  3. Double-click Circle of Trust to open the Circle Of Trust Editor and configure the following properties.
    1. Description — (optional) enter a description for this Circle of Trust.
    2. Http Redirect Endpoint — A read-only value that shows the URL for this Circle of Trust.
  4. The lower half of the view lists subordinate stations in the NiagaraNetwork. Click a checkbox for any station(s) to include it in this Circle of Trust.
    Note: You are not limited to stations in your NiagaraNetwork. Click Add Station to select a non-NiagaraNetwork station. You will be prompted to enter a Name, Server Certificate public key, and Issuer URL for the station. Stations that are not in the NiagaraNetwork cannot be configured by the Configure Niagara IdP and SAML Scheme provisioning job; the SAMLAuthenticationScheme on such a remote station must be added manually.
  5. Click Users to select the user(s) from your UserService to include in this Circle of Trust. This allows those users to log into the specified stations in the COT.
  6. Click Auth Schemes to specify which other authentication schemes may be used when logging in.
    Note: This accommodates users who may not yet exist in the Supervisor station. For example, you might specify the LdapScheme so that LDAP users can log in. For typical (SAML Authentication Scheme) usage you can skip this step.
  7. Click Prototypes to specify one or more user prototypes that may be used when logging in.
    Note: The specified prototypes should correspond to User Prototypes on the subordinate station(s). The User Prototype is used to create the user on the subordinate station on login and needs to exist on the station at that time.
    At this point you have completed configuring the SAMLIdPService and adding user prototypes to the Circle of Trust.
  8. In the Supervisor’s UserService, assign a SAML Prototype to each Circle of Trust user. Do this for each Circle of Trust that the user is in.
    Note: You can choose from any of the prototype names that have been added to that Circle of Trust.
Completing the Circle of Trust configuration is the last item in the workflow for configuring the SAML IdP Service on the Supervisor. Additional configuration must be done on the subordinate station(s). For those details see “Configuring the subordinate station for SAMLIdPService”.
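The two settings in step 2 that are easiest to get wrong are the EntityID format and the Time Skew. The following is an added example written for this page, not Niagara code: it models the EntityID rule stated above (explicit port, trailing “/saml/”) and shows how a skew of N minutes widens the window in which a SAML assertion’s Conditions are accepted when the subordinate station’s clock is off. The assertion XML is constructed sample data, the function names are this example’s own, and the “https required” check is an assumption based on the page’s example URL rather than a rule the page states.

```python
"""Illustrative checks for SAMLIdPService EntityID and Time Skew (added example,
not Niagara's implementation). The assertion below is constructed sample data."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: a 5-minute validity window issued by the IdP
# whose EntityID is the one used in the text above.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://192.68.19.20:443/saml/</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def check_entity_id(entity_id: str) -> list[str]:
    """Return the problems with a proposed EntityID (empty list means OK)."""
    problems = []
    u = urlsplit(entity_id)
    if u.scheme != "https":          # assumption: follow the page's https example
        problems.append("scheme should be https")
    if u.port is None:               # page rule: port is required, even 443
        problems.append("port number is required (e.g. :443)")
    if not u.path.endswith("/saml/"):  # page rule: value must end in /saml/
        problems.append('path must end with "/saml/"')
    return problems


def parse_ts(s: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _window(assertion_xml: str, skew_minutes: int):
    """Conditions window widened by the skew on both ends."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    skew = timedelta(minutes=skew_minutes)
    return (parse_ts(cond.get("NotBefore")) - skew,
            parse_ts(cond.get("NotOnOrAfter")) + skew)


def conditions_accepted(assertion_xml: str, receiver_now: datetime,
                        skew_minutes: int = 3) -> bool:
    """True if the receiver's clock reading falls inside the widened window."""
    not_before, not_on_or_after = _window(assertion_xml, skew_minutes)
    return not_before <= receiver_now < not_on_or_after


def acceptance_window_minutes(assertion_xml: str, skew_minutes: int = 3) -> int:
    """Total minutes during which the assertion is accepted, skew included."""
    not_before, not_on_or_after = _window(assertion_xml, skew_minutes)
    return int((not_on_or_after - not_before).total_seconds()) // 60


def issuer_matches(assertion_xml: str, expected_entity_id: str) -> bool:
    """The Issuer must equal the configured EntityID character for character."""
    issuer = ET.fromstring(assertion_xml).findtext("saml:Issuer", namespaces=SAML_NS)
    return issuer.strip() == expected_entity_id


if __name__ == "__main__":
    print(check_entity_id("https://192.68.19.20"))            # missing port and /saml/
    print(check_entity_id("https://192.68.19.20:443/saml/"))  # []
    slow_clock = parse_ts("2024-05-01T11:58:00Z")              # subordinate 2 min slow
    print(conditions_accepted(ASSERTION, slow_clock, 0))       # False: rejected
    print(conditions_accepted(ASSERTION, slow_clock, 3))       # True: skew absorbs drift
    print(acceptance_window_minutes(ASSERTION, 3))             # 11 instead of 5
```

The last line is the caveat in numbers: with the default 3-minute skew a 5-minute assertion is accepted for 11 minutes, so a larger skew is a wider replay window, not a free fix for unsynchronized clocks.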