SAML Authentication Scheme (saml-SAMLAuthenticationScheme)

This component extends the SSO authentication scheme. A SAMLAuthenticationScheme component enables SAML SSO in the station. The scheme must be configured with a number of IdP configuration values, which are typically obtained from the IdP SAML Server administrator. In Niagara 4.14 and later, the added Requested Authentication Type property specifies the type of authentication requested to configure the station.

Most SAML IdPs require you to provide an XML file with metadata about the service provider to add it to the SAML network. In Niagara, if a station is configured with a SAMLAuthenticationScheme, you can visit the following URL to automatically generate the station's SAML metadata XML: https://host.domain.com/saml/samlrp/metadata?scheme=<schemeName> (where you replace <schemeName> with the name of the station’s SAMLAuthenticationScheme).

Since SAML is an open standard, a number of third-party SAML servers are available (for example, OpenAM, Salesforce, etc.). This example configures the authentication scheme for the OpenAM Identity Provider.

Figure 1. SAML Authentication Scheme properties


To access these properties, expand Config > Services > AuthenticationService > Authentication Schemes, right-click SAMLAuthenticationScheme and click Views > Property Sheet.

| Property | Value | Description |
| --- | --- | --- |
| Login Button Text | text string, “Log in with SSO” (default) | Defines the preferred text label for the SSO login button that appears on the Login window. This button always displays if the corresponding scheme is in the authentication schemes folder. |
| IdP Host URL | text string, https://idp.domain.com (default) | Configures the URL of the Identity Provider host that provides the IdP data. |
| IdP Host Port | 443 | Configures the port number of the Identity Provider that provides the IdP data. |
| IdP Host Login Path | /path/to/login | Configures the location on the Identity Provider that you must navigate to in order to trigger SAML authentication for the IdP-provided data. |
| IdP Cert | drop-down list | Identifies the certificate required to encrypt messages sent to the IdP and to validate messages sent from the IdP. |
| SAML Server Cert | drop-down list | Identifies the certificate used by the station to sign messages that are sent back to the IdP. This certificate is also provided to the IdP SAML Server admin so that the IdP can read and validate those messages. It also decrypts messages sent from the IdP to the station. |
| Time Skew | 0000h 03m 00s (default) | Sets the number of minutes by which to extend the validity period of the SAML request from the subordinate station. This allows the SAML message to be accepted when the Supervisor and subordinate stations cannot synchronize their time values. Use positive values. |
| Requested Authentication Type | Config authentication scheme | Specifies the type of authentication requested to configure the station. For example, when the controller station requests authentication and enforces a particular authentication type, it informs the Identity Provider (IdP) which authentication types are allowed for the controller during SAML authentication. By default the property value is set to PasswordProtectedTransport. Click to change the selection; multiple values can be selected. The enumeration values are listed below. |

Requested Authentication Type enumeration values:

  • Password

  • PasswordProtectedTransport

  • TimeSyncToken

  • SSL/TLS certificate

  • Kerberos

  • Smartcard

  • SmartcardPKI

  • Unspecified: indicates that any authentication type is accepted.

Note: We use the SAML "better" comparison mode, meaning that if the IdP supports a better authentication type than those selected, it may use that type to successfully authenticate. The notion of “better” is defined by the IdP.
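As an added example (not Niagara's own code, and not what the station sends byte for byte), the following Python script shows the two SAML mechanics behind the Requested Authentication Type and Time Skew properties: it builds the `RequestedAuthnContext` element that a service provider puts in its AuthnRequest, using the "better" comparison mode and one `AuthnContextClassRef` per selected type, and it checks an assertion's `Conditions` validity window with a skew allowance. The mapping from the scheme's enum labels to the standard SAML 2.0 AuthnContext class URIs is assumed here (in particular that "SSL/TLS certificate" corresponds to the `TLSClient` class), the skew is assumed to widen the window symmetrically on both ends, and the sample assertion is constructed for the example.

```python
"""Added example (not Niagara code): RequestedAuthnContext construction with
Comparison="better", plus a Conditions window check with a time-skew allowance."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Scheme enum labels mapped to standard SAML 2.0 AuthnContext class URIs.
# Assumption: the "SSL/TLS certificate" label corresponds to the TLSClient class.
AUTHN_CONTEXT_CLASSES = {
    "Password": AC + "Password",
    "PasswordProtectedTransport": AC + "PasswordProtectedTransport",
    "TimeSyncToken": AC + "TimeSyncToken",
    "SSL/TLS certificate": AC + "TLSClient",
    "Kerberos": AC + "Kerberos",
    "Smartcard": AC + "Smartcard",
    "SmartcardPKI": AC + "SmartcardPKI",
    "Unspecified": AC + "unspecified",
}


def build_requested_authn_context(selected):
    """Return <samlp:RequestedAuthnContext Comparison="better"> holding one
    <saml:AuthnContextClassRef> per selected label, in the order given."""
    if not selected:
        raise ValueError("select at least one authentication type")
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="better")
    for label in selected:
        ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
        ref.text = AUTHN_CONTEXT_CLASSES[label]  # KeyError on an unknown label
    return rac


def requested_class_refs(selected):
    """Class URIs that would appear in the AuthnRequest for these labels."""
    return [ref.text for ref in build_requested_authn_context(selected)]


def parse_saml_instant(text):
    """Parse an xs:dateTime such as 2024-05-01T10:00:00Z into an aware UTC datetime."""
    value = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def conditions_valid(assertion_xml, now, skew=timedelta(minutes=3)):
    """True when `now` lies inside the assertion's <saml:Conditions> window after
    widening it by `skew` on both ends (the default mirrors the scheme's 3-minute
    Time Skew). An assertion without Conditions is rejected."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f".//{{{SAML}}}Conditions")
    if cond is None:
        return False
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_instant(not_before) - skew:
        return False
    if not_on_or_after and now >= parse_saml_instant(not_on_or_after) + skew:
        return False
    return True


# Constructed sample assertion (unsigned) with a five-minute validity window.
NOT_BEFORE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0"
    IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.domain.com</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
</saml:Assertion>"""


def sample_instant(minutes_from_not_before):
    """Clock reading offset from the sample assertion's NotBefore, in minutes."""
    return NOT_BEFORE + timedelta(minutes=minutes_from_not_before)


if __name__ == "__main__":
    rac = build_requested_authn_context(["PasswordProtectedTransport", "Kerberos"])
    print(ET.tostring(rac, encoding="unicode"))
    for offset in (-4, -2, 2, 7, 8):
        now = sample_instant(offset)
        print(now.isoformat(), conditions_valid(SAMPLE_ASSERTION, now))
```

Run as a script it prints the element (with `Comparison="better"`) and then shows the window check: a clock 2 minutes ahead of or behind the IdP is tolerated, while readings 4 minutes early or 8 minutes late are rejected, because the 3-minute skew is the whole allowance on each side. Raising the skew widens the replay window for a captured assertion, which is why the property is documented as a small positive value rather than a generous one.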