Configuring subordinate stations for SAML IdP Service and Scheme

A provisioning job can configure each remote station’s SAML (Security Assertion Markup Language) authentication scheme and local SAML IdP (Identity Provider) service. This procedure covers running a provisioning job on the Supervisor station to configure one or more remote stations with a server certificate (private and public keys) and the SAML authentication scheme configured for the internal IdP.

You are working in a Supervisor station. The SAMLIdPService is installed and configured on the Supervisor station.

The NiagaraNetwork on the Supervisor contains one or more remote stations.

  1. Expand Config > Drivers > NiagaraNetwork.
  2. To open the Niagara Network Job Builder view, double-click ProvisioningNwExt.
    The Niagara Network Job Builder view opens.

  3. In the top pane, Provisioning steps to run, click Add, click Configure Niagara IdP and SAML Scheme, and click OK.
    The Configure Niagara IdP and SAML Scheme window opens.

  4. Fill in the following required properties and click OK.
    • Login Button Text Format is the preferred text to display on the login button to access the subordinate station. For example, Log in to Floor1_%displayName%, where the system substitutes the name of the Circle of Trust for the BFormat script %displayName%. If multiple Circles of Trust include the subordinate station, the system creates multiple login buttons.
    • IdP Certificate Alias is the public key of the certificate configured as the IdP Signing Cert in the SAMLIdPService that the system imports to the subordinate station's User Trust Store. This property configures the alias of the resulting public key as it appears in the subordinate station, for example: niagaraIdP. Entering a value in this property activates the OK button in the window.
    • SAML Signing Certificate Alias defines the alias of the certificate to use as the subordinate station's SAML Server Certificate. If not generating a new server certificate (see option below), the certificate should already exist in the subordinate station's User Key Store.
    • Optionally, you can generate a new server certificate and/or a new remote SAML encryption certificate to use for this purpose. Click the check box to Generate new remote SAML signing certificate and/or to Generate new remote SAML encryption certificate, fill in the required data in the additional properties, and click OK.
    The provisioning application adds the step to the job builder.
  5. In the bottom pane, Stations to include in the job, click Add.
    The Add Device window opens.
  6. Select the devices (that is, stations in the NiagaraNetwork that are included in a Circle of Trust) to be added to the job, and click OK.
    The provisioning application adds the job to the step builder.
  7. To start the provisioning job, click Run Now.
  8. To view the job progress, open the Job Service Job Log view.
    The Job Log opens.

This provisioning job exports the public key of the Supervisor's IdP Signing Certificate to the User Trust Store of each subordinate station in the job. For each station, it generates a unique SAML Signing Certificate in the station's User Key Store (or selects from server certificates already existing in the User Key Store). It then assigns a copy of this certificate's public key to the Station Service Provider under the Circle of Trust in the Supervisor's SAMLIdPService using certificate pinning.

Note: The signing certificates mentioned in the previous paragraph are actually Server certificates. They should not be confused with Code Signing Certificates which have a different purpose.

For each Circle of Trust that a subordinate station is a part of, the provisioning job creates a SAML Authentication Scheme in the subordinate station’s AuthenticationService.

For more information, see “About the SAML IdP Service” section of the Niagara Station Security Guide.