Aeries can be used to authenticate logins for Third-Party applications and services using SAML. SAML IDP allows Aeries to act as a SAML Identity Provider for any Third-Party service provider that supports SAML. Once configured, users can use Single Sign-On (SSO) to access Third-Party applications via the Aeries Navigation Menu, or they can be redirected to an Aeries login prompt when they visit a Third-Party website.
Any number of Service Providers can be configured. Each Service Provider should be able to supply the required information to enter in Aeries, including their signing certificate if applicable. If the Service Provider provides a metadata URL, Aeries can import most of the required information from that URL to get you set up quickly.
Configuring SAML
Select SAML Configuration from the main navigation menu
Collapsing the blue section bars will allow you to easily identify the 3 main areas of the form.
- System Info - Provides an overview and important information regarding configuring Aeries to provide SSO services via SAML.
- Aeries Identity Provider Configuration - Enable/Disable Aeries as an SSO SAML authentication provider (IDP) and enter the required certificate information to configure the Aeries side of the SAML connection.
- Service Providers - Enable/Disable a Service Provider's use of SAML authentication via Aeries and enter the Service Provider's certificate information to configure the Service Provider's side of the SAML connection.
System Information
This section contains information regarding setting up and the use of Aeries as a SAML Identity Provider (IDP). This section may be minimized after you have reviewed the information by selecting the chevron on the right side in the blue bar above the section.
Aeries Identity Provider Configuration
Configuring the IDP consists of entering settings for the Aeries side of the SAML connection as well as the Service Provider's side of the connection. This section provides information for setting the Aeries side of the connection as well as configuring certificate security for Districts that host Aeries in their own local environment. Hosted Districts should contact Aeries 2nd level support for assistance with certificate configurations for SAML IDP.
- Entity ID (Base URL) - This will be the Entity ID that Aeries uses as an identity provider. It should be a valid Aeries instance base URL. By default, the current base URL will display.
Note: The Entity ID (Base URL) may be treated as case sensitive by a service provider. The case shown here needs to match the case used on both sides of the SAML configuration.
- SSO URL and Metadata URL - Displays based on the Entity ID URL. This information is read-only and may need to be provided to service providers for configuration.
Certificate setup
A signing certificate can be provided in one of two ways:
Option 1 - Select Certificate from Server: Displays a pop-up of existing certificates on the web server. A certificate is only included if Aeries can read the private key. In this case, the certificate itself remains on the server, and the thumbprint is stored in the database so it can be looked up by the SAML service.
Option 2 - Upload a Certificate: Upload a .pfx file, which must be password-protected. In this case, the certificate is encrypted and stored entirely in the database.
To use the Select Certificate from Server method, the certificate can be added to IIS by using the Microsoft Management Console (MMC).
Option 1
1. Create a self-signed Certificate in IIS using the Server Certificates. The Certificate needs to be placed in the Personal store in the Local Machine location. If you wish to use an existing certificate instead, you may skip this step.
2. Close IIS
3. Open the MMC, select Add/Remove Snap-ins, and add the Certificates item on the server: select Certificates, press Add>, then OK.
4. Select Computer account and press Next.
5. Select Finish on the following screen and then OK.
6. Now that you have the Certificates snap-in, navigate to Certificates under Personal.
7. Right-click the certificate you would like to use and select Manage Private Keys.
8. Add the user IIS_IUSRS for your server.
Note: The Location needs to be changed to your server. Select Check Names then press OK.
Set the account for READ permissions and press OK.
The Select Certificate from Server button can now be used to select a certificate.
Option 2
1. Create a self-signed Certificate in IIS using the Server Certificates. If you wish to use an existing certificate instead, you may skip this step.
2. Close IIS and open the MMC's Certificate Snap-in and navigate to the Certificate you just created. Right click the certificate and select Export.
3. Select Next on the first message that appears then select "Yes, export the private key" and click Next again.
4. Select Next on the following screen.
5. Select Password and give your certificate a password that will be used in the Aeries SAML setup, then click Next.
6. Give your certificate file a name and save it to a location where you can later retrieve it for import into Aeries.
7. Click Next and then Finish.
8. Return to the Aeries SAML Configuration form.
9. Enter the password you gave to your certificate first, then select Upload Certificate.
10. The following message will appear when the certificate is successfully uploaded.
Click Save Settings to save the Aeries IDP configuration.
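The certificate steps of Option 1 and Option 2 above, done from PowerShell instead of the IIS and MMC dialogs, as an added example that is not Aeries's own tooling. It assumes Windows PowerShell 5.1 on the IIS server run as Administrator, a CAPI RSA provider so the key file lands under MachineKeys, IIS_IUSRS as the account to grant (step 8 of Option 1), and placeholder subject name and output path.

```powershell
# Create the self-signed certificate in the Local Machine Personal store
# (Cert:\LocalMachine\My), as step 1 of both options does through IIS.
# The subject name is a placeholder; use the Aeries host name.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=aeries-saml.example.test' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(3)
Write-Host "Thumbprint (what Aeries stores for Option 1): $($cert.Thumbprint)"

# Option 1 (steps 7-8): grant IIS_IUSRS Read on the private key file, which is
# what "Manage Private Keys" does in the MMC. Aeries lists a certificate only
# when it can read the private key; Read is enough, do not grant Full Control.
# Assumption: CAPI machine keys live under this MachineKeys folder.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new('IIS_IUSRS', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Option 2 (steps 2-6): export a password-protected .pfx for "Upload a
# Certificate". The same password is entered in the SAML Configuration form.
# Placeholder path: the folder must already exist.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert `
    -FilePath 'C:\temp\aeries-saml-idp.pfx' `
    -Password $pfxPassword | Out-Null

# Check: IIS_IUSRS should now appear on the key file with Read only.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like '*\IIS_IUSRS' } |
    Select-Object IdentityReference, FileSystemRights
```

After this runs, the Select Certificate from Server pop-up should list the certificate by thumbprint, and the .pfx can be used with Upload a Certificate.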
Service Providers
Begin by selecting the Add button in the blue Service Providers bar.
If the service provider has their metadata published online, select Import MetaData in the form that appears.
Enter the metadata URL provided by the Service Provider and click Get Metadata.
The information from the Service Provider will appear in the form. The Display Name can be changed. The Display Name set here is the name that will appear in the Aeries navigation for SSO to the Service Provider resources. If metadata was not imported, all fields will need to be populated manually.
- Allow Aeries to Initiate SSO? - Must be checked for the link to appear in the Aeries Navigation Menu under Third-Party Services
- Sign SAML Response? - Normally checked - Service Provider dependent
- Sign Assertion? - Normally checked - Service Provider dependent
- Require Signed Authn Request? - Service Provider dependent
- Disabled? - When checked, item will not appear in the Aeries Navigation Menu and SAML IDP will be turned off for the current Service Provider
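An added example, not part of Aeries, showing what the Get Metadata import reads from a Service Provider's SAML 2.0 metadata and how its attributes line up with the checkboxes above, so the imported values can be checked before saving. The function name, the sample metadata and its hostnames are constructed placeholders.

```powershell
function Get-SpMetadataSummary {
    param([Parameter(Mandatory)] [string] $Source)  # metadata URL or raw XML text
    $xmlText = if ($Source -match '^https?://') {
        (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } else { $Source }

    [xml]$doc = $xmlText
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $sp = $doc.SelectSingleNode('/md:EntityDescriptor/md:SPSSODescriptor', $ns)
    if (-not $sp) { throw 'No SPSSODescriptor found: this is not Service Provider metadata.' }

    # Where Aeries will POST the SAML Response (the SP's ACS endpoint)
    $acs = $sp.SelectNodes('md:AssertionConsumerService', $ns) |
        ForEach-Object { '{0} ({1})' -f $_.GetAttribute('Location'), $_.GetAttribute('Binding') }
    # Certificate the SP signs requests with; needed when "Require Signed Authn Request?" is set
    $signingCert = $sp.SelectSingleNode(
        "md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

    [pscustomobject]@{
        EntityId              = $doc.DocumentElement.GetAttribute('entityID')
        AssertionConsumerUrls = @($acs)
        AuthnRequestsSigned   = $sp.GetAttribute('AuthnRequestsSigned') -eq 'true'  # "Require Signed Authn Request?"
        WantAssertionsSigned  = $sp.GetAttribute('WantAssertionsSigned') -eq 'true' # "Sign Assertion?"
        HasSigningCertificate = [bool]$signingCert
    }
}

# Constructed sample metadata so the function runs offline (placeholder values).
$sample = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
'@
Get-SpMetadataSummary -Source $sample | Format-List
```

If the Service Provider's metadata reports AuthnRequestsSigned="true" but carries no signing KeyDescriptor, Aeries has nothing to verify the request against, so ask the provider for the certificate before enabling Require Signed Authn Request?.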
Security
After the Service Provider has been set up in the SAML Configuration form, a new option will appear in Aeries permissions under Security for Users and Groups.
Granting the user or group READ permissions will allow SAML single sign-on for this service provider. When the user visits the third-party site to log in, they will be redirected to Aeries for authentication. Also, if the Allow Aeries to Initiate SSO option was selected for this service provider, a single sign-on link will appear in the user's Aeries navigation menu under Third-Party Services.
Note: The steps required to configure the third-party service are outside the scope of Aeries support. Please consult the support resources of the third-party service for configuration instructions.
Note: The SAML selection will not appear for admin users, as admin single sign-on is not permitted for security reasons.
Selecting the menu option will initiate an SSO for the current user to the Service Provider's application.