2.18.2 SAML Feature Description

  • DSR and SDS act as the service provider (SP) for SAML authentication.
  • DSR/SDS SAML authentication and configuration are supported through the GUI only. There is no MMI support for them.
  • The DSR / SDS GUI can be accessed using the XMI or VIP address for SAML version 2.0 based authentication.
  • IDP-provided XML metadata is uploaded from the Active NOAM screen “Administration -> Remote Servers -> SAML Authentication”. The same IDP metadata applies to the other OAM servers in the topology.
  • DSR / SDS supports the HTTP-POST and HTTP-Redirect bindings when the SAML request is sent by the SP to the IDP via the user agent. The binding to use should be available in the IDP-provided metadata.
  • DSR / SDS supports the HTTP-POST binding when the IDP sends the SAML response to the SP via the user agent. This information is available in the DSR / SDS metadata.
  • No notification is sent to the IDP when a user accessing the DSR / SDS GUI is voluntarily or forcibly logged out of the DSR / SDS GUI.
  • DSR / SDS does not report any error if a SAML response / assertion is not received. A few such cases are:
    • The user agent does not redirect the SAML authentication request to the IDP.
    • The IDP does not send a SAML response / assertion.
    • The user agent does not redirect the SAML response / assertion to DSR / SDS.
    • There is no communication between the IDP and the user agent.
  • A few causes of SAML authentication login failure are listed below. Note that this is not a complete list of potential failures.
    • The SAML feature is not enabled.
    • IDP metadata is not uploaded.
    • IDP metadata is not syntactically correct.
    • Parameters required to send the SAML authentication request are missing from the IDP metadata.
    • The SAML response does not contain the required parameters.
    • A failed SAML response is received from the IDP.
    • The authenticated user is not created on DSR / SDS.
    • The authenticated user account is disabled on DSR / SDS.
  • The URL below is used to access the GUI for SAML-based authentication. Each NOAM/SOAM has a different IP address and is authenticated separately.
    • https://<XMI OR VIP IP>?auth=SAML
DSR / SDS has no control over the communication between the IDP and the user agent.
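As an added example (not Oracle's code), the following script pre-checks an IDP metadata file before upload against the metadata-related failure causes listed above: empty or malformed XML, a missing IDPSSODescriptor, no SingleSignOnService with the HTTP-POST or HTTP-Redirect binding, and no signing certificate. The exact parameters DSR / SDS requires are not stated on this page, so these checks are assumptions, and the sample metadata and its certificate are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not Oracle's code. The checks mirror the metadata-related failure
# causes listed above; anything the SP requires beyond them is an assumption.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUPPORTED_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                      "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata looks usable."""
    if not xml_text or not xml_text.strip():
        return ["IDP metadata is not uploaded (empty document)"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"IDP metadata is not syntactically correct: {exc}"]
    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: nowhere to send the AuthnRequest"]
    # The AuthnRequest can only be sent to an endpoint whose binding the SP supports.
    if not any(e.get("Binding") in SUPPORTED_BINDINGS and e.get("Location")
               for e in idp.findall("md:SingleSignOnService", NS)):
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    # Without the IDP's signing certificate the SP cannot verify the SAML response.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.get("use", "signing") == "signing"
               and k.find(".//ds:X509Certificate", NS) is not None]
    if not signing:
        problems.append("no signing certificate in KeyDescriptor")
    return problems

# Constructed sample metadata; the certificate is a placeholder, not a real IDP's.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA) or "IDP metadata looks usable")
```

Run it against the metadata exported from the IDP before uploading on the Active NOAM; a non-empty list corresponds to one of the login failure causes above.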

Note:

IDP configuration, or configuring the DSR or SDS metadata on the IDP, is out of scope for DSR and SDS.

Figure 2-70 SAML Call Flow
