Integrating SAML SSO with CNC Console IAM

Overview

Security Assertion Markup Language (SAML) is an open standard that lets an identity provider (IdP) pass authentication and authorization data to a service provider (SP). The IdP authenticates the user and returns an assertion describing the authenticated user and the authentication event to the application. If the user then accesses another application that relies on the same IdP for authentication, the user is not asked to log in a second time and is granted access. This is the principle of Single Sign On (SSO).

CNCC supports SAML 2.0.

Configuring SAML Identity Provider in CNCC IAM

  1. To configure a SAML identity provider (IdP) in CNCC IAM, log in to the CNCC IAM Console using the admin credentials provided during installation of CNCC IAM.
    http://<cncc-iam-ingress-external-ip>:<cncc-iam-ingress-service-port>
    Example: http://cncc-iam-ingress-gateway.cncc.svc.cluster.local:30085/

    img/saml1.png

  2. Select the Cncc realm, then Identity Providers in the left pane. The Identity Providers screen appears in the right pane.

    img/saml2.png

  3. From the Add provider drop-down list, select the SAML v2.0 entry. The Add Identity Provider screen appears.

    img/3sso.png

    Note:

    • Give an appropriate name for the field Alias.
    • At Import External IDP Config, upload the 'idp-metadata.xml' file exported from the SAML client (the registration created for CNCC IAM) in the IdP.

    Click Import and then Save. The other required fields, such as the Single Sign-On Service URL, the NameID policy format and the validating X509 certificate, are filled in automatically from the metadata. Review them before saving; in particular, confirm that a validating certificate was imported, because without it the broker cannot verify the IdP's signature on the assertions it receives.

  4. To create a custom First Login Flow, click Authentication in the left pane. The Authentication screen appears.

    img/saml5.png

  5. Click New in the right pane. The Create Top Level Form screen appears.

    img/saml6.png

    Enter the appropriate alias and click Save.

  6. The Authentication screen appears with the newly created custom flow selected in the drop-down list. Click Add Execution in the right pane.

    img/saml7.png

  7. The Create Authenticator Execution screen appears.

    img/saml8.png

    Select Create User If Unique from the Provider drop-down list and click Save. This authenticator creates a local CNCC IAM user for the SAML identity on its first login when no existing user has the same username or email address, so the brokered user is an imported account in the Cncc realm.

  8. The Authentication screen appears with the newly created custom flow selected in the drop-down list. In the Requirement column of the Create User If Unique execution, select Alternative.

    img/saml9.png

  9. Select Identity Providers in the left pane, open the SAML provider configured above, and select the custom flow from the First Login Flow drop-down list.

    img/5sso.png

Mapping SAML IdP roles with CNCC IAM API roles

  1. After saving the SAML IdP configuration in CNCC IAM, select Identity Providers in the left pane, open the SAML provider, and click the Mappers tab in the right pane. Click Create.

    img/25.png

  2. The Add Identity Provider Mapper screen appears.

    img/26.png

    • Give an appropriate name for the field Identity Provider Mapper.
    • Select 'SAML Attribute to Role' from the Mapper Type drop-down.
    • Enter the Attribute Name of the SAML attribute that carries the role, and the Attribute Value as one of the roles defined in the SAML IdP. Example: 'NRF', 'SCP', etc. The mapper grants the role only when the assertion carries an attribute with exactly this name and value.
    • Click Select Role to select the API role to be granted for this mapping.
    • Click Save.
  3. The user can create any number of mappings, one per IdP attribute value and API role, as required.

    img/27.png
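    The mappers above decide, from the attribute values in the IdP's assertion, which API roles a brokered user receives. The following model of that evaluation is added here as an example (not CNCC IAM's own code) to make the matching rule concrete: each mapper matches one attribute name and one exact, case-sensitive value, values no mapper covers grant nothing, and a user can collect several roles from one multi-valued attribute. The mapper list, the attribute name 'groups', the role names and the assertion body are constructed for the example; 'NRF' and 'SCP' are the attribute values the page itself uses. The example assumes, as Keycloak-style brokers do, that the Attribute Name setting is also accepted against the attribute's FriendlyName.

```python
"""Model of the 'SAML Attribute to Role' identity-provider mapper.

Given a SAML assertion and the mappers configured in CNCC IAM, compute
which API roles the brokered user would be granted.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed mapper configuration mirroring the fields of the mapper form.
# The attribute name 'groups' and the role names are assumptions.
MAPPERS = [
    {"name": "nrf-mapper", "attribute_name": "groups", "attribute_value": "NRF", "role": "nrf-api-role"},
    {"name": "scp-mapper", "attribute_name": "groups", "attribute_value": "SCP", "role": "scp-api-role"},
]

# Constructed assertion body. It is unsigned and carries no Conditions:
# signature and validity checks happen in the broker before mappers run
# and are not modelled here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups" FriendlyName="groups">
      <saml:AttributeValue>NRF</saml:AttributeValue>
      <saml:AttributeValue>UDR</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement.

    The attribute is registered under both its Name and its FriendlyName
    (assumption: the mapper accepts either for 'Attribute Name').
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        for key in {attr.get("Name"), attr.get("FriendlyName")} - {None}:
            attrs.setdefault(key, []).extend(values)
    return attrs


def roles_for_assertion(xml_text, mappers=MAPPERS):
    """Return (set of API roles granted, sorted list of (name, value) pairs
    on mapped attributes that no mapper covers)."""
    attrs = assertion_attributes(xml_text)
    granted = set()
    for m in mappers:
        # Exact, case-sensitive comparison with the configured Attribute Value.
        if m["attribute_value"] in attrs.get(m["attribute_name"], []):
            granted.add(m["role"])

    mapped = {(m["attribute_name"], m["attribute_value"]) for m in mappers}
    mapped_names = {name for name, _ in mapped}
    unmapped = sorted(
        {(name, v) for name, vals in attrs.items() if name in mapped_names
         for v in vals if (name, v) not in mapped}
    )
    return granted, unmapped


if __name__ == "__main__":
    roles, leftovers = roles_for_assertion(SAMPLE_ASSERTION)
    print("granted API roles:", sorted(roles))
    print("attribute values with no mapper:", leftovers)
```

    Because the role set is derived purely from attribute values the IdP asserts, the IdP must emit 'NRF', 'SCP' and similar values only for users entitled to those APIs; a value that differs in case or spelling ('nrf') matches no mapper and silently grants nothing, which is the safe direction but is a common cause of "user logs in but sees no APIs".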

Accessing CNCC Core Application

  1. To log in to CNCC Core, browse to the application using its hostname and port. The user is redirected to CNCC IAM (the broker).
    http://<cncc-core-ingress-external-ip>:<cncc-core-ingress-service-port>
    Example: http://cncc-core-ingress-gateway.cncc.svc.cluster.local:30075/

    img/12sso.png

  2. Click Single Sign On (SSO) to authenticate using SAML SSO. The user is redirected to the SAML IdP login page. Enter the user credentials there; on success the IdP returns the user to CNCC IAM, which runs the First Login Flow and the role mappers configured above and then grants access to the CNCC Core application.