
MSP Portal Configuration

Guided setup of SAML SSO in EnGenius Cloud's MSP Portal

Necessary Pre-requisite

  • ADFS installation and initial setup are complete.

  • Obtain the metadata file from ADFS.

  • The MSP portal on EnGenius Cloud Platform is activated with an MSP license.
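The metadata file named in the second prerequisite can be pulled straight from the ADFS farm's well-known federation metadata endpoint. The PowerShell below is an added example, not part of the EnGenius or Microsoft documentation; it assumes the placeholder hostname adfs.example.com and prints the fields the MSP Portal's IdP entry depends on (entity ID, sign-on endpoints for the Login URL, and the token-signing certificate with its expiry).

```powershell
# Added example (not from the EnGenius or Microsoft docs): download the ADFS
# federation metadata and summarise what the MSP Portal IdP entry will consume.
# Assumption: the ADFS farm is reachable as adfs.example.com (placeholder hostname).
$AdfsHost    = 'adfs.example.com'
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$OutFile     = Join-Path $env:TEMP 'FederationMetadata.xml'

# Fetch over HTTPS and keep the file; this is the IdP Metadata file uploaded in the MSP Portal.
Invoke-WebRequest -Uri $MetadataUrl -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the IdP's unique identifier (the Issuer value in its assertions).
$entityId = $md.DocumentElement.GetAttribute('entityID')

# SingleSignOnService endpoints are where SP-initiated requests go (the ADFS login page).
$ssoEndpoints = $md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { '{0} -> {1}' -f $_.GetAttribute('Binding'), $_.GetAttribute('Location') }

# The token-signing certificate is what the SP uses to verify assertion signatures;
# its NotAfter date tells you when a re-export of the metadata will be needed.
$certNodes = $md.SelectNodes(
    '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
$certs = foreach ($n in $certNodes) {
    $raw = [Convert]::FromBase64String($n.InnerText.Trim())
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    [pscustomobject]@{ Subject = $c.Subject; NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint }
}

"Entity ID : $entityId"
'SSO endpoints:'; $ssoEndpoints
'Token-signing certificates:'; $certs | Format-Table -AutoSize
```

If ADFS rolls over its token-signing certificate, the metadata changes and the IdP entry in the MSP Portal needs the freshly exported file, otherwise assertion signature checks at the SP fail.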

Configure SAML SSO for the Organization

  1. Go to Organization > MSP Portal > Teams > Team Management and find the SAML SSO section.

  2. Enable SAML SSO.

1-1 SAML SSO

  3. Click on Add to create a new "IdP" and input the SAML identity provider details:

  • Upload the Identity Provider (IdP) Metadata file, which you can extract from your ADFS server.

  • Provide a Name that helps to identify this IdP.

  • Provide the Login URL, which is the URL of the existing ADFS login page.

1-2 Add IdP

IdP Metadata for SSO Integration

Metadata for an IdP is a data file containing the IdP's unique identifier, service URLs, public key certificates, and supported communication protocols, used to enable secure SSO connections.

Logout URL for Auto-Logout Redirection

The 'Logout URL' allows users to set a specific webpage to redirect to after a defined period of inactivity, ensuring an automatic and secure logout.

  4. Upon creation of the IdP, the system auto-generates the Consumer URL, the address to which the IdP sends the user data after IdP authentication.

1-3 Consumer URL

Record the "Consumer URL" as it is essential for future ADFS configuration.

  5. Customize the EnGenius SSO Login URL: adjust the ending of the URL for easier recall. It serves as a direct link to the default IdP and is unique to a single IdP.

1-4 SSO Login URL

  6. Select a Default IdP from the IdP list. It is associated with the EnGenius Cloud SSO page as the IdP that users are redirected to when they log in through the SSO URL.

1-5 Default IdP

Multi-IDP SAML SSO Configuration

You can manage and create several IdPs in the EnGenius Cloud to establish SAML SSO, each with its unique Login and Consumer URLs, but only one can map to the SSO Login shorthand URL.

Create SAML Roles

Navigate to Organization > MSP Portal > Teams > Team Privilege to access the SAML administrator roles. Use this to assign user group privileges. SAML users receive permissions based on the 'role' attribute in their SAML token from the IdP.

To set up a new role for the IdP:

  1. Click "Add Team".

  2. Assign managed scope and permissions as you would for standard users.

  3. To finalize, click "Create admin" and "Save changes".

1-6 Team Privilege

The new team is set by default to the "All Org" scope with "Admin" permissions; however, customization for individual organizations is possible.

Configuring SAML SSO with ADFS

Enabling SAML Single Sign-On (SSO) with ADFS on EnGenius Cloud MSP Portal

Introduction

This guide details setting up Active Directory Federation Services (ADFS) as a SAML SSO identity provider (IdP) for EnGenius Cloud - MSP Portal. Prior reading on SAML integration is advised. It assumes an existing ADFS setup.

Refer to Microsoft's guide for detailed ADFS configuration. The integration steps presented may vary by environment, but the SAML assertion must include specific usernames and role attributes.

Feature Overview

Explore SAML SSO fundamentals and benefits with ADFS on EnGenius Cloud

SAML SSO Intro

SAML (Security Assertion Markup Language) is a protocol for authentication and authorization that allows users to securely access multiple applications with a single set of credentials. It strengthens security and simplifies the sign-in process, making it easier for organizations to deploy SSO (Single Sign-On) across their systems and applications.

The feature integrates SAML SSO with ADFS to streamline user authentication across different services that an organization uses.

At its core, SAML involves three participants:

  • The User - This is the individual trying to access a service (the EnGenius Cloud).

  • The Identity Provider (IdP) - This is the trusted entity that verifies the user's credentials, like usernames and passwords, and any associated groups or attributes. It is usually a login portal; in this context, it is ADFS.

  • The Service Provider (SP) - This is the service or application the user is trying to use, which, in this context, is the EnGenius Cloud.

Use Cases of SAML SSO with ADFS

  1. Centralized Authentication for Corporate Applications:

    • SAML SSO with ADFS enables employees to access various enterprise applications, including HR systems, email, and CRM tools, using a single credential set, reducing the necessity for multiple usernames and passwords.

  2. Integrating with Cloud Services:

    • Using SAML SSO with ADFS streamlines employee access to cloud services like Microsoft Office 365, Salesforce, and third-party cloud platforms, ensuring secure and user-friendly authentication.

SAML Login Options

EnGenius Cloud provides two SAML login options with ADFS integration: IdP-Initiated and SP-Initiated. The choice depends on your administrators' preferred user experience and your business's IdP protocols. Both methods are compatible and can be used together. This article explains the SAML setup compatible with both IdP-Initiated and SP-Initiated SAML.

IdP-Initiated SAML

IdP-Initiated SAML is ideal for organizations with a standard login portal for app and service access. This guide outlines the fundamental setup for the IdP-Initiated SAML with ADFS.

User Flow for IdP-Initiated SAML:

  1. Log in through the ADFS portal

  2. Choose the desired service (such as the EnGenius Cloud)

  3. User authentication by ADFS

  4. Get redirected to the EnGenius Cloud

SP-Initiated SAML

Choose SP-Initiated SAML for direct login via the EnGenius Cloud (SSO URL), especially if you don't use a separate login portal.

SP-Initiated SAML User Flow:

  1. Begin at the EnGenius Cloud (SSO URL)

  2. Get redirected to your IdP (ADFS login portal)

  3. Choose the desired service (such as the EnGenius Cloud)

  4. User authentication by ADFS

  5. Get redirected to the EnGenius Cloud

EnGenius Cloud SSO URL

The EnGenius Cloud SSO URL, customizable for easy recall via the MSP Portal GUI, links to and redirects users to the specific IdP's login portal.


ADFS Configuration

Configure ADFS for seamless integration with EnGenius Cloud's SSO

This guide provides the steps for configuring ADFS on Windows Server 2022 as an IdP. Please note that images used in the steps may vary with Windows Server updates.

Create “Relying Party Trust”

  1. Launch the AD FS management console from Start > Administrative Tools > AD FS Management.

  2. Select 'AD FS' at the top and from the Actions menu, choose 'Add Relying Party Trust'.

  3. Click 'Start' to configure a new trust for Dashboard.

  4. Opt to 'Enter data about the relying party manually' and click 'Next'.

  5. Provide a 'Display name' such as "EnGenius Cloud" for identification in the console and for users, then proceed with 'Next'.

  6. Bypass the 'Configure Certificate' step by selecting 'Next'.

  7. Check the box to Enable support for the SAML 2.0 WebSSO protocol. Input the EnGenius Cloud's 'Consumer URL' into the text field and click 'Next'.

The Consumer URL can be found under Organization > MSP Portal > Teams > Team Management > SAML SSO Settings (from the IdP configuration).

  8. For 'Relying party trust identifier', input "https://msp-sso.engenius.ai", click 'Add', then 'Next'.

Relying Party Trust ID in SAML Authentication

The Relying Party Trust Identifier is a unique identifier that an Identity Provider uses to recognize and authenticate the specific Service Provider (the EnGenius Cloud) in a SAML setup.

  9. Set default authorization rules; for this guide, choose 'Permit everyone' and click 'Next'.

Configure Username Attributes (email)

  1. Open the 'Edit Claim Rules' dialog and go to the 'Issuance Transform Rules' tab, then click 'Add Rule'.

  2. Choose 'Send LDAP Attributes as Claims' as the template and click 'Next'.

  3. To configure a username attribute for SAML:

  • Name the claim rule "Email".

  • Choose 'Active Directory' for the attribute store.

  • Select a unique LDAP Attribute, like E-Mail-Addresses, that will be sent to the EnGenius Cloud as the username.

  • Set the Outgoing Claim Type to "email".

  • Click 'Finish'.

Outgoing Claim Type

An "Outgoing Claim Type" is a user attribute, like an email or username, that ADFS sends to a Service Provider (EnGenius Cloud) to identify and authorize users in SAML transactions.

Configure Role Attributes (Team Privilege)

  1. Open 'Edit Claim Rules', navigate to 'Issuance Transform Rules', and select 'Add Rule'.

  2. For the template, select 'Send Group Membership as a Claim'.

  3. Name the claim rule "Teams" for assigning user roles.

  4. Use 'Browse' to pick a group for the role assignment.

  5. Set the Outgoing claim type to "msp_teams".

  6. Enter the matching Role/Team value from the MSP Portal's Teams role in 'Outgoing claim value' to grant access.

  7. Click 'Finish'.

The role/team must correspond with one in EnGenius Cloud under Organization > MSP Portal > Teams > Team Privileges.
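The same relying party trust and both claim rules (the "email" username claim and the "msp_teams" group claim) can be created with the ADFS PowerShell module instead of the wizard. This is an added example and not the EnGenius or Microsoft guide's own script; it assumes it runs elevated on the ADFS server, that $ConsumerUrl is replaced with the value copied from the MSP Portal, and that $TeamGroupSid is a placeholder for the AD group whose members should land in the "Admin" team.

```powershell
# Added example, not the EnGenius or Microsoft guide's own script: build the
# "EnGenius Cloud" relying party trust from the steps above with the ADFS module.
# Assumptions: run elevated on the ADFS server; $ConsumerUrl is a placeholder for the value
# under Organization > MSP Portal > Teams > Team Management > SAML SSO Settings;
# $TeamGroupSid is a placeholder SID for the AD group that maps to the "Admin" team.
Import-Module ADFS

$ConsumerUrl  = 'https://REPLACE-WITH-CONSUMER-URL-FROM-MSP-PORTAL'
$Identifier   = 'https://msp-sso.engenius.ai'                     # relying party trust identifier
$TeamGroupSid = 'S-1-5-21-000000000-000000000-000000000-1234'    # placeholder AD group SID
$TeamName     = 'Admin'                                           # must match a team under Team Privileges

# Issuance transform rules in ADFS claim-rule language. "Email" is what the
# 'Send LDAP Attributes as Claims' template emits (E-Mail-Addresses -> outgoing type "email");
# "Teams" is what 'Send Group Membership as a Claim' emits (group SID -> "msp_teams" = team name).
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("email"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "Teams"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$TeamGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "msp_teams", Value = "$TeamName", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# SAML 2.0 WebSSO support: the Consumer URL is the assertion consumer (HTTP-POST) endpoint.
$Acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ConsumerUrl

# 'Permit everyone' is the built-in access control policy the wizard offers on Server 2016+.
Add-AdfsRelyingPartyTrust -Name 'EnGenius Cloud' `
    -Identifier $Identifier `
    -SamlEndpoint $Acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $TransformRules

# Check the result: identifier, ACS endpoint and both claim rules should all be present.
Get-AdfsRelyingPartyTrust -Name 'EnGenius Cloud' |
    Select-Object Name, Identifier,
        @{ n = 'ACS';   e = { $_.SamlEndpoints.Location } },
        @{ n = 'Rules'; e = { $_.IssuanceTransformRules } } |
    Format-List
```

Only members of the group behind $TeamGroupSid receive an msp_teams claim, so a user outside every mapped group authenticates at ADFS but arrives at EnGenius Cloud without a team privilege.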

Accessing EnGenius Cloud with ADFS Authentication

Users authenticated via ADFS can now sign into the "EnGenius Cloud".

Setting Up EnGenius Cloud Account via ADFS Portal

If this is your first time accessing EnGenius Cloud service through your company's ADFS portal, you'll need to set up a user account initially. Once done, this will allow for automatic sign-in thereafter. The user account includes the following data:

  • User name

  • Email

  • Region

Figures for the ADFS Configuration section:

2-1 Add Relying Party Trust
2-2 Enter data about the relying party manually
2-3 Display Name
2-4 Enable support for the SAML 2.0 WebSSO
2-5 Relying party trust identifier
2-6 Relying party trust identifier
2-7 Permit everyone
2-8 Edit Claim Rules
2-9 Send LDAP Attributes as Claims
2-10 Outgoing Claim Type
2-11 Configure Role Attributes
2-12 Configure 'Team Privilege' on EnGenius Cloud
2-13 ADFS Sign-In Page
2-14 Access EnGenius Cloud for the first time