You can configure your Organization to use a SAML Identity Provider for quick and secure access. This documentation shows how to configure it with EvolveIP's Identity and Access Management. Other vendors can be configured with the same general settings; however, their support team might need to be involved if there are issues during the setup.
Configuring SAML consists of these steps:
When an imported user attempts to log in, the system extracts the following attributes from the SAML token, if available, and uses them for interpreting the corresponding pieces of information about the user:
Group information is used if the user is not directly imported but is expected to log in by being a member of an imported group. A user can belong to multiple groups, and so can have multiple roles during a session.
If an imported user or group is assigned the Defer to Identity Provider role, the roles are assigned based on the information gathered from the Roles attribute in the token. If a different attribute is used, its name can be configured using the API; only the Roles attribute is configurable. If the Defer to Identity Provider role is used, but no role information can be extracted, the user can log in but has no rights to perform any activities. For that reason, we typically recommend against importing users or groups using the Defer to Identity Provider role.
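The role resolution described above can be modelled to check a sample assertion from your Identity Provider before importing users or groups with the Defer to Identity Provider role. This is an added example, not vCloud or EvolveIP code: the function names, the `Groups` attribute name, and the sample assertion are assumptions, and it performs no signature validation.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFER = "Defer to Identity Provider"

# Constructed sample assertion fragment (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>vcloud-admins</saml:AttributeValue>
      <saml:AttributeValue>vcloud-operators</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>vApp User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(assertion_xml, name):
    """Return all non-empty values of the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    return [v.text.strip()
            for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS) if v.text and v.text.strip()]

def effective_roles(assertion_xml, username, imported_users, imported_groups,
                    roles_attr="Roles", groups_attr="Groups"):
    """Model of the documented behaviour: None = not imported, set() = no rights."""
    if username in imported_users:
        assigned = {imported_users[username]}
    else:
        # Group information is used only when the user is not directly imported.
        groups = attribute_values(assertion_xml, groups_attr)
        assigned = {imported_groups[g] for g in groups if g in imported_groups}
        if not assigned:
            return None  # assumption of this model: no imported match, no login
    if DEFER in assigned:
        # Deferred roles come from the Roles attribute; a missing attribute
        # leaves the user logged in with no rights.
        assigned.discard(DEFER)
        assigned |= set(attribute_values(assertion_xml, roles_attr))
    return assigned
```

An empty set returned for a user or group mapped to Defer to Identity Provider means the Identity Provider is not sending the Roles attribute under the expected name.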
You should keep an enabled local Org Admin account in case you need to bypass SAML. If you subscribe to Self-Service BaaS, SAML credentials cannot be used to log into your Self-Service portal. You will NEED to use a local (non-SAML) Org Admin account when logging into your BaaS Self-Service portal.
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
This operation requires that you have administrative rights to create SAML applications within your Identity Provider.
You should now be able to authenticate into vCloud using your SAML IDP. If you run into any issues, please contact EvolveIP Support.
In the event that there is an issue with either the IDP or Service Provider preventing sign in via SAML authentication, you can bypass SAML authentication.
To do this, manually enter the tenant URL of your vCloud Organization, adding "/login" to the end of the URL.
For example, if your vCloud URL is https://vcloud.evolveip.net and your Organization Name is "Test", the URL used to bypass SAML would be https://vcloud.evolveip.net/tenant/test/login
You will then be presented with the local username and password prompt. You will need to provide local credentials in order to access the system.