Configure Single Sign-On

You can configure, activate, or deactivate single sign-on (SSO) on the Single Sign-On Configuration page.

To access this page, click Administration > Single Sign-On.

The SSO configuration components are:

  • Identity Provider (IdP)—An external server that manages user identities and authentication, such as Okta or Microsoft Azure.
  • Service Provider—Juniper ATP Cloud acts as the service provider that receives and validates the SAML assertion sent by the IdP in response to a login request.

The IdP and the service provider establish mutual trust and share configuration details to enable secure SSO authentication.

Before you begin:

You must configure SSO settings for each organization.

Do not configure the same user or email address in both Juniper ATP Cloud and the IdP. Duplicate user accounts can cause SSO authentication failures or unexpected login behavior.

To configure SSO settings:

  1. Select Administration > Single Sign-On.
  2. Complete the configuration according to the guidelines provided below.
    Table 1: SSO Settings

    Service Provider Settings

    Display Name
      Enter a display name for the SSO setting.

    Entity ID
      Enter the unique identifier for the Juniper ATP Cloud customer portal.

    Username Attribute
      Enter the username attribute for SAML. The username attribute is mandatory and must be in e-mail address format. It is mapped to the user data that the IdP provides in the SAML assertion response.

    Sign Authentication Requests
      Enable the toggle button to sign the SAML authentication requests sent from Juniper ATP Cloud to the IdP.
      If you enable Sign Authentication Requests, you must provide both the private key and the public key certificate.

    Encrypt SAML Response
      Enable the toggle button to specify that the SAML assertion returned by the IdP is encrypted.
      If you enable Encrypt SAML Response, you must provide both the private key and the public key certificate.
      If SAML response encryption is enabled in Juniper ATP Cloud but the IdP does not encrypt SAML responses, SAML authentication fails.

    Private Key
      Enter the private key. The private key is generated locally by the user. Juniper ATP Cloud uses the private key to sign the SAML authentication request. The private key is not shared with the IdP.

    Public Key Certificate
      Enter the public key certificate. The public key certificate is generated locally by the user. You must upload the same public key certificate in the IdP portal, where it is used to validate the SAML authentication requests sent by Juniper ATP Cloud.

    Role Options
      Choose Use default role or Enter IdP specific role.

    Use default role

    Default Role
      Select a default role for the SAML user in the organization. If you have not entered a role in the Role Mapping section, you must specify the default role for the organization. Select the default role from the list:
      • System Administrator—Full privileges
      • Operator—Full privileges but cannot create users
      • Observer—Read only privileges
      • None—No default role
      You must configure either a role attribute or a default role to log in through SSO.

    First Name
      Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, a part of the e-mail address is used as the first name to create the user profile.

    Last Name
      Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, a part of the e-mail address is used as the last name to create the user profile.

    Enter IdP specific role

    Group Attribute
      (Optional) Enter the group attribute that is configured in the IdP.
      Example: role

    Administrator
      (Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Administrator role.
      Example: role_admin

    Operator
      (Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Operator role.
      Example: role_operator

    Observer
      (Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Observer role.
      Example: role_observer

    First Name
      Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, a part of the e-mail address is used as the first name to create the user profile.

    Last Name
      Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, a part of the e-mail address is used as the last name to create the user profile.

    Export SP Metadata
      Click Export SP Metadata to download the service provider metadata in XML format. The administrator can import this metadata in the IdP portal to configure all service provider settings at once, instead of configuring each service provider setting manually.

    Identity Provider Settings

    IdP Settings
      Select Import Settings to import the IdP metadata in one go. To configure the IdP settings manually, select Enter settings manually.

    Import
      Select the IdP metadata file in XML format and click Import.

    Entity ID
      Enter the unique identifier for the IdP. If you import IdP metadata, this field is filled in automatically.

    Login URL
      Enter the redirect URL for user authentication in the IdP. If you import IdP metadata, this field is filled in automatically.

    IdP Certificate
      Enter the IdP certificate used to decrypt the SAML response. If you import IdP metadata, this field is filled in automatically.

  3. Click Save.
    The SSO settings are saved.

After configuring both the service provider settings and the IdP settings, you can activate SSO. To activate SSO, click Activate. To deactivate the existing SSO, click Deactivate.
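As an added example (not Juniper's code), the following Python script shows how the rules in Table 1 play out at login by evaluating a constructed SAML response against hypothetical SSO settings: the username attribute must be an e-mail address, an enabled Encrypt SAML Response setting without an encrypted assertion fails, and the IdP group attribute is mapped to an ATP Cloud role, falling back to the default role. Signature verification and assertion decryption are left out; a real service provider performs both before trusting any attribute.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed settings mirroring the Table 1 fields (hypothetical values).
SETTINGS = {
    "username_attribute": "email",
    "encrypt_saml_response": False,
    "group_attribute": "role",
    "role_map": {"role_admin": "System Administrator",
                 "role_operator": "Operator",
                 "role_observer": "Observer"},
    "default_role": "None",          # "None" means no default role
}

# Constructed sample response carrying a plaintext, unsigned assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>role_operator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def attributes(assertion):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall(".//saml:Attribute", NS)}

def resolve_login(response_xml, settings):
    """Apply the Table 1 rules; return ("ok", user, role) or ("fail", reason)."""
    root = ET.fromstring(response_xml)
    if settings["encrypt_saml_response"] and root.find("saml:EncryptedAssertion", NS) is None:
        return ("fail", "Encrypt SAML Response is enabled but the IdP sent a plaintext assertion")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ("fail", "no plaintext assertion to evaluate (decryption not shown here)")
    attrs = attributes(assertion)
    user = (attrs.get(settings["username_attribute"]) or [""])[0]
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user):
        return ("fail", "username attribute is missing or not in e-mail address format")
    # Enter IdP specific role: the first group value with a mapping wins.
    role = next((settings["role_map"][v] for v in attrs.get(settings["group_attribute"], [])
                 if v in settings["role_map"]), None)
    # Use default role: applies only when no IdP role matched and a default is set.
    if role is None and settings["default_role"] != "None":
        role = settings["default_role"]
    if role is None:
        return ("fail", "no role attribute matched and no default role is configured")
    return ("ok", user, role)
```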