Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure SSO Settings

To access this page, click Administration > Single Sign-On Settings. You can configure, activate, or deactivate Single sign-on (SSO) from the Single Sign-On Configuration page.

The entities involved during the SSO configuration are:

  • Identity Provider (IdP)—An external server that handles management of user identities. For example, Okta, and Microsoft Azure.
  • Service Provider (SP)—Juniper ATP Cloud acts as an SP that receives the SAML assertion sent by IdP in response to a login request.

Both IdP and SP trust each other and share configurations.

Before you begin:
Note:

You must configure the SSO setting per realm.

To configure SSO settings:

  1. Select Administration> Single Sign-On Settings.
  2. Complete the configuration by using the guidelines in Table 1.
  3. Click Save.

After configuring the SP settings and the IdP settings, you can activate SSO. To activate SSO, click Activate.

To deactivate existing SSO, click Deactivate.

Table 1: SSO Settings

Field

Description

Service Provider Settings

Display Name

Enter a display name for the SSO setting.

Entity ID

Enter the unique identifier for Juniper ATP Cloud customer portal.

Username Attribute

Enter the username attribute for SAML. Username attribute is mandatory and must be in e-mail address format. The username attribute is mapped to the user data, which is provided by IdP in the SAML assertion response.

Sign Authentication Requests

Enable the toggle button to sign the SAML authentication requests sent from Juniper ATP Cloud to IdP.

If you enable sign authentication requests, you must provide both private key and public key certificate.

Encrypt SAML Response

Enable the toggle button to specify that the SAML assertion returned by the IdP is encrypted.

If you have enabled encrypt SAML response, you must provide both private key and public key certificate.

Note:

If you have enabled encryption for SAML response in Juniper ATP Cloud customer portal but the SAML responses from your IdP are not encrypted, then SAML authentication will be rejected.

Private Key

Enter the private key. The private key is generated locally by the user. In Juniper ATP Cloud, the private key is used to sign SAML authentication request. The private key is not shared with IdP.

Public Key Certificate

Enter the public key certificate. The public key certificate is generated locally by the user. You must upload the same public key certificate in IdP portal. In IdP, the public key certificate is used to validate the SAML authentication request sent by Juniper ATP Cloud.

Role Options Choose Use default role or Enter IdP specific role.

Default Role

Default Role

Select a default role for the SAML user in the realm. If you haven't entered the role under Role Mapping section, you must specify the default role for the realm. Select the default role from the list.

  • System Administrator-Full privileges
  • Operator-Full privileges but cannot create users
  • Observer-Read only privileges
  • None-No default role
Note:

You must configure the role attribute or the default role to log into the SSO page.

First Name

Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, then a part of the e-mail address is used as the first name to create the user profile.

Last Name

Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, then a part of the e-mail address is used as the last name to create the user profile.

IdP Specific Role

Group Attribute

(Optional) Enter the group attribute that is configured in IdP.

Example: role

Administrator

(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Administrator role.

Example: role_admin

Operator

(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Operator role.

Example: role_operator

Observer

(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Observer role.

Example: role_observer

Last Name

Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, then a part of the e-mail address is used as the last name to create the user profile.

First Name

Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, then a part of the e-mail address is used as the first name to create the user profile.

Export SP Metadata

Click to download SP metadata in XML format. The administrator can download and use the SP metadata to dynamically configure all SP settings in IdP portal, at a time. The administrator need not manually configure individual SP settings.

Identity Provider Settings

IdP Settings

Select Import Settings to import the IdP metadata in one go. To manually configure the IdP settings, select Enter settings manually.

Import

Select the IdP metadata in XML format and click Import.

Entity ID

Enter the unique identifier for the IdP. If you import IdP metadata, the information will be updated automatically.

Login URL

Enter the redirect URL for user authentication in IdP. If you import IdP metadata, the information will be updated automatically.

IdP Certificate

Enter the IdP certificate to decrypt the SAML response. If you import IdP metadata, the information will be updated automatically.