Set up a SAML Relying Party within PortalGuard

Problem

You want to set up a SAML Relying Party within the PortalGuard Identity Provider.

Requirements:

  • Metadata from the Service Provider (the application that you are integrating with)

  • Required Claims for the Service Provider

    • Either from SAML Configuration Documentation OR from the Service Provider Support Contact

  • PortalGuard Single Sign-On Pre-Requisites have been met

Solution

  1. Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.

  2. Navigate to the 'SAML Websites' tab and click 'Create' on the right-hand side

  3. On the 'General' tab, provide a 'Name' and 'Description' for the new Relying Party

  4. Click the 'Add' button next to the 'Identifiers' label

  5. In the space that appears, add the 'entityID' value for the SP.  Click 'OK' to add this identifier.

    • This is the 'entityID' attribute of the 'EntityDescriptor' element at the top of the SP metadata.

      • In the screenshot below, the 'entityID' is 'https://saml.istation.com'

  6. For the 'Assertion Consumer URL', you will need to search the SP metadata again.

    • Search the file for 'AssertionConsumerService' and copy the URL in its 'Location' attribute.

      • If multiple 'AssertionConsumerService' elements are present, use the one whose 'Binding' attribute is 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'.  If more than one HTTP-POST entry exists, prefer the one marked isDefault="true", otherwise the one with the lowest 'index'.

      • PortalGuard will POST signed assertions containing user identity to this URL, so take the metadata only from a trusted source (the SP's own HTTPS metadata endpoint or its support contact) and confirm the Location is an HTTPS URL on the SP's domain.

  7. Your final result should resemble the following screenshot, based on the examples above:

  8. Navigate to the 'Identity Claims' tab.

  9. Ensure that the 'Attribute Store' dropdown is set to the appropriate attribute store for this configuration.  This is where PortalGuard will look up the attributes used to populate the claims.

  10. Click the 'Create' button to configure your first claim.

    • For this example, we will send a single claim as 'NameID'.  For your Relying Party, you will need to know which claims to configure (see Requirements above) before starting this step.

  11. The 'Name' value is only a label for your own reference.  It is used within the Relying Party configuration and is NOT sent in the SAML response.

  12. If the claim needs to be sent as 'NameID', check the 'Send As NameID?' box here.

    • Only one claim should be sent as 'NameID'; the SAML Subject carries exactly one NameID.

  13. The 'Schema Type' is the attribute 'Name' value that the SP expects to see in the assertion.

    • Oftentimes, the SP will require the claim to be sent with an attribute 'Name' in 'urn:...' form, as listed in its SAML documentation or in the 'RequestedAttribute' elements of its metadata.

    • If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.

  14. The 'Value Type' for a standard claim should remain as 'String Field'.

  15. The 'Field Name' value should be set to the attribute that you wish to pull from the Attribute Store.

    • For this example, we will send the 'sAMAccountName' from AD as the NameID.  Note that sAMAccountName is only unique within a single domain; if the SP expects an email-style identifier, use 'mail' or 'userPrincipalName' instead.

  16. Navigate to the 'IdP-Initiated' tab.

  17. Enter some 'Display Text' for this Relying Party.

    • This is the label that users will see on the tile for this SP if they navigate to the PortalGuard SSO Jump Page.

  18. Enter some 'Help Text' for this Relying Party.

    • This text will appear next to the user's cursor if they hover over the tile but not click on it. 

  19. Click 'Choose Image' next to 'Display Image' and then 'Browse' to choose a thumbnail to display on the PortalGuard SSO Jump Page.

    • You may add a custom thumbnail to the C:\inetpub\PortalGuard\SSO\img folder

      • Keep thumbnails around 100 pixels by 100 pixels to avoid slowing down the Jump Page when the images are loaded.  Larger images will be resized to fit, but still have to be downloaded at full size.

    • If you do not have a custom thumbnail, feel free to use one of the existing options included with the PortalGuard Install

  20. If the SP you are integrating with does not support IdP-Initiated Single Sign-On, click the 'IdP-Initiated SSO not directly supported by RP' box here and provide a 'Default URL' that will initiate SSO from the SP.

    • If you are unsure, leave this box unchecked.

  21. Navigate to the 'Authorization' tab.

    • By default, the Relying Party will be accessible to anyone who can authenticate via PortalGuard.  To restrict access, click the 'Add' button here and search for an AD User, Group, or OU.  Restricting access is recommended for any application that not every PortalGuard user should reach.

      • As soon as an entry is defined here, only users that match the entries on the 'Authorization' tab will be allowed to access the Relying Party via SAML.

  22. Save the Relying Party Configuration.

  23. Apply and Sync the changes, then test a login to the SP.

  24. If you are unable to finalize the SAML configuration, please submit a ticket (LINK) or reach out to techsupport@portalguard.com for additional assistance.

    • When submitting a support request, please ensure that you have a screenshot of the error you are seeing, as well as the PG_Log and IdP_Log files from the PortalGuard Server.  This information will ensure a rapid response to your support request!
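Steps 5 and 6 above pull the 'entityID' and the HTTP-POST 'AssertionConsumerService' Location out of the SP metadata by hand, and the Requirements section asks you to find the required claims.  The following script is an added example, not part of PortalGuard or of this article: it parses SP metadata with Python's standard XML library and prints the three things you need for the 'General' and 'Identity Claims' tabs, applying the isDefault/lowest-index rule when more than one HTTP-POST endpoint is present and warning if the ACS URL is not HTTPS.  The embedded metadata is constructed for illustration: the entityID matches the screenshot above, while the endpoint URLs, the NameID format and the requested 'mail' attribute are assumptions.

```python
"""Extract the values PortalGuard needs from SAML 2.0 SP metadata.

Added example; not part of PortalGuard or of this article.  The sample
metadata below is constructed: only the entityID comes from the article,
the endpoints and requested attribute are assumptions.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD_NS}

SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://saml.istation.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/saml/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the entityID, the HTTP-POST ACS URL, NameID formats and
    requested attributes.  Raises ValueError if the document is not usable
    SP metadata; non-fatal findings are collected in 'warnings'."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this may be IdP, not SP, metadata")

    # Step 6: only endpoints with the HTTP-POST binding are candidates.
    post_acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no AssertionConsumerService with the HTTP-POST binding")
    # Prefer isDefault="true", then the lowest index.
    post_acs.sort(key=lambda e: (e.get("isDefault", "").lower() != "true",
                                 int(e.get("index", "0"))))
    acs_url = post_acs[0].get("Location", "")

    warnings = []
    if not acs_url.lower().startswith("https://"):
        warnings.append("ACS URL is not HTTPS; assertions would be posted in the clear")
    if len(post_acs) > 1:
        warnings.append("%d HTTP-POST endpoints; chose index %s"
                        % (len(post_acs), post_acs[0].get("index")))

    # Requirements: the claims the SP advertises that it wants.
    requested = [
        {"name": ra.get("Name"),
         "friendly_name": ra.get("FriendlyName"),
         "required": ra.get("isRequired", "false").lower() == "true"}
        for ra in sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", NS)
    ]
    name_id_formats = [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text]

    return {"entity_id": entity_id, "acs_url": acs_url,
            "name_id_formats": name_id_formats,
            "requested_attributes": requested, "warnings": warnings}


def main(argv):
    # Usage: python sp_metadata.py [sp-metadata.xml]; without a path the sample is used.
    text = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_SP_METADATA
    info = parse_sp_metadata(text)
    print("Identifier (entityID):  ", info["entity_id"])
    print("Assertion Consumer URL: ", info["acs_url"])
    print("NameID formats:         ", ", ".join(info["name_id_formats"]) or "(none listed)")
    for ra in info["requested_attributes"]:
        print("Requested attribute:    ", ra["name"], "(%s)" % ra["friendly_name"],
              "REQUIRED" if ra["required"] else "optional")
    for w in info["warnings"]:
        print("WARNING:", w)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the metadata file the SP gave you and copy the printed entityID and ACS URL into steps 5 and 6; the 'Requested attribute' lines give you the 'Schema Type' values for step 13.  Many SPs publish no 'AttributeConsumingService' at all, in which case the required claims still have to come from the SP's documentation or support contact as the Requirements section says.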