SAML
What is SAML?
SAML stands for Security Assertion Markup Language. It is a standard that Identity
Providers use to communicate authorization credentials to different Service Providers, which
lets users manage one set of credentials to authenticate with different services.
SAML enables federated login to several services by passing authorization credentials between
them. A SAML flow has three main roles:
End User: A user who is trying to access a service using federated login credentials.
Identity Provider (IDP): An identity provider authenticates the end user's identity and
sends the necessary data to the service provider, along with any other access control data,
in the form of SAML Assertions. Popular examples are Azure Active Directory and Okta.
Service Provider (SP): A service provider is the system that requests authentication from
an identity provider to authorize an end user. Anyware Manager plays the role of an SP.
SAML Assertions
SAML Assertions are XML documents that the IDP sends to a given SP to validate user
authorization. There are three different types of SAML Assertions:
Authentication: This assertion provides user identity and the time at which a user was
authenticated and the method of authentication that was used.
Attribute: This assertion passes the SAML attributes about the user to the service
provider. There can be more than one attribute assertion in a SAML response.
Authorization: This assertion is the IDP's decision on whether the user was successfully
authorized to access the service or not. The most common causes of failed
authorization are an incorrect password and/or insufficient access to the service the end user
tried to access.
Configure Anyware Manager as a SAML Service Provider to Enable Multi-Admin
The following section outlines the steps to set up and configure SAML for Anyware Manager
using the Anyware Manager Admin Console:
1. From the account icon, click Multi Admin Settings to create a new multi-admin
configuration.
2. Register Anyware Manager as an SP with your IDP. You can obtain the Assertion
Consumer Service URL and Audience URL from the Configuration Info section. Use this
information to configure your IDP to recognize Anyware Manager as an SP.
3. Configure Anyware Manager to be able to connect to your IDP. Obtain the Identity
Provider Login URL and Identity Provider Certificate from your IDP and configure
the IDP Settings section accordingly. Alternatively, you can upload an IDP XML
Metadata file in the IDP Settings section.
4. Enable the Multi-Admin configuration to use the configured IDP. Make sure that your
configuration is enabled by toggling the switch at the bottom of the Configuration
Info section and confirm that you see the Configuration is enabled message.
5. Configure Anyware Manager Assertion Attributes:
To allow an individual user as an admin, go to the Allowed Admins section and add the
UPN associated with that user. Anyware Manager validates the UPN against
the NameId SAML assertion attribute in the SAML response received from the
IDP.
To allow user groups, go to the Allowed Groups section and configure
the Group Attributes accordingly. This configures Anyware Manager to validate
the Group Name and/or Group ID SAML attribute assertions in the SAML
response received from the IDP.
You can configure either Allowed Admins or Allowed Groups, or both, in
the Multi-Admin Settings.
6. Allowed users can now access Anyware Manager by opening the Anyware Manager
login page URL, which is available in the Configuration Info section. Alternatively,
users can log in directly via the IDP using the Direct login via identity
provider URL, also available in the Configuration Info section.
Configuration Information
Anyware Manager login page: A link to the page for multi-administrator login to the
Admin Console. This is the SSO link used by the end user in Step 1 of the SAML auth flow
diagram.
Direct login via identity provider: An endpoint to which multi-admin sign-in requests
can be sent. This is the login page for the configured IDP.
Assertion Consumer Service URL: The callback URL provided to the IDP, to which
user information is sent once the IDP has authorized the user. This is the Anyware
Manager endpoint that the IDP sends the SAML response to in Step 5 of the SAML auth
flow diagram.
Audience URL: The entity ID that the IDP can use to identify the Admin Console.
IDP Settings
This section contains IDP settings that can be updated to manage the SAML configuration within
Anyware Manager:
Identity Provider Login URL: The IDP endpoint to which SAML authentication
requests are sent. This is the endpoint that Anyware Manager sends the SAML login
request to in Step 2 of the SAML authentication flow diagram above.
Identity Provider Certificate: The public certificate of the IDP, used to verify the
IDP's signature on the SAML response.
You can also upload a .xml file that contains your IDP information.
Allowed Admins
This section enables you to add new admins and displays all existing admins that are allowed to
log in via your IDP. To add a new admin, enter their e-mail and click the Add Admin button.
Allowed Groups
This section enables you to add new groups and displays all existing groups that are allowed to
log in via your IDP. To enable access for a group of users, enter the claim type and group
claim and click Add Group.
The claim type informs Anyware Manager how the group is returned in the SAML
attribute assertions in the SAML response received from your IDP.
The group claim matches against the group either in the Group Name claim or in
the Group ID claim received in the SAML attribute assertions for a user based on
the claim type defined for the group.
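The two checks described above (Allowed Admins against the NameID, Allowed Groups against a group claim selected by claim type), worked through on a constructed SAML response. This is an added illustration, not Anyware Manager's code; the attribute names GroupName and GroupID and the sample values are assumptions, and signature verification with the IDP certificate is taken to have happened before parsing.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard URNs).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response: one assertion carrying the NameID (the UPN)
# and two group claims. Attribute names are assumed for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="GroupName">
        <saml:AttributeValue>Anyware-Admins</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="GroupID">
        <saml:AttributeValue>3f0c2a6e-0000-4000-8000-000000000001</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_response(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML Response.
    The response's signature must already have been verified with the
    IDP certificate; nothing here is trustworthy before that check."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs

def is_allowed(name_id, attrs, allowed_admins, allowed_groups):
    """Allowed Admins check: NameID equals a configured UPN (exact match assumed).
    Allowed Groups check: each entry is (claim_type, group_claim); the group
    claim must appear under the attribute named by its claim type."""
    if name_id in allowed_admins:
        return True
    return any(claim in attrs.get(claim_type, [])
               for claim_type, claim in allowed_groups)
```

Note that a group claim configured under the wrong claim type does not match even when the same value is present under the other attribute, which is why the claim type must mirror how the IDP actually returns the group.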