Configure CSM as a SAML Service Provider
Use the Service Provider page in the SAML Settings window to configure CSM as a SAML Provider.
To configure CSM as a SAML Service Provider:
- In CSM Administrator, create a Blueprint.
- From the menu, select Tools > Edit SAML settings.
- Select the Service Provider page.
- Provide CSM identity information:
Option Description Entity URL Provide the URL that identifies the service provider. The entity and service URLs should use the same domain as specified in the signing certificates. Organization name (Optional) Provide the service provider organization name used only for display. Organization URL (Optional) Provide the URL of the service provider organization used only for display. Web service URL Provide the Cherwell web service URL (example: https://host.domain/CherwellAPI).
If you are upgrading CSM, the existing SAML web service URL is automatically updated to match the Cherwell REST API URL that us entered in the upgrade prompt. For example, if the REST API URL is https://host.domain/CherwellAPI/api/, the web service URL will be updated to https://host.domain/CherwellAPI (without the /api at the end of the path).
CSM default startup URL Provide the CSM Client or CSM Portal URL for the site to be redirected to after logging in using SAML Identity-Provider initiated authentication. Validate SAML authentication
After a user is successfully authenticated through SAML, CSM receives a response that the user is valid. To verify that the user valid response is itself is valid, CSM sends a request to a CSM web service to authenticate the response. Select whether the request is sent:
From Server (recommended)
From Client: Provided for backwards compatibility and in cases where the from server option might be incompatible with the network configuration. This is a less secure option.
In most configurations, this option only impacts the behavior of the CSM Desktop Client.
Signature algorithm Select the Secure Hash Algorithm to use for signing SAML messages between CSM applications and your identity provider. SHA-1 and SHA-256 are supported, but SHA-256 is the default and recommended option, particularly for customers who operate under General Data Protection Regulation (GDPR) jurisdiction.
- Import the Private Certificate: Personal Information Exchange Format (.pfx) file containing a certificate with a private key. This certificate must be issued by a trusted certificate authority. To import a private certificate, select Import and select the .pfx file. There is a prompt to enter the password for the file.
Signing certificates are normally managed by network IT staff; IT should be knowledgeable about the procedure for obtaining new certificates. Certificates must be obtained from trusted certificate authorities (such as VeriSign, Thawte, Go Daddy, and more).
- Export the service provider settings to a metadata file.
Use this file later to import the service provider metadata into the identity provider.
- Select Export Metadata to open the Export File window.
- Select a name and location for the metadata .xml file.