Advanced: SAML

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdPs) to pass authentication and authorization data, in the form of signed assertions, to service providers (SPs).

This section contains the following topics:

  • Configuring SAML/IdP support
  • Deactivating or deleting the IdP metadata file

Use this feature to let local administrator users sign in to the Admin Portal and the self-service user portal with single sign-on (SSO). It also lets administrators automatically redirect authentication for the Admin Portal and the user portal to your external IdP.

Enabling SAML restarts Core, which disrupts services until the configuration is complete. Therefore, access to the Admin Portal and self-service user portal is not available until the SAML/IdP configuration is successfully completed. Furthermore, username/password authentication and certificate authentication to the Admin Portal and the self-service user portal are disabled once SAML is enabled.

SAML is not supported on the System Manager portal. However, when SAML is enabled, local users can authenticate to the System Manager with a user ID and password, but not with certificate authentication.

NOTE: If you set up SAML after setting the Admin Portal to run on port 8443, automatic redirection to the Admin Portal and to the self-service user portal succeeds. If you set up SAML after setting the Admin Portal to run on port 443, redirection does not succeed until you reconfigure the Admin Portal to run on port 8443.

You must reconfigure SAML using the System Manager if both of the following are true:

  • You upgraded to this version of Core from a version of Core prior to 10.0.0.0.
  • You had configured SAML using the command line on Core. Note that configuring SAML from the command line is not supported from Core 9.7 through the current Core release.

Contact MobileIron Technical Support if you have authentication failures in this scenario.

Configuring SAML/IdP support

This topic describes how to configure SAML with an external IdP. For more details, refer to Microsoft documentation.

Before you begin

  • Create at least one SAML user, with associated permissions.
  • Sign up with an external IdP.
  • Be able to export the metadata file from the IdP.

Procedure

  1. Log into the System Manager Portal.
  2. Go to Security > Advanced > SAML.
  3. Click the box to Enable SAML.
  4. Read the warning message and click Yes to restart Core and turn on SAML.

    This can take a few minutes. The Configuration Status changes from Restarting Tomcat… to In Progress, followed by Completed.

  5. Click Download to download the XML metadata file from MobileIron Core that was created as part of the Core restart process.
  6. Save this file locally.

  7. After downloading and saving the metadata from Core, upload the Core metadata file to your IdP, then:

    1. Export the IdP metadata file from your IdP and upload it to Core.
    2. Click Done > OK.
    3. Verify the IdP hostname/URL and modify it, if necessary.

      System Manager extracts the hostname or URL from the IdP metadata file and auto-populates these fields.

  8. Click Apply.

NOTE: If you do not complete configuring SAML, reboot Core by selecting Maintenance > Reboot > Reboot in the System Manager.

Deactivating or deleting the IdP metadata file

This topic describes how to deactivate or delete the SAML/IdP option.

Procedure 

  1. Log into the System Manager Portal.
  2. Go to Security > Advanced > SAML.
  3. Click the box to Disable SAML to deactivate SAML or click Delete to delete the SAML file.

There is no separate option to delete an uploaded IdP metadata file. To replace it, upload a new IdP metadata file; the new file replaces the previous one.