Hub 2018.2 Help

SAML 2.0 Auth Module

A SAML 2.0 authentication module lets you configure Hub as a SAML Service Provider (SAML SP). SAML supports single sign-on (SSO) across multiple domains.

When you enable an SAML 2.0 authentication module in Hub:

  • Your users log in to Hub with the credentials that are managed in a specified third-party identity provider (SAML IdP).
  • Your Hub users have fewer accounts and passwords to remember.
  • New users with accounts in the connected service can create their own accounts in Hub.

Hub can also be set up as a SAML IdP, however, the instructions for the identity provider setup are not described here. To learn how to use Hub as a SAML IdP, see SAML 2.0.

Add a New SAML2.0 Authentication Module

To add a SAML2.0 Authentication module:

  1. In a service that you plan to use as a SAML identity provider for Hub, retrieve its parameters as the IdP:
  2. If the IdP service does not provide a fingerprint of their certificate, create it applying SHA256. For example, you can use SAML Tool
  3. In Hub, open admin menu > Auth modules page. Click the Add auth module button and select SAML 2.0 in the drop-down list.
  4. In the displayed dialog, specify parameters of the IdP service.
  5. Configure created auth module: Provide the names of the SAML attributes of the user accounts.

Sample Configurations

Use Okta as SAML Identity Provider in Hub

Configuring Okta as a SAML IdP in Hub is an easy but not a straight forward process. The trick is that to create an Auth module in Hub, you need to provide a unique URL for the IdP. However, in Okta, the IdP URL is specific for an application, and is generated when you create the application for the SAML SP. And to create an application for Hub as a SAML service provider in Okta, you need the unique URL that is generated in Hub only when you create the Auth module for Okta. This "URLs loop" results in the loop in the configuration procedure: You create an application in Okta with a fake URL for Hub to generate the IdP URL, then you create an auth module in Hub to generate the SP URL, and after that you can provide the actual SP URL from Hub in the Okta application.

To use use Okta as IdP for Hub

  1. In Okta, create a new application for Hub service. Use any URLs for Hub as the SP. You need to correct it later. See the Okta documentation for setting up SAML application.
  2. When you created the application, click the View Setup Instructions button to open a page with the parameters of your Okta IdP:
    Parameters for Okta IdP
  3. Download the certificate of your Okta IdP.
  4. Create a fingerprint for the Okta certificate applying SHA256. For example, you can use SAML Developer Tools.
  5. In Hub, open Auth Modules page.
  6. Click the New module button, then select SAML 2.0 in the drop-down list.
    • A New Module dialog is displayed in the right side-panel.
  7. In the displayed dialog, specify the parameters of your Okta IdP. Click Create.
    okta idp create new auth module hub
  8. Configure the new module: Set up the SAML attributes.
    okta idp configure auth module hub
  9. Switch back to Okta. In Okta, edit the Hub application: Provide URLs that are generated during the creation of the new auth module.
  10. Assign the Hub application to groups and users that should be able to log in to Hub with Okta credentials.

That's it. Now the users can log in to Hub and connected services with their Okta credentials.

Use Hub as SAML Identity Provider in Hub

If you have two Hub services, you can use one of them as a SAML Identity Provider and another one — as the service provider.

  1. In the Hub that you use as Saml IdP, open admin menu > SAML 2.0 page.
    saml hub hub idp parameters
    For details about Hub as a SAML 2.0 Identity Provide, see Parameters of Hub as SAML2.0 Identity Provider.
  2. In Hub that you use as SAML service provider, open Auth Modules page.
  3. Click New module, then, select SAML 2.0....
    • A New Module dialog is displayed in the right side-panel.
  4. In the displayed dialog, provide parameters of the Hub service that you use as IdP:
    saml hub2hub auth module create
    Click Create.
    • The new module is created. You are navigated to the settings page the created module:
      saml hub hub module created
  5. Configure SAML attributes:
    saml hub hub module attributes
  6. In the IdP, open Admin menu > SAML 2.0 > Registered services tab. Register the Hub SAML service provider:
    saml hub2hub auth module sp register
    As SAML Attributes, provide the same values that you have set up in the Attributes section of the auth module settings page. For more details, see Register a Service Provider.

You are all set! Now your users can log into the Hub SP with the credentials from the Hub service that you use as SAML IdP.

Last modified: 3 September 2018