SAML Authentication
The integration of SAML (Security Assertion Markup Language) provides an authentication method for users. Centralized user management systems, known as identity providers (IDPs), can be integrated into G-SIM via SAML. This allows the use of existing user accounts in the Operator Console and other applications that have SAML integration.
Install SAML Authentication
Install the SAML authentication and the Operator Console using the G-SIM installer on each server that is to have the external login function.
- Run the G-SIM_Installer_xxx.exe file on the Operator Console server.
- In the License Agreement dialog window, select the option I Accept the agreement and click Next.
- In the Select Components dialog window, select SAML Authentication and Operator Console Files.
- Click Next and follow the further installation steps (see Software Installation).
- In the Ready to Install dialog window, click Install.
SAML Authentication and the Operator Console are installed. The GSIMSAML service starts automatically on the Operator Console server.
Configure SAML Authentication
Specify the SAML Support settings in the Management Console and add a specific user for the SAML authentication.
- Navigate to Server Setup > System Settings > SAML Support.
- Enable the Active slider to activate the SAML authentication.
- Specify the SAML authentication settings:

| Setting | Description |
| --- | --- |
| Certificate Validation Mode | Select the mode used to validate a certificate. |
| Issuer | Specify the application-defined unique identifier that is the intended audience of the SAML assertion. In most cases, this is the identity provider entity ID of your application. |
| Metadata URL | Specify the URL of the metadata from the identity provider (mandatory). |
| Revocation Mode | Select the mode used to check the revocation of X509 certificates. |
| Service Provider URL | Specify the URL of the SAML authentication service provider that is installed on the Operator Console computer. The default URL is https://localhost:7191. |

- Navigate to Users and security > Users.
- Add a user and enable the user privilege Allow Connection to G-SIM Web API for this user (see Users). If this privilege is enabled for a user, all other privileges are disabled and the user cannot log in to the Management Console and make changes.
- Click Save.
The external login function in the Operator Console is enabled (see Log In with SAML Authentication) and a user group named Default IDP Users has been created for external users. Adjust the permissions for this user group: by default, it has no permissions assigned. External users are automatically assigned to this group after their first login. You can change this assignment.
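As an added example (not G-SIM code or part of this documentation), the following Python script checks the values entered under SAML Support against the identity provider metadata before they are saved: the Issuer must equal the entityID published in the metadata, the Metadata URL and Service Provider URL must be set and use HTTPS, and the metadata must publish a signing certificate and HTTPS SSO endpoints. The metadata document and all identifiers in it are constructed for the example; in practice the input is what the Metadata URL returns.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample of what a Metadata URL returns (all identifiers are made up).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the entityID, the SSO endpoints per binding and the signing-key count."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use", "signing") == "signing"]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_keys": len(signing)}

def check_settings(issuer, metadata_url, service_provider_url, metadata_xml):
    """Return a list of findings for the SAML Support values; an empty list means consistent."""
    findings = []
    if not metadata_url:
        findings.append("Metadata URL is mandatory")
    elif not metadata_url.lower().startswith("https://"):
        findings.append("Metadata URL should use https")
    if not service_provider_url.lower().startswith("https://"):
        findings.append("Service Provider URL should use https")
    info = parse_idp_metadata(metadata_xml)
    if issuer != info["entity_id"]:
        findings.append(f"Issuer {issuer!r} differs from IdP entityID {info['entity_id']!r}")
    if info["signing_keys"] == 0:
        findings.append("IdP metadata publishes no signing certificate")
    for binding, location in info["sso"].items():
        if not (location or "").lower().startswith("https://"):
            findings.append(f"SSO endpoint {location} for {binding.rsplit(':', 1)[-1]} is not https")
    return findings
```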
Log In with SAML Authentication
- Open the Operator Console.
- In the login window, click Settings. The Settings dialog window opens.
- In the Additional Settings tab, specify the SAML Settings:

| Setting | Description |
| --- | --- |
| Username | Enter the login name of the user for the SAML authentication. The user privilege Allow Connection to G-SIM Web API must be enabled for this user. |
| Password | Enter the password of the user for the SAML authentication. |

- Click Save. The login window opens.
- Click the External Login button to log in to the Operator Console with your SAML credentials.
- The identity provider login page opens. Enter your login data to log in.
- After successfully logging in, you are logged in as a SAML user in the Operator Console.
These external users are added in the Management Console and marked as SAML users. These users are automatically assigned to the Default IDP Users user group after their first login. You can change this assignment.
G-SIM SAML-Configuration Tool
You can use the G-SIM SAML-Configuration tool to check the communication of your SAML authentication.
- Open the URL https://localhost:7191 on the Operator Console server. The G-SIM SAML-Configuration tool opens and displays the current SAML authentication settings of the G-SIM server.
- Click the Retrieve SAML Authentication Settings button to manually retrieve the SAML authentication settings from the G-SIM server. This allows you to check the communication between the G-SIM SAML authentication service and the G-SIM server.
- Click the Metadata button to retrieve the metadata from the identity provider. This allows you to check the communication between the G-SIM SAML authentication service and the identity provider server. The metadata file opens.
- Click the IDP Login button to log in to the identity provider. The identity provider login page opens.
- Enter your login data to log in. This allows you to check whether external users can log in. If the login was successful, you are logged in as an external user.