Configuring single sign-on (SSO) with SAML
You can configure Management Station as a service provider through the SAML (Security Assertion Markup Language) standard. To set up single sign-on, you must first register Management Station as a trusted service provider with an Identity Provider (IdP) such as Active Directory, and then configure your chosen Identity Provider as the SAML IdP with Management Station.
Registering Management Station as a Service Provider
Follow the instructions for your chosen Identity Provider to register Management Station as a trusted service provider. During the registration, you will need to provide basic SAML configuration information, add the users granted access to Management Station, and also obtain the SAML Signing Certificate and the Metadata URL or XML file you will need when you configure Management Station.
When you provide the basic SAML configuration information, you will need the following URLs:
- The Identifier (Entity ID): use https://MS_hostname:port/mserver/saml/metadata
- Reply URL (Assertion Consumer Service URL): use https://MS_hostname:port/mserver/saml/SSO
- Sign on URL: use https://MS_hostname:port/mserver/
- Logout URL: use https://MS_hostname:port/mserver/saml/logout
Where port is the HTTPS port number configured on Management Station (default 8444) and MS_hostname is the name of the host running Management Station. To determine the correct hostname for the URLs, open a command-line interface, log in to Management Station with an Administrator user, and type hostname to display the correct value.
When you create the SAML signing certificate, make sure you obtain the following information for use when you configure Management Station:
- Copy the Metadata URL or download the Metadata XML file and save it on the Management Station host. For example, C:\tmp\MSTATION.xml.
- Download the SAML Signing Certificate and save it on the Management Station host. For example, C:\tmp\MSTATION.cer.
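As an added example (not part of the Nuance documentation or of the samlssoconfig script), the following Python builds the four service-provider URLs listed above from the Management Station hostname and HTTPS port, and checks the downloaded Metadata XML file against the downloaded SAML Signing Certificate before you run the configuration script: the certificate must match a signing key published in the metadata, and every IdP endpoint must be HTTPS. The IdP entity ID, endpoints and certificate bytes in the sample are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_urls(ms_hostname, port=8444):
    """The four URLs the IdP registration asks for; 8444 is the Management Station HTTPS default."""
    base = f"https://{ms_hostname}:{port}/mserver"
    return {"entity_id": f"{base}/saml/metadata", "acs": f"{base}/saml/SSO",
            "sign_on": f"{base}/", "logout": f"{base}/saml/logout"}

def cert_fingerprint(pem_or_b64):
    """SHA-256 over the DER bytes, so PEM armour and line wrapping do not affect the comparison."""
    body = "".join("".join(l for l in pem_or_b64.splitlines() if "-----" not in l).split())
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing cert in the IdP metadata (a KeyDescriptor with no 'use' covers both)."""
    root = ET.fromstring(metadata_xml)
    return [cert_fingerprint(c.text)
            for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.iterfind(".//ds:X509Certificate", NS)]

def check_idp_metadata(metadata_xml, signing_cert_pem):
    """Problems to fix before running samlssoconfig; an empty list means the two downloads agree."""
    problems = []
    if cert_fingerprint(signing_cert_pem) not in idp_signing_fingerprints(metadata_xml):
        problems.append("downloaded SAML Signing Certificate does not match any signing key in the metadata")
    for svc in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/*", NS):
        loc = svc.get("Location")  # KeyDescriptor has no Location and is skipped
        if loc and not loc.lower().startswith("https://"):
            name = svc.tag.split("}")[-1]
            problems.append(f"{name} endpoint is not HTTPS: {loc}")
    return problems

# Constructed sample: placeholder bytes stand in for the real DER certificate the IdP would publish.
SAMPLE_B64 = base64.b64encode(b"constructed-placeholder-certificate-bytes").decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run check_idp_metadata on the real MSTATION.xml and MSTATION.cer contents; the sample metadata deliberately publishes a plain-HTTP sign-on endpoint so that the check reports it.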
Configuring Management Station to use single sign-on using SAML
After you have registered Management Station as a Service Provider, you must configure Management Station to use the Identity Provider for authentication.
To configure single sign-on:
- Configure HTTPS for Management Station. See Configuring HTTPS for Management Station.
- Test Management Station to ensure that it is installed correctly and is using a secure Administrator password. Do not leave the Administrator password at the default. Confirming that Management Station is functioning correctly before configuring single sign-on simplifies troubleshooting if a problem occurs.
- Run the script to create the keystore, create the self-signed certificate, and configure single sign-on. Make sure you have the path to the SAML Signing Certificate, and either the Metadata URL or the path to the Metadata XML file ready when you run the script. If you want to use a certificate obtained from a Certificate Authority instead of a self-signed certificate, please contact Nuance technical support.
On Linux
- Open an SSH client such as PuTTY.
- Navigate to the $MSTATION_HOME/mserver/webapps/mserver/scripts directory.
- Run the following command:
# ./samlssoconfig.sh
On Windows
- Open a command prompt window with the Run as Administrator option.
- Navigate to the %MSTATION_HOME%\mserver\webapps\mserver\scripts directory.
- Run the following command:
# samlssoconfig.bat
Removing single sign-on
To remove single sign-on:
On Linux
- Open an SSH client such as PuTTY.
- Navigate to the $MSTATION_HOME/mserver/webapps/mserver/scripts directory.
- Run the following command:
# ./samlssoconfig.sh -r
On Windows
- Open a command prompt window with the Run as Administrator option.
- Navigate to the %MSTATION_HOME%\mserver\webapps\mserver\scripts directory.
- Run the following command:
# samlssoconfig.bat -r