Configure SSO Settings

To access this page, click Administration > Single Sign-On. You can configure, activate, or deactivate Single sign-on (SSO) from the Single Sign-On Configuration page.

The entities involved during the SSO configuration are:

Identity Provider (IdP)—An external server that handles management of user identities. For example, Okta, and Microsoft Azure.
Service Provider (SP)—Juniper ATP Cloud acts as an SP that receives the SAML assertion sent by IdP in response to a login request.

Both IdP and SP trust each other and share configurations.

Before you begin:

See Set Up Single Sign-on with SAML 2.0 Identity Provider.
Ensure that IdP is already configured with SSO SAML settings.

Note:

You must configure the SSO setting per realm.

To configure SSO settings:

Select Administration> Single Sign-On.
Complete the configuration by using the guidelines in Table 1.
Click Save.

After configuring the SP settings and the IdP settings, you can activate SSO. To activate SSO, click Activate.

To deactivate existing SSO, click Deactivate.

Table 1: SSO Settings
Field	Description
Service Provider Settings
Display Name	Enter a display name for the SSO setting.
Entity ID	Enter the unique identifier for Juniper ATP Cloud customer portal.
Username Attribute	Enter the username attribute for SAML. Username attribute is mandatory and must be in e-mail address format. The username attribute is mapped to the user data, which is provided by IdP in the SAML assertion response.
Sign Authentication Requests	Enable the toggle button to sign the SAML authentication requests sent from Juniper ATP Cloud to IdP. If you enable sign authentication requests, you must provide both private key and public key certificate.
Encrypt SAML Response	Enable the toggle button to specify that the SAML assertion returned by the IdP is encrypted. If you have enabled encrypt SAML response, you must provide both private key and public key certificate. Note: If you have enabled encryption for SAML response in Juniper ATP Cloud customer portal but the SAML responses from your IdP are not encrypted, then SAML authentication will be rejected.
Private Key	Enter the private key. The private key is generated locally by the user. In Juniper ATP Cloud, the private key is used to sign SAML authentication request. The private key is not shared with IdP.
Public Key Certificate	Enter the public key certificate. The public key certificate is generated locally by the user. You must upload the same public key certificate in IdP portal. In IdP, the public key certificate is used to validate the SAML authentication request sent by Juniper ATP Cloud.
Role Options	Choose Use default role or Enter IdP specific role.
Default Role
Default Role	Select a default role for the SAML user in the realm. If you haven't entered the role under Role Mapping section, you must specify the default role for the realm. Select the default role from the list. System Administrator-Full privileges Operator-Full privileges but cannot create users Observer-Read only privileges None-No default role Note: You must configure the role attribute or the default role to log into the SSO page.
First Name	Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, then a part of the e-mail address is used as the first name to create the user profile.
Last Name	Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, then a part of the e-mail address is used as the last name to create the user profile.
IdP Specific Role
Group Attribute	(Optional) Enter the group attribute that is configured in IdP. Example: role
Administrator	(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Administrator role. Example: role_admin
Operator	(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Operator role. Example: role_operator
Observer	(Optional) Enter the IdP specific role that must be mapped to the Juniper ATP Cloud Observer role. Example: role_observer
Last Name	Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile. If you do not provide the last name, then a part of the e-mail address is used as the last name to create the user profile.
First Name	Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile. If you do not provide the first name, then a part of the e-mail address is used as the first name to create the user profile.
Export SP Metadata	Click to download SP metadata in XML format. The administrator can download and use the SP metadata to dynamically configure all SP settings in IdP portal, at a time. The administrator need not manually configure individual SP settings.
Identity Provider Settings
IdP Settings	Select Import Settings to import the IdP metadata in one go. To manually configure the IdP settings, select Enter settings manually.
Import	Select the IdP metadata in XML format and click Import.
Entity ID	Enter the unique identifier for the IdP. If you import IdP metadata, the information will be updated automatically.
Login URL	Enter the redirect URL for user authentication in IdP. If you import IdP metadata, the information will be updated automatically.
IdP Certificate	Enter the IdP certificate to decrypt the SAML response. If you import IdP metadata, the information will be updated automatically.

Configure SSO Settings

Related Documentation