SSO Integration with SafeConsole 5.3+


SSO lets admins log in to SafeConsole with third-party authentication. With Single Sign-On enabled, SafeConsole admins can be synced from a centrally managed user repository, which makes review and management easier.


SafeConsole can integrate with any SSO solution that provides a SAML 2.0 connector.


Solutions that have been tested and confirmed by the DataLocker team:

  1. PingOne

  2. OneLogin

  3. PingFederate

  4. ADFS


Important Information for Integration


Entity ID


The Entity ID is also called the Identifier of the SSO connector. It tells SafeConsole which connector within your SSO solution to use.


SSO URLs


Login URL example - https://SSOsolutionServer.com/adfs/ls/ (This varies depending on your SSO solution.)


Default logout URL - https://safeconsoleserver.com/safeconsole/?logout (This URL ends your SafeConsole session only, not your session with the SSO solution. While the SSO session remains valid, a new login to SafeConsole may complete without prompting for credentials, so also log out of the SSO solution on shared machines.)


Assertions


SAML is the open standard used to exchange authentication and authorization data between the SafeConsole server and the SSO solution; an assertion is the signed statement about the authenticated user that the SSO solution sends to SafeConsole. The URL below is SafeConsole's Assertion Consumer Service (ACS) endpoint. Enter it in the settings of the SSO connector so the connector knows where to deliver the assertion.


Example: https://safeconsoleserver.com/safeconsole/login/acs


Required Attributes


memberOf - Carries the user's group memberships, which SafeConsole uses to decide what the admin may do. See Privileged Access Groups below for the level of access each group grants.


Name ID - The SAML subject identifier SafeConsole uses to identify the admin who is authenticating; map it to the LDAP attribute that identifies the user in your directory.


Privileged Access Groups - By default, SafeConsole has three levels of console access. Which group grants which level must be defined in the SSO connector during setup. The three default access levels are as follows:


  • ADMINISTRATOR - Can purchase licenses, add administrators, configure devices, monitor audit logs and perform device actions

  • MANAGER - Can configure devices, monitor audit logs and perform device actions

  • SUPPORT - Can perform a limited number of device actions, such as password resets. Cannot change device configurations
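To show what the SSO connector has to place in the assertion for these attributes, here is an added example (not SafeConsole or DataLocker code) that parses a constructed assertion carrying a Name ID and a memberOf attribute and resolves the group values to one of the three access levels. The issuer, the example.com user and the DN-style group values are placeholders, and the rule that the highest privilege wins when a user is in several groups is an assumption; the article does not say how SafeConsole resolves that case. Signature and validity checks on the assertion are not shown here; SafeConsole performs them using the X509 data from its SSO settings.

```python
"""Shape of the SAML assertion SafeConsole expects (Name ID plus a memberOf
attribute) and the mapping from memberOf values to a console access level.

Added example for this article, not SafeConsole or DataLocker code.  The
assertion is constructed: issuer, user and group DNs are placeholders."""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Highest privilege wins when a user is in more than one group (assumption:
# the article does not say how SafeConsole resolves overlapping groups).
ACCESS_LEVELS = ("ADMINISTRATOR", "MANAGER", "SUPPORT")

# Constructed assertion fragment.  A real one is signed by the SSO solution and
# wrapped in a samlp:Response; signature and Conditions checks are not shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://SSOsolutionServer.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=SUPPORT,OU=SafeConsole,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=MANAGER,OU=SafeConsole,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_name(value):
    """Reduce a DN such as CN=MANAGER,OU=... to MANAGER (ADFS sends memberOf
    as DNs by default); a plain group name passes through unchanged."""
    first = value.split(",", 1)[0].strip()
    if first.upper().startswith("CN="):
        return first[3:].strip()
    return value.strip()


def extract_name_id(root):
    node = root.find("saml:Subject/saml:NameID", SAML)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Name ID; SafeConsole cannot identify the admin")
    return node.text.strip()


def extract_groups(root, attribute="memberOf"):
    """Collect every value of the memberOf attribute, normalised to a group name."""
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        if attr.get("Name") != attribute:
            continue
        for value in attr.findall("saml:AttributeValue", SAML):
            if value.text and value.text.strip():
                groups.append(group_name(value.text))
    return groups


def resolve_access_level(groups):
    """Return the most privileged SafeConsole level among the groups, or None
    (deny) when none of the three default groups is present."""
    names = {g.upper() for g in groups}
    for level in ACCESS_LEVELS:
        if level in names:
            return level
    return None


def map_assertion(xml_text):
    # Use defusedxml.ElementTree.fromstring instead when parsing untrusted XML.
    root = ET.fromstring(xml_text)
    groups = extract_groups(root)
    return {
        "name_id": extract_name_id(root),
        "groups": groups,
        "access_level": resolve_access_level(groups),
    }


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION))
```

The attribute name is `memberOf` because that is what this article requires; in ADFS the claim is only called that if the claim rule names it so, which is the kind of detail to confirm in the connector. A user whose memberOf carries none of the three group names resolves to no level and should be denied rather than given a default.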


Certificates


You will need two certificates to complete the integration between SafeConsole and your SSO solution: the public signing certificate of your SafeConsole server and the certificate your SSO solution uses to sign SAML assertions (in ADFS this is the token-signing certificate, which is separate from the HTTPS/SSL certificate on the ADFS web listener).


The SafeConsole certificate is configured as the signature certificate in the SSO solution's connector, so the SSO solution can verify the requests SafeConsole signs. The SSO solution's certificate is configured in SafeConsole so SafeConsole can verify the assertions the SSO solution signs, which establishes the trust between both parties. You will need to be able to extract the X.509 data (the base64 certificate body) of your SSO certificate.


To obtain the public signing certificate of your SafeConsole server, log in to your console and navigate to Help > Quick Connection Guide > Legacy Devices. Click Server Certificate and the download will begin.


SSO Settings within SafeConsole


Log in to your SafeConsole and navigate to Server Settings > Single Sign On.


Method 1:


  1. Check the box to enable SSO

  2. Select SAML2 from the drop-down

  3. Enter the identifier (Entity ID) of your SSO connector

  4. Input the SSO endpoint URL (the login URL of your SSO solution)

  5. Input the SLO (single logout) endpoint URL

  6. Input the X509 data (the base64 body of the SSO solution's signing certificate)

  7. Click Save.


Method 2: 


  1. Check the box to enable SSO

  2. Select SAML2 from the drop down 

  3. Upload the metadata file obtained from your SSO solution (it carries the identifier, the SSO and SLO endpoints and the X509 data that Method 1 enters by hand)

  4. Click Save
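The metadata file used in Method 2 contains exactly the values Method 1 asks for, so it is also the easiest place to get the X509 data described under Certificates. The following added example (not SafeConsole or DataLocker code) pulls the Entity ID, the SSO and SLO endpoints and the signing certificate out of a constructed SAML 2.0 metadata document, rejects plain-http endpoints, skips encryption-only keys, and computes a SHA-256 fingerprint of the certificate so it can be compared with what the SSO administrator sees on their side. The hostnames are placeholders, the certificate bodies are dummy base64 rather than real certificates, and preferring the HTTP-Redirect binding over HTTP-POST is an assumption; confirm which binding SafeConsole uses.

```python
"""Extract the Method 1 values (Entity ID, SSO endpoint, SLO endpoint, X509
data) from an SSO solution's SAML 2.0 metadata and fingerprint the signing
certificate.

Added example for this article, not SafeConsole or DataLocker code.  The
metadata is constructed; hostnames are placeholders and the certificate
bodies are dummy base64, not real certificates."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: one encryption key, one signing key split across
# lines the way exported metadata often is, and Redirect/POST endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://SSOsolutionServer.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZW5jcnlwdGlvbg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Y29uc3Ry
        dWN0ZWQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://SSOsolutionServer.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://SSOsolutionServer.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://SSOsolutionServer.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def is_https(url):
    """SAML messages (the assertion, the logout request) travel to these
    locations; a plain-http endpoint would expose them in transit."""
    return urlsplit(url).scheme == "https"


def select_endpoint(endpoints, preferred=(REDIRECT, POST)):
    """Location of the first available binding (Redirect-first is an assumption)."""
    for binding in preferred:
        if binding in endpoints:
            return endpoints[binding]
    return None


def sha256_fingerprint(der):
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def to_pem(b64):
    """Wrap the raw X509 data as PEM for tools that want a certificate file."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def parse_idp_metadata(xml_text):
    # Use defusedxml.ElementTree.fromstring when the metadata was fetched from
    # a URL rather than exported by your own SSO administrator.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both purposes; an
        # encryption-only key cannot verify assertions and must be skipped.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            b64 = "".join(cert.text.split())       # drop line breaks/indentation
            base64.b64decode(b64, validate=True)   # fail early on mangled data
            signing_certs.append(b64)
    if not signing_certs:
        raise ValueError("metadata has no signing certificate")

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    sso_url, slo_url = select_endpoint(sso), select_endpoint(slo)
    for url in (sso_url, slo_url):
        if url and not is_https(url):
            raise ValueError("endpoint is not https: %s" % url)

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "slo_url": slo_url,
        "x509_data": signing_certs[0],
        "signing_cert_count": len(signing_certs),
        "fingerprint_sha256": sha256_fingerprint(base64.b64decode(signing_certs[0])),
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print("%-20s %s" % (key, value))
    print(to_pem(info["x509_data"]))
```

If `signing_cert_count` is greater than one, the SSO solution is mid-rollover and publishes both the current and the next signing certificate; the X509 data entered in Method 1 must then be updated when the rollover completes, whereas a metadata re-upload (Method 2) picks it up in one step.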