SAML 2.0 Authentication

Kasm supports authentication through SAML 2.0 Identity Providers. This gives users a single sign-on experience and improves security.

Configuration

SAML configuration can be found under the Authentication tab in the Admin Navigation Bar.

Service Provider

The Service Provider Entity ID, single login URL and single logout URL are generated automatically when you submit a configuration, because they are based on the hostname of your server.

  • Enabled

    This checkbox makes this configuration visible to users on the login page. It is not the same as the server's enable_saml setting, which turns off all SAML capabilities. Because it applies to one specific configuration, multiple configurations can be added without being shown to users until they are enabled.

  • Display Name

    This is the name shown to the users in a login button on the login page. e.g. ‘OneLogin’, ‘Okta’

  • Host Name

    The URL hostname (e.g. kasm.example.com) of the deployment. This SAML config will only function when the deployment is accessed via this URL hostname. This allows a single deployment to service multiple tenants who may need different SAML configurations. If Default is defined, this config will apply regardless of the hostname.

  • Entity ID

    This is the URL that identifies the Service Provider. It may be called a Provider Issuer or something similar. The URL is automatically created by Kasm for this configuration's sign-on.

  • Single Sign On Service

    This is the URL that receives the login response from the IDP. The URL is automatically created by Kasm to connect to the specific configuration.

  • Single Logout Service

    This is the URL provided for the logout of the user. It may be provided by the IDP but is not required.

  • Relay State

    The Relay state must be set to https://hostname/#/sso

  • Default

    Used in conjunction with Host Name. When checked, this config will apply regardless of what hostname the user is accessing the server with.

  • Auto Login

    This setting will automatically launch this SAML configuration from the default login page. Only one configuration should be set to auto login. If this is set, the normal login page may still be accessed at /#/staticlogin

  • Group Member Attribute

    This setting maps the attribute from the IDP to the Kasm group. The group must be enabled for Kasm and given the matching name under the individual group edit.

  • NameID

    This attribute is used as the identifier for the user. The IDP may specify that it is set to “emailAddress” or something similar, but it may also be blank.

  • ADFS

    If using Active Directory Federation Services, select this checkbox.

  • x509 Certificate

    This is an optional certificate that can be provided for signature verification of the SP.

  • Private Key

    This will be generated along with the optional x509 certificate above.

  • Debug

    This will enable the response to show the specific SAML error that is occurring. It is useful during setup of the configuration.

Identity Provider

  • Entity ID *Required

    This is the URL provided by the IDP that identifies the provider. It may be called a Provider Issuer or something similar. This URL must be configured for the Login to work properly.

  • SingleSignOnService/SAML 2.0 Endpoint *Required

    This is the URL provided by the IDP used for the login. This URL must be configured for the Login to work properly.

  • SingleLogoutService/SLO Endpoint

    This is the URL provided for the logout of the user. It may be provided by the IDP but is not required.

  • x509 Certificate

    This is the certificate used to verify the signature of the application and it is required.

  • Attributes

    One attribute must be provided by the IDP. It should be a unique identifier like username or email.

Advanced Settings

These options can be configured to meet the security requirements needed.

  • Want Attribute Statement

    Indicates a requirement for the AttributeStatement element

  • Name Id Encrypted

    Indicates that the NameID of the <samlp:LogoutRequest> sent by this SP will be encrypted.

  • Authn Requests Signed

    Indicates whether the <samlp:AuthnRequest> messages sent by this SP will be signed. (Metadata of the SP will offer this info.)

  • Logout Request Signed

    Indicates whether the <samlp:LogoutRequest> messages sent by this SP will be signed.

  • Logout Response Signed

    Indicates whether the <samlp:LogoutResponse> messages sent by this SP will be signed.

  • Want Messages Signed

    Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP to be signed.

  • Want Assertions Signed

    Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed. (Metadata of the SP will offer this info.)

  • Want Assertions Encrypted

    Indicates a requirement for the <saml:Assertion> elements received by this SP to be encrypted.

  • Want Name Id

    Indicates a requirement for the NameID element on the SAMLResponse received by this SP to be present.

  • Want Name Id Encrypted

    Indicates a requirement for the NameID received by this SP to be encrypted.

  • Signature Algorithm

    Algorithm that the toolkit will use in the signing process.

  • Digest Algorithm

    Algorithm that the toolkit will use in the digest process.
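
A pre-enablement audit of the settings above, as an added example that is not Kasm code. The dictionary keys are hypothetical names mirroring this page's labels, and the sample configurations are constructed; the algorithm URIs are the standard XML Signature identifiers.

```python
# Added example. Key names are hypothetical: they mirror the labels on this
# page, not Kasm's internal storage format.
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # signature algorithm
    "http://www.w3.org/2000/09/xmldsig#sha1",      # digest algorithm
}
# Options where the SP signs or decrypts, so it needs its own key pair.
SP_NEEDS_KEY = ("authn_requests_signed", "logout_request_signed",
                "logout_response_signed", "want_assertions_encrypted",
                "want_name_id_encrypted")

def audit_saml_settings(cfg):
    """Return sorted (severity, setting, reason) findings for one configuration."""
    findings = []
    if not cfg.get("idp_x509_cert"):
        findings.append(("high", "idp_x509_cert", "required to verify IDP signatures"))
    if not (cfg.get("want_messages_signed") or cfg.get("want_assertions_signed")):
        findings.append(("high", "want_assertions_signed",
                         "no signature requirement on received messages or assertions"))
    for key in ("signature_algorithm", "digest_algorithm"):
        if cfg.get(key) in SHA1_URIS:
            findings.append(("medium", key, "SHA-1 based algorithm selected"))
    has_sp_key = bool(cfg.get("sp_x509_cert") and cfg.get("sp_private_key"))
    for key in SP_NEEDS_KEY:
        if cfg.get(key) and not has_sp_key:
            findings.append(("high", key, "needs the SP certificate and private key"))
    if cfg.get("enabled") and cfg.get("debug"):
        findings.append(("low", "debug", "specific SAML errors are shown; turn off after setup"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample configurations.
WEAK = {
    "enabled": True, "debug": True, "idp_x509_cert": "CONSTRUCTED-PEM",
    "want_messages_signed": False, "want_assertions_signed": False,
    "authn_requests_signed": True,
    "signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
}
HARDENED = dict(
    WEAK, debug=False, want_messages_signed=True, want_assertions_signed=True,
    signature_algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    sp_x509_cert="CONSTRUCTED-PEM", sp_private_key="CONSTRUCTED-KEY",
)

if __name__ == "__main__":
    for finding in audit_saml_settings(WEAK):
        print(*finding, sep=" | ")
```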

SAML Setup

For general SAML configuration:

  • Copy the Service Provider Entity ID, Single Sign On Service and (optionally) Single Logout Service values to the Identity Provider.

Note

If the Single Logout Service field is left blank, there will be no logout redirection when the user logs out.

  • The Identity Provider must also be given the Relay State provided

  • A NameID attribute must be set to return the specific attribute of the user (e.g. ‘emailAddress’, ‘transient’). A default of Unspecified is used when not present.

The Identity Provider should then return these same settings to be put under the Identity Provider section in the configuration settings.

  • The metadata button should return the Service Provider information.

If the Test SSO button is working, the ‘enable_saml’ setting may then be set to true. This allows all users to be redirected to the Single Sign On portal.

Some of the specific IDP setups below may help in setting up SAML, as they are sometimes similar.

Note

A non-redirecting login page is at https://hostname/#/staticlogin when auto login is enabled.

Group Assignment

Groups for SAML users are automatically assigned if the group has the “saml group” attribute set in group edit. This will allow automatic provisioning of groups to SAML users but will not unassign non-SAML groups.

To automatically assign groups to saml users:

  • Navigate to the Groups tab in the admin navigation bar

  • Select edit of desired group

  • Check SAML Group

  • Enter SAML Group Name as the name the IDP has for this group

  • Navigate to the SAML configuration

  • Change the Group Member Attribute to the corresponding group attribute of the IDP
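
The mapping described above, as an added example that is not Kasm code: it reads the Group Member Attribute from a constructed AttributeStatement and reports which IDP values matched no SAML group, which is the usual cause of missing assignments. The group table, the attribute name memberOf, exact string matching and the re-derivation of SAML-managed memberships on each login are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement, taken to come from an assertion whose
# signature has already been verified against the IDP certificate.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>kasm-admins</saml:AttributeValue>
    <saml:AttributeValue> Engineering </saml:AttributeValue>
    <saml:AttributeValue>payroll</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed Kasm groups: name -> (SAML Group checked, SAML Group Name).
GROUPS = {
    "Administrators": (True, "kasm-admins"),
    "Developers": (True, "engineering"),   # case differs from the IDP value
    "Finance": (False, "payroll"),         # SAML Group unchecked
    "All Users": (False, ""),
}

def idp_group_values(statement_xml, group_member_attribute):
    """Collect the values of the configured Group Member Attribute."""
    root = ET.fromstring(statement_xml)
    return {
        value.text.strip()
        for attr in root.findall("saml:Attribute", NS)
        if attr.get("Name") == group_member_attribute
        for value in attr.findall("saml:AttributeValue", NS)
        if value.text and value.text.strip()
    }

def assign_groups(current, statement_xml, group_member_attribute):
    """Return (groups after login, IDP values that matched no SAML group)."""
    asserted = idp_group_values(statement_xml, group_member_attribute)
    saml_names = {n: s for n, (on, s) in GROUPS.items() if on}
    matched = {n for n, s in saml_names.items() if s in asserted}  # exact match (assumption)
    # Non-SAML groups are never unassigned; SAML-managed memberships are
    # re-derived from the assertion on each login (assumption).
    kept = {g for g in current if g not in saml_names}
    return kept | matched, asserted - set(saml_names.values())

if __name__ == "__main__":
    print(assign_groups({"All Users", "Developers"}, SAMPLE, "memberOf"))
```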

Known Issues

Configuration Examples