The steps to configure your Identity Provider (IdP) are specific to each IdP product, such as Okta, OneLogin, and PingFederate. The terminology may vary, but you will need to create one SAML 2.0 application (or SP connection) for each Delphix Engine. The engine does not expose a metadata document, so the following attributes must be entered manually:
- ACS URL (Assertion Consumer Service URL): http(s)://<delphix-engine>/sso/response
Delphix strongly recommends that HTTPS be used instead of HTTP for all UI and API communication with the Delphix Engine. If you are planning to use HTTPS or the automatic HTTP to HTTPS redirect, use the https:// scheme in the ACS URL; otherwise use the http:// scheme. Refer to Changing HTTP and HTTPS Web Connections for how to set up HTTPS.
- SAML Bindings: Delphix engines support the POST and Redirect bindings.
- Audience Restriction (SP entity ID, Partner's Entity ID): The audience restriction must be set to the Delphix Server ID. It is a 36-character hexadecimal string of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. The Delphix Server ID is shown in the information section of the SAML/SSO settings block in the server setup app.
Alternatively, refer to Determining the Delphix Server ID and Host Name to find the Delphix Server ID.
If the Delphix Engine does not exist yet or is unreachable, you can enter a temporary value (such as delphix-sp-id), which must later be replaced by the actual Delphix Server ID.
- Signature policy:
- The Delphix Engine does not sign authentication requests.
- The Delphix Engine requires that the responses, the assertions, or both be signed. It makes no difference which of the two the IdP is configured to sign, but at least one of them must be.
- Name ID: The SAML NameID attribute must be set to the email address of the user. See User management when SSO is enabled for more information.
The SP-initiated flow must be enabled in the IdP.
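The attributes above are easy to get subtly wrong on the IdP side (a placeholder audience left in place, a signature applied to neither the response nor the assertion, a NameID that is a username rather than an email). The following is an added example, not Delphix code or part of the original page, that checks a decoded SAML Response against those settings before it is pointed at an engine. It assumes the response XML is already base64-decoded, and it checks only that a `ds:Signature` element is present on the Response or the Assertion; it does not verify the signature cryptographically, which the engine itself does. The host name, Server ID and email address in the sample are constructed.

```python
"""Added example (not Delphix code): pre-flight check of a SAML Response
against the IdP settings described on this page.

Assumptions: input is decoded Response XML; signature *presence* is checked,
not signature validity; encrypted assertions are reported, not decrypted.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Delphix Server ID: 36-character hexadecimal string with four hyphens.
SERVER_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_response(xml_text, expected_acs_url, expected_server_id):
    """Return a list of problems; an empty list means the response matches."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not a samlp:Response"]

    # ACS URL: the IdP must deliver the response to /sso/response on the engine.
    if root.get("Destination") != expected_acs_url:
        problems.append("destination: Destination attribute does not match the ACS URL")
    if not expected_acs_url.startswith("https://"):
        problems.append("scheme: ACS URL uses http://; Delphix recommends https://")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("assertion: no plain saml:Assertion found (encrypted?)")
        return problems

    # Audience Restriction must carry the real Delphix Server ID, not a placeholder.
    if not SERVER_ID_RE.match(expected_server_id):
        problems.append("server-id: expected Server ID is not a 36-character UUID-style string")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_server_id not in audiences:
        problems.append("audience: AudienceRestriction does not contain the Delphix Server ID")

    # Signature policy: the Response or the Assertion (or both) must be signed.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = assertion.find("ds:Signature", NS) is not None
    if not (response_signed or assertion_signed):
        problems.append("signature: neither the Response nor the Assertion carries a ds:Signature")

    # NameID must be the user's email address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or not EMAIL_RE.match(name_id.text.strip()):
        problems.append("nameid: NameID is missing or is not an email address")
    return problems


# Constructed sample response: all values below are made up for the example.
SAMPLE_ACS = "https://delphix.example.com/sso/response"
SAMPLE_SERVER_ID = "12345678-abcd-ef01-2345-67890abcdef0"
SAMPLE_SIGNATURE = "<ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>"
SAMPLE_GOOD = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{SAMPLE_ACS}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    {SAMPLE_SIGNATURE}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SAMPLE_SERVER_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# Same response with the placeholder audience still in place and no signature.
SAMPLE_BAD = SAMPLE_GOOD.replace(SAMPLE_SIGNATURE, "").replace(SAMPLE_SERVER_ID, "delphix-sp-id")


def check_sample_good():
    return check_response(SAMPLE_GOOD, SAMPLE_ACS, SAMPLE_SERVER_ID)


def check_sample_bad():
    return check_response(SAMPLE_BAD, SAMPLE_ACS, "delphix-sp-id")


if __name__ == "__main__":
    print("good sample:", check_sample_good() or "OK")
    print("bad sample:", check_sample_bad())
```

Run it against a response captured from your own IdP test flow (decode the `SAMLResponse` form field first) with the engine's real ACS URL and Server ID; each reported problem maps to one of the settings listed above.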