What Happened?
- Customers have the capability to configure Single Sign-on (SSO) settings to allow for IdP federated access to the Silverline Portal
- Users who will have access to the Silverline Portal through the Federated service must have an account created in the Silverline Portal.
Environment
- Silverline Portal
- Single Sign-On
- Silverline WAF
- Silverline DDoS
Resolution/Answer
To configure Single Sign-On within the Portal, follow the steps below. Please note that only a user with a Customer Admin Role (What are the User Roles in Silverline Portal?) can configure this integration:
How to Configure SSO with IdP
- To configure the feature in the Silverline portal, navigate to Config > SSO Integration
- Click the "+Add" button to add an SSO config.
- Complete required fields:
  - Name
  - Identity-Provider (IdP) Certificate (in PEM format)
  - IdP Single Sign-On Target URL (E.g.: https://sub.domain.com/uri)
  - IdP Single Logout Target URL (E.g.: https://sub.domain.com/uri)
- The Portal creates 3 values that are unique to each specific SSO config in the portal (more than 1 SSO config can be created).
- Use these 3 values to create the necessary configuration in the IdP that is going to be utilized:
  - F5 Silverline Assertion Consumer URL
  - F5 Silverline Issuer ID
  - Name Identifier Format
- Click Save to save the SSO configuration.
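The IdP certificate and target URLs entered in the required fields above can be checked locally before they are saved. This is an added example, not F5 tooling: the function names are hypothetical, and both the 30-day expiry margin and the https requirement for the target URLs (based on the page's example URLs) are assumptions.

```sh
# Pre-flight checks for the values entered in Config > SSO Integration.
# Hypothetical helper functions; requires the openssl command-line tool.

# check_idp_cert FILE [MIN_DAYS]
# Returns 0 if FILE holds exactly one PEM certificate that parses as X.509
# and stays valid for at least MIN_DAYS more days (assumed default: 30).
check_idp_cert() {
  cert_file=$1
  min_days=${2:-30}
  # PEM framing: a DER or PKCS#7 export from the IdP fails here.
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert_file")" = 1 ] || {
    echo "not a single PEM certificate: $cert_file" >&2; return 1; }
  # The body must decode as an X.509 certificate.
  openssl x509 -in "$cert_file" -noout 2>/dev/null || {
    echo "unparseable certificate: $cert_file" >&2; return 1; }
  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$cert_file" -noout \
      -checkend $((min_days * 86400)) >/dev/null || {
    echo "certificate expires within $min_days days" >&2; return 1; }
}

# cert_fingerprint FILE
# Prints the SHA-256 fingerprint, to compare against the value shown in the
# IdP's own console so the certificate is confirmed to be the intended one.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_target_url URL
# Returns 0 only for https:// URLs (assumption: plain http is rejected).
check_target_url() {
  case $1 in
    https://?*) return 0 ;;
    *) echo "not an https URL: $1" >&2; return 1 ;;
  esac
}
```

Run `check_idp_cert idp.pem && cert_fingerprint idp.pem` on the certificate exported from the IdP, and `check_target_url` on each of the two target URLs.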
How to Require SSO Provider (IdP) for User Sign-In
- Navigate to the 'Customer Details' page by clicking on your Company Name, just between the 'Support' button and the current user's name, in the top-right portion of the portal.
- Click the 'Edit Customer' button.
- In the middle column, near the bottom, select the SSO config created in the previous step from the dropdown labeled: Required SSO Provider for User Sign-in.
For Users: How to Use SSO Login to Access Portal
Once SSO config is enabled, users attempting to log in to the Portal will follow this workflow:
Successful Login
- User enters their Silverline Portal Email address. No password is needed.
- If the provided e-mail address DOES match an existing user, the user will be automatically redirected to their IdP's authentication page.
- Upon successful authentication at the IdP, the user will then be redirected and single-signed on to the Silverline portal.
Login Error
- If the provided e-mail does NOT match an already-created Silverline user, the user is given an 'Invalid email or password' error.
- The network administrator should check that this user's email is included in the IdP.
Troubleshooting: IdP OUTAGE or SSO Config ISSUE
In the event that an IdP is experiencing issues, or an SSO config in the Silverline portal becomes non-operational:
- Contact the SOC to temporarily disable the 'Required SSO Provider for User Sign-in'
  - Allows for authentication directly against the Silverline portal user database
- If necessary, the SOC could trigger the 'Reset Password' functionality
  - Initiates a Reset Password e-mail for a user, to allow for direct login to the Silverline portal.
- Then either upon the correction of the SSO config within Silverline, or the restoration of the customer's IdP's services, the 'Required SSO Provider for User Sign-in' can be reconfigured to use the correct setting.
Related Content
- How to set up SSO with Microsoft ADFS 3.0 (Windows Server 2012 r2)
- How To Set Up SSO SAML with AZURE AD
- How To Integrate Silverline SSO with Okta