SAML and SSO

PacketFabric uses SAML to provide single sign-on (SSO) functionality.

Most of the SAML configuration is done from the identity provider (IdP) side. As each IdP is different, you should refer to their documentation for configuration instructions.

Add a SAML identity provider (IdP)

  1. From the Admin > SAML & SSO page, complete the following fields under Add Identity Provider:

     Title
       Enter a name for this identity provider (IdP). This is for your reference and does not need to match the actual name of the IdP.

     Metadata File
       Upload the metadata file provided by your IdP.

       This should be available for download in XML format from your IdP, and includes all relevant information such as tenant names, sign-in endpoints and the IdP's signing certificate.

     IMPORTANT: These fields cannot be changed after they are saved. If you want to change the IdP name or update the metadata (for example, because the IdP has rotated the signing certificate contained in it), you will need to delete this entry and create a new one.
  2. Click Create Identity Provider.

IdP-specific metadata retrieval

Google

Auth0

Okta

Azure

NOTE: PacketFabric support is not limited to the IdPs listed above; these are only the providers we have been able to test and document.

IdP-side configuration

Once you have created the identity provider entry, you can expand Identity Provider Settings to view additional attributes. You will use these when configuring SAML from the IdP side.

  Assertion Consumer Services (ACS) URL
    This is the endpoint your IdP must redirect to with its authentication response. Copy it exactly: the IdP posts the signed response to this address, and a mismatch fails the login.

    There should be a field in your IdP's configuration interface in which to provide this URL. Depending on the provider, it might be called an Application Callback URL, a Callback URL, a Post-back URL, or an Assertion Consumer Services (ACS) URL.

  Entity ID
    A globally unique string that is specific to this PacketFabric IdP entry. It identifies PacketFabric as the service provider (SP) to your IdP.

    Some IdPs (such as Google) require the entity ID, while others do not.

  Name Identifier Attribute Mapping
    PacketFabric requires that the name identifier (NameID) is the user's email address. Some IdPs set the default name identifier to an internal User ID, which will not match PacketFabric accounts.

  Response Signing
    PacketFabric requires that the SAML response itself is signed. By default, some IdPs sign only the assertion inside the response; others sign both. Signing the assertion alone is not sufficient, so enable response signing (or signing of both) on the IdP.

IdP-specific configuration notes

Google

Auth0

Okta

Azure

Enable SAML and log in

When you have configured the IdP, click Enable.

Once configured and enabled, provide your users with the User Login URL that is generated with the PacketFabric SAML settings.

  User Login URL
    This is the URL that users can use to log in to PacketFabric through the IdP. It does not need to be configured on the IdP side.

User permission groups

When you enable SAML, the following changes take place:

Existing users: Regular and Read Only
  Regular and Read Only users can no longer log in through the PacketFabric login page with their PacketFabric credentials. They must go to the User Login URL and authenticate with their IdP credentials.

Existing users: Admin
  For troubleshooting purposes, Admin users can still log in with their PacketFabric credentials via the PacketFabric login page. This keeps a password-based login path open for administrators, so their PacketFabric passwords remain in scope for your password policy even after SSO is enabled.

New users
  If a user has not yet been added to your PacketFabric account and signs in via the IdP, they are added as a new user with Read Only permissions. Because accounts are created on first login, anyone your IdP allows to reach the PacketFabric application gets a Read Only account, so control who is entitled to the application on the IdP side.

Troubleshooting

Redirect error

The following error appears if the IdP is disabled in the PacketFabric portal:

Whoops, an error occurred while redirecting you to your login page. Please, try again or contact your administrator.

Signed response error

Some IdPs sign only the SAML assertion and leave the enclosing response unsigned. PacketFabric requires that the response itself be signed.

If this is the case, the user authenticates at the IdP and is then returned to PacketFabric with the following login error:

The Message of the Response is not signed and the SP require it

The IdP should have a configuration setting allowing you to enable signed responses. Signing both the response and the assertion is fine; signing the assertion alone is not.

Invalid user login

Some IdPs set the name identifier to an internal user ID (for example user_id) rather than the email address.

PacketFabric matches SAML logins to accounts by email address, so the name identifier attribute must be mapped to email; otherwise the login is rejected as an invalid user.

Look for the following rule (or your IdP's equivalent name identifier setting; the exact form varies by provider) in your IdP's configuration settings and set it to email:

'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier':'email'
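The two errors above ("signed response" and "invalid user login") both depend on what the IdP actually puts in its response, which you can read directly from a browser capture. As an added example (not PacketFabric's code or any IdP's), the following Python script decodes a captured SAMLResponse form value, as posted to the ACS URL, and reports whether the ds:Signature sits on the Response or only on the Assertion, and whether the NameID is an email address. The two sample responses are constructed for the example and their Signature elements are placeholders; the script checks where a signature is placed, not whether it verifies, so it is a configuration triage aid rather than a validator.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 protocol messages and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def decode_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field as posted to the ACS URL.

    Take the value from the browser's network tab (the POST to the ACS URL).
    With the HTTP-POST binding it is plain base64, not base64 over deflate.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response: %s" % root.tag)
    return root


def inspect_response(root):
    """Report signature placement and the NameID the SP will see."""
    report = {
        # A message-level signature is a ds:Signature directly under samlp:Response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None,
        "name_id_format": None,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        report["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None:
            report["name_id"] = (name_id.text or "").strip()
            report["name_id_format"] = name_id.get("Format")
    return report


def diagnose(report):
    """Map the report onto the IdP-side settings that need changing."""
    problems = []
    if not report["response_signed"]:
        if report["assertion_signed"]:
            problems.append("only the Assertion is signed: enable response signing on the IdP")
        else:
            problems.append("neither the Response nor the Assertion is signed: enable response signing on the IdP")
    if report["assertion_encrypted"]:
        problems.append("assertion is encrypted: NameID cannot be inspected offline")
    elif report["name_id_format"] != EMAIL_FORMAT or "@" not in (report["name_id"] or ""):
        problems.append("NameID is not an email address: map the name identifier to email on the IdP")
    return problems


def triage(saml_response_b64):
    return diagnose(inspect_response(decode_saml_response(saml_response_b64)))


def _b64(xml):
    return base64.b64encode(xml.encode()).decode()


# Constructed sample 1 (not a real capture): the IdP signed the Assertion only and
# sent an opaque user id as NameID. The ds:Signature content is a placeholder.
SAMPLE_ASSERTION_ONLY = _b64("""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|5f1c2a</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""")

# Constructed sample 2: Response and Assertion both signed, NameID is an email address.
SAMPLE_OK = _b64("""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>""")

if __name__ == "__main__":
    for name, sample in (("assertion-only", SAMPLE_ASSERTION_ONLY), ("ok", SAMPLE_OK)):
        print(name, triage(sample) or ["no configuration problems found"])
```

Run it against a real capture by passing the SAMLResponse value to triage(). The first sample reproduces the two failing configurations from this section (assertion-only signing and a non-email NameID); the second reports no problems. An encrypted assertion is reported separately, since its NameID cannot be read without the SP's decryption key.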

Cannot parse metadata file

The most frequent cause of this error is the metadata missing the following NameIDFormat declaration from the IdP's IDPSSODescriptor:

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

If you have checked your metadata file and everything appears correct but you still get this error, open a support ticket by emailing support@packetfabric.com.
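Before uploading a metadata file, or when the upload is rejected, it helps to check the file for the omissions that commonly cause this error. As an added example (not PacketFabric's parser, whose exact checks are not documented here), the following Python script verifies that the file is well-formed XML, has an md:EntityDescriptor with an entityID, contains an md:IDPSSODescriptor with a signing certificate and an HTTP-Redirect or HTTP-POST sign-in endpoint, and declares the emailAddress NameIDFormat. The two sample metadata documents are constructed for the example and carry a placeholder certificate; passing these checks rules out the common omissions but does not guarantee the upload succeeds.

```python
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)


def check_idp_metadata(xml_bytes):
    """Return a list of findings; an empty list means nothing obviously missing."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    # Some IdPs wrap the entity in an md:EntitiesDescriptor; take the first entity.
    if root.tag == "{%s}EntitiesDescriptor" % NS["md"]:
        root = root.find("md:EntityDescriptor", NS)
        if root is None:
            return ["EntitiesDescriptor contains no EntityDescriptor"]
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    findings = []
    if not root.get("entityID"):
        findings.append("EntityDescriptor has no entityID attribute")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An md:SPSSODescriptor here means the wrong side's metadata was exported.
        findings.append("no IDPSSODescriptor: this may be SP metadata rather than IdP metadata")
        return findings

    # A KeyDescriptor with use="signing" (or no use attribute, which covers both uses)
    # must carry the X.509 certificate the SP uses to verify response signatures.
    signing_keys = [
        kd for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
    ]
    if not any(kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
               for kd in signing_keys):
        findings.append("no signing X509Certificate: the SP cannot verify signed responses")

    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    if EMAIL_FORMAT not in formats:
        findings.append("NameIDFormat %s is missing" % EMAIL_FORMAT)

    sso = idp.findall("md:SingleSignOnService", NS)
    if not any(s.get("Binding") in SSO_BINDINGS and s.get("Location") for s in sso):
        findings.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    return findings


# Constructed metadata template (placeholder certificate, example.test hostnames).
_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    %s
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed samples: one complete, one with the NameIDFormat declaration omitted.
METADATA_OK = (_TEMPLATE % ("<md:NameIDFormat>%s</md:NameIDFormat>" % EMAIL_FORMAT)).encode()
METADATA_NO_NAMEID = (_TEMPLATE % "").encode()

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else METADATA_NO_NAMEID
    for finding in check_idp_metadata(data) or ["no obvious omissions"]:
        print(finding)
```

Run it with the path of the downloaded metadata file as the only argument; with no argument it checks the built-in sample that lacks NameIDFormat. The script does not decode the certificate, so separately confirm that the certificate in the file has not expired, since the entry cannot be updated later without deleting and re-creating it.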

Disable and delete an IdP

Click Disable to disable the IdP. When disabled, users cannot sign in through the identity provider.

You are prompted to confirm:

screenshot of disable prompt

Note: Users who were added by signing in via SAML will lose access to the portal, because PacketFabric never stored a password for them (it does not save their IdP password). To regain access, they can use the password reset action available from the PacketFabric login page.

Once disabled, you are given the options to delete or re-enable the IdP:

screenshot of disable button