Matrix42 Software Asset and Service Management (SASM) supports identity federation with Security Assertion Markup Language 2.0 (SAML 2.0). This feature enables federated single sign-on (SSO), a session and user authentication service that lets a user access multiple applications, such as Matrix42 Software Asset and Service Management, Matrix42 MyWorkspace and Matrix42 MarketPlace, with one set of login credentials.
To use Azure Active Directory with Software Asset and Service Management, MyWorkspace and universal STS/SAML2 authentication you need:
- Matrix42 MyWorkspace subscription and administrator account
- Access to your Azure Active Directory and administrator account
- Access to your Software Asset and Service Management and administrator account
If you have no MyWorkspace subscription, you can create one for free at https://myworkspace.matrix42.com/app/
Azure and Office 365 subscribers do not need to buy an Azure Active Directory Premium P1 or P2 license for the following feature.
Connect Microsoft Azure Active Directory with MyWorkspace
- Go to https://myworkspace.matrix42.com/app/ and sign in with your administrator account.
- Go to "Administration" and "Connectors", click the "+" button at the bottom right and choose "Azure Active Directory".
- In the new window, click "CREATE".
- You will be redirected to the Azure Active Directory landing page. Please sign in with your Azure Active Directory administrator account.
- After signing in you will be prompted to accept the authorization for MyWorkspace. Please accept it.
- The Azure Active Directory is now configured in MyWorkspace, and you will see "MyWorkspace Connector" as an Enterprise Application in your Azure Active Directory.
- Go to "Administration" and "Security" in MyWorkspace, enable "Azure Active Directory" as identity provider and click "SAVE".
- MyWorkspace is now connected with your Azure Active Directory, which can be used as the identity provider for MyWorkspace applications.
Configuring MyWorkspace application for SSO
- Go to https://myworkspace.matrix42.com/app/ and sign in with your Matrix42 administrator account.
- Go to “Applications” and add a new “Custom Saml2 Service Provider” application:
- Enter Application name;
- Enter Service Provider URL;
- Enter Service Provider Issuer name;
- Enter Saml2 client name;
- Set the NameId format to the nameid-format:emailAddress (Saml 2.0)
- Check “If set to true, then the Saml2 response will be signed.”
- Check “If set to true, then the Saml2 assertion section will be signed.”
- Check the “If set to true, then the Saml2 response will be encoded and sent in base 64 format” checkbox.
- Set the Saml2 response validation url to the https://SERVICENAME.m42cloud.com/m42.../api/sts/login
- Set the Logout Url to the: https://SERVICENAME.m42cloud.com/m42...api/sts/logout
- Choose the algorithm to be used to sign your Saml2 response. Select SHA256 and save the application.
- You should now be able to download the Integration Guide.
Identity Provider enabled login
You can launch an application directly from MyWorkspace. To do so, uncheck "Identity provider initiated single sign-on" and provide the "SingleSignOnService location" from the Integration Guide as the Service Provider URL.
In the background, the system initiates an IdP-initiated SAML2 flow and sends a SAML2 response to the SAML2 response validation URL.
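The IdP-initiated flow described above ends with a SAML2 response delivered to the response validation URL. The following Python example is added here and is not part of the Matrix42 documentation or product; it shows the policy checks that correspond to the settings chosen for the MyWorkspace application (signed response, signed assertion, base64 encoding, SHA256 signature algorithm, emailAddress NameID format and a matching validation URL). The ACS URL, the issuer names and the stub signature elements are constructed assumptions. These checks inspect what those settings pin down and run before the cryptographic verification of the XML signatures, which the service provider's SAML library performs against the identity provider certificate and which this example does not replace.

```python
"""Policy checks on a base64-encoded SAML2 Response, matching the settings above.
Added example; URLs and issuer names are constructed placeholders."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical values standing in for the real response validation URL
# (https://SERVICENAME.m42cloud.com/.../api/sts/login) and the issuer names.
ACS_URL = "https://sp.example.invalid/api/sts/login"
SP_ISSUER = "https://sp.example.invalid"
IDP_ISSUER = "https://idp.example.invalid"


def _check_signature(element, label):
    """The element must carry its own ds:Signature using RSA-SHA256."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return [f"{label} is not signed"]
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg != RSA_SHA256:
        return [f"{label} signed with {alg!r}, expected RSA-SHA256"]
    return []


def check_response(b64_response, acs_url, sp_issuer, idp_issuer):
    """Return the list of policy violations; an empty list means every check passed.
    Cryptographic verification of the signatures is done separately by the SAML library."""
    try:
        xml_bytes = base64.b64decode(b64_response, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["response is not valid base64"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["response is not well-formed XML"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} does not match the validation URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        problems.append("Response issuer is not the configured identity provider")
    problems += _check_signature(root, "Response")          # "Saml2 response will be signed"

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    problems += _check_signature(assertion, "Assertion")    # "Saml2 assertion section will be signed"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in emailAddress format")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_issuer:
        problems.append("Audience does not match the Service Provider Issuer name")
    return problems


def _signature_stub(alg):
    """Constructed: only the parts the checks inspect; a real signature carries the
    digest and SignatureValue the IdP computes over the signed element."""
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
            '<ds:SignatureValue>c3R1Yg==</ds:SignatureValue></ds:Signature>')


def sample_response(response_alg=RSA_SHA256, assertion_alg=RSA_SHA256,
                    nameid_format=EMAIL_FORMAT, destination=ACS_URL):
    """Constructed SAML2 Response, base64-encoded as the IdP sends it.
    Passing None for an algorithm leaves that element unsigned."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">'
        f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        + (_signature_stub(response_alg) if response_alg else "")
        + f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<saml:Issuer>{IDP_ISSUER}</saml:Issuer>'
        + (_signature_stub(assertion_alg) if assertion_alg else "")
        + f'<saml:Subject><saml:NameID Format="{nameid_format}">alice@example.invalid'
        '</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_ISSUER}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print("sha256:", check_response(sample_response(), ACS_URL, SP_ISSUER, IDP_ISSUER))
    print("sha1:  ", check_response(sample_response(response_alg=RSA_SHA1), ACS_URL, SP_ISSUER, IDP_ISSUER))
```

Each finding maps back to one setting in the list above: an unsigned assertion, a SHA1 signature or a Destination that is not the response validation URL would each be rejected by these checks, which is why the guide asks for both signatures and SHA256.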
Configuring login page to support different login methods
In the administrative area of Matrix42 Workspace Management you can:
- Enable single sign-on
- Enable browser credentials
- Enable SAML2
Configuring SAML2 Authentication
To enable SAML2 authentication you need to specify the following settings.
On the SAML2 identity provider side:
- Set the Saml2 response validation url to https://SERVICENAME.m42cloud.com/m42.../api/sts/login
- Set the Logout Url to: https://SERVICENAME.m42cloud.com/m42...api/sts/logout
- Choose the algorithm to be used to sign your Saml2 response. SHA256 should be specified.
On the Service Store side:
- SAML2 Login Button Title: shown on the “Sign In” page.
- SAML2 Identity Provider ID: use the same value that was specified for the “Service Provider URL” field in the application on the SAML2 identity provider side (for MyWorkspace this is normally https://accounts.matrix42.com).
- SingleSignOn/Out URI Endpoints: use the ones provided by the identity provider (for MyWorkspace you can find them in the Integration Guide).
- Service Provider Issuer Name: use the same value that was specified for the “Service Provider Issuer name (Unique Resource ID)” field in the application on the SAML2 identity provider side.
- Identity provider certificate: use the X.509 certificate provided by your SAML2 provider (for MyWorkspace you can take it from the Integration Guide).
- SAML2 Name Id Policy: your SAML2 provider returns a Name Id after login, and the SAML2 specification allows different kinds of Name ID. Some providers expect the application to ask for a specific kind in the initial request; this setting controls which kind is requested.
- SAML2 Name Id Allow Create: the initial SAML2 request can carry an "AllowCreate" attribute for the Name Id. Different providers expect different values, or expect the attribute to be omitted entirely.
- Disable logout from Saml2 provider: when the user logs out of the application, this setting controls whether the session with your SAML2 provider is kept or a logout request is also sent to the SAML2 provider.
The image below shows an example of how to configure SAML2 on the service store side when Myworkspace.matrix42.com is used as the SAML2 identity provider:
The Single Sign On URI Endpoint can be copied from the metadata .xml document. To download it, open the MyWorkspace Integration Guide for the created application and follow the link from Step 2.
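The service store settings listed above (SingleSignOn/Out URI endpoints, identity provider certificate, Name Id Policy and Allow Create) and the metadata .xml mentioned here fit together in the SP-initiated flow: the endpoints and certificate are read from the metadata, and the Name Id options go into the AuthnRequest the service provider sends. The following Python example, added here and not part of the Matrix42 documentation or product, reads a constructed metadata document, builds such an AuthnRequest with the NameIDPolicy and optional AllowCreate attribute, and encodes it for the HTTP-Redirect binding. The idp.example.invalid and sp.example.invalid names, the endpoint paths and the certificate text are constructed placeholders.

```python
"""Read IdP metadata (SSO/SLO endpoints, signing certificate) and build the
SP-initiated AuthnRequest carrying the Name Id Policy / Allow Create choices.
Added example; the metadata and all names are constructed placeholders."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the metadata .xml linked from the Integration Guide.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER-CERTIFICATE
      -SECOND-LINE-OF-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Extract the values the service store asks for: SSO/SLO endpoints and certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def location(tag):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    cert = idp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                        namespaces=NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),
        "signing_cert": "".join(cert.split()) if cert else None,  # strip line breaks
    }


def build_authn_request(sp_issuer, acs_url, sso_url, nameid_format, allow_create,
                        request_id=None, issue_instant=None):
    """AuthnRequest with NameIDPolicy. allow_create=True/False sets the attribute;
    None omits it for providers that do not expect it at all."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = f' Format="{nameid_format}"'
    if allow_create is not None:
        value = "true" if allow_create else "false"
        policy += f' AllowCreate="{value}"'
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{sso_url}" AssertionConsumerServiceURL="{acs_url}" '
            f'ProtocolBinding="{POST}">'
            f'<saml:Issuer>{sp_issuer}</saml:Issuer>'
            f'<samlp:NameIDPolicy{policy}/>'
            '</samlp:AuthnRequest>')


def nameid_policy(authn_request_xml):
    """Return (Format, AllowCreate) as they appear in the request; AllowCreate may be None."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return policy.get("Format"), policy.get("AllowCreate")


def redirect_url(sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as a query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_saml_request(url):
    """Inverse of redirect_url, useful when checking what the service provider sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


if __name__ == "__main__":
    meta = read_idp_metadata(IDP_METADATA)
    req = build_authn_request("https://sp.example.invalid", "https://sp.example.invalid/api/sts/login",
                              meta["sso_url"], EMAIL_FORMAT, allow_create=None)
    print(redirect_url(meta["sso_url"], req, relay_state="/wm"))
```

The `allow_create` parameter mirrors the "SAML2 Name Id Allow Create" setting: passing `None` leaves the attribute out of the request entirely, which is the case the setting describes for providers that reject it.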
Bypass Automatic Login
It may happen that for some reason your SAML2 authentication no longer works. If single sign-on is enabled, you are then no longer able to enter the application to change your configuration, for example to update the certificate. In this case you can force the system to show the login page so that you can log in with a non-SAML2 account. To do so, add the predefined parameter "ForceLoginPage" to your URL, like this: https://SERVICENAME.m42cloud.com/wm?ForceLoginPage