Using SAML 2.0 For Single Sign-On To the CTERA Portal
  • 20 Apr 2022
  • 2 Minutes to read
  • Dark
  • PDF

Using SAML 2.0 For Single Sign-On To the CTERA Portal

  • Dark
  • PDF

Article Summary

You can define Single Sign-On, SSO, to a team or reseller CTERA Portal either in Active Directory using the Kerberos protocol or using an external identity provider providing support for Security Assertion Markup Language, SAML 2.0. For details, refer to Team Portal Administration.

CTERA Portal supports user identity federation over SAML 2.0. SAML enables you to provide Single Sign-On (SSO) capabilities for the global administrators. To set SSO for global administrators, you must create global administrators that have user names corresponding to the SAML identity provider user names. For details about adding global administrators, see Adding and Editing Global Administrators.

Global administrator are defined locally on the CTERA Portal and the passwords are stored on CTERA Portal to enable the administrator to bypass the SAML authentication in the event of misconfiguration of the identity provider’s login page or in case the identity provider’s login page is temporarily unavailable. For details, see Bypassing SAML Authentication.

Enabling SAML SSO for a global administrator does not enable SAML SSO for team and reseller portals. To set up SS for team and reseller portals, refer to the CTERA Portal Team Administrator Guide.

To configure SAML SSO, you need a SAML identity provider. CTERA Portal SAML single sign-on has been certified with the following identity providers:

  • Okta
  • OneLogin
  • Microsoft Active Directory Federation Services (ADFS)
  • Microsoft Azure Active Directory
  • Swivel AuthControl Sentry

Before setting up SAML in the CTERA Portal:

  • The global administrators must be defined. For details, see Adding and Editing Global Administrators.
  • You have to define access to the CTERA Portal on the identity provider side. Although each identity provider can have a different procedure for setting this up, the SAML protocol requires the following information:

    Entity ID – A globally unique name for a SAML entity. This entity is defined at the identity provider, IdP, side.
    Sign-in page URL – The location where the SAML assertion is sent with HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for the SAML endpoint at the IdP side.
    Log-out page URL – The location where the logout response will be sent.
    Identity Provider Certificate – The authentication used by the identity provider.
    The terms used for this information can vary between the different identity providers.

    If you want to use a different identity provider, contact CTERA to validate the provider.

    You need to enable SSO on the portal and specify the identity provider's parameters. Once configured, the provider handles the sign-in process for all portal users, including access from mobile devices. The provider is also responsible for authentication credentials for the users.

Was this article helpful?