SAML and Orchestrator

IBM Aspera Orchestrator 3.0.4 supports Security Assertion Markup Language (SAML) 2.0, an XML-based standard that allows secure web domains to exchange user authentication and authorization data. With the SAML model, you can configure Orchestrator as a SAML online service provider (SP) that contacts a separate online identity provider (IdP) to authenticate users. Authenticated users can then use Orchestrator to access secure content.

With SAML enabled, Orchestrator redirects a user to the IdP sign-on URL. The user signs in with the IdP and the IdP sends a SAML assertion back to Orchestrator, which grants the user access to Orchestrator. When a SAML user logs in to Orchestrator for the first time, Orchestrator automatically creates a new user account based on the information provided by the SAML response. Any changes subsequently made to the account on the DS server are not automatically picked up by Orchestrator. For more information about user provisioning for SAML users, see User Accounts Provisioned by Just-In-Time (JIT) Provisioning.

IdP Requirements

To use SAML with Orchestrator, you must already have an identity provider (IdP) that meets the following requirements:

Supports SAML 2.0
Able to use an HTTP POST Binding.
Able to connect to the same directory service that Orchestrator uses.
Not configured to use pseudonyms.
Can return assertions to Orchestrator that include the entire contents of the signing certificate.
If prompted, set to sign the SAML response. (Signing the SAML assertion is optional.)

Configure the SAML IdP

Before configuring SAML in Orchestrator, make sure you configure your IdP to send a correct SAML response to Orchestrator. For more information, see Configuring Your Identity Provider (IdP).

For instructions on configuring SAML, see Configuring SAML in Orchestrator.

Note: Orchestrator users with SAML accounts are affected by Orchestrator session timeouts configured on the User Security page (Admin > Security > User Security). After session timeout, SAML users are redirected to the local login page. To log in again, click Log in using SAML Identity Provider.

SAML and Directory Services

Orchestrator supports the use of both SAML and directory services. If you configure both services to Orchestrator, ensure the services use different Active Directory domains. Aspera advises against configuring LDAP directly to Orchestrator if the SAML IdP acts as a frontend for the same Active Directory domain.

Bypassing the Default SAML IdP

Orchestrator provides a mechanism for users to bypass the SAML redirect and log in using a local username and password. This feature allows admins to correct server settings, including a mis-configured SAML setup, without logging in through SAML.

To bypass the SAML login, add logon?local=true to the end of the login URL. For example:

https://198.51.100.48/logon?local=true