Pandora: Documentation en: saml
1 SAML Single Sign-On with Pandora FMS
SAML is an XML-based open standard for authentication and authorization. Pandora FMS Enterprise can work as a service provider with your internal SAML identity provider.
1.1 Configuring Pandora FMS
Go to Administration -> Setup -> Authentication and select SAML under Authentication method.
1.2 Configuring the service provider
Download SimpleSamlphp and install it in /opt/simplesamlphp/.
Make sure the file named /opt/simplesamlphp/lib/_autoload.php exists.
Follow the SimpleSAMLphp Service Provider QuickStart guide and configure the service provider. You will need your identity provider metadata.
Once the simplesamlphp is installed, check whether the login works properly directly in the saml. To that end, access the following IP and select the authentication source.
A login screen like the following one will appear and once there, enter the saml user and password that you have previously created.
If the login is correct an overview screen with all the user attributes will appear.
1.3 Configuring your identity provider
For saml users to be correctly generated in Pandora FMS, it is necessary to define in each and every one of them the following identifying attributes that appear in SAML configuration:
- Failback to local authentication: If it is disabled, it will not allow any user that does not exist in saml to log in (except tool administrator users). In case the authentication against saml fails and this option is disabled, it will not check the server database.
- Automatically create remote users: It will create users automatically when logging in the tool for the first time through saml. In case of it being disabled, it must have been previously created manually.
- SimpleSAML path: Path, not indicating the simplesamlphp in the path, where the simplesamlphp is installed on the server. As it was remarked in the documentation, it must be installed in the /opt/simplesamlphp path and it must be indicated in /opt/.
- SAML Source: Name of the SAML source where queries will be send to. The name must match the source selected in:
- SAML user id attribute: Name of the SAML attribute that will match Pandora FMS user names.
- SAML mail attribute: Name of the SAML attribute that will match the Pandora FMS user mail when being created.
- SAML group name attribute: Name of the SAML attribute that will match the group with which the users will be created in Pandora FMS.
- Simple attribute / Multivalue attribute: Option that allows to select a simple attribute for Profile and Tag fields in Pandora FMS or a multivalue attribute.
In case of using Simple attribute, two new fields called Profile attribute and Tag attribute will appear, where to select the names of the SAML attributes that match the Profile and Tag name in Pandora FMS when created.
When selecting Multivalue attribute, use an attribute that follows this format:
<Attribute Name="MULTIVALUE_ATTRIBUTE"> <AttributeValue>PREFIX:role:rolename</AttributeValue> <AttributeValue>PREFIX:tag:tagname</AttributeValue> </Attribute>
Once this attribute is created in SAML and selected in such a manner, together with the Pandora FMS configuration, it will indicate the following parameters:
- SAML profiles and tag attribute: Name of the multivalue attribute.
- SAML profile and tags prefix: Prefix that will precede the role and tag key in the value attribute. In case it is urn:artica:role:<rolename> and urn:artica:tag:<tagname> the urn:artica prefix must be configured.
1.4 Logging in
Go to Pandora FMS Console and click on the Login button. You will be redirected to your identity provider.
After a successful login, you will be redirected back to the Pandora FMS Console.