Set up Federated Identity

Dell Technologies enables you to access Cloud Snapshot Manager using Federated Identity with Security Assertion Markup Language (SAML) authentication.

About this task

With SAML support, organizations can access Cloud Snapshot Manager securely without creating accounts with Dell: users in the organization are authenticated by the organization's Identity Provider (IdP) instead of by Dell SSO.

You can initiate Federated Identity support for your organization by creating a service request with Cloud Snapshot Manager on the Support page. The following workflow enables organizations to access Cloud Snapshot Manager using Federated Identity:

  • Your organization must provide the Identity Provider (IdP) metadata. The following is an example of Dell IdP metadata; replace the relevant fields with organization-specific details:
    <?xml version="1.0" encoding="UTF-8"?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_8db3b2e5-32c9-49f0-a370-5f57257a5d2e" entityID="http://www.dell.com/identity/">
       <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthenticationRequestsSigned="false">
          <KeyDescriptor use="signing">
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                   <X509Certificate>[PUBLIC CA Certificate]</X509Certificate>
                </X509Data>
             </KeyInfo>
          </KeyDescriptor>
          <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.dell.com/Identity/global/Login/6c352f9b-7272-4646-85a8-fb4db5d25a2b" />
          <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
          <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.dell.com/Identity/global/Login/6c352f9b-7272-4646-85a8-fb4db5d25a2b" />
          <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.dell.com/Identity/global/Login/6c352f9b-7272-4646-85a8-fb4db5d25a2b" />
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="ProfileId">
             <AttributeValue>http://www.dell.com/identity/claims/profile/id</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="Username">
             <AttributeValue>http://www.dell.com/identity/claims/profile/username</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="FirstName">
             <AttributeValue>http://www.dell.com/identity/claims/profile/firstname</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="LastName">
             <AttributeValue>http://www.dell.com/identity/claims/profile/lastname</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="EmailAddress">
             <AttributeValue>http://www.dell.com/identity/claims/profile/emailaddress</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="AuthenticationType">
             <AttributeValue>http://www.dell.com/identity/claims/authentication/type</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="AuthenticationStatus">
             <AttributeValue>http://www.dell.com/identity/claims/authentication/status</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="AuthenticationSource">
             <AttributeValue>http://www.dell.com/identity/claims/authentication/source</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="AccountId">
             <AttributeValue>http://www.dell.com/identity/claims/accountid</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="SessionInstanceId">
             <AttributeValue>http://www.dell.com/identity/claims/session/instanceid</AttributeValue>
          </Attribute>
          <Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="SessionId">
             <AttributeValue>http://www.dell.com/identity/claims/session/id</AttributeValue>
          </Attribute>
       </IDPSSODescriptor>
       <ContactPerson contactType="administrative">
          <Company>Dell</Company>
          <EmailAddress>OCSAuthentication@Dell.com</EmailAddress>
       </ContactPerson>
    </EntityDescriptor>
  • Send the public key of the IdP signing certificate by email to an authorized recipient, following the instructions in the service request. Contact Cloud Snapshot Manager to provide the certificate information.
  • Your organization needs to ensure that a valid Certification Authority (CA) issues the SAML token.
  • The IdP needs to ensure that the SAML token contains the user's email ID, first and last name, and a company-unique ID that can be shared publicly. This ID is used internally to recognize the user.
  • The service provider metadata is provided to your organization to configure. The following is an example of Dell service provider metadata:
    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://console.dell.com">
       <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
          <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://console.dell.com/acs" index="1" />
       </md:SPSSODescriptor>
       <md:Organization>
          <md:OrganizationName xml:lang="en-US">Dell EMC</md:OrganizationName>
          <md:OrganizationDisplayName xml:lang="en-US">Dell EMC</md:OrganizationDisplayName>
          <md:OrganizationURL xml:lang="en-US">https://www.dell.com</md:OrganizationURL>
       </md:Organization>
       <md:ContactPerson contactType="administrative">
          <md:Company>EMC</md:Company>
          <md:EmailAddress>OCSAuthentication@Dell.com</md:EmailAddress>
       </md:ContactPerson>
    </md:EntityDescriptor>
  • Your organization configures Dell service provider metadata.
  • Your organization and Dell perform testing to ensure that federation is working correctly.
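Before the joint testing step, both metadata documents can be pre-checked against the prerequisites in this workflow. The following stdlib-only Python script is an added example, not Dell's code: it confirms the IdP metadata carries a signing certificate, HTTPS SingleSignOnService endpoints for both bindings and the required attributes, and on the SP side it flags WantAssertionsSigned="false" (as in the service provider example above), which means the SP does not require assertions to be signed. The example.org/example.com hosts, the placeholder certificate and the mapping of the company unique ID to the AccountId attribute are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Names follow the IdP example above; mapping "company unique ID" to AccountId is an assumption.
REQUIRED_ATTRS = {"EmailAddress", "FirstName", "LastName", "AccountId"}

# Constructed samples (placeholder hosts/cert): IdP omits AccountId, SP keeps WantAssertionsSigned="false".
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:saml="{SAML}" entityID="https://idp.example.org/saml">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>MIIC...placeholder...</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  <SingleSignOnService Binding="{POST}" Location="https://idp.example.org/sso"/>
  <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso"/>
  <saml:Attribute Name="EmailAddress"/><saml:Attribute Name="FirstName"/><saml:Attribute Name="LastName"/>
 </IDPSSODescriptor></EntityDescriptor>"""
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://console.example.com">
 <md:SPSSODescriptor WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="{POST}" Location="https://console.example.com/acs" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return problems found: missing signing certificate, SSO endpoints, or required attributes."""
    idp = ET.fromstring(xml_text).find(f"{{{MD}}}IDPSSODescriptor")
    problems = []
    # The SP verifies assertion signatures against this certificate; no 'use' attribute means signing too.
    certs = [c.text or "" for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing" for c in kd.iter(f"{{{DS}}}X509Certificate")]
    if not any(c.strip() for c in certs):
        problems.append("no signing certificate in a KeyDescriptor")
    sso = {s.get("Binding"): s.get("Location", "") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    for binding in (POST, REDIRECT):
        if not sso.get(binding, "").startswith("https://"):
            problems.append("missing or non-HTTPS SingleSignOnService for " + binding.rsplit("-", 1)[1])
    missing = sorted(REQUIRED_ATTRS - {a.get("Name") for a in idp.findall(f"{{{SAML}}}Attribute")})
    if missing:
        problems.append("required attributes not advertised: " + ", ".join(missing))
    return problems

def check_sp_metadata(xml_text):
    """Flag SP settings that leave signed assertions optional or deliver the response over plain HTTP."""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    problems = [] if sp.get("WantAssertionsSigned", "false").lower() == "true" else [
        "WantAssertionsSigned is not true: SP does not require signed assertions"]
    acs = [a.get("Location", "") for a in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    return problems + ["non-HTTPS AssertionConsumerService: " + u for u in acs if not u.startswith("https://")]
```

Run the two checks over the real metadata files exchanged in the service request; an empty list from both means the structural prerequisites are met and only the end-to-end sign-in test remains.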