Appendix E: Configuring SAML Authentication for the ProfileUnity Console

These steps outline the process required to enable SAML authentication for the ProfileUnity Console web UI. This can be useful for environments that already have a centralized identity provider handling authentication and authorization to applications or servers and want to extend this to include the administrator logins to the ProfileUnity Console.

The example Identity Provider used in this section is Microsoft Entra ID, but any SAML-compatible Identity Provider can be used for authentication and authorization to the ProfileUnity Console if they are able to provide the necessary information required in ProfileUnity.

It is recommended for the ProfileUnity Console server to be domain-joined, have an Active Directory service account created and configured under the Roles and Responsibilities section of the Administration, Access and Authentication tab if SAML users require access to Windows file shares for browsing purposes or Configuration file deployments to INI paths hosted on a Windows file share. Environments using only cloud-based storage would not benefit from using a service account.

These steps do not enable the ability to use Microsoft Entra ID security groups as a filter condition in your ProfileUnity Configurations. For that feature, refer to the Configuring Microsoft Entra ID for use with Security Group-Based Filters chapter in this document.

Configure Entra ID for SAML Authentication in the Azure Portal

Note: These steps are used to set up authentication to be able to create a new Enterprise application in your Microsoft Entra ID tenant.

  1. Log in to the Azure Portal > Microsoft Entra ID blade > Enterprise applications page with appropriate Azure Administrator-level credentials.

    https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade

    Note: If you are not already in your correct Tenant, Directory and Subscription, then use the Switch directory link after clicking on your login name at the top-right.

  2. On the Enterprise applications screen, click the New application button at the top of the screen, click Create your own application at the top, provide a Name (e.g., ProfileUnity SAML Authentication), select Integrate any other application you don't find in the gallery (Non-gallery), and click the Create button.
  3. Navigate to Users and groups on the left, click Add user/group at the top, click None selected under Users and groups, search for and select the users or groups (groups preferred) that should be authorized to log in to the ProfileUnity Console web UI, and click the Select button followed by the Assign button.
  4. Navigate to Single sign-on on the left, click SAML, click Edit in the Basic SAML Configuration box, and provide the following information.
    • Identifier = a name such as profileunity-saml-support
    • Reply URL = Click Add reply URL and enter:
        https://<f.q.d.n>:8000/saml/assertionconsumerservice
        where <f.q.d.n> is the fully qualified domain name of the ProfileUnity Console server and is resolvable by your web browser.
    • Sign on URL = https://<f.q.d.n>:8000/
    • Relay State = Leave blank.
    • Logout URL = https://<f.q.d.n>:8000/logout
  5. Click Save at the top of the screen.
  6. Close the Basic SAML Configuration blade and select No if asked to test authentication.
  7. Click Edit in the Attributes & Claims box, click Add a group claim, select Security groups, and click the Save button.
  8. Navigate back to the Single sign-on page, click the Download link next to Federation Metadata XML in the SAML Signing Certificate box, and save the file to be used later.

Configure the ProfileUnity Console for SAML Authentication

Note: These steps require the account logging in to the ProfileUnity Console to have the Administrator role assigned in the Administration, Access and Authentication tab.

  1. Log in to the ProfileUnity Console web UI with an Administrator-level account and navigate to the Administration > Access and Authentication tab in the upper-right of the screen.
  2. In the Authentication section, put a check next to SAML, and in the Configure SAML Identity Provider dialog box, click the Import Metadata button.
  3. In the Import SAML Metadata dialog box, browse for the XML downloaded in Step 8 of the Configure Entra ID for SAML Authentication in the Azure Portal instructions above, and click the Import button.
  4. In the Identity Entity Id field, enter the Identifier used in Step 4 of the Configure Entra ID for SAML Authentication in the Azure Portal instructions above, and click the Update button on this screen followed by the Update button at the top-right of the Administration page.

    Note: The following optional items may be selected according to your specific requirements:

    User Account Must Match Active Directory requires the SAML user logging in to match a corresponding on-prem Active Directory user, and requires the ProfileUnity Console server to be joined to the corresponding on-prem Active Directory domain.

    Auto Add User To ProfileUnity allows any SAML user to log in to the ProfileUnity Console and be added to the user list with the role of User, as long as the Identity Provider has authorized the user to access the ProfileUnity application. An existing Administrator-level account in ProfileUnity is then needed to assign the new SAML user the Administrator role, if required.
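The two procedures above hinge on a few values lining up: the Entra Identifier must equal the Console's Identity Entity Id, the Reply, Sign on and Logout URLs must follow the https://<f.q.d.n>:8000/... pattern, and the downloaded Federation Metadata XML must carry the IdP entityID and signing certificate the Console imports. The following pre-flight check is an added example, not ProfileUnity or Microsoft code; the metadata sample, tenant id and certificate body are constructed placeholders.

```python
"""Pre-flight check for a ProfileUnity SAML setup (added example, not Liquidware code)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of an Entra ID Federation Metadata XML export.
# The tenant id and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the Console import needs: IdP entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)],
        "signing_certs": [c.text.strip() for c in idp.findall(".//ds:X509Certificate", NS)],
    }


def check_sp_settings(fqdn, identifier, reply_url, sign_on_url, logout_url):
    """Return problems found in the values entered in Entra's Basic SAML Configuration."""
    expected = {
        "Reply URL": f"https://{fqdn}:8000/saml/assertionconsumerservice",
        "Sign on URL": f"https://{fqdn}:8000/",
        "Logout URL": f"https://{fqdn}:8000/logout",
    }
    given = {"Reply URL": reply_url, "Sign on URL": sign_on_url, "Logout URL": logout_url}
    problems = []
    if not identifier.strip():
        problems.append("Identifier is empty; it must equal the Console's Identity Entity Id")
    for name, url in given.items():
        if not url.startswith("https://"):
            problems.append(f"{name} is not https; assertions would travel in cleartext")
        elif url != expected[name]:
            problems.append(f"{name} should be {expected[name]}")
    return problems
```

Run parse_idp_metadata on the real downloaded XML to confirm it contains a signing certificate before importing it, and call check_sp_settings with the values you typed into the Azure Portal; an empty list means the URLs match the pattern the Console expects.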