If your Identity Provider system supports it, you can use the Metadata from Yarkon and ingest it directly. Otherwise, you can manually enter the required details:
Callback URL is the Yarkon endpoint the Identity Provider should call once the user's identity is confirmed. It is auto-populated for you, based on the host name you designated for the Yarkon server in your environment.
IdP Login URL is the endpoint in the Identity Provider's domain that Yarkon should defer to. It depends on the system you have. In this sample, using our Auth0 provider, the endpoint is
IdP Public Cert is the Identity Provider's certificate, used to verify that the SAML messages exchanged between the parties of the system are genuine and have not been tampered with. It must be in PEM-encoded X.509 format, and will be available for you from the Identity Provider interface once you set up the integration.
If you are using the Pass Through mode, you need to provide the following as well:
IAM Type is the IAM entity you use to grant permissions in your organization: role, group or username.
IAM Property is the name of the SAML attribute your Identity Provider will use to communicate that value.
In the image above you can see how the form should look when set up with Auth0. In this specific case, we define the user's permissions based on the IAM Group they belong to. Of course, different users can belong to different groups.
When you are done, Save the settings in Yarkon, and you should be all set. When users now try to access the main application page of Yarkon, they are redirected to the login page presented by the Identity Provider, which should also handle their session information. Once login is verified, through the redirect scheme described in the image above, the Yarkon Web Application opens.
The set-up on the IdP side depends on the one you have. Yarkon expects one of the following SAML attributes to be used:
When not using the Pass Through option, the value passed in it must be the username used in Yarkon, which is the user's email address.
Note that the standard Name Id attribute should be used when using Active Directory and you are setting up the SP-initiated SAML process, as it is required for session handling.
When using the Pass Through option, you also have to set the IAM entity name on the user record. See below for an example of how the form should look when using Auth0. In this specific case, we give this user the permissions of the qa-finance group. Note that the (arbitrary) property name, in this case awsIamGroup, must match what was previously specified in the Yarkon Admin Console; since Auth0 uses a namespace for attribute names, the full name has to be specified as "http://schemas.auth0.com/awsIamGroup".
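As an added example (not Yarkon's own code), the following Python script shows the service-provider side of the values discussed above: it reads the NameID and the attributes out of a SAML response, looks up the configured IAM Property by its full namespaced name and flags the common mismatch where only the short name was configured, and checks that text pasted into the IdP Public Cert field is PEM-framed. The SAML response and certificate text are constructed samples; signature verification is outside the scope of this snippet.

```python
import ssl
import xml.etree.ElementTree as ET

# Constructed sample SAML Response (signature omitted). The attribute
# carries the namespaced name that Auth0 emits for a custom property.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.auth0.com/awsIamGroup">
        <saml:AttributeValue>qa-finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def resolve_iam_value(attrs, configured_name):
    """Look up the IAM Property configured in the admin console.
    The name must match exactly, namespace prefix included."""
    if configured_name in attrs:
        return attrs[configured_name][0]
    # Diagnose the usual mistake: the short name was configured but the
    # IdP sends the namespaced one.
    for full_name in attrs:
        if full_name.endswith("/" + configured_name):
            raise ValueError(f"IAM Property '{configured_name}' not found; "
                             f"IdP sent '{full_name}' (namespace missing?)")
    raise ValueError(f"IAM Property '{configured_name}' not in assertion")


def looks_like_pem_cert(cert_text):
    """True if the text has PEM certificate framing (header, base64 body,
    footer). Checks the framing only, not the certificate contents."""
    try:
        ssl.PEM_cert_to_DER_cert(cert_text)
        return True
    except ValueError:
        return False
```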