Single Sign-On (SAML)

There are two SAML implementations in StatusDashboard: one for user access to the status dashboard and one for administrative access to the StatusDashboard administration console.  Each is a separate service provider with its own independent set of SAML configuration options, so that StatusDashboard can interoperate with any SAML 2.0-compliant identity provider.

SAML Service Providers

Dashboard Single Sign-On

Dashboard SSO allows customers to protect dashboard pages (e.g. status.acme.com) with SAML authentication.  Once configured, any attempt to access a dashboard page is redirected to the customer's configured identity provider (IdP) for authentication.  Dashboard SSO may be combined with a dashboard IP whitelist so that access requires both a successful SAML authentication and a permitted source IP address.

In order to configure dashboard SAML authentication, browse to Security > Single Sign-On > Options > SAML SSO (Dashboard).

Administrative Single Sign-On

Administrative SSO requires StatusDashboard administrative accounts to authenticate against the customer's configured identity provider (IdP) before they are granted access to the StatusDashboard administration portal.  Once configured, all users must sign in to the administration portal with their IdP credentials, unless the user account has been configured for SSO bypass.  Accounts configured for SSO bypass do not go through the IdP at all, so keep them to the minimum needed for break-glass access.  Administrative SSO may be combined with an admin login whitelist so that access requires both a successful SAML authentication and a permitted source IP address.

With Administrative SSO, user accounts and permissions are still configured within the StatusDashboard administration portal; only authentication is delegated to the customer's IdP.  The email address asserted by the IdP (the NameID) is what links an IdP login to a StatusDashboard account, so when creating StatusDashboard user accounts the email address within StatusDashboard must match the email address within the customer's IdP.  SAML authentication cannot be enabled for administrative logins if Google OAuth2 is also enabled for administrative logins.

In order to configure admin SAML authentication, browse to Security > Single Sign-On > Options > SAML SSO (Admin).


Service Provider Options

The following information/options are available when configuring the Service Provider (SP).  There are no required fields within the SP configuration.

Metadata

Once the required identity provider fields (see Identity Provider Options below) are entered and saved, a metadata link becomes visible that provides the service provider's SAML metadata in XML format.  Import that metadata at the IdP rather than transcribing values by hand; it is the authoritative source for the Entity ID, ACS and SLO endpoints, bindings and SP certificate described below.

Entity ID / Issuer

The Entity ID of the StatusDashboard service provider.  This value cannot be modified; register it at the IdP as the service provider's identifier (it is also the audience the IdP should place in its assertions).

Assertion Consumer Service (ACS)

The ACS URL of the StatusDashboard service provider.  This value cannot be modified.

ACS Binding

The ACS binding for the SP.  This value cannot be modified, and the only binding currently supported is HTTP-POST.

Single Logout Service (SLO)

If the IdP supports single logout, this is the service provider's SLO endpoint to register at the IdP.  This value cannot be modified.

SLO Binding

The SLO binding for the service provider.  This value cannot be modified and the only binding currently supported is HTTP-REDIRECT.

Name ID Format

The Name ID format required by this service provider.  This value cannot be modified; the only format supported is email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress), so the IdP must be configured to release the user's email address as the NameID.

x509 Certificate

The x509 certificate of the service provider; this is the key StatusDashboard uses to sign the SAML messages selected in the signing options below.  If your IdP implementation requires a CA-issued certificate, choose the Comodo signed certificate (assuming your IdP trusts the Comodo CA).  If your IdP does not require one, choose the StatusDashboard self signed certificate.  The self signed certificate is the preferred option because it has a long expiration time and will not be refreshed, whereas the Comodo certificate may be refreshed periodically, requiring you to update your IdP configuration.  Most IdPs pin the exact SP certificate taken from the metadata rather than validating a CA chain, so the self signed option is sufficient for them; either way, the IdP must hold the certificate actually selected here, or signed SP messages will fail verification.

Current x509 Certificate Details

The currently chosen x509 certificate of the service provider, in PEM format.  The console displays the PEM for both options, StatusDashboard Signed and Comodo Signed, so that it can be copied into the IdP's trusted SP certificate configuration.

Sign AuthN Request

Sign the <samlp:AuthnRequest> messages sent by the service provider.

Sign Logout Request

Sign the <samlp:LogoutRequest> messages sent by the service provider.  An unsigned LogoutRequest can be forged by anyone who knows a user's NameID, so enable this whenever the IdP can verify SP signatures.

Sign Logout Response

Sign the <samlp:LogoutResponse> messages sent by the service provider.

Sign Metadata

Sign the metadata presented by the service provider.

Signature Algorithm

The signature algorithm used for the signatures the service provider produces.  Choose an RSA-SHA256 (or stronger) algorithm where the IdP supports it; SHA-1 based signature algorithms are deprecated.

Digest Algorithm

The digest algorithm used in the service provider's signatures.  As with the signature algorithm, prefer SHA-256 or stronger over SHA-1.

Encrypt Name ID

Encrypt the NameID in the <samlp:LogoutRequest> messages sent by the service provider.

Include Authentication Context

When enabled, the AuthnRequest carries a <samlp:RequestedAuthnContext Comparison="exact"> element whose <saml:AuthnContextClassRef> is 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', so the IdP must authenticate the user with a password over a protected transport and may reject the request if it cannot.  When disabled, no RequestedAuthnContext is sent in the AuthnRequest and the IdP chooses the authentication method.  Disable it if your IdP authenticates with a different context class (for example a passwordless or MFA-specific class) and refuses exact matches on PasswordProtectedTransport.
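As an added illustration (example code, not StatusDashboard's own implementation), the following Python builds the <samlp:AuthnRequest> that a service provider with the options above sends to the IdP's SSO URL over the HTTP-POST binding: the Issuer is the SP Entity ID, the ACS URL and HTTP-POST binding are named in the request, the NameIDPolicy asks for an email address, and Include Authentication Context toggles the RequestedAuthnContext block.  The entity IDs and URLs are made-up placeholders.  Signing the request (the Sign AuthN Request option) requires an XML-DSig implementation such as xmlsec or signxml and is left out.

```python
"""Build the <samlp:AuthnRequest> an SP sends over the HTTP-POST binding.
Added example, not StatusDashboard code; entity IDs and URLs are made up."""
import base64
import secrets
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, include_authn_context,
                        request_id=None, issue_instant=None):
    """Return the (unsigned) AuthnRequest as an XML string."""
    # SAML IDs must be valid xs:ID values, so a random hex string gets a leading "_".
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,              # IdP SSO Service URL the form is posted to
        "ProtocolBinding": HTTP_POST,            # ACS Binding: HTTP-POST
        "AssertionConsumerServiceURL": acs_url,  # SP ACS URL the IdP must reply to
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id  # SP Entity ID / Issuer
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": EMAIL_FORMAT})
    if include_authn_context:  # "Include Authentication Context" option
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_PROTECTED_TRANSPORT
    return ET.tostring(req, encoding="unicode")


def post_binding_field(xml_text):
    """HTTP-POST binding: the request travels base64-encoded in a SAMLRequest form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def summarize_request(form_field):
    """Decode a SAMLRequest form field and pull out the fields an IdP checks."""
    root = ET.fromstring(base64.b64decode(form_field))
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "nameid_format": root.find("samlp:NameIDPolicy", NS).get("Format"),
        "authn_context": [e.text for e in root.findall(
            "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)],
    }


if __name__ == "__main__":
    xml = build_authn_request("https://status.acme.com/saml/metadata",
                              "https://status.acme.com/saml/acs",
                              "https://idp.acme.com/sso", include_authn_context=True)
    print(xml)
    print(summarize_request(post_binding_field(xml)))
```

The IdP compares Destination against its own SSO endpoint and Issuer against the SP it has registered, which is why the metadata link above, rather than hand-typed values, should be the source of those settings on the IdP side.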


Identity Provider Options

The following options are available when configuring the Identity Provider (IdP).  The only required fields are Entity ID / Issuer and Single Sign-On (SSO) Service URL.  If IdP signature verification is desired, the x509 Certificate is also required; without it StatusDashboard has no key with which to verify anything the IdP sends, so the certificate should always be provided outside of initial testing.

Entity ID / Issuer

The Entity ID of the customer's identity provider, exactly as it appears in the IdP's metadata and in the Issuer element of its responses.

Single Sign-On (SSO) Service URL

The SSO URL of the customer's identity provider.

SSO Binding

The SSO binding for the customer's identity provider.  This value cannot be modified, and the only binding currently supported is HTTP-POST.

Single Logout Service (SLO) URL

If the customer's identity provider supports single logout, this is the SLO URL of the identity provider.

SLO Binding

The SLO binding for the customer's identity provider.  This value cannot be modified, and the only binding currently supported is HTTP-REDIRECT.

IdP Logout URL

When not using SLO, this is a URL on the customer's identity provider that will end the identity provider session upon logout from StatusDashboard.

Logout Redirect URL

When no final redirect URL is provided by the customer's identity provider, this is a URL where users will be redirected after logout.

x509 Certificate

The x509 certificate of the customer's identity provider, in PEM format.  This is the IdP's signing certificate that the Require Message Signature and Require Assertion Signature options verify against; when the IdP rotates its signing key, update it here first or logins will fail.

Require Message Signature

Require the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> messages sent from the customer's identity provider to be signed.  The message signature covers the protocol envelope, including the Destination and InResponseTo attributes.

Require Assertion Signature

Require the <saml:Assertion> elements sent by the customer's identity provider to be signed.  The assertion signature covers the NameID, conditions and audience that decide who is logged in, so enable this whenever the IdP supports it; with both signature requirements disabled, nothing the IdP sends is verified.

Require NameID Encryption

Require the NameID sent by the customer's identity provider to be encrypted.
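To make concrete what the Require Message Signature and Require Assertion Signature options (together with the Entity ID, ACS URL and NameID settings above) protect, here is an added Python example, not StatusDashboard code, of the structural checks a service provider applies to a <samlp:Response> before trusting the NameID it carries.  The IdP entity ID, URLs and the sample response are constructed for the example; the ds:Signature elements are placeholders, since cryptographic XML-DSig verification needs a library such as xmlsec or signxml.  What the example shows is the part a signature library does not do for you: the signature required by each option must sit directly on the Response or Assertion and reference that element's own ID, there must be exactly one Assertion, and the Issuer, Destination, InResponseTo, Audience and validity window must all match the configured values.

```python
"""Structural checks an SP applies to a <samlp:Response> before trusting its
NameID.  Added example, not StatusDashboard code; all identifiers are made up."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # in production, parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP response: one assertion, placeholder signatures on both elements.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://status.acme.com/saml/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.acme.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.acme.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://status.acme.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SP_CONFIG = {  # what the SP has configured (made-up values)
    "idp_entity_id": "https://idp.acme.com/metadata",         # IdP Entity ID / Issuer
    "sp_entity_id": "https://status.acme.com/saml/metadata",  # SP Entity ID
    "acs_url": "https://status.acme.com/saml/acs",            # SP ACS URL
    "request_id": "_req1",                                    # ID of the AuthnRequest we sent
}
NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)


class SamlError(Exception):
    pass


def parse_ts(value):
    if value is None:
        raise SamlError("missing timestamp")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # bare "Z" needs 3.11+


def signature_covers(element):
    """True if element has an enveloped ds:Signature whose Reference points at the
    element's own ID.  Checking the URI, not merely that a signature exists somewhere
    in the document, is what defeats signature-wrapping payloads."""
    sig = element.find("ds:Signature", NS)  # direct child only
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref is not None and ref.get("URI") == "#" + (element.get("ID") or "")


def check_response(xml_text, idp_entity_id, sp_entity_id, acs_url, request_id,
                   now, require_message_sig=True, require_assertion_sig=True):
    """Return the asserted email address or raise SamlError."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")
    if resp.get("Destination") != acs_url:
        raise SamlError("Destination is not our ACS URL")
    if resp.get("InResponseTo") != request_id:
        raise SamlError("unsolicited or replayed response")
    if resp.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("Response issuer is not the configured IdP")
    if require_message_sig and not signature_covers(resp):
        raise SamlError("Response is not signed (Require Message Signature)")
    assertions = resp.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("Assertion issuer is not the configured IdP")
    if require_assertion_sig and not signature_covers(assertion):
        raise SamlError("Assertion is not signed (Require Assertion Signature)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("Assertion has no Conditions")
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise SamlError("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("Assertion is not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise SamlError("NameID missing or not an email address")
    return name_id.text.strip()  # this is the address matched to a user account
```

Running check_response against SAMPLE_RESPONSE with SP_CONFIG and NOW returns alice@acme.com; pointing the assertion's Reference at another element, adding a second Assertion, changing the ACS URL or moving the clock past NotOnOrAfter each raises SamlError.  Note that the same mis-referenced signature is accepted when require_assertion_sig is False, which is exactly the weakening the Require Assertion Signature option guards against.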


Required Permissions: Administrator or User Management role

Still have questions?  Contact our support team.  We're always happy to help with any questions you might have.