This page details how to enable logins using SAML.
There are two places where this can be enabled: in System, for both Busby Admin and Config Editor (which share a config), or in each Selector service, so that each Selector can use a different provider.
A third-party identity provider (IdP) is also required; it authenticates the user and returns the user information to the authentication service in its SAML responses.
Selector has the same configuration options as Busby Admin / Config Editor, plus an additional check box that lets it either use the System config or keep its own separate config. See below for all the options.
To allow SAML logins for Config Editor and Busby Admin, the configuration is under System -> System. Check the Enabled checkbox and fill in the relevant details.
-1 = disabled. There are then several options available.
The issuer (entity ID) each service presents to the provider takes the form <issuer>/<service>, with the service id appended to the configured issuer. Examples:
http://saml.demo.busby.local/configEditor
http://saml.demo.busby.local/busbyAdmin
http://saml.demo.busby.local/selector
You can also add additional parameters, which are appended to the requests sent to the provider. In the example above the parameter whr is added; for Entra ID (and likely other WS-Federation SAML servers) this sets the home realm, which lets the provider pick the right account automatically when the user is signed in to several accounts. login_hint or domain_hint may also work for certain providers.
Most, if not all, of the information the provider needs can be taken from the metadata XML. Once the above is set up on a service, the metadata can be retrieved from /saml/metadata on the relevant server for Config Editor / Busby Admin / Selector. It includes the signing certificate, which the provider needs if it is to verify the signatures on requests from Busby. The certificate can also be retrieved on its own as a separate file from /saml/cert.
The provider will need to have all the required Assertion Consumer Service URLs registered; a response sent to an ACS URL the provider does not know about will be rejected. Not all providers allow multiple ACS URLs on one application, so you may need to set up several SAML applications at the provider, one per Busby service. Provided they all use the same IdP certificate, you should then enable the append service id option so that each service identifies itself with its own issuer.
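The following script is an added example, not Busby documentation or product code. It ties together the issuer format (<issuer>/<service>), the extra request parameters such as whr, and the metadata published at /saml/metadata: it parses a constructed SP metadata document of the kind a Config Editor instance could publish, derives the per-service issuer, fingerprints the signing certificate, checks the published ACS URLs and issuer against what an IdP has registered, and builds a redirect URL carrying an extra parameter. The metadata document, its ACS path (/saml/acs), the certificate bytes and the IdP URL are all constructed for this example, and the element names assume standard SAML 2.0 SP metadata rather than anything specific to Busby.

```python
"""Offline check of a Busby service's SAML SP metadata against an IdP's registration.

Added example, not part of the Busby documentation or product code. It assumes
/saml/metadata returns standard SAML 2.0 SP metadata; the sample document below,
its ACS path (/saml/acs) and the certificate bytes are constructed for this example.
"""
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder, not a real X.509 certificate; only its fingerprint is used.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"

# Constructed sample of what a Config Editor instance could publish at /saml/metadata.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://saml.demo.busby.local/configEditor">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://configeditor.demo.busby.local/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(SAMPLE_CERT_DER).decode()


def service_entity_id(issuer, service, append_service_id=True):
    """Issuer a service presents: <issuer>/<service> when 'append service id' is on."""
    issuer = issuer.rstrip("/")
    return f"{issuer}/{service}" if append_service_id else issuer


def parse_sp_metadata(xml_text):
    """Extract entityID, ACS endpoints and SHA-256 fingerprints of the signing certs."""
    root = ET.fromstring(xml_text)
    acs = [
        {
            "index": int(el.get("index", "0")),
            "binding": el.get("Binding"),
            "location": el.get("Location"),
            "default": el.get("isDefault") == "true",
        }
        for el in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]
    fingerprints = []
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' covers both; use="encryption" is not a signing key.
        if kd.get("use") not in (None, "signing"):
            continue
        cert_el = kd.find(".//ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            continue
        der = base64.b64decode("".join(cert_el.text.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "acs": acs, "signing_fingerprints": fingerprints}


def check_idp_registration(metadata, registered_acs_urls, registered_entity_id):
    """List mismatches between what the SP publishes and what the IdP has on file."""
    problems = []
    if metadata["entity_id"] != registered_entity_id:
        problems.append(
            f"issuer mismatch: SP sends {metadata['entity_id']!r}, IdP expects {registered_entity_id!r}"
        )
    for endpoint in metadata["acs"]:
        if endpoint["location"] not in registered_acs_urls:
            problems.append(f"ACS URL not registered at the IdP: {endpoint['location']}")
    return problems


def build_sso_redirect(idp_sso_url, saml_request_b64, extra_params=None):
    """Append SAMLRequest plus extra parameters (e.g. whr) to the IdP SSO URL.

    Assumption: the extra parameters ride on the query string of the redirect.
    """
    query = {"SAMLRequest": saml_request_b64, **(extra_params or {})}
    sep = "&" if urllib.parse.urlparse(idp_sso_url).query else "?"
    return idp_sso_url + sep + urllib.parse.urlencode(query)


if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", md["entity_id"])
    for ep in md["acs"]:
        print("ACS:", ep["index"], ep["binding"], ep["location"])
    print("signing cert sha256:", md["signing_fingerprints"])
    # Simulate an IdP application registered with the bare issuer and no ACS URLs.
    for p in check_idp_registration(md, set(), "http://saml.demo.busby.local"):
        print("PROBLEM:", p)
    print(build_sso_redirect("https://login.example.test/saml2", "AAAA", {"whr": "contoso.com"}))
```

Run it against the real output of /saml/metadata from each service and against the issuer and ACS URLs you entered at the provider; the issuer-mismatch case is exactly what you hit when the append service id option is on at Busby but the provider application was registered with the bare issuer.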