Configure SAML Single Sign-On (SSO) Authentication

By default, the Aperture service uses local (database) authentication which requires you to create Aperture sign in accounts for each Aperture administrator. These accounts are stored in a local database separate from your enterprise login accounts. If your organization has standardized on SAML SSO authentication, you can eliminate duplicate accounts by configuring Aperture as a SAML service provider so that Aperture administrators can use their enterprise credentials to access the service. You must be an Aperture Super Admin to set or change the authentication settings on the Aperture service.
  1. Enable SSO authentication on Aperture service.
    You must be an Aperture Super Admin to configure SSO authentication.
    1. Select SettingsAuthentication.
    2. Select Enable Single Sign-On and Save.
      enable-single-sign-on.png
    3. Make a note of the Aperture Entity ID and ACS URL provided.
      The Identity Provider needs this information to communicate with the Aperture service.
      sso-aperture-info.png
  2. Configure the Aperture service on your SAML Identity Provider.
    This example uses Okta as your Identity Provider.
    1. Add the Aperture Entity ID.
    2. Add the Aperture ACS URL.
    3. Obtain the IDP certificate from the Identity Provider and install the certificate on the IDP server. If you do not know where to obtain the certificate, contact your IDP administrator or vendor.
      okta-sso-example.png
    4. Save the Aperture configuration for your chosen Identity Provider and collect setup information provided.
      okta-aperture-settings.png
  3. Configure SSO authentication on Aperture.
    1. Enter the Identity Provider SSO URL.
    2. Browse to add an Identity Provider Certificate. The identify provider uses this certificate to sign SAML messages. Alternatively, you can disable Require valid certificate for login.
    3. Enter the SAML Identity Provider ID.
      sso-identity-fields.png
    4. Save your changes.
  4. Select SSO as the authentication type for Aperture administrators.
    After SSO is configured on the Aperture service and the identity provider, you can configure the authentication type for each Aperture administrator.
    As an Aperture Super Admin, you can change the Authentication Type for any account except your own. To change your Authentication Type, another Super Admin must configure your account.
    1. Select SettingsAdmin Accounts.
    2. Create a new Admin Account or edit an existing one.
    3. For the Authentication Type, select Single Sign-On (SSO).
      When accessing the Aperture service, Administrators will automatically logged in and see the following message at the top of the screen.
      sso-authenticated.png
      When the Administrator has both an account in the Aperture local database and SSO, the following sign on screen displays.
      sso-signin.png

Related Documentation