SAML Authentication


Using the TCPWave IPAM 11.23 P1 (Santa Renata), organizations can leverage the single-sign-on (SSO) login standard with SAML authentication. SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity to service providers. This form of authentication ensures that credentials don't leave the firewall boundary.

Architecture Overview

The architectural diagram above illustrates how user authentication can be done with a single sign-on login with SAML support. SAML SSO works by transferring the user's identity from the identity provider (IDP) to the service provider (TCPWave IPAM). This is done through an exchange of digitally signed XML documents.

Consider a user who wants to log in to TCPWave IPAM through an identity provider.

The following happens:

  • The user accesses the IDP using a link on an intranet, a bookmark, or similar, and the application loads.
  • The application identifies the user's origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
  • The user either has a current active browser session with the identity provider or establishes one by logging into the identity provider.
  • The identity provider builds the authentication response in an XML document containing the user's user name or email address, signs it using an X.509 certificate, and posts this information to the TCPWave IPAM. The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
  • The user's identity is established, and the user is provided with application access.
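The service-provider side of the last two steps, as an added Python example that is not TCPWave's code: the IDP certificate embedded in the response is pinned by its SHA-256 fingerprint, the assertion's Audience is compared with the SP entity ID (the /tims/metadata URL) and the validity window is checked before the NameID is trusted. The host name, certificate bytes and response are constructed placeholders, and verification of the XML-DSig signature itself is left to the SAML library in use.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IDP signing certificate (not real X.509 DER bytes);
# only its fingerprint, which the SP keeps in its IDP settings, matters for the check.
FAKE_CERT_DER = b"constructed-idp-certificate-bytes"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()
PINNED_FINGERPRINT = hashlib.sha256(FAKE_CERT_DER).hexdigest()
SP_ENTITY_ID = "https://ipam.example.test:7443/tims/metadata"  # placeholder <host>:<port>
# Constructed response shaped like the one the IDP posts to the SP's ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2999-01-01T00:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, pinned_fp, sp_entity_id, now=None):
    """SP-side checks from the flow above: pinned certificate fingerprint, Audience and
    validity window. Returns (subject, reasons); subject is None when any check fails.
    The XML-DSig signature itself must still be verified by the SAML library in use."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    reasons = []
    cert_el = root.find(".//ds:X509Certificate", NS)
    fp = hashlib.sha256(base64.b64decode(cert_el.text.strip())).hexdigest() if cert_el is not None else None
    if fp != pinned_fp:
        reasons.append("signing certificate fingerprint does not match the pinned IDP certificate")
    if sp_entity_id not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        reasons.append("assertion is not addressed to this SP entity ID")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        reasons.append("assertion is outside its validity window")
    name_id = root.find(".//saml:NameID", NS)
    return (name_id.text if not reasons and name_id is not None else None, reasons)
```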

IDP Configuration

The general flow is to define an application and users in the Identity Provider (IDP) and associate the users with the application. The IDP will generate a unique entity ID, single sign-on and logout URLs, and a certificate that the service provider, in our case TCPWave IPAM, needs in order to integrate with the IDP. As part of this process, the IDP should also be configured with the Assertion Consumer Service (ACS) URL, the Single Logout (SLO) URL, and the TCPWave IPAM metadata URL. The IDP configuration in TCPWave IPAM can be changed to a different IDP provider using Global options. The procedure to integrate with the Okta and OneLogin providers is described below.

OKTA - IDP Configuration

The following steps will enable the integration of TCPWave IPAM with Okta.

  • Log in to the Okta dashboard with Administrator credentials. Select Classic UI from the Developer Console dropdown at the top left of the screen.
  • Click on the Admin menu item, select the Applications menu and click on the Add Application button.
  • Select Create New App, and in the popup select the “SAML 2.0” radio button for the Sign on method option.
  • Enter the application name, select an optional logo, and click next.
  • In the SAML settings, add the following values:
    Single sign on URL = https://<host>:<port>/tims/acs
    Audience URI (SP Entity ID) = https://<host>:<port>/tims/metadata
    Name ID format = EmailAddress
    Add the following attributes in the Attributes section:
    FirstName = user.firstName
    LastName = user.lastName
  • Once the application is created, configure the TCPWave IPAM global options with IDP provider details.
  • Users see the Okta IDP login screen when accessing the TCPWave IPAM application.

ONELOGIN - IDP Configuration

The following steps will enable OneLogin integration with TCPWave IPAM.

  • Log in to the OneLogin dashboard with administrator credentials and select the Administration menu.
  • Click on Add App and select SAML Test Connector (IdP w/ attr).
  • Select Create new App, and in the popup select “SAML
  • Use the following values for the application configuration parameters:
    Audience: https://<host>:<port>/tims/metadata
    Recipient: https://<host>:<port>/tims/acs
    ACS (Consumer) URL Validator: .*
    ACS (Consumer) URL: https://<host>:<port>/tims/acs
    Single Logout URL: https://<host>:<port>/tims/sls
  • Once the application is created, configure the TCPWave IPAM global options with IDP provider details.
  • Users see the OneLogin IDP login screen when accessing the TCPWave IPAM application.

Business Advantage

Organizations using TCPWave DDI can now seamlessly integrate with SAML Identity providers and configure many commercial solutions like Okta, OneLogin, Shibboleth, Gluu, etc., with endless possibilities to accomplish 100% safe and secure DDI Workflow Automation.

The screenshots posted on this page belong to the Identity Providers. Enterprises are expected to have a contract with an Identity Provider to leverage this technology. TCPWave provides Global options to configure the integration with IDPs. TCPWave does not bundle any Identity Provider software.