SAML Authentication


Enterprises using the TCPWave IPAM 11.23 P1 (Santa Renata) can leverage the single-sign-on (SSO) login standard with SAML authentication. SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity to service providers. This form of authentication ensures that credentials don't leave the firewall boundary.

Architecture Overview

The architectural diagram above illustrates how user authentication can be done with Single sign on login with SAML support. SAML SSO works by transferring the user‘s identity from the identity provider(IDP) to service provider (TCPWave IPAM). This is done through an exchange of digitally signed XML documents.

When a user is logged into a identity provider. The user wants to log in to TCPWave IPAM.

The following happens:

  • The user accesses the IDP using a link on an intranet, a bookmark, or similar and the application loads.
  • The application identifies the user‘s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
  • The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
  • The identity provider builds the authentication response in the form of an XML-document containing the user‘s user name or email address, signs it using an X.509 certificate, and posts this information to the TCPWave IPAM. The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
  • The identity of the user is established and the user is provided with application access.
IDP Configuration

The general flow is to define an application and users in Identity Provider( IDP ) and associate the users to the application. The IDP will generate a unique entity ID and single sign on and logout URLs, as well as a certificate that needs to be used by the TCPWave IPAM, in our case TCPWave IPAM, to integrate with IDP. As part of this process the IDP also should be configured with the Assertion Consumer Service (ACS) URL and the Single Logout (SLO) URL, and the TCPWave IPAM metadata URLs. The IDP is configuration can be modified with different IDP providers in TCPWave IPAM using Global options. Procedure to integrate with Okta and OneLogin providers is described below

OKTA - IDP Configuration

The following steps will enable integration of TCPWave IPAM with Okta

  • Login to Okta dashboard with Administrator credentials. Select Classical UI from the Developer Console dropdown at the top left of the screen.
  • Click on Admin menu item, Select Applications menu and click on Add Application button.
  • Select Create new App, and in the popup select “SAML 2.0” radio button for Sign on method option.
  • Enter application name, select an optional logo, and click next.
  • In the SAML settings add the following values:
    Single sign on URL = https:// <host>:<port>/tims/acs
    Audience URI (SP Entity ID) = https://<host>:<port>/tims/metadata
    Name ID format = EmailAddress
    Add the following attributes in the Attributes sections
    FirstName user.firstName
    LastName user.lastName
  • Once the application is created, configure the TCPWave IPAM global options with IDP provider details.
  • User can see the Okta IDP login screen while accessing the TCPWave IPAM application.
ONELOGIN - IDP Configuration


The following steps will enable OneLogin integration with TCPWave IPAM.

  • Login to OneLogin dashboard with administration credentials. Select Administration menu.
  • Click on Add App, and select SAML Test Connector (Idp w/attr)
  • Select Create new App, and in the popup select “SAML
  • Use the following values for the application configuration parameters
    Audience: https:// <host>:<port>/tims/metadata
    Recipient: https://<host>:<port>/tims/acs
    ACS (Consumer) URL Validator: .*
    ACS(Consumer) URL: https:// <host>:<port>/tims/acs
    Single Lougt URL: https:// <host>:<port>/tims/sls
  • Once the application is created, configure the TCPWave IPAM global options with IDP provider details.
  • User can see the One Login IDP login screen while accessing the TCPWave IPAM application.
Business Advantage

Enterprises using TCPWave DDI can now seamlessly integrate with SAML Identity providers and configure many commercial solutions like Okta, OneLogin, Shibboleth, Gluu etc with endless possibilities to accomplish 100% safe and secure DDI Workflow Automation.

The screenshots posted in this page belong to the Identity Providers. Enterprises are expected to have a contract with Identity Provider to leverage this technology. TCPWave provides Global options to configure with IDPs. TCPWave does not provide any bundled software with any Identity Provider.