Configure Generic SAML Integration¶
Ensure that you have Administrator access to your SAML Account and Privacera.
Follow these steps to set up SAML-based Single Sign-On (SSO) with any Identity Provider (IdP) supporting SAML 2.0.
Step 1: Configure Identity Provider Details¶
- Enter below details in your Identity SAML settings:
| Field | Value Example |
|---|---|
| Identity Provider URL | Self-Managed: https://PORTAL_HOST/saml/SSO PrivaceraCloud: https://privaceracloud.com/SingleSignOnService/receiveResponse |
| Audience URI (SP Entity ID) | privacera_portal |
Step 2: Map User Attributes¶
In the Attribute Statements section, map user attributes as follows:
| Name | Value | Optional/Required |
|---|---|---|
UserId | userName | Required |
Email | email | Required |
FirstName | firstName | Optional |
LastName | lastName | Optional |
Step 3: Optional - Configure Group Attribute¶
In the Group Attribute Statements, map group attributes as follows:
| Name | Filter Value | Example Description |
|---|---|---|
Group | group_name | Matches only the group group_name |
Step 4: Obtain Identity Provider Metadata and Embed Link¶
- Obtain the Identity Provider Metadata URL and download the Metadata XML file from your Identity Provider.
- Use this metadata to configure the SSO settings in your Privacera.
By following these generic steps, you can seamlessly integrate any Identity Provider (e.g., Okta, Ping Identity, OneLogin) that supports the SAML 2.0 protocol.
Configure SAML in Your Privacera Account¶
The steps to configure Generic SAML are as follows.
Step 1: SSH into Privacera Instance¶
SSH into the instance where Privacera is installed.
Step 2: Navigate to Privacera Manager Directory¶
| Bash | |
|---|---|
Step 3: Copy the saml Sample Configuration File¶
Copy the sample saml configuration file to the custom configuration directory.
| Bash | |
|---|---|
Step 4: Edit the Configuration File¶
Open the configuration file using a text editor and update the required fields.
| Bash | |
|---|---|
Uncomment and edit the following properties:
If you have configured Group Attribute, uncomment and edit the following properties:
| YAML | |
|---|---|
Step 5: Rename the downloaded metadata XML file¶
- Locate the metadata file downloaded in Step 4, (usually in your
Downloadsfolder or the folder where you saved it). - Rename the file to
privacera-portal-aad-saml.xml
Step 6: Upload or Copy the File to Privacera Manager’s custom properties folder¶
Option 1: Using SCP (for Remote Servers)¶
- Open a terminal and run the following command to upload the file to the Privacera Manager’s custom properties folder: Replace
Bash <server-ip>with your server’s IP address anduserwith your username.
Option 2: Copy-Paste Locally¶
-
If the file is on the same server, move the
privacera-portal-aad-saml.xmlfile to the home directory. -
Use the following command to copy it to the custom properties folder
Ensure theBash privacera-portal-aad-saml.xmlfile is in the correct directory before running thecpcommand.
Step 7: Update Privacera Manager¶
Step 8: Optional - Restart Privacera Portal in Azure Kubernetes Environment¶
If you are configuring SSL in an Azure Kubernetes environment, restart the Privacera Portal to apply the changes.
| Bash | |
|---|---|
Step 9: Role Mapping For SAML (Optional)¶
Role mapping allows you to translate roles or groups from your SAML Identity Provider (IdP) into specific roles within Privacera. This ensures that users have the correct permissions and access when they log into Privacera.
What is Role Name Attributes?¶
This attribute in your Identity Provider (IdP) contains the user's roles or group information. It identifies the roles or groups the user belongs to in the IdP.
What is Role Mapping?¶
This configuration maps Identity Provider roles/groups to Privacera Portal roles. Matching roles are assigned to users; otherwise, the default role configured in the PORTAL_SSO_DEFAULT_USER_ROLE property in Privacera Manager is applied, or ROLE_USER if unspecified.
Tip
Assign SAML Identity Provider (IdP) roles or groups for the Privacera Portal roles.
In Privacera, follow these steps to access the SAML Role mapping settings:
- Go to the Settings menu.
- Navigate to SSO Role Mapping.
- Click on SAML tab.
Reference image of Role Mapping form Privacera: 
Example:¶
- Mapped Privacera Role:
ROLE_SYS_ADMIN - Identity Provider (IdP) Role or Group:
saml_admin
In this example, if a user has the saml_admin role in the SAML Identity Provider, they will automatically be assigned the ROLE_SYS_ADMIN role in Privacera.
Step 10: Verify SSO Login¶
Once the setup is complete, navigate to the Privacera Portal login page. You should see an SSO Login button. Use this to log in with your SSO credentials.
In PrivaceraCloud, follow these steps to configure a Generic SAML-based Single Sign-On (SSO):
- Go to the Settings menu.
- Navigate to Identity.
- Click on Single Sign-On.
| Display Name | Description | Example Value | Optional/Required |
|---|---|---|---|
Entity Id | Entity ID for SAML configuration | privacera_portal | Required |
Identity Provider Url | Identity Provider (IdP) URL for SSO login | https://your-idp-domain/sso/saml | Required |
Identity Provider Metadata | Metadata XML file for the IdP | https://your-idp-domain/metadata.xml | Required |
UserId | Attribute representing the user's username | userName | Required |
Email | Attribute representing the user's email | email | Required |
firstName | Attribute representing the user's first name | firstName | Optional |
lastName | Attribute representing the user's last name | lastName | Optional |
Important
- Entity ID: Used to configure the Identity Provider (IdP).
- Identity Provider URL: The URL obtained in Step 4, where users will be redirected for SSO login.
- Identity Provider Metadata: Use the Metadata XML file downloaded in Step 4 for seamless SSO configuration.
- User Attributes: Ensure that the correct user attributes (
UserId,Email,FirstName,LastName) are mapped from Generic SAML to Privacera.
These variables ensure seamless integration between Generic SAML and Privacera for SAML-SSO.
Role Mapping For Generic SAML¶
Role mapping allows you to translate roles or groups from your SAML Identity Provider (IdP) into specific roles within Privacera. This ensures that users have the correct permissions and access when they log into Privacera.
What is Role Name Attributes?¶
This attribute in your Identity Provider (IdP) contains the user's roles or group information. It is used to identify the roles or groups the user belongs to in the IdP.
What is Role Mapping?¶
This configuration maps roles or groups from the Identity Provider (IdP) to corresponding roles in Privacera.If a specific role from the Identity Provider (IdP) matches a role defined in the role mapping configuration, that role is assigned to the user in Privacera. If no mapping is defined, the default role, ROLE_USER, is automatically assigned to the user.
| Variable Name | Description | Example |
|---|---|---|
Role Name Attribute | Role name attributes for user. | Group |
Role Mapping | Role mapping for user. | Identity Provider (IdP) Role: example_role → Example Role: ACCOUNT_ROLE |
Reference image of Role Mapping form PrivaceraCloud: 
Example:¶
- IdP Role or Group:
example_role - Mapped Privacera Role:
ACCOUNT_ADMIN
In this example, if a user has the role example_role in Generic SAML, they will automatically be assigned the ACCOUNT_ADMIN role in Privacera.
Important
New Users:
Role mapping only applies to newly created users after the mapping has been configured.
By properly configuring role mapping, you ensure that users are granted appropriate access levels within Privacera based on their roles or group memberships from the Identity Provider (IdP). This simplifies user management and ensures seamless integration with your organization’s existing identity infrastructure.
Once the configuration is complete, you can test the setup by attempting to log in to PrivaceraCloud using your SSO credentials. This will help verify that the Single Sign-On (SSO) integration is working correctly.