Prepare Venafi Platform for SAML SSO

Venafi Platform supports a number of popular SAML single sign-on (SSO) identity providers for modern SSO user authentication.

Configuring SAML single sign-on (SSO) is a multi-step process that involves getting your Venafi instance ready, configuring your identity provider, and then incorporating your identity provider's data in Venafi Configuration Console.

This topic is part of Phase One in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

Phase One of SAML SSO configuration can be broken down into the following processes:

  1. Configure your FQDN in Venafi Platform's Platform tree so it knows what URL people are using to access its services. This is required because the signed SAML Response is linked to the FQDN, and if this isn't configured properly, SSO won't work.
  2. Ensure you have an LDAP or Active Directory (AD) connection to an identity directory that is connected to your SAML Identity Provider (IDP).
  3. Configure the User Search Expression for you identity store (LDAP or AD). This step uniquely links users in your directory with users in Venafi Platform via a specific user identifier, like UPN.
  4. Export your Venafi Service Provider Metadata XML file. This file (or the data it contains) will be required for phase two: configuring your IDP.

Each of these processes is described in the sections below.

What's next?

When you've completed all four steps in phase one, you're ready to move on to phase two where you will configure your IDP.

While you should be able to connect Venafi Platform with any IDP that supports the SAML 2.0 standard, Venafi has tested and is providing guidance on using the following identity providers:

NOTE  Venafi Platform23.3 only supports a single identity provider connection at a time. Multiple IDP connections may be considered for a future release.