Importing Identity Provider Metadata XML into Venafi Configuration Console for SAML

After you configure your identity provider (IDP), you are ready to go back into the Venafi Configuration Console to finalize the configuration. During this process, you will upload the IDP Metadata XML. This file contains configuration information that Venafi Platform needs to properly configure your SAML connection to the IDP.

This topic is part of Phase Three in Configuring SAML SSO authentication. For an overview of the complete process, see Working with SAML for single sign-on (SSO).

To import IDP Metadata XML into Venafi Platform

  1. Use Remote Desktop to connect to your Venafi server, and open Venafi Configuration Console.
  2. Click the Authentication node.
  3. Click the SAML component.
  4. In the Actions panel, click Properties.
  5. [Conditional] If requested, enter a master administrator username and password for Venafi Platform.
  6. [Conditional] If not previously selected, choose your IdP Vendor from the drop-down list.

  7. In the Export and import SAML metadata section, click Import identity provider file

  8. Browse to the location of the IdP SAML file on your system, click the file, then click Open.

  9. If your IDP support it, you can provide a Logout URL.

    If a value is not provided, you won't see a Logout link in the menu. Of the IDPs tested by Venafi, only Azure supports logging out by URL.

    If there is no Logout link, users will close their browser to terminate a session.

  10. Click Save.

    The SAML Properties window closes.

  11. In the Actions panel, click Enable.

Managing the SAML certificate in TLS Protect

The IdP Metadata XML file contains a TLS certificate that is automatically enrolled in TLS Protect at the monitoring level. This means you can see the SAML certificate in the policy tree, and you can see (and monitor) its expiration like you do for your other certificates.

The enrollment level is monitoring because TLS Protect can't renew and provision a new certificate. To renew this certificate, you must export a new IdP Metadata XML file from your identity provider and upload it into the Venafi Configuration Console. When you import a replacement IdP Metadata XML file, the old certificate is placed in the history of the new certificate.

The location of the certificate in the policy tree is shown in the SAML Properties panel after you upload your IdP Metadata XML.

What's Next

If everything is configured correctly, SAML authentication should now work. We recommend opening another browser or incognito window and open Aperture. You should be redirected to your IDP login page. If you enter valid credentials, you should be taken to Aperture.

If you are having troubles, check out some SAML troubleshooting tips.