Single Sign-On

Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with a single set of login credentials. GigaVUE-FM provides the following single sign-on options:

Internal IdP

GigaVUE-FM uses the Shibboleth SAML 2.0 identity provider (an open-source IdP) as its internal IdP for authentication and authorization. Shibboleth reads the data from GigaVUE-FM’s local database and performs the authentication based on the authentication mechanism selected in the Authentication Type settings. GigaVUE-FM is independent of the authentication mechanism, as Shibboleth takes care of authentication and authorization.

Notes:

External IdP

ADFS is the only external IdP that has been qualified to be operational with GigaVUE-FM. To configure ADFS as an external IdP, you must perform the following:

  1. Configure GigaVUE-FM in ADFS. Refer to Configure GigaVUE-FM in ADFS for details.
  2. Configure the external IdP (ADFS) in GigaVUE-FM. Refer to Configure ADFS in GigaVUE-FM for details.
  3. Install the IdP (ADFS) signing certificates in GigaVUE-FM. Refer to Trust Store for details.

Note: When you access GigaVUE-FM using the external IdP, you are redirected to the external IdP URL (Microsoft ADFS). You must then log in to GigaVUE-FM using the external IdP user name and password.

Refer to the following figure:

Configure GigaVUE-FM in ADFS

Prerequisite:

You must retrieve the Service Provider metadata (which is GigaVUE-FM’s metadata) from https://<FM IP Address>/saml/metadata. This serves as the SP metadata file to configure in the IdP.

To configure GigaVUE-FM in ADFS as a Relying Party:

  1. From the Windows server, select Start > Administrative Tools > ADFS Management. The ADFS administrative console appears.
  2. Select the ADFS folder. Go to the Actions menu and select Add Relying Party Trusts.
  3. Select Data Source: Select the Import Data About the Relying Party from a File option. Browse to the SAML metadata file mentioned in the prerequisites.
  4. Specify a Display Name that identifies the application, for example, FM.gigamon.com. Click Next.
  5. Select the option I do not want to configure MFA and click Next.
  6. Select Permit all users to access this relying party. Click Next.
  7. Review the data in the preview section and add the relying party.
  8. Open Edit Claim Rules to grant user access:
    1. Add a new claim rule to transform UserPrincipalName into NameID:
      1. Choose the option Send LDAP Attributes as Claims.
      2. Specify a claim rule name and choose the required LDAP store.
      3. Select UserPrincipalName as the LDAP Attribute and NameID as the outgoing claim type.
    2. Add a new claim rule to specify user-specific access:
      1. Choose the option Send Group Membership as a Claim.
      2. Specify a claim rule name and select the AD user group to which FM roles/user groups must be assigned.
      3. Enter the SAML User Group value configured in GigaVUE-FM (default value is eduPersonAffiliation) as the outgoing claim type, and one of the following as the outgoing claim value:
        • GigaVUE-FM specific user groups (Super Admin Group, Admin Group, or User Group)
        • Organizational specific user group. If an organizational specific user group is provided, you must enable Organizational Group Mapping.
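The same relying-party trust and the two claim rules from the procedure above, scripted with the ADFS PowerShell module. This is an added example, not Gigamon's documentation or code; it assumes the SP metadata was saved to C:\Temp\fm-sp-metadata.xml, that a placeholder AD group CONTOSO\FM-Admins should receive the GigaVUE-FM "Admin Group" role, and that the SAML User Group value in GigaVUE-FM is left at the default eduPersonAffiliation.

```powershell
# Added example: scripted equivalent of the ADFS GUI steps for the GigaVUE-FM relying party.
Import-Module ADFS

$DisplayName   = "FM.gigamon.com"                 # display name used in the procedure
$MetadataFile  = "C:\Temp\fm-sp-metadata.xml"     # placeholder: saved copy of https://<FM IP Address>/saml/metadata
$AdminGroup    = "CONTOSO\FM-Admins"              # placeholder AD group that maps to the FM "Admin Group" role
$AdminGroupSid = (New-Object System.Security.Principal.NTAccount($AdminGroup)).Translate(
                     [System.Security.Principal.SecurityIdentifier]).Value

# Claim rule 1: send userPrincipalName as the SAML NameID (Send LDAP Attributes as Claims).
# Claim rule 2: members of the AD group get eduPersonAffiliation = "Admin Group"
#               (Send Group Membership as a Claim). Other FM groups need one rule each.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "EmitGroupClaims"
@RuleName = "FM Admin Group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$AdminGroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "eduPersonAffiliation", Value = "Admin Group", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Authorization rule matching "Permit all users to access this relying party".
$AuthorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Import the SP metadata and create the trust with both rule sets (no MFA policy is configured).
Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $MetadataFile `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthorizationRules

# Check: the trust exists, its identifier matches the FM entityID from the metadata,
# and both claim rules are attached.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```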