Generic SAML

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • Administrator account with the Identity Provider Management Portal.

High-Level Procedure

Step 1 - Configure the SAML Identity Provider

To integrate Harmony SASE with a Generic SAML IdP, create a dedicated Harmony SASE Application in your SAML Identity Provider using these values:

  • Single Sign-On URL: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc where {{WORKSPACE}} refers to your Harmony SASE workspace name.

  • Audience URI (SP Entity ID): urn:auth0:perimeter81:{{WORKSPACE}}-oc where {{WORKSPACE}} refers to your Harmony SASE workspace name.

  • Map these user attributes to Harmony SASE:

    User Attributes

    Harmony SASE Mapping

    IdP Attribute

    IdP Object

    Email Address

    -

    email

    First Name

    -

    given_name

    Last Name

    -

    family_name

    -

    Groups

    groups

After creating the application, copy these values:

  • Identity Provider Sign-in URL

  • X.509 Certificate

Step 2 - Configure the Harmony SASE Administrator Portal

  1. Log in to the Harmony SASE Administrator Portal with a administrator account.

  2. Go to Settings > Identity Providers.

  3. Click Add Provider.

    The Add identity provider pop-up appears.

  4. Select SAML 2.0 Identity Providers and click Continue.

  5. In the Sign in URL field, enter the Identity Provider Sign-in URL from your SAML Identity Provider.

    Identity Provider

    Sign in URL

    Generic SAML

    Identity Provider Sign in URL

    Active Directory Federation Services (AD FS)

    https://{{Your ADFS Domain}}/adfs/ls

    Auth0

    Auth0 login URL

    OneLogin

    SAML 2.0 Endpoint (HTTP) value

    PingOne

    https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid={{idpid}}

    PingFederate

    https://sso.{{Your PingFederate Domain}}.com/idp/SSO.saml2

    Rippling

    Rippling IdP Sign-in URL.

    JumpCloud

    JumpCloud IDP URL

    Okta

    Okta Sign on URL

    Google Applications

    SSO URL

  6. In the Domain Aliases field, enter the business domain names separated by commas or space.

  7. In the X509 Signing Certificate field, enter the X.509 signing certificate for the application from the SAML Identity Provider.

    If you have the signing certificate as PEM/CERT file, click Upload PEM/CERT File and select the file.

  8. Click Done.

Note - After the first successful authentication of a member with SAML, Harmony SASE does this:

  • Assigns the member with the appropriate role.

  • Adds the member to the groups related to Identity Provider.

  • Applies the relevant configuration profiles to the member.