How to set up SSO in Pure Using SAML2 (Pure 5.30 and later)
This guide describes the steps needed to set up SSO for Pure using SAML2.
Prerequisites
- Administrator or Technical administrator role in Pure
- Pure version 5.30 or later
- Access to the Identity Provider (IdP) you plan to integrate with (for example Okta, Azure AD or ADFS).
Understanding SSO and SAML2 Terminology
When working with SSO you will come across the following terms, so it is worth knowing what they mean.
Term | Definition |
---|---|
Single Sign-On (SSO) | A system that lets you access multiple applications with just one login. |
SAML2 | Security Assertion Markup Language 2.0, an XML-based standard used to enable SSO by letting an IdP pass login information to applications securely. |
Identity Provider (IdP) | The service that checks and confirms who you are when you log in. Examples include Okta, Azure AD, and ADFS. |
Service Provider (SP) | The application or service you want to access using your single login. In this case, Pure is the Service Provider. |
Entity ID | A unique name or ID given to the login service (IdP) or the application (SP) so they can recognize each other. In Pure you define the SP's Entity ID in the field “Unique identifier for the Service Provider/SP”. |
Assertion | A message from the IdP to the SP confirming your identity and any other necessary information. |
Metadata | XML files that contain the setup details for the IdP and the SP, such as URLs and certificates (public keys). Each side imports the other's metadata to learn how to communicate. |
Assertion Consumer Service (ACS) URL | The web address on the SP where the IdP sends the confirmation message about your login. |
Single Logout (SLO) | A feature that allows you to log out from all applications at once when you log out from one. |
X.509 Certificate | A digital certificate holding the public key used to verify signatures on the messages exchanged between the IdP and SP. Each side publishes its own certificate in its metadata; the matching private key stays with its owner. |
Attributes | Pieces of information about the user (like email, username, or role) that the IdP sends to the SP along with the login confirmation. |
Step 1 - Create a Pure Application in Your IdP
How this is done depends on which IdP you use and on your permissions in it.
We have created the following guides on how to set up specific IdPs:
- Microsoft Entra ID / Azure AD
- Google Authentication
- SURFconext ID mgmt. service in Pure [NL] - setup guide
The general steps for any IdP are:
- Access your IdP
  - Open your IdP's admin console (e.g., Okta or Azure AD).
- Create a new SAML application
  - Navigate to the section for creating a new application.
  - Select the option to create a new SAML application or set up SSO.
  - Note that you may be asked to provide information up front, such as the Identifier (Entity ID) and the Reply URL (see the FAQ for Pure's defaults).
- Provide the attributes and claims you want the IdP to send to Pure, including the attribute Pure should use as the username (see Step 2).
- Get the IdP metadata, either by
  - copying the link to the metadata.xml, or
  - downloading the metadata.xml file.
Step 2 - Configure Pure
Access your Pure instance and navigate to Administrator → Security → Authentication Configuration.
Select SAML in the dropdown menu.
Paste the link to the IdP metadata into the Metadata field, or drag and drop the IdP metadata.xml file onto Upload metadata XML file.
Make sure the Metadata Information box does not show an error.
Provide a Unique identifier for the Service Provider/SP (also known as the Entity ID). This can be the URL of your Pure instance or a plain name, e.g. https://my-Pure-Instance.uni.edu or pure-uni-prod. Pick it once and keep it: changing it later means updating the IdP as well (see the FAQ).
At the same time, fill in the SAML attribute used to extract the username: the attribute in the IdP's assertion whose value Pure matches against a Pure username.
Provide or generate a certificate with the Generate Certificate/Key pair button. If you use your own key pair, put the certificate (public key) in Certificate for the Service Provider/SP's signing credential and the private key in Private key for the Service Provider/SP's signing credential. The private key is what Pure signs its SAML messages with; keep it secret. Only the certificate is published in Pure's SP metadata.
Press Save. The first time you save the configuration you will most likely be asked to confirm the change.
Once you confirm, SAML2 is enabled in Pure and login goes through your IdP. One step remains before you can log in: Pure's metadata must be uploaded to the IdP.
Step 3 - Upload SP metadata in the IdP
Download Pure's metadata.xml from https://<your hostname>/admin/saml2/service-provider-metadata/pure.
In the IdP, find the upload metadata button (or the page where SP metadata can be uploaded) and select the file you just downloaded from Pure.
Step 4 - Test the SSO Setup
You can test the SSO setup using the test functionality in the IdP, or by opening https://<your hostname>/admin in an incognito or in-private window, so that your existing administrator session is not affected.
If you encounter an error, check the logging in the Authentication Configuration page in Pure and the message shown by the IdP.
FAQ
What is the default Reply URL (Assertion Consumer Service URL) for my Pure?
The Assertion Consumer Service URL is: https://<your hostname>/admin/login/saml2/sso/pure.
Where can I download Pure's SP metadata.xml?
You can download it here: https://<your hostname>/admin/saml2/service-provider-metadata/pure.
When does my certificate expire, which I got using the Generate Certificate/Key Pair button?
The certificate is set to expire after 5 years. Note the date: when you renew it you must also update the IdP (see the last question below), so plan the rotation before it expires.
The Metadata Information box contains the following error: "Metadata source is unavailable" what should I do?
This error means that Pure could not download the IdP metadata file. Check that you entered the correct URL (in Azure, use the App Federation Metadata Url to get the IdP metadata.xml), and that the URL is reachable from the Pure server, not just from your browser.
The URL in the Entity ID is our old URL to Pure. What should I do?
Nothing. The Entity ID is only an identifier that Pure sends to the IdP when requesting a login; the IdP uses it to recognise which registered application is asking and, from that application's registration, where to send the user after login. It does not have to be a working URL. If you do change it, you must update it in the IdP as well (see the next question).
I have updated my certificate, the Unique identifier for the Service Provider/SP (Entity ID) or the CNAME for Pure, and I cannot log in any more.
If you change the certificate, the Entity ID or the CNAME in Pure, you must update those values in the IdP as well, for example by downloading the SP metadata from Pure again and re-uploading it in the IdP. After changing the values, allow from a couple of minutes up to an hour for the change to take effect in the IdP; how long depends on the IdP.
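The following check is not part of the Pure documentation and is not Pure's own code; it is added here as a worked example of what to verify in the SP metadata before uploading it to the IdP (Step 3) and again after any certificate, Entity ID or CNAME change (the last FAQ entry). It parses an SP metadata document of the kind Pure serves at /admin/saml2/service-provider-metadata/pure, confirms that the Assertion Consumer Service URL is https://<your hostname>/admin/login/saml2/sso/pure as stated in the FAQ, and reports a signing certificate that has expired or is about to (the 90-day warning threshold is an assumed operational choice). The hostname pure.example.edu, the Entity ID pure-uni-prod and the document built by SampleSPMetadata are constructed for the example; real Pure metadata contains more elements, which the parser ignores. Go is used because its standard library parses both the XML and the X.509 certificate without extra packages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ExpectedACSPath is Pure's default Reply URL path (see the FAQ).
const ExpectedACSPath = "/admin/login/saml2/sso/pure"

// Just the parts of Pure's SP metadata this check reads (encoding/xml matches local names, so md:/ds: prefixes do not matter).
type spMetadata struct {
	EntityID string `xml:"entityID,attr"`
	SP       struct {
		Keys []struct {
			Use  string `xml:"use,attr"`
			Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"KeyDescriptor"`
		ACS []struct {
			Location string `xml:"Location,attr"`
		} `xml:"AssertionConsumerService"`
	} `xml:"SPSSODescriptor"`
}

type Report struct {
	EntityID    string
	ACS         []string
	CertExpires time.Time
	Problems    []string
}

// Inspect checks that every ACS URL is https://expectedHost + Pure's default path and that
// the signing certificate is valid at now. warnWithin is an assumed "expires soon" threshold.
func Inspect(metadataXML, expectedHost string, now time.Time, warnWithin time.Duration) (Report, error) {
	var md spMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return Report{}, fmt.Errorf("metadata is not well-formed XML: %w", err)
	}
	r := Report{EntityID: md.EntityID}
	if md.EntityID == "" {
		r.Problems = append(r.Problems, "missing entityID")
	}
	for _, e := range md.SP.ACS { // a changed hostname (CNAME) shows up here
		r.ACS = append(r.ACS, e.Location)
		if e.Location != "https://"+expectedHost+ExpectedACSPath {
			r.Problems = append(r.Problems, "unexpected ACS URL: "+e.Location)
		}
	}
	// The IdP verifies Pure's signatures with this certificate; rotating it without re-uploading the metadata breaks login.
	var signing string
	for _, k := range md.SP.Keys {
		if signing == "" && (k.Use == "" || k.Use == "signing") {
			signing = k.Cert
		}
	}
	der, _ := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(signing), ""))
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return r, fmt.Errorf("no usable signing certificate in metadata: %w", err)
	}
	r.CertExpires = cert.NotAfter
	if left := cert.NotAfter.Sub(now); left < 0 {
		r.Problems = append(r.Problems, "signing certificate expired on "+cert.NotAfter.Format("2006-01-02"))
	} else if left < warnWithin {
		r.Problems = append(r.Problems, "signing certificate expires "+cert.NotAfter.Format("2006-01-02")+": rotate it and re-upload the SP metadata")
	}
	return r, nil
}

// SampleSPMetadata is a constructed, Pure-style SP metadata document around a freshly generated
// self-signed certificate, so the check runs offline. It is not real Pure output.
func SampleSPMetadata(host, entityID string, certValidFor time.Duration) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(certValidFor), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://%s%s" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`, entityID, base64.StdEncoding.EncodeToString(der), host, ExpectedACSPath)
}

func main() {
	md := SampleSPMetadata("pure.example.edu", "pure-uni-prod", 5*365*24*time.Hour)
	r, err := Inspect(md, "pure.example.edu", time.Now(), 90*24*time.Hour)
	fmt.Printf("entityID=%s acs=%v expires=%s problems=%v err=%v\n", r.EntityID, r.ACS, r.CertExpires.Format("2006-01-02"), r.Problems, err)
}
```

To use it against a real instance, read the downloaded metadata.xml into a string and pass it to Inspect in place of the constructed sample, with your Pure hostname as expectedHost. An ACS URL on a different host than the one users reach Pure on is the symptom of a CNAME change that was never re-uploaded to the IdP; an expired or soon-to-expire certificate is the symptom the 5-year generated certificate will eventually produce. The check deliberately compares the whole URL rather than a prefix, so anything other than the exact default Reply URL is reported for a human to look at.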
Updated at September 19, 2024