
Configuring Global SAML Settings

The system-wide SAML settings impact all SAML service provider and identity provider instances.

To configure global SAML settings:

  1. Select System > Configuration > SAML.
  2. Click the Settings button to display the configuration page.
  3. Complete the settings described in Table 36.
  4. Click Save Changes.

Table 36: SAML Global Configuration Guidelines

Setting / Guidelines
Timeout value for metadata fetch request

Specify the number of seconds after which a metadata download request is abandoned. This applies when the peer SAML entity publishes its metadata at a remote URL: the system downloads the metadata file from that location rather than using an uploaded copy.

Validity of uploaded/downloaded metadata file

Specify the maximum duration for which the system considers the metadata file of the peer SAML entity to be valid. If the metadata file provided by the peer SAML entity contains its own validity information (for example, a validUntil or cacheDuration attribute), the shorter of the two validity periods takes precedence.

Host FQDN for SAML

Specify the fully qualified domain name for the Connect Secure host. The value you specify here is used in the SAML entity ID and the URLs for SAML services, including:

  • Entity ID for SAML service provider and SAML identity provider instances. The SAML entity ID is the URL at which the system publishes its SAML metadata file.
  • Single sign-on service URL
  • Single logout service URL
  • Assertion consumer service URL
  • Artifact resolution service URL

BEST PRACTICE: The system uses HTTPS for these services. Therefore, we recommend that you assign a certificate that matches this FQDN (in its subject or Subject Alternative Name) and is trusted by your users' browsers to the interface that has the IP address to which this FQDN resolves, so that users do not see invalid certificate warnings.
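The following check, added here as an illustration and not part of the Pulse Connect Secure product or documentation, shows how the Host FQDN and the metadata validity setting above constrain a SAML metadata file. It parses a constructed EntityDescriptor (the entity ID and the /saml/... paths are hypothetical, not the paths the system actually generates), reports any entity ID or service URL that is not HTTPS or does not use the configured FQDN (the alternate FQDN is accepted only for the single sign-on service, as described below), and computes the effective validity of a peer's metadata as the shorter of the configured maximum and what the file itself declares.

```python
"""Added check for PCS global SAML settings: confirm that the entity ID and
service endpoints in a SAML metadata file use the configured Host FQDN (and the
Alternate Host FQDN only for the SSO service) over HTTPS, and compute the
effective validity of a peer's metadata as the shorter of the configured
duration and the validity the file itself declares."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample metadata for illustration. The entity ID and the
# /saml/... paths are hypothetical and are not the paths PCS actually uses.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vpn.example.com/saml/metadata/idp1"
    validUntil="2024-06-01T00:00:00Z" cacheDuration="PT2H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://vpn.example.com/saml/ars" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vpn.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://vpn-alt.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://vpn-old.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Fixed "current time" so the validity computation below is reproducible.
SAMPLE_NOW = datetime(2024, 5, 31, 12, 0, tzinfo=timezone.utc)


def endpoint_issues(metadata_xml, host_fqdn, alt_fqdn=None):
    """Return a list of problems: any entity ID or service URL that is not
    https, or whose host is not the configured SAML FQDN. The alternate FQDN
    is accepted only for SingleSignOnService, matching its documented use."""
    root = ET.fromstring(metadata_xml)
    issues = []

    def check(label, url, allow_alt):
        parts = urlparse(url)
        allowed = {host_fqdn.lower()}
        if allow_alt and alt_fqdn:
            allowed.add(alt_fqdn.lower())
        if parts.scheme != "https":
            issues.append(f"{label}: scheme is {parts.scheme!r}, expected https: {url}")
        if (parts.hostname or "").lower() not in allowed:
            issues.append(f"{label}: host {parts.hostname!r} is not a configured SAML FQDN")

    check("entityID", root.get("entityID", ""), allow_alt=False)
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is not None:
                check(f"{tag}/{attr}", url, allow_alt=(tag == "SingleSignOnService"))
    return issues


_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Parse the subset of ISO 8601 durations used in SAML cacheDuration
    (days, hours, minutes, seconds). Years and months are deliberately rejected."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def effective_validity_seconds(metadata_xml, configured_seconds, now):
    """Seconds for which the peer's metadata should be trusted: the smallest
    of the configured maximum, the time left until validUntil, and
    cacheDuration, because the shorter validity takes precedence."""
    root = ET.fromstring(metadata_xml)
    candidates = [configured_seconds]
    valid_until = root.get("validUntil")
    if valid_until:
        until = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        candidates.append(int((until - now).total_seconds()))
    cache_duration = root.get("cacheDuration")
    if cache_duration:
        candidates.append(iso_duration_seconds(cache_duration))
    return max(0, min(candidates))


if __name__ == "__main__":
    for issue in endpoint_issues(SAMPLE_METADATA, "vpn.example.com", "vpn-alt.example.com"):
        print("ISSUE:", issue)
    print("effective validity (s):",
          effective_validity_seconds(SAMPLE_METADATA, 86400, SAMPLE_NOW))
```

Run against the sample, the check flags only the last SingleSignOnService entry (plain HTTP on a host that is neither FQDN); the first SSO entry on the alternate FQDN passes only because that FQDN is supplied. With a configured validity of 86400 seconds, the effective validity is 7200 seconds, since the file's own cacheDuration is shorter than both the configured value and the 12 hours left before validUntil.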

Alternate Host FQDN for SAML

Optional.

If you have enabled the Reuse Existing NC (Pulse) Session option on the SAML Identity Provider Sign-In page, specify the fully qualified domain name that is used to generate the SSO Service URL.

Set up your DNS service (typically with split DNS) so that the alternate hostname resolves to a different IP address depending on whether an NC (Pulse) session is established. We recommend the following DNS behavior:

  • If the NC (Pulse) session is not established, the IP address of the alternate hostname should resolve to the public IP address on the device external port.
  • If the NC (Pulse) session is established, the IP address of the alternate hostname should resolve to the private IP address on the device internal port.

BEST PRACTICE: The system uses HTTPS for this service. Therefore, we recommend that you assign a certificate that matches this FQDN (in its subject or Subject Alternative Name) and is trusted by your users' browsers to each interface that has an IP address to which this FQDN resolves, so that users do not see invalid certificate warnings from either the external or the internal port.

Update Entity IDs

Use this button to regenerate the SAML entity IDs of all configured service providers and identity providers. Typically, you take this action after changing the Host FQDN for SAML. Because peer SAML entities identify this system by its entity ID, regenerating the IDs invalidates the metadata you previously exchanged with those peers; export the updated metadata and reconfigure each peer afterward.
