Overview

RightScale can act as a SAML 2.0 Service Provider (SP), enabling Single Sign-On (SSO) for enterprise by initiating a login from a SAML Identity Provider (IdP) of your choice.

To take advantage of SAML SSO, you will first create a trust relationship between RightScale and your Identity Provider (ADFS, AzureAD, Okta, OneLogin, PingOne, Google, etc). To do this, you must be an Enterprise Manager for your organization in RightScale and must have administrative privileges in your organization's Identity Provider.

This page provides the essential settings that you need to configure a trust relationship, gives a broad overview of the procedure, and links to vendor-specific guides for various brands of IdP software.

For a more general discussion of RightScale's SAML capabilities, refer to our SAML documentation.

Service Provider Metadata

The RightScale metadata URL is https://login.rightscale.com/login/saml2/metadata

Provide this URL to your IdP if it supports metadata-based configuration of SP trust relationships. The metadata contains the settings below in addition to information about requested attributes, NameID format and other details.

You may still need to configure attribute mappings by hand; see Step 2 below.

SAML 2.0 Settings

If your IdP requires manual setup, you can use the values here to describe RightScale's SP. You will additionally need to configure attribute mappings; see Step 2 below.

Setting Value
Entity ID https://login.rightscale.com/login/saml2/metadata
ACS URL https://login.rightscale.com/login/saml2/consume
X509 Certificate click to download Fingerprint=7A:C4:A4:E5:06:61:8B:01:93:8A:A3:06:16:32:4C:09:05:66:B7

Some IdPs, especially web-based SaaS products, have additional compatibility settings which are less critical but sometimes cause problems if misconfigured:

Setting Value
Default Relay State optional; see supported values
Signature / Digest Algorithm RSA_SHA1 / SHA1
Request Compression Yes or No (changeable via setting in RightScale UI)
Signed Requests Yes
Encrypted Requests No
Signed Assertions Yes
Encrypted Assertions Yes or No (RightScale accepts either)

Detailed Instructions

Step 1: Setup trust relationship between IdP and RightScale

First, configure your Identity Provider to respond to authentication requests from RightScale. If your IdP vendor has an app dashboard, then you will also end up with a button that your users can employ to perform IdP-initiated login to RightScale.

If you are unfamiliar with your IdP's administration functions, consult one of the vendor-specific guides below.

Identity Provider Guide
ADFS Configuring a RightScale trust relationship in ADFS
AzureAD Configuring a RightScale trust relationship in AzureAD
Okta Configuring a RightScale trust relationship in Okta
OneLogin Configuring a RightScale trust relationship in OneLogin
PingOne Configuring a RightScale trust relationship in PingOne
Google Configuring a RightScale trust relationship in Google

Step 2: Set up attribute mappings

The SAML Name ID is a string that uniquely identifies an authentication principal; it is a core part of SAML assertions and is always required in addition to the three attribues. RightScale is agnostic to the Name ID format used by your IdP, but we recommend choosing a time-invariant Name ID such as an LDAP DN, Active Directory objectSid, or numeric user ID. Choosing a value that can change over time may cause odd behavior.

In addition, we require three user metadata attributes (claims) in the SAML assertion. RightScale accepts either the short-form or the long-form name of each attribute.

Short Name Long Name
email http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Step 3: Test IdP-Initiated Single Sign-On

Please refer to your Identity Provider's documentation for how to initiate an SSO login. You should be able to assign the application created in Step 1 within your IdP to your test user and then initiate the SSO by clicking the app's button or the equivalent in your IdP.

That's it! Congratulations on successfully configuring your SSO in RightScale.

Step 4: (Optional) Configure LDAP Group Sync

You can integrate your Directory service further into RightScale by configuring group sync between your Directory Service and RightScale.

For further details, please visit the LDAP Group Sync tool page here.