ISmith
Level 10
Message 1 of 7

ePO on-premise SAML configuration


With ePO 5.10.0 CU11, the SAML SSO extension is available, but the documentation is far too sparse.

Product Documentation | McAfee Enterprise

I have set up quite a few SAML configurations using ADFS and Azure, but there are missing pieces here.

Maybe someone knows the answers.

What ePO user config needs to be created in order for the identity provider?

- Authentication type: ePO, Windows auth or certificate?

For the SAML claim, which value in the identity provider needs to be sent and which field in the ePO user record does it need to match?

Accepted solution: Message 6 of 7 by ISmith, below.

6 Replies
aguevara
McAfee Employee
McAfee Employee
Message 2 of 7

Re: ePO on-premise SAML configuration


You need to configure your IdP application first; once it is configured you will see the option to log in with a user, and when you do, you need to follow these instructions:

Using the Logon with IdP feature

After a successful configuration, you can click the Log On with IDP option on the McAfee ePO logon page (Service Provider initiated SSO), or click the configured application in the IdP console (Identity Provider initiated SSO), to test the logon option.

On successful authentication, you are navigated to a page that displays the following message: "SAML authentication is successful. Close your browser to end your session and contact your administrator for ePO permissions grant."

You need to request the McAfee ePO administrator to grant the required permissions.
A new user is created in McAfee ePO with a user name similar to the email address used in your IdP application; the authentication type is set to SAML authentication and no permission sets are assigned.


https://docs.mcafee.com/bundle/epolicy-orchestrator-5.10.0-product-guide/page/GUID-7C2A3DB7-B0E0-46C...

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

ISmith
Level 10
Message 3 of 7

Re: ePO on-premise SAML configuration


That helps in terms of the username, though the SAML claims are not specified; I assume nameID is the email address/username... BUT there is no SAML authentication type available in ePO.

The only options are ePO, Windows and Certificate auth.

Setting an existing administrator user name to email address/UPN format does not work. I assume because I am missing the SAML auth type.

 

 

aguevara
McAfee Employee
McAfee Employee
Message 4 of 7

Re: ePO on-premise SAML configuration


Correct, there is no option, as you won't have to create a user manually; the user will be created automatically with the SAML authentication type once you finish the configuration.


 

ISmith
Level 10
Message 5 of 7

Re: ePO on-premise SAML configuration


I re-imported the federation xml file and re-adjusted the IdP URL.

It works. Meh.

ISmith
Level 10
Message 6 of 7

Re: ePO on-premise SAML configuration


Adding steps for clarity:

Starting point (the test user does not exist in ePO):

  • Add Enterprise App in Azure.
  • Under "Basic SAML Configuration":
    • Identifier (Entity ID) = https://_epo_server_FQDN_:_port_
    • Reply URL (Assertion Consumer Service URL) = https://_epo_server_FQDN_:_port_/core/orionNavigationExtLogin.do
  • Under "Attribute and Claims" I left the values alone, but the key value is the unique user ID (nameID):
    • Unique User Identifier = user.userprincipalname (This UPN value may or may not be formatted like an email address.)
  • Save.
  • Export the federation metadata XML file.
  • Click on the app properties and copy the User Access URL (https://myapps.microsoft.com/signin/_appid_?tenantId=_tenantid_).

In ePO:
  • Server Settings > IDP SAML Settings > Configure
  • Import the XML file.
  • Add the friendly name ("whatever you want sso").
  • Change the "Identity Provider SSO Url" to the copied "User Access URL" from Azure.
  • Service Provider Assertion Consumer Service Url = https://_epo_server_FQDN_:_port_/core/orionNavigationExtLogin.do
  • I changed the "Logout redirect URL" to https://_epo_server_FQDN_:_port_
  • Save.

For a test user:
  • Navigate to the User Access URL, or to the ePO logon screen and click the "Log On With IDP" button.
  • The user receives the message: "SAML authentication is successful. Close your browser to end your session and contact your administrator for ePO permissions grant."

At this point, an ePO administrator needs to edit the newly created ePO user record and add permissions.
 
aguevara
McAfee Employee
McAfee Employee
Message 7 of 7

Re: ePO on-premise SAML configuration


Great, thanks for the update

 
