Configure Security Assertion Markup Language (SAML) trust between HYPR-SP and Certificate Authority (CA) Single Sign-on (SSO). CA SSO will be configured as a federation Identity Provider (IdP) for HYPR-SP.
- Access to the CA SSO administrative console.
- Access to HYPR Control Center (Vault).
- HYPR-SP installed and HYPR-SP service running. Ensure HYPR-SP SAML metadata is available in a web browser with the following URL:
- CA SSO local SAML2 IDP Entity configured.
These instructions assume you have CA SSO Policy Server and CA Secure Proxy Server (CA Access Gateway) installed and federation/SAML configured.
CA SSO Configuration
Configure HYPR-SP as Remote Entity
Open following URL for your HYPR server and download the HYPR-SP metadata file:
Name the file
Log into the CA SSO administration console and navigate to Federation > Entities, then click Import Metadata.
Click Browse and
select hyprSP_metadata.xmlthat you created in Step 2.
- For Import As, select Remote Entity.
- For Operation, select Create New.
- Click Next.
- On the Choose Entity screen, enter an Entity Name; for example: HYPR-SP.
- Click Next.
- On the Import Certificates screen, enter the certificate alias information.
- Click Next.
- Review the Confirm screen and click Finish.
The new HYPR-SP will show up in Federation Entity List.
Update Certificate and Private Key List
Navigate to Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys and click Get Updates. This will update the certificate list. Ensure that HYPR-SP signing certificate is listed.
Create a new Federation Partnership
- Navigate to Federation > Partnership Federation > Partnerships.
- Click Create Partnership and select SAML2 IDP -> SP.
- Configure Partnership: Enter values as shown below, then click Next when you are done.
|Partnership Name||Provide a name for this federation partnership.|
|Local IDP||Select CA SSO local IDP Entity.|
|Remote SP||Select HYPR-SP created in the previous step.|
|Skew Time (Seconds)||Keep default.|
|User Directories and Search order||Select user directory that contains user accounts.|
- Federation Users: Select federated user accounts, then click Next.
- Assertion Configuration: Configure as per your environment, and click Next.
- SSO and SLO: Provide values per your environment, then click Next.
- Signature and Encryption: Select the IdP signing private key and SP signing certificate, then click Next.
- Confirm. Click Finish.
Activate the Partnership
Activate the new federation partnership.
Export SAML IdP Metadata
From the Federation Partnership List, select Action > Export Metadata to download the CA SSO IdP metadata file.
SCP (secure copy) the CA SSO IdP metadata file to the HYPR Server and place it in
- Log into HYPR Control Center Vault administrator console.
- Navigate to samlSPConfigs settings.
- Edit the following values as shown here:
- Restart the HYPR-SP service.
Test Device Registration
In a web browser, enter the HYPR-SP URL. It should be in the following format:
Click Get Started to start the SP-initiated SAML authentication flow to CA SSO.
Once CA SSO performs successful user authentication, it will respond back with a valid SAML token. This SAML token is consumed by HYPR-SP to create a user session and display the User Device Registration Portal to the user.
Follow the on-screen instructions for device registration.
Updated about 1 month ago