SAML Configuration

Configure Security Assertion Markup Language (SAML) trust between HYPR-SP and Certificate Authority (CA) Single Sign-on (SSO). CA SSO will be configured as a federation Identity Provider (IdP) for HYPR-SP.

Prerequisites

  • Access to the CA SSO administrative console.
  • Access to HYPR Control Center (Vault).
  • HYPR-SP installed and the HYPR-SP service running. Ensure the HYPR-SP SAML metadata is reachable in a web browser at the following URL:
    https://<your_server>/hyprsp/metadata
  • CA SSO local SAML2 IDP Entity configured.

Assumptions

These instructions assume you have CA SSO Policy Server and CA Secure Proxy Server (CA Access Gateway) installed and federation/SAML configured.

CA SSO Configuration

Configure HYPR-SP as Remote Entity

  1. Open the following URL for your HYPR server and download the HYPR-SP metadata file:
    https://<your_server>/hyprsp/metadata

  2. Name the file hyprSP_metadata.xml.

  3. Log into the CA SSO administration console and navigate to Federation > Entities, then click Import Metadata.

  4. Click Browse and select hyprSP_metadata.xml that you created in Step 2.

  5. For Import As, select Remote Entity.
  6. For Operation, select Create New.
  7. Click Next.
  8. On the Choose Entity screen, enter an Entity Name; for example: HYPR-SP.
  9. Click Next.
  10. On the Import Certificates screen, enter the certificate alias information.
  11. Click Next.
  12. Review the Confirm screen and click Finish.

The new HYPR-SP entity will appear in the Federation Entity List.

Update Certificate and Private Key List

Navigate to Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys and click Get Updates. This refreshes the certificate list. Ensure that the HYPR-SP signing certificate is listed.

Create a new Federation Partnership

  1. Navigate to Federation > Partnership Federation > Partnerships.
  2. Click Create Partnership and select SAML2 IDP -> SP.
  3. Configure Partnership: Enter values as shown below, then click Next when you are done.

     Field                              Description
     Partnership Name                   Provide a name for this federation partnership.
     Local IDP                          Select the CA SSO local IDP Entity.
     Remote SP                          Select the HYPR-SP entity created in the previous step.
     Skew Time (Seconds)                Keep the default.
     User Directories and Search Order  Select the user directory that contains the user accounts.

  4. Federation Users: Select the federated user accounts, then click Next.
  5. Assertion Configuration: Configure per your environment, then click Next.
  6. SSO and SLO: Provide values per your environment, then click Next.
  7. Signature and Encryption: Select the IdP signing private key and the SP signing certificate, then click Next.
  8. Confirm: Review the settings and click Finish.

Activate the Partnership

Activate the new federation partnership.

Export SAML IdP Metadata

From the Federation Partnership List, select Action > Export Metadata to download the CA SSO IdP metadata file.

Use SCP (secure copy) to transfer the CA SSO IdP metadata file to the HYPR server and place it in /opt/hypr.
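Both halves of this exchange (the HYPR-SP metadata imported into CA SSO above, and the CA SSO IdP metadata exported here) are standard SAML 2.0 metadata documents, and it is worth inspecting each file before loading it into the other side: the entityID, the endpoints the partner will use, and the fingerprint of the signing certificate that must show up in the Trusted Certificates list. The script below is an added example for this guide, not HYPR or CA SSO code. It assumes only the standard urn:oasis:names:tc:SAML:2.0:metadata schema; the sample document is constructed to resemble what the HYPR-SP metadata URL returns, and its certificate is a placeholder base64 string rather than a real X.509 certificate.

```python
"""Inspect a SAML 2.0 metadata document before exchanging it with a partner.

Added example for this guide; it is not HYPR or CA SSO code. It assumes the
standard urn:oasis:names:tc:SAML:2.0:metadata namespace, which both the
HYPR-SP metadata URL and the CA SSO "Export Metadata" action produce.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Endpoint elements worth listing for either role (SP or IdP).
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService")

# Constructed sample resembling what https://<your_server>/hyprsp/metadata returns.
# The certificate value is a placeholder (base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ").
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://hypr.example.com/hyprsp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://hypr.example.com/hyprsp/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def inspect_metadata(xml_text):
    """Return entityID, roles, key usage with fingerprints, and endpoints.

    ElementTree is used for brevity; metadata fetched from a network peer
    should be parsed with a hardened parser (for example defusedxml).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    info = {"entityID": root.get("entityID"), "roles": [], "keys": [], "endpoints": []}
    for role in ("SPSSODescriptor", "IDPSSODescriptor"):
        for desc in root.findall(f"md:{role}", NS):
            info["roles"].append(role)
            if role == "SPSSODescriptor":
                # SP requirements the IdP partnership must honour.
                info["wants_assertions_signed"] = desc.get("WantAssertionsSigned") == "true"
                info["signs_authn_requests"] = desc.get("AuthnRequestsSigned") == "true"
            for kd in desc.findall("md:KeyDescriptor", NS):
                # Per the metadata spec, a KeyDescriptor without 'use' covers both uses.
                use = kd.get("use", "signing+encryption")
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join(cert.text.split()))
                    info["keys"].append({"use": use, "sha256": cert_fingerprint(der)})
            for tag in ENDPOINT_TAGS:
                for ep in desc.findall(f"md:{tag}", NS):
                    info["endpoints"].append((tag, ep.get("Binding"), ep.get("Location")))
    return info


def signing_fingerprints(info):
    """Fingerprints to compare against the partner's Trusted Certificates list."""
    return [k["sha256"] for k in info["keys"] if "signing" in k["use"]]


if __name__ == "__main__":
    meta = inspect_metadata(SAMPLE_SP_METADATA)
    print("entityID:", meta["entityID"])
    print("roles:", meta["roles"])
    for tag, binding, location in meta["endpoints"]:
        print(f"{tag}: {binding} -> {location}")
    print("signing cert SHA-256:", signing_fingerprints(meta))
```

Run it against the downloaded hyprSP_metadata.xml and the exported IdP metadata file in turn (replace the sample string with the file contents). The signing fingerprint it prints is the value to match against the entry that appears under Trusted Certificates and Private Keys after Get Updates, and the endpoint list shows which URLs the partner will actually post to.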

HYPR Configuration

  1. Log into the HYPR Control Center (Vault) administrator console.
  2. Navigate to the samlSPConfigs settings.
  3. Edit the following values as shown here:

  4. Restart the HYPR-SP service.

Test Device Registration

In a web browser, enter the HYPR-SP URL. It should be in the following format:
https://<your_server>/hyprsp

Click Get Started to start the SP-initiated SAML authentication flow to CA SSO.

Once CA SSO has authenticated the user, it responds with a valid SAML token. HYPR-SP consumes this token to create a user session and then displays the User Device Registration Portal to the user.

Follow the on-screen instructions for device registration.
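The SAML token that HYPR-SP consumes at the end of the flow above is only trustworthy if the SP checks more than the signature: the assertion's validity window (the window the "Skew Time (Seconds)" partnership setting widens on the IdP side), its audience, its issuer and the response destination. The script below is an added example of those checks and is not HYPR-SP code; it does not show XML signature verification, which must already have succeeded before these checks mean anything. The response document and the three identifiers (IDP_ENTITY_ID, SP_ENTITY_ID, SP_ACS_URL) are constructed placeholders for this illustration.

```python
"""Validate the conditions of a SAML 2.0 response at the SP side.

Added example, not HYPR-SP code. Signature verification is out of scope
here; run these checks on a response whose signature already verified.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers for the two parties (placeholders, not real deployments).
IDP_ENTITY_ID = "https://sso.example.com/affwebservices/public/saml2sso"
SP_ENTITY_ID = "https://hypr.example.com/hyprsp"
SP_ACS_URL = "https://hypr.example.com/hyprsp/saml/acs"

# Constructed sample response with a five-minute validity window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="https://hypr.example.com/hyprsp/saml/acs">
  <saml:Issuer>https://sso.example.com/affwebservices/public/saml2sso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sso.example.com/affwebservices/public/saml2sso</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://hypr.example.com/hyprsp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def parse_instant(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now=None, skew_seconds=30):
    """Return a list of problems; an empty list means every check passed.

    `now` is an ISO timestamp string (UTC, 'Z' suffix) so results are
    reproducible; it defaults to the current time.
    """
    current = parse_instant(now) if now else datetime.now(timezone.utc)
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    problems = []

    # The response must be addressed to our ACS URL and report success.
    if root.get("Destination") not in (None, SP_ACS_URL):
        problems.append("Destination does not match the ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != IDP_ENTITY_ID:
        problems.append(f"unexpected issuer {issuer!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no Conditions element"]
    # Clock skew is tolerated in both directions, bounded by skew_seconds.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and current + skew < parse_instant(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and current - skew >= parse_instant(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("audience restriction does not include this SP")
    return problems


if __name__ == "__main__":
    for when in ("2024-05-01T12:02:00Z", "2024-05-01T12:05:31Z", "2024-05-01T11:59:00Z"):
        print(when, validate_assertion(SAMPLE_RESPONSE, now=when) or "OK")
```

The skew tolerance is deliberately small: a wide window on either side means a captured response stays replayable for longer, so keep the CA SSO Skew Time at its default unless clock drift between the Policy Server and the HYPR server genuinely requires more.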