Axiom SAML Configuration for SSO (version 22)

The Canary suite includes additional parameters for configuring Axiom to work with SAML. These settings are not configurable via the Canary Admin; they are only available through the XML in the AxiomService.exe.admin file. The attached PDF is a sample development version of the CanaryAxiomService.exe.admin with the new settings outlined.

Configuration

  1. Retrieve the IDP descriptor file (.xml) from the identity provider (e.g. Azure AD) for your company.
  2. Place the xml file in the Axiom executable install directory (C:\Program Files\Canary [Labs]\Axiom). The name of the file does not matter as it will be configured in another step.
  3. Create 2 local groups on the server (one for users and one for admins).
  4. Open the C:\Program Files\Canary [Labs]\Axiom\CanaryAxiom.exe.admin file in a text editor.
  5. Configure the following settings and values:
    • samlEnabled = true
    • samlIssuer = url of your axiom server starting with https
    • samlIDPDescriptorFileName = name of the .xml file from the IDP
    • samlCreateUserPassword = generate a long random password (20+ characters)
    • samlCreateUserAdminGroup = name of admin group created
    • samlCreateUserUserGroup = name of user group created
    • samlIDPUserGroupIDs = <GroupID>user</GroupID>. This is just a placeholder.
    • samlIDPAdminGroupIDs = <GroupID>admin</GroupID>. This is just a placeholder.
  6. Save this file and restart the Axiom service.
  7. Open a browser, access <your axiom server domain>/saml2/servicemetadata.xml, and save this file.
  8. Use the service metadata file to setup an application in your identity provider for Canary.
  9. Turn on Trace logging for Axiom from the Canary Admin.
  10. Access Axiom from the browser. You should be redirected to your identity provider for sign-in. If you’re already signed in, you should not be prompted.
    • If you receive an error from the identity provider, there’s most likely an error in the setup of the application within the provider.
    • If you get to a blank screen with a SAML failed message, then the IDP sign-in was successful, but Axiom doesn’t have the correct groups. Proceed to configure the groups.
  11. Within the identity provider, groups are assigned a GUID. Enter the GUID into the user or admin group config in the CanaryAxiom.exe.admin file, restart Axiom, and try the login again.
  12. If you want to see the raw SAML requests/responses, open the Canary Admin and view the message log. Filter the messages to only Axiom and choose SAML as the category.
  13. Look for an AuthnResponse message. There may be multiple messages. These will have the SAML assertion response with the info returned from the IDP server. You can confirm the groups that are being sent and modify the configuration and re-attempt the sign-in.
  14. Once configured, turn trace logging off for Axiom.
  15. The automatically generated local user accounts will look like this:
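As an added example (not Canary's code and not the Axiom implementation), the following Python helper reproduces the group check from steps 11 to 13 offline: it pulls the group GUIDs out of a captured AuthnResponse and compares them with the `<GroupID>` lists from samlIDPAdminGroupIDs and samlIDPUserGroupIDs, so you can see why a login ends in "SAML failed" before editing the .admin file again. The Azure AD group claim name, the admin-before-user precedence, and the sample GUIDs are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces used in an AuthnResponse.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Azure AD sends group membership under this claim name (assumption: the IdP
# is set up to emit group claims; other IdPs may use a different attribute).
GROUP_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample AuthnResponse, trimmed to the attribute statement; GUIDs are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_group_ids(setting: str) -> set:
    """Parse the '<GroupID>...</GroupID>' list format used by the
    samlIDPAdminGroupIDs / samlIDPUserGroupIDs settings into lower-cased IDs."""
    return {g.strip().lower() for g in re.findall(r"<GroupID>(.*?)</GroupID>", setting)}


def assertion_groups(response_xml: str) -> set:
    """Return every value of the group attribute found in the AuthnResponse."""
    root = ET.fromstring(response_xml)
    path = f".//saml:Attribute[@Name='{GROUP_ATTR}']/saml:AttributeValue"
    return {(v.text or "").strip().lower() for v in root.findall(path, NS)}


def resolve_role(response_xml: str, admin_setting: str, user_setting: str):
    """Map the asserted groups to an Axiom role. Assumed precedence: a match
    in the admin list wins, then the user list; no match is the 'SAML failed'
    case, meaning the GUIDs in the .admin file do not match what the IdP sent."""
    groups = assertion_groups(response_xml)
    if groups & parse_group_ids(admin_setting):
        return "admin"
    if groups & parse_group_ids(user_setting):
        return "user"
    return None
```

Paste the AuthnResponse copied from the Canary Admin message log in place of SAMPLE_RESPONSE and the two current `<GroupID>` settings to check a real configuration.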
