How should the Entity ID be configured for SAML Authentication in Automation Suite for both the host and tenant levels, and what are the implications of each configuration?
This article covers the dual-level configuration of SAML Authentication in Automation Suite, at the 'Host' level and at the 'Tenant' level. It explains how the deprecated global identifier option enables this dual-level configuration without requiring separate applications in the Identity Provider (IdP). Note, however, that the global identifier option is slated for removal in a future version of Automation Suite. We therefore recommend preparing for this change now: alongside the global identifier option that is in use today, set up two distinct application entries within the IdP, one for host-level access and another for tenant-level access.
Resolution:

Host-Level Configuration:
- The Entity ID defaults to a global identifier because the host has no unique identifier of its own.
- Example: for the FQDN https://dev.env, the Entity ID is https://dev.env/identity_

Tenant-Level Configuration:
- Two options are available in the drop-down menu:
  - Global Identifier: a single application can be created within the IdP, because the tenant uses the same Entity ID as the host.
    - Example: https://dev.env/identity_
  - Org Specific Identifier: separate applications are set up in the IdP for host-level and tenant-level access. This is the recommended method; it appends the organization identifier to the Entity ID.
- Because the 'Global Identifier' option is on a deprecation path, it is advisable to start setting up separate applications in the IdP for host-level and tenant-level access now, using 'Org Specific Identifier'.
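The following Python example is added here to illustrate the two configurations above; it is not UiPath's code. It derives the Entity ID for the host and for a tenant under each drop-down option, counts how many IdP application entries each option implies, and then performs the check an IdP-issued assertion must pass: the `Audience` in its `AudienceRestriction` must equal the Entity ID the service provider is configured with. The exact form in which the organization identifier is appended is not specified in the article, so the `/<org>` path segment used here is an assumption, as are the `acme`/`contoso` organization names and the sample assertion.

```python
"""Entity ID derivation and SAML audience check for host- vs tenant-level SAML config.

Added example, not UiPath's code.  The '/identity_' path comes from the article's
example (https://dev.env/identity_); the '/<org>' suffix for Org Specific Identifier
is an ASSUMPTION about how the organization identifier is appended.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

IDENTITY_PATH = "/identity_"  # from the article's example Entity ID
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def host_entity_id(fqdn: str) -> str:
    """Host level always uses the global identifier (no unique host identifier exists)."""
    return f"https://{fqdn}{IDENTITY_PATH}"


def tenant_entity_id(fqdn: str, org_id: str, mode: str) -> str:
    """Tenant level: 'global' reuses the host Entity ID; 'org-specific' appends the org.

    ASSUMPTION: the org identifier is appended as a trailing path segment.
    """
    if mode == "global":
        return host_entity_id(fqdn)
    if mode == "org-specific":
        return f"{host_entity_id(fqdn)}/{org_id}"
    raise ValueError(f"unknown identifier mode: {mode!r}")


def expected_idp_applications(fqdn: str, org_ids: List[str], mode: str) -> Set[str]:
    """Distinct Entity IDs the IdP must know about, i.e. how many applications to register.

    'global' collapses host and every tenant to one entry; 'org-specific' needs the host
    entry plus one entry per organization.
    """
    ids = {host_entity_id(fqdn)}
    for org in org_ids:
        ids.add(tenant_entity_id(fqdn, org, mode))
    return ids


def audiences(assertion_xml: str) -> List[str]:
    """Extract every <saml:Audience> under <saml:Conditions>/<saml:AudienceRestriction>."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(a.text or "").strip() for a in root.findall(path, SAML_NS)]


def audience_matches(assertion_xml: str, expected_entity_id: str) -> bool:
    """True only if the assertion was issued for exactly the Entity ID we are configured with.

    This is why the IdP-side application and the Automation Suite setting must agree:
    an assertion minted for the host Entity ID is not acceptable to a tenant configured
    with an org-specific Entity ID, and vice versa.
    """
    return expected_entity_id in audiences(assertion_xml)


# Constructed sample assertion (no signature; illustrates the audience field only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://dev.env/identity_</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


if __name__ == "__main__":
    fqdn, orgs = "dev.env", ["acme", "contoso"]
    for mode in ("global", "org-specific"):
        apps = expected_idp_applications(fqdn, orgs, mode)
        print(f"{mode}: {len(apps)} IdP application(s) -> {sorted(apps)}")
    print("host accepts sample:", audience_matches(SAMPLE_ASSERTION, host_entity_id(fqdn)))
    print("acme (org-specific) accepts sample:",
          audience_matches(SAMPLE_ASSERTION, tenant_entity_id(fqdn, "acme", "org-specific")))
```

Running it shows the trade-off in the article: the global option needs one IdP application for host and all tenants, while the org-specific option needs one per organization plus the host, and an assertion issued against the host Entity ID is rejected by a tenant configured with an org-specific one.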