This article explains how to configure SAML Single Sign-On (SSO) for UltraDNS.
It includes required setup steps, metadata handling, user provisioning behavior, and important API access considerations.
When to Use This Article
- You are configuring SAML authentication for UltraDNS.
- You want to federate users through your Identity Provider (IdP).
- You are migrating users from standard login to SAML.
Step 1: Review the SAML Quick Start Guide
To begin the process, please follow this guide first as it will provide answers to most questions:
https://ultra-portalstatic.ultradns.com/static/docs/SAML-Quick_Start_Guide.pdf
Step 2: Access and Configure SAML in UltraDNS
- Log in to your UltraDNS account.
- Click on Accounts.
- Click on the blue hyperlinked Account Name.
- Select SAML (4th tab from left).
- Submit the data being requested in the following sections. There is a blue circle with a white question mark next to each section title which provides further details:
  - Customer Contact Information
  - Federation Related Information
  - DNS Related Information
User Provisioning and Metadata Handling
After you complete the provisioning above, the UI is populated with all of your users and their email addresses, in a section showing name, email and phone.
The email is the important part, because additional instructions will be sent regarding configuration on your side.
IDP-initiated SAML is optional and most users skip it.
For the NameID field, you will use either:
- nameid username
- nameid email address
You will manually update all of the userid values and check the email values, updating them if needed.
The usernames and emails show up on the screen after you submit your request.
You may upload your XML metadata if your application exports it. You may also download UltraDNS metadata for reference.
There are three important values in the metadata file which help ensure your configuration is appropriate.
Important: SAML and API Access Behavior
If a user is moved to SAML, the user can no longer access APIs. A SAML-Federated user cannot log in to the API.
A user that needs access to both API and UI must have:
- A SAML-Federated user (email address)
- An API-only user (any format is fine as it isn't using SAML) for accessing REST API
The two accounts cannot use the same email address.
API-Only Configuration Options
Set those users to "Is API Only" on the permissions mapping page.
The consequence of this is they get converted to API-only and immediately lose UI access (even to https://portal.ultradns.com) and only have REST API access.
OR
Migrate them to SAML and create new API-only users as needed.
The consequence of this approach is that API access will be lost as soon as the user logs in via the new URL and gets converted to SAML-Federated. A new API-only user can then be created.
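A pre-migration check for the account rules above, as an added example that is not UltraDNS code or an UltraDNS export format. The inventory fields (`username`, `email`, `ui`, `api`), the sample users and the case-insensitive email comparison are assumptions made for illustration.

```python
# Constructed inventory: who needs the portal UI and who needs the REST API.
USERS = [
    {"username": "alice", "email": "alice@example.com", "ui": True, "api": False},
    {"username": "svc-deploy", "email": "deploy@example.com", "ui": False, "api": True},
    {"username": "bob", "email": "bob@example.com", "ui": True, "api": True},
    {"username": "carol", "email": "carol@example.com", "ui": True, "api": True},
]
# Constructed: email planned for each new API-only user.
API_EMAILS = {"bob": "bob-api@example.com", "carol": "Carol@example.com"}


def norm(email):
    # Assumption: addresses are compared case-insensitively.
    return email.strip().lower()


def plan_migration(users, api_emails):
    """Return (plan, problems) for moving an account's users to SAML."""
    plan, problems = {}, []
    for u in users:
        name = u["username"]
        if u["ui"] and u["api"]:
            # Needs both: a SAML-Federated user plus a separate API-only user.
            plan[name] = "saml + new api-only user"
            new_email = api_emails.get(name)
            if new_email is None:
                problems.append(f"{name}: no email chosen for the API-only user")
            elif norm(new_email) == norm(u["email"]):
                problems.append(f"{name}: API-only user reuses the SAML email")
        elif u["ui"]:
            plan[name] = "saml"
        elif u["api"]:
            # Set "Is API Only": UI access is lost, REST API access is kept.
            plan[name] = "is api only"
        else:
            plan[name] = "review"
            problems.append(f"{name}: no UI or API need recorded")
    return plan, problems


if __name__ == "__main__":
    plan, problems = plan_migration(USERS, API_EMAILS)
    for name, action in plan.items():
        print(f"{name:12} {action}")
    for p in problems:
        print("PROBLEM:", p)
```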
Verification
After completing SAML configuration and user mapping, perform a test login using your Identity Provider.
Confirm that users authenticate successfully and that API-only users behave according to the selected configuration model.
FAQs
https://dns.ultraproducts.support/hc/en-us/articles/28906848135835-SAML-FAQ