Configure SSO via SAML


Cisco Provider Connectivity Assurance can be configured to allow Single Sign-On (SSO) via SAML authentication. This integration enables centralized user management and enhances security for your deployment.

Step 1: Log In to the Identity Access Management (IAM) UI

Access the IAM interface (Zitadel) as the administrator for your deployment. The URL depends on whether you are using DNS for your deployment:

Deployment Type    URL Format               Example
With DNS           https://auth.{domain}    https://auth.onprem.cisco.internal
Without DNS        https://{ip}:3443        https://10.128.0.1:3443

Administrator Credentials: The administrator user was created during installation. It follows this format:

Format                                   Example
{deployment-name}-admin@auth.{domain}    performance-admin@auth.performance.onprem.cisco.internal

Note: The default password for the administrator can be viewed in the Admin Console and must be changed upon first login.

Step 2: Edit Default Settings

  1. Click the Default Settings button in the top-right corner.

     Default Settings Button        

  2. In the Login Behavior and Security settings, ensure the External login allowed option is enabled.

     External login allowed toggle      

Step 3: Add the SAML Identity Provider

  1. In the Identity Provider settings, select Add a new SAML provider.

     Add SAML Provider        

  2. Name your SAML provider and enter your SAML metadata XML configuration file, Base64-encoded.

     SAML Configuration Metadata        

  3. Expand the Optional settings and ensure Account linking allowed (manually) and Check for existing Email are enabled before creating the provider.

     Optional SAML Settings        

Step 4: Activate Provider for the Organization

  1. Navigate to the PCA organization and choose Modify the Login and Access settings.

     Modify Login and Access        

  2. In the Identity Providers section, mark your created SAML provider as Available.

Important Note on User Provisioning

At this point, SAML-based SSO is configured. However, you must create a user in the Provider Connectivity Assurance UI using the user’s exact email address for your tenant before they can log in via SAML. When the user first logs in, they will be able to link their PCA account to their SAML provider account.

© 2026 Cisco and/or its affiliates. All rights reserved.
