Integration via SAML#

If your identity management system does not support OpenID Connect or OAuth 2.0, the integration with NVIDIA can be based on SAML V2.0. In this case, the NVIDIA identity federation system is the Service Provider (SP) and your identity management system is the Identity Provider (IdP).

[Figure: ovc_saml_overview, overview of the SAML integration between your identity provider and the NVIDIA service provider]

The NVIDIA identity federation system uses SP-initiated SSO with the Redirect/POST binding option, as specified in section 5.1.2 of the SAML Technical Overview: the NVIDIA SP redirects the browser to your IdP's SSO URL with the AuthnRequest encoded in the query string (HTTP-Redirect binding), and your IdP returns the SAML Response to the NVIDIA Assertion Consumer Service URL through an auto-submitted HTML form (HTTP-POST binding).

Service Provider Configuration#

The NVIDIA identity federation system uses the following identifiers and URLs:

NVIDIA environment       Entity ID                       Assertion Consumer Service URL
Production               https://login.nvidia.com        https://login.nvidia.com/saml2/redirect
Pre-integration tests    https://stg.login.nvidia.com    https://stg.login.nvidia.com/saml2/redirect

If possible, please enable both NVIDIA environments in your identity management system. If you have a test environment for your identity management system, you can enable the NVIDIA pre-integration environment there. Otherwise, you can enable the integration only for the production environment if you prefer.
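The following is an added example, not NVIDIA's code, showing what the SP-initiated flow described above looks like on the wire: an SP builds an AuthnRequest that names its Entity ID as Issuer and its Assertion Consumer Service URL (both taken from the table above), encodes it with the HTTP-Redirect binding, and the IdP decodes it. The IdP SSO URL, the request ID and the registry of accepted ACS URLs are assumptions for the example; a production SP would also sign the request when the IdP requires it.

```python
"""SP-initiated SAML 2.0 SSO with the HTTP-Redirect binding, as an SP sends it.

The AuthnRequest XML is DEFLATE-compressed, base64-encoded and URL-encoded into
the SAMLRequest query parameter of the IdP's SSO URL (SAML Bindings, 3.4). The
IdP later returns its Response with the HTTP-POST binding to the
AssertionConsumerServiceURL named in the request.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# SP identifiers from the production row of the table above.
SP_ENTITY_ID = "https://login.nvidia.com"
SP_ACS_URL = "https://login.nvidia.com/saml2/redirect"
# Assumed value: the SSO URL your IdP publishes in its metadata.
IDP_SSO_URL = "https://idp.example.com/saml2/sso"

# Assumed IdP-side registry: an AuthnRequest must only be honoured for an ACS
# URL that is registered to the Issuer (both NVIDIA environments listed above).
REGISTERED_ACS = {
    "https://login.nvidia.com": {"https://login.nvidia.com/saml2/redirect"},
    "https://stg.login.nvidia.com": {"https://stg.login.nvidia.com/saml2/redirect"},
}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest XML (bytes). Unsigned here; a production SP adds
    Signature/SigAlg query parameters when the IdP requires signed requests."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST,           # ask for the Response via POST
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(root, encoding="utf-8")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Encode the request per the HTTP-Redirect binding and append it to the SSO URL."""
    # Raw DEFLATE with no zlib header/trailer (wbits=-15), as the binding requires.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(idp_sso_url).query else "?"
    return idp_sso_url + sep + urlencode(params)


def decode_redirect_binding(url):
    """The IdP side: recover the AuthnRequest fields from the redirect URL."""
    qs = parse_qs(urlsplit(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "protocol_binding": root.get("ProtocolBinding"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def acs_is_registered(request, registry=REGISTERED_ACS):
    """Refuse an ACS URL not registered to the issuing SP; otherwise a forged
    request could steer the signed Response to an attacker-controlled URL."""
    return request["acs_url"] in registry.get(request["issuer"], set())


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = redirect_binding_url(IDP_SSO_URL, xml, relay_state="/app")
    print(url)
    req = decode_redirect_binding(url)
    print(req, "registered ACS:", acs_is_registered(req))
```

The `acs_is_registered` check is the IdP-side counterpart of the table above: your IdP should only deliver assertions for `https://login.nvidia.com` to `https://login.nvidia.com/saml2/redirect`, and likewise for the pre-integration entity.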

Identity Provider Metadata#

NVIDIA can receive your IdP metadata either as an XML file (preferred) or as individual parameters. Either way, please make sure that the following information is included:

  • Entity identifier (the entityID of your IdP)

  • SSO URL (the SingleSignOnService endpoint that accepts the AuthnRequest via the HTTP-Redirect binding)

  • X.509 certificate (the signing certificate that NVIDIA uses to verify the signature on your SAML responses; send a new one ahead of any certificate rotation, or signatures will fail to validate)
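As an added example (not NVIDIA's tooling), this script extracts the three required items from an IdP metadata file and reports what is missing before you send the file. The sample metadata is constructed: the entity ID and URLs are placeholders, and the certificate element holds a stand-in DER SEQUENCE rather than a real certificate, so the script runs offline.

```python
"""Pull the entity ID, SSO URL and signing certificate out of IdP metadata and
check that the three items NVIDIA requires are present and sane."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The entity ID and URLs are placeholders, and the
# certificate body is a stand-in DER SEQUENCE (0x30 0x03 0x02 0x01 0x01), not a
# real certificate, so the file stays self-contained.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MAMCAQE=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return {'entity_id', 'sso_urls' (binding -> URL), 'signing_certs' (DER bytes)}."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso_urls = {el.get("Binding"): el.get("Location")
                for el in idp.findall("md:SingleSignOnService", NS)}
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Line breaks and indentation are allowed inside the element text.
            signing_certs.append(base64.b64decode("".join(cert.text.split())))
    return {"entity_id": root.get("entityID"),
            "sso_urls": sso_urls,
            "signing_certs": signing_certs}


def check_required(meta):
    """Return a list of problems; an empty list means all three items are present."""
    problems = []
    if not meta["entity_id"]:
        problems.append("missing entityID")
    sso = meta["sso_urls"].get(HTTP_REDIRECT)
    if not sso:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding")
    elif urlsplit(sso).scheme != "https":
        problems.append("SSO URL is not https")
    if not meta["signing_certs"]:
        problems.append("no X.509 signing certificate")
    for der in meta["signing_certs"]:
        if not der or der[0] != 0x30:   # a DER certificate starts with a SEQUENCE tag
            problems.append("certificate is not DER (base64 of a DER SEQUENCE expected)")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso_urls"][HTTP_REDIRECT])
    print("problems:", check_required(meta))
```

Only the outer DER structure is checked here; to confirm the certificate's validity period and that it is the one your IdP actually signs with, load the DER bytes with a library such as `cryptography` and compare against a signed response from your test environment.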

Attribute Mappings#

In the SAML Web Browser SSO profile, the assertion must carry a <Subject> element, while <Attribute> elements are optional in the response from the IdP. However, the NVIDIA identity federation system requires that the response from your identity management system includes at least one <Attribute> element with the user's email address.

The NVIDIA identity federation system can flexibly map the attributes returned by your identity management system. If possible, please provide the list of attribute names that you expect NVIDIA to receive.

If your identity management system supports user groups, please consider returning the groups relevant for NVIDIA as one of the attributes. This allows certain NVIDIA services to use your groups to control the privileges of your users. In other words, you will be able to manage yourself the roles that you want your users to have when they access certain NVIDIA services.
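To make the attribute requirements concrete, here is an added example (not NVIDIA's implementation) of the SP-side extraction: it applies a configurable mapping from the attribute names your IdP emits to the names the SP uses, rejects a response that has no email attribute, checks the Audience against the SP Entity ID, and reads groups as a multi-valued attribute. The response is constructed; the user, IdP and group names are placeholders, and the claim URIs are the AD FS defaults used only as sample names. Signature verification is deliberately left out: in practice the SP must verify the XML signature with the certificate from your metadata before trusting any attribute.

```python
"""Extract Subject and Attributes from a SAML Response, apply an attribute-name
mapping, and enforce that at least one <Attribute> carries the user's email."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SP_ENTITY_ID = "https://login.nvidia.com"   # the Audience the SP expects

# Attribute names the IdP emits -> names the SP uses internally. The left-hand
# column is the "list of attribute names" you would hand to NVIDIA; the claim
# URIs are the AD FS defaults, used here only as sample names.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/claims/Group": "groups",
}

# Constructed sample response: user, IdP and group names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.nvidia.com/saml2/redirect">
  <saml:Issuer>https://idp.example.com/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://login.nvidia.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>nvidia-users</saml:AttributeValue>
        <saml:AttributeValue>nvidia-admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_attributes(response_xml, attribute_map=ATTRIBUTE_MAP):
    """Parse the Response into {'subject', 'audiences', 'attributes'}.
    Signature verification is out of scope here; the SP must verify the XML
    signature with the IdP metadata certificate before trusting any of this."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain Assertion (EncryptedAssertion is not handled here)")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        # Unmapped names are kept under their original name so nothing is lost.
        attrs[attribute_map.get(attr.get("Name"), attr.get("Name"))] = values
    return {
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }


def check_response(parsed, sp_entity_id=SP_ENTITY_ID):
    """Return problems; an empty list means the response meets the requirements."""
    problems = []
    if not parsed["subject"]:
        problems.append("missing Subject/NameID")
    if sp_entity_id not in parsed["audiences"]:
        problems.append("Audience does not name the SP entity ID")
    emails = parsed["attributes"].get("email", [])
    if not emails or "@" not in emails[0]:
        problems.append("no Attribute carrying the user email address")
    return problems


def groups_for(parsed):
    """Groups sent by the IdP, which services can map onto their own roles."""
    return parsed["attributes"].get("groups", [])


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_RESPONSE)
    print(parsed["subject"], parsed["attributes"]["email"], groups_for(parsed))
    print("problems:", check_response(parsed))
```

Whatever your IdP calls the email attribute, it is the left-hand key in `ATTRIBUTE_MAP` that you would give NVIDIA, and the group attribute should be emitted with one <AttributeValue> per group rather than a single delimited string.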

Information to Be Provided to NVIDIA#

The following list specifies the information that NVIDIA needs to set up the integration, with a comment on each item:

IdP metadata
    Refer to the Identity Provider Metadata section for more details.

List of email domains in use at your company
    NVIDIA will direct all users with those email domains to log in with your identity management system. Refer to the Integration via OpenID Connect > Email Domains section for more details.

List of attribute names
    See the Attribute Mappings section for more details.

Test account that NVIDIA can use to verify the integration
    If possible, please provide the username and password of one test account.