# SP side configuration (RAS side)

On the service provider side (the Parallels RAS side), you need to enable Web (SAML) authentication and add the identity provider to the RAS Farm.

## **Enable Web (SAML) authentication**

1. In the RAS Console, navigate to **Connection** > **Authentication**.
2. In the **Allowed authentication types** section, select the **Web (SAML)** option.

## **Adding an IdP to the RAS Farm**

To add an IdP:

1. In the RAS Console, navigate to **Connection** > **SAML**. If the tab page is disabled, make sure you enabled Web (SAML). See above.
2. Click **Tasks** > **Add**.
3. In the **Add Identity Provider** wizard, specify a provider name.
4. In the **Use with Theme** drop-down list, select a [Theme](https://download.parallels.com/ras/v19/docs/en_US/Parallels-RAS-19-Administrators-Guide/43381.htm) to which the IdP will be assigned. If you don't have a specific Theme yet, you can use the default Theme, or you can select "\<not used>" and assign a Theme later. Multiple IdPs can be configured in the same RAS Farm, but at this time each IdP can be assigned to only one Theme.
5. Select one of the following methods that the wizard will use to obtain the IdP information:
   * **Import published IdP metadata**: Import from an XML document published on the Internet. Specify the document URL taken from the IdP side configuration.
   * **Import IdP metadata from file**: Import from a local XML file downloaded from the IdP application. Specify the file name and path in the field provided.
   * **Manually enter the IdP information:** Select this option and then enter the information manually on the next wizard page.
6. Click **Next**.
7. If the configuration was imported in the previous step, the next page will be populated with data obtained from the XML file. If you've selected to enter the IdP data manually, you'll have to enter the values yourself:

   * **IdP entity ID:** Identity provider entity ID.
   * **IdP certificate:** Identity provider certificate data. To populate this field, you need to download the certificate from the IdP side, then open the downloaded file, copy its contents and paste it into this field.
   * **Logon URL:** Logon URL.
   * **Logout URL:** Logout URL.

   Select the **Allow unencrypted assertion** option only if your IdP cannot encrypt assertions.

{% hint style="info" %}
**Note:** By default, the **Allow unencrypted assertion** option is disabled, so RAS rejects assertions that are not encrypted. Either configure the IdP to encrypt assertions (the recommended setting) or change this default within the RAS configuration. With the option enabled, the assertion and the user attributes it carries pass through the end user's browser protected only by TLS and the IdP signature.
{% endhint %}

8. At this point, you can configure service provider (SP) settings to be imported on the IdP side (IdP portal). You can do it now or later. To do it now, follow the steps below. To do it later, click **Finish** and then, when needed, open the identity provider object properties, select the **SP** tab and follow the same steps.
9. To configure SP settings, click the **Service provider information** button.
10. In the dialog that opens, enter the host address. After authentication, the IdP redirects the user's browser to this address, so it must be resolvable and reachable from the end user's browser, not only from inside the RAS Farm.
11. The other fields including **SP Entity ID**, **Reply URL**, **Logon URL** and **Logout URL** are prepopulated based on the host address. The SP Certificate is autogenerated.
12. The next step is to complete the IdP configuration based on the values above. These values can be copied manually or exported as a metadata file (XML). Click the **Export SP metadata to file** link, save the metadata as an XML file, and import that file into your IdP.
13. Close the dialog and click **Finish**.
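
The wizard above either imports the IdP metadata document or asks you to type the same four values by hand. The following script is an added example, not Parallels RAS code: it pulls **IdP entity ID**, **IdP certificate**, **Logon URL** and **Logout URL** out of an IdP metadata document using only the Python standard library, and compares the SHA-256 fingerprint of a certificate file you intend to paste into the wizard against the signing certificate the IdP actually publishes. The metadata document, entity ID, URLs and the certificate bytes are constructed placeholders; a real metadata file carries a genuine X.509 certificate, and a real metadata URL should only be trusted after you have verified the TLS connection it was fetched over.

```python
"""Extract RAS wizard values from SAML IdP metadata (added example, not RAS code)."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder standing in for the IdP's DER-encoded signing
# certificate. A real metadata file contains a parseable X.509 certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed sample IdP metadata; the entity ID and URLs are placeholders.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as the PEM text the wizard's certificate field expects."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the values the RAS wizard asks for on its manual-entry page."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this may be SP metadata, not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode(cert.text))
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleLogoutService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso": sso, "slo": slo}


def wizard_values(meta: dict) -> dict:
    """Map parsed metadata onto the four wizard fields."""
    if not meta["signing_certs"]:
        raise ValueError("no signing certificate: RAS could not verify IdP responses")
    logon = meta["sso"].get(HTTP_REDIRECT) or meta["sso"].get(HTTP_POST)
    logout = meta["slo"].get(HTTP_REDIRECT) or meta["slo"].get(HTTP_POST)
    if logon is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return {"IdP entity ID": meta["entity_id"],
            "IdP certificate": der_to_pem(meta["signing_certs"][0]),
            "Logon URL": logon, "Logout URL": logout}


def pasted_certificate_matches(meta: dict, pem_text: str) -> bool:
    """True if the certificate you are about to paste is one the IdP publishes."""
    fp = fingerprint(pem_to_der(pem_text))
    return any(fingerprint(c) == fp for c in meta["signing_certs"])


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for name, value in wizard_values(meta).items():
        print(f"{name}: {(value or '').strip()}")
    print("published signing fingerprints:", [fingerprint(c) for c in meta["signing_certs"]])
    print("pasted certificate matches:",
          pasted_certificate_matches(meta, der_to_pem(PLACEHOLDER_DER)))
```

Run it against a metadata file downloaded from your IdP instead of the constructed sample to see exactly what the **Import IdP metadata from file** option will fill in, and compare the printed fingerprint with the one shown in the IdP portal before pasting a certificate manually.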

## **Configuring user account attributes**

When user authentication is performed by the IdP, the user attributes carried in the SAML assertion are compared with the matching user account attributes in Active Directory to identify the Windows account the session will run as. You can configure which attributes should be used for comparison as described below.

The following table lists available attributes:

<table><thead><tr><th width="204">RAS name</th><th>SAML name *</th><th>AD name</th><th>Description</th></tr></thead><tbody><tr><td>UserPrincipalName</td><td>NameID</td><td>userPrincipalName</td><td>User Principal Name (UPN) is the name of a system user in an email address format.</td></tr><tr><td>Immutable ID</td><td>ImmutableID</td><td>objectGUID</td><td>A Universally Unique Identifier.</td></tr><tr><td>SID</td><td>SID</td><td>objectSid</td><td>An objectSid includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain.</td></tr><tr><td>sAMAccountName</td><td>sAMAccountName</td><td>sAMAccountName</td><td>The sAMAccountName attribute is a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0.</td></tr><tr><td>Custom</td><td>Email</td><td>mail</td><td>A custom attribute that can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address.</td></tr></tbody></table>

**\*** The attributes in the **SAML name** column are editable and can be customized based on the IdP that you are using.

To configure attributes:

1. In the RAS Console, right-click an IdP that you've added in previous steps.
2. In the IdP **Properties** dialog, select the **Attributes** tab. On this tab, you can select or clear the attributes to be used for comparison or create custom ones:
   * Attributes that are selected will be compared for a match.
   * The names of all of the preconfigured SAML attributes (the IdP side) can be modified to match the AD attributes as required.
   * The custom attribute can be used to allow any SAML attribute name to match any AD attribute value. By default, it is the email address.
3. Configure and enable the desired attributes as needed based on the attributes configured on the IdP side.
4. Click **OK** to close the dialog.

{% hint style="info" %}
**Note 1:** Multiple enabled attributes are tried in the presented order, one at a time, in either/or fashion. If an attribute fails to produce a match, the next configured attribute is tried.
{% endhint %}

{% hint style="info" %}
**Note 2:** If multiple AD users share the same value of the AD attribute being compared, user matching fails. For example, if the email attribute is chosen and different AD users have the same email address, attribute matching between the IdP account and the AD user account will not succeed.
{% endhint %}
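
To make the two notes above concrete, here is an added example (not Parallels RAS code; the real comparison happens inside the RAS Farm) that models the ordered, one-attribute-at-a-time matching against a constructed Active Directory sample. It uses the default RAS name, SAML name and AD name pairs from the table, shows a renamed SAML attribute for the **Custom** entry, and includes the duplicate-value check an administrator would run before choosing an attribute. Two assumptions of the example that the page does not state: UPN, logon name and email are compared case-insensitively while GUID and SID values are compared exactly, and a non-unique AD value fails only that attribute so that the next enabled attribute is tried. The user accounts, GUIDs and SIDs are constructed.

```python
"""Model of ordered SAML-to-AD attribute matching (added example, not RAS code)."""
from typing import Dict, List, Optional, Tuple

# Default RAS name -> (SAML attribute name, AD attribute name) from the table.
# The SAML names are the editable column and may be renamed per IdP.
DEFAULT_ATTRIBUTE_MAP = {
    "UserPrincipalName": ("NameID", "userPrincipalName"),
    "Immutable ID": ("ImmutableID", "objectGUID"),
    "SID": ("SID", "objectSid"),
    "sAMAccountName": ("sAMAccountName", "sAMAccountName"),
    "Custom": ("Email", "mail"),
}

# Assumption of this example, not documented RAS behaviour: name-like
# attributes compare case-insensitively, identifiers compare exactly.
CASE_INSENSITIVE_AD_ATTRS = {"userPrincipalName", "sAMAccountName", "mail"}

# Constructed AD directory. bob and carol deliberately share a mail value,
# which is the situation Note 2 warns about.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@corp.example",
     "objectGUID": "11111111-2222-3333-4444-555555555501",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1101",
     "mail": "alice@corp.example"},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@corp.example",
     "objectGUID": "11111111-2222-3333-4444-555555555502",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1102",
     "mail": "shared@corp.example"},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@corp.example",
     "objectGUID": "11111111-2222-3333-4444-555555555503",
     "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1103",
     "mail": "shared@corp.example"},
]


def normalize(ad_attr: str, value: Optional[str]) -> Optional[str]:
    if value is None:
        return None
    return value.casefold() if ad_attr in CASE_INSENSITIVE_AD_ATTRS else value


def match_user(assertion: Dict[str, str], enabled: List[str],
               ad_users: List[dict],
               attribute_map: Dict[str, Tuple[str, str]] = DEFAULT_ATTRIBUTE_MAP
               ) -> Tuple[Optional[dict], List[str]]:
    """Try the enabled attributes in order; return (matched user or None, trace).

    `assertion` maps SAML attribute names (NameID included) to the values the
    IdP sent. `enabled` lists RAS names in the order shown on the Attributes tab.
    """
    trace: List[str] = []
    for ras_name in enabled:
        saml_name, ad_name = attribute_map[ras_name]
        value = assertion.get(saml_name)
        if value is None:
            trace.append(f"{ras_name}: SAML attribute {saml_name!r} absent, skipped")
            continue
        wanted = normalize(ad_name, value)
        hits = [u for u in ad_users if normalize(ad_name, u.get(ad_name)) == wanted]
        if len(hits) == 1:
            trace.append(f"{ras_name}: matched {hits[0]['sAMAccountName']}")
            return hits[0], trace  # only one attribute is used per login
        if len(hits) > 1:
            # Note 2: a value shared by several AD users is a failure, never
            # an ambiguous success. This example then moves on to the next
            # enabled attribute (Note 1); RAS may instead stop here.
            trace.append(f"{ras_name}: {len(hits)} AD users share "
                         f"{ad_name}={value!r}, rejected")
        else:
            trace.append(f"{ras_name}: no AD user with {ad_name}={value!r}")
    return None, trace


def find_duplicate_values(ad_users: List[dict], ad_attr: str) -> Dict[str, List[str]]:
    """AD values of `ad_attr` held by more than one user, with the logon names."""
    by_value: Dict[str, List[str]] = {}
    for u in ad_users:
        v = normalize(ad_attr, u.get(ad_attr))
        if v is not None:
            by_value.setdefault(v, []).append(u["sAMAccountName"])
    return {v: names for v, names in by_value.items() if len(names) > 1}


if __name__ == "__main__":
    print("duplicate mail values:", find_duplicate_values(SAMPLE_AD_USERS, "mail"))
    for assertion, enabled in [
        ({"NameID": "Alice@corp.example"}, ["UserPrincipalName", "Custom"]),
        ({"Email": "shared@corp.example"}, ["Custom"]),
        ({"NameID": "nobody@corp.example",
          "ImmutableID": "11111111-2222-3333-4444-555555555502"},
         ["UserPrincipalName", "Immutable ID"]),
    ]:
        user, trace = match_user(assertion, enabled, SAMPLE_AD_USERS)
        print(user["sAMAccountName"] if user else "NO MATCH", "<-", " | ".join(trace))
```

The third case shows the fallback from Note 1: the UPN the IdP sent does not exist in AD, so the Immutable ID is tried and matches. The second case is Note 2 in action: the only enabled attribute is email, two accounts share the address, and the login is rejected rather than mapped to either of them.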

## **Attributes configuration tips**

* When possible, use automation for user synchronization (such as Microsoft Azure AD Connect for Azure IdP configuration) between your Active Directory and the IdP to minimize user identity management overhead.
* Choose a user identification attribute that is unique in your environment, such as the User Principal Name (UPN) or Immutable ID (objectGUID), when possible. Alternatively, you can use another unique identifier such as the email address. In this case make sure that the **Email address** field of the user object in AD is populated and that no two users share a value. If you use Microsoft Exchange Server, use the **Exchange Addresses** tab and Exchange policies.
* If using UPN as an attribute, you can also configure alternative UPN suffixes. This can be done from Active Directory Domains and Trusts (select root > right-click to open the **Properties** dialog). Once a new alternative UPN suffix is created, you can change the UPN on the user object properties from Active Directory Users and Computers.

## **Adding an account picture**

For additional personalization, you can add a custom account picture which will be shown on the Windows logon screen during the user login when using Single Sign-On. This can be done as described in <https://kb.parallels.com/en/129028>.
