Authentication Portal Service Provider Configuration

From idenprotect Knowledge Base
Jump to: navigation, search

If you have not made any configuration changes yet, please see How to make configuration changes

If you have not yet verified that the idenprotect Authentication Portal has been configured correctly. Please complete Authentication Portal Configuration first.

Introduction

idenprotect Core Platform can be used to enable Single Sign-On with external Service Providers. The idenprotect Authentication Portal (sometimes referred to as IDP) acts as a gateway to users to allow them to authenticate once and then access any Service Providers which have been set up. This article discusses the configuration of the Service Providers.

Service Provider Configuration

Service Providers are configured in:

  • Authentication Portal section in the idenprotect Core Platform Admin Console Config Tab

There are a number of different types of service providers supported and the type of service provider determines the parameters required to configure it.

SAML Service Provider

A SAML service provider will integrate with the Authentication Portal using the SAML V2.0 protocol

Parameters for SAML Service Provider Authentication Portal
Parameter Description
Name Friendly name for the Service Provider
Type SAML
Entity ID The ID used by SAML between idenprotect Core Platform and the Service Provider to verify they are talking to the correct system
ACS Assertion Consumer Service - The location at a Service Provider which accepts SAML messages
SSO URL The URL to the Single Sign On page for the Service Provider
SAML Sign On Binding The binding to use when completing a SAML Sign On (HTTP-Post or HTTP-Redirect)
Authentication Portal Initiated URL The URL to start the Single Sign On process from the Authentication Portal side instead of calling the Single Sign On page for the Service Provider
Single Log Out URL The URL to the Single Sign Out page for the Service Provider
SAML Log Out Binding The binding to use when completing a SAML Log Out (HTTP-Post or HTTP-Redirect)
Country Whitelist A list of countries (by Country Code) where you permit a user to access the Service Provider from. Only this or the Blacklist should be completed. You do not need to complete both
Country Blacklist A list of countries (by Country Code) where you do not permit a user to access the Service Provider from. Only this or the Whitelist should be completed. You do not need to complete both
Logo This will show a thumbnail of an image you have uploaded against a Service Provider
Group If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users.
Permitted authentication types Multiple checkboxes, check each authentication type a user can use to view and access this Service Provider.

Using SP Metadata

Some service providers provide metadata files to make integration a little easier.

From version 3.16 it is possible to populate most of the SAML service provider config items by uploading the SAML Metadata associated with the service provider if available.

Uploadmetadata.png

Simply select the Upload Metadata option and select the file that contains the metadata. The core platform will process the metadata and use it to populate fields for that service provider. The service provider's name will still need to be set, as will any other settings not covered by the metadata.

HTTP Post

An HTTP Post Service Provider integrates with the Authentication Portal by the Authentication Portal creating and submitting a login form (using cached password) to the Service Providers login url.

Parameters for HTTP Post Service Provider Authentication Portal
Parameter Description
Name Friendly name for the Service Provider
Type HTTP POST. HTTP POST has been added to support legacy applications where a username and password are required to login
SSO URL The URL to to which the login form is to be submitted
Country Whitelist A list of countries (by Country Code) where you permit a user to access the Service Provider from. Only this or the Blacklist should be completed. You do not need to complete both
Country Blacklist A list of countries (by Country Code) where you do not permit a user to access the Service Provider from. Only this or the Whitelist should be completed. You do not need to complete both
Logo This will show a thumbnail of an image you have uploaded against a Service Provider
Group If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users.
Permitted authentication types Multiple checkboxes, check each authentication type a user can use to view and access this Service Provider.

Additional Parameters

The login for may require additional parameters in addition to username and password.

These can be defined in two way.

From version 3.14 you can select the auto-build form option. In this case the SSO URL should be the URL of the page that hosts the login form. The Authentication Portal will read the login form from that url and recreate the login form with the extra parameters set, it will also read the action of the form so that the users credentials are posted to the correct URL.

The other way is to define parameters for the service provider (on the 2nd page of the service configuration) and these name and value pairs will be added to the submitted login form

RADIUS

If deployed with the iDENprotect RADIUS server, Service Providers that use RADIUS can be integrated.

Parameters for RADIUS Service Provider Authentication Portal
Parameter Description
Name Friendly name for the Service Provider
Type RADIUS
NAS IP/Host The Host Name or IP address of the server that will submit the RADIUS request (NAS).
Radius Shared Secret The shared secret that the RADIUS NAS will use.
SSO URL The URL to to which the user will be redirected to to complete the authentication, ie the login page of the RADIUS service.
Country Whitelist A list of countries (by Country Code) where you permit a user to access the Service Provider from. Only this or the Blacklist should be completed. You do not need to complete both
Country Blacklist A list of countries (by Country Code) where you do not permit a user to access the Service Provider from. Only this or the Whitelist should be completed. You do not need to complete both
Logo This will show a thumbnail of an image you have uploaded against a Service Provider
Group If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users.
Permitted authentication types Multiple checkboxes, check each authentication type a user can use to view and access this Service Provider.

Additional Parameters

Services may require additional parameters to be specified.

When the Authentication Portal issues a SAML response it will add any attributes defined for that service provider to the SAML response it issues.

When the Authentication Portal build and submits a login form for RADIUS or HTTP post it will any attributes defined for that service provider to the form it posts.

These parameters are set on IDP Service Provider Attributes screen

These parameters can be set to LDAP attributes that are read in the sync job or to literal values or a combination of both. Literal values are within double quotes.

For example if a user had a cn of test and a Attribute was defined as cn"@domain" the value test@domain would be returned to the service provider for that user.


SAML

When the Authentication Portal issues a SAML response it will add any attributes defined for that service provider to the SAML response it issues. For example if the SAML response requires the user's mail address to be returned in an attribute called UserEmail then you would create an entry with an Attribute Name of UserEmail and the LDAP Friendly Name that maps to the user's email address.

HTTP Post / RADIUS

When the Authentication Portal posts a login form to the Service Provider, it adds any attributes that have been defined for that Service Provider. If an attribute called username is defined, then this will be used as the username for the login form, for example if the login form required a user's common name rather than their email address to authenticate.

For example when integrating to the Pulse VPN the form needs to include the realm to which the user is authenticating to and a timezone offset. So this requires to attributes to be specified

realm maps to "radius" (or whatever the realm is called that the user is attempting to access) tz_offset maps to "0"


Authportalattr.png

If the page form uses labels other than username and password within the form, you can specify this using attribute values. For example, if the login form used "user" and "credential" as fields for the username and password two attributes should be defined as follows 

usernameLabel : "user"
passwordLabel : "credential"

There is an option when creating an HTTP Service Provider to automatically build the login form. This attempts to scrape the login form and use the parameters that are there. This will work with a simple form setup but if there are additional parameters or the labels are non-standard this may not work.

NOTE: In addition to the form, you may also need to disable CSRF protection in order for posting the form to work. This can only be done by adding a property into web-security.properties in the /etc/idenprotect folder called csrf.protection with a value of false. If this properties file does not exist, it may need to be created first. The idenprotect Core Platform will require a restart in order to pick up this new configuration

Example Service Providers

The examples below have been taking from real working examples (with our specific host removed). This information should give you a good base on how to configure your own Service Providers

BlackBerry Workspaces

Please note that the BlackBerry configuration is completed by BlackBerry themselves. In order to facilitate this, you will need to provide BlackBerry with the Metadata for your Authentication Portal which you can find by visiting https://{Host}:{Port}/metadata

Example idenprotect Core Platform Configuration

idenprotect Core Platform Parameters
Parameter Description
Name BlackBerry Workspaces
Entity ID https://{yourDomain}.eu.ws.blackberry.com/saml-idp/saml/metadata
ACS https://www.eu.ws.blackberry.com/saml-idp/saml/SSO/alias/defaultAlias
SSO URL https://{yourDomain}.eu.ws.blackberry.com/


Pulse Secure

Please note that you will also need to upload a valid certificate to the Service Provider

Example idenprotect Core Platform Configuration

idenprotect Core Platform Parameters
Parameter Description
Name Pulse Secure
Entity ID https://pulse.{yourDomain}.net/dana-na/auth/saml-endpoint.cgi?p=sp1
ACS https://pulse.{yourDomain}.net/dana-na/auth/saml-consumer.cgi
SSO URL https://pulse.{yourDomain}.net/saml

Example Pulse Secure Configuration

To find the specific settings you need for Pulse you must first create an Authentication Server via the Pulse Admin console and use the details from the idenprotect Authentication Portal Metadata. We have created a step-by-step guide for how to Integrate Pulse Secure

Pulse Secure Parameters
Parameter Description
Server Name iden
SAML Version 2.0
Connect Secure Entity Id https://pulse.{yourDomain}.net/dana-na/auth/saml-endpoint.cgi?p=sp1
Configuration Mode Manual
Authentication Portal Entity Id https://{Host}/idp
Authentication Portal Single Sign On Service URL https://{Host}/idp/SingleSignOnService
Authentication Portal Single Logout Url Service URL https://{Host}/idp/SingleLogoutService
Allowed Clock Skew 300
SSO Method Post


Salesforce

Please note the additional following requirements for Salesforce Configuration:

  • The User in Salesforce will need to have a Federation ID assigned.
  • You will need to have set up your custom domain and set your Authentication Service to the Single Sign On profile
  • You will need to upload a valid certificate.

Example idenprotect Core Platform Configuration

idenprotect Core Platform Parameters
Parameter Description
Name Salesforce
Entity ID https://{yourDomain}.my.salesforce.com
ACS https://{yourDomain}.my.salesforce.com?so={so_ID}
SSO URL https://{yourDomain}.my.salesforce.com?so={so_ID}

Note that the so_ID will come from your SAML Single Sign-On Settings in the Endpoints section

Example Salesforce Configuration

Salesforce Parameters
Parameter Description
Name iden
API Name iden
Entity ID https://{yourDomain}.my.salesforce.com
Request Signature Method RSA-SHA256
Assertion Decryption Certificate Assertion not encrypted
SAML Identity Type Assertion contains the Federation ID from the User object
SAML Identity Location Identity is in the NameIdentifier element of the Subject statement
Service Provider Initiated Request Binding HTTP POST
Authentication Portal Login URL https://{Host}/idp/SingleSignOnService
Custom Logout URL https://{Host}/idp/SingleSignOnService
Retrieved from "https://idenprotectwiki.com/index.php?title=Authentication_Portal_Service_Provider_Configuration&oldid=3195"