Authentication Portal Service Provider Configuration
If you have not made any configuration changes yet, please see How to make configuration changes.
If you have not yet verified that the idenprotect Authentication Portal has been configured correctly, please complete Authentication Portal Configuration first.
Introduction
idenprotect Core Platform can be used to enable Single Sign-On with external Service Providers. The idenprotect Authentication Portal (sometimes referred to as the IDP) acts as a gateway for users, allowing them to authenticate once and then access any Service Providers which have been set up. This article discusses the configuration of the Service Providers.
Service Provider Configuration
Service Providers are configured in:
- Authentication Portal section in the idenprotect Core Platform Admin Console Config Tab
There are a number of different types of service provider supported, and the type of service provider determines the parameters required to configure it.
SAML Service Provider
A SAML service provider integrates with the Authentication Portal using the SAML V2.0 protocol.
Parameter | Description |
---|---|
Name | Friendly name for the Service Provider |
Type | SAML |
Entity ID | The ID used by SAML between idenprotect Core Platform and the Service Provider to verify they are talking to the correct system |
ACS | Assertion Consumer Service - The location at a Service Provider which accepts SAML messages |
SSO URL | The URL to the Single Sign On page for the Service Provider |
SAML Sign On Binding | The binding to use when completing a SAML Sign On (HTTP-Post or HTTP-Redirect) |
Authentication Portal Initiated URL | The URL to start the Single Sign On process from the Authentication Portal side instead of calling the Single Sign On page for the Service Provider |
Single Log Out URL | The URL to the Single Log Out page for the Service Provider |
SAML Log Out Binding | The binding to use when completing a SAML Log Out (HTTP-Post or HTTP-Redirect) |
Country Whitelist | A list of countries (by Country Code) from which you permit a user to access the Service Provider. Only this or the Blacklist should be completed; you do not need to complete both |
Country Blacklist | A list of countries (by Country Code) from which you do not permit a user to access the Service Provider. Only this or the Whitelist should be completed; you do not need to complete both |
Logo | Shows a thumbnail of an image you have uploaded against the Service Provider |
Group | If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users. |
Permitted authentication types | Multiple checkboxes; check each authentication type a user can use to view and access this Service Provider. |
HTTP Post
An HTTP Post Service Provider integrates with the Authentication Portal by having the Authentication Portal build and submit a login form (using the user's cached password) to the Service Provider's login URL.
Parameter | Description |
---|---|
Name | Friendly name for the Service Provider |
Type | HTTP POST. HTTP POST has been added to support legacy applications where a username and password are required to log in |
SSO URL | The URL to which the login form is to be submitted |
Country Whitelist | A list of countries (by Country Code) from which you permit a user to access the Service Provider. Only this or the Blacklist should be completed; you do not need to complete both |
Country Blacklist | A list of countries (by Country Code) from which you do not permit a user to access the Service Provider. Only this or the Whitelist should be completed; you do not need to complete both |
Logo | Shows a thumbnail of an image you have uploaded against the Service Provider |
Group | If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users. |
Permitted authentication types | Multiple checkboxes; check each authentication type a user can use to view and access this Service Provider. |
Additional Parameters
The login form may require additional parameters in addition to username and password.
These can be defined in two ways.
From version 3.14 you can select the auto-build form option. In this case the SSO URL should be the URL of the page that hosts the login form. The Authentication Portal will read the login form from that URL and recreate it with the extra parameters set; it will also read the action of the form so that the user's credentials are posted to the correct URL.
The other way is to define parameters for the service provider (on the 2nd page of the service configuration); these name and value pairs will be added to the submitted login form.
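To make the auto-build form behaviour concrete, here is an added illustration (not the product's own code) of what "read the login form, keep its fields, apply the extra parameters and honour the form's action" amounts to. It assumes the first `<form>` on the page is the login form and that a form which does not submit with POST should be rejected rather than guessed at; the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

class LoginFormParser(HTMLParser):
    """Collect the first <form>'s action and method and its named inputs."""
    def __init__(self):
        super().__init__()
        self.action = None      # stays None until a <form> is seen
        self.method = "get"
        self.fields = {}        # input name -> value, hidden fields included
        self._in_form = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done:
            self._in_form = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True

def auto_build_form(page_html, sso_url, extra_params):
    """Return (post_url, fields): the form's action resolved against the SSO URL,
    its existing fields kept, and the administrator's extra parameters applied."""
    p = LoginFormParser()
    p.feed(page_html)
    if p.action is None:
        raise ValueError("no login form found on the SSO URL page")
    if p.method != "post":
        raise ValueError("login form does not submit with POST")
    fields = dict(p.fields)
    fields.update(extra_params)   # configured name/value pairs override page defaults
    return urljoin(sso_url, p.action), fields

# Constructed sample of a legacy login page (not any real Service Provider's page).
SAMPLE_PAGE = """<html><body>
<form action="/auth/login" method="POST">
<input type="hidden" name="tz_offset" value="">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Sign in">
</form></body></html>"""
```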
RADIUS
If deployed with the iDENprotect RADIUS server, Service Providers that use RADIUS can be integrated.
Parameter | Description |
---|---|
Name | Friendly name for the Service Provider |
Type | RADIUS |
NAS IP/Host | The Host Name or IP address of the server that will submit the RADIUS request (NAS). |
Radius Shared Secret | The shared secret that the RADIUS NAS will use. |
SSO URL | The URL to which the user will be redirected to complete the authentication, i.e. the login page of the RADIUS service. |
Country Whitelist | A list of countries (by Country Code) from which you permit a user to access the Service Provider. Only this or the Blacklist should be completed; you do not need to complete both |
Country Blacklist | A list of countries (by Country Code) from which you do not permit a user to access the Service Provider. Only this or the Whitelist should be completed; you do not need to complete both |
Logo | Shows a thumbnail of an image you have uploaded against the Service Provider |
Group | If an LDAP Group is assigned, only members of this group will be able to view and access this Service Provider. Leave blank to enable all users. |
Permitted authentication types | Multiple checkboxes; check each authentication type a user can use to view and access this Service Provider. |
Additional Parameters
Services may require additional parameters to be specified.
When the Authentication Portal issues a SAML response it will add any attributes defined for that service provider to the SAML response it issues.
When the Authentication Portal builds and submits a login form for RADIUS or HTTP Post it will add any attributes defined for that service provider to the form it posts.
These parameters are set on the IDP Service Provider Attributes screen.
These parameters can be set to LDAP attributes that are read in the sync job, to literal values, or to a combination of both. Literal values are enclosed in double quotes.
For example, if a user had a cn of test and an Attribute was defined as cn"@domain", the value test@domain would be returned to the service provider for that user.
SAML
When the Authentication Portal issues a SAML response it will add any attributes defined for that service provider to the SAML response it issues. For example if the SAML response requires the user's mail address to be returned in an attribute called UserEmail then you would create an entry with an Attribute Name of UserEmail and the LDAP Friendly Name that maps to the user's email address.
HTTP Post / RADIUS
When the Authentication Portal posts a login form to the Service Provider, it adds any attributes that have been defined for that Service Provider. If an attribute called username is defined, then this will be used as the username for the login form, for example if the login form required a user's common name rather than their email address to authenticate.
For example, when integrating with the Pulse VPN the form needs to include the realm to which the user is authenticating and a timezone offset, so two attributes need to be specified:
- realm maps to "radius" (or whatever the realm is called that the user is attempting to access)
- tz_offset maps to "0"
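The attribute definitions above (the cn"@domain" example, the Pulse realm and tz_offset literals, and the username override) can be exercised with the following added example, which is not the product's own resolver. The grammar is inferred from the page's single example (LDAP attribute names and double-quoted literals concatenated in order) and is an assumption, as is the choice of the user's mail address as the default form username; the sample user is constructed.

```python
import re

# Assumed grammar, inferred from the page's example cn"@domain": a definition is a
# sequence of LDAP attribute names and double-quoted literals, concatenated in order.
_TOKEN = re.compile(r'"([^"]*)"|([A-Za-z][A-Za-z0-9_-]*)')

def resolve_attribute(definition, user):
    """Expand a definition such as cn"@domain" against a user's LDAP attributes."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(definition):
        if m.start() != pos:   # stray characters outside a literal or a name
            raise ValueError(f"malformed attribute definition: {definition!r}")
        pos = m.end()
        literal, attr = m.group(1), m.group(2)
        if literal is not None:
            parts.append(literal)
        elif attr in user:
            parts.append(str(user[attr]))
        else:
            raise KeyError(f"user has no LDAP attribute {attr!r}")
    if pos != len(definition):
        raise ValueError(f"malformed attribute definition: {definition!r}")
    return "".join(parts)

def resolve_all(sp_attributes, user):
    """Resolve every configured attribute for one user: the values that would go
    into the SAML response, or into the posted login form for HTTP Post / RADIUS."""
    return {name: resolve_attribute(d, user) for name, d in sp_attributes.items()}

def form_username(sp_attributes, user):
    """Username for the login form: a configured 'username' attribute wins; the
    fallback to the user's mail address is an assumption, not stated on the page."""
    return resolve_all(sp_attributes, user).get("username", user["mail"])

# Constructed sample user and the Pulse VPN attributes described above.
SAMPLE_USER = {"cn": "test", "mail": "test@example.com"}
PULSE_ATTRIBUTES = {"realm": '"radius"', "tz_offset": '"0"'}
```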
Example Service Providers
The examples below have been taken from real working examples (with our specific host removed). This information should give you a good base for configuring your own Service Providers.
BlackBerry Workspaces
Please note that the BlackBerry configuration is completed by BlackBerry themselves. In order to facilitate this, you will need to provide BlackBerry with the Metadata for your Authentication Portal, which you can find by visiting https://{Host}:{Port}/metadata
Example idenprotect Core Platform Configuration
Parameter | Value |
---|---|
Name | BlackBerry Workspaces |
Entity ID | https://{yourDomain}.eu.ws.blackberry.com/saml-idp/saml/metadata |
ACS | https://www.eu.ws.blackberry.com/saml-idp/saml/SSO/alias/defaultAlias |
SSO URL | https://{yourDomain}.eu.ws.blackberry.com/ |
Pulse Secure
Please note that you will also need to upload a valid certificate to the Service Provider.
Example idenprotect Core Platform Configuration
Parameter | Value |
---|---|
Name | Pulse Secure |
Entity ID | https://pulse.{yourDomain}.net/dana-na/auth/saml-endpoint.cgi?p=sp1 |
ACS | https://pulse.{yourDomain}.net/dana-na/auth/saml-consumer.cgi |
SSO URL | https://pulse.{yourDomain}.net/saml |
Example Pulse Secure Configuration
To find the specific settings you need for Pulse, you must first create an Authentication Server via the Pulse Admin console and use the details from the idenprotect Authentication Portal Metadata. We have created a step-by-step guide for how to Integrate Pulse Secure.
Parameter | Value |
---|---|
Server Name | iden |
SAML Version | 2.0 |
Connect Secure Entity Id | https://pulse.{yourDomain}.net/dana-na/auth/saml-endpoint.cgi?p=sp1 |
Configuration Mode | Manual |
Authentication Portal Entity Id | https://{Host}/idp |
Authentication Portal Single Sign On Service URL | https://{Host}/idp/SingleSignOnService |
Authentication Portal Single Logout Url Service URL | https://{Host}/idp/SingleLogoutService |
Allowed Clock Skew | 300 |
SSO Method | Post |
Salesforce
Please note the following additional requirements for Salesforce configuration:
- The User in Salesforce will need to have a Federation ID assigned.
- You will need to have set up your custom domain and set your Authentication Service to the Single Sign On profile.
- You will need to upload a valid certificate.
Example idenprotect Core Platform Configuration
Parameter | Value |
---|---|
Name | Salesforce |
Entity ID | https://{yourDomain}.my.salesforce.com |
ACS | https://{yourDomain}.my.salesforce.com?so={so_ID} |
SSO URL | https://{yourDomain}.my.salesforce.com?so={so_ID} |
Note that the so_ID will come from your SAML Single Sign-On Settings in the Endpoints section.
Example Salesforce Configuration
Parameter | Value |
---|---|
Name | iden |
API Name | iden |
Entity ID | https://{yourDomain}.my.salesforce.com |
Request Signature Method | RSA-SHA256 |
Assertion Decryption Certificate | Assertion not encrypted |
SAML Identity Type | Assertion contains the Federation ID from the User object |
SAML Identity Location | Identity is in the NameIdentifier element of the Subject statement |
Service Provider Initiated Request Binding | HTTP POST |
Authentication Portal Login URL | https://{Host}/idp/SingleSignOnService |
Custom Logout URL | https://{Host}/idp/SingleSignOnService |