Integrate Pulse Secure
If you have already completed the Pulse Secure integration steps below and want to set Pulse Secure up as a Service Provider on the idenprotect side, see the Authentication Portal Service Provider Configuration article.
Introduction
You can use idenprotect to provide secure password-free authentication to the Pulse Secure VPN. These are the steps required to complete this integration.
Prerequisites
Installations of idenprotect Core Platform and idenprotect Authentication Portal. If you do not have these yet, see the Quick Start Guide or In-Depth Guide for idenprotect Core Platform, and the Quick Start Guide or In-Depth Guide for idenprotect Authentication Portal.
A Pulse Secure VPN installation and administrative access to its admin console.
Create Authentication Server
On the Pulse Secure admin console, create a new SAML Authentication Server.
Select the Manual configuration option.
The values for the various fields can be taken from your Authentication Portal metadata, which can be read from https://<serverurl>/idp/metadata. Copy each value exactly as it appears in the metadata: the entity ID is compared as a plain string, so a changed scheme (http vs. https) or a missing trailing slash will cause assertions to be rejected.
For example, the entity ID:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_06310a70-fa6a-4fdb-830c-4257bf157e78" entityID="http://iden-eng-001.idenprotect.net/idp" validUntil="2019-10-25T09:37:28.149Z">
The Authentication Portal Single Sign-On Service URL:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iden-eng-001.idenprotect.net/idp/SingleSignOnService/"/>
You can also enable Single Logout and enter the Single Logout Service URL:
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iden-eng-001.idenprotect.net/idp/SingleLogOutService/"/>
Then take the certificate from the X509Certificate element of the metadata (the base64 text only, not including the XML tags), wrap it in BEGIN CERTIFICATE / END CERTIFICATE lines, and save it as a .cer or .pem file. (If you view the metadata in a browser you may need to right-click -> View Source to get a version with the correct format.)
Upload this file as the certificate to use to validate SAML signatures. This certificate is what allows Pulse Secure to reject assertions not signed by your Authentication Portal, so take it from the Portal's own metadata endpoint rather than from a copy of uncertain origin.
Save these changes.
Once the Authentication Server has been created on the Pulse Secure VPN, use the Download Metadata option. The resulting Service Provider metadata gives the entity ID, Assertion Consumer Service URL and Single Logout URL to be used in the idenprotect configuration.
For example:
entityID="https://pulse.idenprotect.net/dana-na/auth/saml-endpoint.cgi?p=sp7"
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pulse.idenprotect.net/dana-na/auth/saml-logout.cgi?SpId=sp7"
AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pulse.idenprotect.net/dana-na/auth/saml-consumer.cgi"
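Copying the entity ID, service URLs and certificate by hand from the two metadata documents is where this integration most often goes wrong (a stray XML tag in the .pem, a certificate pasted as a single unwrapped line, an entity ID copied from the wrong endpoint). The script below is an added example written for this article, not part of idenprotect or Pulse Secure: it parses both the Authentication Portal (IdP) metadata and the Pulse Secure (SP) metadata, returns the values each side's form needs, and turns the X509Certificate element into a properly wrapped PEM file after checking that it decodes to DER. The two metadata documents embedded in it are constructed from the fragments shown above, and the certificate body is placeholder bytes, not a real certificate.

```python
"""Extract SAML configuration values from IdP and SP metadata.

Added example for the Pulse Secure / idenprotect article. The metadata
strings below are constructed from the fragments in the article; the
certificate body is a placeholder, not a real X.509 certificate.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: a DER SEQUENCE header plus filler bytes, so the
# sanity check in cert_to_pem() has something to pass. Not a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x20" + b"\x00" * 32).decode()

# Constructed IdP metadata in the shape served at https://<serverurl>/idp/metadata.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://iden-eng-001.idenprotect.net/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://iden-eng-001.idenprotect.net/idp/SingleLogOutService/"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://iden-eng-001.idenprotect.net/idp/SingleSignOnService/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata in the shape of the Pulse Secure "Download Metadata" output.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://pulse.idenprotect.net/dana-na/auth/saml-endpoint.cgi?p=sp7">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}"
        Location="https://pulse.idenprotect.net/dana-na/auth/saml-logout.cgi?SpId=sp7"/>
    <md:AssertionConsumerService Binding="{POST}" index="1"
        Location="https://pulse.idenprotect.net/dana-na/auth/saml-consumer.cgi"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _location(root, tag, binding):
    """Return the Location of the first <md:tag> element using the given binding."""
    for el in root.iter(f"{{{NS['md']}}}{tag}"):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def cert_to_pem(b64_text):
    """Turn the X509Certificate element text into PEM with 64-character lines.

    Rejects text that is not valid base64 or does not decode to a DER SEQUENCE
    (tag 0x30), which catches pasted XML tags and truncated copies.
    """
    body = "".join(b64_text.split())
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("X509Certificate does not decode to a DER SEQUENCE")
    lines = textwrap.wrap(body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Values the Pulse Secure SAML Authentication Server form needs."""
    root = ET.fromstring(xml_text)
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS) or root.find(".//md:KeyDescriptor", NS)
    cert = key.find(".//ds:X509Certificate", NS)
    return {
        "entityID": root.get("entityID"),
        "sso_url": _location(root, "SingleSignOnService", REDIRECT),
        "slo_url": _location(root, "SingleLogoutService", REDIRECT),
        "signing_cert_pem": cert_to_pem(cert.text),
    }


def parse_sp_metadata(xml_text):
    """Values the idenprotect Service Provider configuration needs."""
    root = ET.fromstring(xml_text)
    return {
        "entityID": root.get("entityID"),
        "acs_url": _location(root, "AssertionConsumerService", POST),
        "slo_url": _location(root, "SingleLogoutService", REDIRECT),
    }


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print("Pulse Secure side:", {k: v for k, v in idp.items() if k != "signing_cert_pem"})
    print(idp["signing_cert_pem"])
    print("idenprotect side:", parse_sp_metadata(SP_METADATA))
```

To use it against a live deployment, replace the constructed strings with the bodies fetched from https://<serverurl>/idp/metadata and from the Pulse Secure Download Metadata option, and write the returned signing_cert_pem to the .pem file you upload. Note that `root.find(...) or root.find(...)` falls back to any KeyDescriptor only when no signing-use descriptor is present; metadata that lists separate signing and encryption keys must use the signing one for signature validation.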
Create Authentication Realm
Once the Authentication Server has been created, create a User Realm that uses it: specify the server created in the previous section as the Authentication Server and, if necessary, add a simple role mapping.
Create Authentication Policy
A sign-in URL for idenprotect authentication can now be created that uses the previously created authentication realm.
You can keep using the default sign-in pages, as users do not actually see any Pulse Secure sign-in pages in this configuration.
To force users to authenticate with idenprotect on this URL, set the sign-in policy to "User picks from a list of authentication realms" and make the idenprotect realm the only realm available. If any password-based realm remains selectable on that URL, a user (or an attacker with a stolen password) can bypass idenprotect simply by choosing it.