Integrate Pulse Secure

From idenprotect Knowledge Base

If you have already completed the Pulse Secure integration steps and want to set Pulse Secure up as a Service Provider, see the Authentication Portal Service Provider Configuration article.


You can use idenprotect to provide secure password-free authentication to the Pulse Secure VPN. These are the steps required to complete this integration.


Installations of idenprotect Core Platform and idenprotect Authentication Portal. If you do not have these yet, see the Quick Start Guide or In-Depth Guide for idenprotect Core Platform, or the Quick Start Guide or In-Depth Guide for idenprotect Authentication Portal.

Secure VPN and admin access.

Create Authentication Server

On the Pulse Secure admin console, create a new SAML Authentication Server.


Select the Manual configuration option.

The values for the various fields can be taken from your Authentication Portal metadata. The metadata can be read from https://<serverurl>/idp/metadata.

For example, the entity ID:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_06310a70-fa6a-4fdb-830c-4257bf157e78" entityID="" validUntil="2019-10-25T09:37:28.149Z">

The Authentication Portal Single Sign On Service URL:

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>

You can also enable Single Logout and enter the LogoutService URL:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location=""/>

You can then take the certificate from the metadata (not including the XML tags) and save it as a .cer or .pem file. (If you view the metadata in a browser, you may need to right-click -> view source to get a version with the correct format.)

Upload this file as the certificate used to validate SAML signatures.

Save these changes.
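
The field extraction described above, as an added example (not idenprotect or Pulse Secure code): it parses Authentication Portal metadata, returns the entity ID and the HTTP-Redirect endpoint URLs, rebuilds the certificate as PEM, and reports its SHA-256 fingerprint and whether validUntil has passed. The function name, the example.com hostnames and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def parse_idp_metadata(xml_text, now=None):
    """Return the values the manual SAML Authentication Server form asks for."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata")

    def redirect_location(tag):  # endpoint URL for the HTTP-Redirect binding
        return next((el.get("Location") for el in idp.findall("md:" + tag, NS)
                     if el.get("Binding") == REDIRECT), None)
    # Use the signing key; a KeyDescriptor without 'use' covers signing too.
    certs = [kd.find(".//ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = [c for c in certs if c is not None and c.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(certs[0].text.split())  # strip line breaks and indentation
    der = base64.b64decode(b64, validate=True)
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    valid_until = root.get("validUntil")  # 'now' must be timezone-aware
    expired = bool(valid_until) and datetime.fromisoformat(
        valid_until.replace("Z", "+00:00")) < (now or datetime.now(timezone.utc))
    return {"entity_id": root.get("entityID"), "expired": expired,
            "sso_url": redirect_location("SingleSignOnService"),
            "slo_url": redirect_location("SingleLogoutService"),
            "pem": pem, "sha256": hashlib.sha256(der).hexdigest()}

# Constructed, trimmed sample: hostnames and certificate bytes are placeholders.
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/idp"
 validUntil="2019-10-25T09:37:28.149Z"><md:IDPSSODescriptor>
 <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 %s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleLogoutService Binding="%s" Location="https://idp.example.com/idp/slo"/>
 <md:SingleSignOnService Binding="%s" Location="https://idp.example.com/idp/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % (
    "\n ".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode(), 40)),
    REDIRECT, REDIRECT)
```

Write the returned pem value to a .pem file for upload, and compare the sha256 value with the fingerprint of the Authentication Portal signing certificate obtained through a separate channel before uploading it.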

Once the Authentication Server has been created on the Pulse VPN, you can use the Download Metadata option, which gives the details of the URLs to be used in the iDENprotect configuration.

For example:

SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="" 
AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""

Create Authentication Realm

Once the Auth Server has been created, a User Realm can be created that uses this server. Simply create a user realm, specify the server created in the previous section as the Authentication Server and, if necessary, create a simple role mapping.


Create Authentication Policy

A sign-in URL for idenprotect authentication can now be created that uses the previously created authentication realm.


You can keep using the Default Sign In pages, as the users do not actually see any Pulse sign-in pages in this configuration.

To force users to use idenprotect on this URL, the configuration should be set to "User Picks from a list of Realms" and the idenprotect realm should be the only available Realm.