Integrate Pulse Secure

From iDENprotect Knowledge Base

If you have already completed the Pulse Secure integration steps and want to set Pulse Secure up as a Service Provider, see the Authentication Portal Service Provider Configuration article.

Introduction

You can use idenprotect to provide secure password-free authentication to the Pulse Secure VPN. These are the steps required to complete this integration.


Prerequisites

Installations of idenprotect Core Platform and idenprotect Authentication Portal. If you do not have these yet, see the Quick Start Guide or In-Depth Guide for idenprotect Core Platform, and the Quick Start Guide or In-Depth Guide for idenprotect Authentication Portal.

A Pulse Secure VPN and admin access to it.

Create Authentication Server

On the Pulse Secure admin console create a new SAML Authentication Server.

(Screenshot: PulseAuthServer.png)

Select the Manual configuration option.

The values for the various fields can be taken from your Authentication Portal metadata, which can be read from https://<serverurl>/idp/metadata

For example, the entity ID:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_06310a70-fa6a-4fdb-830c-4257bf157e78" entityID="http://iden-eng-001.idenprotect.net/idp" validUntil="2019-10-25T09:37:28.149Z">

The Authentication Portal Single Sign On Service URL:

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iden-eng-001.idenprotect.net/idp/SingleSignOnService/"/>

You can also enable Single Logout and enter the Logout Service URL:

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iden-eng-001.idenprotect.net/idp/SingleLogOutService/"/>

You can then take the certificate from the metadata (not including the XML tags) and save it as a .cer or .pem file. (If you view the metadata in a browser you may need to right-click -> View Source to get a version with the correct format.)


Upload this file as the Certificate used to validate SAML signatures.
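As an added example (not part of the original article or of the idenprotect product), the following Python script pulls the four values above out of the Authentication Portal metadata and writes the signing certificate as a correctly wrapped PEM, refusing a base64 body that was mangled in copy-paste and flagging a metadata document whose validUntil has already passed. The metadata is a constructed sample that reuses the URLs quoted above but carries a placeholder certificate body; the function and variable names are the example's own.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: the URLs are those quoted in the article, but the
# X509Certificate body is placeholder bytes, not a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder-der-bytes" * 8).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://iden-eng-001.idenprotect.net/idp" validUntil="2019-10-25T09:37:28.149Z">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64[:100]}
      {FAKE_CERT_B64[100:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://iden-eng-001.idenprotect.net/idp/SingleLogOutService/"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://iden-eng-001.idenprotect.net/idp/SingleSignOnService/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _utc(ts):
    # SAML timestamps end in "Z"; fromisoformat on older Pythons only understands "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_idp_settings(metadata_xml, now=None):
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def redirect_location(tag):
        # Pulse Secure is configured with the HTTP-Redirect binding, so skip any other binding.
        return next((e.get("Location") for e in idp.findall(tag, NS) if e.get("Binding") == REDIRECT), None)

    kd = root.find(".//md:KeyDescriptor[@use='signing']", NS)  # fall back to any cert if 'use' is absent
    cert_el = (kd if kd is not None else root).find(".//ds:X509Certificate", NS)
    # Browsers re-wrap the base64 text; strip all whitespace, then fail loudly on a mangled paste.
    der = base64.b64decode("".join(cert_el.text.split()), validate=True)
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
           + "\n-----END CERTIFICATE-----\n")
    # validUntil is an expiry on the metadata itself; do not copy values from a stale document.
    expired = (_utc(now) if now else datetime.now(timezone.utc)) > _utc(root.get("validUntil"))
    return {
        "entity_id": root.get("entityID"),
        "sso_url": redirect_location("md:SingleSignOnService"),
        "slo_url": redirect_location("md:SingleLogoutService"),
        "certificate_pem": pem,
        "metadata_expired": expired,
    }
```

Write the returned certificate_pem to a .pem file for the Pulse Secure upload; the other three values go straight into the Manual configuration fields.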

Save these changes.

Once the Authentication Server has been created on the Pulse VPN, you can use the Download Metadata option, which gives the URLs to be used in the iDENprotect configuration.

For example:

entityID="https://pulse.idenprotect.net/dana-na/auth/saml-endpoint.cgi?p=sp7"
SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://pulse.idenprotect.net/dana-na/auth/saml-logout.cgi?SpId=sp7" 
AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://pulse.idenprotect.net/dana-na/auth/saml-consumer.cgi"


Create Authentication Realm

Once the Authentication Server has been created, a User Realm can be created that uses it. Create a user realm, specify the server created in the previous section as the Authentication Server and, if necessary, create a simple role mapping.

(Screenshot: PulseRoleMapping.png)

Create Authentication Policy

A sign-in URL for idenprotect authentication can now be created that uses the previously created authentication realm.

(Screenshot: PulseAuthPolicy.png)

You can keep using the Default Sign In pages as the users do not actually see any Pulse sign-in pages in this configuration.

To force users to use idenprotect on this URL, the configuration should be set to "User Picks from a list of Realms" and the idenprotect realm should be the only available Realm.