Connected Data. Connected Data requirements for SSO

Configuring Connected Data

The following is an overview of the steps required to configure the Connected Data Web application for single sign-on (SSO) via SAML. Connected Data offers both IdP-initiated SAML SSO (for SSO access through the user portal or Centrify mobile applications) and SP-initiated SAML SSO (for SSO access directly through the Connected Data web application). You can configure Connected Data for either or both types of SSO. Enabling both methods ensures that users can log in to Connected Data in different situations such as clicking through a notification email.

1. Prepare Connected Data for single sign-on (see "Preparing for Configuration" on page 40-1).

2. In the Centrify Cloud Manager, add the application and configure application settings.

   Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see "Configuring Connected Data in Cloud Manager" on page 40-2.

After you have finished configuring the application settings in the Cloud Manager, users are ready to launch the application from the Centrify user portal.

Preparing for Configuration

Connected Data requirements for SSO

Before you configure the Connected Data web application for SSO, you need the following:

• An active Connected Data account with administrator rights for your organization.

• A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate.

Setting up the certificates for SSO

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You also upload the public key certificate in a .cer or .pem file to the web application.

To download an application certificate from Cloud Manager (overview):

1. In the Apps page, add the application.

2. Click the application to open the application details.

3. In the Application Settings tab, click Download Signing Certificate to download and save the certificate.

What you need to know about Connected Data

Each SAML application is different. The following table lists features and functionality specific to Connected Data.

| Capability | Supported? | Support details |
|---|---|---|
| Web browser client | Yes | |
| Mobile client | No | |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | |
| IdP-initiated SSO | Yes | |
| Force user login via SSO only | No | Administrators and users can still log in with a user name and password after SSO is enabled. |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator lockout risk | No | User name and password login is always available. |
| Automatic user provisioning | No | |
| Self-service password | Yes | Users can reset their own passwords. Resetting another user's password requires administrator rights. |
| Access restriction using a corporate IP range | | |

Configuring Connected Data in Cloud Manager

To add and configure the Connected Data application in Cloud Manager:

1. In Cloud Manager, click Apps.

2. Click Add Web Apps.

   The Add Web Apps screen appears.

3. On the Search tab, enter the partial or full application name in the Search field and click the search icon.

4. Next to the application, click Add.

5. In the Add Web App screen, click Yes to confirm.

   Cloud Manager adds the application.

6. Click Close to exit the Application Catalog.

   The application that you just added opens to the Application Settings page.

7. Configure the following:

| Field | Required or optional | Set it to | What you do |
|---|---|---|---|
| SAML Consumer URL | Required | https://YOUR-CONNECTED-DATA-ACS-URL | Copy the value from Organization Preferences > Manage IdP Integration > SAML Consumer URL on the Connected Data website and paste it here. This is set to the Fully Qualified Domain Name (FQDN) for your instance of the Connected Data server. |
| Issuer URL | Required | The cloud service automatically generates the content for this field. | Copy this value and then paste it into Organization Preferences > Manage IdP Integration > Issuer URL on the Connected Data website. |
| SAML 2.0 Endpoint (HTTP) | Required | The cloud service automatically generates the content for this field. | Copy this value and then paste it into Organization Preferences > Manage IdP Integration > SAML 2.0 Endpoint (HTTP) on the Connected Data website. |
| SLO Endpoint (HTTP) | Required | The cloud service automatically generates the content for this field. | Copy this value and then paste it into Organization Preferences > Manage IdP Integration > SLO Endpoint (HTTP) on the Connected Data website. |
| Download Signing Certificate | Required | The cloud service automatically generates the content. | Download the signing certificate and then upload the certificate to Organization Preferences > Manage IdP Integration > X.509 Certificate on the Connected Data website. To use a certificate with a private key (pfx file) from your local storage, see Step 8 below. |

8. On the Application Settings page, expand the Additional Options section and specify the following settings:

   Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:

      • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

      • There can only be one SAML application deployed with the name used by the mobile application.

   The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

   Show in User app list: Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

   Security Certificate: These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.

      • Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option—it's present to display current status.

      • Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.

9. (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

   The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

10. On the User Access page, select the role(s) that represent the users and groups that have access to the application.

    When assigning an application to a role, select either Automatic Install or Optional Install:

    • Select Automatic Install for applications that you want to appear automatically for users.

    • If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

11. (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

    • Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

    • Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

    You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

12. On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:

    • Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.

    • Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

    • Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

          LoginUser.Username = LoginUser.Get('mail')+'.ad';

      The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the user's mail attribute value is [email protected] then the cloud service uses
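To show how a mapping script of this kind behaves on the cases the one-liner above does not cover, here is an added example that is not part of the Centrify documentation. It wraps the page's rule in a function, falls back to userPrincipalName when the mail attribute is absent, normalizes the value, and refuses to produce a user name when neither attribute exists (so a missing attribute never becomes the string "null.ad"); the LoginUser stub that stands in for the cloud service's object is an assumption made so the code runs offline.

```javascript
// Added example, not Centrify's code. Only LoginUser.Get() and
// LoginUser.Username are taken from the documentation; the stub below is a
// constructed stand-in for the object the cloud service provides to scripts.
function makeLoginUser(attrs) {
  return {
    Username: null,
    // Get returns the directory attribute value, or null when it is not set.
    Get: function (name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    },
  };
}

// Mapping rule: prefer the mail attribute, fall back to userPrincipalName
// (both attributes are named on the page), trim and lower-case the value so
// that case differences in the directory do not create two SP accounts for
// one person, then append the '.ad' suffix from the page's example.
// Returns null (and leaves LoginUser.Username untouched) when neither
// attribute is populated, so the SP never receives a bogus user name.
function mapUsername(loginUser) {
  var source = loginUser.Get('mail') || loginUser.Get('userPrincipalName');
  if (!source) {
    return null;
  }
  var mapped = String(source).trim().toLowerCase() + '.ad';
  loginUser.Username = mapped;
  return mapped;
}

// Constructed sample users for a quick run.
var withMail = makeLoginUser({ mail: ' Jane.Doe@example.com ' });
var upnOnly = makeLoginUser({ userPrincipalName: 'jdoe@example.com' });
var noAttrs = makeLoginUser({});

console.log(mapUsername(withMail)); // jane.doe@example.com.ad
console.log(mapUsername(upnOnly));  // jdoe@example.com.ad
console.log(mapUsername(noAttrs));  // null
```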

13. (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.

    Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

14. Click Workflow to set up a request and approval work flow for this application.

    The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

15. Click Save.

After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

Configuring Connected Data on its web site

To configure the Connected Data application on its web site:

1. In your web browser, go to the Connected Data URL and sign in with your administrator credentials.

2. Navigate to Organization Preferences and click Manage IdP Integration.

3. On the Identity Provider Integration page, configure the following settings (also see "Configuring Connected Data in Cloud Manager" on page 40-2):

| Field | What you do |
|---|---|
| SAML 2.0 Endpoint (HTTP) | Copy the contents of the SAML 2.0 Endpoint (HTTP) field in Cloud Manager > Application Settings and paste it here. |
| SLO Endpoint (HTTP) | Copy the contents of the SLO Endpoint (HTTP) field in Cloud Manager > Application Settings and paste it here. |
| Issuer URL | Copy the contents of the Issuer URL field in Cloud Manager > Application Settings and paste it here. |
| X.509 Certificate | Upload the Signing Certificate that you downloaded from Cloud Manager > Application Settings. |
| SCIM Base URL | Not applicable. |
| SAML SLO URL | Not applicable. |
| Custom Headers | Not applicable. |

4. Click Save Identity Provider Settings.

For more information about Connected Data

Contact Connected Data for more information about configuring Connected Data for SSO. Also see:

http://www.connecteddata.com/contact-support/
