SAML Authentication Quick Start Guide


Authentication Service Delivery Made EASY™

SAML Authentication

Quick Start Guide


Copyright © 2013 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.

To contact SafeNet Authentication Service support directly:

Europe / EMEA
Freephone: 0800 694 1000 (UK)
Telephone: +44 (0)1276 608 000 (Int’l)
E-mail: [email protected]

North America
Toll Free: 800-307-7042
Telephone: +1 613 599 2441
E-mail: [email protected]

Technical Support Customer Portal: https://serviceportal.safenet-inc.com


Publication History

Date | Description | Revision
2013.11.04 | Changes for Salesforce’s new SAML configuration interface, and minor corrections | 1.5
2013.02.26 | Correction to “Add Google Apps as a SAML Service Provider” process. | 1.4
2012.06.30 | Updates for SafeNet Branding | 1.3
2012.04.02 | Minor changes to Salesforce screenshots | 1.2
2012.01.16 | Add “My Domain” step to Salesforce configuration | 1.1


Contents

Applicability
Introduction
  Purpose of this Guide
  Audience
  Customer Feedback
SafeNet Authentication Service and SAML
Traditional RADIUS Scenario without SAML
Introduction to SAML
How SAML Works With SAS
  Web Application SSO
  Managing Cloud Identities
  Normalizing User Credentials using SafeNet Authentication Service
  Using SafeNet Authentication Service with Cloud SSO Service Providers
  Automatic Cloud App Authorization
Configuring SAML Authentication in SAS
  Configuring SAML Service Providers in SAS
  Configuring SAML Services in SAS
  Configuring SAML Provisioning Rules in SAS
Sample SAML Configurations
  Configuring SAML Authentication in Salesforce
    Part 1: Configuring Salesforce for Single Sign-On
    Part 2: Adding Salesforce as a SAML Service Provider
  Configuring SAML Authentication in Google Apps
    Part 1: Configuring Google Apps for Single Sign-On
    Part 2: Adding Google Apps as a SAML Service Provider
  Configuring SAML Authentication in Symplified Web SSO
    Part 1: Configuring Symplified for Single Sign-On


Applicability

The information in this document applies to:

• SafeNet Authentication Service (SAS)
  A Cloud service of SafeNet, Inc.

• SafeNet Authentication Service – Service Provider Edition (SAS-SPE)
  The software used to build an authentication service.

• SafeNet Authentication Service – Private Cloud (SAS-PC)


Introduction

Purpose of this Guide

This guide describes the application, configuration and use of SafeNet Authentication Service as a SAML Identity Provider (IdP) to relying SAML Service Providers (SP). It describes:

• How to configure a Virtual Server to be an IdP.

• How to use the SAML Provisioning Rules module introduced in SafeNet Authentication Service and LDAP to automate the configuration of individual user accounts to permit authentication for designated SPs such as Google Apps.

• How to customize logon and other pages presented to the user during SAML authentication.

• Examples of SAML configurations for:
  o Configuring SAML Authentication in Salesforce
  o Configuring SAML Authentication in Google Apps
  o Configuring SAML Authentication in Symplified Web SSO

Readers are encouraged to read this guide in the order in which information is presented, as successive chapters often rely on information and concepts presented in prior chapters.

Audience

This guide is intended for SafeNet Authentication Service administrators responsible for how managed authentication services are delivered and responsible for configuring the Service to reflect the internal business processes, service level agreements and management hierarchy.

Customer Feedback


SafeNet Authentication Service and SAML

Figure 1: SafeNet Authentication Service’s Various Authentication Options

SafeNet Authentication Service now offers SAML authentication to its Cloud Subscribers. This means that enterprises can:

• Extend strong authentication beyond the enterprise perimeter to include Cloud Apps such as Salesforce, Google Apps, etc.

• Use SafeNet Authentication Service to protect internal applications, such as SAP, that support SAML authentication.

• Use SafeNet Authentication Service with perimeter devices, such as SSL VPNs, that support SAML authentication.

• Enable authorized users to authenticate to Cloud apps in a simple, familiar and consistent manner using the same token/authentication method they use for VPN and other traditional access.

• Automate Cloud app authorization.


Traditional RADIUS Scenario without SAML

In a traditional RADIUS scenario, a user is prompted to provide authentication credentials (UserID and password) to an access point, such as a VPN. The VPN uses the RADIUS protocol to pass the credentials to the authentication service for validation. The authentication service in turn sends an accept or reject message via RADIUS back to the VPN.

Figure 2: RADIUS Authentication User Experience

The standardized RADIUS protocol allows an organization to choose any vendor’s RADIUS client, such as a VPN, and be assured that it can use any other vendor’s RADIUS server, such as SafeNet Authentication Service. However, RADIUS has rarely been adopted outside of network perimeter devices. Much like the days before the adoption of RADIUS, applications have each tended to have their own authentication mechanism. As a result, users tended to have many passwords and had to log in to individual applications.


Introduction to SAML

SAML (Security Assertion Markup Language) is an XML (Extensible Markup Language) standard for exchanging authentication and authorization data between two security domains:

A. an identity provider (IdP) such as SafeNet Authentication Service
B. a service provider (SP), typically a web application such as Google Apps

SAML allows a user to log on once for affiliated but separate web sites or web applications. SAML has three components:

1 Assertions are of three different statement types: authentication, attribute, and authorization decision.

  • Authentication assertion validates the user's identity.
  • Attribute assertion contains specific information about the user.
  • Authorization decision assertion identifies what the user is authorized to do.

2 Protocol defines how SAML asks for and receives assertions.

3 Binding defines how SAML message exchanges are mapped to Simple Object Access Protocol (SOAP) exchanges. SAML works with multiple protocols including Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), and also supports SOAP, BizTalk, and Electronic Business XML (ebXML).


How SAML Works With SAS

The SAML Service Provider, such as Google Apps, Salesforce, or SSL VPN, “relies” on SafeNet Authentication Service as the SAML identity provider (IdP) to present the logon page and to authenticate users. The SAML “assertion” generated by the IdP in response to a successful authentication is used by the Service Provider to grant the user access to the application.

When a user attempts to log on to an application that supports SAML, they are redirected to SafeNet Authentication Service where they must authenticate. If the authentication is successful, the user is redirected to their Cloud app where access is granted.

Figure 3: SAML Authentication General User Experience - illustrates SAML’s net effect on the user logon experience

Web Application SSO

When separate web sites or applications are affiliated, the successful SAML authentication results in user access to the affiliate without requiring an additional user logon. This is essentially web SSO. Figure 3: SAML Authentication General User Experience illustrates a possible affiliation between Google Apps

Managing Cloud Identities

It is not uncommon for individual Cloud applications to impose specific requirements for UserID. For example, a user may require a gmail account (e.g. [email protected]) to log on to Google Apps, whereas Salesforce may require a domain specific email address (e.g. [email protected]). If there is no affiliation between the web apps, the user would be required to log on separately to each application using different credentials. These may be in addition to the UserID required for logon through the corporate VPN (e.g. blaham).

This can become confusing and unmanageable for users and administrators. Fortunately there are a couple of solutions:

1. Normalizing User Credentials using SafeNet Authentication Service
2. Using SafeNet Authentication Service with Cloud SSO Service Providers

Normalizing User Credentials using SafeNet Authentication Service

Use SAS to normalize the user’s logon credentials across corporate and Cloud applications and services. One of the capabilities of SafeNet Authentication Service is to authenticate a user with a single credential set – the UserID and One-Time Password, but provide a different, specific credential required by the Cloud app service. On successful authentication, SAS replaces the UserID provided during authentication with the UserID required by the Cloud application in the SAML assertion. This is illustrated in Figure 4: Normalizing User Credentials using SafeNet Authentication Service. For the user, this delivers a consistent logon methodology (such as UserID: Bill, Password: OTP), and insulates the user from any other credential management requirements.

Using SafeNet Authentication Service with Cloud SSO Service Providers

Cloud SSO Service Providers, such as Symplified (www.symplified.com), provide a front end for managing multiple Cloud Service Providers and applications. Typically, these front ends support SAML authentication and can therefore use SafeNet Authentication Service as the IdP.

The Cloud SSO can be configured as a SAML SP, relying on SafeNet Authentication Service to authenticate the user. Once authenticated, the user has access to Cloud applications and services configured for their personal Cloud SSO account.

Figure 5: SafeNet Authentication Service and Cloud SSO

Automatic Cloud App Authorization

One of the challenges facing administrators of large user populations is efficient and timely activation of SAML authentication. As the number of users and Cloud apps grows, so does the challenge of timely activation and deactivation.


Configuring SAML Authentication in SAS

Configuring SAS for SAML authentication requires the following steps:

• Configuring SAML Service Providers in SAS

  Configure the virtual server to process authentication requests received from specific SAML Service Providers. Click Apply to save the new Service Provider.

• Configuring SAML Services in SAS

  Manually enable SAML authentication for your users to one or more of the SAML Service Providers that were configured on the virtual server. Click Add to save the new SAML service.

• Configuring SAML Provisioning Rules in SAS

  Automatically enable SAML authentication for users in specific containers or groups to one or more of the SAML Service Providers configured on the virtual server. SAML Provisioning Rules can be used instead of, or in addition to, configured SAML services.

Configuring SAML Service Providers in SAS


Note: After a Service Provider has been configured in SAS, information is displayed in the SAML 2.0 Settings area fields. You will need these values when you configure the Service Provider to use SAS as a SAML identity provider.

In the Add SAML 2.0 Settings area:

Entity ID

This is the “Entity ID” of the SAML Service Provider, typically (but not always) in the form of a URL. This value will be provided by the Service Provider, or it can be extracted from the metadata (XML file) provided by the Service Provider.

For example:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://mycompany.salesforce.com">

Friendly Name

This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment | SAML Services and Policies | Automation Policies | SAML Provisioning Rules.

SAML 2.0 Metadata

o Upload Existing Metadata File

o Create New Metadata File

Some SAML Service Providers do not provide a metadata file but instead provide only their Entity ID and Location (essentially the resource being accessed). This option instructs the virtual server to create and add a metadata file based on this information.

The remaining options are used to customize the appearance of the logon page presented to the user.

Custom Logo

This is a customized logo that will appear on the logon form presented to your users during authentication.

Custom CSS

This is a customized CSS (Cascading Style Sheet) for the logon form presented to your users during authentication. If no file is chosen, the following default CSS is used:

border-collapse: separate; background-color: white; padding: 0px; }
.tdTopSpaceAboveBanner { height: 50px; text-align: center; }
.tdBanner { height: 100px; text-align: center; }
.tdSpaceBelowBanner { height: 50px; text-align: center; }
.tdLoginHeader { height: 50px; text-align: center; font-size: 28px; color: white; background-color: #4682B4; padding-left: 0px; padding-right: 0px; }
.tdLoginMessage {

.textUserName { width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px; }
.tdPasswordLabel { text-align: right; font-size: 15px; color: #4682B4; padding-left: 70px; }
.textPassword { width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px; }
.tdUserName { padding-left: 60px; }
.tdPassword { padding-left: 60px; }
.td20PxSpace { height: 20px; }
.td40PxSpace { height: 40px; }
.tdUserErrorMessage { height: 40px; color: red; text-align: center; font-size: 14px; }

text-align: center; height: 30px; }
.buttonSubmit { background-color: white; background-repeat: no-repeat; border-width: 0px; width: 120px; height: 28px; text-align: center; font-size: 14px; color: white; }
.tdSpaceBelowLoginWindow { height: 80px; }
.relayingParty { text-align: center; font-size: 10px; color: darkblue; height: 20px; }
.sessionTimeout { text-align: center; font-size: 12px; color: blue; }
.sessionWarning { text-align: center; font-size: 14px; color: crimson; }
.copyRight { text-align: center; font-size: 8px; color: darkblue; height: 20px; }
.td404Error { height: 40px; color: red; text-align: left; font-size: 28px; }
.tdError { height: 40px; color: red; text-align: left; font-size: 28px; }

{ height: 40px; color: brown; text-align: left; font-size: 28px; }
.tdInformation { height: 40px; color: darkblue; text-align: left; font-size: 28px; }
.tdSignoutMessage { height: 40px; color: red; text-align: left; font-size: 18px; }
.tdErrorMessage { height: 40px; color: red; text-align: left; font-size: 14px; }

Custom Button Image

This defines the image to be used for the logon button.

Custom Page Title

This is the page title to be displayed on the browser tab.

Custom Icon

This is the icon to be displayed on the browser tab.

Custom Login Header Text

This is the text to be displayed in the header of the logon form.

Custom Login Button Text

This is the text to be displayed on the logon button.

Login Message

This is the text, usually containing instructions, to be displayed between the Logon Header Text and the Username field.

Custom Username Field

This is the text to be displayed for the user name field.

Custom Password Text


Configuring SAML Services in SAS

Manually enable a user to authenticate against one or more configured SAML Service Providers.

From the Assignment tab of your virtual server, select SAML Services, and click Add to add a new SAML service.

Service

This lists all of the SAML Service Providers that were already configured in SAS.

SAML Login ID

This is the UserID that will be returned to the Service Provider in the SAML assertion on successful authentication.

For example, if your Service Provider requires a UserID of [email protected], which is identical to the user’s email address, choose the E-mail option. Doing so allows the user to consistently use their UserID to authenticate regardless of the Service Providers’ requirements. In most cases, a Service Provider will require either the UserID or the E-mail. For all other cases, choose the Custom option and enter the field containing the UserID to be returned.

Note: You can automate the creation and removal of SAML Services for users by creating a SAML provisioning rule. See Configuring SAML Provisioning Rules in SAS.

Click Add to save the new SAML service.

Configuring SAML Provisioning Rules in SAS

You can automate the granting and revocation of permissions for user authentication to SAML Service Providers.

Rule Name

This is a friendly name that describes the rule.

User is in container

Only users in the selected container are affected by this rule.

Groups Filter: Search for Virtual Server groups

Optionally enter text in the Groups Filter box to narrow the search.

Groups: Virtual Server groups

Users in these groups are not affected by this rule.

Groups: Used by rule

Only users in one or more of these groups are affected by this rule.

Parties: Relying Parties

Lists the Service Providers that are not affected by this rule.

Parties: Rule Parties

Lists the Service Providers which this rule enables the users to authenticate to.

SAML Login ID


Sample SAML Configurations

The following examples illustrate how to configure various SAML Service Providers to use SafeNet Authentication Service as a SAML IdP.

Note: The data used in these examples is for illustration purposes only!

Be sure to use the actual data displayed in your SafeNet Authentication Service and SAML Service Provider.

Configuring SAML Authentication in Salesforce

To use SAML with Salesforce you must configure “My Domain” in Salesforce. Refer to Salesforce Administration Setup | Company Profile | My Domain.

Part 1: Configuring Salesforce for Single Sign-On

We recommend opening the virtual server to COMMS | SAML Service Providers | SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration.

Figure 6: SAML configuration information displayed in SafeNet Authentication Service

2 Enable SAML.

Figure 7: SAML configuration information displayed in Salesforce

3 Entity Id

This is a unique ID created by Salesforce for your organization. This information, usually in the form of a URL, must be entered into the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Entity ID field in SafeNet Authentication Service. See Part 2: Adding Salesforce as a SAML Service Provider, step 8.

4 Identity Provider Certificate

Obtain this certificate from the link displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Download URL for Identity Provider Certificate.

5 Identity Provider Login URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider AuthRequest login URL.

6 Identity Provider Logout URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider logout URL.

7 Select Download Metadata

Download the metadata file from Salesforce and save to a convenient location. You will need to upload this file to SafeNet Authentication Service. See Part 2: Adding Salesforce as a SAML Service


Part 2: Adding Salesforce as a SAML Service Provider

From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider.

Figure 8: Configuring Salesforce as a SAML Service Provider

8 Entity ID

Copy the Entity Id value displayed in Salesforce. See Part 1: Configuring Salesforce for Single Sign-On, step 3.

9 Friendly Name

This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment | SAML Services and Policies | Automation Policies | SAML Provisioning Rules.

10 SAML 2.0 Metadata

Select Upload Existing Metadata File, and upload the Salesforce metadata file to SafeNet Authentication Service. See Part 1: Configuring Salesforce for Single Sign-On, step 7.

11 Customize


Configuring SAML Authentication in Google Apps

Part 1: Configuring Google Apps for Single Sign-On

We recommend opening the virtual server to COMMS | SAML Service Providers | SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration.

Figure 9: SAML configuration information displayed in SafeNet Authentication Service

Log in to Google Apps | Advanced tools | Authentication | Set up single sign-on (SSO).


2 Sign-in page URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider HTTP-Redirect login URL.

3 Sign-out page URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider logout URL.

4 Change password URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider HTTP-POST login URL.

5 Verification certificate

Upload the certificate from the link displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Download URL for Identity Provider Certificate.

6 Use a domain specific issuer

Ensure that this value is checked.

A value is generated by Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. This information must be entered into the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Entity ID field in SafeNet Authentication Service. See Part 2: Adding Google Apps as a SAML Service Provider, step 7.
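The Sign-in page URL in step 2 is the Identity Provider HTTP-Redirect login URL, so the Service Provider's authentication request reaches SAS as a SAMLRequest query parameter whose Issuer should equal the Entity ID from step 6. The following Python is an added example, not SafeNet code: it decodes such a URL (base64, then raw DEFLATE, as the SAML HTTP-Redirect binding defines) and reports any difference from the Entity ID and Location registered in SAS. The idp.example.test URL, the mycompany.example domain and the sample request are constructed placeholders.

```python
# Added example (not SafeNet code): inspect the AuthnRequest carried in an
# HTTP-Redirect logon URL and compare it with what is registered in SAS.
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample request, using the guide's google.com/a/<mycompany> form.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2013-11-04T00:00:00Z" '
    'AssertionConsumerServiceURL="https://www.google.com/a/mycompany.example/acs">'
    "<saml:Issuer>google.com/a/mycompany.example</saml:Issuer>"
    "</samlp:AuthnRequest>" % (SAMLP_NS, SAML_NS)
)


def build_redirect_url(idp_login_url, request_xml, relay_state):
    """SP side: raw DEFLATE, then base64, then URL-encode (HTTP-Redirect)."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    deflated = deflater.compress(request_xml.encode("utf-8")) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return idp_login_url + "?" + query


def decode_redirect_url(url, max_xml_bytes=64 * 1024):
    """Recover Issuer and ACS URL from a captured logon redirect."""
    query = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    deflated = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, max_xml_bytes)  # bounded output
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest larger than %d bytes" % max_xml_bytes)
    # An AuthnRequest never needs a DTD; refuse one before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in AuthnRequest")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    return {
        "issuer": (root.findtext("{%s}Issuer" % SAML_NS) or "").strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "request_id": root.get("ID"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def compare_with_sas(decoded, entity_id, location):
    """List differences from the Entity ID and Location entered in SAS."""
    problems = []
    if decoded["issuer"] != entity_id:
        problems.append("Issuer %r != Entity ID %r" % (decoded["issuer"], entity_id))
    # The ACS URL is optional in a request; only compare when it is present.
    if decoded["acs_url"] is not None and decoded["acs_url"] != location:
        problems.append("ACS URL %r != Location %r" % (decoded["acs_url"], location))
    return problems


if __name__ == "__main__":
    # idp.example.test stands in for the HTTP-Redirect login URL shown under
    # COMMS | SAML Service Providers | SAML 2.0 Settings.
    url = build_redirect_url("https://idp.example.test/login", SAMPLE_REQUEST, "abc")
    info = decode_redirect_url(url)
    print(info)
    print(compare_with_sas(info, "google.com/a/mycompany.example",
                           "https://www.google.com/a/mycompany.example/acs"))
```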

Part 2: Adding Google Apps as a SAML Service Provider

From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider.


7 Entity ID

Copy the issuer value displayed in Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. See Part 1: Configuring Google Apps for Single Sign-On, step 6.

8 Friendly Name

This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment | SAML Services and Policies | Automation Policies | SAML Provisioning Rules.

9 SAML 2.0 Metadata

Google Apps does not generate metadata. Select Create New Metadata File, and enter the following information:

Entity ID

Copy the issuer value displayed in Google Apps, typically google.com/a/<mycompany> where <mycompany> is your domain registered in Google Apps. See Part 1: Configuring Google Apps for Single Sign-On, step 6.

Location

This is the SAML assertion consumer URL. Copy the Entity ID, preceded by https://www. and followed by /acs.

For example, https://www.google.com/a/<mycompany>/acs where <mycompany> is your domain registered in Google Apps.

10 Customize
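The two ways of supplying Service Provider metadata described in this guide (uploading an existing file, or entering an Entity ID and Location under Create New Metadata File) can be checked before anything is entered in SAS. The following Python is an added example, not SafeNet code: it derives the Google Apps Location as described in step 9, builds the minimal metadata those two values imply, and reads any SP metadata back to extract the Entity ID and assertion consumer URL. The element layout, the HTTP-POST binding and the mycompany.example domain are assumptions; the file SAS itself generates is not shown in this guide.

```python
# Added example (not SafeNet code): build and check SAML 2.0 SP metadata.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding


def google_apps_location(entity_id):
    """Location as the guide derives it: https://www. + Entity ID + /acs."""
    if "://" in entity_id:
        raise ValueError("expected the bare issuer, e.g. google.com/a/<mycompany>")
    return "https://www." + entity_id.strip("/") + "/acs"


def build_sp_metadata(entity_id, location):
    """Minimal metadata from an Entity ID and a Location (assumed layout)."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element("{%s}EntityDescriptor" % MD_NS, {"entityID": entity_id})
    sso = ET.SubElement(root, "{%s}SPSSODescriptor" % MD_NS,
                        {"protocolSupportEnumeration": SAML2_PROTOCOL})
    ET.SubElement(sso, "{%s}AssertionConsumerService" % MD_NS,
                  {"Binding": HTTP_POST, "Location": location,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def read_sp_metadata(xml_text):
    """Extract the Entity ID and ACS endpoints and list anything to review."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    # SAML metadata never needs a DTD; refuse one before parsing.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(data)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = (root.get("entityID") or "").strip()
    if not entity_id:
        raise ValueError("entityID attribute is missing or empty")

    findings, endpoints = [], []
    for acs in root.iter("{%s}AssertionConsumerService" % MD_NS):
        location = acs.get("Location", "")
        endpoints.append({"binding": acs.get("Binding", ""),
                          "location": location,
                          "default": acs.get("isDefault") in ("true", "1")})
        parts = urlsplit(location)
        if parts.scheme != "https" or not parts.netloc:
            findings.append("ACS Location is not an absolute https URL: %r" % location)
    if not endpoints:
        findings.append("no AssertionConsumerService: enter the Location by hand")
    return {"entity_id": entity_id, "acs": endpoints, "findings": findings}


if __name__ == "__main__":
    # Constructed value in the guide's google.com/a/<mycompany> form.
    issuer = "google.com/a/mycompany.example"
    xml_text = build_sp_metadata(issuer, google_apps_location(issuer))
    print(xml_text)
    print(read_sp_metadata(xml_text))
```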


Configuring SAML Authentication in Symplified Web SSO

Part 1: Configuring Symplified for Single Sign-On

We recommend opening the virtual server to COMMS | SAML Service Providers | SAML 2.0 Settings. Some of the values displayed in that window are needed during this configuration.

Figure 12: SAML configuration information displayed in SafeNet Authentication Service

Log in to Symplified | Identity Providers | New Identity Provider | SAML2Generic IdP Handler.

1 Click the New Identity Provider icon.

2 Name

Enter a friendly name for SAS as the Identity Provider: SafeNet Authentication Service.

3 SP Entity ID

A unique value is generated by Symplified. This information must be entered into the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Entity ID field in SafeNet Authentication Service. See Part 2: Adding Symplified as a SAML Service Provider, step 8.

4 SP ACS URL

A unique location value is generated by Symplified. This information must be entered into the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Entity ID field in SafeNet Authentication Service. See Part 2: Adding Symplified as a SAML Service Provider, step 10.

5 IdP Entity ID

Use the URL value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Entity ID.

6 IdP URL

Use the value displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Identity Provider HTTP-POST login URL.

7 Public Key

Upload the certificate from the link displayed in the virtual server’s COMMS | SAML Service Providers | SAML 2.0 Settings | Download URL for Identity Provider Certificate.

Part 2: Adding Symplified as a SAML Service Provider

From the COMMS tab of your virtual server, select SAML Service Providers, and click Add to configure a new SAML Service Provider.


8 Entity ID

Copy the SP Entity ID displayed in Symplified. See Part 1: Configuring Symplified for Single Sign-On, step 3.

9 Friendly Name

This is a name you assign to the SAML Service Provider for easy identification. This name will appear in the SAML Services list displayed in Assignment | SAML Services and Policies | Automation Policies | SAML Provisioning Rules.

10 SAML 2.0 Metadata

Google Apps does not generate metadata. Select Create New Metadata File, and enter the following information:

Entity ID

Copy the SP Entity ID displayed in Symplified. See Part 1: Configuring Symplified for Single Sign-On, step 3.

Location

Copy the SP ACS URL displayed in Symplified. See Part 1: Configuring Symplified for Single Sign-On, step 4.

11 Customize
