SAM Context-Based Authentication Using Juniper SA Integration Guide

N/A
N/A
Protected

Academic year: 2021

Share "SAM Context-Based Authentication Using Juniper SA Integration Guide"

Copied!
36
0
0

Loading.... (view fulltext now)

Full text

(1)

SAM Context-Based

Authentication Using

Juniper SA

(2)

SAM Context-Based Authentication Using Juniper SA

2

Copyright © 2012 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet, SafeNet Authentication Manager and SafeNet Authentication Client are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.


Contacting SafeNet

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact the SafeNet technical support team help-desk which is available 24 hours a day, seven days a week:

Country/Region Telephone

USA +1-800-545-6608

International +1-410-931-7520

For further assistance submit additional questions to the SafeNet technical support team at the following web page:

http://c3.safenet-inc.com/secure.asp


Table of Contents

About This Guide ... 5

Intended Audience ... 5

Additional Information ... 5

Software Requirements ... 5

Overview ... 6

Security Assertion Markup Language... 6

Context-Based Authentication ... 6

Context-Based Authentication Flow ... 7

Pre-Configuration ... 8

Preparing the Entity Id ... 8

Preparing the Identity Provider URL and the Signing Certificate ... 9

SAM Portal Configuration for SA... 11

SA Configuration as a Service Provider ... 14

Creating an Authentication Server ... 14

Setting the User Authentication Realm ... 15

KCD Configuration ... 17

Configuring the User Account ... 17

Creating a KCD User Account in Active Directory ... 17

Defining the Delegated Authentication Services ... 19

Configuring the Exchange Server ... 22

Configuring SA ... 24

Configuring Web SSO ... 24

Configuring the Constrained Delegation Service List ... 26

Configuring SSO Policies ... 28

Running the Solution ... 32

User Authentication Scenario ... 32


About This Guide

The goal of this document is to provide guidance for setting up and managing SafeNet’s context-based authentication solution in a Juniper Networks’ Junos Pulse Secure Access Service (SA) environment based on SAML 2.0.

The information in this guide includes the following:

Solution requirement outline, and deployment scenarios for SafeNet’s context-based authentication solution

Step-by-step instructions for implementing Juniper Networks’ Junos Pulse Secure Access Service in a SAML solution

Intended Audience

The guide is intended for Information Technology professionals responsible for the organization’s network security.

Additional Information

For a detailed explanation of SafeNet Authentication Manager (SAM) 8.0 SP4 and the other infrastructure components involved in the solution, or any other SafeNet products mentioned in this guide, refer to SafeNet’s product documentation.

For additional information on Microsoft or Juniper Networks software and hardware components mentioned in this guide, refer to the relevant manufacturers’ documentation.

Software Requirements

For this scenario, the working environment must include the following software:

Juniper Networks Junos Pulse Secure Access Service Version 7.1 R5 or later

Microsoft Active Directory


Overview

Security Assertion Markup Language

Security Assertion Markup Language (SAML) 2.0 is a standard for exchanging authentication and authorization data between security domains.

SAML 2.0 is an XML-based protocol that uses security tokens (information packets) containing assertions to pass information about a principal (usually an end-user) between an identity provider (IdP) and a web service. SAML 2.0 enables web-based scenarios including single sign-on (SSO) authentication.

SAML 2.0 is supported by Juniper Networks’ Junos Pulse Secure Access Service (SA), enhancing the SSL VPN’s ability to securely integrate single sign-on authentication and authorization with external applications, such as cloud application providers.

In this SAML scenario, SA is the service provider, and SafeNet Authentication Manager (SAM) is the Identity Provider. SA implements the authentication result determined by SAM.

[Figure: solution topology. An untrusted network (e.g. the Internet) in front of the Juniper SA Gateway, the SAML 2.0 Service Provider (SP), which has a Federation Trust with SAM 8.0 SP4, the SAML 2.0 Identity Provider (IdP); OWA 2010 is the protected application behind SA.]

Context-Based Authentication

Context rules define the conditions for determining the authentication risk level. For more information, see the SAM 8.0 SP4 Administrator’s Guide.

The context-based authentication policies define which authentication information users must provide for each risk level.


Context-Based Authentication Flow

The following describes the process of SafeNet’s SMS Messaging OTP solution.

a. The user connects to SA using a web browser.

b. SA redirects the user to the SafeNet Authentication Manager (SAM) Authentication Portal.

c. The Authentication Portal displays a webpage requesting the authenticating user name.

d. The user enters her user name.

e. SAM uses its context rule policy configuration to determine the user’s authentication risk level.

f. If SAM determines that additional user credentials are required, the Authentication Portal displays a new page requesting those credentials.

g. The user enters her credentials in the authentication fields.

h. SAM verifies the user’s credentials.

i. SAM sends the SAML token to SA, which redirects the user to the SA SSO website.

j. The user selects a secure site, such as Outlook Web Access (OWA).


Pre-Configuration

To retrieve information required for this solution:

Use the SA administrator’s console for Preparing the Entity Id, on page 8.

Use the SAM Configuration Manager for Preparing the Identity Provider URL and the Signing Certificate, on page 9.

Preparing the Entity Id

Retrieve the Entity Id from SA’s SAML settings.

To prepare the Entity Id:

1. In the SA administrator’s console, go to System > Configuration > SAML > Settings.

2. In the Host FQDN for SAML field, enter the host name for SA when using SAML.

3. Click Save Changes.

4. Click Update Entity Ids.

The Confirm Update Entity Ids message is displayed.

5. Click Update Entity Ids.


7. Select the Sign-in SAML tab, and record the Entity Id value. You will need it for step 7a of SAM Portal Configuration for SA, on page 12.

Preparing the Identity Provider URL and the Signing Certificate

Use the SAM Configuration Manager to retrieve the sign-in page URL, and the signing certificate.

To prepare the sign-in page URL and the signing certificate:

1. From the Start menu, go to All Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.

The Configuration Manager window opens.


3. Select the Info for Service Provider tab.

4. Complete the Domain URL of your company’s SAM portals. The Single Sign-On URL fields are displayed.

5. Record the Sign-in page URL value. You will need it for step 5b of Creating an Authentication Server, on page 15.

6. Click Export Certificate, and save the certificate file to a known location.


SAM Portal Configuration for SA

SAM’s Token Policy Object (TPO) policies include Application Authentication Settings for Juniper SA. These settings are used by the SAM portal to communicate with SA.

Note

See the SAM 8.0 SP4 Administrator’s Guide for general portal configuration.

To configure the SAM portal:

1. Open the Token Policy Object Editor for the appropriate group. See the SAM 8.0 SP4 Administrator’s Guide for more information. The Token Policy Object Editor window opens.

2. In the left pane, go to Protected Application Settings > User Authentication. Policies are displayed in the right pane.

3. In the right pane, double-click Application Authentication Settings. The Application Authentication Settings Properties window opens.


5. Click Definitions.

The Application Authentication Settings window opens.

6. In the left pane, select Juniper SA. Policies are displayed in the right pane.

7. In the right pane, double-click the following policies, and enter the appropriate information:

a. Application Issuer: Enter the Entity Id that was prepared in step 7 of Preparing the Entity Id, on page 9.

b. SAM Issuer: Set this to any value. The default value is SAM. You will need this value for step 5a of Creating an Authentication Server, on page 15.

c. Application’s login URL: Enter the Juniper SA login URL. This is the AssertionConsumerService > Location value that was recorded in step 11 of Creating an Authentication Server, on page 15, from the SAML Server’s metadata file.


Note

This example assumes that SAM has been configured for context-based authentication, and that the portal will use context-based authentication.

i. Select Define this policy setting.

ii. For each Risk Level, open the Authentication Method drop-down menu, and select which authentication information users must provide for that level.

Note

Selecting Blocked as the authentication method for one risk level automatically sets the higher risk levels to Blocked.

iii. Click OK.
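To make the Blocked rule in the note above concrete, here is an added Python model of the per-risk-level Authentication Method table; it is an illustration written for this page, not SafeNet code. The risk level names low/medium/high and the method names are assumed placeholders (SAM’s actual level and method names are in the SAM 8.0 SP4 Administrator’s Guide); the only rule it encodes is the one the note states, that choosing Blocked for one level forces every higher level to Blocked.

```python
"""Added example (not SafeNet code): a model of the TPO per-risk-level
Authentication Method settings. Level and method names are assumed placeholders."""

RISK_LEVELS = ("low", "medium", "high")   # assumed names, ordered lowest to highest risk
BLOCKED = "Blocked"
# Assumed method names; "OTP Authentication Code" mirrors the guide's user scenario.
KNOWN_METHODS = {"Password", "OTP Authentication Code", BLOCKED}


def normalize_policy(selections):
    """Apply the editor rule: once Blocked is chosen for a level, every higher level is Blocked too.

    selections maps each risk level to the method picked in its drop-down.
    Returns a new dict; the input is not modified.
    """
    missing = [lvl for lvl in RISK_LEVELS if lvl not in selections]
    if missing:
        raise ValueError(f"no Authentication Method set for levels: {missing}")
    unknown = {m for m in selections.values() if m not in KNOWN_METHODS}
    if unknown:
        raise ValueError(f"unknown Authentication Method(s): {sorted(unknown)}")

    effective = {}
    blocked = False
    for level in RISK_LEVELS:          # walk from lowest to highest risk
        if selections[level] == BLOCKED:
            blocked = True             # sticks for every later (higher) level
        effective[level] = BLOCKED if blocked else selections[level]
    return effective


def portal_action(policy, risk_level):
    """What the Authentication Portal does after SAM rates a logon at risk_level.

    Returns ("block", None) when the level is Blocked (the user sees the
    'suspicious source' message listed under Troubleshooting) or
    ("challenge", method) naming the credentials the portal asks for.
    """
    if risk_level not in policy:
        raise ValueError(f"unknown risk level: {risk_level!r}")
    method = policy[risk_level]
    if method == BLOCKED:
        return ("block", None)
    return ("challenge", method)


if __name__ == "__main__":
    chosen = {"low": "Password", "medium": BLOCKED, "high": "OTP Authentication Code"}
    policy = normalize_policy(chosen)
    for level in RISK_LEVELS:
        print(level, "->", policy[level], portal_action(policy, level))
```

In the sample run, the administrator picked an OTP method for the high level but Blocked for medium; after normalization both medium and high are Blocked, which is the behaviour the note warns about.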


SA Configuration as a Service Provider

Configure SA so that it is recognized by SAM as a SAML service provider.

Creating an Authentication Server

To create an Authentication Server:

1. In the SA administrator’s console, go to Authentication > Auth. Servers.


4. Set the Server Name to any value. You will need this value for step 3 of Setting the User Authentication Realm, on page 16.

5. In the Settings area, do the following:

a. Enter the Identity Provider Entity Id. This is the SAM Issuer that was set in step 7b of SAM Portal Configuration for SA, on page 12. The default value is SAM.

b. Enter the Identity Provider Single Sign On Service URL. This is the Sign-in page URL that was prepared in step 5 of Preparing the Identity Provider URL and the Signing Certificate, on page 10.

6. In the SSO Method area, do the following:

Next to Upload Certificate, click Choose File, and upload the certificate that was prepared in step ‎6 of Preparing the Identity Provider URL and the Signing Certificate, on page 10.

7. In the Service Provider Metadata Settings area, do the following:

In the Metadata Validity field, enter the number of days for which the metadata will be valid.

8. Click Save Changes.

9. In the Service Provider Metadata Settings area, click Download Metadata, and download the metadata xml file.

10. Use a text editor to open the downloaded metadata file.

11. Record the metadata file’s AssertionConsumerService > Location value, which is the application’s login URL, in the format:

https://<host name>/dana-na/auth/saml-consumer.cgi

You will need this value for step 7b of SAM Portal Configuration for SA, on page 12.

Setting the User Authentication Realm

To set the user authentication realm:


2. Select the appropriate authentication realm.

In this example, the realm is Users. The realm’s properties are displayed.

3. In the General tab, in the Servers > Authentication drop-down menu, select the authentication server that was created in step 4 of Creating an Authentication Server, on page 15.


KCD Configuration

Juniper SA is often used to protect Web application resources, such as Outlook Web Access (OWA) and SharePoint, which are based on Windows authentication.

Kerberos Constrained Delegation (KCD) enables Single Sign On for the application resource, so that users are required to log on only once per session. The user logs on to SA, and then is not required to authenticate again when accessing Microsoft applications.

The following steps are used to authenticate a user to a Web application:

1. SA verifies the user’s identity using SAML authentication.

2. SA then impersonates the user and obtains a Kerberos service ticket.

3. The Web application resource uses the Kerberos ticket as proof of authentication, and the user is logged on.

Setting up KCD with SA involves the following steps:

a. Configuring the User Account, see page 17.

b. Configuring the Exchange Server, see page 22.

c. Configuring SA, see page 24.

Configuring the User Account

Creating a KCD User Account in Active Directory

KCD requires an Active Directory user account that has Protocol Transition and Delegation rights. This account has rights to request a Kerberos ticket on behalf of a user signing in to SA.

To create a new user in Active Directory:

1. From the Windows taskbar, select Start > Programs > Administrative Tools > Active Directory Users and Computers.

The Active Directory Users and Computers window opens.


3. In the drop-down menu, select New > User.

The New Object - User window opens.

4. Add the new user's information.

This account will be used to access Web application resources, such as OWA. You will need the User logon name value for the following steps:

Step 1 of Defining the Delegated Authentication Services, on page 19


Defining the Delegated Authentication Services

To configure the new account for Web application access, do the following:

a. Use the setspn command to enable the Delegation tab in the new user account’s Properties window.

b. Use the Delegation tab to enable the user to be trusted for delegation to all authentication protocols.

To define the Delegated Authentication Services for the new user:

1. Open the Command Prompt window, and enter the command:

setspn -A HTTP/<user_account> <domain>\<user_account>

where:

<user_account> is the User logon name created in step 4 of Creating a KCD User Account in Active Directory, on page 18

<domain> is your domain

In the following example, sfnt is the domain, and samservice is the user account’s User logon name:

setspn -A HTTP/samservice sfnt\samservice


3. Select the Delegation tab.

4. Select the following options:

Trust this user for delegation to specified services only

Use any authentication protocol

Note

Do not select Use Kerberos only because that option is not compatible with Protocol Transition and Constrained Delegation.

5. Click Add.

The Add Services window opens.


7. Enter the name of the protected service’s server in the domain.

Note

In this example, the OWA service is hosted on the same server as Active Directory Domain Controller, so DC is selected.

In the Add Services window, the services available on the selected server are displayed.

8. Select the appropriate service type, and click OK.

Note

In this example, Constrained Delegation must be configured for OWA. Select http to configure for OWA and for any other Web-based applications running on this server, such as SharePoint.


9. Click Apply, and then click OK.

Active Directory is now configured for this solution.

Configuring the Exchange Server

Configure the server hosting the web application.

Note

This solution can be configured for any web application hosted on any server within the domain. In this example, the selected web application is OWA, and it is hosted on the same server as the Active Directory Domain Controller.

To configure OWA and ECP:

1. Open the Microsoft Exchange console.


5. Right-click owa (Default Web Site), and select Properties. The owa (Default Web Site) Properties window opens.

6. Select the Authentication tab, and do the following:

a. Select Use one or more standard authentication methods.

b. Select Integrated Windows Authentication.

c. Click OK.

7. In the Microsoft Exchange console, select the Exchange Control Panel tab.

8. Right-click ecp (Default Web Site), and select Properties.


9. Select the Authentication tab, and do the following:

a. Select Use one or more standard authentication methods.

b. Select Integrated Windows Authentication.

c. Click OK.

10. To restart IIS so that the configurations take effect, open a terminal and enter iisreset.

Configuring SA

Configure SA with Constrained Delegation for users connecting via SA to a selected application. This involves the following steps:

a. Configuring Web SSO, see page 24.

b. Configuring the Constrained Delegation Service List, see page 26.

c. Configuring SSO Policies, see page 28.

In this example, OWA is the application to which users connect.

Configuring Web SSO

Add the Kerberos Realm to SA’s Kerberos SSO Settings.

1. In the SA administrator’s console, go to Users > Resource Policies > Web > SSO (Single Sign-on) > General.

The WebPolicySSOGeneral window opens.

2. Select the SSO tab.

3. Select Enable Kerberos SSO.

4. In the Realm Definition area, add the Kerberos realm. You will need this for step 11b of Configuring the Constrained Delegation Service List, on page 27.


Note

The Kerberos Realm is typically the DNS domain.

5. Click Add.

6. Click Save Changes.

Note

The Site Name field can be used only if your Active Directory is set up with Sites.

Configuring the Constrained Delegation Service List

Upload a text file to create a Constrained Delegation Service List.

To configure the Constrained Delegation Service List:

1. Open Notepad or a similar text application, and create a file containing the DC server name.

2. Save the file. You will need it for step 7 of this procedure.

3. In the SA administrator’s console, go to Users > Resource Policies > Web > SSO (Single Sign-on) > General.

4. Select the SSO tab.

5. In the Constrained Delegation area, click Edit.

The Constrained Delegation Service Lists window opens.


7. In the Name field, enter any value. You will need it for step 11e of this procedure.

8. Click Choose File, and browse to the text file saved in step 2 of this procedure.

9. Click OK.

The Upload Status window opens.

10. When the upload is complete, click Close.

11. In the Constrained Delegation area, do the following:

a. In the Label field, enter any value. You will need this for step 10c of Configuring SSO Policies, on page 31. In this example, we enter sfnt.

b. In the Realm drop-down menu, select the Kerberos realm defined in step 4 of Configuring Web SSO, on page 25.

c. In the Principal Account field, enter the User logon name created in step 4 of Creating a KCD User Account in Active Directory, on page 18.

Note

In the example, we enter the samservice account created in Active Directory for Constrained Delegation.


Note

Ensure that the password is entered exactly as defined in the Active Directory.

e. In the Service List drop-down menu, select the service list Name defined in step 7 of this procedure.

f. Click Add.

The realm is displayed in the Constrained Delegation area.

Configuring SSO Policies

Define the roles and resources for which Constrained Delegation will be performed.

To configure SSO policies for OWA:

1. In the SA administrator’s console, go to Users > Resource Policies > Web >

Kerberos/NTLM/Basic Auth.

2. Select New Policy.


3. In the Type drop-down menu, select Microsoft OWA 2010. The OWA 2010 window opens.


5. In the Name field, enter any value for the policy name.

6. In the Base URL field, enter the OWA site’s base URL.

7. Select Autopolicy: Web Compression.

8. In the Autopolicy: Web Compression area, do the following:

a. In the Resource column, enter the OWA site.

b. In the Action column drop-down menu, select Compress.

c. Click Add.


9. Select Autopolicy: Single Sign-on.

10. In the Autopolicy: Single Sign-on area, do the following:

a. Select Constrained Delegation.

b. In the Resource field, enter the host FQDN of the web server.

c. In the Credential drop-down menu, select the Constrained Delegation’s Label defined in step 11a of Configuring the Constrained Delegation Service List, on page 27.


Running the Solution

User Authentication Scenario

In this example, a user named John authenticates to SA in the following environment:

An OTP (One-Time-Password) for authentication is sent to John’s mobile device as an SMS each time he needs to authenticate.

John’s authentication conditions match a context-based authentication rule that requires him to enter an OTP Authentication Code.

How John authenticates to OWA:

1. John opens a web browser and browses to SA.

In this example, the SA site is https://Juniper.sfnt.com

SA automatically redirects the authentication request to the SAM Authentication Portal. The Authentication Portal’s User Identification window opens.

2. John enters his username, and clicks OK.

An OTP is sent as an SMS to John’s mobile device, and the SAM Authentication Portal’s


3. John copies the OTP from his mobile device display, together with his OTP PIN if required, to the OTP Authentication Code field, and clicks OK.

If the credentials are accepted, a message is displayed.


4. John clicks the OWA 2010 link.


Troubleshooting

Problem: The SAM Authentication Portal does not open.
Possible cause: The URL entered is not correct.
Solution: Ensure that the URL entered is correct.

Problem: The SAM Authentication Portal does not open.
Possible cause: The Identity Provider Single Sign On Service URL is not correct.
Solution: In the SA configuration, ensure that the Identity Provider Single Sign On Service URL is correct.

Problem: An error message is displayed: “Verification cert not available, Signature has no X509Cert”.
Possible cause: The Response Signing Certificate in the authentication server is incorrect or missing.
Solution: Export the signing certificate using SAM Configuration Manager, and import it again in the SA configuration’s Authentication Server page.

Problem: An error message is displayed: “Unknown issuer value in response”.
Possible cause: The Identity Provider Entity Id and the SAM Issuer do not match.
Solution: Ensure that the Identity Provider Entity Id in the SA configuration’s Authentication Server page, and the SAM Issuer in the TPO, are identical.

Problem: An error message is displayed: “Your system configuration is incorrect. Contact your administrator.”
Possible cause: The Application Issuer in the TPO is incorrect.
Solution: Enter the correct Application Issuer in the TPO setting.

Problem: After logon, an error message is displayed: “The page you requested could not be found”.
Possible cause: The Application’s login URL in the TPO is incorrect.
Solution: Enter the correct Application’s login URL in the TPO.

Problem: After logon, an error message is displayed: “Schema validation failed for response. Audience must have TextContent”.
Possible cause: The Audience URI in the TPO is not enabled or is empty.
Solution: Enable the Audience URI option in the TPO, and enter a value.

Problem: An error message is displayed: “Cloud portal authentication is not configured. Please contact your administrator.”
Possible cause: Context-based authentication was not configured correctly.

Problem: An error message is displayed: “The authentication service has determined that this logon request has originated from a suspicious source. Please contact your administrator.”
Possible cause: The conditions of this context-based authentication attempt are defined as a higher risk level, for which authentication is Blocked.
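Three of the SA errors in the troubleshooting table (unknown issuer, missing X509Cert, empty Audience) are properties of the SAML Response that SAM posts to SA, so they can be checked on a captured response before touching the SA configuration. The following Python script is an added example written for this page; it is not part of this guide and not SafeNet or Juniper code. It parses a SAML 2.0 Response with the standard library and reports those conditions in the terms the table uses. The sample response, the Identity Provider Entity Id (the guide’s default SAM), the SA Entity Id and the certificate body are constructed placeholders; the requirement that the Audience equals the service provider’s own Entity Id is the general SAML 2.0 audience-restriction rule, not a message quoted from this guide. The script does not verify the XML signature itself; that remains SA’s job.

```python
"""Added example (not part of the SafeNet guide): pre-flight checks on a SAML 2.0
Response from the IdP (SAM) to the SP (Juniper SA), covering the response-level
misconfigurations in the troubleshooting table. XML signature verification is
deliberately left to the SP; this only checks what the table describes."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed deployment values (placeholders, not from any real environment):
# the SAM Issuer set in the TPO must equal the Identity Provider Entity Id on SA
# (default "SAM" per the guide), and the Audience must name SA's own Entity Id.
IDP_ENTITY_ID = "SAM"
SP_ENTITY_ID = "urn:placeholder:juniper-sa-entity-id"

# Error texts from the troubleshooting table, plus one general SAML 2.0 rule.
MESSAGES = {
    "unknown-issuer": "Unknown issuer value in response",
    "no-x509cert": "Verification cert not available, Signature has no X509Cert",
    "empty-audience": "Schema validation failed for response. Audience must have TextContent",
    "audience-mismatch": "Audience does not name this service provider (general SAML 2.0 rule)",
}

# Constructed, well-formed sample; the certificate and signature bodies are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_placeholder-response-id" Version="2.0"
    Destination="https://sa.example.test/dana-na/auth/saml-consumer.cgi">
  <saml:Issuer>SAM</saml:Issuer>
  <ds:Signature>
    <ds:SignatureValue>placeholder-signature</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-placeholder-base64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0">
    <saml:Issuer>SAM</saml:Issuer>
    <saml:Subject><saml:NameID>john</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:placeholder:juniper-sa-entity-id</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def check_saml_response(xml_text, idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID):
    """Return the list of finding codes (keys of MESSAGES); an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Response/Issuer must equal the Identity Provider Entity Id configured on SA.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        findings.append("unknown-issuer")

    # The signature must carry the signing certificate that SA verifies against.
    cert = root.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
    if not cert:
        findings.append("no-x509cert")

    # Audience must be present, non-empty, and name the service provider.
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    if not audience:
        findings.append("empty-audience")
    elif audience != sp_entity_id:
        findings.append("audience-mismatch")

    return findings


def explain(findings):
    """Map finding codes to the error text an administrator would see on SA."""
    return [MESSAGES[code] for code in findings]


if __name__ == "__main__":
    print("valid sample:", check_saml_response(SAMPLE_RESPONSE))
    wrong_issuer = SAMPLE_RESPONSE.replace("<saml:Issuer>SAM</saml:Issuer>",
                                           "<saml:Issuer>SafeNet</saml:Issuer>", 1)
    print("wrong issuer:", explain(check_saml_response(wrong_issuer)))
```

To use it on a real deployment, decode the SAMLResponse form field captured from the browser (it is Base64, and for the POST binding not deflated) and pass the XML text to check_saml_response together with the Identity Provider Entity Id and SA Entity Id from your own configuration.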
