• No results found

McAfee Cloud Identity Manager

N/A
N/A
Protected

Academic year: 2021

Share "McAfee Cloud Identity Manager"

Copied!
34
0
0

Loading.... (view fulltext now)

Full text

(1)

SAML2 Cloud Connector Guide

(2)

COPYRIGHT

Copyright © 2013 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee

SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total

Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU

PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

License Attributions

(3)

Contents

1.0 Introduction to McAfee Cloud Identity Manager ... 5

1.1 Supported environments... 6 1.2 Supported browsers ... 6 1.2.1 Application portal... 6 1.2.2 Management Console ... 6 1.3 Available documentation... 7 1.4 Technical support ... 7

2.0 Configuring a SAML2 Cloud Connector... 9

2.1 Select the Cloud Application Type ...10

2.2 Specifying an Identity Connector ...10

2.2.1 Select an Existing Identity Connector ...11

2.2.2 Create a New Identity Connector ...13

2.3 Configure SAML Credential Mapping for a SAML2 Cloud Connector...14

2.3.1 Add a New Attribute to the SAML2 Credential Map...15

2.4 Configuring SSO for a SAML2 Cloud Connector...16

2.4.1 Configure SSO for a SAML2 Cloud Connector ...16

2.5 Configure a SAML Assertion for a SAML2 Cloud Connector ...18

2.5.1 Configure a SAML Assertion — Advanced Configuration ...19

2.6 Configure SLO for a SAML2 Cloud Connector ...21

2.6.1 Configure IdP-initiated SLO for a SAML2 Cloud Connector...23

2.6.2 Configure SP-initiated SLO for a SAML2 Cloud Connector...24

2.7 Configure an Authorization Policy for a SAML2 Cloud Connector ...25

2.7.1 Configure the default policy action ...25

2.7.2 Configure policy rules and add them to the policy...26

2.7.3 Policy conditions and their Boolean expressions ...27

2.7.4 Expression editor examples...30

(4)
(5)

1.0

Introduction to McAfee Cloud Identity Manager

McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use Cloud Identity Manager to simplify and improve the authentication process for their customers.

Cloud Identity Manager provides support for the following features: • Extensible framework

• Web single sign on (SSO) • Multiple authentication methods

• Credential mapping and user provisioning

• Authorization policies and access control enforcement • Event auditing and monitoring

• Connectors for popular cloud services and applications • Web-based Management Console

Cloud Identity Manager runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing Cloud Identity Manager as a standalone server or as a cluster of servers, see the McAfee Cloud Identity

Manager Installation Guide. For information about configuring Cloud Identity Manager in the

Management Console, see the McAfee Cloud Identity Manager Product Guide.

Cloud Identity Manager provides connectors for many popular cloud services and applications, including Google Apps and Salesforce.com. These connectors are built in to Cloud Identity Manager and simplify the deployment of the cloud service or application in an organization. Web SSO requires configuration in the Management Console and in the cloud application’s user interface. Instructions for configuring SSO on the cloud application side are included in the documentation set.

For customers who have Java-based or .NET web applications that do not support SAML2

authentication, Cloud Identity Manager provides a custom connector. For information about integrating Java-based and .NET web applications with Cloud Identity Manager, see the McAfee Cloud Identity

Manager Integration Guide.

For software developers who want to write their own cloud service connectors or authentication modules, Cloud Identity Manager provides an SDK. For more information about the SDK, see the

(6)

1.1

Supported environments

Cloud Identity Manager supports these environments.

1.2

Supported browsers

Cloud Identity Manager supports different browsers for the application portal and the Management Console.

1.2.1

Application portal

For end users who seek access to SaaS and web applications through a portal using Cloud Identity Manager identity services, Cloud Identity Manager supports the following desktop and mobile web browsers. Note that Cloud Identity Manager services are running in the background and are not visible to the end user.

• Desktop browsers — Google Chrome 16 — Mozilla Firefox 9

— Microsoft Internet Explorer 7, 8, and 9 — Safari 5.1.2

• Mobile browsers

— Android 2.0 devices and WebKit browser — iOS devices and Safari browser

1.2.2

Management Console

The Cloud Identity Manager Management Console is a web-based user interface that provides

administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following desktop and mobile web browsers.

• Desktop browsers — Firefox 9

— Internet Explorer 7, 8, and 9

• Mobile browsers — None are currently supported.

Version Architecture

IA-32 Intel® 64

Linux Operating System

Red Hat Enterprise Linux Server

and Advanced Platform 5.0 Yes Yes

Windows Operating System

Windows Server 2003 Standard Edition Yes Yes Windows Server 2003 DataCenter Edition Yes Yes Windows Server 2003 Enterprise Edition Yes Yes

(7)

1.3

Available documentation

The Cloud Identity Manager documentation set includes the following guides:

• McAfee Cloud Identity Manager Product Guide — A complete guide to the Management Console and the configuration tasks needed to administer Cloud Identity Manager

• McAfee Cloud Identity Manager Developer’s Guide — Provides information for software developers who want to write custom Java code that extends Cloud Identity Manager functionality

• McAfee Cloud Identity Manager Installation Guide — Includes the tasks and procedures that you need to install and remove Cloud Identity Manager as a standalone server on Microsoft Windows and Linux operating system platforms

• McAfee Cloud Identity Manager Integration Guide — Provides instructions on how to integrate Java-based and .NET web applications that do not support SAML2 authentication with Cloud Identity Manager

Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee Cloud Identity Manager Product

Guide.

1.4

Technical support

For technical assistance, contact McAfee support by one of the following options: Support portal: https://mysupport.mcafee.com

(8)
(9)

2.0

Configuring a SAML2 Cloud Connector

Cloud Identity Manager provides built-in or plug-in Cloud Connectors for many SAML2 applications. For SAML2 applications that are not supported, Cloud Identity Manager provides a generic SAML2 Cloud Connector. Using the generic connector, you can configure Identity Provider (IdP)-initiated single sign-on (SSO), Service Provider (SP)-initiated SSO, or both.

A Cloud Connector is the configuration that allows Cloud Identity Manager to connect to and provide services for a cloud application. When a SAML2 Cloud Connector is configured, Cloud Identity Manager can provide identity and SSO services for users who want access to SAML2 applications.

You configure a SAML2 Cloud Connector in the Cloud Connector wizard in the Cloud Identity Manager Management Console. Configuring a SAML2 Cloud Connector in the wizard involves the following steps. For more information about each step, see the corresponding sections:

1. Cloud Application Type — See section 2.1 Select the Cloud Application Type. 2. Identity Connector — See section 2.2 Specifying an Identity Connector.

3. SAML Credential Mapping — See section 2.3 Configure SAML Credential Mapping for a SAML2 Cloud Connector.

4. SAML SSO — See section 2.4 Configuring SSO for a SAML2 Cloud Connector.

5. SAML Assertion — See section 2.5 Configure a SAML Assertion for a SAML2 Cloud Connector. 6. SAML SLO — See section 2.6 Configure SLO for a SAML2 Cloud Connector.

7. Authorization Enforcement — See section 2.7 Configure an Authorization Policy for a SAML2 Cloud Connector.

(10)

2.1

Select the Cloud Application Type

A Cloud Connector is the configuration that allows Cloud Identity Manager to connect to and provide services for a cloud application. For example, a SAML2 Cloud Connector is the configuration that allows Cloud Identity Manager to connect to a SAML2 application and to provide SSO, SLO, and other services. To select the SAML2 cloud application type

1. Select the Cloud Connectors tab in the Management Console, and then click New Cloud Connector.

The Cloud Connector wizard opens on the Cloud Application Type step. 2. Select the cloud application type: SAML2.

Note: If the application is not one of the built-in types shown in the Cloud Application Type window, click More to open the More Applications window. This window shows all plug-in cloud application types in the Cloud Identity Manager system.

3. Type a name for the SAML2 Cloud Connector in the Cloud Connector Name field.

Note: The name can contain only letters, numbers, and the following characters: “.”, “_” and “-”. The name cannot contain spaces or exceed 64 characters in length and is not case-sensitive. Specify a meaningful name. For example, a name that identifies the Cloud Connector-Identity Connector combination is more useful than a URL, which can change.

4. Click Next.

The Identity Connector step opens.

2.2

Specifying an Identity Connector

To specify an Identity Connector, you select an existing Identity Connector or create a new one. There are six types of Identity Connectors:

• LDAP

• Integrated Windows Authentication with Active Directory (IWA-AD) • ECA360 Token Authentication

• Authentication Chain • SAML2 Proxy

• Central Authentication Service (CAS)

For LDAP and IWA-AD Identity Connectors, identity information is retrieved from an identity store. To configure these Identity Connectors, you specify the ID of the identity store containing the identity information and how to search the specified identity store. To specify the search, you configure the following LDAP parameters:

• Base DN — Specifies where to start searching in the LDAP tree

• Search Attribute — Specifies the user attribute to retrieve from the identity store

• Search Scope — Specifies how many levels to search in the LDAP tree below the Base DN

(11)

2.2.1

Select an Existing Identity Connector

If the Identity Connector is already configured, you can select it on the Identity Connector step of the Cloud Connector wizard. The settings on this step depend on the Identity Connector you select. For example, the Enable Additional Authentication Module(s) area is only displayed when the following conditions are met:

• The selected Identity Connector type is an authentication chain.

• When the authentication chain was created, one or more authentication modules were configured as Determined by Cloud Connector on the Policy Setting step of the Authentication Module wizard. To enable these modules, select the checkboxes in the Enable Additional Authentication Module(s) area. For more information, see the McAfee Cloud Identity Manager Product Guide.

To select an existing Identity Connector

1. Select an existing Identity Connector from the list in the window, or click New Identity Connector to create a new one and add it to the list.

2. (Optional) To test the connection to the Identity Connector, click Test.

Note: The Test button is disabled for Identity Connectors of type authentication chain.

3. (Optional) Select a user-defined portal category from the Category drop-down list, click Manage Categories, or both. For more information, see the next section.

4. (Optional) In the Enable Additional Authentication Module(s) area, select the checkboxes corresponding to the authentication modules you want to enable.

Note: This area is only displayed when one or more modules in an authentication chain are configured as Determined by Cloud Connector.

Example: OTP () 5. Click Next.

(12)

2.2.1.1 Manage User-defined Portal Categories

On the Identity Connector step of the Cloud Connector wizard, you can assign a user-defined portal category to the Cloud Connector that you are configuring. User-defined portal categories allow you to group applications having the same category on the application portal associated with that Identity Connector. For example, all applications tagged with the Cash Management category are displayed together on the portal. Each Identity Connector has its own menu of categories.

To manage user-defined portal categories

1. To manage user-defined portal categories, click Manage Categories on the Identity Connector step of the Cloud Connector wizard.

The Manage Categories dialog box opens.

— To add a new category, click Add, provide values for the fields in the Add Category dialog box, and click Save.

URL

Specifies the portal URL that you can use to access the Cloud Identity Manager service and the category ID. This value is provided for you.

Name

Specifies the name of the new category. Description

(Optional) Specifies a description of the new category.

— To edit an existing category, click Edit, modify the values in the fields in the Edit Category dialog box, and click Save.

— To remove an existing category, select it in the Manage Categories dialog box, and click Remove.

2. Click OK.

(13)

2.2.2

Create a New Identity Connector

To create a new Identity Connector, you specify a name and an Identity Connector type. Fields open that correspond to the type that you select. To configure an LDAP or IWA-AD Identity Connector, you create a new or use an existing identity store. To configure a CAS or other Identity Connector, you specify fields specific to that connector type.

You begin this procedure on the Identity Connector step of the Cloud Connector wizard. To create a new Identity Connector

1. Click New Identity Connector.

The New Identity Connector dialog box opens.

2. Type a name in the Identity Connector field.

3. Select one of the following types from the Identity Connector Type drop-down list: — LDAP

— Integrated Windows Authentication with Active Directory (IWA-AD) — ECA360 Token Authentication

— Authentication Chain — SAML2 Proxy

— Central Authentication Service (CAS)

The New Identity Connector dialog box expands to show the parameters required to configure the selected Identity Connector type.

4. Configure the parameters required for the specified Identity Connector type. For more information, see the McAfee Cloud Identity Manager Product Guide.

5. Click Save Identity Connector.

(14)

2.3

Configure SAML Credential Mapping for a SAML2 Cloud Connector

On the SAML Credential Mapping step, you map identity information from Cloud Identity Manager to the target application. The Credential Mapping source is the user attribute name in the Cloud Identity Manager system. The target is the attribute name that you specified in the administrator’s account of the cloud application.

A SAML subject is the user whose identity is authenticated. The SAML subject type is the type of identity information. The SAML subject source is a value that corresponds to the specified subject type. For example, if the subject type is an authentication result, the subject source is an attribute value output by the Identity Connector.

Note: For instructions on how to add a new or edit an existing target-source attribute mapping, see section 2.3.1 Add a New Attribute to the SAML2 Credential Map.

To configure SAML credential mapping for a SAML2 Cloud Connector

1. Select one of the following options from the Subject Type drop-down list, and then specify the Subject Source:

— CONSTANT — Select this subject type if the identity information has a constant value, and then type the constant value in the Subject Source field.

— AUTHN_RESULT_FIELD — Select this subject type if the identity information is one of the user attributes output by the Identity Connector, and then select the user attribute from the Subject Source drop-down list.

— EXPRESSION — Select this subject type if the identity information is the result of an expression, and then type the expression in the Subject Source field.

2. In the table on the Credential Mapping step, you have the following options:

— Add — Click Add to open the New attribute dialog box, configure a new target-source attribute mapping, and add it to the table.

— Edit — Select a row in the table, and click Edit to open the editor and modify an existing target-source attribute mapping.

— Remove — Select a row in the table, and click Remove to remove the target-source attribute mapping from the table.

3. Click Next.

(15)

2.3.1

Add a New Attribute to the SAML2 Credential Map

You add a new target-source pair to the credential or user account mapping table. To edit an existing target-source pair, you follow the same steps.

To add a target-source pair to the credential or user account mapping table 1. Type the name of the attribute that SAML2 is expecting in the Target name field. 2. Select one of the following options from the Source type drop-down list:

— CONSTANT — Select this source type if the identity information has a constant value, and then type the constant value in the Constant value field.

— AUTHN_RESULT_FIELD — Select this source type if the identity information is one of the user attributes output by the Identity Connector, and then select the user attribute from the

Authentication result drop-down list

— EXPRESSION — Select this source type if the identity information is the result of an expression, and then type the expression in the Expression value field.

3. (Optional) When the SAML2 attribute mapping requires additional attributes, select the More options for attribute checkbox. In the table that opens, add the additional attribute name-value pairs.

4. Click Ok.

(16)

2.4

Configuring SSO for a SAML2 Cloud Connector

In the SAML SSO area, you have the option of configuring IdP-initiated SSO, SP-initiated SSO, or both. When Cloud Identity Manager initiates SSO, select the IDP Initiated SSO checkbox. When the SAML2 application initiates SSO, select the SP Initiated SSO checkbox.

The SAML2 cloud application supports at least one Assertion Consumer Service (ACS), which is an endpoint that consumes SAML assertions and provides the endpoint URL and binding type for each ACS service that it supports. Because more than one ACS service is supported, each one is assigned an index number.

In the SAML SSO area, you specify the endpoint URLs and binding types for all ACS services supported by the SAML2 application. Then, you select the index number corresponding to the default ACS service. To configure IdP-initiated SSO, you have the option of specifying the Relay State field. The Relay State is the URL of the application that the user is requesting.

To configure SP-initiated SSO, configure the Cloud Issuer and SSO Url fields. The cloud issuer is the X.509 certificate issuer used by the SAML2 application. The SSO URL is the SSO service URL of the SAML2 application to which Cloud Identity Manager redirects the user when SSO is SP-initiated. If the request made by the SAML2 application is signed, select the Request Verification checkbox and select a signing key pair from the X509 Certificate drop-down list. For more information about configuring SAML authentication, including instructions on how to acquire an X.509 certificate, see the

McAfee Cloud Identity Manager Product Guide.

Note: You can import SAML2 metadata from a metadata file. The metadata is saved and automatically populates the fields in the SAML SSO window.

2.4.1

Configure SSO for a SAML2 Cloud Connector

(17)

To configure SSO for a SAML2 Cloud Connector

1. (Optional) To import SAML2 metadata from a metadata file: a. Click Upload Metadata.

The Import Metadata dialog box opens.

b. Click Browse to locate and select the SAML2 metadata file. c. Click Upload metadata to upload the file.

d. Click OK to import the metadata from the file.

The metadata is saved and automatically populates the fields on the SAML SSO step. 2. For each Assertion Consumer Service supported by the SAML2 cloud application:

— Click Add in the Assertion Consumer Service area.

A row is added with sample values for the URL and type of binding.

— Click the table cell in the URL column of the new row, and replace the default URL value with the URL provided for the Assertion Consumer Service.

— Click the table cell in the Binding column of the new row, and select one of the following values from the drop-down list:

HTTP_POST

HTTP_REDIRECT

3. From the Default SSO Location drop-down list, select the number corresponding to the Assertion Consumer Service in the table that you want Cloud Identity Manager to use first. 4. The SAML2 cloud application can support one or both of the following options. Select the

checkboxes that apply:

— IDP Initiated SSO — Selecting the IDP Initiated SSO checkbox specifies that the SAML2 application supports SSO initiated by the Identity Provider.

— SP Initiated SSO — Selecting the SP Initiated SSO checkbox specifies that the SAML2 application supports SSO initiated by the Service Provider.

5. (IDP Initiated SSO) Optionally, type the URL of the application that the user is requesting in the Relay State field.

6. (SP Initiated SSO) Perform the following steps:

a. Type the URL of the X.509 certificate issuer used by the SAML2 application in the Cloud Issuer field.

b. Type the SSO service URL of the SAML2 application in the SSO Url field.

(18)

2.5

Configure a SAML Assertion for a SAML2 Cloud Connector

You configure a SAML assertion for a SAML2 Cloud Connector on the SAML Assertion step of the Cloud Connector wizard.

To configure a SAML Assertion for a SAML2 Cloud Connector

1. Select a preconfigured key pair from the Signature Keys drop-down list.

2. Type the URL of the Cloud Identity Manager service that issues the SAML assertion in the SAML assertion issuer field.

Format: https://hostname:portnumber/identityservice hostname

Specifies the name of the server on which Cloud Identity Manager is installed. portnumber

Specifies the port number of the server on which Cloud Identity Manager is installed. Default: 8443

(19)

2.5.1

Configure a SAML Assertion — Advanced Configuration

Specify the Advanced Configuration categories and fields in the SAML Assertion window. To configure the SAML assertion — Advanced Configuration

1. Open the Advanced Configuration area.

2. Open the Subject Details area.

a. Select the format of the SAML name identifier from the Name ID format drop-down list. Example: urn:oasis:names:tc:SAML:2.0:nameid-format:entity

b. Select the SAML confirmation method identifier from the Confirmation method drop-down list. Example: urn:oasis:names:tc:SAML:2.0:cm:bearer

3. Open the Authentication Statement area, and select the SAML authentication method type from the Authentication method drop-down list.

Example: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

(20)

5. Open the Conditions area.

a. (Optional) To restrict the audience of the SAML assertion to a specified URL, type the URL in the Add audience field and click Add audience.

The URL is added to the Conditions area. Example: https://serviceprovider.com/service1

Note: Using the Add audience option, you can specify multiple SAML assertion recipients. If you do not specify the audience, the default value is the domain, for example,

serviceprovider.com. b. Specify the following fields:

Clock skew

Specifies a value to use when calculating the SAML assertion’s expiration time. This value is designed to offset small differences between clocks in different security domains.

Default value: 20 Units: seconds Lifetime

Specifies a lifetime value to use when calculating the SAML assertion’s expiration time. When the expiration time is exceeded, the SAML assertion is invalidated by the assertion consumer. When specifying the lifetime value, take into account the estimated transmission latency between security domains.

Default value: 60 Units: seconds

6. Open the Sign SAML Assertion area, and select one of the following options.

— Sign SAML Response — Specifies that Cloud Identity Manager sign the entire SAML response that it generates.

— Sign SAML Assertion — Specifies that Cloud Identity Manager sign just the assertion in the SAML response that it generates.

(21)

7. Open the Signature Method area.

a. Select RSA_WITH_SHA_1 from the Signature generation method drop-down list.

b. Select C_25_N_EXCLUSIVE from the Canonicalization generation method drop-down list. c. Select one of the following options from the KeyInfo Type drop-down list:

RSA_KEY_VALUE — Specifies that the SAML assertion is signed with an RSA private key.X_509_DATA — Specifies that the SAML assertion is signed with a private key associated

with an X.509 certificate. 8. Click Next.

The Configure SLO step opens.

2.6

Configure SLO for a SAML2 Cloud Connector

Whether SLO is IdP-initiated, SP-initiated, or both, Cloud Identity Manager is the Identity Provider that issues the signed SAML assertion attesting to the user’s identity. The SAML2 application uses the signing key pair configured for Cloud Identity Manager to validate the SAML assertion. Cloud Identity Manager uses the certificate issuer URL and X.509 certificate configured for the SAML2 application to verify SLO requests and responses coming from the application.

When you configure IdP-initiated SLO in this procedure, you specify values in the Request Creation and Response Verification areas. When you configure SP-initiated SLO, you specify values in the Request Verification and Response Creation areas. It helps to think of each configuration area in terms of the role played by Cloud Identity Manager.

The following table summarizes the configuration areas and roles of Cloud Identity Manager in IdP-initiated SLO.

Configuration Area Cloud Identity Manager Role in IdP-Initiated SLOSAML2 Connector Configuration

Request Creation

Cloud Identity Manager is the Identity Provider that initiates SLO and issues a signed SAML assertion and the key pair used to sign the assertion. The SAML2 application uses the signing key pair to validate the SAML assertion and the SLO request.

Response Verification

(22)

The following table summarizes the configuration areas and roles of Cloud Identity Manager in SP-initiated SLO.

Note: For more information about configuring SAML authentication, see the McAfee Cloud Identity

Manager Product Guide.

To configure SLO for a SAML2 Cloud Connector

1. If the Service Provider supports SLO, select the SAML Single Logout checkbox. SAML SLO configuration options open.

2. To configure IdP-initiated SLO, select the IDP Initiated SLO checkbox, and complete the settings that open.

Note: For more information, see section 2.6.1 Configure IdP-initiated SLO for a SAML2 Cloud Connector.

3. To configure SP-initiated SLO, select the SP Initiated SLO checkbox, and complete the settings that open.

Note: For more information, see section 2.6.2 Configure SP-initiated SLO for a SAML2 Cloud Connector.

4. Select one of the following options from the Binding drop-down list: — HTTP_POST

— HTTP_REDIRECT

5. Type the SLO URL of the cloud application in the Location field. 6. Click Next.

The Authorization Enforcement step opens.

Configuration Areas Cloud Identity Manager Role in SP-Initiated SLOSAML2 Connector Configuration

Request Verification

The SAML2 application sends an SLO request to Cloud Identity Manager. Cloud Identity Manager uses the certificate issuer URL and X.509 certificate to verify the request.

Response Creation

(23)

2.6.1

Configure IdP-initiated SLO for a SAML2 Cloud Connector

You can configure IdP-initiated SLO for a SAML2 Cloud Connector.

To configure IdP-initiated SLO for a SAML2 Cloud Connector

1. Select the Request Creation checkbox, and type the URL of the identity service provided by Cloud Identity Manager in the Issuer field.

2. Select the Signature checkbox, and select one of the following signature types:

— XML Signature — Specifies that Cloud Identity Manager sign SAML SLO requests with an XML signature.

— SAML Binding Signature — Specifies that Cloud Identity Manager sign SAML SLO requests with a SAML binding signature.

3. From the Signature Keys drop-down list, select the preconfigured key pair used by Cloud Identity Manager to sign the SAML SLO request.

4. Expand the Advanced configuration area.

5. Verify that RSA_WITH_SHA_1 is selected from the Signature generation method drop-down list.

6. Verify that C_14_N_EXCLUSIVE is selected from the Canonicalization generation method drop-down list.

7. Select one of the following options from the KeyInfo Type drop-down list:

(24)

2.6.2

Configure SP-initiated SLO for a SAML2 Cloud Connector

You can configure SP-initiated SLO for a SAML2 Cloud Connector.

To configure SP-initiated SLO for a SAML2 Cloud Connector

1. Select the Request Verification checkbox, and type the URL of the X.509 certificate issuer used by the SAML2 application in the Cloud Issuer field.

2. Select the Signature Verification checkbox, and from the X509 Certificate drop-down list, select the preconfigured key pair used by the SAML2 application to sign the SAML SLO request. 3. Select the Response Creation checkbox, and type the URL of the identity service provided by

Cloud Identity Manager in the Issuer field.

4. Select the Signature checkbox, and select one of the following signature types:

— XML Signature — Specifies that Cloud Identity Manager sign SAML SLO responses with an XML signature.

— SAML Binding Signature — Specifies that Cloud Identity Manager sign SAML SLO responses with a SAML binding signature.

5. From the Signature Keys drop-down list, select the preconfigured key pair used by Cloud Identity Manager to sign the SAML SLO response.

6. Expand the Advanced configuration area.

7. Verify that RSA_WITH_SHA_1 is selected from the Signature generation method drop-down list.

8. Verify that C_14_N_EXCLUSIVE is selected from the Canonicalization generation method drop-down list.

9. Select one of the following options from the KeyInfo Type drop-down list:

(25)

2.7

Configure an Authorization Policy for a SAML2 Cloud Connector

On the Authorization Enforcement step of the Cloud Connector wizard, you can build an

authorization policy that determines which users can access your cloud application and under what conditions. To build the policy, you configure individual policy rules and add them to the overall policy. Each rule consists of an expression, which can be made up of sub expressions.

Each rule has an action, as does the overall policy. The rule action is to permit or deny access to your cloud application when the rule evaluates to TRUE. The overall policy action — the default action — is to permit or deny access to your cloud application when none of the rules in the policy evaluates to TRUE. When the policy configuration area first opens, the default policy action is set to deny access.

2.7.1

Configure the default policy action

Configure the overall policy action for when none of the rules in the policy evaluates to TRUE. 1. Select the Enable Authorization Policy checkbox.

The policy configuration area opens.

(26)

2.7.2

Configure policy rules and add them to the policy

Each policy rule has an action and consists of an expression, which can be made up of sub expressions. 1. Click Add Rule, select an option in the Rule Action dialog box, and click OK.

The new rule is added above the Add Rule button and shown with the selected permit or deny action.

2. Configure the new rule by clicking the following options. For more information about configuring expressions, see section 2.7.3 Policy conditions and their Boolean expressions.

Table 1. Policy Rule Configuration Options

Option Description

(Permit | Deny) access to myapp

Toggles the rule’s action from permit to deny and deny to permit.

Note: myapp is the name you assign to the Cloud Connector.

Delete Rule Deletes the rule.

AND | OR

Toggles the Boolean operators that specify whether the relationship among the expressions in the group at the current level of the rule have an AND relationship or an OR

relationship.

Note: All expressions at one level in the rule have the same Boolean relationship.

+

Opens the Add Expression dialog box where you can configure an expression and add it to the rule.

Note: Clicking the + sign above a group of expressions adds the expression to the bottom of the group. Clicking the + sign to the right side of an individual expression creates a sub group that consists of the selected expression and the new expression.

!

Alternately adds the NOT operator to and removes the NOT operator from the group of expressions at the current level in the rule.

Move Down

Moves the rule down one position in the rule list in the configuration area.

Note: This option is only visible when more than one rule is added to the policy.

Move Up

Moves the rule up one position in the rule list in the configuration area.

(27)

2.7.3

Policy conditions and their Boolean expressions

When you configure an expression, you first select the expression type or condition. When the condition is met, the expression evaluates to TRUE. The conditions and their corresponding Boolean expressions are shown in the following table.

2.7.3.1 Restrict access to the specified time range

You can restrict when users are allowed to access your application to a specified time range. 1. Click + to open the Add Expression dialog box.

2. Select Access Time from the Expression Type drop-down list.

3. Select an operator from the Access Time drop-down list, and specify the required values:

— Between — Select a starting and ending time for the time range from the From and To drop-down lists, respectively.

— Greater than — Select a value from the Time drop-down list. — Less than — Select a value from the Time drop-down list.

— Greater than or equal to — Select a value from the Time drop-down list. — Less than or equal to — Select a value from the Time drop-down list. 4. Click OK to close the dialog box and add the expression to the policy rule. 2.7.3.2 Restrict access to specified days of the week

You can restrict when users are allowed to access your application to specified days of the week. 1. Click + to open the Add Expression dialog box.

2. Select Day of Week from the Expression Type drop-down list.

3. Select one or more of the checkboxes corresponding to the days of the week. 4. Click OK to close the dialog box and add the expression to the policy rule.

Condition Boolean Expression

Access Time The time of access falls within the specified time range. Day of Week The day of the week belongs to the specified set of days. Client IP Address The client IP address falls within the specified address range. Client Device The client device has one of the specified types.

(28)

2.7.3.3 Restrict access to the specified range of client IP addresses

You can restrict access to your application to users having an IP address in the specified range. 1. Click + to open the Add Expression dialog box.

2. Select Client IP from the Expression Type drop-down list.

3. Select an operator from the IP Address drop-down list, and specify the required values:

— Between — Select a starting and ending IP address for the address range from the From and To drop-down lists, respectively.

— Equals — Type a valid IP address in the IP field. — Greater than — Type a valid IP address in the IP field. — Less than — Type a valid IP address in the IP field.

— Greater than or equal to — Type a valid IP address in the IP field. — Less than or equal to — Type a valid IP address in the IP field.

— Masked IP address — Type values for the base IP address and the bit mask in the Base IP and Mask fields, respectively.

4. Click OK to close the dialog box and add the expression to the policy rule. 2.7.3.4 Restrict access to specified client devices

You can restrict access to your application to users on a personal computer or a mobile device. 1. Click + to open the Add Expression dialog box.

2. Select Client Device from the Expression Type drop-down list. 3. Select one or both of the following checkboxes:

— PC — Allows users on a personal computer to access your application. — Mobile — Allows users on a mobile device to access your application. 4. Click OK to close the dialog box and add the expression to the policy rule. 2.7.3.5 Restrict access to subjects having the specified attribute value

You can restrict access to your application to subjects or users having a specified attribute value. To do so, you specify the subject type and the subject source. The subject type is the type of identity information. The subject source is a value that corresponds to the specified subject type. For example, if the subject type is an authentication result, the subject source is an attribute output by the Identity Connector.

1. Click + to open the Add Expression dialog box.

2. Select Subject Attribute Match Expression from the Expression Type drop-down list. 3. Select an option from the Subject Type drop-down list:

— CONSTANT — Type a constant value in the Subject Source field.

— AUTHN_RESULT_FIELD — Select a user attribute from the Subject Source drop-down list. — EXPRESSION — Type an expression in the Subject Source field.

(29)

2.7.3.6 Restrict access based on the specified expression

You can restrict access to your application based on whether the expression you specify evaluates to TRUE or FALSE. To build the expression, you select and combine components from the drop-down lists with text that you type in the expression editor.

1. Click + to open the Add Expression dialog box.

2. Select Advanced Expression from the Expression Type drop-down list. 3. Click Edit to open the Expression editor.

4. Select components from the following drop-down lists, and add them to the expression. — Built-in Library Function — Select the following built-in function:

$AuthnResult.isIPInRange

Tests whether the client computer’s IP address falls within the specified range. Syntax: $AuthnResult.isIPInRange(low_IP,high_IP,target_IP)

Parameters

low_IP — Specifies the beginning value of the IP address range. high_IP — Specifies the ending value of the IP address range.

target_IP — Specifies the IP address of the client computer seeking access to the application.

Return Value

Returns one of the following values:

TRUE — The client IP address falls within the specified range.

FALSE — The client IP address does not fall within the specified range. — Built-in Library Variable — Select one of the following built-in variables:

$IP — Specifies the IP address of the client computer seeking access to the application.$UserAgent — Specifies the web browser’s user agent which provides information about

whether the browser is running on a personal computer or mobile device. — AuthnResult — Select an attribute from the AuthnResult drop-down list.

Example: mail

Expression: $AuthnResult.getField("mail")

(30)

6. Click OK to close the Expression editor.

7. Click OK to close the dialog box and add the expression to the policy rule.

2.7.4

Expression editor examples

The following examples show how to build an expression using the expression editor. Expression editor: example 1

The expression in the following example retrieves the attribute corporation from the authentication results and compares its value to the empty string on the right side of the expression. If the expression evaluates to TRUE, the user is not part of any corporation. If the Rule Effect is set to Deny, the user is denied access to the SaaS or web application.

To create this expression:

1. Select the attribute corporation from the AuthnResult drop-down list. 2. Select the operator == from the Operator drop-down list.

(31)

Expression editor: example 2

The expression in the following example uses the built-in library function $AuthnResult.isIPInRange and the built-in library variables: $IP and $UserAgent. The expression evaluates to TRUE if one or more of these conditions are met:

• The client computer IP address falls within the specified range. • The client computer IP address equals the specified value. • The web browser is running on an iPhone.

If the expression evaluates to TRUE and the Rule Effect is set to Permit, the user is granted access to the SaaS or web application.

To create this expression:

1. Select $AuthnResult.isIPInRange from the Built-in Library Function drop-down list.

2. Type the low and high IP addresses that specify the range inside the first two pairs of quotes inside the parentheses.

3. Replace the third pair of quotes with the Built-in Library Variable $IP, which is the IP address of the client computer seeking access to the application.

4. Select the operator || from the Operator drop-down list. 5. Select $IP from the Built-in Library Variable drop-down list. 6. Select the operator == from the Operator drop-down list.

7. Type an IP address enclosed in quotes in the Expression editor field. 8. Select the operator || from the Operator drop-down list.

9. Select $UserAgent from the Built-in Library Variable drop-down list. 10. Select the operator contains from the Operator drop-down list.

(32)

2.8

Review the SAML2 Cloud Connector Configuration

On the Review step of the Cloud Connector wizard, you can view the application type, application name, and the Identity Connector. You can also test the configuration with the SSO test URL that is provided. The Alias is a short name that you can use in place of the longer SSO test URL.

(33)
(34)

References

Related documents

To manage external users, the enterprise deploys McAfee Cloud Single Sign On, SaaS edition and configures the Box application to require two-factor strong authentication. This

FDP_IFF.1.1 The TSF shall enforce the P.SEPARATE policy based on the following types of subject and information security attributes: remote user identity and enclave session

Unlike many books on identity, this volume goes far beyond social and cultural aspects and touches upon the less argued spheres; it examines identity in areas such as

The work presented here supports the prevailing view that both CD and IOVD share common cortical loci, although they draw on different sources of visual information, and that

12 Data Science Master Entrepreneur- ship Data Science Master Engineering entrepreneurship society engineering. Eindhoven University of Technology

• Makes an access control decision based on the attributes and/or supplied identity information.. • Redirects the user to a login endpoint if no identity information

The following antimicrobials were tested: penicillin (Sigma Aldrich, Yongin, Korea), piperacillin-tazobactam (Yuhan, Seoul, Korea), cefoxitin (Merck Sharp & Dohme, West Point,

The aim of this 96 day feeding trial was to investigate the effects of the addition of different combinations of dietary lecithin, nucleosides, and krill to a fishmeal-based