Flexible Identity Federation


Flexible Identity Federation
Administration guide, version 1.0.1

Publication history

Date | Description | Revision
 | initial release |
 | minor updates |

Copyright Orange Business Services

Welcome

Your company has chosen Flexible Identity Federation to protect online corporate identities and corporate data from unauthorized access.

This guide provides:
- Flexible Identity Federation administration guide
- Identity bridge, applications and basic SSO configuration guide
- Troubleshooting guide

Contents

1 About this document
  1.1 Prerequisites
  1.2 Purpose of this document
  1.3 Document convention
    Navigation toolbar
    The icons
  1.4 Terminology
    PingOne terms
    Orange Business Services terms
  1.5 Identity Federation
2 Identity Bridge
  2.1 Overview of Identity bridges
  2.2 PingOne AD Connect
    PingOne AD Connect light
    PingOne AD Connect full with IIS
    Provisioning with PingOne AD Connect
  2.3 PingOne Directory
    Processing steps for authentication
    Set PingOne Directory as Identity Bridge
    Modify the password policy for the PingOne Directory users
    Create users in PingOne Directory
    Delete a user from PingOne Directory
    Disable a user from PingOne Directory
    Modify a user
  3rd party SAML
    Processing steps for authentication
    Configuration of the 3rd party SAML IDP
    Set a 3rd party SAML IDP as Identity Bridge
  PingFederate
    Processing steps for authentication
    Configuration of PingFederate
  Google Apps for business
    2.6.1 Processing steps for authentication
    Authorization for PingOne
    Set Google Apps as an identity provider
Basic use
  Administrator connection to PingOne
  User connection to PingOne Dock
PingOne administration
  Create administrator accounts
  Give access to administration portal to users
    With PingOne Directory as an Identity Bridge
    With other Identity Bridges
  Access to the PingOne administration environment through the PingOne Dock (for users)
5 Service customization
  Customize the PingOne dock
  Customize the PingOne AD Connect full with a specific IIS login page
    Preparing the customization archive
    Substitution template symbols and constructions per page
    Install the customization archive
Managing application in PingOne
  Add an application
    Application from the PingOne Catalog
    SAML application
    Basic SSO application
  User management for applications
    Create groups in PingOne Directory
    Add a group in PingOne (except for PingOne Directory)
    Authorize Group Access to Applications
PingOne Browser extension
  Manual setup of the PingOne Browser Extension
  Automatic installation through Windows GPO (on Windows domains only)
Enable IWA with Browser clients (AD Connect)
  Enable IWA in the PingOne admin portal
  Enable IWA for Mozilla Firefox
  8.3 Enable IWA for Internet Explorer
  Enable IWA for Google Chrome
Reports
  Global reports
    Display the global reports
    Download the global reports
  Information logged by Flexible Identity Federation service
    Federated SSO Transaction
    Basic SSO Transaction
Security
  IP addresses used by the PingOne services
  PingOne endpoints
Troubleshooting
  Authentication with PingOne AD Connect full with IIS does not work
  Authentication with PingOne AD Connect does not work
  SAML assertion
  SAML tracer
  PingOne service IP address

1 About this document

1.1 Prerequisites

Your PingOne environment has been set up with the help of the Orange Business Services team. Your identity bridge is configured and allows your users to connect to one SaaS application.

This document is intended to be understood by readers who already have a comprehensive knowledge of identity federation in general and the Flexible Identity Federation product. If this is not the case, we strongly recommend you read the Flexible Identity Federation Quick start guide.

1.2 Purpose of this document

This document gives instructions for general use of the Flexible Identity Federation service environment. You will find the information for general use, including how to add new applications and get the reporting logs.

1.3 Document convention

Navigation toolbar

Definition: Throughout this document, navigation toolbars show you which path you must follow to access each feature.

Format:

Field | Description | Supported values
1 | Environment to use | PingOne Administrator Desktop; PingOne Dock (for users)
2 | Account banner options | Dashboard; Applications; Users; Setup; Account; Customers (only with an MSP Account)
3 | | Too many values to be listed here

The icons

The Alert icon is used to draw your attention to important information.

The Skip icon is used to draw your attention to chapter(s) to skip in certain circumstances.

1.4 Terminology

Several terms and their meaning are important in order to understand the information presented in this document.

PingOne terms

Ping Admin: Web portal for Flexible Identity administrators.
PingOne Dock: Web portal for users that presents their cloud applications. Used to be named PingOne Desktop.
Ping Backend: Ping's servers that perform backend tasks in the solution.
PingOne AD Connect Agent: Lightweight agent used as an Identity Bridge to interact with the customer Microsoft Active Directory domain.
Identity Bridge: Component that enables the connection from the customer corporate network to the PingOne services in the cloud.
Integrated Windows Authentication (IWA): Authentication method on Windows clients and servers that does not prompt the user for their credentials. Instead it uses the current Windows user information on the client computer.
PingOne CAS: Name of the Ping Identity cloud solution. CAS stands for Cloud Access Service.
Cloud User Service: Internal storage of identities for low range company.
Federated Application: Application configured to be aware of federation protocols.
Cloud Application or SaaS Application: Application hosted in the cloud, as opposed to an application hosted on the customer's premises. Can be a federated application or a previous application using login/password as credential.
Single Sign-On (SSO): Property to log in once and then to have access to multiple resources without being prompted to log in again.
Single Log-Out (SLO): Property to log out once from one of the federated resources and being automatically disconnected from all the other federated resources.
Security Assertion Markup Language (SAML): XML-based open standard data format created to exchange authentication and authorization data between an identity provider and a service provider.

Orange Business Services terms

Managed Service Provider (MSP): Orange Business Services Virtual Service Provider account created from the PingOne Service Provider level. For better understanding, this account is considered as a Service Provider (SP) because it is the root of the FEDID accounts hierarchy. The related Virtual Server stores Orange SP Administrator accounts.

1.5 Identity federation

Before starting with the PingOne product, it is important to understand the identity federation concepts and focus on the SAML standard as it is the federation standard chosen by PingOne. Please refer to the Flexible Identity Federation Quick start guide for a better understanding of the solution and associated technologies.

2 Identity bridge

2.1 Overview of identity bridges

Identity bridges are used by PingOne to match your local user accounts from your identity repositories to your cloud user accounts. Select your identity bridge depending on the type of the identity repository needed by your organization.

Your identity bridge was set up initially by the Orange Business Services team. As changing the type of the identity bridge has a considerable impact on your access to cloud applications, do not change your identity bridge without contacting the Orange Business Services team.

2.2 PingOne AD Connect

The PingOne AD Connect identity bridge allows you to use your corporate Active Directory as an identity repository, so your users will use their corporate credentials to connect to their PingOne dock. Furthermore, with AD Connect you can enable Integrated Windows Authentication (IWA) to automatically authenticate user requests coming from your organization's network.

Two types of PingOne AD Connect are available:
- AD Connect light
- AD Connect Full with IIS

It is recommended to use AD Connect light as it is easy to install and manage. With AD Connect with IIS, a load balancing infrastructure and a Public Key Infrastructure are needed.

PingOne AD Connect light

Processing steps for user authentication without IWA

PingOne AD Connect light opens a secure channel for communications with PingOne servers using the 443 port. PingOne sends authentication requests through this channel.

If the PingOne AD Connect does not open the secure channel, user authentication cannot be performed.

These are the processing steps for authentication with AD Connect if the user is outside their corporate network:

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne server (sso.connect.pingidentity.com).
3) The PingOne server provides a logon page and the user must enter their corporate credentials.
4) PingOne sends an authentication request to the 1st AD Connect available on your network. This request is sent through a secure channel (WebSocket SSL on port 443).
5) AD Connect authenticates the user against the corporate Active Directory and retrieves the user attributes.
6) AD Connect returns an authentication response to the PingOne server containing the authentication assertion and any additional attributes. The assertion response is sent through the secure channel.
7) The PingOne server redirects the user (with an HTTP redirect) to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
8) The user gets access to their PingOne dock.

Processing steps for user authentication with IWA

Each user's initial SSO to the PingOne dock always uses the WebSocket back channel as described in , regardless of whether or not the user is located in your organization's network.

To use the Integrated Windows Authentication, the user must use a computer inside their corporate network. They must have used their corporate Active Directory credentials to log on to their computer.

These are the processing steps for authentication with IWA:

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne server (sso.connect.pingidentity.com).
3) PingOne sends (through the user browser) an authentication request to the 1st AD Connect light available on your network with a unique authentication request ID. This request ID is encrypted with the public key of the AD Connect instance.
4) AD Connect uses the user's Kerberos ticket to authenticate the user.
5) AD Connect retrieves the user attributes from the Active Directory and creates an assertion containing the set of attributes for the user. This assertion is stored in the AD Connect host with the authentication request ID from step 3.
6) AD Connect performs a simple redirect sending the user back to PingOne without any data.
7) The client browser sends (via SSL) the cookie containing the authentication request ID to the PingOne Server.
8) The PingOne server sends an assertion retrieval request to AD Connect using the WebSocket back channel and the authentication request ID.
9) AD Connect retrieves then removes the in-memory assertion and sends the response to PingOne as a signed token.
10) The PingOne server redirects the user (with an HTTP redirect) to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
11) The user gets access to their PingOne dock.
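The single-use retrieval in steps 5 to 9 of the IWA flow can be modelled in a few lines. This is an added example, not code from this guide or from PingOne: the class and method names are hypothetical, an HMAC with a shared key stands in for the token signature (the guide does not name the scheme), the 60-second lifetime is an assumption, and the public-key encryption of the request ID in step 3 is left out.

```python
import hashlib
import hmac
import json
import secrets
import time


class ADConnectModel:
    """Hypothetical model of the AD Connect side (steps 5 and 9)."""

    def __init__(self, signing_key, ttl_seconds=60):
        self._key = signing_key
        self._ttl = ttl_seconds  # assumed lifetime; the guide gives none
        self._pending = {}       # request ID -> (attributes, expiry time)

    def store_assertion(self, request_id, attributes, now=None):
        # Step 5: keep the assertion in memory under the request ID.
        now = time.time() if now is None else now
        self._pending[request_id] = (attributes, now + self._ttl)

    def retrieve_once(self, request_id, now=None):
        # Step 9: pop() retrieves and removes in one operation, so a second
        # request with the same ID finds nothing to return.
        now = time.time() if now is None else now
        entry = self._pending.pop(request_id, None)
        if entry is None or now > entry[1]:
            return None
        body = json.dumps({"rid": request_id, "attrs": entry[0]},
                          sort_keys=True).encode()
        # HMAC is a stand-in for the signed token mentioned in step 9.
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class PingOneModel:
    """Hypothetical model of the PingOne side (steps 3, 7, 8 and 10)."""

    def __init__(self, verify_key, back_channel):
        self._key = verify_key
        self._back = back_channel  # stands in for the WebSocket back channel
        self._issued = set()

    def start_login(self):
        # Step 3: issue an unguessable, unique authentication request ID.
        rid = secrets.token_urlsafe(32)
        self._issued.add(rid)
        return rid

    def complete_login(self, rid_from_cookie):
        # Step 7: the browser only ever carries the opaque request ID.
        if rid_from_cookie not in self._issued:
            return None
        self._issued.discard(rid_from_cookie)
        # Step 8: fetch the assertion over the back channel.
        token = self._back.retrieve_once(rid_from_cookie)
        if token is None:
            return None
        expected = hmac.new(self._key, token["body"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None
        claims = json.loads(token["body"])
        # The token must be bound to the request that triggered it.
        if claims["rid"] != rid_from_cookie:
            return None
        return claims["attrs"]


def demo():
    """Run one login, then try to reuse the same request ID twice."""
    key = secrets.token_bytes(32)
    adc = ADConnectModel(key)
    p1 = PingOneModel(key, adc)
    rid = p1.start_login()
    adc.store_assertion(rid, {"sub": "alice@example.com"})  # constructed user
    first = p1.complete_login(rid)
    replay = p1.complete_login(rid)   # same cookie presented again
    direct = adc.retrieve_once(rid)   # assertion is already gone
    return first, replay, direct


if __name__ == "__main__":
    print(demo())
```

In this model the user attributes never travel through the browser, and a captured request ID is worthless once the first retrieval has happened.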

Prerequisites

The platform must be one of the following:
- Microsoft Windows Server (32-bit/64-bit)
- Microsoft Windows Server 2008 R2 7.5 (32-bit/64-bit)
- Microsoft Windows Server (32-bit/64-bit)

Microsoft .NET 4.0 Framework installed. The framework installation file is packaged with the AD Connect distribution.

The Windows Server host must be in an Active Directory domain but, for security reasons, must not be a domain controller (DC).

Port 443 (HTTPS) must be open.

Setting AD Connect as an identity repository

Do not change the type of your identity bridge as you will lose the access to your cloud applications.

PingOne Administration Desktop > Setup > Identity repository

Click on [Change User store type].
Read the warning and click on [I Understand] to remove the existing configuration.
Select AD Connect on the list and then click on [Next].
Click on [Download AD Connect] to save the binary file for installation.
Choose the product key in accordance with the message below and click on [Next].

Store your product key, as you will be asked for it during the installation of AD Connect.
Store Organization ID and go to AD Connect installation in
Click on Verify Installation and click on [Next].

Installing the AD Connect binary

You must have administrator rights on the host.

Unzip the downloaded package.
Right-click on the file run-as-administrator.bat and click on [Run as administrator].
Click on [Yes].
Click on [Next].
Select the installation type as [AD Connect].

Ping recommends using only one AD Connect with provisioning capabilities on each Active Directory domain to avoid provisioning issues. If it is the first AD Connect in your environment, check the box Enable user provisioning. Otherwise leave this box unchecked.

Then click on [Next].
Enter your activation product and the product key and then click on [Activate].
Once AD Connect has been activated, click on [Next].
Choose where PingOne AD Connect will be installed by clicking on [Change]. Then click on [Next].
Click on [Install]. Wait until the end of the installation.
Click on [Finish] to close the wizard.

Once installed, PingOne AD Connect light must be activated through the web interface.

PingOne Administration Desktop > Setup > Identity repository

Select PingOne AD Connect and then click on [Setup >].

Then click on [Verify Installation].
Check the box Enable IWA if you want to enable Integrated Windows Authentication for your users.
Specify your Intranet IP blocks if you have enabled IWA. CIDR notation is used (comma-delimited) as the format. An example of this format is: /8, /12, /16
Click on [Finish] to validate the parameters.

High availability

With AD Connect light, high availability (automatic failover and load balancing) is handled by the PingOne datacenters, and requires no configuration or management on your part. You just have to install multiple instances of AD Connect as you did in the previous chapter ( ). You will use the same Organization ID and the same Product Key.

The status of the connection for each AD Connect instance is stored in and managed by PingOne. PingOne selects an AD Connect instance to use from the active list of instances and begins sending authentication requests to that AD Connect instance. The load is balanced among all instances of AD Connect. New instances of AD Connect are added to PingOne's active list of instances.

PingOne AD Connect Full with IIS

Processing steps for authentication

These are the processing steps for a user authentication with AD Connect Full with IIS.

1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to their corporate AD Connect with an HTTP redirect.
4) If the user is already authenticated on their corporate domain, the IIS will use IWA to authenticate the user with the Kerberos ticket stored on their machine. Otherwise their AD credentials will be requested by the IIS server (basic authentication).
5) Once the user is authenticated by the IIS server, AD Connect will get the user's attributes from the Active Directory.
6) AD Connect returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the SAML response from AD Connect and redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
9) The user gets access to their PingOne dock.

Prerequisites

The platform must be one of the following:
- Microsoft Windows Server 2012 with IIS 8.0 (32-bit/64-bit)
- Microsoft Windows Server 2008 R2 with IIS 7.5 (32-bit/64-bit)

- Microsoft Windows Server 2008 with IIS 7.0 (32-bit/64-bit)

Microsoft .NET 4.0 Framework must be installed. If needed, the framework installation file is packaged with the AD Connect distribution.

The Windows Server IIS host must reside in an Active Directory domain, but for security reasons, must not be a domain controller (DC).

The IIS Server role service must be installed. Windows Authentication role service and ASP.NET 4.5 (WebServer IIS -> WebServer -> Application Development ASP.NET 4.5) must be installed for IIS.

Time synchronization must be set up on the Windows Server IIS host.

Port 443 (HTTPS) must be the only open port.

If you have users who will be using the PingOne mobile app, the IIS host name needs to be able to be resolved externally.

A valid certificate issued by a well-known certification authority must be set up on your IIS server.

Deploying PingOne AD Connect from a DMZ

If your users will access their PingOne dock from outside of your corporate network, your IIS host must be directly connected to the Internet, so you are advised to deploy the host in a DMZ. You will need to open the following ports on your DMZ/corporate network firewall.

TCP and UDP are shown together in the table below. Depending on the firewall network device, you may need to add the TCP and UDP rules separately.

Protocols | Port numbers | Description
TCP/UDP | 389, 636, 3268, 3269 | These are the Lightweight Directory Access Protocol (LDAP) ports. AD Connect uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). Also used for mobile authentication.
UDP | 138 | NetBIOS name resolution.
TCP/UDP | 445 | SAM/LSA.
UDP | 123 | NTP W32 Time.
TCP/UDP | 135, | RPC Endpoint Mapper.
UDP | 137 | NetBIOS datagram.
TCP/UDP | 88 | This port belongs exclusively to Kerberos. AD Connect uses this port for off-network access when executing a single sign-on (SSO) event outside of the corporate network.
TCP/UDP | 464 | This server port is also used by Kerberos (to set or change the password). It is of course also used to join the IIS (and AD Connect) host to the domain.
TCP/UDP | 53 | The DNS service runs on this port. It's used to convert between URLs and IP addresses, and is also needed to join the IIS (and AD Connect) host to the domain.
TCP | 443 | This port will receive the HTTPS requests from the users.

Setting AD Connect as an identity repository

Do not change the type of your identity bridge as you will lose the access to your cloud applications.

You can refer to the AD Connect light instructions provided in as they are the same for the two versions of AD Connect.

Obtaining a specific certificate for your IIS server

You must have administrator rights on the host that runs AD Connect.

Click on Run. Type inetmgr.exe and press [Enter]. The IIS manager console will open.
Click on your IIS server name to get the Features view.

On the IIS section click on the Server certificates icon.
On the actions menu on the right-hand side, click on [Create Certificate Request ].
Complete the field with your information. As this information will be shown on your certificate, be sure to enter the right values. In the common name field do not forget to enter the public URL of your IIS server, i.e. iisserver.mydomain.com
Click on [Next].
Click on [Next].
Choose a filename for your certificate request.
Click on [Finish].

Send your certificate request to a well-known public certification authority. Some charges may be applied.

Once the certificate authority validates your request and sends your certificate, return to the IIS manager console.

In the IIS section, click on the Server Certificates icon.
In the actions menu on the right-hand side, click on [Complete Certificate Request ].
Select the file containing the certificate provided by your certification authority.
Enter a friendly name to identify your certificate.
Select Web Hosting as a certificate store for the new certificate.
Click on [OK]. Your new certificate should appear in the certificate list.

Then the certificate must be set as the default certificate for HTTPS connections.

On the left-hand side, expand the Sites item and click on [Default Web Site].
Then on the right-hand pane named Actions, click on [Bindings ].
Select the current line and click on [Edit ].
On the SSL certificate part, select your certificate.
Click on [OK].

Now restart your IIS to validate the changes. Click on your IIS server name. On the actions pane on the right, click on [Restart].
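Before installing the AD Connect binary, the firewall rules can be checked against the port table given in "Deploying PingOne AD Connect from a DMZ" and against the prerequisite that 443 is the only open port. This is an added example, not part of the original guide: the rule syntax and the zone names (internet, dmz, lan) are assumptions, and the sample rules are constructed.

```python
"""Audit a firewall rule export against the AD Connect Full with IIS port table."""

BOTH = ("tcp", "udp")

# Ports the guide lists between the IIS/AD Connect host and the domain
# controller. The table's second value after 135 is missing from the page,
# so only 135 itself is checked here.
REQUIRED_TO_DC = {(proto, port) for proto in BOTH
                  for port in (389, 636, 3268, 3269, 445, 135, 88, 464, 53)}
REQUIRED_TO_DC |= {("udp", 138), ("udp", 123), ("udp", 137)}

# Prerequisite from the guide: 443 (HTTPS) is the only port open to users.
REQUIRED_INBOUND = {("tcp", 443)}

# Constructed sample export. The "action proto ports src->dst" syntax is an
# assumption, not the format of any particular firewall product.
SAMPLE_RULES = """\
allow tcp 389,636,3268-3269 dmz->lan
allow udp 389,636,3268-3269 dmz->lan
allow tcp 88,464,53,445,135 dmz->lan
allow udp 88,53,123,137-138 dmz->lan
allow tcp 3389 dmz->lan            # not in the guide's table
allow tcp 443 internet->dmz
"""


def parse_ports(spec):
    """Expand '389,636,3268-3269' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(low, high + 1))
    return ports


def allowed_pairs(rules_text, flow):
    """Return every (protocol, port) that 'allow' rules permit for one flow."""
    pairs = set()
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        action, proto, spec, direction = line.split()
        if action == "allow" and direction == flow:
            pairs |= {(proto.lower(), port) for port in parse_ports(spec)}
    return pairs


def audit(rules_text):
    """Compare the rules with the guide's table in both directions."""
    to_dc = allowed_pairs(rules_text, "dmz->lan")
    inbound = allowed_pairs(rules_text, "internet->dmz")
    return {
        # Listed in the guide but not opened: authentication may fail.
        "missing_to_dc": sorted(REQUIRED_TO_DC - to_dc),
        # Opened but not listed: wider than the guide requires.
        "unexpected_to_dc": sorted(to_dc - REQUIRED_TO_DC),
        "missing_inbound": sorted(REQUIRED_INBOUND - inbound),
        "unexpected_inbound": sorted(inbound - REQUIRED_INBOUND),
    }


if __name__ == "__main__":
    for finding, pairs in audit(SAMPLE_RULES).items():
        print(finding, pairs)
```

With the constructed rules, the audit reports the UDP halves of 135, 445 and 464 as missing (the case the guide warns about when TCP and UDP rules must be added separately) and TCP 3389 as an opening the table does not call for.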

Installing the AD Connect binary

You must have administrator rights on the host.

Unzip the downloaded package.
Right-click on the file run-as-administrator.bat and click on [Run as administrator].
Click on [Yes].
Click on [Next].
Select Full with IIS.

Ping recommends using only one AD Connect with provisioning capabilities on each Active Directory domain to avoid provisioning issues. If it is the first AD Connect in your environment, check the box Enable user provisioning. Otherwise leave this box unchecked.

Click on [Next].
Enter your activation product and the product key and then click on [Activate].
Once AD Connect has been activated, click on [Next].
Select the IIS Web Site to protect and click on [Next].
Choose where PingOne AD Connect will be installed by clicking on [Change]. Then click on [Next].
Click on [Install].
Wait until the end of the installation.
Click on [Finish] to close the wizard.

Once installed, PingOne AD Connect Full with IIS must be activated through the web interface.

PingOne Administration Desktop > Setup > Identity repository

Select PingOne AD Connect and then click on [Setup >].
Then click on [Verify Installation].
Modify the IIS Server URL to match your IIS server URL.
Click on [Update].
Click on [Finish] to validate the parameters.

High availability

If you are using AD Connect, you can skip this chapter.

You must set up high availability if you expect to have large numbers of single sign-on (SSO) users for AD Connect.

This chapter describes how to set up high availability for AD Connect Full with IIS using Microsoft Network Load Balancing (NLB) as the load-balancing and clustering solution. If you are using a load-balancing and clustering solution other than NLB, you can also apply these settings to your configuration by replacing the NLB-specific steps with those that match your solution.

You will configure NLB clustering for AD Connect, using the example configuration shown in the illustration as a guideline. NLB is an optional Windows Server feature. Although you can use this process for other configurations, these instructions are for a minimal configuration: one Active Directory domain controller (DC) and two Windows Server IIS hosts.

The IIS hosts need two NICs, one for the static IP used by NLB (NLB requires static IPs), the other for the dynamic IP used by the DC. The NLB-dedicated NICs for all IIS hosts should be in the same subnet.

Install AD Connect on the IIS hosts (iis1.acme.com and iis2.acme.com).

One of the IIS hosts will supply the signing certificate to be used on all other IIS hosts. We'll call this the master IIS host.

On one of the IIS hosts (here we'll use iis1.acme.com), use the Services MMC to disable AD Connect Provisioner Service. This will be the master IIS host.

The following steps will explain how to get the signing certificate from the master IIS host and how to import it to the other IIS hosts.

On the master IIS host (iis1.acme.com), export the signing certificate:

Open MMC, and from the File menu, select [Add/Remove Snap-in]. The Add or Remove Snap-ins dialog box is displayed.
Select Certificates and click on [Add]. The Certificates Snap-in dialog box is displayed.
Select Computer Account and click on [Next]. The Select Computer dialog box is displayed.
Select Local computer. Click on [Finish].
Click on [OK]. The Certificates snap-in is displayed in MMC.
Expand Certificates (Local Computer) + Personal and select Certificates. The certificates for the Local Computer account are displayed.
Right-click the signing certificate (the certificate name includes the full domain name of the host) and select [All Tasks], then [Export]. The Certificate Export Wizard is displayed.
Click on [Next].
Select [Yes, export the private key] and click on [Next].
Select [Personal Information Exchange PKCS #12 (.PFX)].
Check the box [Include all certificates in the certification path if possible].
Uncheck the box [Delete the private key if the export is successful].
Check the box [Export all extended properties].
Click on [Next].
Set a password to protect the private key and click on [Next].
Specify the file location and click on [Next].
Check the Certificate export wizard settings and click on [Finish] to export the certificate and the private key.

The master IIS host signing certificate has been exported to the current user directory.

On the other IIS hosts (iis2.acme.com), import this signing certificate:

Follow the steps above to add the Certificates snap-in to MMC.
Expand Certificates (Local Computer) + Trusted People.
Right-click on Certificates and select All Tasks, Import. The Certificate Import Wizard is displayed.
Follow the Certificate Import Wizard and select the signing certificate you exported from the master IIS host.

The master IIS host signing certificate is now imported to the other IIS host. Repeat the same operations for other IIS hosts.

After importing the signing certificate, it is necessary to grant the IIS process access to the signing keys:

Open MMC and go to Certificates (Local Computer) + Personal + Certificates.
Right-click on the master IIS host certificate that you imported and select All Tasks, then Manage private keys. The permissions dialog box is displayed.
Click on Add, and in the entry box, enter the object name "IIS_IUSRS".

The IIS_IUSRS is a built-in group that might be created as a local group. Change the location of the search scope to get this group from your local computer instead of your corporate Active Directory.

Click on [OK].
Grant Full Control and Read permissions to IIS_IUSRS.

The IIS host now has the necessary permissions to use the imported signing certificate.

The AD Connect Web.config file on other IIS hosts (iis2.acme.com) must be updated to use the imported signing certificate:

Edit the AD Connect file <installpath>\ping Identity\AD Connect\SSO\Web.config.
Change the saml.signing.cert value to the name of the imported signing certificate, and save the file.

AD Connect will now use the imported signing certificate.

On each IIS host (iis1.acme.com and iis2.acme.com), install the Network Load Balancing feature. This is an optional feature for Windows Server.

On each IIS host, configure network load balancing:

Open Network Load Balancing Manager (in Administrative Tools) and choose to create a new cluster.
Enter the static IP address (the NLB-dedicated NIC) of one of the IIS hosts.
Select this interface, click on [Next], and assign a unique host ID.
Click on [Add] to create a virtual cluster IP address for this interface. Specify an address in the same subnet as the NLB-dedicated NICs of your IIS hosts.

The virtual cluster IP is the address you will use to access AD Connect. Do not use the IP addresses (static or dynamic) assigned to the IIS hosts.

If you are deploying the IIS hosts in a VM (virtual machine), set the cluster operation mode to Multicast. Otherwise, set this mode to Unicast.

Microsoft recommends using Unicast as the cluster operation mode. Unicast is compatible with all routers, switches and network devices. VMware recommends using Multicast if you're configuring NLB clusters on VMs.

Click on [Next].
(Optional) Set any port rules you consider necessary.

Click on [Finish].
When the information for the new cluster node (the IIS host) indicates the node is in a Converged state, right-click on the node and select Add Host to Cluster.

The IIS host is now configured for NLB. Repeat the above steps for each remaining IIS host (iis2.acme.com).

You should now be able to power cycle a clustered IIS host, with automatic failover to another IIS host in the cluster. You also can add additional IIS hosts to the cluster as needed.

Provisioning with PingOne AD Connect

With the two versions of AD Connect, it is possible to set up provisioning to automatically create/update and delete users in SaaS applications. This provisioning is enabled through group memberships.

As some applications may not propose mechanisms for user provisioning (like API or SCIM messages), PingOne cannot create/update and delete users on all the SaaS applications. You will find the applications available for user provisioning in the PingOne app catalog as described in

Enable provisioning in PingOne

These are the steps to enable provisioning in PingOne:
- Configure a connection to a SaaS that supports provisioning (e.g. Salesforce) in the PingOne admin portal (see 6.1.1).
- Associate the connection with one or more user groups on the User Groups page (see 6.2.3).

Processing steps for user provisioning in SaaS Application

This is how the provisioning works with AD Connect:

1) When a SaaS application connection with provisioning is associated with one user group in the PingOne portal, AD Connect starts monitoring the corresponding Active Directory group.
2) AD Connect sends the PingOne provisioning service all the changes in that group (user added, modified or removed) through a SCIM message.
3) When the provisioning service receives updates from AD Connect, it will send out provisioning requests to the target SaaS application based on the connection configuration specified in the admin portal.

2.3 PingOne directory

In this configuration, PingOne provides you with a directory to store your user accounts. You will have to administer the accounts in the PingOne Administration page.

Processing steps for authentication

These are the processing steps for user authentication with the PingOne directory.

1) The user tries to access the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) PingOne sends a login page to the user. The user sends their credentials to PingOne for authentication.
4) Once authenticated, the user is redirected to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
5) The user gets access to their PingOne dock.

Setting the PingOne directory as an identity bridge

Go to the following page:
PingOne Administration Desktop Setup Identity repository
Select PingOne Directory and click on [Setup].

Modifying the password policy for the PingOne directory users

Once the PingOne directory is enabled in the PingOne environment, a password policy is applied for the new user accounts created. It is possible to modify it from the following page:
PingOne Administration Desktop Setup Password policy Edit
These are the parameters you can use for the password policy:

Password Requirements
  Minimum Length: The minimum number of characters required.

  Uppercase Characters Required: The minimum number of uppercase characters required.
  Numbers Required: The minimum number of numbers required.
  Special Characters Required: The minimum number of special characters required (such as # ! % &).
  Block Dictionary Words: If enabled, common dictionary words aren't allowed as passwords.
  Block Previous Passwords: If enabled, previously used passwords aren't allowed.

Password Expiry
  Password Duration: The number of days a password remains valid.
  First Notification (Days): The user will receive their first notification of an expiring password this number of days before expiry.
  Second Notification: The user will receive another notification of an expiring password this number of days before expiry.

Password Lockout
  Failures for Lockout: The number of consecutive failed attempts to sign on needed to trigger an account lockout.
  Lockout Duration: The length of time (minutes) a user remains locked out.
  Reset Failure Count: The length of time without user activity (in minutes) that's needed before the count of failed sign on attempts is reset to zero.

Creating users in the PingOne directory

Manually creating a user from the administration portal

If the user account access is a single sign-on (SSO) application, skip this chapter and go to the next chapter.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory Users
Click on [Add Users].

Click on [Create New User].
Enter the following information:
  o New Password *
  o Confirm New Password *
  o Username *
  o Title
  o First Name
  o Middle Name
  o Last Name
  o Suffix
  o Formatted Name
  o (work) *
The fields with a red star (*) are mandatory.
To add groups to the new user, click on [Add].
Search the groups needed and check the boxes to select them.

Click on [Add].
Click on [Save].
The new user will receive an email. They will have to activate their account and set up a new password. After that, they will be marked as ACTIVE in PingOne.
Once their account is activated, the user will receive a new email to confirm the activation.

Manually inviting a user from the administration portal (alternate address possible)

Using an alternate address for the user is useful if the user account access is a single sign-on (SSO) application protected by PingOne.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Click on [Add Users].
Click on [Invite New User].
Enter the following information:
  o Address (*)
  o Alternate
Click on the small arrow next to [Send Invitation].
The user will receive a new email from PingOne with a unique link to create their account. If an alternate address was entered, they will receive this mail in their alternate mailbox.
They will have to create their account by entering mandatory attributes and set up a new password. After that, they will be marked as ACTIVE in PingOne.

Re-sending an invitation for a newly created user

If the user account access is a single sign-on (SSO) application, skip this chapter and go to the next chapter.
If a user doesn't receive their invitation, PingOne can resend it. However, before doing this, be sure that the PingOne notification has not been sent to the spam folder.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Type the first letters of the username in the search field.
When you find the required user, click on [Edit] at the end of the line.
Click on [Resend ].

Re-sending an invitation to an alternate address for a newly created user

These instructions are useful if the user account access is a single sign-on (SSO) application.
If a user doesn't receive their invitation, PingOne can resend it. However, before doing this, be sure that the PingOne notification has not been sent to the spam folder.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Type the first letters of the username in the search field.
When you find the required user, click on [Edit] at the end of the line.
Click on [Resend invitation to alternate address].
Enter the alternate address.
Click on [Send].
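The password policy parameters listed earlier in this chapter (Password Requirements and Password Lockout) interact over time, in particular Failures for Lockout, Lockout Duration and Reset Failure Count. The following Python model is an added example, not PingOne code; the policy values, the word list and the rule that an expired lockout clears the failure count are assumptions of this example.

```python
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Field names follow the guide's parameters; the values are constructed.
    min_length: int = 10
    min_uppercase: int = 1
    min_numbers: int = 1
    min_special: int = 1
    block_dictionary_words: bool = True
    block_previous_passwords: bool = True
    failures_for_lockout: int = 3
    lockout_duration_min: int = 15
    reset_failure_count_min: int = 30


# Constructed stand-in for a dictionary word list.
COMMON_WORDS = {"password", "welcome", "sunshine"}


def check_password(policy, candidate, previous=()):
    """Return the names of the requirements the candidate violates."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("Minimum Length")
    if sum(c.isupper() for c in candidate) < policy.min_uppercase:
        problems.append("Uppercase Characters Required")
    if sum(c.isdigit() for c in candidate) < policy.min_numbers:
        problems.append("Numbers Required")
    if sum(c in string.punctuation for c in candidate) < policy.min_special:
        problems.append("Special Characters Required")
    if policy.block_dictionary_words and candidate.lower() in COMMON_WORDS:
        problems.append("Block Dictionary Words")
    # Plaintext history is used only to keep the example short; a real
    # directory would compare against stored password hashes.
    if policy.block_previous_passwords and candidate in previous:
        problems.append("Block Previous Passwords")
    return problems


class LockoutTracker:
    """Per-account sign-on state; time is passed in as minutes."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = 0
        self.last_activity = None
        self.locked_until = None

    def attempt(self, now, success):
        """Record one sign-on attempt; return 'ok', 'failed' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"  # credentials are not even evaluated
            # Assumption: the count restarts once the lockout has expired.
            self.locked_until, self.failures = None, 0
        idle = None if self.last_activity is None else now - self.last_activity
        if idle is not None and idle >= self.policy.reset_failure_count_min:
            self.failures = 0  # Reset Failure Count window elapsed
        self.last_activity = now
        if success:
            self.failures = 0  # failures must be consecutive
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.failures_for_lockout:
            self.locked_until = now + self.policy.lockout_duration_min
            return "locked"
        return "failed"


def simulate(policy, events):
    """Replay (minute, success) pairs for one account; return the outcomes."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(minute, ok) for minute, ok in events]


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password(policy, "password"))
    # Constructed timeline: three quick failures, a try during lockout, a retry after.
    print(simulate(policy, [(0, False), (1, False), (2, False), (10, True), (17, True)]))
```

A correct password submitted during the lockout window is still refused, which is why Lockout Duration should be weighed against the help-desk load it creates.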

2.3.5 Deleting a user from the PingOne directory

Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Type the first letters of the username in the search field.
When you find the required user, click on the small arrow near the [Edit] button at the end of the line.
Click on [Delete].

Disabling a user from the PingOne directory

Only Active users can be disabled. Disabled users are not removed from the PingOne directory, but they are no longer allowed to connect to PingOne.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Type the first letters of the username in the search field.
When you find the required user, click on the small arrow near the [Edit] button at the end of the line.
Click on [Disable].

Modifying a user

You can modify a user and change their first name, last name or address.
Use your Administrator account to connect to your PingOne Administration Desktop.
PingOne Administration Desktop Users User directory
Type the first letters of the username in the search field.
When you find the required user, click on [Edit].
Modify the necessary information.
Click on [Save].

2.4 3rd party SAML

Processing steps for authentication

These are the processing steps for user authentication with a 3rd party SAML.
1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to the 3rd party SAML IDP specified in PingOne with an HTTP redirect.
4) The 3rd party SAML IDP authenticates the user.
5) The 3rd party SAML IDP will get the user's attributes from the corporate user repository to build a valid SAML assertion.
6) The 3rd party SAML IDP returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the SAML response from the 3rd party SAML IDP and redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
9) The user gets access to their PingOne dock.

Configuration of the 3rd party SAML IDP

As the configuration on the 3rd party SAML IDP side can be very complex and depends on the SAML IDP product, please contact the Orange Business Services team if you want to set

up a 3rd party SAML IDP as your identity bridge.

Setting a 3rd party SAML IDP as identity bridge:

PingOne Administration Desktop Setup Identity repository
Select 3rd Party SAML and click on [Setup].
Select the checkbox labeled Enable an account-specific Entity ID.
Click on [Download PingOne metadata] and save the xml file.
Send this metadata xml file to the 3rd party SAML IDP to enable the circle of trust. For more details about the circle of trust, go to the Flexible Identity Federation Quick start guide.
The 3rd party SAML IDP must provide a new metadata file containing its information. Once you get this file, upload it to PingOne.
PingOne Administration Desktop Setup Identity repository
Select 3rd Party SAML and click on [Edit].
Click on upload to send the file sent by the 3rd party SAML IDP.
Click on [Save configuration].

2.5 PingFederate

Processing steps for authentication

The processing steps for user authentication with PingFederate are similar to those for user authentication with 3rd party SAML IDP. These processing steps are described in

Configuration of PingFederate

As the configuration of PingFederate can be very complex, please contact the Orange Business Services team if you want to set up PingFederate as your identity bridge.

2.6 Google Apps for Work

When Google Apps for Work is selected as an identity provider, the OpenID Connect protocol is used instead of SAML for user authentication. This federation protocol is quite similar to SAML but is based on JSON/REST. OpenID Connect was designed for native apps and mobile applications whereas SAML was designed for web-based applications.
The user experience is the same as the experience with SAML, but the user must authorize the service provider to access their information on the first connection.

Processing steps for authentication

These are the processing steps for a user authentication with Google Apps for Work.
1) The user accesses the PingOne dock.
2) As the user is not authenticated, they are redirected through an HTTP redirect to the PingOne servers (sso.connect.pingidentity.com).
3) The PingOne server redirects the user to the Google Apps server for authentication.
4) The user enters their credentials in the login page provided by Google.
5) On the 1st connection, the user needs to authorize PingOne to access their Google Apps information (i.e. their address, full name and groups).
6) Google Apps provides an OpenID token and redirects (via HTTP redirect) the user to the PingOne servers.
7) The browser automatically posts the HTML form back to the PingOne servers (sso.connect.pingidentity.com).
8) The PingOne servers validate the OpenID token by contacting the Google Apps servers.
9) The Google Apps servers validate the OpenID token.
10) Once the OpenID token is validated, PingOne servers redirect the user to their PingOne dock with a token ID. This token ID is not a SAML assertion but a session ID.
11) The user gets access to their PingOne dock.

2.6.2 Authorization for PingOne

When the user authenticates the first time, they will be asked by Google Apps for Work to authorize PingOne to access their information. This is the validation page:
Without these authorizations, the user cannot access the PingOne services.

Setting Google Apps as an identity provider

Preparing the Google Apps environment

To enable SSO with Google Apps, some operations must be carried out on the Google Apps environment.
Connect to the Google Apps environment.
Go to the admin interface:
On the admin console, click on [Security].

On the Security menu, go to Advanced settings -> Authentication and click on [Federated Login using OpenID].
Select the checkbox labeled Allow users to sign in to third party websites using OpenID.
Click on [Save changes].
On the Security menu, go to Advanced settings and click on [Manage API client access].
In the Client Name field, enter the following value:
  o sso.connect.pingidentity.com

In the One or More API Scopes field, enter the following value:
  o
Click on [Authorize].
On the Security menu, go to API reference -> API access and select the checkbox labeled Enable API access.
Click on [Save changes].
Go to the admin interface:
Click on [More controls] and then on [Admin Roles]:
Click on [Create a new role].
In the name field, enter the following value:
  o ProvisioningAPI
In the description field, enter the following value:
  o This is the admin role to enable the Provisioning API.
Click on [Create].
Scroll down until you find the Provisioning APIs section, select the checkbox next to Groups and then the checkbox beneath Read.

Click on [Save changes].
You must assign every user in the Google Apps for Work domain to this new ProvisioningAPI role.
Select Users from the menu bar.
Select the user to which you want to assign the role.
Click on [Admin roles and privileges].
Click on [Manage roles].
Select the ProvisioningAPI role from the dropdown list.
Click on [Update roles].
Create a group named PingOne Users.
Click on [More controls] and then on [Groups]:
Click on [Create group].
In the name field, enter the following value:
  o PingOneUsers

In the mail field, enter the following value:
  o
In the description field, enter the following value:
  o This is the group for the PingOne users.
Select the checkbox labeled Add all users within yourdomain.com to this group.
Click on [Create].

Preparing the PingOne environment

Create the following group in PingOne:
PingOne Administration Desktop Users User groups
Click on [Add new group].
Enter PingOneUsers as the group name.
Click on [Save].
Set Google Apps as identity bridge:

PingOne Administration Desktop Setup Identity repository
Select Google Apps and click on [Setup].
Enter your Google Apps domain name in the field labeled Google Apps Domain Name.
Click on [Configure OAuth].
A pop-up window will open asking you to authenticate with your Google account:
Enter the and password of the Google domain administrator account and click on [Sign in].
The pop-up window will ask for permissions:

Click on [Accept].
The OAuth Configuration must be seen as Complete:
Click on [Save].

3 Basic use

3.1 Administrator connection to PingOne

To connect to your administrator environment, go to the following URL:
Enter your credentials.
Click on [Sign-On].
You will access the dashboard of your PingOne environment:

The URL for user connections is displayed as the PingOne dock URL on the dashboard page.

3.2 User connection to the PingOne dock

Users can access the PingOne dock only if the identity bridge is selected and configured. The URL of your PingOne dock can be found on the dashboard of your PingOne environment. See 3.1 for more details.
With the PingOne directory as an identity bridge: The PingOne dock URL can also be found in the invitation mail for users from the PingOne directory. This mail is sent for every new user created, but only if the PingOne directory was selected as the identity bridge.

4 PingOne administration

There are two ways to give administrative rights for PingOne. You can:
Create specific administrator accounts. These accounts cannot be used by end users to access the PingOne dock or the applications protected by PingOne.
Give administrative rights to users. These rights are given through their group membership in the identity bridge.

4.1 Creating administrator accounts

These administrator accounts will not have access to the PingOne dock or the applications protected by PingOne.

Four types of administrator accounts are available in PingOne:
Global Admin
SaaS Admin
Directory Admin
Service User Administrator

These are the differences between them:

Rights (table columns: Global Admin, SaaS Admin, Directory Admin, Service User Administrator)
  Add/Edit/Remove applications
  Add/Edit/Remove users
  Configure multi-factor authentication
  Get reports
  Change the identity bridge
  Change the display (logos/custom messages)
  Add administrator accounts

To create Administrator accounts in PingOne, connect to your PingOne administration environment:
PingOne Administration Desktop Account Administrators
Click on [Add Administrator].
Enter the following information:
  o First Name
  o Last Name
  o address
  o Role (use the selector to choose between the 4 roles)
Click on [Invite].

4.2 Granting users access to the administration portal

With the PingOne directory as an identity bridge

If the identity bridge selected in PingOne is the PingOne directory, three types of administrator accounts are available:
User reader: this role can view users and groups in the PingOne directory.

User manager: this role can create and modify the users in the PingOne directory.
Group and Entitlement manager: this role has the same entitlements as the user manager plus the ability to create directory groups and change group membership.

These three administrative roles are given to the users through their PingOne directory group membership. To give the groups these administrative roles, follow these instructions on your PingOne administration environment:
PingOne Administration Desktop Users User Directory Groups
On the group list, click on [Edit] near the group to modify.
On the Directory Permissions part, select the directly applied role by selecting one of the following options:
  o No Access
  o User Reader
  o User Manager
  o Group and Entitlement Manager
Click on [Save].

With other identity bridges

PingOne can use the group membership sent by the identity bridge to give your users access to the administration portal.
To give an administrator access to your users, connect to your PingOne administration environment:
PingOne Administration Desktop Setup Dock Configuration Edit
Check the box Show advanced settings to display the Admin-Portal SSO item at the end of the web page.
Enter the groups of your identity bridge to use for the administrators in the Global Administrator Group field. If you are using PingOne AD Connect as an identity bridge, enter the fully-distinguished names (DN) of the groups (for example: CN=admins,OU=Test,DC= ).
Click on [Save changes].

4.3 Access to the PingOne administration environment through the PingOne dock (for users)

When a user has administrative rights, a new application appears in their PingOne dock.
A new item named Administration also appears in the top menu of the PingOne dock:
The user just has to click on one of these elements to open the PingOne Administration page in a new tab.

5 Service customization

5.1 Customizing the PingOne dock

The PingOne dock is a web portal that displays all the user applications. The customized elements are displayed in orange in the following diagram:

These elements can be modified in:
Setup Dock Configuration Edit
Select the checkbox labeled Show advanced settings.
Change the values.
Click on [Save changes].

5.2 Customizing the PingOne AD Connect full with a specific IIS login page

If you are using AD Connect Full with IIS, it is possible to use a custom login page. Two steps are needed to perform this look and feel customization:
Prepare the customization archive
Install the customization archive

Preparing the customization archive

The look & feel customization archive is an ordinary zip archive, named theme.zip, which contains the necessary HTML and related media files for login and error pages. The choice of folder layout for the archive is free. The only required files inside the zip archive are templates for login/error pages:
login.html (in the root of archive)
error.html (in the root of archive)

changepassword.html (in the root of archive)
passwordchanged.html (in the root of archive)

Templates are free to include any js/graphics/css or other types of scripts packaged within the archive using relative links, for example:
    <link rel="stylesheet" media="all" type="text/css" href="css/screen.css">
    <script src="assets/js/script.js"></script>
All image names referenced should be in lower case.
Templates have to use substitution symbols to render dynamic content generated by AD Connect as described below.

The login.html template should use the following predefined names for authentication form fields:
ad.username for username
ad.password for password

The changepassword.html template should use the following predefined names for form fields:
ad.username for username
ad.password for current password
ad.newpassword for new password
ad.confirmpassword for new password confirmation

Substitution template symbols and constructions per page

login.html

$action$ - will be replaced with the actual URL to AD Connect where form data must be posted for authentication, for example:
    <form method="post" action="$action$"> </form>
$error$ - will be replaced with an error message. If an error occurs, the $if(error)$ $endif$ will display it thanks to the HTML <div> tag. For example:
    $if(error)$ <div>$error$</div> $endif$
$username$ - must be attached to the input field for the username value; it is used to retain the value if an error occurred, for example:
    <input id="username" type="text" size="36" name="ad.username" value="$username$" />
$changepassword_url$ - will be replaced by the URL to the change password page, for example:

    <a href="$changepassword_url$">change my password</a>

error.html

$ErrorMessage$ - will be replaced with the actual error description, for example:
    <font face="arial"> $ErrorMessage$</font>

changepassword.html

$action$ - will be replaced with the actual URL to AD Connect where form data must be posted for authentication, for example:
    <form method="post" action="$action$"> </form>
$username$ - must be attached to the input field for the username value; it is used to retain the value if an error occurred, for example:
    <input id="username" type="text" size="36" name="ad.username" value="$username$" />
$error$ - will be replaced by the error message. If an error occurs, the $if(error)$ $endif$ will display it thanks to the HTML <div> tag. For example:
    $if(error)$ <div>$error$</div> $endif$
$msg$ - will be replaced by the success message. If there is a success message to show, the $if(msg)$ $endif$ will display it thanks to the HTML <div> tag. For example:
    $if(msg)$ <div>$msg$</div> $endif$
$cancel_url$ - cancel URL, to which the user is redirected if the cancel button is pressed. If cancellation is possible, the $if(cancel_url)$ $endif$ will show this thanks to the HTML <div> tag. For example:
    $if(cancel_url)$ <a href="$cancel_url$" title="cancel">cancel</a> $endif$

passwordchanged.html

$resume_url$ - resume URL, to which the user is redirected if the 'Continue' button is pressed, for example:
    <a href="$resume_url$" class="button normal allow" title="continue">continue</a>
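The template requirements above (required files in the archive root, predefined form field names, substitution symbols, packaged relative links, lower-case image names) can be checked before theme.zip is copied to the server. The following Python checker is an added example, not part of AD Connect; treating every listed symbol as expected, flagging external src/href references, and the sample theme contents are assumptions of this example.

```python
import io
import posixpath
import re
import zipfile

# Form field names and substitution symbols the guide lists per template.
# Assumption of this example: every listed symbol is expected in its page.
EXPECTED = {
    "login.html": (["ad.username", "ad.password"],
                   ["$action$", "$error$", "$username$", "$changepassword_url$"]),
    "error.html": ([], ["$ErrorMessage$"]),
    "changepassword.html": (
        ["ad.username", "ad.password", "ad.newpassword", "ad.confirmpassword"],
        ["$action$", "$username$", "$error$", "$msg$", "$cancel_url$"]),
    "passwordchanged.html": ([], ["$resume_url$"]),
}
REF_RE = re.compile(r'(?:src|href)\s*=\s*"([^"]*)"', re.IGNORECASE)
EXTERNAL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|//)", re.IGNORECASE)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")


def check_ref(ref, names):
    """Check one src/href value against the set of archive member names."""
    if not ref or ref.startswith(("$", "#")):
        return []  # substitution symbol or in-page fragment
    if EXTERNAL_RE.match(ref):
        # Remote script or CSS makes the credential form depend on a third party.
        return [f"external reference {ref}"]
    path = posixpath.normpath(ref.split("?")[0].split("#")[0])
    problems = []
    if path not in names:
        problems.append(f"{path} is not packaged in the archive")
    if path.lower().endswith(IMAGE_EXT) and path != path.lower():
        problems.append(f"image name {path} is not lower case")
    return problems


def check_theme(zip_bytes):
    """Return a list of findings for a theme.zip given as bytes (empty = clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for page, (fields, symbols) in EXPECTED.items():
            if page not in names:
                findings.append(f"{page}: missing from archive root")
                continue
            html = zf.read(page).decode("utf-8", errors="replace")
            for name in fields:
                if not re.search(r'name\s*=\s*"%s"' % re.escape(name), html):
                    findings.append(f"{page}: no form field named {name}")
            for symbol in symbols:
                if symbol not in html:
                    findings.append(f"{page}: symbol {symbol} not used")
            if html.count("$if(") != html.count("$endif$"):
                findings.append(f"{page}: unbalanced $if(...)$ / $endif$")
            for ref in REF_RE.findall(html):
                findings += [f"{page}: {p}" for p in check_ref(ref.strip(), names)]
    return findings


def make_zip(files):
    """Build an in-memory zip from a {name: text} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample theme (not from a real deployment).
ERR = "$if(error)$<div>$error$</div>$endif$"
USER = '<input type="text" name="ad.username" value="$username$">'
GOOD = {
    "login.html": '<link rel="stylesheet" href="css/screen.css">'
                  '<img src="img/logo.png"><form method="post" action="$action$">'
                  + ERR + USER + '<input type="password" name="ad.password"></form>'
                  '<a href="$changepassword_url$">change my password</a>',
    "error.html": "<div>$ErrorMessage$</div>",
    "changepassword.html": '<form method="post" action="$action$">' + ERR
                  + "$if(msg)$<div>$msg$</div>$endif$" + USER
                  + '<input type="password" name="ad.password">'
                  '<input type="password" name="ad.newpassword">'
                  '<input type="password" name="ad.confirmpassword"></form>'
                  '$if(cancel_url)$<a href="$cancel_url$">cancel</a>$endif$',
    "passwordchanged.html": '<a href="$resume_url$">continue</a>',
    "css/screen.css": "body { margin: 0; }",
    "img/logo.png": "",
}
# The same theme with defects introduced on purpose.
BAD = dict(GOOD)
del BAD["passwordchanged.html"]
BAD["login.html"] = (GOOD["login.html"]
                     .replace('name="ad.password"', 'name="password"')
                     .replace("img/logo.png", "img/Logo.PNG")
                     + '<script src="https://cdn.example.invalid/lib.js"></script>')

if __name__ == "__main__":
    for finding in check_theme(make_zip(BAD)):
        print(finding)
```

To check a real archive, pass the bytes of theme.zip read from disk to check_theme.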

5.2.3 Installing the customization archive

To install the customization archive, rename the downloaded file "theme.zip" and copy it to the SSO application folder. The default location is:
C:\Program Files (X86)\Ping Identity\ADconnect\SSO
All the customization content should be part of the zip package and called "theme.zip".
No IIS restart is required.

6 Managing applications in PingOne

6.1 Adding an application

In PingOne, there are three ways to add an application. Once the application is added, do not forget to enable it for the users. Go to 6.2 to give them access.

Application from the PingOne catalog

As the PingOne catalog contains many applications, it is not possible to describe all their configurations. Please follow the instructions provided by the PingOne catalog.
To add an application using the PingOne application catalog, go to the following page in your PingOne administration environment.
Applications Application Catalog
In the Search field, start typing the name of the application to add.
When the application is displayed, click on the arrow on the right-hand side of the table:
A short description of the application will appear:

Click on [Setup] to begin the configuration.
Follow the application Service Provider's instructions to configure SSO for the application.
Click on [Continue to Next Step].

SAML application

Use this configuration if you want to set up a SAML application that isn't in the application catalog.

From the application SSO URL

Some applications provide an SSO URL that allows easy configuration of the SAML connections. If you do not have this URL, skip this chapter and go to
To add a new SAML application from an SSO URL, go to the following page in your PingOne administration environment.
Applications My Applications
Click on [Add Application] and select [New SAML Application].
Enter the Application Name and Application Description as they are required fields. For logos and icons, PNG is the only supported graphics format.
Click on [Continue to Next Step]. The Application Configuration page is displayed.
Click on [I have the SSO URL].
Enter the URL in the SSO URL field. PingOne will encode this URL, so do not encode it (for example, by using "&" rather than "&amp;").
Click on [Save and Publish].

Without the application SSO URL

If Google Apps is set up as the Identity bridge in your PingOne environment, do not add Google applications using this method.
To add a new SAML application, go to the following page in your PingOne administration environment.
Applications My Applications
Click on [Add Application] and select [New SAML Application]. The Application Details page is displayed.
Enter the Application Name and Application Description as they are required fields. For logos and icons, PNG is the only supported graphics format.
Click on [Continue to Next Step]. The Application Configuration page is displayed.
Provide the SAML configuration details for the application.
  a. Click on [Download] to retrieve the SAML Metadata for PingOne. This supplies the PingOne connection information to the application.
  b. To upload metadata from the SAML application, click on [Choose File] to upload the metadata file. The entries for ACS URL and Entity ID will then be supplied for you. If you don't upload the application metadata, you'll need to enter this information.
  c. For Verification Certificate, click on [Choose File] to upload the application's certificate.
The remaining entries are optional, depending on your requirements.
Click on [Continue to Next Step]. The SSO Attribute Mapping page is displayed.
Modify or add any attribute mappings as necessary for the application. In most cases, the default attribute mappings are sufficient. These mappings assign your identity bridge attributes to the attributes provided by the Service Provider for the application.
For each application attribute, it is possible to:
  o Click on the Required checkbox to designate an attribute(s) as required by the application.
  o Click in an entry box and select an identity bridge attribute from a dropdown list.
  o Click in an entry box and enter an identity bridge attribute.

  o Click the As Literal checkbox and in the entry box, enter a literal value to assign.
  o Click on [Advanced] and enter Advanced Attribute Mapping mode.
  o Click on [Add new attribute] to enter any additional attributes required by the application. You then have all of the choices above when configuring the attribute.
When the configuration of attribute mappings is done, click on [Save & Publish]. The Review Setup page is displayed.
Review the application connection information. Some of this information may be needed by the SP to complete the SSO configuration for the application. In particular, you can download the PingOne signing certificate and the PingOne SAML metadata (which has the certificate embedded). The SSO URL for the application is displayed on this page. This URL can be used to test SSO directly to the application without going through the PingOne dock.
Click on [Finish] to complete the application setup.

Basic SSO application

To use the basic SSO, users must add a browser extension. The supported browsers are:
Internet Explorer 8 (Windows XP and 7), 9 (with Protected Mode disabled), 10 or later.
Firefox, 2013 releases or later.
Chrome, 2013 releases or later.
To add a basic SSO application, go to the following page in your PingOne administration environment.
PingOne Administration Desktop Applications My Applications
Click on [Add Application] and select [Add New Basic SSO Application].
Click on [Begin] to launch the wizard for adding new Basic SSO applications.
The wizard will guide you to configure the application.

6.2 User management for applications

Creating groups in PingOne Directory

With PingOne directory set as an identity bridge, it is possible to create groups to easily manage the users' access to your PingOne protected applications.
PingOne Administration Desktop Users User directory Groups

Click on [Add group].
Enter a name for the new group.
Select the Directory Permissions to give administrative rights to the group. For more details about these administrative rights, see chapter
Click on [Save].

Adding a group in PingOne (except for PingOne directory)

To add a user group in PingOne, go to the following page:
PingOne Administration Desktop Users User Groups
Click on [Add New Groups].
Enter the name of the group. If AD Connect is selected as an identity bridge, enter the full distinguished name of the corresponding Active Directory Group (i.e. CN=ApplicationGroup,OU=PingUsers,DC=mydomain,DC=com).
Click on [Save].

Authorizing group access to applications

To authorize a user group to access applications, go to the following page:
PingOne Administration Desktop Users User Groups
Select the group needed and click on [Edit].
Click on the checkbox next to the application needed for this group.
Click on [Save].

7 PingOne browser extension

The basic SSO user experience needs a specific browser extension to be used. You can let your users install the plugins manually or use automatic deployment.

7.1 Manual setup of the PingOne browser extension

Manual installation is described in the User guide.

7.2 Automatic installation through Windows GPO (on Windows domains only)

The PingOne browser extension can be installed on individual desktops by users, or it can also be deployed silently across an enterprise using Windows Group Policy Objects (GPOs). To deploy the PingOne browser extension for Internet Explorer using a GPO, the following steps may be used:

Create a shared network folder, which all target machines can access.
Download and copy the browser extension installer file (PingOne-Extension.msi) into this shared folder. The locations of the browser extension are listed by browser type below.
  Chrome:
  Firefox: Extension.xpi
  Internet Explorer x86:
  Internet Explorer x64:
Open the Group Policy Management console to create a new group policy.
Click on [Start -> Run].
Type gpmc.msc and click on [OK]. The Group policy management console will open.
Right-click on Group Policy Objects and then click on [New]:

Give a name to the GPO:
Click on [OK].
Highlight the newly created Group Policy, then right-click and select the [Edit] option:

- In the Editor window, navigate to [Computer Configuration -> Policies -> Software Settings -> Software Installation].
- Right-click on [Software Installation] to display a pop-up menu, then select [New -> Package...]:
- Navigate to the shared folder where the PingOne-Extension.msi installer file has been copied and select the installer file:

- Return to the Group Policy Management window to select the organizational unit (OU) to which the new browser extension GPO will be applied:

The new policy will be applied to each node that resides in the target OU. The installation process will occur without user intervention. However, the user will be prompted to enter their Privacy Key on the initial post-installation launch of the PingOne dock URL:

Once the Privacy Key has been entered, the user is ready for Basic SSO activity.

8 Enabling IWA with browser clients (AD Connect)

With Integrated Windows Authentication (IWA), users do not have to re-authenticate after their first login on their Windows desktop (on the internal network only). They can access their corporate applications with a simple click. To enable it, their web browsers need to be modified.

8.1 Enabling IWA in the PingOne admin portal

PingOne Administration Desktop -> Setup -> Identity Repository

- Click on the pencil to edit the AD Connect configuration.

- Click on [Edit] on the line AD Connect configuration.
- Then in the AD Connect Options part, check Enable IWA.
- In the Intranet IP Blocks, enter your internal IP addresses as they will be seen from the Internet.
- Click on [Save].

8.2 Enabling IWA for Mozilla Firefox

- Open the Mozilla Firefox browser.
- In the address bar, enter about:config and hit Return.

Note: If prompted with a warning about changing these options, indicate that you are sure and want to continue.

- Filter for network.negotiate-auth.trusted-uris. Enter the names of your AD Connect instances. Do not use FQDN names, and use a comma to separate the values if you have multiple AD Connect instances (for example agent2008r2,agent2012r2).
- Filter for network.automatic-ntlm-auth.trusted-uris. Enter the names of your AD Connect instances. Do not use FQDN names, and use a comma to separate the values if you have multiple AD Connect instances (for example agent2008r2, agent2012r2).
- Filter for network.automatic-ntlm-auth.allow-non-fqdn. Double-click on it to set the value to true.

8.3 Enabling IWA for Internet Explorer

Internet Explorer web browsers must be configured as follows:

- Open the Internet options:

- Select the [Security] tab:
- Select [Local intranet]:
- Click on [Custom level...].
- In the Security Settings dialog box, scroll down to User Authentication and select [Automatic logon only in Intranet zone].
- Click on [OK].
- Click on the [Advanced] tab.
- Scroll down to the Security section.
- Select [Enable Integrated Windows Authentication]:

- Click on [OK] to validate. If Enable Integrated Windows Authentication was not selected before, the computer must be restarted.

8.4 Enabling IWA for Google Chrome

Google Chrome uses the same parameters as Internet Explorer. To configure IWA with Google Chrome, follow the steps described in the previous chapter

Reports

Each PingOne subsystem logs all transactions. Each customer has access to their own reports from their PingOne Administration Desktop. Customers can get reports:

- For all the transactions (global view).
- For a specific user's transactions.

9.1 Global reports

Displaying the global reports

To display the listing of current transactions for your environment, go to the following page: PingOne Administration Desktop -> Dashboard -> Reports

This page lists the transactions currently logged by the PingOne subsystems. The transactions are sorted in descending order, beginning with the most recent transaction. You can refresh the page to display any more recent transactions. The transactions of the last 24 hours are returned when the page is rendered, unless you specify date and time filter criteria. All dates and times are for your local time zone.

In the top panel of the report are:
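For section 8.2 (Enabling IWA for Mozilla Firefox), an added example that is not part of the original guide: a Python check that reads the text of a Firefox profile's prefs.js or user.js and compares the three IWA preferences with the AD Connect short names you expect. The two trusted-uris lists decide which hosts Firefox answers automatically with Windows credentials, so the check reports extra entries as well as missing ones. The function names, issue labels and sample profile text are assumptions constructed for illustration.

```python
import re

# Preference names from section 8.2 of the guide.
NEGOTIATE = "network.negotiate-auth.trusted-uris"
NTLM = "network.automatic-ntlm-auth.trusted-uris"
ALLOW_NON_FQDN = "network.automatic-ntlm-auth.allow-non-fqdn"

# One preference line as Firefox writes it in prefs.js / user.js.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)

# Constructed sample: a profile configured as section 8.2 describes.
GOOD_PROFILE = '''
// constructed sample, not taken from a real profile
user_pref("network.negotiate-auth.trusted-uris", "agent2008r2,agent2012r2");
user_pref("network.automatic-ntlm-auth.trusted-uris", "agent2008r2, agent2012r2");
user_pref("network.automatic-ntlm-auth.allow-non-fqdn", true);
'''

# Constructed sample: a profile that has drifted from the documented values.
DRIFTED_PROFILE = '''
user_pref("network.negotiate-auth.trusted-uris", "agent2008r2,fileserver01");
user_pref("network.automatic-ntlm-auth.trusted-uris", "agent2008r2.mydomain.com");
user_pref("network.automatic-ntlm-auth.allow-non-fqdn", false);
'''


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comment, blank line or anything that is not a pref
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_iwa_prefs(text, ad_connect_hosts):
    """Compare the IWA preferences with the expected AD Connect short names.

    Returns a sorted list of (preference, issue, detail) tuples. An empty
    list means the profile matches section 8.2 for the given host names.
    """
    expected = {h.lower() for h in ad_connect_hosts}
    prefs = parse_prefs(text)
    findings = []
    for name in (NEGOTIATE, NTLM):
        value = prefs.get(name)
        if not isinstance(value, str) or not value.strip():
            findings.append((name, "not-set", ""))
            continue
        listed = {h.strip().lower() for h in value.split(",") if h.strip()}
        for host in listed - expected:
            # A dot or a slash means the entry is not a bare host name,
            # which is what the guide asks for; anything else is simply
            # a host outside the expected AD Connect list.
            bare = "." not in host and "/" not in host
            issue = "unexpected-host" if bare else "not-short-name"
            findings.append((name, issue, host))
        for host in expected - listed:
            findings.append((name, "missing-host", host))
    if prefs.get(ALLOW_NON_FQDN) is not True:
        findings.append((ALLOW_NON_FQDN, "not-true", repr(prefs.get(ALLOW_NON_FQDN))))
    return sorted(findings)


if __name__ == "__main__":
    hosts = ["agent2008r2", "agent2012r2"]
    for label, profile in (("good", GOOD_PROFILE), ("drifted", DRIFTED_PROFILE)):
        print(label)
        for finding in audit_iwa_prefs(profile, hosts) or [("-", "ok", "")]:
            print("  ", *finding)
```
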


Load Balancing Exchange 2007 Client Access Servers using Windows Network Load- Balancing Technology Load Balancing Exchange 2007 Client Access Servers using Windows Network Load- Balancing Technology In this article I will show you how you can load-balance Exchange 2007 Client Access Servers (CAS) using

More information

XenDesktop Implementation Guide

XenDesktop Implementation Guide Consulting Solutions WHITE PAPER Citrix XenDesktop XenDesktop Implementation Guide Pooled Desktops (Local and Remote) www.citrix.com Contents Contents... 2 Overview... 4 Initial Architecture... 5 Installation

More information

Secure Messaging Server Console... 2

Secure Messaging Server Console... 2 Secure Messaging Server Console... 2 Upgrading your PEN Server Console:... 2 Server Console Installation Guide... 2 Prerequisites:... 2 General preparation:... 2 Installing the Server Console... 2 Activating

More information

LAB: Enterprise Single Sign-On Services. Last Saved: 7/17/2006 10:48:00 PM

LAB: Enterprise Single Sign-On Services. Last Saved: 7/17/2006 10:48:00 PM LAB: Enterprise Single Sign-On Services LAB: Enterprise Single Sign-On Services 2 TABLE OF CONTENTS HOL: Enterprise Single Sign-On Services...3 Objectives...3 Lab Setup...4 Preparation...5 Exercise 1:

More information

Cloud Authentication. Getting Started Guide. Version 2.1.0.06

Cloud Authentication. Getting Started Guide. Version 2.1.0.06 Cloud Authentication Getting Started Guide Version 2.1.0.06 ii Copyright 2011 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.

More information

How-to: Single Sign-On

How-to: Single Sign-On How-to: Single Sign-On Document version: 1.02 nirva systems info@nirva-systems.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS Applies to: SAP Gateway 2.0 Summary This guide describes how you install and configure SAML 2.0 on Microsoft ADFS server and SAP NetWeaver

More information

FileMaker Server 13. FileMaker Server Help

FileMaker Server 13. FileMaker Server Help FileMaker Server 13 FileMaker Server Help 2010-2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,

More information

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce. Chapter 41 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:

More information

Managing policies. Chapter 7

Managing policies. Chapter 7 Chapter 7 Managing policies You use the Policies tab in Admin Portal to create policy sets for roles. A policy set lets you configure the following categories of policies: Mobile Device Policies Use to

More information

Copyright Pivotal Software Inc, 2013-2015 1 of 10

Copyright Pivotal Software Inc, 2013-2015 1 of 10 Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10

More information