1 APPLICATION NOTE IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS SAML 2.0 combines encryption and digital signature verification across resources for a more secure and robust single sign-on mechanism across network boundaries Copyright 2013, Juniper Networks, Inc. 1
2 Table of Contents Introduction... 4 Scope... 4 Design Considerations... 5 Advantages of SAML... 5 Components of SAML Features of SAML Supported Scenarios... 6 MAG Series as Identity Provider (IdP)... 6 Flow Diagram... 6 Setting Up IdP Configuration...7 Setting Up the SP Information... 9 Configuring the Bookmark...11 Configuring Resource Policies for SSO...12 MAG Series as IdP Summary...13 MAG Series SSL VPN as Service Provider...13 Flow Diagram...13 Install Certificates...14 Setting Up the Authentication Server...16 Setting Up the Sign-In Page...17 MAG Series as Service Provider Summary...20 Summary...20 Appendix A...21 References About Juniper Networks Copyright 2013, Juniper Networks, Inc.
3 List of Figures Figure 1: MAG Series as an IdP...7 Figure 2: Sign-in SAML metadata provider...7 Figure 3: Sign-in SAML identity provider settings... 8 Figure 4: Adding SP information... 9 Figure 5: SAML global configuration... 9 Figure 6: Uploading the metadata file of an SP on the MAG Series... 9 Figure 7: Configuring SP on the MAG Series using metadata...10 Figure 8: Configuring SP on the MAG Series manually...10 Figure 9: Setting up the SP on the MAG Series and specifying details...11 Figure 10: Setting up bookmarks and user roles...11 Figure 11: Roles -> Web -> Bookmark...12 Figure 12: Bookmark details...12 Figure 13: Resource Policies -> SSO -> SAML External Apps...12 Figure 14: SAML external apps configuration...13 Figure 15: MAG Series as an SP...14 Figure 16: Installing a Trusted Server CA...15 Figure 17: Installing a certificate for encryption...15 Figure 18: Setting up SAML Auth Server...16 Figure 19: SAML Auth Server configuration Figure 20: SAML Auth Server configuration Figure 21: SAML Auth Server configuration Figure 22: Sign-In pages...18 Figure 23: Custom Sign-In page creation...18 Figure 24: Sign-In policy...19 Figure 25: Sign-In page...19 Figure 26: SAML error displayed when URL is missing...20 Figure 27: Role Mapping Rule for a custom expression...21 Figure 28: Creating a custom expression...21 List of Tables Table 1. MAG Series as IdP and SP... 6 Table 2. Modes for MAG Series as IdP Copyright 2013, Juniper Networks, Inc. 3
4 Introduction As enterprises and other organizations increasingly move their sensitive business information, applications, and other resources to public, private, or hybrid clouds, security becomes paramount. One of the essential steps toward a more secure environment is to establish and ratify user credentials before allowing them access to resources. While the importance of password protection cannot be emphasized enough, it can prove challenging for users to remember and enter multiple user names and passwords for the various resources they use during their workday. Single sign-on (SSO) is a methodology that allows a user to enter credentials just once in order to access multiple cloud-based resources. While the concept helps to ease the burden on users, it is useful only if it can guarantee a secure means of communication with every other application once the credentials have been entered. Security Assertion Markup Language (SAML) 2.0 can achieve a secure method of verifying user credentials before granting access to cloud-based resources. Perhaps the biggest advantage of SAML 2.0 is the ability to cross-reference beyond borders across clouds, applications, and other resources. By spanning these resources and combining encryption and digital signature verification, SAML 2.0 offers a more secure and robust mechanism to achieve SSO for organizations. While moving data, applications, and other resources to the cloud can have a positive impact on business efficiency and costs, the user experience and productivity often suffer by requiring multiple logins to diverse resources. Of course, the need to verify login credentials before granting access is the first line of defense in network security. Therefore, if a mechanism can maintain the same level of security while easing the burden on the end user, it will achieve dual objectives. To that end, SSO allows users to enter their credentials only once in order to access multiple end applications. There are a variety of ways in which SSO can be implemented, but most of them impose constraints and thus offer less flexibility. While traditional SSO works well in an environment confined within an intranet, expanding the scope of the network (as to the cloud) exposes severe limitations. SAML 2.0 combines the features of a variety of mechanisms including Shibboleth and Liberty Alliance s Identity Federation Framework (ID-FF), thus federating the identity and removing many of the constraints of other methods. SAML, developed by Organization for the Advancement of Structured Information Standards (OASIS), was designed primarily to implement web-based SSO and enable businesses to leverage an identity-based security system. It is an XML-based framework that is used for communicating user information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. OASIS-standard SAML offers security and scalability that has been field proven in production deployments worldwide. With the increasing adoption of cloud-based applications, SAML 2.0 can help alleviate a significant user burden by eliminating the need to enter credentials more than once. Scope This document provides a discussion of the two essential components of the SAML realm the Identity Provider (IdP) and the Service Provider (SP). It includes details of how Juniper Networks MAG Series Junos Pulse Gateways running Junos Pulse Secure Access Service (SSL VPN) can be set up to function as either an IdP or an SP. It also provides specific configuration examples that network engineers can use to set up the MAG Series as either an IdP or SP, depending upon the use case. 4 Copyright 2013, Juniper Networks, Inc.
5 Design Considerations Advantages of SAML The benefits of SAML include: Platform neutrality SAML abstracts the security framework from platform architectures and particular vendor implementations. This offers increased interoperability across different IdP and SP implementations. Loose coupling of directories SAML does not require user information to be maintained and synchronized between directories. Improved online experience for end users SAML enables single sign-on by allowing users to authenticate at an identity provider and then access service providers without additional authentication. In addition, identity federation (linking of multiple identities) with SAML allows for a better and more customized user experience at each service while still promoting privacy. Reduced administrative costs for service providers Using SAML to reuse a single act of authentication (such as logging in with a user name and password) multiple times across multiple services can reduce the cost of maintaining account information. This burden is transferred to the identity provider. Risk transference SAML can act to push responsibility for proper management of identities to the identity provider, which is more often compatible with its business model than that of a service provider. Components of SAML 2.0 SAML 2.0 uses the following components: Assertions A package of information that supplies one or more statements made by an SAML authority. Protocol Defines the request/response protocols to enable communication between the SP and IdP. Bindings Called SAML protocol bindings, these are mappings from SAML request-response message exchanges into standard messaging or communication protocols. For instance, the SAML SOAP binding defines how SAML protocol messages can be communicated within SOAP messages, while the HTTP Redirect binding defines how to pass protocol messages through HTTP redirection. Profiles Constraints and/or extensions in support of the use of SAML for a particular application. The goal of profiles is to enhance interoperability by removing some of the flexibility inevitable in a general use standard. It describes how and which protocol bindings and assertions to use to solve any specific use case. Features of SAML 2.0 SAML 2.0 is not backward compatible with SAML 1.0 or SAML 1.1. New features implemented in SAML 2.0 include: Metadata The Service Provider and Identity Provider can generate metadata that contains information about themselves, including URLs, certificates, keys and supported profiles. The metadata from the IdP, for example, can then be used to set up the correct information on the SP, making SAML 2.0 deployment easier. Encryption SAML 2.0 permits the communication of user information between the Identity Provider and the Service Provider to be encrypted, ensuring end-to-end confidentiality. Identity Provider discovery This helps the SP discover the correct identity provider when there are multiple IdPs. Devices This provides the ability to support mobile devices and smartphones. Pseudonyms SAML 2.0 defines how an opaque pseudo random identifier with no discernible correspondence with meaningful identifiers (for example, s or account names) can be used between providers to represent principals. Pseudonyms are a key privacy-enabling technology because they inhibit collusion between multiple providers (as would be possible with a global identifier such as an address). Identifier management This determines how two providers can establish and manage the principals. Attribute profiles These are the formats in which attribute profiles can be exchanged. Session management This is a mechanism by which all sessions can be terminated by a session authority at the same time, e.g., single logout. Juniper Networks MAG Series Junos Pulse Gateways running Junos Pulse Secure Access Service can be deployed as an IdP or an SP. The following sections examine specific use cases where the MAG Series has been deployed for SSO. Copyright 2013, Juniper Networks, Inc. 5
6 Supported Scenarios The following implementations are supported on MAG Series today. Table 1. MAG Series as IdP and SP IdP-Initiated SSO SP-Initiated SSO MAG Series as IdP Supported Supported when using SAML External Apps and Network Connect (NC) MAG Series as SP Supported Supported MAG Series as IdP supports two modes: Gateway Peer SAML Entity Table 2. Modes for MAG Series as IdP MAG Series as IdP in Gateway Mode SAML SSO policies are used. MAG Series acts as an IdP as well as the end user. When the MAG Series is in gateway mode, it is the IdP and the SP is a protected resource which the end user cannot access directly. As the end user cannot contact the SP directly, the MAG Series will act on behalf of the end user, performing the dual role of being the IdP and forwarding the SAML Assertion on behalf of the end user s browser. Only an IdP-initiated scenario is supported. The session with the SP is maintained at the MAG Series. User does not receive any cookies from the SP. All cookies are stored in the MAG Series device. All user traffic passes through the rewriting engine on the MAG Series. Since the session is maintained at the MAG Series, access to the session with the SP will be lost when the user logs out of the MAG Series, even though the session will still exist on the SP. IdP-Initiated SSO This is the standard SAML deployment and both IdP-initiated and SP-initiated are supported. For IdP-initiated SAML external apps, SSO policies are used. For SP-initiated, just IdP and SP configuration under Sign-In are sufficient. No resource policy is required. The session with the SP is maintained at the end user browser. This mode requires direct access (i.e., without going through the rewriting engine) to the resource from the end user browser. The resource can be on the Internet, on a cloud, or in a protected corporate environment. In the case of a protected resource, a Network Connect/Windows Secure Application Manager (NC/WSAM) tunnel is required. In this case, users will continue to have access to the session at the SP even after logging out of the MAG Series, provided the resource is still reachable by the user. The single logout feature is currently supported only when the MAG Series is set up as an SP. MAG Series as an SP supports: Consumption (IdP initiated) where the MAG Series can consume the Single Logout generated by the IdP. Generation (SP initiated) of a Single Logout request, where the MAG Series generates a single logout. MAG Series as Identity Provider (IdP) Following is a case study of how MAG Series Junos Pulse Gateways running Junos Pulse Secure Access Service can be successfully set up as a SAML IdP to achieve SSO for users. Flow Diagram The diagram is a logical representation and explains the process a customer would follow in order to single sign-on users to one application. This method can be replicated for multiple applications, with each having a distinct Service Provider (SP) configured. The steps involved are as follows: 1. User goes to the login page hosted by the IdP. 2. User enters credentials to log in. 3. The password is verified by the authentication server. Authorization is also completed at this stage. 4. Upon successful authentication, the MAG Series launches a Network Connect (NC or VPN Connection) that gives the user an IP address from a pool while disabling split tunneling. 5. After obtaining an IP address, the user is presented with a page which has a bookmark for the application they want to access. The user then clicks on the bookmark. 6. Clicking on the bookmark triggers a SAML Assertion to be generated by the MAG Series, which acts as the Identity Provider (IdP). The SAML Assertion is sent to the corresponding Service Provider (SP). The SAML response is sent to the SP via HTTP POST through the user s browser. The SP consumes the SAML Assertion, and obtains the username to verify who is trying to access the application. 7. The SP then grants the user access to the application. 6 Copyright 2013, Juniper Networks, Inc.
7 RSA Authentication and AD Authorization (2) Enter user credentials (5) User accesses application by clicking on bookmark (1) User browses to the login page (3) Authenticate user (7) SP consumes SAML assertion and grants user access MAG Series SSL VPN IdP (4) N etwork connect IP address with Split Tunneling disabled (6) IdP sends SAML assertion through the user s browser Figure 1: MAG Series as an IdP The following steps need to be completed when configuring the MAG Series to function as an IdP: Configure the IdP Set up the Service Provider information with which the IdP should communicate Configure the bookmark Configure the SSO information for the bookmark Setting Up IdP Configuration The Entity Id represents the IdP entity information and is auto populated based upon the host name configured on the device. The metadata validity indicates the number of days a peer SAML entity (SP for example) can cache this information. This metadata can be downloaded and imported by the SP as the IdP metadata information. Figure 2: Sign-in SAML metadata provider To set up the IdP further, go to: Authentication > Signing In > Sign-in SAML > Identity Provider. The application uses POST mode for communication. Select the Signing Certificate. This certificate will be used to verify that the information sent is indeed sent by this IdP. This is the digitally signed certificate and the IdP provides the public key with which the SP can verify it. Do not select any Decryption Certificates. Copyright 2013, Juniper Networks, Inc. 7
8 In the Other Configurations section, check both of these boxes: Reuse Existing NC (Pulse) Session (which will aid in SP-initiated SSO) Accept Unsigned AuthnRequest The Service-Provider-related IdP Configuration can be left at the default settings, as this will be overridden by the individual SP settings that will be configured later. Relay State Leave this blank Session Lifetime Configure it to be Role Based Sign-In Policy Choose */ Force Authentication Behavior Choose Reject AuthnRequest User Identity Subject Name Format Choose Other Subject Name Configure USERNAME Web Service Authentication Authentication Type Choose None Artifact Configuration Source ID This field is auto populated Uncheck the box for Enable Artifact Response for Signing and Encryption Figure 3: Sign-in SAML identity provider settings 8 Copyright 2013, Juniper Networks, Inc.
9 Setting Up the SP Information Each SP can be added by clicking on the Add SP button tab under the Peer Service Provider Configuration. The Service Provider information can be configured manually or by using the information in the metadata file uploaded to the IdP. Figure 4: Adding SP information The metadata file can be uploaded under the section: System > Configuration > SAML. Figure 5: SAML global configuration Click on the New Metadata Provider to add the metadata file from any SP. When uploading the metadata file for the SP, the following options were chosen in this example: Specify location as Local and assign the location where the metadata file can be found Check the box for Accept Unsigned Metadata Select roles: Service Provider Figure 6: Uploading the metadata file of an SP on the MAG Series Copyright 2013, Juniper Networks, Inc. 9
10 Once the metadata file has been uploaded, the SP can be configured as shown below. Select the Configuration Mode to be Metadata and then select the appropriate Entity Id from the drop-down menu. The metadata file will also have information on the method of communication Artifact/POST. Figure 7: Configuring SP on the MAG Series using metadata When the Manual Configuration Mode option is chosen, the configuration will change as shown in Figure 8. Figure 8: Configuring SP on the MAG Series manually Carefully populate the Entity Id field and the Assertion Consumer Service URL information. Most SAML failures are related to an improper assertion consumer service (ACS) configuration URL. The Relay state is used to identify the SAML Auth Server to which the user needs to authenticate. It contains the sign-in URL (or the relative path of the sign-in URL) of the MAG Series. RelayState in the case of an IdP-initiated scenario is a value that is agreed upon between the SP and IdP. In the case of a third-party SP, this information needs to be indentified from the SP vendor and configured here. This field is SP specific, and some SPs may not require this information, in which case it can be left blank. In the case of SP-initiated SSO, the value from this configuration field is not used at all. In an SP-initiated case, the RelayState is dictated by the AuthnRequest sent by the SP. The RelayState is sometimes essential to configure (in some IdP-initiated SSO) but can be left blank most of the time. 10 Copyright 2013, Juniper Networks, Inc.
11 The rest of the tabs can be configured as shown in the figure below. Figure 9: Setting up the SP on the MAG Series and specifying details Configuring the Bookmark The bookmark can be configured under the User Roles or through Resource Profiles. The bookmark might need a Web ACL and Rewriting policy. Figure 10: Setting up bookmarks and user roles Copyright 2013, Juniper Networks, Inc. 11
12 Figure 11: Roles -> Web -> Bookmark Figure 12: Bookmark details Configuring Resource Policies for SSO The final step involves creating the Resource Policy for SSO. Go to: Users > Resource Policies > Web > SSO > SAML External Apps. Then choose the SAML External Apps instead of SAML (available under Web > SSO) because the application does not need the MAG Series to be a gateway, and users can access the resource directly. Figure 13: Resource Policies -> SSO -> SAML External Apps 12 Copyright 2013, Juniper Networks, Inc.
13 The policy is configured by clicking on the New Policy button. The Resources field is where the URL for the target resource is specified, while the specific SP with which to communicate is configured from the drop-down menu under: SAML SSO Details > Service Provider Entity Id. Select the appropriate role that should have access. Figure 14: SAML external apps configuration Since the end resources are in a protected environment and will be accessed via Network Connect only, the SSO policies are configured under SAML External Apps. The access to the end resource is through the NC tunnel and the resource is not rewritten via the rewrite engine. MAG Series as IdP Summary With this setup, when users log in with their credentials and click on the bookmark that is presented on their screen, they are able to Single Sign-On into the application via SAML 2.0. This setup supports both IdP-initiated SSO as well as SP-initiated SSO. Single logout is not currently supported in this mode. If the user logs out of the SP, the session is not automatically terminated on the IdP and vice versa. MAG Series SSL VPN as Service Provider Following is a case study of how MAG Series Junos Pulse Gateways, running Junos Pulse Secure Access Service (SSL VPN), can be successfully set up as a SAML SP to achieve SSO for users. Flow Diagram The diagram below explains the process a customer would follow to allow or deny users access to the end application. A logical representation of the workflow is as follows: 1. User wants to access a protected application and therefore must log into the site. After clicking on login, the user is redirected to the Service Provider (SP) via a browser redirect. 2. The SP then redirects the request to the associated Identity Provider (IdP). 3. The IdP presents a login screen to the user in which the user enters login credentials. 4. The IdP performs an authentication against an authentication server and provides a response of either success or failure. Copyright 2013, Juniper Networks, Inc. 13
14 5. Upon successful authentication, the IdP then sends an SAML response with the SAML Assertion to the SP. This response is digitally signed in order to verify that the SP is indeed getting the information from the correct IdP. The response is also encrypted and only the SP has the private key to decrypt this information. This ensures a secure communication channel between the IdP and SP. 6. The SAML response is sent to the SP via HTTP POST through the user s browser. 7. Host Checker verification is performed via the MAG Series at this point. 8. A response is provided depending upon whether the user meets the defined criteria. 9. On successfully passing the above preconditions, the MAG Series redirects the user to a MAG Series starter/ landing page. The MAG Series also simultaneously launches a Network Connect (VPN connection) that gives the user an IP address from a pool while disabling split tunneling. Host Checker (8) Host Checker verification (9) Validation (7) HTTP post assertion to SSL VPN MAG Series SSL VPN IdP (11) SSO to resource via SAML2.0 (2) User clicks login which functionally performs a redirect to the SP (10) Network connect IP address with split tunneling disabled End Application User (3) Redirect with AuthnRequest (6) Respond with SAML assertion encrypted and digitally signed (1) User browses public application (5) Authenticate user Figure 15: MAG Series as an SP The following steps should be performed when configuring the MAG Series to function as an SP: Install the certificates to be used Configure the Authentication/Authorization Server Set up the Sign-In page Install Certificates IdP (4) Enter user credentials Authentication Server There will be two certificates required to enable secure communication between the IdP (Identity Provider) and SP (Service Provider) within the realm of SAML 2.0. In this scenario, the MAG Series gateway will be the SP. The purpose of the two certificates are as follows: 1. One certificate is used to verify that the information sent is indeed sent by the corresponding IdP. This is the digitally signed certificate, and the IdP provides the public key. This information can either be part of the metadata file provided by the IdP or a separate certificate that can be uploaded to the MAG Series. 2. The second certificate is used to encrypt the SAML response with the assertion. The public key is provided to the IdP while the private key is stored on the MAG Series. 14 Copyright 2013, Juniper Networks, Inc.
15 Installing the certificates for encryption involves the following steps: 1) Installing the Trusted Server CA to trust the self-signed certificate 2) Installing the self-signed certificate Install the certificate authority (CA) information under the Trusted Server CA under: System > Configuration > Certificates > Trusted Server CAs. Figures 16 and 17 outline the details as to how this is accomplished. Figure 16: Installing a Trusted Server CA Once this is installed, the next step is to generate and install the self-signed certificate. Install the CA information under: Device Certificates. The path is: System > Configuration > Certificates > Device Certificates. The generated certificate should match the hostname or the fully qualified domain name (FQDN) for the MAG Series. Figure 17: Installing a certificate for encryption The public key for the self-signed certificate is installed on the IdP. Installation of the public key that is used to verify the digitally signed certificate with the SAML response is shown in the next section, which describes set up steps for the SAML Auth Server. Copyright 2013, Juniper Networks, Inc. 15
16 Setting Up the Authentication Server The next step is to configure the SAML Authentication Server. In order to configure the Authentication Server, go to: Authentication > Auth Server, and then select SAML Server from the list as shown in Figure 18. Figure 18: Setting up SAML Auth Server The following steps were used to populate the numerous fields under the SAML Server: Entity Id is automatically populated with the FQDN of the MAG Series gateway (from Network Overview) and the SAML endpoint. -- https://rr-mdf-xxxxxxxxxxxxxxxx.net/dana-na/auth/saml-endpoint.cgi?p=sp1 Enter the FQDN of the IdP Entity Id. -- https://zit8665.development.xxxxxxxxxxxxxxx.net/ Enter the Identity Provider Single Sign-On Service URL. This is the URL at which the IdP accepts the SAML AuthnRequest. -- https://zit8665.development.xxxxxxxxxxxx.net/junipersamltest/login.aspx Ensure that the appropriate clock skew is set. Ideally the SP and IdP should be configured to use the same Network Time Protocol (NTP) server. The recommended value is 5 minutes. The reason the example was configured as 20 in Figure 19 was because the time difference was over 10 minutes. The IdP information could also be set up using the metadata file. The metadata file from the IdP can be imported onto the MAG Series under: System > Configuration > SAML You can then select New Metadata Provider. This is similar to how it was set up in the previous scenario, but in this case the option Identity Provider needs to be checked instead of Service Provider. Figure 19: SAML Auth Server configuration 1 The section below highlights the installation of the IdP certificate or the public key that is used for verifying the digitally signed SAML response: Upload the IdP certificate -- zit8665.development.xxxxxxxxxxxx.net Check Enable Signing Certificate Status Checking Mark Select Device Certificate for Signing as Not Applicable Select Device Certificate for Encryption is the certificate for the FQDN of the MAG Series -- Select rr-mdf-xxxxxxxxxxx.net from the drop-down menu 16 Copyright 2013, Juniper Networks, Inc.
17 Figure 20: SAML Auth Server configuration 2 Use the Download Metadata button for a reference of SAML settings needed for the IdP. Figure 21: SAML Auth Server configuration 3 Setting Up the Sign-In Page The final step involves creating a Sign-In page. This is essential in order to map users to the realm and Authentication Server. The Sign-In policy maps to the realm and the realm maps to the Authentication Server. Therefore, a new realm will need to be created or any existing realm can be mapped to the SAML Auth server. Go to: Authentication > Signing In > Sign-in Policies and create a new Sign-In URL as */saml/. The Sign-In page can be customized (please see the Custom Sign-In Page Solutions Guide). Create a Sign-In page as SAML Test by modifying the sample.zip file. Fill in the realm to which the user should be mapped and the Sign-In SAML for the Sign-In page. Add the path for the Sign-In page for SAML communication as shown in Figure 22. Copyright 2013, Juniper Networks, Inc. 17
20 Configuring the Sign-In URL is an essential step in setting up SAML communication. The message shown in Figure 26 is displayed if the Sign-In URL is not configured when posting the SAML assertion. Figure 26: SAML error displayed when URL is missing A Missing/Invalid sign-in URL error is shown when the RelayState does not map to a configured Sign-In URL, or it maps to a Sign-In URL that is not configured with a realm that has an SAML Server. It is important to note that for SAML authentication, there cannot be more than one realm mapped to the same Sign-In URL being used. MAG Series as Service Provider Summary With this setup, when the user logs in with credentials and succeeds against all levels of security checks, including authentication and Host Checker, SAML 2.0 allows that user to go directly to the cloud-based end application. The user experience is seamless, as SSO is achieved via browser redirects, which are completely transparent to the user. All communication happens on the back end in a secure yet nonintrusive manner. This setup supports both IdP-initiated SSO as well as SP-initiated SSO. Single Logout is supported in this mode. If the user logs out of the SP, user credentials will need to be reentered before accessing the end application at a later time. Summary With the increasing adoption of cloud-based applications, SAML 2.0 helps alleviate a significant user burden by eliminating the need to enter credentials more than once. At the same time, it helps secure access to applications and other valuable resources in public, private, or hybrid clouds, ensuring the validity of user credentials before allowing access to resources. SSO allows users to enter their credentials only once in order to access multiple end applications, and it enables businesses to leverage an effective, identity-based security system. Being able to deploy the Juniper MAG Series as an IdP or an SP provides an organization with added flexibility. The ability to combine encryption along with digital signatures ensures confidentiality and integrity of the user information along with guaranteeing non-repudiation aspects that are critical to the success of cloud-based applications. 20 Copyright 2013, Juniper Networks, Inc.
21 Appendix A While the MAG Series running Junos Pulse Secure Access Service (SSL VPN) cannot generate SAML attributes, currently it can read simple attributes that are sent to it. Therefore, if the IdP sends attributes for the SP to filter along with the username, the MAG Series functioning as an SP is capable of performing this action. The attributes are usually sent in userattr. format. In order to learn specifics of the sent attribute, use the policy trace feature. Once the attribute has been identified, it can be incorporated under the Role Mapping and filtered accordingly. Select Custom Expressions and click on Update. Then click on the tab Expressions. This will open another window as shown in Figure 27 below. Create a custom expression and save the changes. Map the user role for the role mapping rule created and save changes. Figure 27: Role Mapping Rule for a custom expression Figure 28: Creating a custom expression Copyright 2013, Juniper Networks, Inc. 21
22 References 1. SAML 2.0 OASIS Exec Overview: https://www.oasis-open.org/committees/download.php/13525/sstc-samlexec-overview-2.0-cd-01-2col.pdf https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf About Juniper Networks Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at Corporate and Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC and EMEA Headquarters Juniper Networks International B.V. Boeing Avenue PZ Schiphol-Rijk Amsterdam, The Netherlands Phone: Fax: To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller. Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Mar 2013 Printed on recycled paper 22 Copyright 2013, Juniper Networks, Inc.
Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta Configuration Guide Product Release Document Revisions Published Date 1.0 1.0 May 2016 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San
White Paper JUNOS PULSE APPCONNECT A Micro VPN That Allows Specific Applications on Mobile Devices to Independently Leverage the Connect Secure Gateway Copyright 2014, Juniper Networks, Inc. 1 Table of
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
INTEGRATION GUIDE IDENTIKEY Federation Server for Juniper SSL-VPN Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
Chapter 82 Configuring Moodle The following is an overview of the steps required to configure the Moodle Web application for single sign-on (SSO) via SAML. Moodle offers SP-initiated SAML SSO only. 1 Prepare
APPLICATION NOTE Juniper NETWORKS SSL VPN and Windows Mobile Secure, Mobile Access to Corporate Email, Applications, and Intranet Resources Table of Contents Introduction.........................................................................................
SAM Context-Based Authentication Using Juniper SA Integration Guide Revision A Copyright 2012 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
PRODUCT CATEGORY BROCHURE Juniper Networks SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations
Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software
Chapter 75 Configuring SAP NetWeaver AS Java SAP NetWeaver Application Server ("AS") Java (Stack) is one of the two installation options of SAP NetWeaver AS. The other option is the ABAP Stack, which is
Implementation Guide SAP NetWeaver Identity Management Identity Provider Target Audience Technology Consultants System Administrators PUBLIC Document version: 1.10 2011-07-18 Document History CAUTION Before
Chapter 41 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
Chapter 94 Configuring Salesforce The following is an overview of how to configure the Salesforce.com application for singlesign on: 1 Prepare Salesforce for single sign-on: This involves the following:
Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents
Chapter 40 Configuring Connected Data The following is an overview of the steps required to configure the Connected Data Web application for single sign-on (SSO) via SAML. Connected Data offers both IdP-initiated
SOLUTION BRIEF SECURE ACCESS TO THE VIRTUAL DATA CENTER Ensure that Remote Users Can Securely Access the Virtual Data Center s Virtual Desktops and Other Resources Challenge VDI is driving a unique need
Chapter 83 WebEx This chapter includes the following sections: An overview of configuring WebEx for single sign-on Configuring WebEx for SSO Configuring WebEx in Cloud Manager For more information about
Chapter 67 Configuring SuccessFactors The following is an overview of the steps required to configure the SuccessFactors Enterprise Edition Web application for single sign-on (SSO) via SAML. SuccessFactors
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies
APPLICATION NOTE Smart Download Manager Easing the File Download Process on SRX Series Services Gateways for the Branch Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Introduction...3 Scope...3
C E N T R I F Y G U I D E SAP NetWeaver Java SAML configuration guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
Chapter 117 Configuring SuccessFactors The following is an overview of the steps required to configure the SuccessFactors Enterprise Edition Web application for single sign-on (SSO) via SAML. SuccessFactors
Protecting Juniper SA using Certificate-Based Authentication Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate.
SAML 2.0 SSO Deployment with Okta Simplify Network Authentication by Using Thunder ADC as an Authentication Proxy DEPLOYMENT GUIDE Table of Contents Overview...3 The A10 Networks SAML 2.0 SSO Deployment
Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,
C O L A B O R A T I V E I N N O V A T I O N M A N A G E M E N T Complete Feature Guide SAML Single-Sign-On (SSO) 1. Features This feature allows administrators to setup Single Sign-on (SSO) integration
Chapter 108 Configuring SAP NetWeaver Fiori The following is an overview of the steps required to configure the SAP NetWeaver Fiori Web application for single sign-on (SSO) via SAML. SAP NetWeaver Fiori
PARTNER INTEGRATION GUIDE Edition 1.0 Last Revised December 11, 2014 Overview This document provides standards and guidance for USAA partners when considering integration with USAA. It is an overview of
Chapter 190 WebEx This chapter includes the following sections: "An overview of configuring WebEx for single sign-on" on page 190-1600 "Configuring WebEx for SSO" on page 190-1601 "Configuring WebEx in
Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to AirWatch Applications
Ameritas Single Sign-On (SSO) and Enterprise SAML Standard Architectural Implementation, Patterns and Usage Guidelines 1 Background and Overview... 3 Scope... 3 Glossary of Terms... 4 Architecture Components...
Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories
Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin
Chapter 34 Configurin guring g Clarizen Configure the Clarizen Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with Clarizen. Configuration also specifies how the application
Dell One Identity Cloud Access Manager 8.0.1 - How to Configure for SSO to SAP NetWeaver using SAML 2.0 May 2015 About this guide Prerequisites and requirements NetWeaver configuration Legal notices About
firstname.lastname@example.org Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10
Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding
Configuring Parature Self-Service Portal Chapter 2 The following is an overview of the steps required to configure the Parature Self-Service Portal application for single sign-on (SSO) via SAML. Parature
SAML2 Cloud Connector Guide McAfee Cloud Identity Manager version 1.2 or later COPYRIGHT Copyright 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,
1 HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided
PRODUCT CATEGORY BROCHURE SA Series SSL VPN Appliances Juniper Networks SA Series SSL VPN Appliances Lead the Market with Secure Remote Access Solutions That Meet the Needs of Organizations of Every Size
Configuring Single Sign-on from the VMware Identity Manager Service to WebEx VMware Identity Manager SEPTEMBER 2015 V 2 Configuring Single Sign-On from VMware Identity Manager to WebEx Table of Contents
SAML Authentication with BlackShield Cloud Powerful Authentication Management for Service Providers and Enterprises Version 3.1 Authentication Service Delivery Made EASY Copyright Copyright 2011. CRYPTOCARD
Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions
RSA SecurID Ready Implementation Guide Partner Information Last Modified: September 30, 2005 Product Information Partner Name Juniper Networks Web Site www.juniper.net Product Name NetScreen SA Version
CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate
Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper TABLE OF CONTENTS INTRODUCTION... 3 Where we came from... 3 The User s Dilemma with the Cloud... 4 The Administrator
Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with
SGOS 5 Series Reverse Proxy with SSL - ProxySG Technical Brief What is Reverse Proxy with SSL? The Blue Coat ProxySG includes the functionality for a robust and flexible reverse proxy solution. In addition
Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory
VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new
Chapter 94 Intacct This section contains the following topics: "An overview of configuring Intacct for single sign-on" on page 94-710 "Configuring Intacct for SSO" on page 94-711 "Configuring Intacct in
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2013 Fiberlink Communications Corporation. All rights reserved. Information in this document is subject to change without notice. The software
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
MaaS360 Mobile Enterprise Gateway Administrator Guide Copyright 2014 Fiberlink, an IBM Company. All rights reserved. Information in this document is subject to change without notice. The software described
IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application
White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing
ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS
International Telecommunication Union SAML Federated Identity at OASIS Hal Lockhart BEA Systems Geneva, 5 December 2006 SAML and the OASIS SSTC o SAML: Security Assertion Markup Language A framework for
SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
Enabling SAML Single Sign-On with OneLogin Reference Guide 2016 Adobe Systems Incorporated. All Rights Reserved. Products mentioned in this document, such as the services of identity provider Onelogin,
Setup Guide Revision B McAfee Cloud Single Sign On COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee
Security Assertion Markup Language (SAML) Site Manager Setup Trademark Notice Blackboard, the Blackboard logos, and the unique trade dress of Blackboard are the trademarks, service marks, trade dress and
Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark
White Paper Juniper Networks Solutions for VMware NSX Enabling Businesses to Deploy Virtualized Data Center Environments Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3
White Paper How Junos Spotlight Secure Works The Global Attacker Security Intelligence Service Explained Copyright 2013, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3
Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark
WHITE PAPER SECURING TODAY S MOBILE WORKFORCE Connect, Secure, and Manage Mobile Devices and Users with Junos Pulse and the Junos Pulse Mobile Security Suite Copyright 2011, Juniper Networks, Inc. Table