Product Guide Revision A. McAfee Cloud Single Sign On 4.0.1


COPYRIGHT
Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee Cloud Single Sign On Product Guide

Contents

Preface 11
    About this guide
    Audience
    Conventions
    Find product documentation

Introduction 13
    How McAfee Cloud SSO implements web single sign on
    How SSO is initiated
    How user provisioning is managed
    Event auditing and monitoring
    SDK extends built-in functionality
    Supported environments
    Supported browsers

Installing McAfee Cloud SSO 19
    McAfee Cloud SSO software and services
    Installation options
    Installing McAfee Cloud SSO on a Windows or Linux standalone server
    Services installed and uninstalled on Windows or Linux
    Pre-installation considerations on Windows and Linux
    Setting up a MySQL database
    Administrative privileges
    Installing on a server having a fully qualified domain name
    Installing as a service
    Upgrade considerations
    Using your own JRE on Windows or Linux
    Set the environment variables when using your own JRE on Linux
    Installing McAfee Cloud SSO on a Windows server
    Install McAfee Cloud SSO on Windows
    Uninstall McAfee Cloud SSO on Windows
    Starting and stopping McAfee Cloud SSO on Windows
    Back up an installation on Windows
    Restore a backup on Windows
    Installing McAfee Cloud SSO on a Linux server
    Install McAfee Cloud SSO on Linux
    Uninstall McAfee Cloud SSO on Linux
    Start and Stop McAfee Cloud SSO on Linux
    Back Up an installation on Linux
    Restore a backup on Linux
    Installing McAfee Cloud SSO on an appliance or virtual machine
    An appliance vs. a virtual machine
    Requirements for using a virtual machine
    Installation tasks on an appliance or virtual machine
    Download McAfee Cloud SSO software
    Re-image a CD or USB drive
    Create a new virtual machine on your ESX or ESXi server
    Restart McAfee Cloud SSO services
    Upgrade McAfee Cloud SSO software on an appliance or virtual machine
    Provisioning and OTP configuration files on an appliance or virtual machine
    Post-installation tasks
    Open the Management Console and import your license file
    Replace the default SSL server certificate
    Locate and modify an alias in a keystore
    Installing a cluster of McAfee Cloud SSO instances
    Benefits of clustering
    How nodes are added to a cluster
    Configure a cluster of two nodes
    Add a McAfee Cloud SSO instance to an existing cluster
    Troubleshooting installation
    Property soae.user.dir is not set
    Connection to Management Console fails
    McAfee Cloud SSO cannot connect to MySQL server

Using the Management Console 51
    Access the Management Console
    The Management Console dashboard
    Management Console configuration tabs (A)
    Management Console Cloud Connectors (B)
    Management Console system snapshots (C)
    Management Console quick access (D)

Identity Connectors 57
    Identity Connectors
    Manage all configured identity stores in the system
    Manage all configured Identity Connectors in the system
    Selecting the Identity Connector type
    Configure an LDAP identity store
    Configure an Active Directory identity store
    Configure an authentication chain Identity Connector
    Configuring a CAS Identity Connector
    How CAS and McAfee Cloud SSO manage SSO and SLO
    Considerations when using CAS
    Configure a CAS Identity Connector
    Configure an ECA360 Token Identity Connector
    Configuring an IWA-AD Identity Connector
    Create an Active Directory account for McAfee Cloud SSO
    Run the Ktpass tool
    Register a service principal name with the Active Directory account
    Create a key table
    Configure Internet Explorer for IWA
    Configure Firefox for IWA
    Configure an IWA-AD Identity Connector
    Troubleshooting IWA integration
    Configure an LDAP Identity Connector
    Configuring a SAML2 Proxy Identity Connector
    How McAfee Cloud SSO in the cloud and the enterprise work together
    How McAfee Cloud SSO in the cloud and the enterprise are configured
    Configure a SAML2 Proxy Identity Connector

Authentication chains 79
    Advantages of authentication chains
    Primary vs. secondary authentication methods
    Two-factor authentication using one time passwords
    How two-factor authentication works: LDAP-OTP example
    How two-factor authentication works: OpenID-OTP example
    Create an authentication chain
    Select the authentication module type
    Customize the login page
    Configuring the authentication module options
    Configure a JDBC authentication module
    Configuring an OpenID authentication module
    Configuring a Facebook authentication module
    Configuring a LinkedIn authentication module
    Configuring a Twitter authentication module
    Configure an ECA360 Token authentication module
    Configuring a SAML2 authentication module
    Configuring a Salesforce authentication module
    Configure an IWA authentication module
    Configure a CAS authentication module
    Configure a SAML2 Proxy authentication module
    Configure an LDAP authentication module
    Configure a combined LDAP and OTP authentication module
    Configure a certificate authentication module
    Configuring a SiteMinder authentication module
    Configuring an OTP authentication module
    Configuring a TPM authentication module
    Configure a KCD authentication module
    Customize the authentication module output attributes
    Default output attributes for a certificate authentication module
    Configure a JAAS policy for the authentication module
    Determined by Cloud Connector use cases
    Register a user-defined authentication module
    Specify the full class name and upload the .jar file
    Configure the authentication service options and the output attributes
    Specify the callback configuration
    Review the user-defined authentication module options

Cloud Connectors 133
    Built-in vs. plug-in Cloud Connectors
    Dynamic Cloud Connectors
    Generic Cloud Connectors
    Individual Cloud Connectors
    Office 365 Cloud Connectors: SAML vs. WS-Federation
    Creating a Cloud Connector
    Create a Cloud Connector
    Configure credential mapping
    Configure a generic Cloud Connector
    Configure individual Cloud Connectors
    Configuring SAML Cloud Connectors
    How SAML SSO and SLO work
    How X.509 certificates are managed for SAML SSO and SLO
    SAML Cloud Connectors and supported SSO processes
    Configure SAML SSO
    Configure a SAML assertion
    SAML assertion reference
    Configure SAML SLO
    Configuring SSO in your application administrator account
    Configuring Cloud Connectors that use WS-Federation
    Configuring an Office 365 Cloud Connector
    Configuring a SharePoint Cloud Connector
    Configure an ECA360 Token Cloud Connector
    Configure an OpenID Cloud Connector
    Configuring an Impersonation Cloud Connector
    Impersonation with reverse proxy built into McAfee Cloud SSO
    Impersonation with enterprise reverse proxy
    Requirements for deploying McAfee Cloud SSO in the enterprise domain
    Verify the domain functional level of the Active Directory server
    Configure constrained delegation on the Active Directory server
    Configure an Impersonation Cloud Connector
    Configuring individual custom Cloud Connectors
    Configuring an Accellion Cloud Connector
    Configure an AmazonAWS Cloud Connector
    Configure a Creately Cloud Connector
    Configuring a DeskCustom Cloud Connector
    Configure an EStreamDesk Cloud Connector
    Configuring a FreshDesk Cloud Connector
    Configuring an IdeaScale Cloud Connector
    Configuring a NetSuite Cloud Connector
    Configure a Schoology Cloud Connector
    Configuring a TenderSupport Cloud Connector
    Configuring a UserVoice Cloud Connector
    Configure just-in-time user provisioning
    Configuring an authorization policy
    Configure an authorization policy
    Build an expression: example
    Build an expression: example
    Review the Cloud Connector configuration
    Cloud Connector SSO methods reference

Cloud authenticators and application adapters 219
    Single Identity Provider
    Multiple Identity Providers
    Configuration tasks
    Configure a cloud authenticator
    Configure an application adapter

Integrating McAfee Cloud SSO with Web Gateway 227
    Benefits of Web Gateway integration
    How enabling and disabling Web Gateway integration affects SSO
    How McAfee Cloud SSO and Web Gateway implement SSO together
    Configure McAfee Cloud SSO and Web Gateway to work together
    Web Gateway integration and Cloud Connector reference

Logging and monitoring 243
    What the logs and monitoring features record
    Audit logging and alerts
    Manage audit logging
    Configure the auditing policy
    Configure a filter for the audit log
    View the audit log
    Download the audit log
    Purge the audit log
    Manage alerts
    Create an alert
    View alerts
    Delete an alert
    Modify an alert
    Manage the alert log
    Configure a filter for the alert log
    View the alert log
    Download the alert log
    Purge the alert log
    Audit events reference
    Manage transaction and error logging
    Configure the transaction log
    Configure a filter for the transaction log
    View the transaction log
    Download the transaction log
    Purge the transaction log
    Use cloud metrics to monitor end-user events
    Configure a filter for the selected metrics
    View the cloud metrics
    Download the cloud metrics
    Purge all cloud metrics in the McAfee Cloud SSO system
    Use login history to monitor login and logoff events
    Configure a filter for the login history
    View the login history
    Download the login history
    Purge the login history

Add-on services 263
    Implementing SSO to Salesforce through Connect for Outlook
    Salesforce requirements for integrating Connect for Outlook
    Configuring SSO to Salesforce through Connect for Outlook
    Manage instances of the identity proxy service
    Configure delegated authentication in Salesforce
    Install and configure the Salesforce Connect for Outlook plug-in
    Downloading user data from Google and Salesforce applications securely
    How McAfee Cloud SSO implements the OAuth authorization protocol
    Manage instances of the OAuth service
    Enable the OAuth service provided by McAfee Cloud SSO in Google
    Configure a new remote access application in Salesforce

Advanced configuration 275
    Configure runtime data and audit log storage in a MySQL database
    Configure network proxy addresses
    Configure a timeout value for end-user sessions
    Enable your custom portal configuration
    Managing administrative user accounts
    The built-in administrator vs. administrative user accounts
    Create an administrative user account
    Delete an administrative user account
    Modify an administrative user account
    Managing X.509 certificates for SAML authentication
    How X.509 certificates work
    McAfee Cloud SSO preconfigured key pair
    Acquiring an X.509 certificate
    View all X.509 certificates
    View one X.509 certificate
    Export an X.509 certificate
    Delete an X.509 certificate
    Import an X.509 certificate
    Validate an X.509 certificate
    Generate a new key pair
    Import key pairs
    Import a trusted certificate
    Replace the SSL key pair
    Enable certificate validation
    Manage Cloud Connector plug-ins
    View all Cloud Connector plug-ins
    Enable or disable a Cloud Connector plug-in
    Modify a Cloud Connector plug-in
    Delete a Cloud Connector plug-in
    Configure Web Gateway integration
    Install a custom Cloud Connector plug-in
    Export system configuration data
    Import system configuration data
    Restart the McAfee Cloud SSO service
    Import a license file
    Configure a fully qualified domain name
    Configure SMTP and remote OTP options
    Select a language

A Integrating RCDevs OpenOTP Authentication Server 295
    RCDevs OpenOTP Authentication Server overview
    RCDevs OpenOTP high-level integration tasks
    Install RCDevs OpenOTP Authentication Server
    Configure RCDevs OpenOTP Authentication Server

B Accessing Salesforce Chatter from a mobile device 299
    Implementing SSO for Salesforce Chatter users on a mobile device
    Salesforce Chatter high-level integration tasks
    Management Console tasks required to integrate Salesforce Chatter
    Create a custom Salesforce domain name for your organization
    Configure SSO and SLO in your Salesforce administrator account
    Set up the Salesforce Chatter Mobile client on the mobile device
    Setting up the Pledge OTP client on the mobile device

C Managing access to user data on SharePoint securely 305
    McAfee Cloud SSO as proxy between SharePoint and web applications
    Configuring SharePoint integration
    McAfee Cloud SSO tasks for integrating SharePoint in the enterprise
    Web application tasks for integrating SharePoint in the enterprise
    Web browser tasks for integrating SharePoint in the enterprise
    Configure the Active Directory domain controller
    Install and configure the SharePoint server

D Integrating AD FS 2.0 with McAfee Cloud SSO 311
    AD FS 2.0 identity federation terms
    Software requirements for AD FS 2.0 integration
    AD FS 2.0 roles in identity federation
    AD FS 2.0 as the Identity Provider
    AD FS 2.0 as the Relying Party
    Identity federation with AD FS 2.0 as Identity Provider
    Configure McAfee Cloud SSO as the Relying Party in AD FS
    How claim rules are edited in AD FS 2.0: Relying Party Trust example
    Identity Federation with AD FS 2.0 as Relying Party
    Configure McAfee Cloud SSO as the Claims Provider in AD FS
    Edit claim rules in AD FS 2.0: Claims Provider Trust example
    AD FS 2.0 service URL locations
    X.509 certificate preparation steps in AD FS
    Configuring AD FS 2.0 Federation with a WIF application
    AD FS 2.0 considerations and troubleshooting tips
    Enable NTLM authentication in Firefox
    Sharing AD FS 2.0 claims with a SAML 2.0 Service Provider
    Workstation not registered in the Service Principal Name directory
    Authentication Required pop-up window in Internet Explorer
    Add STS Reference option is missing in Visual Studio
    WIF application cannot verify signature of SAML token
    Signature verification failure
    Audience verification failure

E Expression language support 327
    Attribute mapping and expressions in McAfee Cloud SSO

F Troubleshooting tips 329
    Internet Explorer cannot download file
    The upgrade process does not migrate credentials
    Not all settings are exported from a MySQL database
    AdminiTrack connector does not support SSO to v
    Uninstalling McAfee Cloud SSO on Windows restarts the system
    OTP Service Status or Provisioning Service Status is incorrect

G Acronyms 331
    Acronyms

Index 335

Preface

This guide provides the information you need to work with your McAfee product.

Contents
    About this guide
    Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:
    Administrators: People who implement and enforce the company's security program.
    Users: People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.
    Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
    Bold: Text that is strongly emphasized.
    User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
    Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
    Hypertext blue: A link to a topic or to an external website.
    Note: Additional information, like an alternate method of accessing an option.
    Tip: Suggestions and recommendations.
    Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
    Warning: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal.
2 Under Self Service, access the type of information you need:
    User documentation: Click Product Documentation, select a product, then select a version, then select a product document.
    KnowledgeBase: Click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.

1 Introduction

McAfee Cloud Single Sign On (McAfee Cloud SSO, formerly McAfee Cloud Identity Manager) offers identity management, single sign on (SSO), one time password (OTP), and provisioning services for administrators who want to simplify and secure the use of cloud, Software as a Service (SaaS), and web applications for members of their organization. The administrator configures the McAfee Cloud SSO service using the Management Console, a web-based interface accessible from a web browser.

Contents
    How McAfee Cloud SSO implements web single sign on
    How SSO is initiated
    How user provisioning is managed
    Event auditing and monitoring
    SDK extends built-in functionality
    Supported environments
    Supported browsers

How McAfee Cloud SSO implements web single sign on
McAfee Cloud SSO is the trusted third party that authenticates the end user against an identity source and provides identity information to a cloud service or application. In the Identity Provider role, McAfee Cloud SSO authenticates the user against the identity store or authentication service used by your organization. McAfee Cloud SSO then creates a session for the authenticated user, so that the user only needs to log in once.

To implement SSO, you create connectors in the Management Console:
    Identity Connector: The configuration that allows McAfee Cloud SSO to connect to and communicate with the identity source used by your organization.
    Cloud Connector: The configuration that allows McAfee Cloud SSO to connect to and provide identity and SSO services for a cloud service or application.

After you configure an Identity Connector for your organization, you configure one Cloud Connector for each cloud service or application that members of your organization need to access. Each Cloud Connector configuration includes the Identity Connector you configured.

The first time an end user seeks access to a cloud service or application, McAfee Cloud SSO presents a login page that corresponds to the Identity Connector. After the user is authenticated, McAfee Cloud SSO presents the application portal page, which lists all cloud services and applications having a Cloud Connector whose configuration includes that Identity Connector.

After McAfee Cloud SSO establishes a session with a user, it can enforce authorization policies and restrict access to cloud services. Authorization policies are defined in the Cloud Connector wizard. Each policy applies to a single service and allows or denies access to specified HTTP URLs.

Some cloud services and applications require configuration in your application administrator account in addition to the Management Console. Configuration in your application administrator account is covered in this guide.

How SSO is initiated
McAfee Cloud SSO supports two SSO use cases: Identity Provider (IdP)-initiated and Service Provider (SP)-initiated SSO. In IdP-initiated SSO, McAfee Cloud SSO initiates the SSO process. In SP-initiated SSO, the cloud service or application initiates the SSO process. In both, the end user is seeking access to a cloud service or application. The authentication process takes place using redirects through the user's browser. The redirects are automatic and take place quickly, so the user is not aware of the authentication process running in the background.

Figure 1-1 How IdP-initiated and SP-initiated SSO work

Some cloud services and applications support both IdP-initiated and SP-initiated SSO. Others support only one.
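The two flows, modeled as an added example with both parties' messages (illustrative code written for this page, not McAfee code; the entity IDs, URLs, signing key, field names and check names are assumptions, and an HMAC stands in for the X.509 signature that real SAML 2.0 uses). Table 1-1 below lists the steps; the code also shows the checks a Service Provider has to make on the redirected result before granting access, and why IdP-initiated SSO must be explicitly enabled on the SP side: an IdP-initiated response carries no InResponseTo that the SP can match to a request it issued.

```python
import hashlib, hmac, json, secrets

# Assumed entity IDs and endpoints; none of these come from the product guide.
IDP_ENTITY_ID = "https://sso.example.com"
IDP_SSO_URL = "https://sso.example.com/saml2/sso"
SP_ENTITY_ID = "https://app.example.net"
SP_ACS_URL = "https://app.example.net/saml2/acs"

# Stand-in for the IdP signing key and the certificate the SP trusts. Real SAML
# uses an X.509 key pair and XML-DSig; an HMAC keeps the example runnable offline.
SIGNING_KEY = b"demo-idp-signing-key"
ASSERTION_LIFETIME = 300   # seconds from IssueInstant to NotOnOrAfter
REQUEST_LIFETIME = 600     # how long the SP keeps an outstanding request


def _sign(fields):
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Identity Provider role: authenticates against the identity store (here a
    constructed {username: password} dict) and issues a signed result."""

    def __init__(self, identity_store):
        self.identity_store = identity_store

    def authenticate(self, username, password):
        expected = self.identity_store.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

    def issue_response(self, username, now, in_response_to=None):
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": IDP_ENTITY_ID,
            "NameID": username,
            "Audience": SP_ENTITY_ID,
            "Destination": SP_ACS_URL,
            "IssueInstant": now,
            "NotOnOrAfter": now + ASSERTION_LIFETIME,
            "InResponseTo": in_response_to,   # None for IdP-initiated SSO
        }
        return {"assertion": assertion, "signature": _sign(assertion)}


class ServiceProvider:
    """Service Provider role: the cloud application that consumes the result."""

    def __init__(self, allow_unsolicited=False):
        self.allow_unsolicited = allow_unsolicited   # accept IdP-initiated SSO?
        self.pending_requests = {}   # request ID -> time issued
        self.consumed_ids = set()    # assertion IDs already used (replay check)
        self.sessions = {}           # session token -> NameID

    def start_login(self, now):
        """SP-initiated step 2: redirect the browser to the IdP with a request."""
        request_id = "_" + secrets.token_hex(16)
        self.pending_requests[request_id] = now
        return {"redirect_to": IDP_SSO_URL,
                "SAMLRequest": {"ID": request_id, "Issuer": SP_ENTITY_ID,
                                "AssertionConsumerServiceURL": SP_ACS_URL}}

    def consume(self, response, now):
        """Returns (session_token, None) on success or (None, reason) on failure."""
        a = response["assertion"]
        checks = [
            (hmac.compare_digest(_sign(a), response["signature"]), "signature invalid"),
            (a["Issuer"] == IDP_ENTITY_ID, "untrusted issuer"),
            (a["Audience"] == SP_ENTITY_ID, "audience mismatch"),
            (a["Destination"] == SP_ACS_URL, "destination mismatch"),
            (a["IssueInstant"] <= now < a["NotOnOrAfter"], "assertion expired or not yet valid"),
            (a["ID"] not in self.consumed_ids, "replayed assertion"),
        ]
        for ok, reason in checks:
            if not ok:
                return None, reason
        if a["InResponseTo"] is None:
            if not self.allow_unsolicited:
                return None, "unsolicited (IdP-initiated) response not allowed"
        elif now - self.pending_requests.pop(a["InResponseTo"], float("-inf")) > REQUEST_LIFETIME:
            # An unknown request ID pops as -inf and so fails the age check too.
            return None, "InResponseTo does not match a live request"
        self.consumed_ids.add(a["ID"])
        token = secrets.token_hex(16)
        self.sessions[token] = a["NameID"]
        return token, None


def sp_initiated_sso(sp, idp, username, password, now):
    """SP-initiated: SP redirects to IdP, IdP authenticates and redirects back."""
    redirect = sp.start_login(now)
    if not idp.authenticate(username, password):
        return None, "authentication failed"
    response = idp.issue_response(username, now, redirect["SAMLRequest"]["ID"])
    return sp.consume(response, now)


def idp_initiated_sso(sp, idp, username, password, now):
    """IdP-initiated: the user starts at the IdP (the application portal), so
    there is no request and the result carries no InResponseTo."""
    if not idp.authenticate(username, password):
        return None, "authentication failed"
    return sp.consume(idp.issue_response(username, now), now)
```

With ServiceProvider() left at its default, idp_initiated_sso fails with the unsolicited-response error while sp_initiated_sso succeeds; the same IdP-initiated call against ServiceProvider(allow_unsolicited=True) succeeds. The replay, expiry and InResponseTo checks are the ones most often missing from home-grown SP code, and each is a separate failure reason so the SP can log why a result was refused.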

Table 1-1 IdP-initiated and SP-initiated SSO processes

IdP-initiated SSO:
    1 The end user seeks access to a cloud service or application (the Service Provider) through McAfee Cloud SSO (the Identity Provider).
    2 McAfee Cloud SSO authenticates the end user against the Identity Directory.
    3 McAfee Cloud SSO redirects the authentication result to the cloud service or application through the end user's browser.
    4 The cloud service or application grants access to the end user.

SP-initiated SSO:
    1 The end user seeks access to a cloud service or application (the Service Provider) directly.
    2 The cloud service or application redirects the end user's authentication request to McAfee Cloud SSO (the Identity Provider) through the user's browser.
    3 McAfee Cloud SSO authenticates the end user against the Identity Directory.
    4 McAfee Cloud SSO redirects the authentication result to the cloud service or application through the end user's browser.
    5 The cloud service or application grants access to the end user.

How user provisioning is managed
Provisioning automatically creates new and updates existing user accounts in the target application based on the status of the accounts in the source organization. McAfee Cloud SSO offers multiple ways to manage provisioning:

    Management Console: Provides preconfigured provisioning connectors for a few cloud applications.
    Provisioning Studio: Provides provisioning connector plug-ins that can be customized for each cloud application instance.
    Provisioning SDK: Provides an API that developers can use to write their own provisioning plug-ins, which are then imported in the Provisioning Studio.

Table 1-2 Provisioning options and when to use them

Management Console
    Description: Just-in-time provisioning. Automatically creates and updates user accounts in the target application to match user accounts in the source organization as users log in. Uses account mapping rules that you configure. Greatly simplifies configuration.
    Supported cloud applications: Google, Salesforce, and Schoology.
    When to use: Select this option when you want on-demand user provisioning and simple configuration. To locate it in the Management Console, open the Cloud Connector wizard, then open the provisioning step.

Provisioning Studio
    Description: Bulk provisioning. Continuously creates, updates, and deletes user accounts in the target application to match user accounts in the source organization. Uses provisioning policies that you configure. Adds flexibility and complexity to the configuration.
    Supported cloud applications: Box, Coupa, EchoSign, Google, Joomla, LongJump, NetSuite, Office 365, Salesforce, Schoology, ServiceNow, SuccessFactors, SugarCRM, WebEx.
    When to use: Select this option when you want continuous bulk provisioning and the option of configuring provisioning policies.

Provisioning SDK
    Description: Custom provisioning. You write your own provisioning plug-ins, then import them in the Provisioning Studio.
    Supported cloud applications: Any cloud application that supports provisioning.
    When to use: Select this option when the Provisioning Studio does not support your cloud application with a plug-in.
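To make the difference between the just-in-time and bulk options in Table 1-2 concrete, here is an added example written for this page (not McAfee code; the attribute names, the mapping rules and the in-memory target application are assumptions, and the source records are constructed). It shows the two behaviours a practitioner should plan around: a required attribute missing from the source fails closed instead of creating a half-populated account, and just-in-time provisioning never deprovisions, so only the bulk path removes the accounts of users who are disabled or gone in the source.

```python
# Account mapping rules (assumed names): target attribute -> (source attribute, required)
MAPPING_RULES = {
    "username": ("mail", True),
    "first_name": ("givenName", True),
    "last_name": ("sn", True),
    "department": ("department", False),
}


class TargetApplication:
    """Stand-in for the cloud application's user store and provisioning API."""

    def __init__(self):
        self.accounts = {}   # username -> attribute dict
        self.history = []    # (operation, username), for inspection

    def get(self, username):
        return self.accounts.get(username)

    def create(self, record):
        self.accounts[record["username"]] = dict(record)
        self.history.append(("create", record["username"]))

    def update(self, username, changes):
        self.accounts[username].update(changes)
        self.history.append(("update", username))

    def delete(self, username):
        del self.accounts[username]
        self.history.append(("delete", username))


def map_attributes(source_attrs, rules=MAPPING_RULES):
    """Apply the mapping rules; fail closed when a required attribute is missing
    rather than creating a half-populated account."""
    record = {}
    for target_attr, (source_attr, required) in rules.items():
        value = source_attrs.get(source_attr)
        if value in (None, ""):
            if required:
                raise ValueError(f"missing required source attribute {source_attr!r}")
            continue
        record[target_attr] = value
    return record


def _upsert(target, record):
    existing = target.get(record["username"])
    if existing is None:
        target.create(record)
        return "created"
    changes = {k: v for k, v in record.items() if existing.get(k) != v}
    if changes:
        target.update(record["username"], changes)
        return "updated"
    return "unchanged"


def jit_provision(target, source_attrs):
    """Just-in-time provisioning: runs at login, for the user who is logging in.
    It creates or updates that one account and never deletes anything, because
    a user who stops logging in is simply never seen again."""
    return _upsert(target, map_attributes(source_attrs))


def bulk_provision(target, source_directory):
    """Bulk provisioning: reconciles the whole target against the source
    organization on a schedule, so it can also deprovision accounts that are
    disabled or gone in the source. Returns counts per operation."""
    summary = {"created": 0, "updated": 0, "unchanged": 0, "deleted": 0}
    wanted = {}
    for attrs in source_directory:
        if attrs.get("accountDisabled"):    # policy: disabled means "must not exist"
            continue
        record = map_attributes(attrs)
        wanted[record["username"]] = record
    for record in wanted.values():
        summary[_upsert(target, record)] += 1
    for username in list(target.accounts):
        if username not in wanted:
            target.delete(username)
            summary["deleted"] += 1
    return summary
```

Calling jit_provision once per login reproduces the Management Console option: the first login creates the account, later logins update only the attributes that changed. Running bulk_provision over the whole directory reproduces the Provisioning Studio option, and it is the only path that deletes, which is why the guide reserves deprovisioning for bulk provisioning.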
Event auditing and monitoring
The McAfee Cloud SSO auditing feature uses an events-based auditing model that records all events generated by administrative user actions in the Management Console. Using the auditing feature, administrators can configure auditing policies that support the security and compliance requirements of their organization. To monitor audited events more closely, administrators can configure alert triggers and notification methods and, using the SDK, customize alerts.

In addition to the audit log and alerts, McAfee Cloud SSO makes the following information available to administrators:

    Transaction and error logging: McAfee Cloud SSO keeps a log of completed identity service operations and of errors or exceptions.
    Cloud metrics: McAfee Cloud SSO keeps a count of end-user events, such as SSO, SLO, authorization, provisioning, and deprovisioning.
    Login history: McAfee Cloud SSO keeps a record of logon and logoff events for administrators who are using the Management Console and for end users in the enterprise.

SDK extends built-in functionality
McAfee Cloud SSO provides an extensible software framework and SDK that software developers can use to extend the built-in functionality of the product. Using the SDK and the McAfee Cloud Single Sign On Developer's Guide, developers can extend and customize the product through the following tasks:
    Write custom connectors for .NET and Java-based web applications that do not support SAML 2.0 authentication.
    Write custom connectors to cloud applications not included in the application catalog.
    Write custom authentication modules.
    Write custom alert notification methods.
    Customize the login page and application portal for end users.

Supported environments
McAfee Cloud SSO supports the following environments.

Table 1-3 Supported operating system environments (architecture: IA-32 / Intel 64)
    Linux: Red Hat Enterprise Linux Server and Advanced Platform 5.0: Yes / Yes
    Windows: Windows Server 2003 Standard Edition: Yes / Yes
    Windows: Windows Server 2003 DataCenter Edition: Yes / Yes
    Windows: Windows Server 2003 Enterprise Edition: Yes / Yes
    Windows: Windows Server 2008: Yes / Yes

Supported browsers
McAfee Cloud SSO supports different browsers for the application portal and the Management Console.

Table 1-4 Supported web browsers

Application portal
    End users access SaaS and web applications through the McAfee Cloud SSO application portal on a web browser. The following web browsers are supported.
    Desktop browsers: Google Chrome; Microsoft Internet Explorer 8, 9; Mozilla Firefox 16, 17, 18; Safari.
    Mobile browsers: Android 4.x devices and WebKit browser; iOS devices and Safari browser.

Management Console
    Administrative users manage McAfee Cloud SSO services through the Management Console, a web-based user interface on a local computer. The following web browsers are supported.
    Desktop browsers: Microsoft Internet Explorer 8, 9; Mozilla Firefox 16, 17, 18.
    Mobile browsers: None are currently supported.

2 Installing McAfee Cloud SSO

You can install the McAfee Cloud SSO software on a Windows or Linux operating system on a standalone server, or on an appliance or virtual machine with MLOS installed. When installed on any of these platforms, McAfee Cloud SSO can be integrated with McAfee Web Gateway (Web Gateway).

Contents
    McAfee Cloud SSO software and services
    Installation options
    Installing McAfee Cloud SSO on a Windows or Linux standalone server
    Services installed and uninstalled on Windows or Linux
    Pre-installation considerations on Windows and Linux
    Installing McAfee Cloud SSO on a Windows server
    Installing McAfee Cloud SSO on a Linux server
    Installing McAfee Cloud SSO on an appliance or virtual machine
    Post-installation tasks
    Installing a cluster of McAfee Cloud SSO instances
    Troubleshooting installation

McAfee Cloud SSO software and services
In addition to providing services over a network, McAfee Cloud SSO runs as a local service on a Windows or Linux operating system.

After the software is installed, McAfee Cloud SSO provides services over a network that includes Identity Providers, Service Providers, and individual users who access the network through a web browser. Entities on the network access McAfee Cloud SSO services through service URLs. In the context of providing network services, McAfee Cloud SSO is described as a service or services. At the highest level, it provides the following network services:
    Identity management and SSO service
    One time password service
    Provisioning service

McAfee Cloud SSO also runs as a local service when installed on a Windows or Linux operating system. You need to start the service manually, unless you select the Install as Service option in the installation wizard. When this option is selected, the operating system automatically starts and restarts McAfee Cloud SSO; in this case, you only need to start McAfee Cloud SSO the first time.

When viewed as a local service on a Windows or Linux operating system, the McAfee Cloud SSO services have the following names:
    McAfeeCIM-SSO Service
    McAfee One Time Password
    McAfee Provisioning Service

For more information, see the following documents:
    McAfee One Time Password Product Guide
    McAfee Cloud Single Sign On Provisioning Guide

Installation options
You can install the McAfee Cloud SSO software on a standalone server or on an appliance or virtual machine. When McAfee Cloud SSO is installed on a standalone server, you have the option of installing McAfee One Time Password (McAfee OTP) at the same time, separately, or not at all. McAfee OTP is installed with an initial configuration. To modify the configuration, use the McAfee OTP remote administration console. For more information, see the McAfee One Time Password Product Guide.

Table 2-1 Installation on a standalone server
    Installation formats: The installation package, which includes Oracle JRE Update 45, is available in the following formats: 32-bit Windows with JVM (.exe file); 64-bit Windows with JVM (.exe file); 32-bit Linux with JVM (.bin file); 64-bit Linux with JVM (.bin file). Although McAfee Cloud SSO is installed with a JVM, you can use your own JRE.
    Installation options: Typical (installs a default configuration); Custom (installs a custom configuration); Upgrade (when available, upgrades an older version to a newer version).
    Services installed: Identity and single sign on service; Provisioning service; One time password service. The typical installation option installs the one time password service. The custom installation option allows you to install the one time password service when McAfee Cloud SSO is installed, separately, or not at all.

Table 2-2 Installation on an appliance or virtual machine
    Installation formats: The installation package, which includes JRE Update 27, is available in the following formats:
        .iso image file
        .usb image file
    Installation options: Installs a default configuration
    Services installed: The following services can be installed:
        Identity and single sign on service
        Provisioning service
        One time password service

Installing McAfee Cloud SSO on a Windows or Linux standalone server

Installing McAfee Cloud SSO involves the following high-level tasks.
1 Review the topics that cover pre-installation considerations.
2 Select an option:
    Windows: Download the installation package that corresponds to your Windows operating system and install the McAfee Cloud SSO software.
    Linux: Download the installation package that corresponds to your Linux operating system and install the McAfee Cloud SSO software.
3 Start the McAfee Cloud SSO service manually.
4 Open the Management Console and import your license file. The McAfee Cloud SSO service is restarted automatically.

Services installed and uninstalled on Windows or Linux

The McAfee Cloud SSO services that are installed and uninstalled depend on the type of installation. For more information, consult the following table.

Table 2-3 Services installed and uninstalled on Windows or Linux
    Fresh install in typical or custom mode
        Services installed: All services are installed, with an option to not install McAfee OTP: McAfee Cloud SSO, McAfee OTP, Provisioning
        Services uninstalled: All services are uninstalled. Uninstalling McAfee Cloud SSO also uninstalls the McAfee OTP (if installed) and Provisioning services.
    Upgrade from 3.0
        Services installed: All services are installed: McAfee Cloud SSO, McAfee OTP, Provisioning
        Services uninstalled: All services are uninstalled. Uninstalling McAfee Cloud SSO also uninstalls the McAfee OTP and Provisioning services.
    Upgrade from 3.1 or later
        Services installed: All services are installed: McAfee Cloud SSO, McAfee OTP, Provisioning
        Services uninstalled: McAfee Cloud SSO is uninstalled. The McAfee OTP and Provisioning services must be uninstalled separately.

Pre-installation considerations on Windows and Linux

Before you begin installing McAfee Cloud SSO on a Windows or Linux operating system, review the topics that cover the pre-installation considerations.

Setting up a MySQL database

We recommend that you configure McAfee Cloud SSO to store runtime data (such as user information and the auditing log) in a MySQL database instead of a system file, which is the default setting. You can configure the storage setting in the installation wizard or on the Admin tab in the Management Console.

To download the MySQL database, visit the MySQL website, where you can also find installation instructions. The database can be installed on the same server as McAfee Cloud SSO or on a separate server. To improve performance when system load is high, install the database on a separate server.

McAfee Cloud SSO automatically creates all the required tables in mcsso360db.

During installation of the MySQL database, you create a root account with a password. Make a note of the root password, because you need it later when installing McAfee Cloud SSO.

After the MySQL database is installed, create a new database for McAfee Cloud SSO in MySQL. To create a database named mcsso360db, open the MySQL client and run the following SQL command:

    mysql> create database mcsso360db;

If database creation is successful, a message like the following is displayed:

    Query OK, 1 row affected (0.00 sec)

Administrative privileges

We recommend that you install McAfee Cloud SSO from the built-in Windows administrator or Linux superuser (root) account. Installing McAfee Cloud SSO with administrative privileges allows the software to access system folders and run as a service. The typical (default) McAfee Cloud SSO installation sets the program installation and user configuration folders to system folders. When installing McAfee Cloud SSO for evaluation, however, you can select the custom installation option and configure installation folders that do not require administrative privileges.

We recommend that you install McAfee Cloud SSO as a service. When this option is selected, the service starts when the operating system starts and restarts when the service fails, minimizing down time.

Installing on a server having a fully qualified domain name

To ensure that users on other machines can access McAfee Cloud SSO services, we strongly recommend that you install McAfee Cloud SSO on a machine that has a fully qualified domain name (FQDN) and that you specify the FQDN in the Management Console. When you access the Management Console through a web browser, McAfee Cloud SSO saves the host name or IP address that you enter and uses it to generate all McAfee Cloud SSO service URLs. Without the FQDN, McAfee Cloud SSO uses a local name for the installation machine when generating the service URLs, and users on other machines might not be able to access McAfee Cloud SSO services.

Installing as a service

In the installation wizard, we recommend that you select the Install as Service option. When McAfee Cloud SSO is installed as a local service on a Windows or Linux operating system, the operating system automatically starts the service when the system starts and restarts the service when it fails because of an error, thus minimizing down time.

When McAfee Cloud SSO is installed as a service, you can still start and stop the service manually. Installing McAfee Cloud SSO as a service requires administrative privileges.

After installing McAfee Cloud SSO as a service, you must start the service the first time: restart the operating system, which automatically starts the service, or start the service manually. Thereafter, the service starts and restarts automatically and normally does not need to be started manually again.

Windows operating systems

View and modify the default startup and recovery options in the McAfeeCIM-SSO Service Properties dialog box. To open the properties dialog box, navigate from the Control Panel to Services, right-click the McAfeeCIM-SSO Service, then click Properties.

Table 2-4 McAfeeCIM-SSO Service Properties
    Tab        Option                  Default value
    General    Startup type            Automatic
    Recovery   First failure           Restart the service
               Second failure          Restart the service
               Subsequent failures     Restart the service
    Recovery   Restart service after   0 (minutes)

Upgrade considerations

When you uninstall an older version of McAfee Cloud SSO and install a newer version, you lose all system configuration data. To avoid having to reconfigure your system each time you install a new version, you have the option of upgrading instead. Before you upgrade McAfee Cloud SSO from an older version to a newer version, review the following upgrade considerations.

Table 2-5 Upgrade considerations
    Installation directory, User configuration directory: The installation directory and user configuration directory must stay the same.
    McAfee Cloud SSO services: We strongly recommend that you stop the following services before upgrading:
        McAfee Cloud SSO
        McAfee OTP
        Provisioning
    Configuration tools: We strongly recommend that you close the following configuration tools before upgrading:
        McAfee Cloud SSO Management Console
        McAfee OTP remote administration console
        Provisioning Studio

Before upgrading a cluster, review the following considerations.

Table 2-6 Cluster upgrade considerations
    Online
        Versions: v2.1 to v2.5; v3.1 to v3.2 or later
        Consideration: Upgrade one instance in the cluster while all other instances in the cluster are running.
    Offline
        Versions: v2.1 to v3.0; v3.0 to v3.1
        Consideration: Stop the McAfee Cloud SSO service on each node and upgrade each node individually.
    Online or Offline
        Versions: v3.x to v4.0.1

After upgrading a cluster, start the McAfee OTP and provisioning services on each node in the cluster. This is a requirement.

Using your own JRE on Windows or Linux

Although McAfee Cloud SSO is installed with JVM, you can use your own JRE. Before using your own JRE, verify that the following requirements are met.
    Your JRE is Update 45 or later.
    The JCE Unlimited Strength Jurisdiction Policy is applied to your JRE.
    For each McAfee Cloud SSO service, the JRE path is set to your custom JRE directory.

Apply the JCE Unlimited Strength Jurisdiction Policy to your JRE

To securely use your JRE with McAfee Cloud SSO, download and install JCE Unlimited Strength Jurisdiction Policy Files 6.
1 Download the JCE policy files from the Oracle Java SE download site.
2 See the README.txt file included in the download for instructions for installing the .jar files.

Set the JRE path for each service

To use your own JRE, you must specify your custom JRE path for each McAfee Cloud SSO service before starting the service for the first time.
1 Set the path for the Identity and SSO service.
    a Locate the start script file and open it with a text editor.
        Windows: <install_dir>\current\bin\essoenv.cmd
        Linux: <install_dir>/current/bin/essoenv.sh
      where <install_dir> specifies the name of the program installation directory.
    b Locate the ECA360SSO_JAVA variable in the file.
    c Update the JRE path specified by the variable to your custom JRE directory.
    d Save the updated file.
2 Set the path for the McAfee One Time Password service.
    a Open the file OTPServer.lax with a text editor.
    b Locate the following lines in the file:
        # LAX.NL.CURRENT.VM
        #
        # the VM to use for the next launch
        lax.nl.current.vm=/usr/java/default/jre/bin/java
    c Update the JRE path specified in the last line to your custom JRE directory.
    d Save the updated file.
3 Set the path for the provisioning service.
    a Open the file AAMService.lax with a text editor.
    b Locate the following lines in the file:
        # LAX.NL.CURRENT.VM
        #
        # the VM to use for the next launch
        lax.nl.current.vm=/usr/java/default/jre/bin/java
    c Update the JRE path specified in the last line to your custom JRE directory.
    d Save the updated file.
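The following script is an added example for the Linux side of the procedure above (Set the JRE path for each service); it is not part of the McAfee guide or product. It checks that a JRE directory meets the guide's requirements as far as a shell can tell, then rewrites the ECA360SSO_JAVA variable in essoenv.sh and the lax.nl.current.vm line in OTPServer.lax and AAMService.lax, keeping a .bak copy of each file. It assumes POSIX sh, grep and sed, the .lax line format quoted in the guide, and an essoenv.sh line of the form [export ]ECA360SSO_JAVA=<path> (that last format is an assumption).

```shell
#!/bin/sh
# Added example, not part of the McAfee guide: checks and edits for the
# "use your own JRE" procedure. Assumptions: POSIX sh, grep and sed; the
# .lax files carry a "lax.nl.current.vm=" line as quoted in the guide, and
# essoenv.sh sets ECA360SSO_JAVA on a "[export ]ECA360SSO_JAVA=<path>" line
# (the exact essoenv.sh line format is an assumption).

# Return 0 when a version as printed by "java -version" (1.6.0_45 or
# 1.6.0_45-b01) is Java 6 Update 45 or later, the guide's minimum. Other
# major versions fail closed; the guide only ships Java 6 (assumption).
jre_version_ok() {
    ver="$1"
    case "$ver" in
        1.6.0_*) ;;
        *) return 1 ;;
    esac
    upd="${ver#1.6.0_}"
    upd="${upd%%[!0-9]*}"          # drop a build suffix such as -b01
    [ -n "$upd" ] && [ "$upd" -ge 45 ]
}

# Return 0 when <jre_dir> has an executable bin/java and the two policy
# jars that the JCE Unlimited Strength download replaces. Presence does not
# prove the unlimited policy was applied; only Java itself can confirm that.
jre_dir_ok() {
    d="${1%/}"
    [ -x "$d/bin/java" ] || return 1
    [ -f "$d/lib/security/local_policy.jar" ] || return 1
    [ -f "$d/lib/security/US_export_policy.jar" ]
}

# Rewrite the lax.nl.current.vm line of OTPServer.lax or AAMService.lax so
# the service launches <jre_dir>/bin/java. The edit is refused when the key
# is absent, so a wrong file name cannot pass silently; a .bak copy is kept.
set_lax_vm() {
    lax_file="$1"; jre_dir="${2%/}"
    grep -q '^lax\.nl\.current\.vm=' "$lax_file" || return 1
    cp "$lax_file" "$lax_file.bak" || return 1
    sed "s|^lax\.nl\.current\.vm=.*|lax.nl.current.vm=$jre_dir/bin/java|" \
        "$lax_file.bak" > "$lax_file"
}

# Same treatment for ECA360SSO_JAVA in essoenv.sh (Identity and SSO service).
set_essoenv_java() {
    env_file="$1"; jre_dir="${2%/}"
    grep -q '^\(export \)\{0,1\}ECA360SSO_JAVA=' "$env_file" || return 1
    cp "$env_file" "$env_file.bak" || return 1
    sed "s|^\(export \)\{0,1\}ECA360SSO_JAVA=.*|\1ECA360SSO_JAVA=$jre_dir|" \
        "$env_file.bak" > "$env_file"
}

# Read back the java binary a .lax file will launch (to verify the edit).
lax_vm_path() {
    sed -n 's/^lax\.nl\.current\.vm=//p' "$1"
}

# Constructed sample .lax fragment mirroring the lines quoted in the guide.
make_sample_lax() {
    printf '%s\n' '# LAX.NL.CURRENT.VM' '#' '# the VM to use for the next launch' \
        'lax.nl.current.vm=/usr/java/default/jre/bin/java' > "$1"
}

# Constructed stand-in for a JRE directory (empty files, dry runs only).
make_sample_jre() {
    mkdir -p "$1/bin" "$1/lib/security" || return 1
    : > "$1/bin/java"; chmod +x "$1/bin/java"
    : > "$1/lib/security/local_policy.jar"
    : > "$1/lib/security/US_export_policy.jar"
}

# Apply all three edits for one JRE directory; refuse if it fails the checks.
point_services_at_jre() {
    jre="$1"; sso_env="$2"; otp_lax="$3"; prov_lax="$4"
    jre_dir_ok "$jre" || return 1
    set_essoenv_java "$sso_env" "$jre" &&
    set_lax_vm "$otp_lax" "$jre" &&
    set_lax_vm "$prov_lax" "$jre"
}

# Dry run on constructed files: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    make_sample_jre "$t/jre1.6.0_45"
    printf 'export ECA360SSO_JAVA=/opt/mcafee/cim/sso/jre\n' > "$t/essoenv.sh"
    make_sample_lax "$t/OTPServer.lax"; make_sample_lax "$t/AAMService.lax"
    point_services_at_jre "$t/jre1.6.0_45" "$t/essoenv.sh" \
        "$t/OTPServer.lax" "$t/AAMService.lax" &&
        echo "OTP service will launch: $(lax_vm_path "$t/OTPServer.lax")"
fi
```

Run the functions against the real files only after stopping the services, as the guide requires, and compare each file with its .bak copy before starting them again.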

Set the environment variables when using your own JRE on Linux

To use your JRE on Linux, set the environment variables and test the settings.
1 Open a terminal window and enter the following command:
    root@server ~ # export JAVA_HOME=<jre_install_dir>
  where <jre_install_dir> specifies the installation directory of the JRE on your computer. Example: /usr/java/jre1.6.0_45
2 Enter the following commands:
    root@server ~ # export JRE_HOME=$JAVA_HOME/jre
    root@server ~ # export PATH=$JAVA_HOME/bin:$PATH
3 Test your Java settings by executing the following command:
    root@server install # java -version
  If the Java settings are correct, a message like the following is displayed:
    java version "1.6.0_45"
    Java(TM) SE Runtime Environment (build 1.6.0_45-b01)
    Java HotSpot(TM) Server VM (build 14.2-b01, mixed mode)

Installing McAfee Cloud SSO on a Windows server

You can install and uninstall, start and stop, and back up and restore McAfee Cloud SSO on a Windows operating system.

Install McAfee Cloud SSO on Windows

Follow this process to install McAfee Cloud SSO on a Windows standalone server.

Before you begin
If administrative privileges are required, you must log on to the Windows built-in administrator account or run the McAfee Cloud SSO installer as administrator.

1 Download one of the following installers to a download directory and start the installer:
    32-bit Windows: mcsso_win32_4.0.1.<xxx>.exe
    64-bit Windows: mcsso_win64_4.0.1.<xxx>.exe
  where <xxx> specifies the three-digit build number.
2 To complete each step in the wizard, follow the options in this table.

Table 2-7 Option definitions for Windows installation

License agreement: Read the license agreement, select the I accept the terms of the License Agreement option, then click Next.

Choose setup type: Select an option, then click Next:
    Upgrade: An existing McAfee Cloud SSO installation is upgraded to the new version being installed, and the system configuration of the older version is retained and automatically upgraded as well. An upgrade is recommended for users who want to install a newer version without having to reconfigure the system.
    Typical: McAfee Cloud SSO is installed with a default configuration. A typical installation is recommended for most users.
    Custom: McAfee Cloud SSO is installed with a custom configuration. A custom installation is recommended for advanced users. The Custom installation option allows you to customize the installation directory, user configuration directory, license file, storage type (file or MySQL database), Java path, and web port.

Custom installation options only

Install McAfee One Time Password: Select an option, then click Next:
    Yes: McAfee OTP is installed with McAfee Cloud SSO.
    No: McAfee OTP is not installed with McAfee Cloud SSO. McAfee OTP can be installed separately from McAfee Cloud SSO.

Choose Program Installation Folder: To modify the default installation folder, click Choose, then locate and select a custom installation directory. Click Next.
    Default: %PROGRAMFILES%\McAfee\CIM\SSO
    The installation directory is where all McAfee Cloud SSO runtime components and global configurations are installed.

Choose User Configuration Folder: To modify the default user configuration folder, click Choose, then locate and select a custom user configuration directory. Click Next.
    Default: %USERPROFILE%\CIM-SSO
    The user directory is where all user-specific configurations are installed.

Choose Storage Type: Select where to store the runtime data, then click Next:
    File: Stores the runtime data in a system file. The Configure JRE Path step opens.
    MySQL: Stores the runtime data in a MySQL database. The Configure Database step opens.
    The storage type can also be configured in the Management Console.

Configure JRE Path (File option): Select an option, then click Next:
    Java Path: Specifies using your own JRE. Click Choose to specify the path to the folder where your JRE is located. Default: %PROGRAMFILES%\McAfee\CIM\SSO\jre
    Use Embedded Java: Specifies using the JVM installed with McAfee Cloud SSO.

Configure Database (MySQL option): Specify the following options, then click Next:
    DB URL: Specifies the URL of the MySQL database. Default: localhost. If the port number of the MySQL Server has the default value of 3306, you can omit the port number when specifying the URL. Otherwise, you must specify the port number in the URL.
    DB Name: Specifies the name of the MySQL database. Default: eca360db
    DB Root: Specifies the name of the root user. Default: root
    DB Password: Specifies the password of the root user. Default: passwd

Configure Runtime Parameters: Specify the following options, then click Next:
    Management Console Web Port: Specifies the port number of the McAfee Cloud SSO HTTP server. Default:

Configure McAfee One Time Password Installation:
    1 (Optional) Click Choose to locate and select a custom installation directory or accept the default value, then click Next. Default: %PROGRAMFILES%\McAfee\CIM\OTP
    2 (Optional) Specify the port number used by the McAfee OTP service or accept the default value, then click Next. Default: 3100

Options shared by Upgrade, Typical, and Custom installations

Configure SSL Server Certificate: (Optional) To import an SSL server X.509 certificate key pair:
    1 Select the Import SSL Server X.509 KeyPair checkbox.
    2 Click Browse to locate the keystore file on your computer.
    3 Type the password assigned to the keystore in the KeyStore Passphrase field, then click Read. The keystore file is read, and all key pair entries in the file are listed in the KeyPair Alias drop-down list.
    4 From the KeyPair Alias drop-down list, select the alias corresponding to the X.509 certificate that you want to import. The alias is the name assigned to the key pair when it was created. In the Management Console, the alias is used to reference the key pair.
    5 Type the password assigned to the selected key pair in the KeyPair Passphrase field, then click View. The SSL Certificate Information dialog box opens.
    6 Click OK, then click Next.
    If you do not import your own SSL certificate in the installation wizard, you can import it later using a command line tool.

Install as Service: (Optional) Select the Install McAfee Cloud SSO as service checkbox. When selected, the McAfee Cloud SSO service is started when the operating system starts and restarted when the service fails, minimizing down time. We recommend that you select this option.

Installation Summary: Review the installation summary, then click Install.

Installing: Wait while McAfee Cloud SSO is installed.

Installation Complete: Click Done.

Uninstall McAfee Cloud SSO on Windows

Before you uninstall the McAfee Cloud SSO software, stop all McAfee Cloud SSO services, including the provisioning service and, if installed, McAfee OTP.

Before you begin
If administrative privileges are required, you must log on to the Windows built-in administrator account or uninstall McAfee Cloud SSO as administrator.

1 From the Start menu, select All Programs | McAfee CIM SSO.
2 Click Uninstall McAfee Cloud Single Sign On, then click Next.
3 Select an option, then click Next:
    Complete Uninstall: Removes all McAfee Cloud SSO features that were installed by InstallAnywhere. This option does not remove folders and files created after installation.
    Uninstall Specific Features: Allows you to specify which McAfee Cloud SSO features are uninstalled.
4 (Uninstall Specific Features) To uninstall McAfee Cloud SSO, deselect the Application checkbox, then click Next.
5 (Optional) Select the Remove license file and user configuration file checkbox.
6 To uninstall all or the specified McAfee Cloud SSO features, click Uninstall.
7 Click Done.

Starting and stopping McAfee Cloud SSO on Windows

You can start and stop the McAfee Cloud SSO service using one of several methods. If administrative privileges are required, you must log on to the Windows built-in administrator account or start and stop McAfee Cloud SSO as administrator. After you start the service, you can open the Management Console.

Table 2-8 Starting and stopping McAfee Cloud SSO on Windows
    In a command prompt: Enter one of the following commands.
        To start the McAfee Cloud SSO service: <install_dir>\current\bin\eca360sso.cmd start
        To stop the McAfee Cloud SSO service: <install_dir>\current\bin\eca360sso.cmd stop
      where <install_dir> specifies the name of the program installation directory. Default: %PROGRAMFILES%\McAfee\CIM\SSO
    From the Start menu:
        1 Select All Programs | McAfee CIM SSO.
        2 Select an option:
            Start Service: Starts the McAfee Cloud SSO service
            Stop Service: Stops the McAfee Cloud SSO service
    From the Control Panel:
        1 Open the Services dialog box.
        2 In the dialog box, select the McAfeeCIM-SSO Service.
        3 Start, Stop, or Restart the selected service.

Back up an installation on Windows

We recommend that you back up the current installation before upgrading to a new version of McAfee Cloud SSO. The backup utility saves the McAfee Cloud SSO software and all user configuration and runtime data. In the event that data is lost, it can be restored from the backup. The Windows backup utility is supported for McAfee Cloud SSO versions 2.1 and later.

1 Log on to Windows as administrator.
2 Stop the McAfee Cloud SSO service.
3 Open a command window and change to the following directory:
    <install_dir>
  where <install_dir> specifies the name of the program installation directory.
4 Run the Windows backup command:
    current\bin\eca360sso backup -o <backup_dir>
  where <backup_dir> specifies a user-defined directory where the backup is saved. If the backup directory is located inside the installation directory or user configuration directory, the backup fails.
  The installation is saved in the following subdirectory:
    <backup_dir>\eca_backup-<date&timestamp>
  where <date&timestamp> specifies the date and time that the installation was backed up, in the format yyyy-mm-dd.hh.mm.

Restore a backup on Windows

In the event of lost data, you can restore a McAfee Cloud SSO installation from a backup. The Windows restore utility is supported for McAfee Cloud SSO versions 2.1 and later.

1 Log on to Windows as administrator.
2 Stop the McAfee Cloud SSO service.
3 Open a command window and change to the following directory:
    <backup_dir>\eca_backup-<date&timestamp>
  where <backup_dir> specifies the user-defined directory where the backup is located.
4 Verify that the directory includes the following files:
    .masterdir
    .userdir
    cli.jar
    ECA-backup-masterdir.tgz
    ECA-backup-userdir.tgz
    restore.cmd
5 Type the Windows restore command at the command prompt: restore.cmd

Installing McAfee Cloud SSO on a Linux server

You can install and uninstall, start and stop, and back up and restore McAfee Cloud SSO on a Linux operating system.

Install McAfee Cloud SSO on Linux

Follow this process to install McAfee Cloud SSO on a Linux standalone server.

Before you begin
If administrative privileges are required, you must install McAfee Cloud SSO as superuser (root).

If you are using an X Window System or X11, the installer runs in GUI mode by default. Otherwise, the installer runs in console mode. To force a start in console mode, use the following command:
    32-bit Linux: ./mcsso_linux32_4.0.1.<xxx>.bin -i console
    64-bit Linux: ./mcsso_linux64_4.0.1.<xxx>.bin -i console
where <xxx> specifies the three-digit build number.

1 Download one of the following installers to a download directory:
    32-bit Linux: mcsso_linux32_4.0.1.<xxx>.bin
    64-bit Linux: mcsso_linux64_4.0.1.<xxx>.bin
  where <xxx> specifies the three-digit build number.
2 Start the installer by entering one of the following commands:
    32-bit Linux: root@server <download_dir> # ./mcsso_linux32_4.0.1.<xxx>.bin
    64-bit Linux: root@server <download_dir> # ./mcsso_linux64_4.0.1.<xxx>.bin
  where <download_dir> specifies the name of the download directory and <xxx> specifies the three-digit build number.
3 Complete the steps in the following table.

Table 2-9 Steps and option definitions in the installation wizard on Linux

License Agreement: Read the license agreement, select I accept the terms of the License Agreement, then click Next.

Choose Setup Type: Select an option, then click Next:
    Typical: McAfee Cloud SSO is installed with a default configuration. A typical installation is recommended for most users.
    Custom: McAfee Cloud SSO is installed with a custom configuration. A custom installation is recommended for advanced users. The Custom installation option allows you to customize the installation directory, user configuration directory, license file, storage type (file or MySQL database), Java path, and web port.
    You can upgrade McAfee Cloud SSO from version 2.0 or later by selecting the Custom installation option in the installation wizard and specifying the same program installation and user configuration folders that the existing version uses.

Custom installation options only

Install McAfee One Time Password: Select an option, then click Next:
    Yes: McAfee OTP is installed with McAfee Cloud SSO.
    No: McAfee OTP is not installed with McAfee Cloud SSO. McAfee OTP can be installed separately from McAfee Cloud SSO.

Choose Program Installation Folder: To modify the default installation folder, click Choose, then locate and select a custom installation directory. Click Next.
    Default: /opt/mcafee/cim/sso
    The installation directory is where all McAfee Cloud SSO runtime components and global configurations are installed.

Choose User Configuration Folder: To modify the default user configuration folder, click Choose, then locate and select a custom user configuration directory. Click Next.
    Default: /opt/mcafee/cim/sso/userdir
    The user directory is where all user-specific configurations are installed.

Choose Storage Type: Select where to store the runtime data, then click Next:
    File: Stores the runtime data in a system file. The Configure JRE Path step opens.
    MySQL: Stores the runtime data in a MySQL database. The Configure Database step opens.
    The storage type can also be configured in the Management Console.

Configure JRE Path (File option): Select an option, then click Next:
    Java Path: Specifies using your own JRE. Click Choose to specify the path to the folder where your JRE is located. Default: /opt/mcafee/cim/sso/jre
    Use Embedded Java: Specifies using the JVM installed with McAfee Cloud SSO.

Configure Database (MySQL option): Specify the following options, then click Next:
    DB URL: Specifies the URL of the MySQL database. Default: localhost. If the port number of the MySQL Server has the default value of 3306, you can omit the port number when specifying the URL. Otherwise, you must specify the port number in the URL.
    DB Name: Specifies the name of the MySQL database. Default: eca360db
    DB Root: Specifies the name of the root user. Default: root
    DB Password: Specifies the password of the root user. Default: passwd

Configure Runtime Parameters: Specify the following options, then click Next:
    Management Console Web Port: Specifies the port number of the McAfee Cloud SSO HTTP server. Default:

Configure McAfee One Time Password Installation:
    1 (Optional) Click Choose to locate and select a custom installation directory or accept the default value, then click Next. Default: /opt/mcafee/cim/otp
    2 (Optional) Specify the port number used by the McAfee OTP service or accept the default value, then click Next. Default: 3100

Options shared by Upgrade, Typical, and Custom installations

Configure SSL Server Certificate: (Optional) To import an SSL server X.509 certificate key pair:
    1 Select the Import SSL Server X.509 KeyPair checkbox.
    2 Click Browse to locate the keystore file on your computer.
    3 Type the password assigned to the keystore in the KeyStore Passphrase field, then click Read. The keystore file is read, and all key pair entries in the file are listed in the KeyPair Alias drop-down list.
    4 From the KeyPair Alias drop-down list, select the alias corresponding to the X.509 certificate that you want to import. The alias is the name assigned to the key pair when it was created. In the Management Console, the alias is used to reference the key pair.
    5 Type the password assigned to the selected key pair in the KeyPair Passphrase field, then click View. The SSL Certificate Information dialog box opens.
    6 Click OK, then click Next.
    If you do not import your own SSL certificate in the installation wizard, you can import it later using a command line tool.

Install as Service: (Optional) Select the Install McAfee Cloud SSO as service checkbox. When selected, the McAfee Cloud SSO service is started when the operating system starts and restarted when the service fails, minimizing down time. We recommend that you select this option.

Installation Summary: Review the installation summary, then click Install.

Installing: Wait while McAfee Cloud SSO is installed.

Installation Complete: Click Done.

Uninstall McAfee Cloud SSO on Linux

Before you uninstall the McAfee Cloud SSO software, stop all McAfee Cloud SSO services, including the provisioning service and, if installed, McAfee OTP.

Before you begin
If administrative privileges are required, you must uninstall McAfee Cloud SSO as superuser (root).

1 Navigate to the following directory:
    <install_dir>
  where <install_dir> specifies the name of the program installation directory. Default: /opt/mcafee/cim/sso
2 Enter the following command at the prompt to stop the McAfee Cloud SSO service:
    root@server <install_dir> # ./current/bin/eca360sso.sh stop
3 After McAfee Cloud SSO is stopped, run the uninstaller:
    root@server <install_dir> # ./Uninstaller/Uninstall
4 Click Next.
5 Select an option, then click Next:
    Complete Uninstall: Removes all McAfee Cloud SSO features that were installed by InstallAnywhere. This option does not remove folders and files created after installation. The Remove All User Data step opens.
    Uninstall Specific Features: Allows you to specify which McAfee Cloud SSO features are uninstalled.
6 (Uninstall Specific Features) To uninstall McAfee Cloud SSO, deselect the Application checkbox, then click Next.
7 (Optional) Select the Remove license file and user configuration file checkbox.
8 To uninstall all or the specified McAfee Cloud SSO features, click Uninstall.
9 Click Done.

Start and Stop McAfee Cloud SSO on Linux

Use the following options to start or stop McAfee Cloud SSO.

Before you begin
If administrative privileges are required, you must start and stop McAfee Cloud SSO as superuser (root).

1 Navigate to the following directory:
    <install_dir>
  where <install_dir> specifies the name of the program installation directory. Default: /opt/mcafee/cim/sso
2 Select an option.
    To start the McAfee Cloud SSO service, execute the following command:
        root@server <install_dir> # ./current/bin/eca360sso.sh start
    To stop the McAfee Cloud SSO service, execute the following command:
        root@server <install_dir> # ./current/bin/eca360sso.sh stop

After you start the McAfee Cloud SSO service, you can open the Management Console.

Back Up an installation on Linux

We recommend that you back up the current installation before upgrading to a new version of McAfee Cloud SSO. The backup utility saves the McAfee Cloud SSO software and all user configuration and runtime data. In the event that data is lost, it can be restored from the backup. The Linux backup utility is supported for McAfee Cloud SSO versions 2.1 and later.

1 Log on to Linux as superuser (root).
2 Stop the McAfee Cloud SSO service.
3 Navigate to the following directory:
    <install_dir>
  where <install_dir> specifies the name of the program installation directory. Default: /opt/mcafee/cim/sso
4 Execute the Linux backup command:
    current/bin/eca360sso.sh backup -o <backup_dir>
  where <backup_dir> specifies the user-defined directory where the backup is saved. If the backup directory is located inside the installation directory or user configuration directory, the backup fails.
  The installation is saved in the following subdirectory:
    <backup_dir>/eca_backup-<date&timestamp>
  where <date&timestamp> specifies the date and time that the installation was backed up, in the format yyyy-mm-dd.hh.mm.

Restore a backup on Linux

In the event of lost data, you can restore a McAfee Cloud SSO installation from a backup.

The Linux restore utility is supported for McAfee Cloud SSO versions 2.1 and later.

1 Log on to Linux as superuser (root).
2 Stop the McAfee Cloud SSO service.
3 Navigate to the following directory:
  <backup_dir>/eca_backup-<date&timestamp>
  where <backup_dir> specifies the user-defined directory where the backup is located.
4 Verify that the directory includes the following files:
  .masterdir
  .userdir
  cli.jar
  ECA-backup-masterdir.tgz
  ECA-backup-userdir.tgz
  restore.cmd
5 Execute the Linux restore command:
    restore.sh
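The backup and restore procedures above both have a precondition that is only reported after the service has already been stopped: the backup directory must not sit inside the installation directory or the user configuration directory, and the backup subdirectory must contain the six files listed in step 4 of the restore procedure. The following shell functions are an added example, not part of the McAfee product guide or of the eca360sso.sh tooling; they perform those checks up front on plain paths and directories and never call the product's own scripts. The user configuration directory is passed in by the caller because the guide gives no default for it.

```shell
#!/bin/sh
# Added example (not McAfee code): pre-flight checks for the Linux backup
# and restore procedures. Only paths and directory contents are inspected;
# eca360sso.sh and restore.sh are not invoked.

# path_inside PARENT CHILD: return 0 when CHILD is PARENT or lies below it.
# Textual comparison of absolute paths; symlinks are not resolved.
path_inside() {
    parent=$(printf '%s' "$1" | sed 's#/*$##')
    child=$(printf '%s' "$2" | sed 's#/*$##')
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_backup_dir INSTALL_DIR USER_CONF_DIR BACKUP_DIR
# The guide states that the backup fails when BACKUP_DIR is inside the
# installation directory or the user configuration directory, so refuse
# those before the service is stopped. Relative paths are refused too,
# since the command is run from <install_dir> and would land inside it.
check_backup_dir() {
    install_dir=$1; user_conf_dir=$2; backup_dir=$3
    case "$backup_dir" in
        /*) ;;
        *) echo "backup directory must be an absolute path: $backup_dir" >&2; return 1 ;;
    esac
    if path_inside "$install_dir" "$backup_dir"; then
        echo "backup directory is inside the installation directory $install_dir" >&2
        return 1
    fi
    if path_inside "$user_conf_dir" "$backup_dir"; then
        echo "backup directory is inside the user configuration directory $user_conf_dir" >&2
        return 1
    fi
    return 0
}

# is_backup_subdir NAME: true when NAME follows the documented pattern
# eca_backup-yyyy-mm-dd.hh.mm, so a restore can pick the right directory.
is_backup_subdir() {
    printf '%s\n' "$1" | grep -Eq '^eca_backup-[0-9]{4}-[0-9]{2}-[0-9]{2}\.[0-9]{2}\.[0-9]{2}$'
}

# verify_restore_dir DIR: step 4 of the restore procedure. Every file the
# guide lists must exist; each missing one is reported and 1 is returned.
verify_restore_dir() {
    dir=$1; missing=0
    for f in .masterdir .userdir cli.jar ECA-backup-masterdir.tgz \
             ECA-backup-userdir.tgz restore.cmd; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}
```

Typical use, with the guide's default installation directory and an assumed user configuration directory: `check_backup_dir /opt/mcafee/cim/sso /var/mcsso/userconf /backups/mcsso && current/bin/eca360sso.sh backup -o /backups/mcsso`, and before a restore, `verify_restore_dir /backups/mcsso/eca_backup-2013-05-21.14.05 && ./restore.sh`. The file list checked is exactly the one the guide prints in step 4 (it names restore.cmd while the command run in step 5 is restore.sh).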

Installing McAfee Cloud SSO on an appliance or virtual machine

You can install the McAfee Cloud SSO software on an appliance or on a virtual machine (VM).

An appliance vs. a virtual machine

The McAfee Cloud SSO installation and configuration wizards are the same whether you install on an appliance or a virtual machine. The two installation options are set up differently, however, as shown in the following diagram.

Figure 2-1 An appliance vs. a virtual machine

Option 1, installing McAfee Cloud SSO on an appliance
This installation option requires two appliances. The Web Gateway software is installed on one appliance. The other appliance is re-imaged with McAfee Cloud SSO software.

Option 2, installing McAfee Cloud SSO on a virtual machine
This installation option requires a VMware ESX or ESXi server. On the ESX server, you create two virtual machines. On one, you install an image of the Web Gateway software. On the other, you install an image of the McAfee Cloud SSO software. After the software is installed, each virtual machine is known as a virtual appliance.

Requirements for using a virtual machine

The McAfee Cloud SSO software image must be installed on a VMware ESX or ESXi server. If you are using VMware Workstation, the host system must meet the following specifications.

CPU: 64-bit capable
Virtualization extension: VT-x/AMD-V

Installation tasks on an appliance or virtual machine

Installing McAfee Cloud SSO involves the following high-level tasks.

1 Download the McAfee Cloud SSO software in a .iso or .usb image file.
2 Re-image a CD or USB drive.
3 (Virtual machine) Create a new virtual machine on your ESX or ESXi server.
4 Run the installer.
5 Configure MLOS.
6 Open the Management Console and import your license file.
7 Log on to MLOS and manually restart the following services in the order shown:
  One time password service
  Provisioning service
  Identity and single sign on service

Download McAfee Cloud SSO software

The McAfee Cloud SSO software can be downloaded in a .iso or .usb image file and installed on an appliance or virtual machine. Choose an .iso image file when you want to install from a CD and a .usb image file when you want to install from a USB drive. The software includes all McAfee Cloud SSO services, MLOS, and the installation and configuration wizards.

1 Open a web browser and access:
2 Enter your user name and password.
3 On the home page of the Content & Cloud Security Portal, select Software | McAfee Cloud Single Sign On | Downloads.
4 Download the .iso or .usb image file:
  mcssoappl <xxx>.x86_64.iso
  mcssoappl <xxx>.x86_64.usb
  where <xxx> specifies the three-digit build number.

Re-image a CD or USB drive

If you download an .iso image file, burn the image on a CD. Alternatively, if you download a .usb image file, write the file to a USB drive. When you restart the appliance or virtual machine from the re-imaged CD or USB drive, the McAfee Cloud SSO installation wizard opens. When installation is complete, the appliance configuration wizard opens, and you configure MLOS.

1 Perform the steps listed in the following table that correspond to your image file format.

Table 2-10 Re-image a CD or USB drive and start the installation

Image file format: .iso image file
Steps:
  1 Burn the ISO image on a CD.
  2 Insert the CD in a CD drive on the appliance or the system hosting your virtual machine.
  3 (Virtual machine) Create a new virtual machine.
  4 Restart the appliance or virtual machine from the CD. The McAfee Cloud SSO installation wizard opens.

Image file format: .usb image file
Steps:
  1 Write the .usb image file to a USB drive.
  2 Insert the USB drive in a USB port on the appliance or the system hosting your virtual machine.
  3 (Virtual machine) Create a new virtual machine.
  4 Restart the appliance or virtual machine from the USB drive. The McAfee Cloud SSO installation wizard opens.

For information about installing McAfee Cloud SSO on a Windows appliance using a USB drive, refer to the McAfee KnowledgeBase article: kc.mcafee.com/corporate/index?page=content&id=kb

2 In the installation wizard, click Enter to select the default installation option:
    2 - video console (with configuration wizard)
3 In the appliance configuration wizard, configure the following MLOS options:

Table 2-11 Option definitions for configuring MLOS

Option: Auto-configure interface eth0 with DHCP
Definition: Specifies whether DHCP (Dynamic Host Configuration Protocol) is enabled for your network. Value: Yes

Option: Host name
Definition: Specifies the host name or IP address of the virtual machine where McAfee Cloud SSO is installed. Default: mcssoappl

Option: Root password
Definition: Specifies the password of the Linux root user account.

Option: Permit root logon with SSH
Definition: Specifies whether the root user is allowed to log on remotely. Value: Yes

Create a new virtual machine on your ESX or ESXi server

If you are installing McAfee Cloud SSO on a virtual machine, you need to create a new virtual machine on your ESX or ESXi server. The options in the following table are recommended or required. For options that are not listed, accept the default values.

1 Perform one of the following steps:
  Insert the CD containing the McAfee Cloud SSO software image in a CD drive on the system hosting your virtual machine.
  Insert the USB drive containing the McAfee Cloud SSO software image in a USB port on the system hosting your virtual machine.
2 Configure options for a new virtual machine.

Table 2-12 Options for a virtual machine

Option: Configuration type
Definition: Typical; Advanced (recommended for virtual appliance setup)

Option: Installation mode
Definition: Install from disk ISO image (required for virtual appliance setup); Install later

Option: Operating system
Definition: Linux (64 bit) version 2.6

Option: Memory
Definition: 4 GB (recommended)

Option: Hard disk space
Definition: 200 GB (recommended)

Option: Number of processors
Definition: 1; 2 (minimum requirement); 4 ... The number of processors provided for selection depends on the equipment of the host system that is used for setting up the virtual appliance.

Option: Network connection mode
Definition: Bridged (recommended); NAT ...

Option: CD/DVD drive with assigned ISO image
Definition: <drive name>/<name of the ISO image>

Option: Network interface card type
Definition: E1000; VMXNET 3

Option: SCSI controller (for some ESX versions)
Definition: BusLogic Controller (recommended); LSI Logic Controller

Restart McAfee Cloud SSO services

All McAfee Cloud SSO services are installed and running by default. Access to services depends on the license you purchase. After you import your license in the Management Console, the McAfee Cloud SSO service is stopped automatically. Restart the services in the order shown.

1 Log on to MLOS.
2 Enter the following command:
    /etc/init.d/mcsso restart
  Alternatively, you can restart the services individually by entering the following commands in the order shown:
    /etc/init.d/mcsso-otp restart
    /etc/init.d/mcsso-prov restart
    /etc/init.d/mcsso restart

McAfee Cloud SSO services are restarted in this order:
1 McAfee One Time Password
2 McAfee Provisioning Service
3 McAfeeCIM-SSO Service

Upgrade McAfee Cloud SSO software on an appliance or virtual machine

You can upgrade the McAfee Cloud SSO software, which includes single sign on, one time password, and provisioning services, from version to on an appliance or virtual machine.

1 Log on to MLOS.
2 To upgrade McAfee Cloud SSO services, enter the following commands:
    yum update mcsso
    yum update otp
    yum update aam
3 To restart the services, enter the following command:
    /etc/init.d/mcsso restart
  This step is required.
  Alternatively, you can restart the services individually by entering the following commands in the order shown:
    /etc/init.d/mcsso-otp restart
    /etc/init.d/mcsso-prov restart
    /etc/init.d/mcsso restart

McAfee Cloud SSO services are restarted in this order:
1 McAfee One Time Password
2 McAfee Provisioning Service
3 McAfeeCIM-SSO Service

Provisioning and OTP configuration files on an appliance or virtual machine

When McAfee Cloud SSO is installed on an appliance or virtual machine, you can update the provisioning and OTP configuration files with changes that you make in the Provisioning Studio or McAfee OTP remote administration console, respectively.

Update the provisioning configuration file on an appliance or virtual machine

When McAfee Cloud SSO is installed on an appliance or virtual machine, you can access and update the provisioning configuration file from the Windows or Linux computer where the Provisioning Studio is installed.

1 On the Windows or Linux computer where the Provisioning Studio is installed, start the Provisioning Studio.
2 In the Provisioning Studio, click Remote | Load Remote Configuration.
3 Click Yes in response to the prompt: Do you want to save the current configuration?
4 Specify values for the following remote connection options.
  Remote Server URL: Specifies the IP address of the server where McAfee Cloud SSO is installed. Format:
  Password: Specifies the password needed to access the provisioning configuration file on the server where McAfee Cloud SSO is installed. Initial value: passwd
  Configuration File: Specifies the name of the provisioning configuration file to download from the server where McAfee Cloud SSO is installed. Value: config.aam
5 In response to Load Action Packages, click OK.
6 Click Yes in response to the prompt: Do you want to save the current configuration?
7 Click OK in response to the message: Action packages saved as backup.
8 Click OK in response to the following messages:
  Action packages loaded from server
  Remote configuration loaded from server

Update the OTP properties file on an appliance or virtual machine

When McAfee Cloud SSO is installed on an appliance or virtual machine, you can access and update the otp.properties file from the Windows or Linux computer where the McAfee OTP remote administration console is installed.

Before you begin
We recommend that you start the McAfee OTP remote administration console as administrator on Windows or as superuser (root) on Linux.

1 On the Windows or Linux computer where the McAfee OTP remote administration console is installed, start the remote administration console.
2 In the Remote OTP-Server connect dialog box, specify values for the following options:
  OTPServer address: Specifies the IP address of the server where McAfee Cloud SSO is installed.
  Portnr: Specifies the port number used by the McAfee OTP service. Default: 3100
  Password: Specifies the password needed to access the McAfee OTP service. Initial value: passwd
3 Click Connect.

Post-installation tasks

Use the following table as a guide to the post-installation tasks and when they need to be performed.

Table 2-13 Post-installation tasks

Task: Import your license file in the Management Console
Timing: After you install McAfee Cloud SSO and the service is running

Task: Replace the default SSL server certificate in the Management Console or using a command line tool
Timing: Before you deploy McAfee Cloud SSO in a production setting

Open the Management Console and import your license file

After you install and start the McAfee Cloud SSO service, access the Management Console in a web browser using an initial user name and password. After you are logged on, import your license file.

1 In the address window of a supported web browser, enter a link with the following format:
  where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO.
2 Type the following initial values in the fields on the logon page, then click Log on.
  User name: admin
  Password: passwd
3 From the Admin tab drop-down list, select License.
4 Click Change License.
5 In the Import License dialog box, browse for and select your license file, click Upload License, then click OK.

Replace the default SSL server certificate

Replace the default self-signed certificate installed with McAfee Cloud SSO with a valid certificate signed by a Certificate Authority.

McAfee Cloud SSO uses an encrypted Java keystore to store the default certificate and provides a command line tool that allows you to replace the default certificate with your own certificate from a PKCS 12 or JKS keystore. Alternatively, you can import your own certificate in the installation wizard.

Table 2-14 Keystore file formats

File format: PKCS 12 (Public Key Cryptography Standards)
Definition: Defines a file format (.p12 or .pfx) published by RSA Laboratories for storing X.509 private keys paired with public key certificates.

File format: JKS (Java Key Store)
Definition: Defines a file format (.jks) for storing X.509 certificates and private keys used by Java-based applications.

If the alias corresponding to your key pair is the hash value of a public key instead of a name, you must locate and modify the alias in the keystore using Java keytool commands.

1 Prepare a PKCS 12 or JKS keystore (with .p12 or .pfx file name extension), which includes the SSL certificate. You can use OpenSSL to generate a self-signed certificate, or you can use a certificate signed by a trusted certificate authority (CA).
2 Open a command window and change to the following directory:
    <install_dir>\current\bin
  where <install_dir> specifies the name of the program installation directory.
3 Run the following Java program:
    java -jar ReplaceSSLCert.jar -keystore <keystore_filename> -storetype <pkcs12|jks> -storepass <keystore_password> -keypass <certificate_password> -alias <certificate_alias>
  where -keystore <keystore_filename> specifies the name of the file that holds the keystore, -storetype <pkcs12|jks> specifies whether the keystore file format is PKCS 12 or JKS, -storepass <keystore_password> specifies the password assigned to the keystore, -keypass <certificate_password> specifies the password assigned to the key pair, and -alias <certificate_alias> specifies the name assigned to the key pair when it was created.
4 Restart McAfee Cloud SSO.
5 To view the certificate, open the Management Console and follow your web browser's instructions for viewing certificates.

Locate and modify an alias in a keystore

Each key pair in a keystore is identified by a unique alias. If the alias corresponding to your key pair is the hash value of a public key instead of a name, you must locate and modify the alias in the keystore using the following Java keytool commands. Then when you replace the default SSL server certificate with your own, you can reference your key pair with an alias name rather than a hash value.

1 To locate the alias of your key pair in the keystore file, run the following command:
    keytool -list -keystore <keystore_filename> -storetype <pkcs12|jks>
  where -keystore <keystore_filename> specifies the name of the file that holds the keystore and -storetype <pkcs12|jks> specifies whether the keystore file format is PKCS 12 or JKS.
  When the alias is a hash value instead of a name, it is represented by an index number in the output generated by the -list command.
2 To modify the alias of your key pair in the keystore file, run the following command:
    keytool -changealias -keystore <keystore_filename> -storetype <pkcs12|jks> -alias <index_number> -destalias <alias_name>
  where -keystore <keystore_filename> specifies the name of the file that holds the keystore, -storetype <pkcs12|jks> specifies whether the keystore file format is PKCS 12 or JKS, -alias <index_number> specifies the index number of the alias you want to modify, and -destalias <alias_name> specifies a destination alias or new name for the alias you want to modify.

Installing a cluster of McAfee Cloud SSO instances

Clustering is the grouping of several McAfee Cloud SSO instances, each instance installed on its own server. The instances, which are called nodes, make up a cluster. One node, known as the master node, coordinates the remaining nodes, which are called the slave nodes. All McAfee Cloud SSO configuration is shared across the nodes, so that they function as a single machine.

Benefits of clustering

Clustering supports load balancing and failover and improves the scalability and availability of the McAfee Cloud SSO service.

Scalability: Load balancing distributes the work across the servers, thus allowing the cluster to handle larger workloads. The ability to handle larger and larger workloads is called scalability.
Availability: Failover is the ability to switch from one McAfee Cloud SSO server to another when the first server fails. The ability of each server in a cluster to back up the other servers in case of failure makes the cluster highly available and is called availability.

When you have more than one instance of McAfee Cloud SSO, you must configure clustering for the McAfee Cloud SSO service to function correctly.
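The SSL certificate replacement procedure and the keytool alias steps above share one failure mode: ReplaceSSLCert.jar is given an alias that is still an index number (a hash-valued alias as shown by keytool -list), or a keystore file or -storetype value that does not match. The following shell helpers are an added example, not McAfee code and not part of keytool or ReplaceSSLCert.jar; they read keytool -list output from a pipe, report which aliases are bare index numbers and need keytool -changealias first, and validate the three arguments the jar depends on before it is run. The keytool output embedded below is constructed for the example (the alias "1", the alias "mcsso-server", the dates and the fingerprints are all sample values), and the entry-line layout "alias, date, EntryType," is the one keytool -list prints in non-verbose mode.

```shell
#!/bin/sh
# Added example (not McAfee code): find hash-valued (index) aliases in
# "keytool -list" output and validate ReplaceSSLCert.jar arguments.
# keytool and the jar are not invoked; the sample output is constructed.

# Constructed sample of non-verbose keytool -list output for a PKCS 12
# store with two private key entries: one whose alias is the index "1"
# and one named "mcsso-server". Fingerprints are placeholders.
SAMPLE_KEYTOOL_LIST='Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 2 entries

1, May 21, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
mcsso-server, May 21, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# keystore_aliases: read keytool -list output on stdin, print one alias per
# entry. Entry lines look like "alias, date, EntryType," so the alias is
# the text before the first ", " on lines that carry an entry type.
keystore_aliases() {
    awk -F', ' '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)/ { print $1 }'
}

# index_aliases: keep only aliases that are bare numbers, which is how the
# guide says a hash-valued alias appears in -list output. Each one printed
# is a candidate for: keytool -changealias ... -alias <n> -destalias <name>
index_aliases() {
    keystore_aliases | grep -E '^[0-9]+$'
}

# check_replace_args KEYSTORE_FILE STORETYPE ALIAS
# Pre-flight for "java -jar ReplaceSSLCert.jar -keystore ... -storetype ...
# -alias ...": the keystore must exist, -storetype must be pkcs12 or jks,
# and the alias must be a name rather than an index number.
check_replace_args() {
    ks=$1; st=$2; al=$3
    [ -f "$ks" ] || { echo "keystore not found: $ks" >&2; return 1; }
    case "$st" in
        pkcs12|jks) ;;
        *) echo "storetype must be pkcs12 or jks, got: $st" >&2; return 1 ;;
    esac
    if printf '%s\n' "$al" | grep -Eq '^[0-9]+$'; then
        echo "alias '$al' is an index number; rename it with keytool -changealias first" >&2
        return 1
    fi
    return 0
}
```

In use, the output of step 1 is piped straight in: `keytool -list -keystore server.p12 -storetype pkcs12 | index_aliases` lists the entries that must be renamed with step 2, and `check_replace_args server.p12 pkcs12 mcsso-server && java -jar ReplaceSSLCert.jar ...` guards the replacement itself. Keystore and key passwords are deliberately not handled here; pass them to the jar as the guide describes.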

How nodes are added to a cluster

To configure clustering for each instance of McAfee Cloud SSO, you install and start the instance, modify the cluster configuration file for that instance, and restart the instance. The first instance that is added to a cluster and restarted becomes the master node.

When you configure the second node in the cluster, you modify both the cluster configuration file for the second node and the cluster configuration file for the master node, so that there are two nodes in the node list.

    <nodelist>
      <node><name>...</name><ipaddress>...</ipaddress></node>
      <node><name>...</name><ipaddress>...</ipaddress></node>
    </nodelist>

The number of nodes in the node list equals the number of nodes in the existing cluster plus the node that you are adding to the cluster.

Configure a cluster of two nodes

To configure a cluster of two McAfee Cloud SSO instances as a master node and a slave node, follow these steps. Repeat the steps as needed to configure larger clusters.

1 Install and start the first instance on a server.
2 Open the cluster configuration file for the first instance.
3 Add the first <node> to the <nodelist> in the cluster configuration file, as follows:
    <nodelist>
      <node><name>master</name><ipaddress>...</ipaddress></node>
    </nodelist>
  where <name> specifies the name of the McAfee Cloud SSO instance (Example: Master) and <ipaddress> specifies the IP address of the server where the McAfee Cloud SSO instance is installed.
4 Restart the first instance. The first instance is the master node.
5 To add a second instance to the cluster:
  a Install and start the second instance on its own server.
  b Open the cluster configuration files for the master node and the second instance.
  c Add a second <node> to the <nodelist> in both cluster configuration files, as follows:
      <nodelist>
        <node><name>master</name><ipaddress>ipaddress0</ipaddress></node>
        <node><name>slave1</name><ipaddress>ipaddress1</ipaddress></node>
      </nodelist>
6 Restart the master node, then restart the second instance. The second instance is added to the cluster as a slave node.

Add a McAfee Cloud SSO instance to an existing cluster

Clustering improves the scalability and availability of the McAfee Cloud SSO service.

1 Install McAfee Cloud SSO on the server and start the service.
2 Locate the cluster configuration file in the following folder, then open the file with a text editor.
  Default Windows location: %PROGRAMFILES%\McAfee\CIM\SSO\current\configuration\.defaultSys\cluster.xml
  Default Linux location: /opt/mcafee/cim/sso/current/configuration/.defaultsys/cluster.xml
3 In the cluster.xml file, update the following options.

Table 2-15 Option definitions for the cluster configuration file (cluster.xml)

Option: Cluster options
Definition: Update the default cluster options with values that match the existing cluster.
  clustername: Specifies the name of the cluster.
  clusterport: Specifies the number of the port used by the nodes in the cluster to communicate. Default: 9997

Option: Node options
Definition: Update the node options with values that match the McAfee Cloud SSO instance you are adding to the existing cluster:
  name: Specifies the name of the node. Replace the default value with the fully qualified domain name (FQDN) of the node. Default: localhost
  ipaddress: Specifies the IP address of the node. Replace the default value with the IP address that can be accessed by the other nodes in the cluster. Default:

4 Copy the existing cluster's node list from the master node's configuration file and paste it in the file that you are editing above the node that you just modified. Example:
    <nodelist>
      <node><name>master</name><ipaddress>ipaddress0</ipaddress></node>
      <node><name>slave1</name><ipaddress>ipaddress1</ipaddress></node>
      <node><name>slave2</name><ipaddress>ipaddress2</ipaddress></node>
    </nodelist>
  where Slave2 is the name of the node that you just added to the cluster.
5 Locate the bootstrap.xml file in the following folder:
  Default Windows location: %PROGRAMFILES%\McAfee\CIM\SSO\current\configuration\template\conf\bootstrap.xml
  Default Linux location: /opt/mcafee/cim/sso/current/configuration/template/conf/bootstrap.xml
6 Open the file with a text editor and replace with the IP address of the node that you are adding to the cluster.
7 Restart the server for the changes in the file to take effect.
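Both cluster procedures above (configuring a two-node cluster and adding a node to an existing cluster) depend on two conditions that are easy to get wrong by hand: every node's cluster.xml must carry the same <nodelist>, and that list must contain the existing nodes plus the one being added, with the default name localhost and the default loopback address replaced. The following shell functions are an added example, not McAfee code; they extract the <nodelist> from a cluster.xml, count its nodes, compare two files for drift, and flag nodes that still carry defaults, so that a mismatch surfaces before the restarts in step 6 and step 7 rather than after. Only the <nodelist>/<node>/<name>/<ipaddress> structure comes from the guide; the <cluster> root element, the host names and the 192.0.2.x addresses in the constructed samples are assumptions for the example.

```shell
#!/bin/sh
# Added example (not McAfee code): consistency checks on the <nodelist> in
# cluster.xml before cluster nodes are restarted.

# Constructed sample cluster.xml contents. The <cluster> root element is an
# assumption; the guide only shows the <nodelist> block. Two files that
# agree (master and slave, differing only in indentation) and one that was
# never edited past the defaults the guide says to replace.
SAMPLE_MASTER_XML='<cluster>
  <nodelist>
    <node><name>sso1.example.test</name><ipaddress>192.0.2.10</ipaddress></node>
    <node><name>sso2.example.test</name><ipaddress>192.0.2.11</ipaddress></node>
  </nodelist>
</cluster>'
SAMPLE_SLAVE_XML='<cluster>
<nodelist>
<node><name>sso1.example.test</name><ipaddress>192.0.2.10</ipaddress></node>
<node><name>sso2.example.test</name><ipaddress>192.0.2.11</ipaddress></node>
</nodelist>
</cluster>'
SAMPLE_UNEDITED_XML='<cluster>
  <nodelist>
    <node><name>sso1.example.test</name><ipaddress>192.0.2.10</ipaddress></node>
    <node><name>localhost</name><ipaddress>127.0.0.1</ipaddress></node>
  </nodelist>
</cluster>'

# nodelist_block FILE: print the <nodelist>...</nodelist> section with
# spaces and tabs removed, so indentation differences do not count as drift.
nodelist_block() {
    sed -n '/<nodelist>/,/<\/nodelist>/p' "$1" | tr -d ' \t'
}

# count_nodes FILE: number of <node> entries in the node list (0 when none).
count_nodes() {
    nodelist_block "$1" | grep -c '<node>' || true
}

# nodelists_match FILE_A FILE_B: succeed when both files carry the same list.
nodelists_match() {
    [ "$(nodelist_block "$1")" = "$(nodelist_block "$2")" ]
}

# check_new_node FILE EXPECTED_COUNT
# EXPECTED_COUNT is the existing node count plus one, as the guide states.
# Fails when the count differs or when a node still has the default name
# localhost, or an empty, loopback or unspecified ipaddress.
check_new_node() {
    f=$1; expected=$2; rc=0
    n=$(count_nodes "$f")
    if [ "$n" -ne "$expected" ]; then
        echo "$f: expected $expected nodes, found $n" >&2; rc=1
    fi
    if nodelist_block "$f" | grep -q '<name>localhost</name>'; then
        echo "$f: a node still uses the default name localhost" >&2; rc=1
    fi
    if nodelist_block "$f" | grep -Eq '<ipaddress>(127\.[0-9.]+|0\.0\.0\.0)?</ipaddress>'; then
        echo "$f: a node has an empty, loopback or unspecified ipaddress" >&2; rc=1
    fi
    return $rc
}
```

Before step 6 of "Configure a cluster of two nodes", run `nodelists_match master/cluster.xml slave1/cluster.xml && check_new_node slave1/cluster.xml 2`; when adding a third node, the expected count becomes 3 and the same comparison is made against the master node's file. The address pattern treats any 127.x.x.x address as loopback because the node's ipaddress must be reachable by the other nodes, which a loopback address never is.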

Troubleshooting installation

Refer to this section when you encounter an issue while installing McAfee Cloud SSO.

Property soae.user.dir is not set

The following error is displayed: Property soae.user.dir is not set.

Table 2-16 Property soae.user.dir is not set

Symptom: The following error message is displayed:
  SOAE start failed with exception java.lang.exception: Property soae.user.dir is not set.
Solution: There are two possible reasons for and solutions to this error. Take one or both steps, then try installing again.
  The JAVA_HOME environment variable was not set before the installer was run. Verify that the JAVA_HOME environment variable is set correctly.
  (Windows) The installer was run by a user with administrative privileges instead of from the built-in administrator account. Log on to the built-in administrator account.

Connection to Management Console fails

An attempt to connect to the Management Console from another computer fails.

Table 2-17 Connection to Management Console fails

Symptom: McAfee Cloud SSO is installed on a Windows Server. You attempt to access the Management Console on this server from another computer using Internet Explorer, but Internet Explorer fails to connect.
Solution: On the Windows Server where McAfee Cloud SSO is installed, verify that Windows Firewall is disabled. The steps to disable Windows Firewall depend on the version of Windows Server in use. Refer to Microsoft's documentation for more information.

McAfee Cloud SSO cannot connect to MySQL server

Connection to the MySQL server fails.

Table 2-18 McAfee Cloud SSO cannot connect to MySQL server

Symptom: McAfee Cloud SSO cannot connect to the MySQL Server.
Solution: Verify the following:
  The MySQL options, including the port number, are correctly configured in McAfee Cloud SSO. The MySQL options are configured on the Configure Database step of the installation wizard or on the Admin tab in the Management Console.
  Verify that TCP/IP connections are enabled in MySQL. This option is configured in the MySQL Server Instance Configuration Wizard.
  On the Windows Server where McAfee Cloud SSO is installed, verify that Windows Firewall is disabled.


3 Using the Management Console

The McAfee Cloud SSO Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. The Management Console includes wizards for configuring many McAfee Cloud SSO components, including Cloud Connectors, authentication modules, application adapters, and alerts.

Contents
  Access the Management Console
  The Management Console dashboard

Access the Management Console

To access the Management Console, you need the host name and port number of the server where McAfee Cloud SSO is installed.

1 In the address window of a supported web browser, enter a link having the following format:
  where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO.
2 Type the following initial values in the fields on the login page, then click Log in.
  a In the User name field, type admin.
  b In the Password field, type passwd.

See also
Managing administrative user accounts on page 278

The Management Console dashboard

When you are logged on, you can see that the Management Console dashboard includes four distinct areas.

Management Console configuration tabs (A)

The configuration tabs in the Management Console dashboard provide access to functional areas, where administrators can create, configure, and manage Cloud Connectors, application adapters, and auditing policies and perform monitoring and administrative tasks.

Table 3-1 Management Console configuration tabs

Tab: Cloud Connectors
Description: From the Cloud Connectors tab, you can manage:
  Cloud Connectors
  Identity Connectors

Tab: Application Adapters
Description: From the Application Adapters tab, you can manage:
  Application adapters
  Cloud authenticators

Tab: Logs
Description: From the Logs tab, you can manage:
  Audit logging
  Transaction and error logging

Tab: Monitoring
Description: From the Monitoring tab, you can manage:
  Alerts
  Metrics
  Login History

Table 3-1 Management Console configuration tabs (continued)

Tab: Addons
Description: From the Addons tab, you can manage the following additional services:
  Identity proxy service
  SSO to Salesforce through Connect for Outlook
  OAuth service
  Securely download user data from Google and Salesforce cloud applications

Tab: Admin
Description: From the Admin tab, you can manage the following advanced configuration options:
  Database Management
  Proxy Management
  Session Management
  Portal Configuration
  Admin Accounts
  Certificate Management
  Connector Management
  Export Configuration
  Import Configuration
  Restart Server
  License
  Domain Settings
  Miscellaneous Settings
  Language Settings

Management Console Cloud Connectors (B)

When the Management Console opens, the configured Cloud Connectors are displayed in Carousel View or List View. In both views, you can edit, duplicate, troubleshoot, or delete individual Cloud Connectors. You can also access the Cloud Connector wizard, where you can create and configure new Cloud Connectors.

View the configuration of individual Cloud Connectors

A Cloud Connector's configuration includes the Identity Connector, the identity store, and the McAfee Cloud SSO single sign on and single log off service URLs for IdP-initiated and SP-initiated SSO. Not all fields are configured with values for every Cloud Connector.

1 In the Management Console, select Cloud Connectors from the Cloud Connectors tab drop-down list.
2 Click the troubleshooting icon corresponding to the Cloud Connector whose configuration you want to view.
3 In the Cloud Connector window, click the General Info tab, where you can view the specified Cloud Connector's configuration.

Table 3-2 Configuration of an individual Cloud Connector

Field: Name
Description: Specifies the name that uniquely identifies the Cloud Connector in the McAfee Cloud SSO system.

Field: Identity Provider
Description: Specifies the name of the Identity Connector that was selected when configuring the Cloud Connector.

Field: Download Metadata
Description: (SAML2 Cloud Connectors) When clicked, allows you to download the SAML metadata file.

Identity Connector
  Field: Identity Connector Name
  Description: Specifies the name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
  Field: Identity Connector Type
  Description: Specifies the type of Identity Connector.
  Field: Identity Store
  Description: Identifies the identity store by type and by host name and port number of the server where the identity store is installed. Example: LDAP:localhost:20389
  Field: Identity Store Type
  Description: Specifies the type of identity store. Value: LDAP, Active Directory

Application Endpoint Location
  Field: SSO Service (IdP-initiated SSO)
  Description: Specifies the McAfee Cloud SSO service URL that the end user uses to access SSO services directly when SSO is initiated by the Identity Provider.
  Field: SLO Service (IdP-initiated SLO)
  Description: Specifies the McAfee Cloud SSO service URL that the end user uses to access SLO services directly when SLO is initiated by the Identity Provider.

Service Connection Endpoint Location
  Field: SSO Service (SP-initiated SSO)
  Description: Specifies the McAfee Cloud SSO service URL that the Service Provider uses to access SSO services when SSO is initiated by the Service Provider.
  Field: SLO Service (SP-initiated SLO)
  Description: Specifies the McAfee Cloud SSO service URL that the Service Provider uses to access SLO services when SLO is initiated by the Service Provider.

Field: SSO Demo Service
Description: Specifies the URL that opens the application portal where you can access cloud applications using the Cloud Connectors that you configured.

Field: SSO Test URL Alias
Description: Specifies a short name that you can use in place of the longer URL to access the McAfee Cloud SSO application portal.

Management Console system snapshots (C)

When Carousel View is selected in the Cloud Connectors or Application Adapters tab, you can view snapshots or graphs of the overall functioning of the McAfee Cloud SSO system during the most recent 30-minute period. In the Cloud Connectors tab, the graphs apply to all Cloud Connectors. In the Application Adapters tab, the graphs apply to all application adapters.

Management Console quick access (D)

The bottom area of the Management Console provides another snapshot of McAfee Cloud SSO as well as quick access to key configurations already in the McAfee Cloud SSO system.

Table 3-3 Management Console quick access

Heading: Alerts
Description: Lists the date and time of the most recent alerts and allows you to view all alerts as well as details about individual alerts.

Heading: Identity Connectors
Description: Lists the most recently configured Identity Connectors in the McAfee Cloud SSO system. You can click each Identity Connector to view or modify its configuration. Clicking See All opens the Identity Connectors window. To view, click the Cloud Connectors tab.

Heading: Cloud Authenticators
Description: Lists the most recently configured cloud authenticators in the McAfee Cloud SSO system. You can click each cloud authenticator to view or modify its configuration. Clicking See All opens the Cloud Authenticators window. To view, click the Application Adapters tab.

Heading: Service Provider Integration Kits
Description: Google and Salesforce Cloud Connectors come preconfigured with just-in-time provisioning. To view the built-in attributes that are available for provisioning, click Google or Salesforce, respectively. This section is only visible when the Cloud Connectors tab is selected.


4 Identity Connectors

Each Cloud Connector configuration requires an Identity Connector. The Identity Connector is the configuration that allows McAfee Cloud SSO to connect to and communicate with an identity source, such as an identity store or authentication service. When a user in your organization wants to access a cloud application, McAfee Cloud SSO collects the user's credentials and authenticates the user against the identity source that you specify.

McAfee Cloud SSO also supports authentication chains through an Identity Connector. Authentication chains are made up of authentication modules that you configure. You can add modules to, remove modules from, and change the order of the modules in a chain.

Contents
    Identity Connectors
    Manage all configured identity stores in the system
    Manage all configured Identity Connectors in the system
    Selecting the Identity Connector type
    Configure an LDAP identity store
    Configure an Active Directory identity store
    Configure an authentication chain Identity Connector
    Configuring a CAS Identity Connector
    Configure an ECA360 Token Identity Connector
    Configuring an IWA-AD Identity Connector
    Configure an LDAP Identity Connector
    Configuring a SAML2 Proxy Identity Connector

Identity Connectors

Of the supported Identity Connector types, the authentication chain type offers the largest selection of authentication methods and the option of combining multiple methods together in one Identity Connector.

Table 4-1 Identity stores, Identity Connectors, and authentication modules

Identity stores: Identity stores are the directories that hold user accounts and identity information. Identity store configurations allow McAfee Cloud SSO to connect to and search the user directories. Identity store configurations can be saved and reused. The supported identity stores are:
    LDAP
    Active Directory (AD)

Identity Connectors: Identity Connector configurations allow McAfee Cloud SSO to connect to and communicate with an identity source, such as an identity store or authentication service. Identity Connector configurations can be saved and reused. The supported Identity Connector types are:
    Authentication Chain
    LDAP
    Integrated Windows Authentication with Active Directory (IWA-AD)
    Central Authentication Service (CAS)
    SAML2 Proxy
    ECA360 Token Authentication

Authentication modules: Authentication modules make up authentication chains. You can add modules to, remove modules from, and change the order of the modules in a chain. The supported authentication methods are:
    JDBC
    OpenID
    Facebook
    LinkedIn
    Twitter
    Custom SAML2
    Salesforce
    Integrated Windows Authentication (IWA)
    Central Authentication Service (CAS)
    SAML2 Proxy
    LDAP
    LDAP and OTP (Pledge)
    Certificate
    SiteMinder
    OTP
    OTP Self-service
    TPM
    KCD
    McAfee Software Token
Pledge generates one-time passwords on a mobile device.

Manage all configured identity stores in the system

The Identity Store window displays all configured identity stores in the McAfee Cloud SSO system and allows you to edit or delete them.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors, then select the Identity Store option.
2 In the Identity Store window, you can view information about each identity store in the McAfee Cloud SSO system and edit or delete individual identity stores.

Table 4-2 Identity stores configured in the McAfee Cloud SSO system

Edit: When clicked, opens the dialog box where you can modify the identity store options.
Type: Lists the identity store type. The options are LDAP and Active Directory.
Host Name: Lists the host name and port number of the server where the LDAP or Active Directory identity store is installed.
Delete: Removes the identity store from the McAfee Cloud SSO system.

Manage all configured Identity Connectors in the system

The Identity Connector window displays all configured Identity Connectors in the McAfee Cloud SSO system and allows you to edit, test, or delete them.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors, then select the Identity Connector option.
2 In the Identity Connector window, you can view information about each Identity Connector in the system and edit, test, or delete individual Identity Connectors.

Table 4-3 Identity Connectors configured in the McAfee Cloud SSO system

Edit: When clicked, opens the dialog box where you can modify the Identity Connector options.
Identity Connector Name: Lists the user-assigned name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.

Table 4-3 Identity Connectors configured in the McAfee Cloud SSO system (continued)

Type: Lists the type of Identity Connector. Options:
    Authentication Chain
    LDAP
    Integrated Windows Authentication with Active Directory (IWA-AD)
    Central Authentication Service (CAS)
    SAML2 Proxy
    ECA360 Token Authentication
Test: Tests the Identity Connector connection that you configured.
Delete: Removes the Identity Connector from the McAfee Cloud SSO system.

Selecting the Identity Connector type

Select the Identity Connector type based on the identity store or type of authentication service that you are using.

Table 4-4 Types of Identity Connectors

LDAP: Identity store: LDAP.
IWA-AD: Identity store: Active Directory (AD).
CAS: Authentication service: Central Authentication Service.
ECA360 Token Authentication: Authentication service: McAfee Cloud SSO provides an authentication service through an application adapter, which produces a custom token.
SAML2 Proxy: Authentication service: Using an identity store, McAfee Cloud SSO in the enterprise provides an authentication service for McAfee Cloud SSO in the cloud.
Authentication Chain: The authentication chain is an Identity Connector that allows you to assemble and order multiple authentication modules.

Configure an LDAP identity store

You configure an LDAP identity store in the McAfee Cloud SSO system so that McAfee Cloud SSO can connect to and search an LDAP user store.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Store option, then click New Identity Store.
3 In the New Identity Store dialog box, specify values for the following options.

Table 4-5 Option definitions for an LDAP identity store

Type: Select the LDAP identity store type.
Enable SSL: When selected, configures an SSL connection to the LDAP identity store.
Server Host: Specifies the host name or IP address of the server where the LDAP identity store is installed.
Server Port: Specifies the port number of the server where the LDAP identity store is installed.
User Name: Specifies the user name required to access the LDAP identity store. Example: uid=admin,ou=system
Password: Specifies the password required to access the LDAP identity store.
Test: Tests the connection to the LDAP identity store.

Configure an Active Directory identity store

Configure an Active Directory identity store so that McAfee Cloud SSO can connect to and communicate with an Active Directory user store. Active Directory authentication is based on the network authentication protocols Kerberos and NTLM. To store Kerberos principals and passwords more securely, you can configure storage in a keytab file.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Store option, then click New Identity Store.

3 In the New Identity Store dialog box, specify values for the following options.

Table 4-6 Option definitions for an Active Directory identity store

Type: Select the Active Directory identity store type.
Allow fallback: When selected, McAfee Cloud SSO accepts the less secure NTLM authentication protocol in place of Kerberos if Kerberos authentication fails.
Use keytab file: When selected, allows you to specify and upload a keytab file where pairs of Kerberos principals and encrypted keys (Kerberos passwords) are stored.
Domain name: Specifies the name of the Active Directory domain.
Service Principal Name: Specifies the service principal name that uniquely identifies the Active Directory account. Format: HTTP/<mcsso-server>@<AD_DOMAIN_NAME>, where <mcsso-server> specifies the name of the server where McAfee Cloud SSO is installed and <AD_DOMAIN_NAME> specifies the name of the Active Directory domain. HTTP and the Active Directory domain name must be uppercase.
Test: Tests the connection to the Active Directory identity store.
Use stored credentials disabled:
    Password: Specifies the password configured for the Active Directory account.
    Domain Controller IP: Specifies the IP address of the domain controller where Active Directory is installed.
Use stored credentials enabled:
    Select keytab file: Browse for and select the keytab file.
    Upload keytab file: Uploads the selected keytab file.

4 Click Save Identity Store.

Configure an authentication chain Identity Connector

You can configure one or more authentication modules and add them to an authentication chain.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box: In the Identity Connector field, specify a name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.

4 From the Identity Connector Type drop-down list, select Authentication Chain.
5 Click one or more options in the following table.

Table 4-7 Option definitions for configuring an authentication chain

Edit: Opens the authentication module wizard where you can modify the configuration of the selected module.
Delete: Removes the selected authentication module from the authentication chain.
Up: Moves the selected authentication module up one position in the authentication chain.
Down: Moves the selected authentication module down one position in the authentication chain.
New: Opens the authentication module wizard where you can configure an authentication module and add it to the authentication chain.

See also Advantages of authentication chains on page 79

Configuring a CAS Identity Connector

The Central Authentication Service (CAS) is an SSO authentication protocol that allows users to access multiple SaaS and web applications after providing their credentials only once. It also allows SaaS and web applications to authenticate users without having access to their credentials.

Working with CAS, McAfee Cloud SSO can implement SSO, SLO, and user provisioning. Provisioning takes place when McAfee Cloud SSO maps user attributes from an identity store to an account in the application. Provisioning takes place once, when the user logs in to the application for the first time and an account is created.

The Central Authentication Service authenticates users against an identity store and supports a number of identity store options, including LDAP directories and databases. For each authenticated user, CAS issues and validates a Service Ticket. Using this ticket, McAfee Cloud SSO manages the user's authenticated identity and session and provides SSO and SLO services.

To use CAS as the identity source, you need to configure both McAfee Cloud SSO and CAS.

How CAS and McAfee Cloud SSO manage SSO and SLO

CAS and McAfee Cloud SSO manage SSO and SLO through a Service Ticket, which establishes an authenticated identity across multiple applications.

Figure 4-1 How CAS and McAfee Cloud SSO manage SSO and SLO

The SSO and SLO process takes place as follows:

1 The end user requests access to a SaaS or web application through a web browser.
2 The application redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO delegates authentication to CAS.
4 CAS presents a login page to the end user and gathers credentials. CAS authenticates the credentials against the end user's enterprise identity in an LDAP directory or database. On successful authentication, CAS issues a Service Ticket and redirects the end user's request to McAfee Cloud SSO.
5 McAfee Cloud SSO sends the Service Ticket back to CAS for validation.
6 CAS validates the Service Ticket and sends the validated result to McAfee Cloud SSO.
7 McAfee Cloud SSO maps the end user's identity to the application, and the user is logged in.

8 McAfee Cloud SSO manages the end user's session and authenticated identity. While the session is active, McAfee Cloud SSO manages additional login requests to other applications, so that the end user only needs to authenticate once.
9 When the end user logs off, McAfee Cloud SSO manages the active CAS and application sessions and the SLO process.

Considerations when using CAS

When you are using CAS with McAfee Cloud SSO, review the following considerations and complete the steps that apply to your situation.

Table 4-8 Guidelines for using CAS

When you are configuring a Cloud Connector and select a CAS Identity Connector: On the credential mapping and user provisioning steps in the Cloud Connector wizard, select AUTHN_RESULT_FIELD as the subject or source type.

When McAfee Cloud SSO can connect to the CAS server directly without going through a network proxy first: Configure McAfee Cloud SSO to bypass the network proxy when connecting to CAS server addresses, which improves network performance.
    1 In the Management Console: Select Proxy Management from the Admin tab drop-down list, then click the Route Proxy tab.
    2 Type the host name of the CAS server in the No Proxy for field.
    3 Click Save Settings.

When you have a Cloud Connector configured with a CAS Identity Connector and user provisioning: Configure CAS with the user attributes that McAfee Cloud SSO requires to perform user provisioning.
    1 Locate the following file on the CAS server: deployerConfigContext.xml.
    2 Open the XML file and add the following property to the attributeRepository section of the file (the property and attribute names are case-sensitive; the LDAP attribute is givenName):

        <property name="resultAttributeMapping">
          <map>
            <entry key="uid" value="uid" />
            <entry key="sn" value="sn" />
            <entry key="cn" value="cn" />
            <entry key="mail" value="mail" />
            <entry key="givenName" value="givenName" />
          </map>
        </property>

    3 Save and close the XML file.
    4 In CAS Services Management, edit the HTTPS service so that the attribute list matches the attributes configured in the XML file and required by McAfee Cloud SSO for user provisioning.

See also Configure network proxy addresses on page 276

Configure a CAS Identity Connector

To configure a CAS Identity Connector, provide the CAS service URLs.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box: In the Identity Connector field, specify a name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
4 From the Identity Connector Type drop-down list, select Central Authentication Service.
5 Specify values for the following options.

Table 4-9 Option definitions for CAS connectors

Sign In URL: Specifies the URL of the CAS sign-in page. Example:
Sign Out URL: Specifies the URL of the CAS sign-out page. Example:
Validate URL: Specifies the URL of the CAS service that validates Service Tickets. Example:
Clock Skew: Specifies a value to use when calculating the expiration time. This value is designed to offset small differences between clocks on different computer systems. Default value: 0. Units: seconds.
Output attributes: Output attributes are used for credential mapping and user provisioning to a SaaS or web application. You can customize the default output attributes by selecting the following options:
    Add: Opens the New attribute dialog box, where you can create a new output attribute by specifying values for the following fields, then clicking Save.
        Target name: Specifies the name of the user attribute in the SaaS or web application.
        Source name: Specifies the name of the user attribute in CAS.
    Edit: Opens the Edit attribute dialog box, where you can modify the selected output attribute.
    Remove: Removes the selected output attribute.
    If an output attribute has no value at runtime, a runtime error occurs. Therefore, we recommend verifying that the specified output attributes have values at runtime.

6 Click Save Identity Connector.
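The validation step of the CAS flow (steps 5 to 7 above) and the Output attributes and Clock Skew options of Table 4-9, as an added example that is not McAfee Cloud SSO or CAS code: it parses a constructed CAS serviceValidate response, applies a target-name/source-name mapping, raises when an output attribute has no value at runtime, and tolerates a clock skew in an expiry check. The target attribute names, the sample responses and the skew semantics are assumptions.

```python
"""Added example (not McAfee Cloud SSO or CAS code): handle the validation result
CAS returns in step 6 of the SSO flow and apply Table 4-9 style output attributes."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasValidationError(Exception):
    """CAS rejected the Service Ticket or sent a response without a result."""


class OutputAttributeError(Exception):
    """An output attribute has no value at runtime (the error Table 4-9 warns about)."""


# Constructed sample of what CAS returns when the Service Ticket validates; the
# attributes are the ones released by the resultAttributeMapping in Table 4-8.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>jdoe</cas:uid>
      <cas:sn>Doe</cas:sn>
      <cas:cn>Jane Doe</cas:cn>
      <cas:mail>jdoe@example.com</cas:mail>
      <cas:givenName>Jane</cas:givenName>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample of a rejected (replayed, expired or unknown) Service Ticket.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-CONSTRUCTED not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Assumed output attributes in Table 4-9 form: target name (attribute in the SaaS
# application) mapped from source name (attribute released by CAS).
OUTPUT_ATTRIBUTES = {
    "userName": "uid",
    "lastName": "sn",
    "displayName": "cn",
    "email": "mail",
    "firstName": "givenName",
}


def parse_validation(xml_text):
    """Return (user, attributes) for a successful validation, otherwise raise."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("response carries neither success nor failure")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    if not user:
        raise CasValidationError("authenticationSuccess without a cas:user element")
    attributes = {}
    container = success.find("cas:attributes", CAS_NS)
    if container is not None:
        for child in container:
            # ElementTree tags look like "{uri}name"; keep only the local name.
            attributes[child.tag.rsplit("}", 1)[-1]] = (child.text or "").strip()
    return user, attributes


def map_output_attributes(cas_attributes, mapping=OUTPUT_ATTRIBUTES):
    """Build the attribute set handed to the application; fail on empty values
    instead of silently provisioning an account with blank fields."""
    mapped = {}
    for target, source in mapping.items():
        value = cas_attributes.get(source, "")
        if not value:
            raise OutputAttributeError(
                f"output attribute {target!r} (source {source!r}) has no value at runtime")
        mapped[target] = value
    return mapped


def within_validity(issued_at, lifetime_seconds, now, clock_skew_seconds=0):
    """Expiry check with a Clock Skew allowance (assumed semantics: the skew is
    added to the lifetime so a slightly fast clock on the other system is tolerated).
    All arguments are epoch seconds."""
    return now <= issued_at + lifetime_seconds + clock_skew_seconds


if __name__ == "__main__":
    user, attrs = parse_validation(SAMPLE_SUCCESS)
    print(user, map_output_attributes(attrs))
    try:
        parse_validation(SAMPLE_FAILURE)
    except CasValidationError as err:
        print("rejected:", err)
```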

Configure an ECA360 Token Identity Connector

McAfee Cloud SSO provides an authentication service through the application adapter, which produces a custom token.

Before you begin
Before you can configure an ECA360 Token Identity Connector, you need to configure an application adapter.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box: In the Identity Connector field, specify a name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
4 From the Identity Connector Type drop-down list, select ECA360 Token Authentication.
5 Specify values for the following options.

Table 4-10 Option definitions for an ECA360 Token Identity Connector

SSO URL: Specifies the URL of the SSO service provided by the application adapter.
SLO URL: Specifies the URL of the SLO service provided by the application adapter.
    You can view the SSO URL and SLO URL in the Management Console, as follows.
    1 From the Application Adapters tab drop-down list, select Application Adapters.
    2 Click the troubleshooting icon corresponding to the application adapter that you are using.
    3 In the Application Adapter window: In Application Endpoint Location you can view the SSO URL in the SSO Service field. In Service Connection Endpoint Location you can view the SLO URL in the SLO Service field.
Assertion Issuer: Specifies the URL of the token issuer, which is the McAfee Cloud SSO service. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443

Table 4-10 Option definitions for an ECA360 Token Identity Connector (continued)

Select a key pair: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign the custom token.
Output attributes: Output attributes are used for credential mapping and user provisioning to a SaaS or web application. You can customize the default output attributes by selecting the following options:
    Add: Opens the New attribute dialog box, where you can create a new output attribute by specifying values for the following fields, then clicking Save.
        Target name: Specifies the name of the user attribute in the SaaS or web application.
        Source name: Specifies the name of the user attribute produced by the application adapter and consumed by the ECA360 Token Identity Connector.
    Edit: Opens the Edit attribute dialog box, where you can modify the selected output attribute.
    Remove: Removes the selected output attribute.
    If an output attribute has no value at runtime, a runtime error occurs. Therefore, we recommend verifying that the specified output attributes have values at runtime.

6 Click Save Identity Connector.

See also Multiple Identity Providers on page 220

Configuring an IWA-AD Identity Connector

To use Integrated Windows Authentication with Active Directory as the identity source, configure the Active Directory server and the supported Internet Explorer and Firefox web browsers in addition to configuring McAfee Cloud SSO.

Create an Active Directory account for McAfee Cloud SSO

Create an Active Directory account for McAfee Cloud SSO, so the Active Directory server can provide identity information.

1 On a Windows computer, select Start | Control Panel | Administrative Tools | Active Directory Users and Computers.
2 In the Active Directory Users and Computers dialog box: In the navigation tree, right-click the Users folder, then select New | User.
3 In the New Object - User dialog box, provide values for the following options, then click Next.
    First name: Specifies a first name that together with the last name identifies the McAfee Cloud SSO account in Active Directory.
    Last name: Specifies a last name that together with the first name identifies the McAfee Cloud SSO account in Active Directory.
    User logon name: Specifies the user name that McAfee Cloud SSO provides when logging on to the Active Directory account.

4 In the Password field, type the password that McAfee Cloud SSO provides for logging on to the Active Directory account. Retype the password in the Confirm password field.
5 Select the Password never expires checkbox, then click Next.
6 To accept the configuration, click Finish.

Run the Ktpass tool

The Ktpass command-line tool allows non-Windows services that support Kerberos authentication, like McAfee Cloud SSO, to use the interoperability features provided by the Windows Server 2003 Kerberos KDC service. The Ktpass tool configures a service principal name for McAfee Cloud SSO and replaces the user name that you assigned to the McAfee Cloud SSO account in Active Directory with the service principal name. The Ktpass tool also generates a keytab file containing the shared secret for the McAfee Cloud SSO service.

1 On the computer where Active Directory is running, open a command prompt and enter the following command:

    ktpass -princ HTTP/<mcsso-server> -mapuser <ad-account-username> -pass * -ptype KRB5_NT_PRINCIPAL

  where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <ad-account-username> specifies the name of the user that you mapped to the McAfee Cloud SSO account in Active Directory. Use <mcsso-server> when the server where McAfee Cloud SSO is installed is not part of an AD forest, for example when McAfee Cloud SSO is installed on Linux or on an appliance. When the server is part of an AD forest, use <mcsso-server-fqdn>, the fully qualified domain name of the server where McAfee Cloud SSO is installed, in place of <mcsso-server>.
2 When prompted, enter the password you specified for the McAfee Cloud SSO account in Active Directory.

Register a service principal name with the Active Directory account

Active Directory only responds to McAfee Cloud SSO requests that are addressed to registered service principal names. To support communication between Active Directory and McAfee Cloud SSO, register a service principal name with the Active Directory account. The Ktpass tool performs this registration: it configures the service principal name for McAfee Cloud SSO, replaces the user name of the McAfee Cloud SSO account in Active Directory with the service principal name, and generates the keytab file containing the shared secret for the McAfee Cloud SSO service.

1 Run the ktpass command exactly as described in Run the Ktpass tool, choosing <mcsso-server> or <mcsso-server-fqdn> according to whether the McAfee Cloud SSO server is part of an AD forest.
2 When prompted, enter the password you specified for the McAfee Cloud SSO account in Active Directory.
3 (Optional) To view the results of the registration command, enter the following command at the prompt (with <mcsso-server-fqdn> in place of <mcsso-server> when the server is part of an AD forest):

    setspn -L <mcsso-server>

Create a key table

If you plan to store Kerberos principals and passwords in a keytab file, create the key table.

1 On a Windows-based computer, open a command prompt and enter the following command:

    C:\>ktab -a <mcsso-spn> -k <mcsso-server>.keytab

  where <mcsso-spn> specifies the service principal name configured for McAfee Cloud SSO and <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed.
2 (Optional) To view the resulting key table, enter the following command at the prompt (the option is a lowercase L, for list):

    C:\>ktab -l -k <mcsso-server>.keytab

Configure Internet Explorer for IWA

Before you can access SaaS and web applications through Internet Explorer, you must configure the web browser for IWA.

1 In Internet Explorer, select Tools | Internet Options.
2 In the Internet Options dialog box, click the Security tab, select Local intranet, then click Sites.
3 In the Local intranet dialog box, click Advanced.

4 Add the following websites to the security zone, click Close, then click OK.
  where <domain-name> specifies the name of your Active Directory domain.
5 In the Internet Options dialog box, click the Advanced tab.
6 In the Settings | Security area, select the Enable Integrated Windows Authentication checkbox. This change takes effect when you restart Internet Explorer.
7 Click OK.

Configure Firefox for IWA

Before you can access SaaS and web applications through Firefox, you must configure the web browser for IWA.

1 In Firefox, enter about:config in the address field.
2 Locate the following strings in the Preference Name column:

    network.automatic-ntlm-auth.trusted-uris
    network.negotiate-auth.delegation-uris
    network.negotiate-auth.trusted-uris

3 Change the value of each string to <domain-name>, where <domain-name> specifies the name of your Active Directory domain.

Configure an IWA-AD Identity Connector

An IWA-AD Identity Connector is configured with an Active Directory identity store. You can use an existing Active Directory identity store in the McAfee Cloud SSO system or configure a new Active Directory identity store.

1 In the Management Console, select Identity Connectors from the Cloud Connectors tab drop-down list.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box, specify a name in the Identity Connector field that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
4 From the Identity Connector Type drop-down list, select Integrated Windows Authentication with Active Directory.
5 Specify values for the following options.

Table 4-11 Option definitions for an IWA-AD Identity Connector

Identity Store: From the drop-down list, select an existing Active Directory identity store.
Base DN: Specifies the Distinguished Name of the entry in the LDAP tree at which to start the search for a user. Example: DC=AD-DOMAIN

Table 4-11 Option definitions for an IWA-AD Identity Connector (continued)

Search Attribute: Specifies the user attribute to search for and return. Example: samaccountname
Search Scope: Select an option:
    BASE: Searches the Base DN entry only.
    ONE_LEVEL: Only searches the entries one level below the Base DN.
    SUBTREE: Searches the Base DN and the entire subtree.
New Active Directory: When clicked, opens the New Identity Store dialog box, where you can configure a new Active Directory identity store.
Output attributes: Output attributes are used for credential mapping and user provisioning to a SaaS or web application. You can customize the default output attributes by selecting the following options:
    Add: Opens the New attribute dialog box, where you can create a new output attribute by specifying values for the following fields, then clicking Save.
        Target name: Specifies the name of the user attribute in the SaaS or web application.
        Source name: Specifies the name of the user attribute in the Active Directory identity store.
    Edit: Opens the Edit attribute dialog box, where you can modify the selected output attribute.
    Remove: Removes the selected output attribute.
    If an output attribute has no value at runtime, a runtime error occurs. Therefore, we recommend verifying that the specified output attributes have values at runtime.

6 Click Save Identity Connector.
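What the Base DN, Search Attribute and Search Scope options of Table 4-11 mean for a user lookup, as an added example that is not McAfee Cloud SSO code: the three scopes are evaluated over a constructed in-memory directory rather than a live Active Directory, using the table's DC=AD-DOMAIN base and samaccountname attribute. The sample DNs and accounts are constructed; the product's own search implementation is not reproduced.

```python
"""Added example (not McAfee Cloud SSO code): BASE / ONE_LEVEL / SUBTREE search
semantics from Table 4-11, evaluated over a constructed in-memory directory."""

# Constructed sample directory keyed by DN. Attribute names follow Active
# Directory; note the same sAMAccountName exists in a second, foreign domain.
SAMPLE_DIRECTORY = {
    "DC=AD-DOMAIN": {"objectClass": "domainDNS"},
    "CN=svc-mcsso,DC=AD-DOMAIN": {"sAMAccountName": "svc-mcsso"},
    "CN=Users,DC=AD-DOMAIN": {"objectClass": "container"},
    "CN=Jane Doe,CN=Users,DC=AD-DOMAIN": {"sAMAccountName": "jdoe",
                                          "mail": "jdoe@example.com"},
    "CN=Jo Doe,OU=Sales,DC=AD-DOMAIN": {"sAMAccountName": "jodoe"},
    "CN=Jane Doe,CN=Users,DC=OTHER-DOMAIN": {"sAMAccountName": "jdoe"},
}


def split_dn(dn):
    """Split a DN into RDNs, most specific first, normalised for comparison.
    Simplification: escaped commas inside attribute values are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Decide whether entry_dn is visible from base_dn under the given scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False              # not under the Base DN at all
    depth = len(entry) - len(base)
    if scope == "BASE":
        return depth == 0         # the Base DN entry only
    if scope == "ONE_LEVEL":
        return depth == 1         # direct children of the Base DN only
    if scope == "SUBTREE":
        return True               # the Base DN and every descendant
    raise ValueError(f"unknown search scope {scope!r}")


def search_users(directory, base_dn, search_attribute, value, scope):
    """Return the DNs whose search attribute equals value. Active Directory
    attribute names and sAMAccountName values compare case-insensitively."""
    wanted = search_attribute.lower()
    hits = []
    for dn, attrs in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        lowered = {name.lower(): val for name, val in attrs.items()}
        if lowered.get(wanted, "").lower() == value.lower():
            hits.append(dn)
    return hits


def resolve_user(directory, base_dn, search_attribute, value, scope):
    """A login must map to exactly one entry; zero or several is a failure."""
    hits = search_users(directory, base_dn, search_attribute, value, scope)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match {search_attribute}={value} "
                          f"under {base_dn} with scope {scope}")
    return hits[0]


if __name__ == "__main__":
    for scope in ("BASE", "ONE_LEVEL", "SUBTREE"):
        hits = search_users(SAMPLE_DIRECTORY, "DC=AD-DOMAIN", "samaccountname", "jdoe", scope)
        print(f"{scope:9} -> {hits}")
```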

Troubleshooting IWA integration

Consult the following table when you encounter an issue with IWA integration.

Table 4-12 Troubleshooting issues with IWA integration

KDC has no support for encryption
    Symptom: When McAfee Cloud SSO is run, the "KDC has no support for encryption" logon exception occurs.
    Solution: Select the Use DES encryption types for this account checkbox for the McAfee Cloud SSO Active Directory account, as follows.
    1 On a Windows-based computer, select Start | Control Panel | Administrative Tools | Active Directory Users and Computers.
    2 In the Active Directory Users and Computers dialog box: In the navigation tree, select the Users folder.
    3 In the Users folder, right-click McAfee Cloud SSO.
    4 In the Properties dialog box, click the Account tab, select the Use DES encryption types for this account checkbox, then click OK.

Checksum failed
    Symptom: When McAfee Cloud SSO is run, the "Checksum failed" message is displayed.
    Solution: Take the following steps.
    1 Verify that the HTTP and HTTPS Service Principal Names are configured correctly for the McAfee Cloud SSO Active Directory account.
    2 Refresh the Kerberos ticket by using the SPN to log on to a domain controller.

IWA authentication fails when the browser is running on the server where the KDC is installed
    Symptom: IWA authentication fails when the web browser is running on the server where the KDC is installed. The KDC is installed as part of the domain controller. The domain controller is the server where Active Directory is running.
    Solution: Run the web browser on a different computer than the one where the KDC is installed. This symptom is the result of a known Microsoft issue.

IWA authentication fails when the browser is running on the server where McAfee Cloud SSO is installed
    Symptom: IWA authentication fails when the web browser is running on the server where McAfee Cloud SSO is installed.
    Solution: Run the web browser on a different computer than the one where McAfee Cloud SSO is installed.

Table 4-12 Troubleshooting issues with IWA integration (continued)

Errors occur after renaming the server where McAfee Cloud SSO is installed
    Symptom: Errors occur after renaming the server where McAfee Cloud SSO is installed.
    Solution: If you rename the McAfee Cloud SSO server after the Service Principal Names are registered, you must register them again using the new server name. This step is required even if you are using a virtual IP address or DNS name that does not change.

Kerberos authentication fails
    Symptom: Kerberos authentication fails.
    Solution: In the Active Directory Users and Computers dialog box, check the following settings.
    Verify that the Password never expires checkbox is selected. If the checkbox is not selected and the password expires, Kerberos authentication fails. This option was configured when an Active Directory account was created for McAfee Cloud SSO.
    Verify that the Kerberos options are set to their default values. If they have been modified, Kerberos authentication fails. Open the McAfee Cloud SSO Properties dialog box, then click the Account tab. In the Account options area, deselect the Kerberos checkboxes as needed.

Configure an LDAP Identity Connector

An LDAP Identity Connector is configured with an LDAP identity store. You can use an existing LDAP identity store in the McAfee Cloud SSO system or configure a new LDAP identity store.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box: In the Identity Connector field, specify a name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
4 From the Identity Connector Type drop-down list, select LDAP.
5 Specify values for the following options.

Table 4-13 Option definitions for an LDAP Identity Connector

Identity Store
    From the drop-down list, select an existing LDAP identity store.

Base DN
    Specifies the Distinguished Name of the entry in the LDAP tree at which to start searching for a user. Example: ou=users,ou=system

Search Attribute
    Specifies the user attribute to search for and return. Example: uid

Table 4-13 Option definitions for an LDAP Identity Connector (continued)

Search Scope
    Select an option:
    BASE       Searches the Base DN entry only
    ONE_LEVEL  Only searches the entries one level below the Base DN
    SUBTREE    Searches the Base DN and the entire subtree

New LDAP
    When clicked, opens the New Identity Store dialog box, where you can configure a new LDAP identity store.

Output attributes
    Output attributes are used for credential mapping and user provisioning to a SaaS or web application. You can customize the default output attributes by selecting the following options:
    Add     Opens the New attribute dialog box, where you can create a new output attribute by specifying values for the following fields, then clicking Save.
            Target name  Specifies the name of the user attribute in the SaaS or web application.
            Source name  Specifies the name of the user attribute in the LDAP identity store.
    Edit    Opens the Edit attribute dialog box, where you can modify the selected output attribute.
    Remove  Removes the selected output attribute.

    If an output attribute has no value at runtime, a runtime error occurs. Therefore, we recommend verifying that the specified output attributes have values at runtime.

6 Click Save Identity Connector.

Configuring a SAML2 Proxy Identity Connector

The SAML2 Proxy Identity Connector is used when McAfee Cloud SSO is deployed in the enterprise and in the cloud. In a typical installation, McAfee Cloud SSO is deployed inside the enterprise, enabling SSO to SAML SaaS and web applications for end users inside the organization's intranet. In a dual installation, McAfee Cloud SSO is also deployed in the cloud, thereby enabling SSO to SAML SaaS and web applications for end users outside the intranet through a corporate public portal. This use case allows end users to access cloud applications without going through a VPN.
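The search scope values and the output-attribute rule in Tables 4-11 and 4-13 above (BASE, ONE_LEVEL and SUBTREE relative to the Base DN, and the runtime error raised when an output attribute is empty) are shown below as an added example. This is illustrative code, not McAfee's: the in-memory directory, the user entries and the Target/Source mapping are constructed, and the scope check is a simplified DN comparison that does not handle escaped commas.

```python
"""Search-scope and output-attribute checks for a directory-backed Identity Connector.

Added example (not McAfee code). The directory below is an in-memory stand-in
for an LDAP or Active Directory identity store; all entries are constructed.
"""

# Constructed sample directory: DN -> attributes. The entry for "bob" has no mail attribute.
DIRECTORY = {
    "ou=users,ou=system": {"objectclass": "organizationalUnit"},
    "uid=alice,ou=users,ou=system": {"uid": "alice", "cn": "Alice", "mail": "alice@example.com"},
    "ou=eng,ou=users,ou=system": {"objectclass": "organizationalUnit"},
    "uid=bob,ou=eng,ou=users,ou=system": {"uid": "bob", "cn": "Bob"},
}

SCOPES = ("BASE", "ONE_LEVEL", "SUBTREE")


def dn_components(dn):
    """Split a DN into its RDNs, leaf first, with case and spacing normalised.
    Simplification: escaped commas (RFC 4514) are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn is visible from base_dn under the given search scope."""
    if scope not in SCOPES:
        raise ValueError("unknown search scope: %s" % scope)
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base DN at all
    depth = len(entry) - len(base)        # 0 = the base entry itself
    if scope == "BASE":
        return depth == 0                 # the Base DN entry only
    if scope == "ONE_LEVEL":
        return depth == 1                 # entries one level below the base only
    return True                           # SUBTREE: the base and everything below it


def find_users(directory, base_dn, scope, search_attr, value):
    """Return the DNs of entries, within scope, whose search attribute equals value."""
    return sorted(
        dn for dn, attrs in directory.items()
        if in_scope(dn, base_dn, scope) and attrs.get(search_attr) == value
    )


def missing_output_attributes(attrs, output_attributes):
    """List the Target names whose Source attribute is absent or empty.
    output_attributes maps Target name -> Source name, as in the Add dialog box."""
    return [target for target, source in output_attributes.items() if not attrs.get(source)]


def map_output_attributes(attrs, output_attributes):
    """Build the attribute set sent to the application. An output attribute with
    no value is reported up front instead of surfacing as a runtime error later."""
    missing = missing_output_attributes(attrs, output_attributes)
    if missing:
        raise LookupError("output attributes without a value: %s" % ", ".join(missing))
    return {target: attrs[source] for target, source in output_attributes.items()}


if __name__ == "__main__":
    mapping = {"Username": "uid", "Email": "mail"}
    for dn in find_users(DIRECTORY, "ou=users,ou=system", "SUBTREE", "uid", "bob"):
        print(dn, "missing output attributes:", missing_output_attributes(DIRECTORY[dn], mapping))
```

Running `missing_output_attributes` against every entry a connector can return, with the Target/Source mapping you configured, is the check the table recommends: an entry such as "bob" above, which has no mail attribute, is flagged before the connector is used for SSO.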

How McAfee Cloud SSO in the cloud and the enterprise work together

McAfee Cloud SSO in the cloud is the primary Identity Provider and delegates authentication to the secondary Identity Provider, which is McAfee Cloud SSO in the enterprise.

Figure 4-2 McAfee Cloud SSO deployed in the cloud and the enterprise

The SAML SSO process consists of the following steps:
1 The end user requests access to a SaaS or web application through a corporate public portal outside the enterprise.
2 The request is forwarded to McAfee Cloud SSO in the cloud.
3 If the end user is not authenticated, McAfee Cloud SSO in the cloud presents a login page to the end user and collects the user's credentials.
4 McAfee Cloud SSO in the cloud then redirects the end user's request to McAfee Cloud SSO in the enterprise with a SAML authentication request containing the encrypted credentials.
5 McAfee Cloud SSO in the enterprise authenticates the end user against an LDAP or Active Directory end user store in the enterprise.
6 McAfee Cloud SSO in the enterprise then redirects the end user's request to McAfee Cloud SSO in the cloud with a SAML response in an Binding.
7 McAfee Cloud SSO in the cloud verifies the SAML response, sets a session cookie, and redirects the end user to the requested SaaS or web application.

How McAfee Cloud SSO in the cloud and the enterprise are configured

Dual deployment of McAfee Cloud SSO in the cloud and the enterprise requires a SAML2 Proxy Identity Connector and a SAML2 Proxy Cloud Connector. As the word proxy suggests, each instance of McAfee Cloud SSO serves as a proxy for the other.

Instance serving as proxy: McAfee Cloud SSO in the enterprise
    How the proxy works: McAfee Cloud SSO in the cloud delegates authentication to McAfee Cloud SSO in the enterprise. McAfee Cloud SSO in the enterprise serves as a proxy, performing the role of Identity Provider in place of McAfee Cloud SSO in the cloud.
    How the proxy is implemented: McAfee Cloud SSO in the cloud delegates authentication through the SAML2 Proxy Identity Connector.

Instance serving as proxy: McAfee Cloud SSO in the cloud
    How the proxy works: McAfee Cloud SSO in the enterprise sends the authentication result to McAfee Cloud SSO in the cloud. McAfee Cloud SSO in the cloud serves as a proxy, redirecting the user to the requested application with the authentication result in place of McAfee Cloud SSO in the enterprise.
    How the proxy is implemented: McAfee Cloud SSO in the enterprise sends the authentication result for redirection through the SAML2 Proxy Cloud Connector.

To configure dual deployment of McAfee Cloud SSO in the cloud and the enterprise, configure the following Identity Connector and Cloud Connector types for each McAfee Cloud SSO instance.

McAfee Cloud SSO instance   Identity Connector type   Cloud Connector type
In the cloud                SAML2 Proxy               SAML2
In the enterprise           LDAP or IWA-AD            SAML2 Proxy

When you configure the SAML2 Proxy Identity Connector for McAfee Cloud SSO in the cloud, you need several values that are provided when you configure the SAML2 Proxy Cloud Connector for McAfee Cloud SSO in the enterprise. Therefore, we recommend that you configure McAfee Cloud SSO in the enterprise before configuring McAfee Cloud SSO in the cloud.

Configure a SAML2 Proxy Identity Connector

Configure a SAML2 Proxy Identity Connector for an instance of McAfee Cloud SSO in the cloud that delegates authentication to an instance of McAfee Cloud SSO in the enterprise. Because McAfee Cloud SSO in the cloud initiates the SSO process, it requires the sign-in and sign-out URLs of McAfee Cloud SSO in the enterprise.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors.
2 Select the Identity Connector option, then click New Identity Connector.
3 In the New Identity Connector dialog box: In the Identity Connector field, specify a name that uniquely identifies the Identity Connector in the McAfee Cloud SSO system.
4 From the Identity Connector Type drop-down list, select SAML2 Proxy.
5 Expand the Option configuration and Output attributes areas, then specify values for the following options.

Table 4-14 Option definitions for a SAML2 Proxy Identity Connector

SignIn URL
    Specifies the sign-in page URL of the SAML2 Proxy authentication service provided by an instance of McAfee Cloud SSO in the enterprise for an instance of McAfee Cloud SSO in the cloud.

Issuer
    Specifies the X.509 certificate issuer.

Table 4-14 Option definitions for a SAML2 Proxy Identity Connector (continued)

Assertion Issuer
    Specifies the URL of the McAfee Cloud SSO identity service in the enterprise. McAfee Cloud SSO is the SAML assertion issuer.

Certificate to verify SAML response
    From the drop-down list, select an X.509 certificate. McAfee Cloud SSO in the cloud verifies the signed SAML assertion with the certificate.

SignOut URL
    Specifies the sign-out page URL of the SAML2 Proxy authentication service provided by an instance of McAfee Cloud SSO in the enterprise for the instance of McAfee Cloud SSO in the cloud.

Signature area
    Signature       When selected, allows you to configure a key pair and advanced options.
    Signature Keys  From the drop-down list, select a key pair. McAfee Cloud SSO in the enterprise signs the SAML assertion with the private key.

Advanced configuration
    Signature generation method         From the drop-down list, select RSA_WITH_SHA_1.
    Canonicalization generation method  From the drop-down list, select C_14_N_EXCLUSIVE.
    KeyInfo Type                        From the drop-down list, select an option:
                                        RSA_KEY_VALUE  Specifies that the SAML assertion is signed with an RSA private key.
                                        X_509_DATA     Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.

Output attributes
    Output attributes are used for credential mapping and user provisioning to a SaaS or web application. You can customize the default output attributes by selecting the following options:
    Add     Opens the New attribute dialog box, where you can create a new output attribute by specifying values for the following fields, then clicking Save.
            Target name  Specifies the name of the user attribute in the McAfee Cloud SSO instance in the cloud.
            Source name  Specifies the name of the user attribute in the McAfee Cloud SSO instance in the enterprise.
    Edit    Opens the Edit attribute dialog box, where you can modify the selected output attribute.
    Remove  Removes the selected output attribute.

    If an output attribute has no value at runtime, a runtime error occurs. Therefore, we recommend verifying that the specified output attributes have values at runtime.

6 Click Save Identity Connector.

5 Authentication chains

Authentication chains allow you to combine multiple authentication methods together in one Identity Connector. The authentication methods are the modules that make up the authentication chain. The authentication chain is one type of Identity Connector.

Contents
    Advantages of authentication chains
    Primary vs. secondary authentication methods
    Two-factor authentication using one time passwords
    Create an authentication chain
    Select the authentication module type
    Customize the login page
    Configuring the authentication module options
    Customize the authentication module output attributes
    Configure a JAAS policy for the authentication module
    Register a user-defined authentication module

Advantages of authentication chains

Authentication chains allow you to configure strong authentication and authentication that is more flexible. For an example of strong authentication, you can require successful authentication by two or more authentication methods, or add a secondary authentication method, such as OTP or TPM, to a primary authentication method, creating two-factor authentication. For an example of more flexible authentication, assume that an application accepts Facebook or Salesforce authentication. You can create an authentication chain consisting of two authentication modules, one for Facebook authentication and the other for Salesforce authentication, and configure an OR relationship between them.

Authentication modules can be built-in McAfee Cloud SSO modules or user-defined modules that you write using the McAfee Cloud SSO API and register in the Management Console. For information about how to write your own authentication modules, see the McAfee Cloud Single Sign On Developer's Guide.

See also
    Configure a JAAS policy for the authentication module on page 127
    Register a user-defined authentication module on page 129

Primary vs. secondary authentication methods

Most built-in authentication methods are available for primary authentication. These methods can be added to authentication chains at any point in the chain, including as the first or only authentication module. A few methods are only available for secondary authentication after the first authentication module is configured and added to the authentication chain. These methods are used for two-factor authentication.

Table 5-1 Primary and secondary authentication methods

Authentication method    Availability
CAS                      Primary authentication
Certificate              Primary authentication
ECA360 Token             Primary authentication
Facebook                 Primary authentication
IWA                      Primary authentication
JDBC                     Primary authentication
LDAP                     Primary authentication
LDAP and OTP (Pledge)    Primary authentication
LinkedIn                 Primary authentication
OpenID                   Primary authentication
Salesforce               Primary authentication
SAML2                    Primary authentication
SAML2 Proxy              Primary authentication
SiteMinder               Primary authentication
Twitter                  Primary authentication
KCD                      Secondary authentication only
OTP                      Secondary authentication only
OTP Self-service         Secondary authentication only
TPM                      Secondary authentication only

The OTP self-service authentication module is only available when McAfee OTP is installed with McAfee Cloud SSO.

Two-factor authentication using one time passwords

You create an authentication chain having a primary authentication method as the first module and an OTP authentication method as the second module in the chain.

How two-factor authentication works: LDAP-OTP example

To configure LDAP-OTP authentication, you add an LDAP authentication method as the first module and an OTP authentication method as the second module in the authentication chain.

Figure 5-1 LDAP-OTP authentication

1 The end user requests access to a SaaS or web application.
2 The SaaS or web application redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO prompts the end user for credentials, which the end user provides.
4 McAfee Cloud SSO validates the end user's credentials against the LDAP directory.
5 McAfee Cloud SSO sends a message requesting a one time password to the McAfee OTP service.
6 The McAfee OTP service sends the one time password to the end user.
7 The end user types the one time password in the prompt from McAfee Cloud SSO and clicks Verify.
8 McAfee Cloud SSO sends the one time password to the McAfee OTP service for verification, which the service provides.
9 McAfee Cloud SSO sends the authentication result to the SaaS or web application.
10 The SaaS or web application grants access to the end user.

How two-factor authentication works: OpenID-OTP example

To configure OpenID-OTP authentication, you add an OpenID authentication method as the first module and an OTP authentication method as the second module in the authentication chain. In this example, Google is the OpenID Provider.

Figure 5-2 OpenID-OTP authentication

1 The end user requests access to a SaaS or web application.
2 The SaaS or web application redirects the end user's request to McAfee Cloud SSO with an authentication request.
3 McAfee Cloud SSO redirects the authentication request to the OpenID Provider, Google.
4 Google prompts the end user for credentials, which the user provides.
5 Google sends the authentication result to McAfee Cloud SSO.
6 McAfee Cloud SSO sends a message requesting a one time password to the McAfee OTP service.
7 The McAfee OTP service sends the one time password to the end user.
8 The end user types the one time password in the prompt from McAfee Cloud SSO and clicks Verify.
9 McAfee Cloud SSO sends the one time password to the McAfee OTP service for verification, which the service provides.
10 McAfee Cloud SSO sends the authentication result to the SaaS or web application.
11 The SaaS or web application grants access to the end user.
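The chain behaviour described in this chapter (a primary module first, an OTP module as the second factor, the AND relationship that stops at the first failure, and the OR relationship used for the Facebook-or-Salesforce case under Advantages of authentication chains) is shown below as an added example. It is not McAfee code and does not call the McAfee OTP service: the user store, the token-accepting stand-ins for federated providers and the per-user OTP state are constructed, and the OTP module implements HOTP (RFC 4226) with HMAC-SHA1 so that the one time password can be generated and verified offline.

```python
"""Authentication chain with a primary password module and a secondary OTP module.

Added example (not McAfee code). Users, secrets and the provider stand-ins are
constructed; the OTP module implements HOTP (RFC 4226) with HMAC-SHA1.
"""
import hashlib
import hmac
import struct

PRIMARY, SECONDARY = "primary", "secondary"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
            | digest[offset + 2] << 8 | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class Module:
    """One link in the chain: a name, its availability (see Table 5-1) and a check."""
    def __init__(self, name, availability, check):
        self.name, self.availability, self.check = name, availability, check


def password_module(users):
    """Primary module standing in for LDAP: verifies a password against a salted PBKDF2 hash."""
    def check(creds):
        record = users.get(creds.get("username"))
        if record is None:
            return False
        salt, stored = record
        derived = hashlib.pbkdf2_hmac("sha256", creds.get("password", "").encode(), salt, 100_000)
        return hmac.compare_digest(derived, stored)
    return Module("LDAP", PRIMARY, check)


def otp_module(otp_state, window=3):
    """Secondary module: accepts the next HOTP value within a small look-ahead window
    and advances the user's counter, so an accepted code cannot be replayed."""
    def check(creds):
        state = otp_state.get(creds.get("username"))
        if state is None:
            return False
        for step in range(window):
            if hmac.compare_digest(hotp(state["secret"], state["counter"] + step), creds.get("otp", "")):
                state["counter"] += step + 1
                return True
        return False
    return Module("OTP", SECONDARY, check)


def token_module(name, accepted_tokens):
    """Primary module standing in for a federated provider: accepts a known assertion token."""
    return Module(name, PRIMARY, lambda creds: creds.get(name.lower()) in accepted_tokens)


def validate_chain(modules):
    """A chain must start with a primary module; secondary-only modules follow one."""
    if not modules or modules[0].availability != PRIMARY:
        raise ValueError("the first module of a chain must be a primary authentication method")
    return True


def run_chain(modules, creds, relation="AND"):
    """Evaluate the chain. AND: every module must succeed (stop at the first failure).
    OR: the first module that succeeds authenticates the user. Returns (success, per-module results)."""
    validate_chain(modules)
    results = {}
    for module in modules:
        ok = module.check(creds)
        results[module.name] = ok
        if (relation == "AND" and not ok) or (relation == "OR" and ok):
            break
    success = all(results.values()) if relation == "AND" else any(results.values())
    return success, results


# Constructed sample data: one user with a password hash and an HOTP secret
# (the secret is the RFC 4226 test key, so its codes are 755224, 287082, 359152, ...).
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000))}


def fresh_otp_state():
    """Per-user HOTP secret and counter; a new copy each call so counters start at 0."""
    return {"alice": {"secret": b"12345678901234567890", "counter": 0}}


if __name__ == "__main__":
    chain = [password_module(USERS), otp_module(fresh_otp_state())]
    print(run_chain(chain, {"username": "alice", "password": "correct horse", "otp": hotp(b"12345678901234567890", 0)}))
```

Two details matter for the LDAP-OTP flow above: the password module runs first, so a wrong password never reaches the OTP module (the results dictionary shows only the module that failed), and a one time password that was already accepted is rejected the second time because the counter moved on.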

Create an authentication chain

You build an authentication chain from authentication modules that you configure in the authentication module wizard.

1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors, then click New Identity Connector.
2 In the New Identity Connector dialog box, specify a name that uniquely identifies the authentication chain in the McAfee Cloud SSO system, then select Authentication Chain from the Identity Connector Type drop-down list.
3 For each authentication module that you want to add to the authentication chain:
  a Click New.
  b In the authentication module wizard, complete the following steps:

    Table 5-2 Authentication module wizard steps

    Authentication Module      Select the authentication module type.
    Authentication Login Page  Customize the login page. This step is only available when configuring authentication modules that collect user credentials through an HTML form.
    Authentication Options     Configure module-specific options.
    Output Attributes          Customize output attributes.
    Policy Configuration       Configure a JAAS policy.

  c Click Finish.
4 Modify the order of the modules in the chain as needed.
5 Click Save Identity Connector.

Select the authentication module type

The authentication module type is the authentication method used to authenticate end users.

1 In the authentication module wizard: In the navigation pane, click Authentication Module.
2 In the configuration window, select the authentication method you want to configure, then click Next.

Customize the login page

You can customize the login page when configuring authentication modules that collect user credentials through an HTML form, including JDBC, LDAP, OTP, and OTP Self-service modules. Custom options include the login page title, any notes, and labels for the login fields.

1 In the authentication module wizard: In the navigation pane, click Authentication Login Page.
2 In the configuration window, specify values for the following options, then click Next.

Table 5-3 Custom login page option definitions

Login Page Description
    Login title             Allows you to specify a custom title for the login page.
    Login notes (Optional)  Allows you to specify notes for the end user, which are displayed on the login page.

Login Fields
    Name login field      Specifies a label for the user name field on the login page. (This option is not available when configuring an OTP or OTP self-service authentication module.)
    Password login field  Specifies a label for the password field on the login page.
    OTP login field       Specifies a label for the OTP field on the login page. (This option is only available when configuring a combined LDAP and OTP authentication module.)
    Edit                  When clicked, opens the Configure Login Field dialog box.

Configure Login Field (dialog box)
    Specify a source for the user name or password credential, then click OK:
    Login credentials          The user name or password credential is input on the login page. Specify a label for the field in the Login field label field.
    Preceding module's output  The user name or password credential is output by the preceding module in the authentication chain. Select an output attribute from the drop-down list.

Custom login page options for OTP and OTP self-service authentication modules

Button/Link Configuration
    Enable the buttons that are displayed on the end user's mobile device by selecting the checkboxes and, optionally, customize the labels by double-clicking them.
    Submit OTP       When enabled, this button allows the end user to submit the one time password generated by the OTP client to the OTP server for verification.
    Re-generate OTP  When enabled, this button allows the end user to request a one time password from the OTP client.

Configuring the authentication module options

You configure fields and options that are specific to the type of authentication module you selected.

Configure a JDBC authentication module

Configure a JDBC authentication module when identity information is stored in a database.

1 In the JDBC authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-4 Option definitions for a JDBC authentication module

Database Connection
    JDBC Driver      From the drop-down list, select a supported JDBC driver:
                     com.mysql.jdbc.Driver
                     com.microsoft.sqlserver.jdbc.SQLServerDriver
    DB URL           Specifies the URL of the database.
                     MySQL format: jdbc:mysql://servername:port/databasename
                     SQL Server format: jdbc:sqlserver://servername:port;databasename=database_name
    DB User Name     Specifies the user name of the database administrator.
    DB Password      Specifies the password of the database administrator.
    Test Connection  Tests the database connection you configured.

Query String
    Query String          The query string retrieves the user name and password values from a JDBC table. Select an option:
                          Typical Query String  Creates a query string using the options that you provide.
                          Custom Query String   Allows you to specify a custom query string.
    Typical Query String  Specify values for the following fields:
                          Table Name        Specifies the name of the JDBC table.
                          User Name Column  Specifies the column in the table where the user name or ID is located.
                          Password Column   Specifies the column in the table where the password is located.
    Custom Query String   Specify a custom query string using the following format:
                          SELECT * FROM ${TableName} WHERE ${UserNameColumn}=? and ${PasswordColumn}=?

Configuring an OpenID authentication module

The OpenID standard allows end users to authenticate by using an OpenID, which is an identifier in the form of a URL. To obtain an OpenID, users register with an OpenID Provider.

In the OpenID authentication module wizard, McAfee Cloud SSO offers a built-in configuration option for the OpenID Providers Google, Yahoo, and myOpenID. McAfee Cloud SSO also offers a generic configuration option for any Service Provider that supports the OpenID standard.
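The query string format in Table 5-4 above mixes two kinds of input: `${TableName}`, `${UserNameColumn}` and `${PasswordColumn}` are SQL identifiers that are substituted into the statement text, while the two `?` marks are parameters bound at execution time. The added example below, which is illustrative code rather than McAfee's, renders the typical query from those fields and runs it with the credentials bound. SQLite in memory stands in for the MySQL or SQL Server database, and the users table and its rows are constructed.

```python
"""Rendering and running the JDBC authentication query from Table 5-4.

Added example, not McAfee code. SQLite in memory stands in for the MySQL or
SQL Server database; the table and rows are constructed.
"""
import re
import sqlite3
import string

# Same shape as the product's custom query string; the ? marks are bound parameters.
TYPICAL_QUERY = "SELECT * FROM ${TableName} WHERE ${UserNameColumn}=? and ${PasswordColumn}=?"

# Table and column names are identifiers, not values: a driver cannot bind them with ?,
# so they are restricted to a plain identifier character set before substitution.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_query(template, **identifiers):
    """Substitute the ${...} identifiers after validating each one."""
    for name, value in identifiers.items():
        if not IDENTIFIER.match(value):
            raise ValueError("invalid SQL identifier for %s: %r" % (name, value))
    query = string.Template(template).substitute(identifiers)
    if query.count("?") != 2:
        raise ValueError("query must bind exactly two values (user name and password)")
    return query


def lookup_user(conn, query, username, password):
    """Run the query with the credentials bound as parameters, never spliced into the SQL text.
    Returns the matching row, or None when no row matches."""
    return conn.execute(query, (username, password)).fetchone()


def sample_database():
    """Constructed users table. The password column holds whatever the deployment stores;
    if it stores hashes, the caller binds the hash of the submitted password instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "alice@example.com"),
        ("bob", "hunter2", "bob@example.com"),
    ])
    return conn


if __name__ == "__main__":
    query = render_query(TYPICAL_QUERY, TableName="users",
                         UserNameColumn="username", PasswordColumn="password")
    print(query)
    print(lookup_user(sample_database(), query, "alice", "s3cret"))
```

Because the user name and password travel as bound parameters, a submitted value that contains quote characters or SQL keywords is compared literally against the column and simply fails to match; only the identifier fields, which come from the administrator's configuration rather than from end users, need the allow-list check.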

How OpenID and McAfee Cloud SSO work together

The following diagram shows how McAfee Cloud SSO and the OpenID Provider Google work together to authenticate the end user to a SaaS or web application. In the OpenID standard, McAfee Cloud SSO, the Identity Provider, is known as the Relying Party.

Figure 5-3 Google OpenID authentication

1 The end user requests access to a SaaS or web application.
2 The application redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO presents a login page with authentication options to the end user, including the option to log in using an OpenID. The end user selects the OpenID option and submits a Google OpenID.
4 McAfee Cloud SSO sends an authentication request to the Google OpenID endpoint URL.
5 The Google OpenID endpoint redirects the end user to a Google Federated Login page, where the user is prompted for a Google account user name and password. When the end user is authenticated, Google displays a confirmation page, which notifies the user that a third-party application is requesting authentication. To log in to the SaaS or web application through a Google account, the end user must confirm the third-party authentication.
6 Google redirects the end user's request to McAfee Cloud SSO with five user attributes: country, email, firstname, language, and lastname.
7 McAfee Cloud SSO redirects the end user to the SaaS or web application.
8 The application grants access to the end user.

Configure an OpenID authentication module

Configure an OpenID authentication module when an OpenID Provider is the source of identity information.

1 In the OpenID authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-5 Option definitions for an OpenID authentication module

OpenID Provider
    Select the OpenID Provider that is the source of identity information: Google, Yahoo, myOpenID, or Generic. Provider-specific values populate the fields.

OpenID Identifier
    Specifies the published URL of the OpenID Provider's service.
    Google value:
    Yahoo value:

Attribute Prefix
    Specifies the schema used to map attributes from the OpenID source to McAfee Cloud SSO.
    Google and Yahoo value:
    myOpenID and Generic value:

Attribute Fetch
    For OpenID Providers that support the Attribute Exchange Extension, the Attribute Fetch area lists the attributes that the Provider sends to McAfee Cloud SSO when the user is authenticated.
    Google, Yahoo, and myOpenID Providers  The list of attributes is pre-configured. You can remove attributes from the list, but you cannot add new attributes to the list.
    Generic OpenID Provider                 The list of attributes is fully configurable. To add an attribute to the list, click Import. In the Import dialog box, select an attribute from the Attribute Alias drop-down list, then click Add.

Select Subject
    Select the attribute from the list that uniquely identifies the user or subject.

Advanced Options
    When selected, allows you to configure SLO.

OP Logout
    Select an option:
    Enable   Enables SLO for this OpenID Provider
    Disable  Disables SLO for this OpenID Provider

Table 5-5 Option definitions for an OpenID authentication module (continued)

Logout URL
    Specifies the OpenID Provider's logout URL.
    Google value:
    Yahoo value:

OP Realm
    Specifies the source of the authentication request. The OpenID Provider uses this value to verify that McAfee Cloud SSO is the source of the authentication request. The following sample URLs are valid: extauthn/login, where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed.

Configuring a Facebook authentication module

Facebook provides the authentication service, while McAfee Cloud SSO provides identity management and SSO services for end users in your organization who want access to cloud applications. Facebook authentication requires configuration in Facebook as well as the Management Console.
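The OP Realm option above is what the OpenID Provider checks the request's return_to URL against, and the check is why a realm is tied to the scheme, host, port and path of the McAfee Cloud SSO server. The added example below implements that comparison as the OpenID Authentication 2.0 specification (section 9.2) describes it, including the `*.` host wildcard a realm may carry; it is illustrative code, not McAfee's or any OpenID Provider's, and the host names such as sso.example.com are constructed stand-ins for <mcsso-server>.

```python
"""OpenID 2.0 realm check: does a return_to URL fall inside the OP Realm?

Added example, not McAfee code. It applies the realm-matching rule of the
OpenID Authentication 2.0 specification (section 9.2) as this example reads it;
all host names are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """Return (scheme, host, port, path, fragment) with default ports applied."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, (p.path or "/"), p.fragment


def host_matches(url_host, realm_host):
    """A realm host may start with the '*.' wildcard, which matches the bare domain and
    any subdomain (the behaviour of common OP libraries). Wildcards whose remainder has
    no dot, such as *.com, are rejected as too general."""
    if realm_host.startswith("*."):
        suffix = realm_host[2:]
        if "." not in suffix:
            raise ValueError("realm wildcard too general: %s" % realm_host)
        return url_host == suffix or url_host.endswith("." + suffix)
    return url_host == realm_host


def return_to_matches_realm(return_to, realm):
    """True when scheme and port are identical, the host matches (with the wildcard
    rule) and the return_to path is the realm path or a subdirectory of it."""
    r_scheme, r_host, r_port, r_path, r_frag = _parts(realm)
    if r_frag:
        raise ValueError("a realm must not contain a fragment")
    u_scheme, u_host, u_port, u_path, _ = _parts(return_to)
    if (u_scheme, u_port) != (r_scheme, r_port):
        return False
    if not host_matches(u_host, r_host):
        return False
    realm_dir = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(realm_dir)


if __name__ == "__main__":
    realm = "https://sso.example.com/"            # constructed <mcsso-server> realm
    for candidate in ("https://sso.example.com/extauthn/login",
                      "http://sso.example.com/extauthn/login",
                      "https://sso.example.com.other.test/extauthn/login"):
        print(candidate, return_to_matches_realm(candidate, realm))
```

The path rule is a directory comparison, not a string prefix: a realm of `/extauthn` covers `/extauthn/login` but not `/extauthnx/login`, and the host rule compares whole labels, so a host that merely begins with the realm's host name does not match.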

How Facebook and McAfee Cloud SSO work together

Facebook authentication is based on the OAuth standard. OAuth is an open standard for authorization that allows users to share private data stored on one website with another website without having to expose credentials, such as username and password. Instead, specific tokens authorized by the user and granted by Facebook give third parties limited access to user information.

Facebook authentication does not support SLO. This is a limitation of the OAuth standard.

Figure 5-4 Facebook authentication

1 The end user requests access to a SaaS or web application.
2 The SaaS or web application redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO redirects the end user's request to Facebook.
4 If the end user is not logged in to Facebook, Facebook issues a login page, and the end user provides login credentials. When the end user is authenticated, Facebook sends an authorization request to the end user. The user authorizes McAfee Cloud SSO.
5 Facebook redirects the end user's request to McAfee Cloud SSO with an access token. The access token allows McAfee Cloud SSO to access the SaaS or web application on the end user's behalf.
6 McAfee Cloud SSO redirects the end user to the SaaS or web application and issues a login cookie.
7 The SaaS or web application grants access to the end user.

Set up a Facebook application account for McAfee Cloud SSO

You set up an application account in Facebook for McAfee Cloud SSO, so that Facebook can provide the authentication service. The application account also provides values that you need when configuring a Facebook authentication module in the Management Console. For more information, visit:

1 Create a Facebook application account for professional use or use an existing one.
2 In the Basic Information dialog box, specify values for the following fields. For the remaining fields, you can accept the default values.

Table 5-6 Basic information for a Facebook application account

Application Name
    Specifies a unique name for your Facebook application account.

Manage Users
    Add one or more managers to your Facebook application account and assign each manager one of the following roles: Administrator, Developer, Tester, Insights User.

3 In the Core Settings dialog box, specify values for the following fields. For the remaining fields, you can accept the default values.

Table 5-7 Core settings for a Facebook application account

Application ID
    Copy this value and paste it in the corresponding field on the Authentication Options step of the Facebook authentication module wizard.

Application Secret
    Copy this value and paste it in the corresponding field on the Authentication Options step of the Facebook authentication module wizard. Treat this value as a credential: anyone who holds it can act as your application towards Facebook.

Site Domain
    Specifies the name of the website domain. Example: sh.mcafee.com

Site URL
    Specifies the URL of the McAfee Cloud SSO service. Example:

Configure a Facebook authentication module

Configure a Facebook authentication module when Facebook is the Identity Provider.

1 In the Facebook authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-8 Option definitions for a Facebook authentication module

AppID
    Specifies the application ID assigned by Facebook when you register McAfee Cloud SSO. You can view this value in your Facebook account.

App Secret
    Specifies the application secret assigned by Facebook when you register McAfee Cloud SSO. You can view this value in your Facebook account.

Facebook SLO
    This option is disabled. Facebook authentication is based on the OAuth standard, which does not support SLO.

Facebook whitelist
    When selected, allows you to configure a whitelist. The whitelist is a text file of email addresses separated by commas. The whitelist identifies users who are allowed to access the SaaS or web application by first authenticating to Facebook.

Whitelist
    To locate the whitelist file on your computer, click Browse.

Upload Whitelist
    When clicked, allows you to upload the contents of the selected file to McAfee Cloud SSO.

Download Whitelist
    When clicked, allows you to download the whitelist to the following location and file: <Download_Directory>/whitelist.txt, where <Download_Directory> specifies your web browser's download directory.

Configuring a LinkedIn authentication module

LinkedIn provides the authentication service, while McAfee Cloud SSO provides identity management and SSO services for end users in your organization who want access to cloud applications. LinkedIn authentication requires configuration in LinkedIn as well as the Management Console.

How LinkedIn and McAfee Cloud SSO work together

LinkedIn authentication is based on the OAuth standard. OAuth is an open standard for authorization that allows users to share private data stored on one website with another website without having to expose credentials, such as username and password. Instead, specific tokens authorized by the user and granted by LinkedIn give third parties limited access to user information.

LinkedIn authentication does not support SLO. This is a limitation of the OAuth standard.

Figure 5-5 LinkedIn authentication

1 The end user requests access to a SaaS or web application, such as Salesforce.
2 The application delegates authentication to McAfee Cloud SSO.
3 McAfee Cloud SSO sends a request for a Request Token to the OAuth provider, LinkedIn, and LinkedIn grants an unauthorized Request Token to McAfee Cloud SSO.
4 McAfee Cloud SSO redirects the end user's request to LinkedIn.
5 On a login page, LinkedIn notifies the end user that McAfee Cloud SSO is seeking access to the user's LinkedIn account and prompts the user for credentials. The end user provides the login credentials and authorizes the Request Token granted to McAfee Cloud SSO.
6 LinkedIn authenticates the end user and redirects the user's request to McAfee Cloud SSO with a Verifier Token.
7 McAfee Cloud SSO sends a request for an Access Token to LinkedIn. The request includes the Verifier Token. LinkedIn grants an Access Token to McAfee Cloud SSO. McAfee Cloud SSO accesses the end user's LinkedIn credentials.
8 McAfee Cloud SSO authenticates the end user and sends the authentication result to the application.
9 The application grants access to the end user.

Register an application in your LinkedIn developer's account

To use LinkedIn as the authentication service, you need to register the third-party SaaS or web application in your LinkedIn developer's account. When registration is complete, LinkedIn assigns an API key and secret to the application. You need these values when you configure the LinkedIn authentication module. The values, which together are known as the shared secret, are required for a transaction between an OAuth provider (LinkedIn) and an OAuth consumer (McAfee Cloud SSO).

1 Log on to your LinkedIn developer's account.
2 Click Add New Application.
3 Complete the required fields.

Configure a LinkedIn authentication module

Configure a LinkedIn authentication module when LinkedIn is the Identity Provider.

1 In the LinkedIn authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-9 Option definitions for a LinkedIn authentication module
  App ID: Specifies the API or consumer key assigned by LinkedIn when you register the SaaS or web application.
  App Secret: Specifies the API or consumer secret assigned by LinkedIn when you register the SaaS or web application.

Configuring a Twitter authentication module

Twitter provides the authentication service, while McAfee Cloud SSO provides identity management and SSO services for end users in your organization who want access to cloud applications. Twitter authentication requires configuration in Twitter as well as the Management Console.

How Twitter and McAfee Cloud SSO work together

Twitter authentication is based on the OAuth standard. OAuth is an open standard for authorization that allows users to share private data stored on one website with another website without having to expose credentials, such as username and password. Instead, specific tokens authorized by the user and granted by Twitter give third parties limited access to user information.

Twitter authentication does not support SLO. This is a limitation of the OAuth standard.

Figure 5-6 Twitter authentication

1 The end user requests access to a SaaS or web application, such as Salesforce.
2 The application delegates authentication to McAfee Cloud SSO.
3 McAfee Cloud SSO sends a request for a Request Token to the OAuth provider, Twitter, and Twitter grants an unauthorized Request Token to McAfee Cloud SSO.
4 McAfee Cloud SSO redirects the end user's request to Twitter.
5 On a login page, Twitter notifies the end user that McAfee Cloud SSO is seeking access to the user's Twitter account and prompts the end user for credentials. The end user provides the login credentials and authorizes the Request Token granted to McAfee Cloud SSO.
6 Twitter authenticates the end user and redirects the user's request to McAfee Cloud SSO with a Verifier Token.
7 McAfee Cloud SSO sends a request for an Access Token to Twitter. The request includes the Verifier Token. Twitter grants an Access Token to McAfee Cloud SSO. McAfee Cloud SSO accesses the end user's Twitter credentials.
8 McAfee Cloud SSO authenticates the end user and sends the authentication result to the application.
9 The application grants access to the end user.
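The token hand-offs of Figures 5-5 and 5-6 (unauthorized Request Token, user authorization, Verifier, Access Token) as an added Go example that is not part of this guide or the product: a simplified OAuth 1.0a provider standing in for LinkedIn or Twitter and consumer calls standing in for McAfee Cloud SSO. The consumer key, secret and user names are constructed, and the HMAC-SHA1 covers a short message rather than the full RFC 5849 signature base string.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Added example, not product code: a simplified three-legged OAuth 1.0a exchange.
// Provider stands in for LinkedIn or Twitter; the consumer calls stand in for
// McAfee Cloud SSO. The HMAC-SHA1 covers a short message, not the RFC 5849 base string.

type requestToken struct {
	secret, verifier, user string
	authorized             bool
}

// Provider knows the consumer's API key and shared secret (the registered app values).
type Provider struct {
	consumerKey, consumerSecret string
	requestTokens               map[string]*requestToken
	accessTokens                map[string]string // access token -> authenticated user
}

func NewProvider(key, secret string) *Provider {
	return &Provider{consumerKey: key, consumerSecret: secret,
		requestTokens: map[string]*requestToken{}, accessTokens: map[string]string{}}
}

func randHex(n int) string {
	b := make([]byte, n)
	_, _ = rand.Read(b)
	return hex.EncodeToString(b)
}

// sign computes HMAC-SHA1 over msg with the OAuth signing key "consumerSecret&tokenSecret".
func sign(consumerSecret, tokenSecret, msg string) string {
	m := hmac.New(sha1.New, []byte(consumerSecret+"&"+tokenSecret))
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

func equal(a, b string) bool { return hmac.Equal([]byte(a), []byte(b)) }

// Step 3: the consumer asks for a Request Token; it is issued unauthorized.
func (p *Provider) RequestToken(consumerKey, sig string) (token, secret string, err error) {
	if consumerKey != p.consumerKey || !equal(sig, sign(p.consumerSecret, "", "request_token")) {
		return "", "", errors.New("unknown consumer or bad signature")
	}
	token, secret = randHex(8), randHex(16)
	p.requestTokens[token] = &requestToken{secret: secret}
	return token, secret, nil
}

// Step 5: the end user logs in at the provider and authorizes the Request Token.
// The Verifier binds that authorization to this token; the consumer must present it in step 7.
func (p *Provider) Authorize(token, user string) (verifier string, err error) {
	rt, ok := p.requestTokens[token]
	if !ok || rt.authorized {
		return "", errors.New("unknown or already authorized request token")
	}
	rt.authorized, rt.verifier, rt.user = true, randHex(8), user
	return rt.verifier, nil
}

// Step 7: the consumer trades the authorized Request Token plus Verifier for an
// Access Token. The request token is consumed, so the exchange cannot be replayed.
func (p *Provider) AccessToken(token, verifier, sig string) (string, error) {
	rt, ok := p.requestTokens[token]
	if !ok || !rt.authorized {
		return "", errors.New("request token unknown or not authorized")
	}
	if !equal(verifier, rt.verifier) {
		return "", errors.New("verifier mismatch")
	}
	if !equal(sig, sign(p.consumerSecret, rt.secret, "access_token:"+token+":"+verifier)) {
		return "", errors.New("bad signature")
	}
	delete(p.requestTokens, token)
	at := randHex(8)
	p.accessTokens[at] = rt.user
	return at, nil
}

// RunFlow plays the consumer side for one user (steps 3, 5 with a simulated
// login, and 7) and returns the identity the provider vouches for.
func RunFlow(p *Provider, key, secret, user string) (string, error) {
	tok, tokSecret, err := p.RequestToken(key, sign(secret, "", "request_token"))
	if err != nil { return "", err }
	verifier, err := p.Authorize(tok, user) // in reality a browser redirect and login page
	if err != nil { return "", err }
	at, err := p.AccessToken(tok, verifier, sign(secret, tokSecret, "access_token:"+tok+":"+verifier))
	if err != nil { return "", err }
	return p.accessTokens[at], nil // the protected call made with the Access Token
}

func main() {
	p := NewProvider("demo-app-key", "demo-app-secret") // constructed values, not real keys
	fmt.Println(RunFlow(p, "demo-app-key", "demo-app-secret", "alice@example.com"))
}
```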

Register an application in your Twitter developer's account

To use Twitter as the authentication service, you need to register the third-party SaaS or web application in your Twitter developer's account.

Before you begin
To obtain a Twitter developer's account, visit

1 Log on to your Twitter developer's account.
2 Click Settings, then click Connections.
3 Under Developers, click here.
4 Click Register a new application.
5 Complete the required fields.

For information about Twitter OAuth authentication, visit:
For information about Twitter user account credentials, visit:
For information about Twitter REST API resources, visit:

Configure a Twitter authentication module

Configure a Twitter authentication module when Twitter is the Identity Provider.

1 In the Twitter authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-10 Option definitions for a Twitter authentication module
  App ID: Specifies the API or consumer key assigned by Twitter when you register the SaaS or web application.
  App Secret: Specifies the API or consumer secret assigned by Twitter when you register the SaaS or web application.

Configure an ECA360 Token authentication module

Configure an ECA360 Token authentication module when McAfee Cloud SSO provides the identity information through an application adapter that produces a custom token.

Before you begin
Before you can configure an ECA360 Token authentication module, you need to configure an application adapter.

1 In the ECA360 Token authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-11 Option definitions for an ECA360 Token authentication module
  SSO URL: Specifies the URL of the SSO service provided by the application adapter.
  SLO URL: Specifies the URL of the SLO service provided by the application adapter.
  You can view the SSO URL and SLO URL in the Management Console, as follows.
    1 From the Application Adapters tab drop-down list, select Application Adapters.
    2 Click the troubleshooting icon corresponding to the application adapter that you are using.
    3 In the Application Adapter window: In the Application Endpoint Location area, you can view the SSO URL in the SSO Service field. In the Service Connection Endpoint Location area, you can view the SLO URL in the SLO Service field.
  Assertion Issuer: Specifies the URL of the token issuer, which is the McAfee Cloud SSO service. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
  Select a key pair: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign the custom token.

See also
Multiple Identity Providers on page 220

Configuring a SAML2 authentication module

Configure a SAML2 authentication module when the Identity Provider is a SAML assertion issuer and the SAML assertion is the source of identity information.

Issuer vs. IdP issuer
How the Identity Provider role is assigned depends on the context. In the Identity Connector context, the Identity Provider is an external identity store or authentication service. In the Cloud Connector context, McAfee Cloud SSO is the Identity Provider. In SAML2 authentication, the Identity Provider is an external SAML assertion issuer. McAfee Cloud SSO is the issuer of the signing key pair.

Table 5-12 Issuer options in SAML2 authentication
  IdP Issuer: Specifies the URL of an external SAML assertion service that issues SAML assertions attesting to the user's identity.
  Issuer: Specifies the URL of the McAfee Cloud SSO service that issues the signing key pair.

See also
Managing X.509 certificates for SAML authentication on page 280

Configure SSO for a SAML2 authentication module

You have the option of configuring IdP-initiated SSO, SP-initiated SSO, or both. Configuring SP-initiated SSO requires additional options.

1 In the SAML2 authentication module wizard: In the navigation pane, click SAML SSO.
2 In the configuration window, specify values for the following options, then click Next.

Table 5-13 SSO option definitions for a SAML2 authentication module
  IdP-initiated SSO: When selected, enables IdP-initiated SSO.
  SP-initiated SSO: When selected, enables SP-initiated SSO.
  SP-initiated SSO
    Bypass request match check:
      When deselected: Specifies that McAfee Cloud SSO does compare the ID attribute in the authentication request that it sends to the Identity Provider with the InResponseTo attribute in the authentication response that it receives from the Identity Provider, looking for a match.
      When selected: Specifies that McAfee Cloud SSO does not compare the authentication request and response, looking for a match.
      For more information about this option, consult the SaaS or web application vendor's SSO profile.
    Issuer: Specifies the URL of the McAfee Cloud SSO service that issues the signing key pair. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
    Signature: When selected, allows you to specify the signature type, the key pair, and advanced options.
      Signature: Select a signature type:
        XML Signature: McAfee Cloud SSO signs SSO requests with an XML signature.
        SAML Binding Signature: McAfee Cloud SSO signs SSO requests with a SAML binding signature.
      Signature Keys: From the drop-down list, select a key pair. In SP-initiated SSO, McAfee Cloud SSO redirects the SSO request from the Service Provider to the Identity Provider with a signing key pair. The Identity Provider uses the Issuer URL and signing key pair to verify the SSO request.
      Advanced
        Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
        Canonicalization generation method: From the drop-down list, select C_14_N_EXCLUSIVE.
        KeyInfo Type: From the drop-down list, select an option:
          RSA_KEY_VALUE: Specifies that the SAML assertion is signed with an RSA private key.
          X_509_DATA: Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.
    Single Sign On Service
      Binding: From the drop-down list, select an option:
        HTTP_POST: Specifies that the authentication response is placed in the HTTP body.
        HTTP_REDIRECT: Specifies that the authentication response is placed in the URL.
      Location: Specifies the SSO service URL of McAfee Cloud SSO.

Configure a SAML assertion for a SAML2 authentication module

Configure the values that McAfee Cloud SSO needs to verify SAML assertions issued by the Identity Provider.

1 In the SAML2 authentication module wizard: In the navigation pane, click SAML Assertion.
2 In the configuration window, specify values for the following options, then click Next.

Table 5-14 SAML assertion option definitions for a SAML2 authentication module
  IdP Issuer: Specifies the URL of the Identity Provider that issues SAML assertions attesting to the user's identity.
  Select a key pair: From the drop-down list, select the key pair that the Identity Provider issues. McAfee Cloud SSO uses the IdP Issuer URL and the key pair to verify the SAML assertions that the Identity Provider issues.
  Audience: When selected, allows you to restrict the SAML assertion audience to a specified URL. The audience is the Assertion Consumer Service or endpoint that consumes SAML assertions. In the Audience field, specify the McAfee Cloud SSO identity service as follows. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default:
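The request match check of Table 5-13 and the IdP Issuer and Audience options of Table 5-14, as an added Go example that is not the product's code: the Service Provider side correlates the InResponseTo attribute with the IDs of the authentication requests it sent, then checks issuer, NotOnOrAfter and audience, with the bypass and IdP-initiated switches mirrored from the wizard. The issuer and audience URLs, the timestamps and the unsigned sample Response are constructed, and XML signature verification with the selected key pair is assumed to have run before these checks.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Added example, not product code: the SP-side checks behind "Bypass request
// match check" (Table 5-13) and "IdP Issuer"/"Audience" (Table 5-14). XML signature
// verification is assumed to run first; encoding/xml does no XML-DSig and the
// struct tags match element names by local name only.

type samlResponse struct {
	XMLName      xml.Name `xml:"Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Assertion    struct {
		Issuer     string `xml:"Issuer"`
		Conditions struct {
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// Config mirrors the wizard options; Now is injected so the example is deterministic.
type Config struct {
	IdPIssuer          string // Table 5-14 "IdP Issuer"
	Audience           string // Table 5-14 "Audience"; empty leaves the restriction unchecked
	IdPInitiatedSSO    bool   // Table 5-13 "IdP-initiated SSO"
	BypassRequestMatch bool   // Table 5-13 "Bypass request match check"
	Now                time.Time
}

type Verifier struct {
	cfg     Config
	pending map[string]time.Time // AuthnRequest ID -> expiry, for requests we sent
}

func NewVerifier(cfg Config) *Verifier {
	return &Verifier{cfg: cfg, pending: map[string]time.Time{}}
}

// NewRequestID mints the ID attribute of an SP-initiated AuthnRequest and
// remembers it so that the matching Response can be recognized.
func (v *Verifier) NewRequestID() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b)
	id := "_" + hex.EncodeToString(b) // xs:ID may not start with a digit
	v.pending[id] = v.cfg.Now.Add(5 * time.Minute)
	return id
}

// Check validates one decoded Response; nil means it may be trusted for login.
func (v *Verifier) Check(doc []byte) error {
	var r samlResponse
	if err := xml.Unmarshal(doc, &r); err != nil {
		return err
	}
	if r.Assertion.Issuer != v.cfg.IdPIssuer {
		return fmt.Errorf("assertion issuer %q is not the configured IdP Issuer", r.Assertion.Issuer)
	}
	if s := r.Assertion.Conditions.NotOnOrAfter; s != "" {
		if t, err := time.Parse(time.RFC3339, s); err != nil || !v.cfg.Now.Before(t) {
			return errors.New("assertion expired or NotOnOrAfter malformed")
		}
	}
	audOK := v.cfg.Audience == ""
	for _, a := range r.Assertion.Conditions.Audiences { audOK = audOK || a == v.cfg.Audience }
	if !audOK { return errors.New("assertion is not addressed to this Assertion Consumer Service") }
	return v.matchRequest(r.InResponseTo)
}

// matchRequest is the request match check. With the bypass option set, any
// InResponseTo value is accepted, so a response that was never requested would
// also pass; keep the bypass off unless the vendor's SSO profile requires it.
func (v *Verifier) matchRequest(inResponseTo string) error {
	if inResponseTo == "" { // unsolicited: only legitimate in IdP-initiated SSO
		if v.cfg.IdPInitiatedSSO { return nil }
		return errors.New("unsolicited response while IdP-initiated SSO is disabled")
	}
	if v.cfg.BypassRequestMatch { return nil }
	exp, ok := v.pending[inResponseTo]
	if !ok { return fmt.Errorf("InResponseTo %q matches no outstanding request", inResponseTo) }
	delete(v.pending, inResponseTo) // single use: a replayed response fails here
	if !v.cfg.Now.Before(exp) { return errors.New("matching request has expired") }
	return nil
}

// sampleResponse builds a constructed, unsigned Response for the demonstration.
func sampleResponse(inResponseTo, audience string) []byte {
	attr := ""
	if inResponseTo != "" { attr = ` InResponseTo="` + inResponseTo + `"` }
	return []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"` + attr + `>` +
		`<saml:Issuer>https://idp.example.com/saml</saml:Issuer><saml:Assertion ID="_a1">` +
		`<saml:Issuer>https://idp.example.com/saml</saml:Issuer><saml:Conditions NotOnOrAfter="2013-06-01T12:05:00Z">` +
		`<saml:AudienceRestriction><saml:Audience>` + audience + `</saml:Audience></saml:AudienceRestriction>` +
		`</saml:Conditions></saml:Assertion></samlp:Response>`)
}

func main() {
	v := NewVerifier(Config{IdPIssuer: "https://idp.example.com/saml", Audience: "https://mcsso.example.com:8443/",
		Now: time.Date(2013, 6, 1, 12, 0, 0, 0, time.UTC)}) // constructed values
	id := v.NewRequestID()
	fmt.Println(v.Check(sampleResponse(id, "https://mcsso.example.com:8443/")), v.Check(sampleResponse(id, "https://mcsso.example.com:8443/")))
}
```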

Configure SLO for a SAML2 authentication module

You have the option of configuring IdP-initiated SLO, SP-initiated SLO, or both.

1 In the SAML2 authentication module wizard: In the navigation pane, click SAML SLO.
2 (Optional) In the configuration window, configure IdP-initiated SLO.

Table 5-15 Option definitions for IdP-initiated SLO
  IdP-initiated SLO: When selected, allows you to configure IdP-initiated SLO.
  IdP-initiated SLO Request Verification
    Request Verification: When selected, allows you to configure the IdP issuer URL and the X.509 certificate issued by the Identity Provider. McAfee Cloud SSO uses these values to verify IdP-initiated SLO requests.
      IdP Issuer: Specifies the URL of the Identity Provider.
    Signature Verification: When selected, allows you to specify the X.509 certificate issued by the Identity Provider.
      X509 Certificate: From the drop-down list, select the X.509 certificate issued by the Identity Provider.
  IdP-initiated SLO Response Creation
    Response Creation: When selected, allows you to configure the SLO response that McAfee Cloud SSO creates.
      Issuer: Specifies the McAfee Cloud SSO service that issues the signing key pair. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
    Signature: When selected, allows you to specify the signature type, the key pair, and advanced options.
      Signature: Select a signature type:
        XML Signature: McAfee Cloud SSO signs SLO responses with an XML signature.
        SAML Binding Signature: McAfee Cloud SSO signs SLO responses with a SAML binding signature.
      Signature Keys: From the drop-down list, select a key pair. In IdP-initiated SLO, the Identity Provider uses the McAfee Cloud SSO URL and signing key pair to verify the SLO response that McAfee Cloud SSO creates.
      Advanced
        Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
        Canonicalization generation method: From the drop-down list, select C_14_N_EXCLUSIVE.
        KeyInfo Type: From the drop-down list, select an option:
          RSA_KEY_VALUE: Specifies that the SAML assertion is signed with an RSA private key.
          X_509_DATA: Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.

3 (Optional) In the configuration window, configure SP-initiated SLO.

Table 5-16 Option definitions for SP-initiated SLO
  SP-initiated SLO: When selected, allows you to configure SP-initiated SLO.
  SP-initiated SLO Request Creation
    Request Creation: When selected, allows you to configure the McAfee Cloud SSO issuer URL and the X.509 certificate that McAfee Cloud SSO issues. The Identity Provider uses these values to verify the SLO request that McAfee Cloud SSO creates.
      Issuer: Specifies the URL of the McAfee Cloud SSO service that issues the signing key pair. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
    Signature: When selected, allows you to specify the signature type, the key pair, and advanced options.
      Signature: Select a signature type:
        XML Signature: McAfee Cloud SSO signs SLO responses with an XML signature.
        SAML Binding Signature: McAfee Cloud SSO signs SLO responses with a SAML binding signature.
      Signature Keys: From the drop-down list, select a key pair.
      Advanced
        Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
        Canonicalization generation method: From the drop-down list, select C_14_N_EXCLUSIVE.
        KeyInfo Type: From the drop-down list, select an option:
          RSA_KEY_VALUE: Specifies that the SAML assertion is signed with an RSA private key.
          X_509_DATA: Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.
  SP-initiated SLO Response Verification
    Response Verification: When selected, allows you to configure the Identity Provider issuer URL and the X.509 certificate that the Identity Provider issues. McAfee Cloud SSO uses these values to verify the SLO response that the Identity Provider creates.
      IdP Issuer: Specifies the URL of the Identity Provider issuer.
    Signature Verification: When selected, allows you to configure the following option:
      X509 Certificate: From the drop-down list, select the X.509 certificate issued by the Identity Provider.

4 Configure the SLO service, then click Next.

Table 5-17 Single Logout Service option definitions
  Binding: From the drop-down list, select an option:
    HTTP_POST: Specifies that the authentication response is placed in the HTTP body.
    HTTP_REDIRECT: Specifies that the authentication response is placed in the URL.
  Location: Specifies the SLO service URL of McAfee Cloud SSO.

Configuring a Salesforce authentication module

Salesforce provides the authentication service, while McAfee Cloud SSO provides identity management and SSO services for end users in your organization who want access to cloud applications. Salesforce authentication requires configuration in Salesforce as well as the Management Console.

How Salesforce and McAfee Cloud SSO work together

McAfee Cloud SSO and Salesforce share information using the SAML protocol. McAfee Cloud SSO delegates authentication to Salesforce. If the user is not logged in, Salesforce issues a login page, the user provides credentials, and Salesforce authenticates the user.

Figure 5-7 Salesforce as Identity Provider

1 The end user requests access to a SaaS or web application.
2 The SaaS or web application redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO redirects the end user to Salesforce.
4 If the end user is not logged in to Salesforce, Salesforce issues a login page, and the end user provides login credentials.
5 When the end user is authenticated, Salesforce redirects the user's request to McAfee Cloud SSO with an encoded SAML response.
6 McAfee Cloud SSO verifies the SAML response and redirects the end user to the SaaS or web application.
7 The SaaS or web application grants access to the end user.

Prerequisites for configuring a Salesforce authentication module

Before you can configure a Salesforce authentication module in McAfee Cloud SSO, the following prerequisites must be met.
  Salesforce domain name: If you do not have a Salesforce domain name, you can obtain one from Salesforce.
  Self-signed Salesforce certificate and key pair: If you do not have a self-signed Salesforce certificate and key pair, one is automatically generated when you configure Salesforce as the Identity Provider in your administrator account.
  Salesforce is configured as the Identity Provider in your administrator account: Log on to your administrator account. To configure Salesforce as the Identity Provider: From the management page, select Setup > Administration Setup > Security Controls > Identity Provider.
  Salesforce metadata file: After you configure Salesforce as the Identity Provider, you download the Salesforce SAML2 IdP metadata to a file by clicking the Download Metadata button. You upload the contents of this file when you configure the Salesforce authentication module in the Management Console.

Configure a Salesforce authentication module

Configure a Salesforce authentication module when Salesforce is the Identity Provider.

1 In the Salesforce authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-18 Option definitions for a Salesforce authentication module
  SAML2 IdP Type: Verify that SFDC is selected from the drop-down list.
  Metadata File: Browse for and upload the metadata file that you downloaded in your Salesforce administrator account. The following fields are populated with values from the metadata file.
    SignIn URL: Specifies the URL of the Salesforce authentication service sign-in page.
    SignOut URL: (Optional) Specifies the URL of the Salesforce authentication service sign-out page.
    IdP Assertion Issuer: Specifies the Identity Provider that issues SAML assertions. Salesforce is the Identity Provider.
  SP Assertion Issuer: Specifies the Service Provider that issues SAML assertions. McAfee Cloud SSO is the Service Provider.
  Select signature key pair: From the drop-down list, select a key pair. McAfee Cloud SSO signs SAML assertions with the private key.
  Certificate to verify SAML response: From the drop-down list, select an X.509 certificate. McAfee Cloud SSO verifies signed SAML assertions with the certificate.

Configure an IWA authentication module

Configure an IWA authentication module when identity information is stored in Active Directory.

1 In the IWA authentication module wizard: In the navigation pane, click Authentication Options.
2 Expand the configuration window, specify values for the following options, then click Next.

Table 5-19 Option definitions for an IWA authentication module
  Identity Store: From the drop-down list, select an existing Active Directory identity store.
  Base DN: Specifies the Distinguished Name of the entry in the LDAP tree at which to start the search for a user. Example: DC=AD-DOMAIN
  Search Attribute: Specifies the user attribute to search for and return. Example: samaccountname

Table 5-19 Option definitions for an IWA authentication module (continued)
  Search Scope: From the drop-down list, select an option:
    BASE: Searches the Base DN entry only.
    ONE_LEVEL: Only searches the entries one level below the Base DN.
    SUBTREE: Searches the Base DN and the entire subtree.
  New Active Directory: When clicked, opens the New Identity Store dialog box, where you can configure a new Active Directory identity store.

Configure a CAS authentication module

Configure a CAS authentication module when the Identity Provider is the Central Authentication Service.

1 In the CAS authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-20 Option definitions for a CAS authentication module
  Sign In URL: Specifies the URL of the CAS sign-in page. Example:
  Sign Out URL: Specifies the URL of the CAS sign-out page. Example:
  Validate URL: Specifies the URL of the CAS service that validates Service Tickets. Example:
  Clock Skew: Specifies a value to use when calculating the expiration time. This value is designed to offset small differences between clocks on different computer systems. Default value: 0. Units: seconds.

Configure a SAML2 Proxy authentication module

Configure a SAML2 Proxy authentication module for an instance of McAfee Cloud SSO in the cloud that delegates authentication to an instance of McAfee Cloud SSO in the enterprise. Because McAfee Cloud SSO in the cloud initiates the SSO process, it requires the sign-in and sign-out URLs of McAfee Cloud SSO in the enterprise.

1 In the SAML2 Proxy authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-21 Option definitions for a SAML2 Proxy authentication module
  SignIn URL: Specifies the sign-in page URL of the SAML2 Proxy authentication service provided by an instance of McAfee Cloud SSO in the enterprise for an instance of McAfee Cloud SSO in the cloud.
  Issuer: Specifies the X.509 certificate issuer.
  Assertion Issuer: Specifies the URL of the McAfee Cloud SSO identity service in the enterprise. McAfee Cloud SSO is the SAML assertion issuer.
  Certificate to verify SAML response: From the drop-down list, select an X.509 certificate. McAfee Cloud SSO in the cloud verifies the signed SAML assertion with the certificate.
  SignOut URL: Specifies the sign-out page URL of the SAML2 Proxy authentication service provided by an instance of McAfee Cloud SSO in the enterprise for the instance of McAfee Cloud SSO in the cloud.
  Signature: When selected, allows you to configure a key pair and advanced options.
    Signature Keys: From the drop-down list, select a key pair. McAfee Cloud SSO in the enterprise signs the SAML assertion with the private key.
    Advanced
      Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
      Canonicalization generation method: From the drop-down list, select C_14_N_EXCLUSIVE.
      KeyInfo Type: From the drop-down list, select an option:
        RSA_KEY_VALUE: Specifies that the SAML assertion is signed with an RSA private key.
        X_509_DATA: Specifies that the SAML assertion is signed with an X.509 certificate containing a private key.

Configure an LDAP authentication module

Configure an LDAP authentication module when identity information is stored in an LDAP directory.

1 In the LDAP authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-22 Option definitions for an LDAP authentication module
  Identity Store: From the drop-down list, select an existing LDAP identity store.
  Base DN: Specifies the Distinguished Name of the entry in the LDAP tree at which to start searching for a user. Example: ou=users,ou=system
  Search Attribute: Specifies the user attribute to retrieve from the identity store. Example: uid

Table 5-22 Option definitions for an LDAP authentication module (continued)
  Search Scope: Specifies how many levels to search in the LDAP tree below the Base DN. From the drop-down list, select an option:
    BASE: Searches the Base DN entry only.
    ONE_LEVEL: Only searches the entries one level below the Base DN.
    SUBTREE: Searches the Base DN and the entire subtree.
  New LDAP: When clicked, opens the New Identity Store dialog box, where you can configure a new LDAP identity store.

Configure a combined LDAP and OTP authentication module

Configuring a combined LDAP and OTP authentication module allows you to collect the user name and password credentials and the one-time password on one login page.

1 In the combined LDAP and OTP authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-23 Option definitions for a combined LDAP and OTP authentication module
  Configure the LDAP Options
    Identity Store: From the drop-down list, select an existing LDAP identity store.
    Base DN: Specifies the Distinguished Name of the entry in the LDAP tree at which to start searching for a user. Example: ou=users,ou=system
    Search Attribute: Specifies the user attribute to retrieve from the identity store. Example: uid
    Search Scope: Specifies how many levels to search in the LDAP tree below the Base DN. From the drop-down list, select an option:
      BASE: Searches the Base DN entry only.
      ONE_LEVEL: Only searches the entries one level below the Base DN.
      SUBTREE: Searches the Base DN and the entire subtree.
    New LDAP: When clicked, opens the New Identity Store dialog box, where you can configure a new LDAP identity store.
  Configure the OTP Options
    OTP Connector: From the drop-down list, select an OTP connector.

Table 5-23 Option definitions for a combined LDAP and OTP authentication module (continued)
    New OTP Connector: When clicked, opens the OTP Connector dialog box, where you can provide values for the following options, then click Save OTP Connector.
      Server Host: Specifies the host name or IP address of the OTP server.
      Server Port: Specifies the port number of the OTP server. Default: 3100
      Client Name: Specifies the name that you assigned to your OTP client's integration module in the McAfee OTP remote administration console. If you did not assign a client name, you can leave this field blank.
      Password: Specifies the password required to access and configure the OTP Server remotely. If the OTP Server does not require a password, you can leave this field blank.
      Test Connection: Tests the connection to the OTP server that you configured.
    UID: Select an attribute from the drop-down list of attributes output by the preceding module in the authentication chain. The OTP server uses this identifier to look up users in the database.

Configure a certificate authentication module

Configure a certificate authentication module when an X.509 certificate is the source of identity information.

1 In the certificate authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-24 Option definitions for a certificate authentication module
  Option configuration
    Certificate Provider: From the drop-down list, select SSL as the type of provider that issues the certificate.
    SSL Port: Specifies the number of the SSL port. Default: 8445
  CRL checking
    CRL Check: Enables or disables CRL checking. The CRL is a list of certificates issued by the certificate provider that have been revoked and are no longer valid. When CRL checking is enabled, you can specify the location of the Certificate Distribution Point, where you can download the most recent CRL, in the URL field. Default: When deselected, McAfee Cloud SSO reads the Certificate Distribution Point from the certificate.
    CRL Distribution Points URL: Specifies the location of the Certificate Distribution Point.
  OCSP checking
    OCSP Check: Enables or disables OCSP checking. When enabled, McAfee Cloud SSO sends an OCSP request for the status of the certificate to the certificate provider.

Table 5-24 Option definitions for a certificate authentication module (continued)

OCSP Server
  When OCSP checking is enabled, you can specify the location of the OCSP server in the URL field. Default: When deselected, McAfee Cloud SSO reads the OCSP server from the certificate.

URL
  Specifies the location of the OCSP server.

Keystore configuration

Keystore Type
  McAfee Cloud SSO uses information in the keystore to verify the certificate. From the drop-down list, select an option:
  LDAP: Allows you to configure an LDAP keystore
  Built-in: The keystore is configured with built-in values

LDAP keystore configuration

Certificate Subject Attribute
  Specifies the subject attribute whose value is used to search the LDAP keystore for a certificate.

Identity Store
  Specifies an LDAP keystore.

Base DN
  Specifies the Distinguished Name of the entry in the LDAP tree at which to start searching for the certificate. Example: ou=certs,ou=system

Search Attribute
  Specifies the subject attribute whose value must match the value of the certificate subject attribute when searching the LDAP keystore for a certificate. Default: uid

Search Scope
  Specifies how many levels to search in the LDAP tree below the Base DN. From the drop-down list, select an option:
  BASE: Search the Base DN entry only
  ONE_LEVEL: Only search the entries one level below the Base DN
  SUBTREE: Search the Base DN and the entire subtree

New LDAP
  When clicked, opens the New Identity Store dialog box, where you can configure an LDAP identity store.

Configuring a SiteMinder authentication module

Integrating SiteMinder authentication with McAfee Cloud SSO requires configuration in the SiteMinder Administrative UI as well as in the Management Console.

Integrating SiteMinder with McAfee Cloud SSO

SiteMinder can be integrated with McAfee Cloud SSO installed at the Identity Provider or at the Service Provider. For organizations that use SiteMinder authentication locally, McAfee Cloud SSO is installed at the Identity Provider. For organizations that want access to applications that require SiteMinder authentication, McAfee Cloud SSO is installed at the Service Provider.

Identity Provider
  When installed at the Identity Provider, McAfee Cloud SSO converts valid SMSESSION cookies generated in the Identity Provider domain to federation tokens that enable single sign-on to Service Provider applications outside the domain.

Service Provider
  When installed at the Service Provider, McAfee Cloud SSO converts valid federation tokens to SMSESSION cookies that enable single sign-on to applications that require SiteMinder authentication.

An SMSESSION cookie is generated when a user is authenticated and authorized against a SiteMinder Policy Server in the Identity Provider or Service Provider domain.

How SiteMinder use cases differ

McAfee Cloud SSO supports several SiteMinder use cases.

Table 5-25 SiteMinder use cases and how they differ

McAfee Cloud SSO installed at the Identity Provider, authenticated user
  The authenticated user has a valid SMSESSION cookie. To implement single sign-on to Service Provider applications, McAfee Cloud SSO generates a federation token.

McAfee Cloud SSO installed at the Identity Provider, unauthenticated user
  McAfee Cloud SSO collects user name and password credentials from the unauthenticated user and forwards them to the SiteMinder Policy Server.

McAfee Cloud SSO installed at the Service Provider
  For Service Provider applications that require SiteMinder authentication, McAfee Cloud SSO allows users who have a valid federation token to authenticate to SiteMinder using an SMSESSION cookie.

McAfee Cloud SSO installed at the IdP, authenticated user

McAfee Cloud SSO is installed at the Identity Provider. The user is already authenticated and has a valid SMSESSION cookie. To implement single sign-on to Service Provider applications, McAfee Cloud SSO converts valid SMSESSION cookies generated in the Identity Provider domain to federation tokens that enable single sign-on to Service Provider applications outside the domain.

Figure 5-8 Identity Provider use case, authenticated user

1 The end user requests access to a SaaS or web application by clicking the application's icon on the McAfee Cloud SSO portal. The end user's request includes a valid SMSESSION cookie.
2 McAfee Cloud SSO redirects the end user to the application with a federation token.
3 The application grants access to the end user.

McAfee Cloud SSO installed at the IdP, unauthenticated user

McAfee Cloud SSO is installed at the Identity Provider, and the user is not authenticated. McAfee Cloud SSO collects user name and password credentials from the user and forwards them to the SiteMinder Policy Server. The Policy Server authenticates the user and authorizes access to the application. An SMSESSION cookie and SiteMinder response attributes are generated. To implement single sign-on, McAfee Cloud SSO generates the federation token.

Figure 5-9 Identity Provider use case, unauthenticated user

1 The end user seeks access to a SaaS or web application by clicking the application's icon on the McAfee Cloud SSO portal.
2 McAfee Cloud SSO prompts the end user for credentials, which the user provides on a login page.
3 McAfee Cloud SSO forwards the end user's credentials to the SiteMinder Policy Server. The Policy Server authenticates the end user and authorizes access to the application. The custom SiteMinder web agent embedded in McAfee Cloud SSO returns an SMSESSION cookie and SiteMinder response attributes.
4 McAfee Cloud SSO generates a federation token and sends it to the Service Provider through the end user's browser.
5 The Service Provider grants the end user access to the application.

McAfee Cloud SSO installed at the Service Provider

McAfee Cloud SSO accepts a federation token from any supported authentication type, extracts the SSO subject, and sends the subject to the SiteMinder Policy Server. The Policy Server looks up the user in the SiteMinder user directory. If the user is found and enabled, an SMSESSION cookie is generated and forwarded to the Service Provider.

Figure 5-10 Service Provider use case

1 McAfee Cloud SSO receives a federation token containing an SSO subject from an authentication source. The source can be any supported authentication method. For example, it can be an identity store like LDAP or an identity service like Facebook.
2 McAfee Cloud SSO forwards the SSO subject to the SiteMinder Policy Server.
3 Using the subject, the Policy Server looks up the end user in the SiteMinder user directory.
4 If the end user is found and enabled, the custom SiteMinder web agent embedded in McAfee Cloud SSO returns an SMSESSION cookie and SiteMinder response attributes.
5 McAfee Cloud SSO forwards the SMSESSION cookie to the Service Provider application.

Configuration in the SiteMinder Administrative UI

McAfee Cloud SSO communicates with the SiteMinder Policy Server through a custom SiteMinder web agent. The custom web agent is embedded in McAfee Cloud SSO and requires no configuration on the McAfee Cloud SSO side. However, the SiteMinder administrator must perform configuration tasks in the Administrative UI.

Create a custom agent type

You create a custom agent type in the SiteMinder Administrative UI, so that the Policy Server can communicate with the custom agent embedded in McAfee Cloud SSO. You then have the option of creating one or more custom response attribute types for the agent.

1 In the SiteMinder Administrative UI, navigate to the SiteMinder Agent Type Dialog.
2 In the Name field, type a meaningful name for the custom agent type. Example: mcsso-custom-agent
3 To open the New Agent Action dialog box: In the Agent Type Definition tab, click Create.
4 Specify CUSTOM_ECA_ACTION as the name of the action, then click OK.
5 To create one or more response attribute types for the custom agent, click the Agent Type Properties tab.
6 For each response attribute type that you want to create:
  a Click Create. The SiteMinder Agent Attribute Dialog opens.
  b In the Name field, type a meaningful name for the response attribute type. Example: mcsso-custom-agent-attr-ldap-1
  c From the Data Type drop-down list, select String.
  d In the Identifier field, type a value in one of the permitted ranges. This value uniquely identifies the custom response attribute type and cannot be assigned to more than one attribute. Values in the reserved range are used for response attribute types that are built in to SiteMinder.
  e For each Response Behavior in the following table: From the drop-down list, select an option.

Table 5-26 Response Behavior option definitions

Access Accept
  The custom agent includes this attribute type in the response when access is allowed. This type of attribute can provide information for the Service Provider to use when delivering the service. Example: Zero or One

Access Reject
  The custom agent includes this attribute type in the response when access is denied. This type of attribute can provide information for the end user in the form of a message. Example: Not Allowed

Access Challenge
  The custom agent includes this attribute type in the response when a challenge/response authentication scheme is configured. Example: Not Allowed

  f To create the custom response attribute type, click OK.
7 To create the custom agent type, click OK.

Create a custom agent object

In the SiteMinder Administrative UI, you create a custom agent object based on the custom agent type that you created.

1 In the SiteMinder Administrative UI, navigate to the SiteMinder Agent Dialog.
2 In the Name field, type a meaningful name for the custom agent. Example: mcsso-custom-agent-1
  The McAfee Cloud SSO administrator needs this value to configure a SiteMinder authentication module in the Management Console. The agent name is not case-sensitive.
3 Select the Support 4.x agents checkbox.
4 In the Agent Type area: From the drop-down list, select the SiteMinder option and the name of the custom agent type that you created. Example: mcsso-custom-agent
5 In the IP Address or Host Name field, type the IP address or host name of the server where McAfee Cloud SSO is installed.
  The McAfee Cloud SSO administrator needs this value to configure a SiteMinder authentication module in the Management Console.
6 In the Shared Secret area, type the shared secret in the Secret and Confirm Secret fields.
7 To create the custom agent object, click OK.

Configure a custom authentication scheme

The Service Provider use case requires a custom SiteMinder authentication scheme and library. The library is built using the SiteMinder Java Authentication API and saved in the following .jar file: eca360ssoauth.jar. To deploy the custom authentication scheme, the SiteMinder administrator must install the library, then configure the custom authentication scheme.

1 Install the SiteMinder authentication scheme library that is customized for McAfee Cloud SSO.
2 In the Administrative UI, configure the custom authentication scheme.

Table 5-27 Configure a custom authentication scheme for the Service Provider use case

Install the custom library
  1 Add the eca360ssoauth.jar file to the Policy Server's jar file directory:
    Windows location: NETE_PS_ROOT\bin\jars
    Linux location: NETE_PS_ROOT/bin/jars
  2 Add the .jar file to the Policy Server's JVMOptions.txt file, which is referenced by the NETE_JVM_OPTION_FILE environment variable.

Configure the custom authentication scheme
  1 In the Administrative UI, navigate to the SiteMinder Authentication Scheme Dialog.
  2 In the Name field, type a meaningful name for the authentication scheme. Example: MCSSOAuth
  3 From the Authentication Scheme Type drop-down list, select Custom Template.
  4 In the Protection Level field, type a value in the permitted range. Example: 5
  5 Select the Password Policies Enabled for this Authentication Scheme checkbox.
  6 In the Scheme Setup tab, type smjavaapi in the Library field.
  7 In the Scheme Setup tab, type the full class name of the authentication scheme in the Parameter field. Value: com.intel.e360.siteminder.auth.eca360siteminderauthscheme
  8 To save the configuration, click OK.

Create a response and add response attributes

When you create a custom agent type, you have the option of creating custom response attribute types for the agent. You can then configure response attributes based on these custom types and add them to a response. Response attributes are generated by the Policy Server and returned by the custom web agent embedded in McAfee Cloud SSO.

1 In the Administrative UI, navigate to the SiteMinder Response Dialog.
2 In the Name field, type a meaningful name for the response.
3 From the Agent Type drop-down list, select the custom agent that you created. Example: mcsso-custom-agent
4 For each response attribute that you want to create:
  a Click Create. The SiteMinder Response Attribute Editor opens.
  b From the Attribute drop-down list, select a custom response attribute type.
  c In the Attribute Setup tab: For the Attribute Kind, select the Static or User Attribute option.

  d In the Variable Value or Attribute Name field, specify a value using the following format:
    custom_eca_response_<resp-name>=<%userattr="<attr-name>"%>
    where <resp-name> specifies a name for the SiteMinder module's output attribute and <attr-name> specifies the name of the Policy Server response attribute that you want the custom agent to return.
    Example: custom_eca_response_ =<%userattr="mail"%>
  e To create the response attribute, click OK.
5 To create the response, click OK.

Configuration in the Management Console

Configuration in the Management Console depends on the use case.

Table 5-28 SiteMinder use cases and connector configuration

Identity Provider
  Configure the following connectors:
  1 Identity Connector: Configure an authentication chain consisting of one authentication module having the type SiteMinder.
  2 Cloud Connector: Configure a Cloud Connector for the application in the Service Provider domain and select the Identity Connector you configured in step one.

Service Provider
  Configure the following connectors:
  1 Application adapter: Configure an application adapter for the application that requires SiteMinder authentication.
  2 Cloud authenticator: Configure an authentication chain consisting of two authentication modules and select the application adapter that you configured in step one. The first module is the same type as the authentication source. The second module is a SiteMinder authentication module.

Configure a SiteMinder authentication module

Configure a SiteMinder authentication module when SiteMinder is the Identity Provider.

1 In the SiteMinder authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-29 Option definitions for a SiteMinder authentication module

Agent Name
  Specifies the name configured for the custom SiteMinder agent that is embedded with McAfee Cloud SSO. The SiteMinder administrator configures the agent name in the Administrative UI when the custom agent object is created.

Agent Shared Secret
  Specifies the shared secret configured for the custom SiteMinder agent that is embedded with McAfee Cloud SSO. The SiteMinder administrator configures the shared secret in the Administrative UI when the custom agent object is created.

Table 5-29 Option definitions for a SiteMinder authentication module (continued)

SiteMinder Policy Servers
  Select one or more options as needed:
  Add: Opens the Configure SiteMinder Policy Server dialog box, where you can configure a Policy Server and add it to the SiteMinder authentication module
  Edit: Opens the Configure SiteMinder Policy Server dialog box, where you can modify the configuration of the selected Policy Server
  Remove: Deletes the selected Policy Server from the SiteMinder authentication module
  Remove All: Deletes all Policy Servers from the SiteMinder authentication module

Configure SiteMinder Policy Server (dialog box)
  To configure and add a Policy Server to the SiteMinder authentication module, specify values for the following options, then click Save:
  Policy Server Host: Specifies the host name or IP address of the Policy Server.
  Policy Server Accounting Port: Specifies the port number of the Policy Server accounting service. Default:
  Policy Server Authentication Port: Specifies the port number of the Policy Server authentication service. Default:
  Policy Server Authorization Port: Specifies the port number of the Policy Server authorization service. Default:

Test Policy Server Connection
  Tests the connection to the selected Policy Server.

Advanced Configuration Options

Multi-server Behavior
  When more than one Policy Server is configured, select an option:
  Failover: Specifies that all Policy Server requests are sent to one Policy Server. If that Policy Server fails, all requests are sent to the next Policy Server, and so on in a chain of configured Policy Servers.
  Round-robin: Specifies that Policy Server requests are distributed dynamically among the configured Policy Servers.

Connection Timeout
  Specifies the number of seconds to wait for a connection to the Policy Server before a timeout occurs. Default: 30

Initial Number of Connections
  Specifies the initial number of connections to the Policy Server that the SiteMinder agent creates. Default: 2

Maximum Number of Connections
  Specifies the maximum number of connections to the Policy Server that the SiteMinder agent creates. Default: 20

Connections Increment Step
  Specifies the number of Policy Server connections that the SiteMinder agent adds each time more connections are needed. Default:
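The response attribute value format from the "Create a response and add response attributes" procedure above, parsed and applied to a Policy Server response as an added example; this is not McAfee's or SiteMinder's code, and the response values, user attributes and output names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// responseValuePattern matches the value format the guide gives for a custom
// response attribute:
//   custom_eca_response_<resp-name>=<%userattr="<attr-name>"%>
var responseValuePattern = regexp.MustCompile(
	`^custom_eca_response_([A-Za-z0-9_.-]+)=<%userattr="([^"]+)"%>$`)

// ResponseMapping is one parsed custom response attribute.
type ResponseMapping struct {
	OutputName string // <resp-name>: the SiteMinder module's output attribute
	UserAttr   string // <attr-name>: the Policy Server response attribute to return
}

// ParseResponseValue parses one Variable Value / Attribute Name field and
// rejects anything that does not follow the documented format exactly.
func ParseResponseValue(v string) (ResponseMapping, error) {
	m := responseValuePattern.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return ResponseMapping{}, fmt.Errorf("malformed custom response value %q", v)
	}
	return ResponseMapping{OutputName: m[1], UserAttr: m[2]}, nil
}

// BuildOutputAttributes applies the parsed mappings to the attributes the
// Policy Server returned for the user and produces the module's output
// attributes. Malformed values, missing user attributes and duplicate output
// names are reported rather than silently dropped, so a misconfigured
// response is visible at integration time instead of at login time.
func BuildOutputAttributes(values []string, userAttrs map[string]string) (map[string]string, []error) {
	out := make(map[string]string)
	var errs []error
	for _, v := range values {
		mp, err := ParseResponseValue(v)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		val, ok := userAttrs[mp.UserAttr]
		if !ok {
			errs = append(errs, fmt.Errorf("user attribute %q for output %q was not returned by the Policy Server", mp.UserAttr, mp.OutputName))
			continue
		}
		if _, dup := out[mp.OutputName]; dup {
			errs = append(errs, fmt.Errorf("duplicate output attribute %q", mp.OutputName))
			continue
		}
		out[mp.OutputName] = val
	}
	return out, errs
}

// SampleResponseValues are constructed response attribute values, as an
// administrator might type them in the Response Attribute Editor.
var SampleResponseValues = []string{
	`custom_eca_response_email=<%userattr="mail"%>`,
	`custom_eca_response_uid=<%userattr="uid"%>`,
	`custom_eca_response_phone=<%userattr="mobile"%>`, // attribute absent for this user
	`custom_eca_response_bad=<%userattr=mail%>`,       // missing quotes: rejected
}

// SampleUserAttributes are constructed attributes for one user (no real data).
var SampleUserAttributes = map[string]string{"mail": "jdoe@example.com", "uid": "jdoe"}

func main() {
	out, errs := BuildOutputAttributes(SampleResponseValues, SampleUserAttributes)
	fmt.Println("output attributes:", out)
	for _, e := range errs {
		fmt.Println("error:", e)
	}
}
```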

Troubleshooting SiteMinder integration

Consult the following table when you encounter an issue with SiteMinder integration.

Table 5-30 Troubleshooting issues with SiteMinder integration

The Universal ID attribute must exist in the SiteMinder user directory
  Symptom: A login exception occurs.
  Solution: Verify that the Universal ID attribute exists in the SiteMinder user directory configured for McAfee Cloud SSO.

The SiteMinder authentication module fails to start
  Symptom: When the SiteMinder Policy Server is running on a Windows 32-bit system, it fails to start the SiteMinder authentication module in McAfee Cloud SSO.
  Solution: This failure is a limitation of the SiteMinder Policy Server.

Configuring an OTP authentication module

OTP authentication adds a secondary authentication method to a primary authentication method in an authentication chain. The OTP server, which can be an external server or installed with McAfee Cloud SSO, delivers a one time password to the end user by a specified method. Depending on the delivery method, the user enters the one time password on a login page or mobile device and submits the password to the OTP server for verification.

McAfee Cloud SSO supports the following OTP delivery methods overall.

Table 5-31 OTP delivery methods overall

Mail
  The OTP server sends the one time password to an email address by an email service.

SMS
  The OTP server sends the one time password to a mobile phone number by SMS, a text message service.

OTP client on a mobile device
  The one time password is generated by an OTP client running on a mobile device. McAfee Cloud SSO supports the following OTP clients:
  Pledge
  Yubico (YubiKey)
  When the user submits the one time password on a mobile device, the OTP server verifies the one time password by locating the user's OATH key in the server's database.

OTP server options and available OTP delivery methods

Available OTP delivery methods depend on the following OTP server options.
  The HOTP option
  The target OTP attribute
  The mail and SMS delivery method options

Table 5-32 Available OTP delivery methods depend on OTP server options

HOTP option enabled, Target OTP Attribute = Mail or Mobile
  The HOTP option has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.

HOTP option disabled, Target OTP Attribute = Mail or Mobile
  The HOTP option has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.

HOTP option enabled, Target OTP Attribute = UID
  Delivery of a one time password by an OTP client on a mobile device is supported. Mail and SMS delivery are not supported.

HOTP option disabled, Target OTP Attribute = UID
  The HOTP option has no effect, and the mail and SMS delivery methods are supported when they are enabled in the OTP server.

OTP mapping use cases

The following table summarizes the target OTP attributes and corresponding OTP mapping use cases. The MOBILE target attribute refers to a mobile phone number and the SMS delivery method, not to a mobile device.

Table 5-33 OTP mapping use cases

MAIL (source attribute: email address)
  The end user sends a request to the OTP server for a one time password. The request includes the email address specified by the source attribute. The OTP server sends the one time password to the specified email address. Verify that mail delivery is enabled in the OTP server. The HOTP option in the OTP server has no effect.

MOBILE (source attribute: mobile phone number)
  The end user sends a request to the OTP server for a one time password. The request includes the mobile phone number specified by the source attribute. The OTP server sends the one time password to the mobile phone number using SMS, the Short Message Service. Verify that SMS delivery is enabled in the OTP server. The HOTP option in the OTP server has no effect.

UID (source attribute: identifier)
  If HOTP is enabled, the end user sends a request containing the one time password generated by the OTP client on a mobile device to the OTP server. The request includes the identifier specified by the source attribute. The OTP server uses the specified identifier to locate the user and the user's OATH key in the server's database. The server then uses the OATH key to verify the one time password.
  If HOTP is disabled, the end user sends a request to the OTP server for a one time password. The request includes the identifier specified by the source attribute. The OTP server uses the specified identifier to locate the user in the server's database. If the target OTP attribute is set to mail and mail delivery is enabled in the OTP server, the server sends the one time password to the email address in the user's account. If the target OTP attribute is set to mobile and SMS delivery is enabled in the OTP server, the server sends the one time password to the mobile phone number in the user's account.

Configure an OTP authentication module

Configure an OTP authentication module when you want to add a one time password as a secondary authentication method to a primary authentication method in an authentication chain.

1 In the OTP authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-34 Option definitions for an OTP authentication module

OTP Connector
  From the drop-down list, select an OTP connector.

New OTP Connector
  When clicked, opens the OTP Connector dialog box, where you can provide values for the following options, then click Save OTP Connector.
  Server Host: Specifies the host name or IP address of the OTP server.
  Server Port: Specifies the port number of the OTP server. Default: 3100
  Client Name: Specifies the name that you assigned to your OTP client's integration module in the McAfee OTP remote administration console. If you did not assign a client name, you can leave this field blank.
  Password: Specifies the password required to access and configure the OTP Server remotely. If the OTP Server does not require a password, you can leave this field blank.
  Test Connection: Tests the connection to the OTP server that you configured.

OTP Mapping

Source
  Select a source attribute from the drop-down list of attributes output by the preceding module in the authentication chain. The value of the source attribute is mapped to the target OTP attribute.

Target OTP Attribute
  From the drop-down list, select an option:
  MAIL: Select MAIL as the target OTP attribute when the OTP server sends the one time password to the email address specified by the source attribute
  MOBILE: Select MOBILE as the target OTP attribute when the OTP server sends the one time password to the mobile phone number specified by the source attribute
  UID: Select UID as the target OTP attribute when the OTP server uses the identifier specified by the source attribute to locate the user in the database

Configure an OTP self-service authentication module

Configure an OTP self-service authentication module when you want the end user to select from the available OTP delivery methods and, optionally, to specify an email address or mobile phone number.

To support OTP self-service authentication, you must configure the remote OTP options and the HTTP and HTTPS proxy addresses in the Admin tab in the Management Console.

The OTP self-service authentication module is only available as a secondary authentication method.

1 In the OTP self-service authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-35 Option definitions for an OTP self-service authentication module

Select one or more delivery methods
  Select all OTP delivery methods that are available to the end user:
  Pledge: Pledge generates a one time password on a mobile device. The end user sends the one time password to the OTP server, which verifies the password.
  Email: The OTP server sends the one time password to an email address using an email service.
  Mobile: The OTP server sends the one time password to a mobile phone number using a text message service.

Pledge delivery of one time password
  Verify that the following requirements are met:
  McAfee OTP is installed, and Pledge delivery is configured in the McAfee OTP remote administration console.
  The Pledge OTP client is set up on the mobile device.
  For more information, see the McAfee One Time Password Product Guide.

Email delivery of one time password
  Specify a source for the email address:
  1 From the drop-down list, select an attribute output by the preceding module in the authentication chain.
  2 To prompt the end user for the email address, select the Self-service checkbox.
  Email delivery is built into McAfee Cloud SSO. You can view and optionally modify the SMTP settings by clicking Configure SMTP.

Configure SMTP
  When clicked, opens the SMTP Settings dialog box, where you can configure the email service. Specify values for the following options, then click OK.
  SMTP Host: Specifies the host name or IP address of the SMTP server that sends the email messages. Default: smtp.mcafee.com
  SMTP Port: Specifies the port number of the SMTP server that sends the email messages. Default: 25
  Sender: Specifies the email address from which the messages are sent. Default: MCSSOAdmin@mcafee.com
  The SMTP settings are global. You can also view and modify them in the Admin tab in the Management Console.

Table 5-35 Option definitions for an OTP self-service authentication module (continued)

Mobile delivery of one time password
  Specify a source for the mobile phone number:
  1 From the drop-down list, select an attribute output by the preceding module in the authentication chain.
  2 To prompt the end user for the mobile phone number, select the Self-service checkbox.
  McAfee OTP must be installed, and mobile delivery must be configured in the McAfee OTP remote administration console.

Attribute as key
  From the drop-down list, select an attribute output by the preceding module in the authentication chain to use when looking up the user in the OTP server's database.

See also
  Configure network proxy addresses on page 276
  Configure SMTP and remote OTP options on page 293

Configuring a TPM authentication module

TPM authentication is based on the Trusted Platform Module security chip installed on a client computer. The term client computer refers to the end user's computer. You set up a TPM environment on the client computer so that the end user can authenticate to McAfee Cloud SSO using TPM as the secondary authentication method. McAfee Cloud SSO provides TPM authentication for SaaS and web applications that require it.

Prerequisites for using TPM authentication with McAfee Cloud SSO

Before an end user can authenticate to McAfee Cloud SSO using TPM as the secondary authentication method, the following prerequisites must be met.
  TPM must be set up on the client computer.
  The end user must have a TPM password.
  The end user's TPM public key must be uploaded in the Management Console. This step takes place when you configure a TPM authentication module.
  The TPM authentication module must be configured and added to an authentication chain as the secondary authentication method in the Management Console. This step takes place when you configure an Identity Connector for a SaaS or web application that requires TPM authentication.

How McAfee Cloud SSO implements TPM authentication

The following description of the TPM authentication process includes behind-the-scenes details that the end user never sees. The end user only sees the TPM login page and the TPM password.

1 The end user requests access to a SaaS or web application that requires TPM authentication.
2 The application delegates authentication to McAfee Cloud SSO.
3 McAfee Cloud SSO generates a random number, which is a time stamp, and sends the number, a TPM login page, and a Java applet to the client computer.

4 The end user enters the TPM password on the TPM login page. The Java applet invokes the TPM driver on the client computer. The TPM driver signs the random number with the end user's TPM password. The signed random number, or signature, is sent to McAfee Cloud SSO along with the end user's TPM public key.
5 McAfee Cloud SSO compares the end user's TPM public key to all registered keys and verifies that the TPM public key is trusted. McAfee Cloud SSO uses the trusted TPM public key to verify the signature generated by the TPM driver on the client computer and authenticates the user.
6 McAfee Cloud SSO sends the authentication result to the SaaS or web application.
7 The application grants access to the end user.

Setting up a TPM environment on the client computer

You set up a TPM environment on the client computer so that end users can authenticate to McAfee Cloud SSO using TPM as the secondary authentication method. Setting up TPM involves the tasks in the following table.

Table 5-36 Tasks needed for setting up TPM on the client computer

Enable TPM on the client computer: Activate the TPM security chip, then clear the TPM ownership in BIOS. Details vary from computer to computer. Contact your computer manufacturer for more information.

Run the TPM driver on the client computer: The TPM driver generates the TPM password from the end user's private key and prepares the TPM public key for export. The end user enters the TPM password on the TPM login page when authenticating to McAfee Cloud SSO. The McAfee Cloud SSO administrator imports the TPM public key when configuring the TPM authentication module in the Management Console. For information about creating a TPM driver, contact the manufacturer of the TPM security chip.
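The seven-step challenge-response flow above, modelled end to end as an added example (this is illustration code, not McAfee's product or SDK code). The DemoTpmDriver is a constructed stand-in for the client-side TPM driver that signs with a small textbook-RSA key so the example runs offline; the server side shows the two checks that matter in step 5, a registered (uploaded) public key and a valid signature over the server's own single-use challenge.

```python
"""Challenge-response model of the seven-step TPM login described above.

Added illustration, not McAfee code. A real TPM keeps the private key inside
the chip and signs only after the TPM password (authorization value) is
presented; the password itself is never sent to McAfee Cloud SSO.
"""
import hashlib
import hmac
import math
import random
import secrets
import time

RSA_E = 65537


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, adequate for demo-sized keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand) and math.gcd(cand - 1, RSA_E) == 1:
            return cand


def _hash_to_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class DemoTpmDriver:
    """Constructed stand-in for the TPM driver on the client computer (step 4)."""

    def __init__(self, tpm_password, bits=512):
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        self.n = p * q
        self._d = pow(RSA_E, -1, (p - 1) * (q - 1))   # private exponent, never exported
        self._auth = hashlib.sha256(tpm_password.encode()).digest()

    def public_key(self):
        """The key the administrator uploads in the Management Console."""
        return (self.n, RSA_E)

    def sign(self, tpm_password, challenge):
        """Sign the server's random number; the password only unlocks the key."""
        presented = hashlib.sha256(tpm_password.encode()).digest()
        if not hmac.compare_digest(presented, self._auth):
            raise PermissionError("TPM password rejected")
        return pow(_hash_to_int(challenge), self._d, self.n)


class TpmAuthServer:
    """McAfee Cloud SSO side: registered keys (step 5) and outstanding challenges (step 3)."""

    def __init__(self, challenge_ttl=60.0):
        self._registered = set()
        self._pending = {}          # challenge bytes -> expiry (monotonic seconds)
        self._ttl = challenge_ttl

    def register_public_key(self, pub):
        self._registered.add(pub)

    def new_challenge(self):
        """Step 3: the guide calls the number a time stamp; here it is an unpredictable
        nonce with an expiry, so each challenge can be answered only once."""
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = time.monotonic() + self._ttl
        return challenge

    def verify(self, challenge, signature, pub):
        """Step 5: consume the nonce, require a registered key, then check the signature."""
        expiry = self._pending.pop(challenge, None)     # a replayed challenge is gone
        if expiry is None or time.monotonic() > expiry:
            return False
        if pub not in self._registered:                 # key never uploaded: untrusted
            return False
        n, e = pub
        return pow(signature, e, n) == _hash_to_int(challenge)


def demo():
    """Runs the flow once and exercises the three ways it must fail."""
    server, driver = TpmAuthServer(), DemoTpmDriver("correct horse")
    server.register_public_key(driver.public_key())
    c1 = server.new_challenge()
    sig = driver.sign("correct horse", c1)
    results = {"valid": server.verify(c1, sig, driver.public_key())}
    results["replayed"] = server.verify(c1, sig, driver.public_key())
    stranger = DemoTpmDriver("other password")          # TPM whose key was never uploaded
    c2 = server.new_challenge()
    results["unregistered"] = server.verify(c2, stranger.sign("other password", c2), stranger.public_key())
    c3 = server.new_challenge()
    results["tampered"] = server.verify(c3, driver.sign("correct horse", c3) ^ 1, driver.public_key())
    return results
```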
Add the Windows home directory to the list of path names specified by the Path variable on the client computer: The Path variable is a Windows system environment variable that specifies a semicolon-separated list of paths to search when locating executable files. On a Windows 7 operating system:
1 From the Start menu, select Control Panel > System > Advanced system settings.
2 In the System Properties dialog box: Click the Advanced tab, then click Environment Variables.
3 In the Environment Variables dialog box: In the System variables area, select the Path variable, then click Edit.
4 In the Edit System Variable dialog box: In the Variable value field, add your Windows home directory to the list of path names, then click OK.
Format: C:\Users\<default_user_name>
You can locate the default user name as follows. In the System Properties dialog box, click the Advanced tab. In the User Profiles area, click Settings. In the User Profiles dialog box, the default user name is listed first.
5 To close the Environment Variables dialog box, click OK.
6 To close the System Properties dialog box, click OK.

Table 5-36 Tasks needed for setting up TPM on the client computer (continued)

Extract the TPM public key and encryption key wrapper on the client computer: On the client computer:
1 Extract the TPM public key and encryption key wrapper.
2 Rename the public key file to intel-tpm.pub and the wrapper file to intel-tmp.kw.
3 Save the renamed files in the Windows home directory.

Modify the JRE security policy file on the client computer: You modify the JRE security policy file so that the TPM driver can sign the random number generated by McAfee Cloud SSO with the end user's TPM password.
1 Locate and open the JRE security policy file.
Example: C:\Program Files\Java\jre6\lib\security\java.policy
2 Add the following line to the end of the file, inside the closing default grant block as shown in the sample file that follows:
permission java.security.AllPermission;
3 Restart the web browser.

Sample JRE security policy file to modify for TPM authentication

The following code is an example of the JRE security policy file that you need to modify for TPM authentication.

// Standard extensions have all permissions by default.
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};

// Default permissions are granted to all domains.
grant {
    // Allow any thread to stop by using the java.lang.Thread.stop()
    // method without any arguments.
    // Note: This permission is granted by default only to remain
    // backwards compatible.
    // We recommend that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See " for more information.
    permission java.lang.RuntimePermission "stopThread";

    // Allow anyone to listen on un-privileged ports.
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // "Standard" properties can be read by anyone.
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    permission java.security.AllPermission;
};

Configure a TPM authentication module

You configure a TPM authentication module when you want to add one or more TPM public key files as a secondary authentication method to a primary authentication method in an authentication chain.
1 In the TPM authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area.
3 To add one or more TPM public key files to the authentication module, repeat these steps as needed.
a Click Add.
b In the Import TPM public key dialog box, browse for the TPM public key file, then click Upload.
4 Click Next.

Configure a KCD authentication module

Configure a KCD authentication module when you want to add Kerberos authentication as a secondary authentication method to a primary authentication method in an authentication chain.

Managing Kerberos authentication is called impersonation. When managing Kerberos authentication, McAfee Cloud SSO impersonates the end user. Kerberos constrained delegation is configured on the domain controller to specify which applications McAfee Cloud SSO is allowed to access when impersonating a user. The domain controller is the server where Active Directory is running. The server responds to authentication requests made within the Windows Server domain. All enterprise applications and host computers must be in the Windows Server domain.

McAfee Cloud SSO must be installed on a Windows Server that is connected to an Active Directory user store. The authentication module wizard automatically detects the Active Directory connection and verifies that the user store is in the enterprise domain.

1 In the KCD authentication module wizard: In the navigation pane, click Authentication Options.
2 In the configuration window, expand the Option configuration area, specify values for the following options, then click Next.

Table 5-37 Option definitions for a KCD authentication module

Select the subject from the preceding module's output attributes
Source
Local Agent
AD Domain: Specifies the name of the Active Directory domain.
Identity Store: From the drop-down list, select an existing Active Directory identity store or click New Active Directory to create a new one.
Base DN: Specifies the Distinguished Name of the entry in the LDAP tree at which to start searching for a user. Example: DC=MCAFEE,DC=COM
Search Attribute: Specifies the user attribute to retrieve from the identity store. Example: samaccountname
Search Scope: Specifies how many levels to search in the LDAP tree below the Base DN. From the drop-down list, select an option:
- BASE: Searches the Base DN entry only
- ONE_LEVEL: Searches only the entries one level below the Base DN
- SUBTREE: Searches the Base DN and the entire subtree
New Active Directory: When clicked, opens the New Identity Store dialog box, where you can configure a new Active Directory identity store.

Customize the authentication module output attributes

User attributes are output by one authentication module and passed to the next authentication module in an authentication chain. The output attributes are known as target attributes to the first module and source attributes to the next module in the authentication chain. You can customize the attributes output by the authentication module that you are configuring.
1 In the authentication module wizard: In the navigation pane, click Output Attributes.
2 In the configuration window, select the Configure one or more output attributes checkbox.
3 To customize the output attributes, specify values for the following options, then click Next.

Table 5-38 Output attribute option definitions for an authentication module

To customize the output attributes, select an option:
- Add: Opens the New attribute dialog box, where you can configure a new output attribute.
- Edit: Opens the Edit attribute dialog box, where you can edit the selected output attribute.
- Remove: Removes the selected output attribute.

New attribute (dialog box): To configure a new output attribute, specify values for the following options, then click Save.
- Target name: Specifies the name of the target attribute output by the authentication module you are configuring. This name is used by the succeeding module in the authentication chain to refer to the attribute.
- Source name: Specifies the name of the source attribute that you are mapping to the target attribute. The source attribute can be output by the preceding module in the authentication chain, or it can be a login credential entered by the end user.
- Edit: Opens the Select source dialog box, where you can configure the source attribute.
- Final result: When selected, specifies that the target attribute output by the authentication module you are configuring is also output by the authentication chain overall. An output attribute that is specified as the final result of an authentication chain cannot be output by any succeeding authentication module in the chain. This requirement is enforced during configuration of the authentication chain, and an error message is displayed.

Select source (dialog box): Select an option, then click OK:
- Authentication result: Specifies that the source attribute is output by the preceding module in the authentication chain. From the Select authentication result drop-down list, select an attribute.
- Login credential: Specifies that the source attribute is a login credential entered by the end user.
From the Select login credential drop-down list, select the User name or Password prompt.
- Extract value from entry (Authentication result): When selected, allows you to specify an expression that extracts a value from the source attribute output by the preceding module in the authentication chain.
Example: ADDRESS=([\d\w\.]+@[\d\w\.]+), CN=
This expression extracts the e-mail address from the subject field of an X.509 certificate.

Default output attributes for a certificate authentication module

The contents of an X.509 certificate are the source of the default output attributes configured for a certificate authentication module.

Table 5-39 Default output attributes for a certificate authentication module

Serial Number: Specifies a number that uniquely identifies the X.509 certificate.
Subject: Specifies the name of the entity that is authenticated. An entity can be an individual or an organization.

Table 5-39 Default output attributes for a certificate authentication module (continued)

Issuer: Specifies the name of the X.509 certificate issuer.
Subject Unique Identifier: Specifies an identifier that is unique to the subject. This optional attribute can be set to null.
Issuer Unique Identifier: Specifies an identifier that is unique to the issuer. This optional attribute can be set to null.
Version: Specifies the version of the X.509 certificate.

Configure a JAAS policy for the authentication module

Select a JAAS policy type for the authentication module and, optionally, configure one or more JAAS policy conditions.

The JAAS policy type specifies whether authentication by the module is required for overall authentication by the chain and whether processing of the chain stops or continues with the next module. You can use JAAS policy conditions to restrict access to specified times, days, IP addresses, browser types, and user attribute values. If the policy conditions evaluate to true, access to the requested application is permitted.
1 In the authentication module wizard: In the navigation pane, click Policy Configuration.
2 In the configuration window, select a JAAS Policy Type.

Table 5-40 JAAS policy types

Requisite: Authentication by the module is required for overall authentication by the chain. Processing of the chain stops when authentication by the module fails.
Required: Authentication by the module is required for overall authentication by the chain. Processing of the chain continues.
Sufficient: Authentication by the module is optional for overall authentication by the chain. Processing of the chain stops when authentication by the module succeeds.
Optional: Authentication by the module is optional for overall authentication by the chain. Processing of the chain continues.

3 (Optional) Select the Condition checkbox, then configure one or more policy conditions.

Table 5-41 JAAS policy conditions

Determined by Cloud Connector: When selected, lets you enable or disable the authentication module in the Cloud Connector wizard. This flexibility allows you to use the same authentication chain with a wider variety of Cloud Connectors and applications.
Time restriction: When selected, allows you to specify a time range. If the time of access falls within the specified time range, the condition is true.
Day restriction: When selected, allows you to specify one or more days of the week. If the day of the week belongs to the specified set of days, the condition is true.
IP restriction: When selected, allows you to specify a range of IP addresses. If the IP address falls within the specified address range, the condition is true.
Browser restriction: When selected, allows you to select a browser type. If the request is from a browser of the specified type, the condition is true.
Authentication context: When selected, allows you to specify a Boolean expression that is based on an attribute output by the preceding authentication module. If the expression evaluates to true, the condition is true.

4 Click Finish.

See also
Attribute mapping and expressions in McAfee Cloud SSO on page 327

Determined by Cloud Connector use cases

The following use cases show how the Determined by Cloud Connector feature allows you to use the same authentication chain in more than one situation. Authentication modules that can be enabled and disabled in the Cloud Connector wizard are disabled by default.

Use case 1
1 Create an authentication chain consisting of one LDAP module and one OTP module.
2 Select the Determined by Cloud Connector checkbox for the OTP module.
3 Configure two Cloud Connectors.
- For an application that requires one time passwords: In the Cloud Connector wizard, on the Identity Connector step, enable the OTP module.
- For an application that does not require one time passwords: In the Cloud Connector wizard, on the Identity Connector step, disable the OTP module.
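How the JAAS policy types of Table 5-40, the conditions of Table 5-41 and the Determined by Cloud Connector switch combine at run time, worked through for use case 1 as an added example (illustration code, not McAfee's implementation). Assumed for the example: a module whose conditions are false counts as a failed module, and the request context fields (user, password, otp, ip, browser, when) and the sample user are constructed.

```python
"""Authentication chain evaluation following Table 5-40 (JAAS policy types),
Table 5-41 (policy conditions) and the Determined by Cloud Connector use cases.

Added illustration, not McAfee code. Assumption: a module whose configured
conditions are false is treated as having failed.
"""
import datetime as dt
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class AuthModule:
    name: str
    policy: str                                    # Requisite | Required | Sufficient | Optional
    authenticate: Callable[[dict], bool]           # the module's own credential check
    determined_by_connector: bool = False          # enabled per Cloud Connector, off by default
    time_range: Optional[Tuple[int, int]] = None   # Time restriction: (start_hour, end_hour)
    days: Optional[Set[int]] = None                # Day restriction: 0=Mon .. 6=Sun
    ip_range: Optional[str] = None                 # IP restriction: CIDR block
    browsers: Optional[Set[str]] = None            # Browser restriction
    context_check: Optional[Callable[[dict], bool]] = None  # Authentication context expression


def conditions_hold(m: AuthModule, ctx: dict) -> bool:
    """Table 5-41: every configured condition must be true."""
    when: dt.datetime = ctx["when"]
    if m.time_range and not m.time_range[0] <= when.hour < m.time_range[1]:
        return False
    if m.days is not None and when.weekday() not in m.days:
        return False
    if m.ip_range and ipaddress.ip_address(ctx["ip"]) not in ipaddress.ip_network(m.ip_range):
        return False
    if m.browsers is not None and ctx.get("browser") not in m.browsers:
        return False
    if m.context_check and not m.context_check(ctx.get("attributes", {})):
        return False
    return True


def evaluate_chain(chain: List[AuthModule], ctx: dict,
                   enabled_by_connector: Set[str]) -> Tuple[bool, List[str]]:
    """Returns (access granted, names of the modules that were actually evaluated)."""
    evaluated, has_required, required_ok, any_success = [], False, True, False
    for m in chain:
        if m.determined_by_connector and m.name not in enabled_by_connector:
            continue                                     # disabled for this Cloud Connector
        evaluated.append(m.name)
        ok = conditions_hold(m, ctx) and m.authenticate(ctx)
        any_success = any_success or ok
        if m.policy == "Requisite":
            has_required = True
            if not ok:
                return False, evaluated                  # stops when the module fails
        elif m.policy == "Required":
            has_required = True
            required_ok = required_ok and ok             # continues; the failure is remembered
        elif m.policy == "Sufficient":
            if ok and required_ok:
                return True, evaluated                   # stops when the module succeeds
        elif m.policy != "Optional":
            raise ValueError(f"unknown JAAS policy type {m.policy!r}")
    return (required_ok if has_required else any_success), evaluated


def demo() -> dict:
    """Use case 1: one LDAP module and one OTP module, the OTP module determined by the connector."""
    users = {"alice": "pw-alice"}                        # constructed LDAP stand-in
    ldap = AuthModule("LDAP", "Requisite", lambda c: users.get(c["user"]) == c["password"])
    otp = AuthModule("OTP", "Required", lambda c: c.get("otp") == "123456",
                     determined_by_connector=True, ip_range="10.0.0.0/8")
    chain = [ldap, otp]
    base = {"user": "alice", "password": "pw-alice", "ip": "10.1.2.3",
            "browser": "Firefox", "when": dt.datetime(2013, 6, 3, 10, 0)}
    # Sufficient stops the chain on success; with no Required modules, one Optional success grants access
    alt = [AuthModule("OTP", "Sufficient", lambda c: c.get("otp") == "123456"),
           AuthModule("LDAP", "Optional", lambda c: users.get(c["user"]) == c["password"])]
    return {
        "otp_app_ok": evaluate_chain(chain, {**base, "otp": "123456"}, {"OTP"}),
        "otp_app_no_otp": evaluate_chain(chain, base, {"OTP"}),
        "otp_app_offsite": evaluate_chain(chain, {**base, "otp": "123456", "ip": "203.0.113.9"}, {"OTP"}),
        "plain_app": evaluate_chain(chain, base, set()),
        "plain_app_bad_pw": evaluate_chain(chain, {**base, "password": "nope"}, set()),
        "sufficient_short_circuit": evaluate_chain(alt, {**base, "otp": "123456", "password": "nope"}, set()),
        "optional_only": evaluate_chain(alt, base, set()),
    }
```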

Use case 2

Figure 5-11 Secondary authentication is determined when the Cloud Connector is configured
1 Create an authentication chain consisting of one LDAP module, one OTP module, and one OTP self-service module.
2 Select the Determined by Cloud Connector checkbox for both OTP modules.
3 Configure a Google Cloud Connector. On the Identity Connector step, enable the OTP module. The OTP self-service module is disabled by default.
4 Configure a Salesforce Cloud Connector. On the Identity Connector step, enable the OTP self-service module. The OTP module is disabled by default.

Register a user-defined authentication module

You can create your own authentication module using the SDK provided with McAfee Cloud SSO and register it in the Management Console.

Specify the full class name and upload the .jar file

You specify the full class name and, optionally, a description of the user-defined authentication module, then upload the .jar file containing the authentication module.
1 In the Management Console: From the Cloud Connectors tab drop-down list, select Identity Connectors, then click New Identity Connector.
2 In the New Identity Connector dialog box, specify a name that uniquely identifies the authentication chain in the McAfee Cloud SSO system, select Authentication Chain from the Identity Connector Type drop-down list, then click New.

3 In the authentication module wizard: On the Authentication Module step, click Register new module.
4 In the registration wizard: On the Module Name step, specify values for the following options, then click Next.

Table 5-42 Module Name step of the registration wizard

Full Class Name: Specifies the user-defined authentication module's full class name.
Format: com.intel.e360.identityservice.authn.spi.<module_name>authnloginmodule
where <module_name> specifies the name of the authentication module.
Browse: Browse for and select the .jar file containing the user-defined authentication module, then click Upload.
Description: (Optional) Describes the user-defined authentication module.

Configure the authentication service options and the output attributes

You configure the authentication service options and the output attributes, specifying which output attributes are shared with the next module in the authentication chain. The values that you specify must match the implementation of the authentication module.
1 In the registration wizard: In the navigation pane, click Option Configuration.
2 In the configuration window, expand the Option configuration and Output attributes areas.
3 Specify values for the following options, then click Next.

Table 5-43 Option Configuration step of the registration wizard

Option configuration
Option name: Specifies a name that uniquely identifies the option.
Property: Select one or more of the following properties:
- Required: When selected, specifies that this option must be configured by the administrator in the authentication module wizard.
- List: When selected, specifies that this option is a list value having the string type.
- Attributes from preceding module: When selected, specifies that this option is passed to the user-defined module from the preceding module in the authentication chain.
Option type: Select a data type:
- string: Specifies a string value
- password: Specifies a password
- boolean: Specifies a boolean value
- integer: Specifies an integer
- enum: Specifies a list of constant values
Add: When clicked, adds the option with the specified name, properties, and data type to the option list.

Table 5-43 Option Configuration step of the registration wizard (continued)

Output attributes
Add: Type the name of the output attribute in this field, optionally select the Share with succeeding modules checkbox, then click Add.
Share with succeeding modules: When selected, specifies that the output attribute is shared with the next module in the authentication chain.

Specify the callback configuration

The callback configuration defines the credentials required for authentication and how the login page is rendered. When authentication is delegated to a custom Identity Provider or authentication service, or credentials are extracted from HttpServletRequest or HttpServletResponse, the callback configuration is not needed. In this case, you can omit this step, and the value of the callback configuration is null.
1 In the registration wizard: In the navigation pane, click Callback Configuration.
2 In the configuration window, select the Upload the XML file containing the callback configuration checkbox.
3 Browse for and select the XML file containing the callback configuration, then click Upload. The contents of the callback configuration file are displayed in the Callback Configuration area.
4 Click Next.

Review the user-defined authentication module options

After you review the configuration, you have the option of restarting the McAfee Cloud SSO service. You need to restart the service for your changes to take effect.
1 Review the user-defined authentication module options, then click Finish.
2 (Optional) Click Yes to restart the McAfee Cloud SSO service. The changes take effect.


6 Cloud Connectors

A Cloud Connector is the configuration that allows McAfee Cloud SSO to connect to and provide identity and SSO services for a cloud application.

Contents
Built-in vs. plug-in Cloud Connectors
Dynamic Cloud Connectors
Generic Cloud Connectors
Individual Cloud Connectors
Office 365 Cloud Connectors: SAML vs. WS-Federation
Creating a Cloud Connector
Create a Cloud Connector
Configure credential mapping
Configure a generic Cloud Connector
Configure individual Cloud Connectors
Configuring SAML Cloud Connectors
Configuring Cloud Connectors that use WS-Federation
Configure an ECA360 Token Cloud Connector
Configure an OpenID Cloud Connector
Configuring an Impersonation Cloud Connector
Configuring individual custom Cloud Connectors
Configure just-in-time user provisioning
Configuring an authorization policy
Review the Cloud Connector configuration
Cloud Connector SSO methods reference

Built-in vs. plug-in Cloud Connectors

McAfee Cloud SSO offers a variety of built-in and plug-in Cloud Connectors that simplify the configuration of single sign on to SaaS and web applications. In the SaaS model, the Service Provider hosts the application and data in the cloud, and end users access the hosted service over the Internet through a web browser on a local computer.

The built-in Cloud Connectors are part of the McAfee Cloud SSO system and cannot be managed in any way. The plug-in Cloud Connectors that come installed with the product are like the Cloud Connector plug-ins developed by customers. Plug-in Cloud Connectors can be installed, disabled, enabled, deleted, and modified. For more information, see the McAfee Cloud Single Sign On Developer's Guide.

See also
Manage Cloud Connector plug-ins on page 288

Dynamic Cloud Connectors

When integrated with Web Gateway, McAfee Cloud SSO supports SSO to cloud applications that provide login page information dynamically (such as DropBox) with dynamic Cloud Connectors. Before you can configure a dynamic Cloud Connector, Web Gateway integration must be enabled in the Management Console.

See also
Installing McAfee Cloud SSO on an appliance or virtual machine on page 38
Benefits of Web Gateway integration on page 227
Configure Web Gateway integration on page 289

Generic Cloud Connectors

Most Cloud Connectors support a single application and are known as individual Cloud Connectors. Some Cloud Connectors are generic, such as the SAML2 Cloud Connector, and can support many applications. The generic SAML2 Cloud Connector supports any cloud application that uses the SAML 2.0 protocol but is not included in the McAfee Cloud SSO application catalog. Generic Cloud Connectors are built-in and cannot be managed.

Table 6-1 Types of generic Cloud Connectors

ECA360 Token (Single Sign On type: User-defined): Select the ECA360 Token Cloud Connector type for .NET and Java-based web applications.
GenericOpenID (Single Sign On type: OpenID): Select the GenericOpenID Cloud Connector type for any OpenID Provider that is not included in the McAfee Cloud SSO application catalog.
GenericSAML1 (Single Sign On type: SAML 1.1): Select the GenericSAML1 Cloud Connector type for any cloud application that uses the SAML 1.1 protocol but is not included in the McAfee Cloud SSO application catalog.
GenericSAML2 (Single Sign On type: SAML 2.0): Select the GenericSAML2 Cloud Connector type for any cloud application that uses the SAML 2.0 protocol but is not included in the McAfee Cloud SSO application catalog.
HTTPPOST (Single Sign On type: HTTP POST): Select the HTTPPOST Cloud Connector type for any cloud application that runs on an HTTP server and uses form-based authentication but is not included in the McAfee Cloud SSO application catalog.
Impersonation (Single Sign On type: Kerberos): Select the Impersonation Cloud Connector type for any cloud application that uses Kerberos authentication but is not included in the McAfee Cloud SSO application catalog.

Individual Cloud Connectors

McAfee Cloud SSO supports many cloud applications with individual Cloud Connectors. Individual Cloud Connectors come with many options preconfigured, greatly simplifying the configuration that is required in the Cloud Connector wizard. Individual Cloud Connectors can be grouped by the method or protocol used to implement SSO, such as HTTP POST or SAML 2.0. Cloud Connectors that use the same SSO method or protocol share many configuration details.

Table 6-2 Individual Cloud Connectors grouped by SSO method or protocol

HTTP POST: McAfee Cloud SSO supports many cloud applications that run on an HTTP server and use form-based authentication with individual Cloud Connectors. HTTP POST applications include AdminiTrack, Atlassian, Bill, Box, Cloudwords, and Concur.
SAML 2.0: McAfee Cloud SSO supports many cloud applications that use the SAML 2.0 protocol with individual SAML 2.0 Cloud Connectors. SAML 2.0 applications include ADP, BoxNet, EchoSign, HostAnalytics, Jive, and LongJump.
WS-Federation: McAfee Cloud SSO supports cloud applications that use WS-Federation with individual Cloud Connectors. WS-Federation applications include Office 365 and SharePoint.
Custom: McAfee Cloud SSO supports cloud applications that use a proprietary SSO method with individual custom Cloud Connectors. Custom applications include Accellion, AmazonAWS, Creately, DeskCustom, EStreamDesk, Freshdesk, IdeaScale, NetSuite, Schoology, TenderSupport, and UserVoice.

Office 365 Cloud Connectors: SAML vs. WS-Federation

McAfee Cloud SSO supports Office 365 with two individual Cloud Connectors: a SAML Cloud Connector and a WS-Federation Cloud Connector.

Table 6-3 Office 365 Cloud Connectors: SAML vs. WS-Federation

Office365SAML (SSO method or protocol: SAML 2.0): Does not require ADFS. Use this connector when you do not have an ADFS environment.
Office365 (SSO method or protocol: WS-Federation): Requires ADFS. Use this connector when you have an ADFS environment or can set one up.

Creating a Cloud Connector

The Cloud Connector wizard leads you through the steps required to create and configure a Cloud Connector. The wizard includes steps that are common to the configuration of every type of Cloud Connector. It also includes steps that are unique to each Cloud Connector type. These steps depend on the cloud application and the method or protocol that it uses to implement SSO.
Table 6-4 Steps in the Cloud Connector wizard

Cloud Connector Type
Cloud Connectors sharing this step: All Cloud Connectors
Corresponding topic: Create a Cloud Connector

Identity Connector
Cloud Connectors sharing this step: All Cloud Connectors

Credential Mapping
Cloud Connectors sharing this step: Some Cloud Connectors
Corresponding topic: Configure credential mapping

Table 6-4 Steps in the Cloud Connector wizard (continued)

Configure SSO
Cloud Connectors sharing this step: All Cloud Connectors. Steps and details vary for each cloud application and SSO method.
Corresponding topics, organized in categories: Generic HTTP POST Cloud Connector; Individual Cloud Connectors; SAML Cloud Connectors; Generic Cloud Connectors; Individual custom Cloud Connectors

Just-in-Time User Provisioning
Cloud Connectors sharing this step: Google, Salesforce, and Schoology only
Corresponding topic: Configure just-in-time user provisioning

Authorization Enforcement
Cloud Connectors sharing this step: All Cloud Connectors
Corresponding topic: Configure an authorization policy

Review
Cloud Connectors sharing this step: All Cloud Connectors
Corresponding topic: Review the Cloud Connector configuration

Create a Cloud Connector

Each Cloud Connector configuration includes a type, a unique name that you assign, and an Identity Connector. The Identity Connector is the configuration that allows McAfee Cloud SSO to connect to and communicate with an identity store or authentication service.
1 In the Management Console: From the Cloud Connectors drop-down list, select the Cloud Connectors option.
2 Click New Cloud Connector.
3 In the Cloud Connector wizard: On the Cloud Connector Type step, perform one of the following options.
- Select a built-in Cloud Connector type.
- Click More to open the More Cloud Connectors window, where you can view all plug-in Cloud Connector types supported by McAfee Cloud SSO. Select one, then click OK.
To view a subset of built-in or plug-in Cloud Connector types, you can specify a string value in the Filter Cloud Connector Type field. Only Cloud Connector types containing the specified string are displayed. To view a subset of plug-in Cloud Connector types in the More Cloud Connectors window, you can click a category in the All Applications area. Cloud Connectors are grouped by the business purpose of the target application.
4 In the Cloud Connector Name field, specify a name that uniquely identifies the Cloud Connector in the McAfee Cloud SSO system.

5 Click Next.
6 In the Cloud Connector wizard: On the Identity Connector step, select an existing Identity Connector, or specify a new one.

Configure credential mapping

You configure credential mapping so that user attributes having one name in the authentication source can be mapped to user attributes having a different name in the target application. You specify the subject type and source. The subject is the user whose identity is authenticated. The subject type is the type of identity information. The subject source is a value that corresponds to the subject type. Not all credential mapping options are available or required for every Cloud Connector.
1 In the Management Console: In the Cloud Connector wizard, open the Credential Mapping step.
2 From the Subject Type drop-down list, select the type of identity information, then specify a value that corresponds to the subject type in the Subject Source field.

Table 6-5 Subject Type and Subject Source in credential mapping

CONSTANT
Type of identity information: Specifies a constant value. The value is mapped to the target application.
Subject Source: Type a constant value in the Subject Source field.

AUTHN_RESULT_FIELD
Type of identity information: Specifies an attribute output by the Identity Connector. The value of the attribute is mapped to the target application.
Subject Source: From the Subject Source drop-down list, select an attribute name.

EXPRESSION
Type of identity information: Specifies an expression. The result of the expression is mapped to the target application.
Subject Source: Type an expression in the Subject Source field.

For an Office365SAML Cloud Connector, the following selections are required:
Subject Type: AUTHN_RESULT_FIELD
Subject Source: objectguid
3 Specify values for the credential mapping options in the following table.

Table 6-6 Credential mapping option definitions

  Credential Mapping
    Click one or more of the following options:
      Add: Opens the New attribute mapping dialog box.
      Edit: Opens the Edit attribute mapping dialog box, where you can edit the selected attribute mapping.
      Remove: Removes the selected attribute mapping.

  New attribute mapping (Dialog box)
    Specify values for the following options, then click OK:
      Target name: Specifies the name of the attribute in the cloud application.
      Source type: From the drop-down list, select the type of identity information to map from the McAfee Cloud SSO source to the target application, then configure the source.
        CONSTANT: Specifies a constant value. The value is mapped to the target application.
        AUTHN_RESULT_FIELD: From the drop-down list, select an attribute name. The value of the attribute is mapped to the target application.
        EXPRESSION: Specifies an expression. The result of the expression is mapped to the target application.
      More options for attribute: When selected, allows you to configure more target-source attribute mappings.

  Office 365 (WS-Federation) credential mapping considerations
    To support credential mapping to an Office 365 application:
    In the Management Console, configure the Identity Connector as follows.
      1 Create an IWA-AD or LDAP Identity Connector.
      2 In the Option Configuration area, select an Active Directory identity store, which can be configured as an Active Directory or LDAP identity store in the Management Console.
      3 In the Output Attributes area, add the following attribute pairs:
        Target-Source: userprincipalname-userprincipalname
        Target-Source: objectguid-objectguid
    On the Credential Mapping step of the Cloud Connector wizard, configure the same attribute pairs.

  Office 365 SAML credential mapping considerations
    To support SAML credential mapping to an Office 365 application:
    In the Management Console, configure the Identity Connector as follows.
      1 Create an IWA-AD or LDAP Identity Connector.
      2 In the Option Configuration area, select an Active Directory identity store, which can be configured as an Active Directory or LDAP identity store in the Management Console.
      3 In the Output Attributes area, add the following attribute pair:
        Target-Source: IDP -userPrincipalName
    On the Credential Mapping step of the Cloud Connector wizard, configure the same attribute pair.
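The following Python script is an added example, not McAfee Cloud SSO code. It shows how the three Subject Type and Source type values resolve against the attributes an Identity Connector outputs, using the two Office 365 Target-Source pairs above as the worked case, and it also covers the CREDENTIAL_STORE source type that the generic Cloud Connector's Post Attribute Mapping step adds later in this chapter. The expression syntax (Python-style {field} placeholders over lower-cased attribute names), the sample authentication result, and the function names are assumptions made for the example; the guide does not define the product's expression language. The script refuses to produce a mapping when the source attribute is absent or empty, so a missing objectguid fails loudly instead of sending a blank subject that the target application might accept or match to the wrong account.

```python
"""Resolve credential-mapping source types into the attribute values sent to a
target application.  Added example, not McAfee Cloud SSO code."""


class MappingError(ValueError):
    """Raised when a Target-Source pair cannot be resolved.  Failing loudly is
    deliberate: a blank subject must never be sent to the target application."""


def _lowered(attrs):
    # Directory attribute names (userPrincipalName, objectGUID) are
    # case-insensitive, and the guide writes them in lower case.
    return {name.lower(): value for name, value in attrs.items()}


def resolve_source(source_type, source, authn_result, credential_store=None):
    """Return the value one Target-Source pair contributes.

    source_type is one of the Subject Type / Source type values from the guide:
    CONSTANT, AUTHN_RESULT_FIELD, EXPRESSION or (generic connector only)
    CREDENTIAL_STORE.  authn_result is the Identity Connector's output.
    """
    fields = _lowered(authn_result)
    if source_type == "CONSTANT":
        return source  # the literal typed into the Subject Source field
    if source_type == "AUTHN_RESULT_FIELD":
        value = fields.get(source.lower())
        if value in (None, ""):
            raise MappingError(f"attribute {source!r} missing from authentication result")
        return value
    if source_type == "EXPRESSION":
        # Assumed syntax for this example only: {placeholder} names are
        # lower-cased authentication-result attributes.
        try:
            return source.format(**fields)
        except (KeyError, IndexError) as exc:
            raise MappingError(f"expression {source!r} references unknown field {exc}") from exc
    if source_type == "CREDENTIAL_STORE":
        # A credential previously collected from the user and kept in the
        # connector's embedded credential store.
        if not credential_store or source not in credential_store:
            raise MappingError(f"no stored credential named {source!r}")
        return credential_store[source]
    raise MappingError(f"unknown source type {source_type!r}")


def resolve_mappings(mappings, authn_result, credential_store=None):
    """mappings: iterable of (target_name, source_type, source) tuples, as
    configured on the Credential Mapping or Post Attribute Mapping step.
    Returns {target_name: value}."""
    return {
        target: resolve_source(source_type, source, authn_result, credential_store)
        for target, source_type, source in mappings
    }


def office365_subject(authn_result):
    """The Office365SAML subject required by the guide: Subject Type
    AUTHN_RESULT_FIELD, Subject Source objectguid."""
    return resolve_source("AUTHN_RESULT_FIELD", "objectguid", authn_result)


# Constructed sample: what an IWA-AD Identity Connector could output for one
# user.  The GUID is a placeholder, not a real object identifier.
SAMPLE_AUTHN_RESULT = {
    "userPrincipalName": "jdoe@example.com",
    "objectGUID": "00000000-0000-0000-0000-PLACEHOLDER",
    "givenName": "Jane",
    "sn": "Doe",
}

# The two Target-Source pairs the guide requires for Office 365 (WS-Federation).
OFFICE365_MAPPINGS = [
    ("userprincipalname", "AUTHN_RESULT_FIELD", "userprincipalname"),
    ("objectguid", "AUTHN_RESULT_FIELD", "objectguid"),
]

# One mapping of each remaining source type, for illustration.
EXTRA_MAPPINGS = [
    ("tenant", "CONSTANT", "example-tenant"),
    ("displayName", "EXPRESSION", "{givenname} {sn}"),
]


if __name__ == "__main__":
    print(resolve_mappings(OFFICE365_MAPPINGS + EXTRA_MAPPINGS, SAMPLE_AUTHN_RESULT))
    print(office365_subject(SAMPLE_AUTHN_RESULT))
```

Run as a script it prints the resolved Office 365 attributes plus the constant and expression results. Because the same resolver serves the subject and every attribute mapping, one missing or empty directory attribute stops the whole mapping, which is the behaviour you want from an Identity Provider.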

Table 6-6 Credential mapping option definitions (continued)

  SharePoint credential mapping options
    New attribute mapping (Dialog box)
      Built-in target: When selected, allows you to select a target name from a list of built-in names. Example: CommonName
      Target namespace: Specifies the namespace in which the target name is defined. Example:

Configure a generic Cloud Connector

You can configure the generic Cloud Connector for any cloud application that runs on an HTTP server and supports form-based authentication, but is not included in the McAfee Cloud SSO application catalog. You configure the request message that McAfee Cloud SSO sends to the cloud application running on the HTTP server.

You also have the option of configuring a credential store. Credentials kept in the credential store, which is embedded in McAfee Cloud SSO, are easier and quicker to access than credentials kept in a separate identity store.

1 (Optional) In the Management Console: In the Cloud Connector wizard, open the Credential Store step and specify values for the options in the following table.

Table 6-7 Credential store option definitions

  Enable Credential Store: When selected, opens the options that allow you to configure the credential store.
  Query Index: From the drop-down list, select the attribute to use when looking up users in the user store.
  Sample Attributes: Adds sample user name and password attributes to the Credentials to Collect from User area.
  Credentials to Collect from User: Click one or more of the following options:
    Add: Opens the New attribute dialog box.
    Edit: Opens the Edit attribute dialog box, where you can edit the selected attribute.
    Remove: Removes the selected attribute from the Credentials to Collect from User area.

Table 6-7 Credential store option definitions (continued)

  New attribute (Dialog box)
    Specify values for the following options, then click OK:
      Attribute Type: From the drop-down list, select the type of credential to collect: a user name, a password, or another attribute type.
      Attribute Name: Specifies the name of the attribute in the user store.
      Prompt Message: Specifies the prompt to display on the login page when collecting this credential.
      Do not display this value in clear text: When selected, the value that the user enters on the login page is not displayed in clear text.

  Advanced Configuration
    To delete the credentials in the credential store, select this checkbox, then click Clean Credential Store. Each instance of a Cloud Connector has its own credential store.
    The following situations are examples of times when you might want to clear a credential store:
      To clear a test account before deploying the credential store in a production environment
      To reconfigure credential mapping from the directory to the credential store when the LDAP or AD schema changes
      To reconfigure the credential store when the target service changes the authentication method it requires
      To invalidate expired credentials
      To implement a new password policy

2 In the Management Console: In the Cloud Connector wizard, open the Post Configuration step and specify values for the request message options in the following table.

Table 6-8 Request message option definitions

  Http Method: From the drop-down list, select the type of message: GET or POST.
  Post URL: Specifies the URL of the target HTTP server.

Table 6-8 Request message option definitions (continued)

  Post Attribute Mapping: Click one or more of the following options:
    Add: Opens the New attribute mapping dialog box.
    Edit: Opens the Edit attribute mapping dialog box, where you can edit the selected attribute mapping.
    Remove: Removes the selected attribute mapping from the Post Attribute Mapping area.

  New attribute mapping (Dialog box)
    Specify values for the following options, then click OK:
      Target name: Specifies the name of the attribute in the cloud application.
      Source type: From the drop-down list, select the type of identity information to map from the McAfee Cloud SSO source to the target application, then configure the source.
        CONSTANT: Specifies a constant value. The value is mapped to the target application.
        AUTHN_RESULT_FIELD: From the drop-down list, select an attribute name. The value of the attribute is mapped to the target application.
        EXPRESSION: Specifies an expression. The result of the expression is mapped to the target application.
        CREDENTIAL_STORE: From the drop-down list, select a credential. The value of the credential is mapped to the target application.

Configure individual Cloud Connectors

Each Cloud Connector that is developed for an individual cloud application comes with many preconfigured options, greatly simplifying configuration in the Cloud Connector wizard.

1 In the Management Console: In the individual Cloud Connector wizard, open the Post Configuration step.

2 Provide values for the post configuration options in the following table.

Table 6-9 Individual Cloud Connector option definitions

  <cloud-connector-type> Domain: Specifies the name of your cloud application domain. Example: If your cloud application service URL is mydomain.cloudapp.com, then mydomain is the name of your cloud application domain.
  Query Index: From the drop-down list, select the attribute to use when looking up users in the user store.

Configuring SAML Cloud Connectors

McAfee Cloud SSO supports many cloud applications that use the SAML 2.0 protocol with individual SAML 2.0 Cloud Connectors. For cloud applications that use the SAML 1.1 or SAML 2.0 protocol, but are not included in the McAfee Cloud SSO application catalog, McAfee Cloud SSO provides generic SAML 1.1 and SAML 2.0 Cloud Connectors, respectively.

How SAML SSO and SLO work

SAML SSO and SLO can be initiated by McAfee Cloud SSO or the cloud application. When initiated by McAfee Cloud SSO, the SSO or SLO process is IdP-initiated. When initiated by the cloud application, the process is SP-initiated. In both cases, McAfee Cloud SSO is the Identity Provider that issues signed SAML assertions attesting to the user's identity.

McAfee Cloud SSO signs SAML assertions, requests, and responses with a key pair. The cloud application uses the public X.509 certificate of that key pair and the certificate issuer to verify the signature; the private key never leaves McAfee Cloud SSO. Likewise, McAfee Cloud SSO uses the X.509 certificate and certificate issuer URL provided by the cloud application to verify signed SAML assertions, requests, and responses coming from the application.

To distinguish between the following terms, think of them as the actions that McAfee Cloud SSO can take:
  Request Creation: McAfee Cloud SSO creates a request.
  Response Verification: McAfee Cloud SSO verifies a response.
  Request Verification: McAfee Cloud SSO verifies a request.
  Response Creation: McAfee Cloud SSO creates a response.

Table 6-10 Configuring IdP-initiated SAML SSO and SLO

  Request Creation (McAfee Cloud SSO creates a request)
    McAfee Cloud SSO creates a SAML SSO or SLO request. You configure the key pair that McAfee Cloud SSO uses to sign the request and the URL of the certificate issuer. The cloud application uses the signing key pair and certificate issuer URL to verify the SAML SSO or SLO request.

  Response Verification (McAfee Cloud SSO verifies a response)
    The cloud application creates a response to the SAML SSO or SLO request. You configure the X.509 certificate that the application uses to sign the response and the URL of the certificate issuer. McAfee Cloud SSO uses the X.509 certificate and certificate issuer URL to verify the response from the cloud application.

Table 6-11 Configuring SP-initiated SAML SSO and SLO

  Request Verification (McAfee Cloud SSO verifies a request)
    The cloud application creates a SAML SSO or SLO request. You configure the X.509 certificate that the application uses to sign the request and the URL of the certificate issuer. McAfee Cloud SSO uses the X.509 certificate and certificate issuer URL to verify the SAML SSO or SLO request.

  Response Creation (McAfee Cloud SSO creates a response)
    McAfee Cloud SSO creates a response to the SAML SSO or SLO request. You configure the key pair that McAfee Cloud SSO uses to sign the response and the URL of the certificate issuer. The cloud application uses the signing key pair and the certificate issuer URL to verify the response from McAfee Cloud SSO.

How X.509 certificates are managed for SAML SSO and SLO

The SAML protocol allows an Identity Provider, such as McAfee Cloud SSO, and a Service Provider, such as a SAML cloud application, to exchange information. The SAML parties use X.509 certificates to sign and verify SAML assertions, requests, and responses. X.509 certificate management tasks depend on whether SSO (and optionally SLO) is IdP-initiated, SP-initiated, or both.

Table 6-12 Certificate management tasks for SAML SSO and SLO

  IdP-initiated SSO
    Definition: The Identity Provider (McAfee Cloud SSO) initiates SSO.
    Certificate management tasks:
      1 Export the X.509 certificate in the Management Console.
      2 Import the X.509 certificate in your application administrator account.

  SP-initiated SSO
    Definition: The Service Provider (SAML cloud application) initiates SSO.
    Certificate management tasks:
      1 Export the X.509 certificate in your application administrator account.
      2 Import the X.509 certificate in the Management Console.

See also
  Managing X.509 certificates for SAML authentication on page 280

SAML Cloud Connectors and supported SSO processes

When you configure SSO to a SAML cloud application, you need the information in the following table to determine which certificate management tasks are required.

Table 6-13 SAML Cloud Connectors and supported SSO processes

  SAML Cloud Connector    IdP-initiated SSO    SP-initiated SSO
  ADP                     Not supported
  Agresso
  Apperian                Not supported
  BoxNet
  Clarizen
  Coupa                   Not supported
  EchoSign
  Egnyte
  Force.com
  Google
  GoToMeeting             Not supported
  GoToTraining            Not supported
  GoToWebinar             Not supported
  HostAnalytics           Not supported
  Jive
  LongJump                Not supported
  Marketo                 Not supported

Table 6-13 SAML Cloud Connectors and supported SSO processes (continued)

  SAML Cloud Connector    IdP-initiated SSO    SP-initiated SSO
  MindTouch               Not supported
  Office365SAML           Not supported
  Replicon                Not supported
  Salesforce
  SAML 1.1 Generic        Not supported
  SAML 2.0 Generic
  SAML 2.0 Proxy          Not supported
  SAP
  SAPCloud                Not supported
  ServiceNow
  ShareFile               Not supported
  SilkRoad
  SpringCM                Not supported
  SuccessFactors          Not supported
  SugarCRM                Not supported
  Syncplicity             Not supported
  VersionOneUltimate
  WebEx
  WebExConnect            Not supported
  YouTube
  Zendesk                 Not supported
  Zoho

Configure SAML SSO

Some SAML Cloud Connectors require configuration on the SAML SSO step.

1 In the Management Console: In the SAML Cloud Connector wizard, open the SAML SSO step.

2 Specify values for the SAML SSO options in the following table. Not all Cloud Connectors require every option.

Table 6-14 SAML SSO option definitions

  Upload Metadata: Opens the Import Metadata dialog box, where you can upload the SAML metadata file provided by the cloud application. The metadata is saved and automatically populates the fields in the SAML SSO window.
  Assertion Consumer Service: Specifies the URL and HTTP Binding type of one or more endpoints that consume the SAML assertions produced by McAfee Cloud SSO.
  Default SSO Location: From the drop-down list, select the default Assertion Consumer Service. This information is provided by the cloud application.

  SAML SSO options (IdP-initiated SSO)
    IdP-initiated SSO: When selected, opens the options for configuring IdP-initiated SSO.
    Relay State: Specifies the URL of the cloud application that the user is requesting.

  SAML SSO options (SP-initiated SSO)
    SP-initiated SSO: When selected, opens the options for configuring SP-initiated SSO.
    Cloud Issuer (Issuer): Specifies the URL of the Service Provider that issues the SAML SSO request. The Service Provider is the cloud application.
    SSO URL: Specifies the URL of the SSO service provided by McAfee Cloud SSO.
    Request Verification
      Signed Request: When selected, opens the options that allow you to configure how McAfee Cloud SSO verifies a SAML SSO request from the cloud application.
    Signature Keys
      X509 Certificate: From the drop-down list, select the X.509 certificate used by the cloud application to sign the SAML SSO request.

Configure a SAML assertion

Through SAML assertions, McAfee Cloud SSO can make statements about a subject or user's identity, attributes, and right to access an application.

1 In the Management Console: In the SAML Cloud Connector wizard, open the SAML Assertion step.

2 Specify values for the SAML assertion options in the following tables. Not all Cloud Connectors require every option. Some options are unique to a particular Cloud Connector.

Table 6-15 SAML assertion option definitions

  ACS URL: Specifies the URL of the Assertion Consumer Service used by the application to consume SAML assertions produced by McAfee Cloud SSO. Contact your application customer service representative for more information.
  Domain Name: Specifies the domain name of your application instance. Example: If your application instance is then My-Org is your domain name.
  Authentication Method: From the drop-down list, select the SAML authentication method type.
  Cloud Issuer URL (SP Issuer): Specifies the URL of the application that issues SAML authentication requests when SSO is SP-initiated.
  Conditions
    Add audience: Restricts the SAML assertion audience to the specified URLs. Example:
    Clock Skew: Specifies a value to use when calculating the SAML assertion's expiration time. This value is designed to offset small differences between clocks in different security domains. Default value: 20. Units: seconds.
    Lifetime: Specifies a lifetime value to use when calculating the SAML assertion's expiration time. When the expiration time is exceeded, the SAML assertion is invalidated by the assertion consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains. Default value: 60. Units: seconds.
  Confirmation method: From the drop-down list, select the SAML confirmation method identifier.
  NameID Format: From the drop-down list, select the SAML name identifier format.
  Put attributes in one statement: When selected, attributes are placed in a single statement in the SAML assertion. Default: Each attribute is placed in a separate statement.
  Relay State: Specifies the URL of the application that the end user is requesting. McAfee Cloud SSO redirects the user to this URL after the user is authenticated. SuccessFactors value: /sf/home?bplte_company=
  SAML Assertion Issuer: Specifies the URL of the McAfee Cloud SSO service that issues SAML assertions. Format: where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default:

Table 6-15 SAML assertion option definitions (continued)

  Sign SAML Assertion: Select one of the following options:
    Sign SAML Response: Specifies that McAfee Cloud SSO sign the entire SAML response that it generates.
    Sign SAML Assertion: Specifies that McAfee Cloud SSO sign just the assertion in the SAML response that it generates.
    For more information about this option, consult the cloud application vendor's SSO profile.
  Signature Keys: (IdP-initiated SSO) From the drop-down list, select the key pair used by McAfee Cloud SSO to sign SAML assertions, requests, and responses. The application uses this X.509 certificate to verify the signatures.
  Signature Method
    Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
    Canonicalization generation method: From the drop-down list, select C_25_N_EXCLUSIVE.
    KeyInfo Type: From the drop-down list, select one of the following options:
      RSA_KEY_VALUE: Specifies that the SAML assertion is signed by an RSA private key.
      X_509_DATA: Specifies that the SAML assertion is signed by a private key associated with an X.509 certificate.
  SLO URL: Specifies the URL of the application SLO endpoint.
  SPNameQualifier: Specifies the name of the Service Provider or application.
  X509 Certificate: (SP-initiated SSO) From the drop-down list, select the X.509 certificate used by the application to sign SAML requests and responses. McAfee Cloud SSO uses this certificate to verify the signatures.

  Google SAML assertion option definitions
    Sign-in page URL, Sign-out page URL: Copy these values and paste them in the corresponding fields in your Google administrator account.
      Format: package/<id-connector-name>/saml2/sso SLO/<cloud-connector-name>
      where
        <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed
        <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
        <id-connector-name> specifies the name of the Identity Connector you select when configuring the Google Cloud Connector
        <cloud-connector-name> specifies the name you assign the Google Cloud Connector
      When SSO and SLO are SP-initiated, Google requires the McAfee Cloud SSO SSO and SLO service URLs.
    IDP Initiated SSO: When selected, opens the options for configuring IdP-initiated SSO.

Table 6-15 SAML assertion option definitions (continued)

  Google SAML assertion option definitions (continued)
    Target Service: From the drop-down list, select a Google service. Example: Google Mail. When SSO is IdP-initiated, McAfee Cloud SSO requires the name of the Google service.

  Marketo SAML assertion option definitions
    Munchkin ID: Specifies the ID of your Marketo Munchkin account. To locate your Munchkin account ID, go to:
      Provide the logon credentials for your administrator account. Click the Admin tab. In the navigation tree, select Admin | Integration, then click Munchkin.

  Salesforce SAML assertion option definitions
    Identity Provider Login URL, Identity Provider Logout URL: Copy these values and paste them in the corresponding fields in your Salesforce administrator account.
      Format: package/<id-connector-name>/saml2/sso SLO/<cloud-connector-name>
      where
        <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed
        <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
        <id-connector-name> specifies the name of the Identity Connector you select when configuring the Salesforce Cloud Connector
        <cloud-connector-name> specifies the name you assign the Salesforce Cloud Connector
      When SSO and SLO are SP-initiated, Salesforce requires the McAfee Cloud SSO SSO and SLO service URLs.
    Login URL, Logout URL: Copy these values from your Salesforce account and paste them in the corresponding fields on the SAML Assertion step of the Cloud Connector wizard. When SSO and SLO are IdP-initiated, McAfee Cloud SSO requires the Salesforce login and logout URLs.

  SuccessFactors SAML assertion option definitions
    SuccessFactors Company ID: Specifies the ID assigned to your organization by SuccessFactors. Example: If the URL of your SuccessFactors instance is My-Org.successfactors.com/companyid=ABCDE123, then ABCDE123 is your SuccessFactors Company ID.

  SugarCRM SAML assertion option definitions
    SugarCRM Instance URL: Specifies the URL of the Assertion Consumer Service provided by SugarCRM.
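The following Python script is an added example, not McAfee Cloud SSO code. It shows where the Add audience, Clock Skew and Lifetime values of Table 6-15 end up in an assertion and what the assertion consumer does with them: it builds a <saml:Conditions> element from an issue instant using the defaults of 20 and 60 seconds, then checks it the way a Service Provider would, rejecting an assertion that is presented after NotOnOrAfter, before NotBefore, or to an audience it was not issued for. The entity IDs, the timestamps and the exact way skew and lifetime combine into NotBefore and NotOnOrAfter are assumptions made for the example; the guide states only that both values feed the expiration time.

```python
"""Build and check the <saml:Conditions> element controlled by the Add audience,
Clock Skew and Lifetime options.  Added example, not McAfee Cloud SSO code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Default values from Table 6-15.
DEFAULT_CLOCK_SKEW = 20   # seconds
DEFAULT_LIFETIME = 60     # seconds

_FMT = "%Y-%m-%dT%H:%M:%SZ"   # SAML timestamps are UTC, e.g. 2013-01-01T00:00:00Z


def _parse(ts):
    return datetime.strptime(ts, _FMT).replace(tzinfo=timezone.utc)


def _fmt(dt):
    return dt.strftime(_FMT)


def build_conditions(issue_instant, audiences, clock_skew=DEFAULT_CLOCK_SKEW,
                     lifetime=DEFAULT_LIFETIME):
    """Identity Provider side.

    Assumption for this example (the guide only says both values feed the
    expiration time): the skew widens the validity window at both ends, so
    NotBefore = IssueInstant - skew and NotOnOrAfter = IssueInstant + lifetime + skew.
    Returns the serialized <saml:Conditions> element.
    """
    issued = _parse(issue_instant)
    conditions = ET.Element(f"{{{SAML_NS}}}Conditions", {
        "NotBefore": _fmt(issued - timedelta(seconds=clock_skew)),
        "NotOnOrAfter": _fmt(issued + timedelta(seconds=lifetime + clock_skew)),
    })
    # Add audience: one <Audience> per URL; the consumer must find itself here.
    restriction = ET.SubElement(conditions, f"{{{SAML_NS}}}AudienceRestriction")
    for audience in audiences:
        ET.SubElement(restriction, f"{{{SAML_NS}}}Audience").text = audience
    return ET.tostring(conditions, encoding="unicode")


def validate_conditions(conditions_xml, my_entity_id, now):
    """Assertion consumer (Service Provider) side.

    Applies the checks the guide attributes to the consumer: the assertion is
    invalid once NotOnOrAfter is reached (strict comparison, as the attribute
    name says), not yet valid before NotBefore, and rejected when the consumer's
    own entity ID is not among the audiences.  Returns (ok, reason).
    """
    conditions = ET.fromstring(conditions_xml)
    current = _parse(now)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and current < _parse(not_before):
        return False, "not yet valid"
    if not_on_or_after and current >= _parse(not_on_or_after):
        return False, "expired"
    audiences = [a.text for a in conditions.iter(f"{{{SAML_NS}}}Audience")]
    if my_entity_id not in audiences:
        return False, "audience mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an assertion issued at a fixed instant for one SP.
    xml = build_conditions("2013-01-01T00:00:00Z", ["https://sp.example.com/saml"])
    print(xml)
    for when in ("2012-12-31T23:59:30Z", "2013-01-01T00:01:10Z", "2013-01-01T00:01:20Z"):
        print(when, validate_conditions(xml, "https://sp.example.com/saml", when))
```

With the defaults, an assertion issued at 00:00:00 is accepted from 23:59:40 up to, but not including, 00:01:20. A lifetime generous enough to absorb transmission latency, as the Lifetime definition advises, also widens the window in which a captured assertion could be replayed, so keep both values as small as the deployment tolerates and make sure the consumer's audience check is in place.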

SAML assertion reference

When you are configuring the SAML assertion options, you might want to consult the OASIS SAML 2.0 specification. To locate more information in the specification about specific options, see the following instructions.

Table 6-16 SAML assertion reference

  Authentication Method
    1 Open the .pdf file Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 by clicking the link:
    2 Look for the section Schemas.
  Confirmation Method
    1 Open the .pdf file Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 by clicking the link:
    2 Look for the section Confirmation Method Identifiers.
  NameID Format
    1 Open the .pdf file Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 by clicking the link:
    2 Look for the section Name Identifier Format Identifiers.

Configure SAML SLO

Generic SAML 2.0 Cloud Connectors require configuration on the SAML SLO step.

1 In the Management Console: In the SAML Cloud Connector wizard, open the SAML SLO step.

2 Specify values for the SAML SLO options in the following table. Not all Cloud Connectors require every option.

Table 6-17 SAML SLO option definitions

  SAML Single Logout: When selected, opens the options for configuring SLO.
  IDP Initiated SLO: When selected, opens the options for configuring IdP-initiated SLO.
  SP Initiated SLO: When selected, opens the options for configuring SP-initiated SLO.
  Binding: From the drop-down list, select one of the following HTTP binding types: HTTP_POST, HTTP_REDIRECT.
  Location: Specifies the URL of the cloud application's SLO service.

  IdP-initiated SLO Request Creation options
    Request Creation: When selected, opens the options that allow you to configure how McAfee Cloud SSO creates a SAML SLO request.
    Issuer: Specifies the URL of the Identity Provider that issues the SAML SLO request. McAfee Cloud SSO is the Identity Provider.

Table 6-17 SAML SLO option definitions (continued)

  IdP-initiated SLO Request Creation options (continued)
    Signature: Select this checkbox to configure how McAfee Cloud SSO signs the SAML SLO request, then select an option:
      XML Signature: Specifies that McAfee Cloud SSO sign the SAML SLO request with an XML signature.
      SAML Binding Signature: Specifies that McAfee Cloud SSO sign the SAML SLO request with a SAML binding signature.
    Signature Keys: From the drop-down list, select the key pair used by McAfee Cloud SSO to sign the SAML SLO request. The cloud application uses this certificate and the certificate issuer URL to verify the signatures.
    Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
    Canonicalization generation method: From the drop-down list, select C_25_N_EXCLUSIVE.
    KeyInfo Type: From the drop-down list, select one of the following options:
      RSA_KEY_VALUE: Specifies that the SAML SLO request is signed by an RSA private key.
      X_509_DATA: Specifies that the SAML SLO request is signed by a private key associated with an X.509 certificate.

  IdP-initiated SLO Response Verification options
    Response Verification: When selected, opens the options that allow you to configure how McAfee Cloud SSO verifies a SAML SLO response from the cloud application.
    Cloud Issuer: Specifies the URL of the Service Provider that issues the SAML SLO response. The cloud application is the Service Provider.
    Signature Verification: When selected, allows you to configure the X.509 certificate used by the cloud application.
    X509 Certificate: From the drop-down list, select the X.509 certificate used by the cloud application to sign the SAML SLO response.

  SP-initiated SLO Request Verification options
    Request Verification: When selected, opens the options that allow you to configure how McAfee Cloud SSO verifies a SAML SLO request from the cloud application.
    Cloud Issuer: Specifies the URL of the Service Provider that issues the SAML SLO request. The cloud application is the Service Provider.
    Signature Verification: When selected, allows you to configure the X.509 certificate used by the cloud application.
    X509 Certificate: From the drop-down list, select the X.509 certificate used by the cloud application to sign the SAML SLO request.

  SP-initiated SLO Response Creation options
    Response Creation: When selected, opens the options that allow you to configure how McAfee Cloud SSO creates a response to the SAML SLO request.
    Issuer: Specifies the URL of the Identity Provider that issues the SAML SLO response. McAfee Cloud SSO is the Identity Provider.
    Destination (Optional): Specifies the URL of the page to which the user is redirected when logged off.

Table 6-17 SAML SLO option definitions (continued)

  SP-initiated SLO Response Creation options (continued)
    Signature: Select this checkbox to configure how McAfee Cloud SSO signs the SAML SLO response, then select an option:
      XML Signature: Specifies that McAfee Cloud SSO sign the SAML SLO response with an XML signature.
      SAML Binding Signature: Specifies that McAfee Cloud SSO sign the SAML SLO response with a SAML binding signature.
    Signature Keys: From the drop-down list, select the key pair used by McAfee Cloud SSO to sign the SAML SLO response. The cloud application uses this certificate and the certificate issuer URL to verify the signature.
    Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
    Canonicalization generation method: From the drop-down list, select C_25_N_EXCLUSIVE.
    KeyInfo Type: From the drop-down list, select one of the following options:
      RSA_KEY_VALUE: Specifies that the SAML SLO response is signed by an RSA private key.
      X_509_DATA: Specifies that the SAML SLO response is signed by a private key associated with an X.509 certificate.

Configuring SSO in your application administrator account

Enabling SSO to some cloud applications requires configuration in your application administrator account in addition to the Management Console. Sometimes the Cloud Connector cannot be configured without values available in the application account, and SSO in the application account cannot be configured without values in the Management Console. In this case, you can configure the Cloud Connector and the application account in parallel.

Configuring SSO in Apperian

Contact your Apperian account representative for assistance and instructions.

Configuring SSO in BoxNet

Your BoxNet account representative configures an administrator account for you. Contact your BoxNet representative and provide the following information:
  SAML Certificate: Specifies the X.509 certificate provided by McAfee Cloud SSO.
  SSO URL: Specifies the URL of the McAfee Cloud SSO SSO service accessed by the end user. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the BoxNet Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.
  Issuer ID: Specifies the URL of the McAfee Cloud SSO service that issues SAML assertions.

Configure SSO in your Citrix account

Enabling SSO to a Citrix application requires configuration in your Citrix administrator account. Citrix applications include GoToMeeting, GoToTraining, and GoToWebinar.

Not all Citrix accounts support SAML 2.0. Contact your Citrix Online customer service representative to see if your account supports SAML 2.0.

1 To access the SAML settings for your Citrix administrator account, go to the following URL:

2 Provide the logon credentials for your administrator account.

3 On the Set up SAML 2.0 single sign-on (SSO) page, select the Configure manually option, then upload the X.509 certificate file provided by McAfee Cloud SSO.

4 Click Save.

Configure SSO in your Clarizen account

Enabling SSO to a Clarizen application requires configuration in your Clarizen administrator account.

1 To access the Clarizen administration page, go to the following URL:

2 Provide the logon credentials for your administrator account.

3 From the logon name drop-down list, select Settings.

4 On the Settings page, click the Global Settings tab.

5 In the Global Settings tab, click the Federated Authentication tab.

6 In the Federated Authentication tab, configure the following options.
  a Select the Enable Federated Authentication checkbox.
  b Click Upload and upload the certificate provided by McAfee Cloud SSO. This is the Identity Provider certificate.
  c Paste the URL of the McAfee Cloud SSO single sign-on service accessed by Clarizen in the Sign-in URL field. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Clarizen Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL. Clarizen uses this value when initiating SSO.

7 Save the options.

Configure SSO in your Coupa account

Enabling SSO to a Coupa application requires configuration in your Coupa administrator account.

1 Log on to your Coupa administrator account.

2 Select Setup | Company Setup | Security Controls.

3 Scroll to the bottom of the page and provide values for the following fields:
  a Select the Log in using SAML checkbox.
  b Paste the URL that Coupa uses to access the McAfee Cloud SSO SSO service in the Login page URL and Timeout URL fields.
  c Paste the URL that Coupa uses to access the McAfee Cloud SSO SLO service in the Logout page URL field.
  d Upload the X.509 certificate provided by McAfee Cloud SSO.
  e Click Save.
  To locate the McAfee Cloud SSO SSO and SLO service URLs, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Coupa Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs. Coupa uses these values when initiating SSO and SLO.
4 In your Coupa administrator account, select Setup | Users | Edit Users.
5 Verify that the Single Sign-On ID field is set to the email address that is passed from McAfee Cloud SSO to Coupa in the NameID element of the SAML assertion.

Configure SSO in your EchoSign account

Enabling SSO to an EchoSign application requires configuration in your EchoSign administrator account.

1 Log on to your EchoSign administrator account.
2 Select Account | Account Settings | SAML Settings.
3 Select one of the following SAML Mode options:
  SAML Allowed: Specifies that users can continue using their EchoSign credentials while using SAML.
  SAML Mandatory: Specifies that users cannot continue using their EchoSign credentials while using SAML.
4 In the Identity Provider (IdP) Configuration area, configure the options in the following table.

Table 6-18 IdP-initiated SSO option definitions for your EchoSign account
  IdP Entity ID: Specifies the URL of the McAfee Cloud SSO service that issues SAML assertions.
  IdP Login URL: Specifies the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated.
  IdP Logout URL: Specifies the McAfee Cloud SSO SLO service URL accessed by the end user when SLO is IdP-initiated. EchoSign requires the SLO service URL even though IdP-initiated SLO is not supported.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the EchoSign Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service and SLO Service URLs.

5 In the IdP Certificate field, copy and paste the contents of the X.509 certificate file obtained from McAfee Cloud SSO.
6 Click Save Changes.

Configure SSO in your Google account

Enabling SSO to a Google application requires configuration in your Google administrator account.

Before you begin
For information about creating a Google administrator account, visit:

1 Log on to your Google administrator account.
2 On the dashboard, click Domain Settings.
3 On the domain settings page, click the User settings tab.
4 Select the Enable provisioning API checkbox.
5 Click Set up single sign-on (SSO).
6 Configure the options in the following table.

Table 6-19 SSO and SLO option definitions for your Google account
  Enable Single Sign-on: Select this checkbox. When selected, enables SSO to your Google application.
  Sign-in page URL: Specifies the URL of the McAfee Cloud SSO SSO service used by Google when initiating SSO.
  Sign-out page URL: Specifies the URL of the McAfee Cloud SSO SLO service used by Google when initiating SLO.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Google Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs.
  Change password URL: Specifies the URL of the page where end users can change their passwords.
  Verification certificate: Specifies the X.509 certificate file provided by McAfee Cloud SSO.
  Use a domain specific issuer: Select this checkbox. When selected, Google sends SAML requests that include a domain specific issuer. When deselected, Google sends SAML requests that include a standard issuer. Standard issuer: google.com. Domain specific issuer: google.com/a/<mydomain.com>
  Save Changes: When clicked, saves the SSO options.

Tasks
  Set up Google Apps subdomains for McAfee Cloud SSO on page 155: A single McAfee Cloud SSO instance can support multiple Google Apps subdomains, when each subdomain is registered in a separate Google Apps account.

Set up Google Apps subdomains for McAfee Cloud SSO

A single McAfee Cloud SSO instance can support multiple Google Apps subdomains, when each subdomain is registered in a separate Google Apps account.

Before you begin
For more information about setting up domains, open the Google Apps Basic Guide to DNS at the following location:

1 Purchase a domain and create subdomains under the domain.
2 Create a Google Apps account for each subdomain and register the subdomains in their respective accounts.
3 For each subdomain, create a Google Apps Cloud Connector in the McAfee Cloud SSO Management Console.

Configuring SSO in HostAnalytics

Your HostAnalytics account representative configures an administrator account for you. Contact your HostAnalytics representative and provide the following information:

SAML Certificate: Specifies the X.509 certificate provided by McAfee Cloud SSO.

SSO URL: Specifies the URL of the McAfee Cloud SSO SSO service accessed by the end user. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the HostAnalytics Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.

Issuer ID: Specifies the URL of the McAfee Cloud SSO service that issues SAML assertions.

Configure SSO in your Jive account

Enabling SSO to a Jive application requires configuration in your Jive administrator account.

1 Log on to your Jive administrator account.
2 Select People | Settings | Single Sign On.
3 On the Single Sign On Settings page, click the SAML tab, then click the General tab.
4 Click Edit Metadata, paste the contents of the SAML metadata file provided by McAfee Cloud SSO in the field provided, then click Save Settings to load the data. Loading the metadata populates the General tab with a list of McAfee Cloud SSO attributes available for user attribute mapping.

5 In the User Attribute Mapping area, for each user attribute you want mapped from McAfee Cloud SSO to Jive:
  a Type the name of the attribute in your Jive profile in the corresponding field in the Attribute Name column.
  b Select the corresponding checkbox in the Federated column.
6 Click Save Settings.

You can use the options on the Advanced tab to refine and troubleshoot the SAML integration.

Sample SAML metadata file for SSO to a Jive application

The following XML code is an example of the SAML metadata you can use when configuring SSO in your Jive administrator account. Deployment-specific values (the entity ID, the service locations, the validUntil date, the certificate serial number, and the certificate itself) are shown as placeholders.

  <?xml version="1.0" encoding="utf-8"?>
  <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
      entityID="<MCSSO-SAML-Assertion-Issuer-URL>"
      validUntil="<YYYY-MM-DD>T02:55:03.831Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=ECA360SSO,OU=SSG,O=Intel,L=Shanghai,S=China,C=CN</ds:X509IssuerName>
              <ds:X509SerialNumber>...</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
            <ds:X509Certificate>...</ds:X509Certificate>
            <ds:X509SubjectName>CN=ECA360SSO,OU=SSG,O=Intel,L=Shanghai,S=China,C=CN</ds:X509SubjectName>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="<MCSSO-SLO-Service-URL-for-JiveConnector>"/>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="<MCSSO-SSO-Service-URL-for-JiveConnector>"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>

Configure SSO in your LongJump account

Enabling SSO to a LongJump application requires configuration in your LongJump administrator account.

1 Log on to your LongJump administrator account.
2 Select Settings | Administration | Single Sign-On.

3 Click Edit to activate the options.
4 In the Single Sign-On Settings area: From the Sign-On Using drop-down list, select SAML.
5 In the Developer Configuration area, configure the following options.
  a From the SAML Version drop-down list, select 2.0.
  b In the Issuer field, specify the URL of the McAfee Cloud SSO service that issues SAML assertions.
  c From the User Id Type drop-down list, select LongJump User Id.
  d From the User Id Location drop-down list, select Subject.
  e In the SAML Third party authentication URL field, specify the URL of the McAfee Cloud SSO SSO service used by LongJump when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the LongJump Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
  f Copy the contents of the X.509 certificate file provided by McAfee Cloud SSO, and paste them in the Paste Issuer Certificate field.
  g Click Save.

Configure SSO in your Marketo account

Enabling SSO to a Marketo application requires configuration in your Marketo administrator account.

1 To access the Marketo administration page, go to the following URL:
2 Provide the logon credentials for your administrator account.
3 Click Admin.
4 In the navigation tree, select Admin | Integration, then click Single Sign-On.
5 On the SSO Settings page: In the SAML Settings area, select the Edit option.

6 In the Edit SAML Settings dialog box, provide values for the following options.

Table 6-20 SSO option definitions for your Marketo account
  SAML Single Sign-On: From the drop-down list, select Enabled.
  Issuer ID: Specifies the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
  Entity ID: Specifies the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Marketo Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.
  User ID Location: Select the In Name identifier element of Subject option.
  Name Id Format: Displays the format of the SAML name identifier.
  Identity Provider Certificate: Specifies the X.509 certificate provided by McAfee Cloud SSO.

7 Click Save.

Configuring SSO in your MindTouch account

Contact your MindTouch account representative to exchange metadata. Your representative enables SSO in your MindTouch account for you.

Configure SAML SSO in your Office 365 account

Enabling SAML SSO to an Office 365 application requires configuration in your Office 365 administrator account.

1 Purchase a domain, add the domain to your Office 365 account, and verify it. Example: abc.com
2 Using Microsoft's DirSync tool, populate your Office 365 account with the users in your Active Directory account.
3 In your Office 365 account, assign licenses to and activate users.
4 To enable SAML SSO in your Office 365 account, download Windows Azure Active Directory Module for Windows Powershell (64-bit version) and install Windows Powershell on your system.
5 At the Powershell command prompt, enter the following command, then provide your Office 365 administrator account credentials:
  $cred = Get-Credential
6 At the Powershell command prompt, enter the command:
  Connect-MsolService -Credential $cred

7 At the Powershell command prompt, specify the environment variables, as follows:
  $dom=<verified-domain-name>, where <verified-domain-name> specifies the name of your verified domain.
  $url=<MCSSO-SSO-Service-URL>, where <MCSSO-SSO-Service-URL> specifies the URL of the SSO service provided by McAfee Cloud SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Office 365 SAML Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
  $uri=<MCSSO-SAML-Assertion-Issuer-URL>, where <MCSSO-SAML-Assertion-Issuer-URL> specifies the URL of the McAfee Cloud SSO service that issues SAML assertions.
  $logouturl=<Logout-URL>, where <Logout-URL> specifies the location to which users are redirected when they log out.
  $cert=<X509-certificate-contents>, where <X509-certificate-contents> specifies the contents of the X.509 certificate used by McAfee Cloud SSO. The contents must not include a line break.
8 At the Powershell prompt, set up a trust relationship between McAfee Cloud SSO and Office 365, as follows:
  Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $dom -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
  If the Powershell command prompt appears without any errors after this command is run, federation between McAfee Cloud SSO and Office 365 is successfully configured.

Configure SSO in your Replicon account

Enabling SSO to a Replicon application requires configuration in your Replicon administrator account.

1 Log on to your Replicon administrator account.
2 On the menu bar at the top of the page, click Administration.
3 Select System | System Preferences | Security.
4 Enable SAML authentication. Replicon supports the SAML 1.1 standard.
5 Upload the X.509 certificate provided by McAfee Cloud SSO.
6 Specify the URL of the McAfee Cloud SSO SSO service used by Replicon when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Replicon Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
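Added example (not part of the McAfee guide or its software): Python that reads IdP metadata of the shape shown in the Jive sample above and derives the values the connector procedures in this chapter ask for, namely the issuer URL, the HTTP-POST SSO and SLO service locations, the signing certificate as a single base64 line (the form the Office 365 $cert variable requires) and its SHA1 fingerprint in the format openssl prints (the Zendesk Certificate fingerprint field later in this chapter). The sample hostname, date and certificate bytes are constructed, and the validUntil expiry check is an addition the guide does not describe.

```python
# Added example: derive connector settings from SAML 2.0 IdP metadata.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS, "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata shaped like the Jive sample in this chapter. The
# hostname and date are made up, and the "certificate" is merely base64 of the
# bytes b"abc" (not a real X.509 structure), so SHA1("abc") is its fingerprint.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.com/saml/issuer" validUntil="2099-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          YWJj
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed .crt export carrying the same fake body.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def certificate_body(pem_or_b64):
    """Base64 body as one line, PEM armour and line breaks removed: the form
    the Office 365 $cert variable requires."""
    lines = (ln.strip() for ln in pem_or_b64.strip().splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def fingerprint_sha1(cert):
    """SHA1 over the DER bytes, formatted the way 'openssl x509 -sha1 -noout
    -fingerprint' prints it (Zendesk's Certificate fingerprint field)."""
    der = base64.b64decode(certificate_body(cert))
    return ":".join("%02X" % b for b in hashlib.sha1(der).digest())


def _parse_utc(stamp):
    """validUntil is an xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised validUntil value: %r" % stamp)


def parse_idp_metadata(xml_text):
    """Return entityID, validUntil, SSO/SLO endpoints keyed by binding, NameID
    formats and signing certificates from an IdP EntityDescriptor."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(certificate_body(c.text or ""))
    valid_until = root.get("validUntil")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": _parse_utc(valid_until) if valid_until else None,
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def metadata_expired(meta, now=None):
    """True once validUntil has passed; metadata without validUntil never expires."""
    if meta["valid_until"] is None:
        return False
    return (now or datetime.now(timezone.utc)) >= meta["valid_until"]
```

The "sso" and "slo" dictionaries are keyed by binding so a connector that expects HTTP-POST (as the SAPCloud and WebEx procedures do) can be given exactly that endpoint.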

Configure SSO in your Salesforce account

Enabling SSO to a Salesforce application requires configuration in your Salesforce administrator account.

1 Log on to your Salesforce administrator account.
2 From the drop-down list beside your name, select Setup.
3 In the navigation pane: Under Administration Setup, click Security Controls, then click Single Sign-On Settings.
4 To open the Single Sign-On Settings dialog box, click Edit.
5 To expand the dialog box, select the SAML Enabled checkbox.
6 In the Single Sign-On Settings dialog box, complete the following options.

Table 6-21 SSO option definitions for your Salesforce account
  SAML Version: From the drop-down list, select 2.0.
  Issuer: Specifies the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
  Identity Provider Login URL: Specifies the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated.
  Identity Provider Logout URL: Specifies the McAfee Cloud SSO SLO service URL accessed by the end user when SLO is IdP-initiated.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Salesforce Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service and SLO Service URLs.
  Identity Provider Certificate: Specifies the X.509 certificate provided by McAfee Cloud SSO.
  SAML User ID Type: Select the Assertion contains the Federation ID from the User object option.
  SAML User ID Location: Select the User ID is in an Attribute element option.
  Attribute Name: Specify the mail attribute.
  Save: When clicked, saves the SSO configuration.

Configuring SSO in SAP

Contact your SAP account representative to exchange metadata. Your representative enables SSO in your SAP account for you.

Configure SSO in your SAPCloud account

You enable SSO in your SAPCloud account, so that McAfee Cloud SSO can provide SSO services for SAPCloud users.

1 Log on to your SAPCloud administrator account.
2 Click Trust, click the Local Service Provider tab, then click Edit.

3 Configure the following options for the local Service Provider, then click Save.

Table 6-22 Local Service Provider option definitions
  Configuration Type: From the drop-down list, select Custom.
  Local Provider Name: Value:
  Signing Key and Signing Certificate: To create a new signing key and certificate pair, click Generate Key Pair.
  Principal Propagation: From the drop-down list, select Enabled.
  Get Metadata: When clicked, downloads the SAPCloud SAML metadata.

4 Click the Trusted Identity Provider tab, then select the McAfee Cloud SSO identity service as the trusted Identity Provider.
5 Configure the following options for the trusted Identity Provider.

Table 6-23 Trusted Identity Provider option definitions
  Name: Specifies the McAfee Cloud SSO SAML assertion issuer URL.
  Assertion Consumer Service: From the drop-down list, select Application Root (default).
  Single Sign-on URL: Specifies the URL of the McAfee Cloud SSO SSO service.
  Single Logout URL: Specifies the URL of the McAfee Cloud SSO SLO service.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the SAPCloud Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs. SAPCloud uses these values when initiating SSO and SLO.
  Single Sign-on Binding: From the drop-down list, select HTTP-POST.
  Single Logout Binding: From the drop-down list, select HTTP-POST.
  Signature Algorithm: From the drop-down list, select SHA-1.
  Signing Certificate: Copy the contents of the McAfee Cloud SSO X.509 certificate and paste them in this field.
  User ID Source: From the drop-down list, select subject.

Configure SSO in your ServiceNow account

Enabling SSO to a ServiceNow application requires configuration in your ServiceNow administrator account.

1 Open your ServiceNow administrator account.
2 Navigate to the SAML 2 Single Sign-on Properties page.
3 To enable SAML SSO, select the Enable external authentication checkbox.

4 In the base URL to the Identity Provider's AuthnRequest service field, specify the URL of the McAfee Cloud SSO SSO service used by ServiceNow when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the ServiceNow Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
5 In the base URL to the Identity Provider's SingleLogoutRequest service field, specify the URL of the McAfee Cloud SSO SLO service used by ServiceNow when initiating SLO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the ServiceNow Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SLO Service URL.
6 In the When SAML 2.0 single sign-on fails... redirect to this URL field, specify the URL of the McAfee Cloud SSO SLO service used by ServiceNow when initiating SLO.
7 In the URL to the Service-now instance (usually this instance) field, specify the URL of your ServiceNow instance, as follows: Format: Example:
8 In the The entity identification, or the issuer field, specify the URL of your ServiceNow instance.
9 In the User table field to match with the Subject's NameID element in the SAMLResponse field, specify email.
10 In the The NameID policy to use for returning the Subject's NameID in the SAMLResponse field, specify the following string value: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
11 To Turn on debug logging for SAML 2.0 Authentication, select the Yes checkbox.

Configure SSO in your ShareFile account

Enabling SSO to a ShareFile application requires configuration in your ShareFile administrator account.

1 Log on to your ShareFile administrator account.
2 Select Admin | Configure Single Sign-On.
3 Select the Enable SAML checkbox.
4 In the Entity ID field, specify the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
5 Next to Certificate, click Change.
6 In the dialog box that opens, paste the contents of the X.509 certificate file provided by McAfee Cloud SSO.
7 In the Login URL field, specify the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the ShareFile Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.
8 Click Save Settings.

Configuring SSO in SilkRoad

Your SilkRoad account representative configures an administrator account for you. Contact your SilkRoad representative and provide the following information:

X.509 Certificate: Specifies the X.509 certificate exported in the Management Console.

Sign-in Page URL: Specifies the URL of the McAfee Cloud SSO SSO service used by SilkRoad when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the SilkRoad Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.

Configuring SSO in SuccessFactors

Your SuccessFactors account representative configures an administrator account for you. Contact your SuccessFactors representative and provide the following information:

Sign In Page URL: Specifies the URL of the McAfee Cloud SSO SSO service accessed by SuccessFactors when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the SuccessFactors Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.

Identity Issuer: Specifies the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.

Request the following information from your SuccessFactors representative. You need this information when configuring the SuccessFactors Cloud Connector in the Management Console.

SuccessFactors Domain Name: Specifies the domain name of your application instance.

SuccessFactors Company ID: Specifies the ID assigned to your organization by SuccessFactors.

Configure SSO in your SugarCRM account

Enabling SSO to a SugarCRM application requires configuration in your SugarCRM administrator account.

1 Open Sugar to the Administration Home page.
2 In the Users sub-panel, click Password Management.
3 On the Password Management page: In the SAML Authentication area, select the Enable SAML Authentication checkbox.
4 In the X509 Certificate field, paste the contents of the X.509 certificate file provided by McAfee Cloud SSO.
5 Click Save.

Configure SSO in your Syncplicity account

Enabling SSO to a Syncplicity application requires configuration in your Syncplicity administrator account.

1 Log on to your Syncplicity administrator account.
2 Click Configure Authentication Settings.
3 In the Custom Domain field, type the name of your Syncplicity domain.
4 For Single Sign-On Status, select the Enabled option.
5 In the Entity Id field, specify the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
6 In the Sign-in page URL field, specify the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Syncplicity Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.
7 Click Choose File to select and upload the X.509 certificate file provided by McAfee Cloud SSO.
8 Click Save Changes.

Configuring SSO in VersionOneUltimate

Contact your VersionOneUltimate representative for assistance and instructions.

Configuring SSO in WebEx

Configuring SSO in WebEx involves three tasks: configuring SSO in your WebEx administrator account, installing the WebEx Connect client, and configuring federated web SSO using the WebEx Connect Administration Tool.

Configure SSO in your WebEx account

Enabling SSO to a WebEx application requires configuration in your WebEx administrator account.

Before you begin
For more information, consult the Cisco WebEx Site Administration Guide at the following location: webex_siteadmin/wx_siteadmin_wbs27_sp10_.pdf

1 Open the WebEx Site Administration page.
2 Provide the logon credentials for your WebEx administrator account.
3 In the navigation tree: Under Manage Site, click SSO Configuration.

4 On the SSO Configuration page, specify the following options.
  a From the Federation Protocol drop-down list, select SAML 2.0.
  b For the SSO Profile, specify the following options:
    1 Select the SP Initiated option.
    2 Select the AuthnRequest Signed checkbox.
    3 In the Destination field, specify the URL of the McAfee Cloud SSO SSO service used by WebEx when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the WebEx Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
  c In the WebEx SAML Issuer (SP ID) field, specify the URL of the X.509 certificate issuer used by WebEx. Example:
  d In the Issuer for SAML (IdP ID) field, specify the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
  e In the Customer SSO Service Login URL field, specify the URL of the McAfee Cloud SSO SSO service used by WebEx when initiating SSO. This value is the same as the value specified in the Destination field of the SSO Profile section.
  f In the AuthnContextClassRef field, specify the SAML authentication method. Example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Install and enable the WebEx Connect client on Windows

The WebEx Connect solution includes client software that you download and install locally on your computer. To obtain the installer and an account, contact your WebEx Connect account representative.

1 On Windows: Open a command prompt and go to the directory where the installer is located.
2 To start the installer, enter the following command: Connect.exe. The installation package and run-time executable are both named Connect.exe.
3 To enable the run-time executable, enter the following command: Connect.exe /sso_org <org_domain_name>. Example: Connect.exe /sso_org Example.com
4 In the WebEx Connect client interface, select File | Change Connection Settings, then set Login Server to the following value: <hostname>.webexconnect.com. Replace <hostname> with the name of the server where WebEx Connect is running. This information is available from your WebEx Connect representative.
5 In the WebEx Connect installation directory, locate the apconfig.ini file, open the file, and modify the CasURL option as follows: CasURL=<hostname>.webexconnect.com

Configure federated web SSO for your WebEx organization

Using the WebEx Connect Administration Tool, you can configure federated web SSO for your WebEx organization.

1 To access the WebEx Connect Administration Tool, go to the URL provided by your WebEx Connect representative and provide your logon credentials.
2 In the WebEx Connect Administration Tool: Click the Configuration tab.
3 Expand the System Settings area, then click Security Settings.
4 On the Security Settings page, click Federated Web SSO Configuration.
5 In the Federated Web SSO Configuration dialog box, provide values for the following options, then click Save.

Table 6-24 Federated Web SSO configuration
  Federation Protocol: From the drop-down list, select SAML 2.0.
  SSO Profile: Select the SP Initiated option.
  WebEx SAML Issuer (SP ID): Type the following value in this field:
  Issuer for SAML (IdP ID): Specifies the URL of the SAML assertion issuer service provided by McAfee Cloud SSO.
  Customer SSO Service Login URL: Specifies the URL of the McAfee Cloud SSO SSO service used by WebEx Connect when initiating SSO. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the WebEx Connect Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
  NameID Format: From the drop-down list, select Email Address.
  AuthnContextClassRef: Type the following value in this field: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

6 On the Security Settings page, click Organization Certificate Management.
7 In the Organization Certificate Management dialog box:
  a Click Import New Certificate.
  b Browse for and upload the X.509 certificate file provided by McAfee Cloud SSO.
  c Click Save.
8 On the Security Settings page, click Save.

Configure SSO for YouTube in Google

Configuring the following options in your Google Apps account enables SSO to your YouTube application.

1 Log on to your Google Apps administrator account.
2 On the Google Admin Dashboard, click Advanced tools.
3 On the Advanced tools page: In the Authentication area, click Set up single sign-on (SSO).
4 On the Set up single sign-on (SSO) page, configure the following options, then click Save changes.

Table 6-25 Option definitions for enabling SSO in your YouTube account
  Enable Single Sign-on: When selected, enables SSO in your YouTube account.
  Sign-in page URL: Specifies the URL of the McAfee Cloud SSO SSO service.
  Sign-out page URL: Specifies the URL of the McAfee Cloud SSO SLO service.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the YouTube Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs. YouTube uses these values when initiating SSO and SLO.
  Change password URL: Specifies the location where end users can change their passwords. You can provide the sign-in page URL.
  Verification certificate: Specifies the McAfee Cloud SSO certificate containing the public key that Google needs to verify login requests.
  Use a domain specific issuer: When selected, the following issuer value is sent in SAML requests in place of google.com: google.com/a/cloudprocedo.com

Configure SSO in your Zendesk account

Enabling SSO to a Zendesk application requires configuration in your Zendesk administrator account.

1 Log on to your Zendesk administrator account.
2 On the Home page: From the Settings drop-down list, select the Security option.
3 On the Security page: In the Authentication tab, configure the following options.

Table 6-26 SSO option definitions for your Zendesk account
  Single Sign-On Enabled: Verify that this checkbox is selected.
  Mode: From the drop-down list, select SAML.

168 6 Cloud Connectors Configuring SAML Cloud Connectors Table 6-26 SSO option definitions for your Zendesk account (continued) Option SAML SSO URL Remote logout URL Definition SAML SSO URL Specifies the URL of the McAfee Cloud SSO SSO service used by Zendesk when initiating SSO. Remote logout URL Specifies the URL of the McAfee Cloud SSO SLO service used by Zendesk when initiating SLO. To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Zendesk Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs. Certificate fingerprint Specifies the SHA1 fingerprint of the X.509 certificate provided by McAfee Cloud SSO. 1 To extract the SHA1 fingerprint from the certificate, run the OpenSSL X.509 certificate command: openssl x509 -sha1 -in <filename>.crt -noout -fingerprint where -sha1 specifies that the SHA1 algorithm signs SAML requests and responses, -in <filename>.crt specifies the name of the certificate file read by the command, -noout specifies that the output of the command is not encoded, and -fingerprint specifies that the command outputs the certificate s fingerprint. 2 Copy the output of the OpenSSL command and paste it in the Certificate fingerprint field. For more information about OpenSSL, visit Save When clicked, saves the SSO configuration. Configure SSO in your Zoho account Enabling SSO to a Zoho application requires configuration in your Zoho administrator account. 1 Log on to your administrator account in the Zoho Admin Console. 2 In the Control Panel, click SAML Authentication. 3 In the SAML Authentication Details area, specify the options in the following table. 168 McAfee Cloud Single Sign On Product Guide

Table 6-27 SSO option definitions for your Zoho account

Login URL: Specifies the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated.
Logout URL: Specifies the McAfee Cloud SSO SLO service URL accessed by the end user when SLO is IdP-initiated.
  To locate these values, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the Zoho Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service and SLO Service URLs.
Change Password URL: Specifies the McAfee Cloud SSO SSO service URL accessed by the end user when SSO is IdP-initiated. This option has the same value as the Login URL.
PublicKey: Specifies the X.509 certificate provided by McAfee Cloud SSO. Select one of the following options:
  Browse for and upload the certificate file
  Paste the contents of the certificate file in the field
Algorithm: From the drop-down list, select RSA.

4 Click OK.

Configuring Cloud Connectors that use WS-Federation

McAfee Cloud SSO supports cloud applications that use WS-Federation with individual Cloud Connectors. Applications in this category include Office 365 and SharePoint.

Configuring an Office 365 Cloud Connector

Integrating Office 365 with McAfee Cloud SSO involves configuration on both the Office 365 side and the McAfee Cloud SSO side. On the Office 365 side, the AD FS 2.0 administrator sets up the Office 365 environment according to the following procedures.

1 Set up the Office 365 environment on Windows Server 2008.
2 Set up a trust between AD FS 2.0 and Office 365.
3 Synchronize Office 365 with Enterprise Active Directory on 32-bit Windows.
4 Update the trust between AD FS 2.0 and Office 365.

On the McAfee Cloud SSO side, the administrator completes the following tasks in the Management Console.

1 Import the public-private key pair used by AD FS 2.0. For more information about this step, visit:
2 Configure the Office 365 Cloud Connector.

How McAfee Cloud SSO implements SSO to an Office 365 application

When Office 365 is integrated with McAfee Cloud SSO, single sign-on to Office 365 using AD FS 2.0 is configured, and end users can sign in to Office 365 using the enterprise Active Directory account. Complete integration includes the following two steps:

  The AD FS 2.0 public-private key pair is imported in McAfee Cloud SSO. This step allows McAfee Cloud SSO to integrate with Office 365 in place of AD FS 2.0.
  Your Office 365 directory is synchronized with the enterprise Active Directory. Synchronizing the accounts in the two directories populates the Office 365 directory with the Active Directory users. This step allows users to authenticate once against the enterprise Active Directory and enables single sign-on.

Figure 6-1 Office 365 integration with McAfee Cloud SSO

1 The end user requests access to the Office 365 service.
2 Office 365 redirects the end user's request to McAfee Cloud SSO.
3 McAfee Cloud SSO authenticates the end user against the enterprise Active Directory.
4 McAfee Cloud SSO redirects the end user to Office 365 with the authentication result.
5 Office 365 grants access to the end user.

How the Office 365 environment is set up

To set up the Office 365 environment, you need two machines and one domain. The machines are as follows.

Windows Server 2008 R2: The AD FS 2.0 administrator sets up the Office 365 environment on this server, which includes installing and configuring Active Directory, AD FS 2.0, and Microsoft Internet Information Services (IIS). It also includes installing and configuring the Microsoft Online Services Module that comes with Office 365 for Windows PowerShell for single sign-on.
Windows Server 2003 SP2 (32-bit) or Windows Server 2008 SP2 (32-bit): The AD FS 2.0 administrator installs and configures the Microsoft Online Services Directory Synchronization tool on this server. This tool is used to synchronize your Office 365 account with the enterprise Active Directory account.

Set up the Office 365 environment on Windows Server 2008

To set up the Office 365 environment, the AD FS 2.0 administrator performs the tasks in this procedure on Windows Server 2008 R2. After the tasks are complete, the AD FS 2.0 administrator sends the following information to the McAfee Cloud SSO administrator.

  Office 365 administrator account information
  McAfee Cloud SSO machine name in the Office 365 domain
  Office 365 public-private key pair

1 Sign up for an Office 365 account of the midsize businesses and enterprises type.
2 Access your account and download the following software:
  Office desktop setup: Checks your personal computer for required updates and configures your Office desktop apps to work with Office 365.
  Microsoft Lync: Enables instant messaging, audio and video web conferences, and more.
3 Purchase a domain, add the domain to your Office 365 account, and verify it. Example: abc.com
4 Add the name of the machine where McAfee Cloud SSO is installed to the domain. The resulting name is the McAfee Cloud SSO machine name. Example: mcsso.abc.com
5 Install an Active Directory with the same domain name as the purchased domain.
6 Install and configure Microsoft IIS and generate a public-private key pair.
7 Install and configure AD FS 2.0.
8 Download and install the Microsoft Online Services Module that comes with Office 365 for Windows PowerShell for single sign-on.
9 In the Microsoft Online Services Module, configure single sign-on to Office 365.
10 Send the public-private key pair to the McAfee Cloud SSO administrator.

Set up a trust between AD FS 2.0 and Office 365

To set up a trust between AD FS 2.0 and Office 365, you can either add a new single sign-on domain or convert an existing standard domain to a single sign-on domain using the Microsoft Online Services Module on Windows Server 2008 R2. When the trust is set up, the public key is automatically uploaded from AD FS 2.0 to Office 365.

1 Open the Microsoft Online Services Module.
2 Run the following command and, when prompted, provide your Office 365 administrator account credentials:
  $cred = Get-Credential
3 Run the command:
  Connect-MsolService -Credential $cred
  You are now connected to Office 365 and can run additional commands.

4 Run the command:
  Set-MsolAdfscontext -Computer <AD_FS_2.0_Server>
  where <AD_FS_2.0_Server> specifies the fully qualified domain name of the primary AD FS 2.0 server. Default value when omitted: localhost
5 (New domain) Run the command:
  New-MsolFederatedDomain -DomainName <domain>
  The domain is added and enabled for single sign-on.
6 (Existing domain) Run the command:
  Convert-MsolDomainToFederated -DomainName <domain>
  The existing standard domain is converted to single sign-on authentication.

As a result, a new single sign-on domain is added or an existing standard domain is converted to single sign-on authentication.

Synchronize Office 365 with Enterprise Active Directory on 32-bit Windows

In this section, you install the Microsoft Online Services Directory Synchronization tool, synchronize your Office 365 directory with the enterprise Active Directory, and activate the synchronized user accounts in your Office 365 directory on a 32-bit Windows system. Synchronizing the accounts populates the Office 365 directory with the Active Directory users.

1 Install and configure the Microsoft Online Services Directory Synchronization tool.
2 Activate directory synchronization in your Office 365 directory, as follows:
  a Open the Office 365 portal in your web browser.
  b In the header, click Admin. The Admin Overview page opens.
  c Under Management in the navigation tree, click Users. The Users page opens.
  d At the top of the page, click the link next to Active Directory synchronization.
  e Under Activate Active Directory synchronization on the Set up and manage Active Directory synchronization page, click Activate.
3 Activate the synchronized user accounts in your Office 365 directory, as follows:
  a Open the Office 365 portal in your web browser.
  b In the header, click Admin. The Admin Overview page opens.
  c Under Management in the navigation tree, click Users. The Users page opens.
  d Select the Unlicensed users view, select all unlicensed users, then click Activate synced users.

Update the trust between AD FS 2.0 and Office 365

After synchronizing Office 365 with Active Directory, you update the properties of the trust between AD FS 2.0 and Office 365 using the Microsoft Online Services Module on Windows Server 2008 R2.

1 Open the Microsoft Online Services Module.
2 Run the command:
  $cred = Get-Credential
3 Run the command:
  Connect-MsolService -Credential $cred
4 Run the command:
  Set-MsolAdfscontext -Computer <AD_FS_2.0_Server>
  where <AD_FS_2.0_Server> specifies the fully qualified domain name of the primary AD FS 2.0 server. Default value when omitted: localhost
5 Run the command:
  Update-MsolFederatedDomain -DomainName <domain>

Office 365 reference

For more information about setting up the Office 365 environment, consult the following Microsoft resources.

  For more information about adding a domain to your Office 365 account, visit:
  For more information about setting up AD FS 2.0 on a Windows Server 2008 operating system, visit: 10).aspx
  For more information about installing and configuring the Microsoft Online Services Module for Windows PowerShell for single sign-on, visit:
  For more information about adding or converting a domain for single sign-on, visit:
  For more information about installing the Microsoft Online Services Directory Synchronization tool, visit:
  For more information about synchronizing directories, visit:

Configuring a SharePoint Cloud Connector

Integrating SharePoint with McAfee Cloud SSO involves configuration on both the SharePoint side and the McAfee Cloud SSO side.

How McAfee Cloud SSO implements SSO to a SharePoint web application

McAfee Cloud SSO and SharePoint support IdP-initiated and SP-initiated SSO. In the following diagram, SSO is initiated by SharePoint, the Service Provider.

Figure 6-2 SSO initiated by SharePoint

1 The end user requests access to a SharePoint web application.
2 The SharePoint server redirects the end user's request to McAfee Cloud SSO for authentication using the WS-Federation protocol.
3 McAfee Cloud SSO authenticates the end user against Active Directory.
4 McAfee Cloud SSO sends a WS-Federation response to the SharePoint server. The WS-Federation response includes a signed SAML assertion attesting to the end user's identity and one or more Active Directory user attributes.
5 The SharePoint server returns the web application's home page to the end user's browser.

Import the trusted identity token issuer in SharePoint

SharePoint establishes a trust relationship with an Identity Provider by importing the trusted identity token issuer, which is the X.509 certificate provided by McAfee Cloud SSO.

1 In the Management Console, export an X.509 certificate and place it in a location that SharePoint can access.
2 So that you can run the following Windows PowerShell commands, open the SharePoint Management Shell.

3 Set the PowerShell variable $trustcert equal to the path to the X.509 certificate as follows:
  $trustcert = Get-PfxCertificate <certpath>
  where <certpath> is the path to the X.509 certificate.
4 Create an X.509 certificate object as follows:
  $trustcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($trustcert)
5 Create a trusted root authority containing the X.509 certificate as follows:
  New-SPTrustedRootAuthority -Name <certalias> -Certificate $trustcert
  where <certalias> specifies the name assigned to the trusted root authority. Example: TrustedRoot
6 Map a source attribute from the Identity Provider (McAfee Cloud SSO) to the display name that the user sees after logging in to SharePoint as follows:
  $map = New-SPClaimTypeMapping -IncomingClaimType <incoming-claim-type> -IncomingClaimTypeDisplayName <display-name> -SameAsIncoming
  where <incoming-claim-type> specifies the target namespace that corresponds to the type of source attribute and <display-name> specifies the target name that corresponds to the source attribute.
  Example:
  $map = New-SPClaimTypeMapping -IncomingClaimType -IncomingClaimTypeDisplayName Address -SameAsIncoming
7 Set the PowerShell variable $realm equal to the string value configured for the realm in McAfee Cloud SSO. Example:
  $realm = "urn:seo:sharepoint"

8 Set the PowerShell variable $signinurl equal to the endpoint URL of the Identity Provider (McAfee Cloud SSO).
  Format: sharepoint/sso?spentity=<cloud-connect-name>
  where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed, <id-connect-name> specifies the name of the Identity Connector selected when the SharePoint Cloud Connector was configured in the Management Console, and <cloud-connect-name> specifies the name assigned to the SharePoint Cloud Connector when it was configured in the Management Console.
  To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the SharePoint Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service URL.
9 Import the McAfee Cloud SSO trusted identity token issuer as follows:
  $ap = New-SPTrustedIdentityTokenIssuer -Name <issuer-name> -Description <issuer-desc> -Realm $realm -ImportTrustCertificate $trustcert -ClaimsMappings $map -SignInUrl $signinurl -IdentifierClaim <incoming-claim-type>
  where <issuer-name> assigns a name to the trusted identity token issuer, <issuer-desc> specifies a description for the trusted identity token issuer, and <incoming-claim-type> specifies the target namespace that corresponds to the type of source attribute.
  Example:
  $ap = New-SPTrustedIdentityTokenIssuer -Name MCSSO-Server -Description "MCSSO Identity Services" -Realm $realm -ImportTrustCertificate $trustcert -ClaimsMappings $map -SignInUrl $signinurl -IdentifierClaim

Remove a trusted identity token issuer from SharePoint and modify it

If needed, you can remove a trusted identity token issuer from SharePoint and modify it, then import it again.

1 So that you can run the following Windows PowerShell commands, open the SharePoint Management Shell.
2 Remove the trusted identity token issuer as follows:
  Remove-SPTrustedIdentityTokenIssuer <issuer-name>
  where <issuer-name> specifies the name of the trusted identity token issuer that you want to modify. Example: MCSSO-Server

3 Remove the trusted root authority as follows:
  Remove-SPTrustedRootAuthority <certalias>
  where <certalias> specifies the name of the trusted root authority. Example: TrustedRoot
4 Modify the trusted identity token issuer, then import it again.

Add credential mapping to a trusted identity token issuer in SharePoint

If you want, you can add a source type and credential mapping to a trusted identity token issuer after it is imported in SharePoint.

1 So that you can run the following Windows PowerShell commands, open the SharePoint Management Shell.
2 Specify the name of the trusted identity token issuer to which you want the source type and credential mapping added as follows:
  $ap = Get-SPTrustedIdentityTokenIssuer -Identity <issuer-name>
  where <issuer-name> specifies the name of the trusted identity token issuer. Example: MCSSO-Server
3 Add the source type to the trusted identity token issuer as follows:
  $ap.ClaimTypes.Add("<incoming-claim-type>")
  where <incoming-claim-type> specifies the target namespace that corresponds to the type of source attribute. Example:
4 Map the source attribute from the Identity Provider (McAfee Cloud SSO) to the display name that the user sees after logging in to SharePoint as follows:
  $map2 = New-SPClaimTypeMapping -IncomingClaimType <incoming-claim-type> -IncomingClaimTypeDisplayName <display-name> -SameAsIncoming
  where <incoming-claim-type> specifies the target namespace that corresponds to the source attribute and <display-name> specifies the target name that corresponds to the source attribute.
  Example:
  $map2 = New-SPClaimTypeMapping -IncomingClaimType -IncomingClaimTypeDisplayName Address -SameAsIncoming
5 Add the new credential mapping to the trusted identity token issuer as follows:
  Add-SPClaimTypeMapping -Identity $map2 -TrustedIdentityTokenIssuer $ap

Enable SSO in the SharePoint web application

To integrate SharePoint with McAfee Cloud SSO, you need to enable SSO in the web application.

1 Open the SharePoint 2010 Central Administration website.
2 On the Central Administration homepage, in the Application Management section, click Manage web applications.
3 To create a new web application with SSO enabled:
  a On the ribbon, click New to create a new web application.
  b On the Create New Web Application page, in the Authentication section, click Claims Based Authentication.
  c In the Security Configuration section, to enable SSL, under Use Secure Sockets Layer (SSL), click Yes.
  d (Optional) To enable SSL for the website, you must configure SSL by requesting and installing an SSL certificate. For more information about how to set up SSL on IIS 7, visit:
  e In the Claims Authentication Types section, to enable SSO, configure the following options.
    1 Select the Trusted Identity Provider checkbox.
    2 Specify McAfee Cloud SSO as the trusted identity provider.
    3 Deselect all other checkboxes.
  f Specify values for the remaining options or accept the default values, then click OK.
4 To enable SSO in an existing web application:
  a Select the web application for which you want SSO enabled.
  b Select Authentication Providers, then Default Authentication Provider.
  c In the Claims Authentication Types section, to enable SSO, configure the following options.
    1 Select the Trusted Identity Provider checkbox.
    2 Specify McAfee Cloud SSO as the trusted identity provider.
    3 Deselect all other checkboxes.
  d Leave the remaining options unchanged, then click OK.

Configure access to the SharePoint web application site

Users and groups can access the SharePoint web application site according to the permissions that you grant.

1 Log on to the administrator account of the SharePoint web application that has SSO enabled.
2 Click Site Actions, then click Site Permissions.
3 Under Edit, click Grant Permissions. The Grant Permissions page opens.

4 In the Select Users area, type the names or addresses of the users and groups that you want to have access to the website.
5 In the Grant Permissions area, you can add users to a SharePoint group and select the permissions that you want the specified users and groups to have.
6 Click OK.

Configure a SharePoint Cloud Connector

McAfee Cloud SSO supports cloud applications that use WS-Federation with the SharePoint Cloud Connector.

1 In the Management Console, in the SharePoint Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-28 SSO option definitions for a SharePoint Cloud Connector

Signature Keys: From the drop-down list, select the key pair used by McAfee Cloud SSO to sign SAML assertions.
SAML Assertion Issuer: Specifies the URL of the McAfee Cloud SSO service that issues SAML assertions. Format: where <mcsso-server> specifies the name of the server where McAfee Cloud SSO is installed and <portnumber> specifies the port number used by McAfee Cloud SSO. Default: 8443
SharePoint Login URL: Specifies the URL of your SharePoint web application login page.
Conditions:
  Clock Skew: Specifies a value to use when calculating the SAML assertion's expiration time. This value is designed to offset small differences between clocks in different security domains. Default value: 20. Units: seconds
  Lifetime: Specifies a lifetime value to use when calculating the SAML assertion's expiration time. When the expiration time is exceeded, the SAML assertion is invalidated by the assertion consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains. Default value: 60. Units: seconds

Configure an ECA360 Token Cloud Connector

McAfee Cloud SSO provides a generic Cloud Connector named ECA360 Token for .NET and Java-based web applications. The ECA360 Token Cloud Connector produces a custom token that certifies the identity of the authenticated user.

1 In the Management Console, in the ECA360 Token Cloud Connector wizard, open the Custom Connection step.
2 Configure values for connecting to the .NET or Java-based web application.

Table 6-29 Custom connection option definitions

Authn Response Binding: Select one of the following options:
  HTTP_POST: The Identity Connector response is placed in the HTTP message body.
  HTTP_REDIRECT: The Identity Connector response is placed in the HTTP redirect URL.
Cloud App Logout Location: Select this checkbox to configure IdP-initiated SLO and specify the default SLO URL of the SaaS or web application in the Location field.
Default Cloud App Page: Select this checkbox to configure IdP-initiated SSO and specify the default SSO URL of the SaaS or web application in the Endpoint field.

3 In the ECA360 Token Cloud Connector wizard, open the Token Profile step.
4 Configure a custom McAfee Cloud SSO token for the .NET or Java-based web application.

Table 6-30 Custom token option definitions

Conditions:
  Add audience: Restricts the token's audience to the specified URLs. Example:
  Clock Skew: Specifies a value to use when calculating the token's expiration time. This value is designed to offset small differences between clocks in different security domains. Default value: 20. Units: seconds
  Lifetime: Specifies a lifetime value to use when calculating the token's expiration time. When the expiration time is exceeded, the token is invalidated by the token consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains. Default value: 60. Units: seconds
Signature:
  Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
  Please choose key name: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign the token.
Specify Issuer: When selected, allows you to specify the issuer of the signing key pair in the Issuer field. Example:
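Two of the values configured in this chapter are only useful if the relying party actually checks them: the SHA1 certificate fingerprint pasted into Zendesk (Table 6-26) and the Clock Skew and Lifetime settings that bound a SAML assertion or custom token (Tables 6-28 and 6-30). The following Python is an added example, not McAfee Cloud SSO or Zendesk code, showing what those checks look like on the consumer side. It assumes the fingerprint is the SHA-1 of the certificate's DER bytes in the colon-separated form that openssl x509 -fingerprint prints, and that NotBefore/NotOnOrAfter are derived from the Lifetime setting and checked with a Clock Skew tolerance; how the product itself applies the skew is an assumption. The certificate body is a constructed placeholder, not a real certificate, and signature verification is deliberately left out.

```python
"""Relying-party checks for a pinned IdP certificate fingerprint and for
assertion/token Conditions (NotBefore, NotOnOrAfter, Audience).

Added example; not product code.  Epoch seconds are used for all times.
"""
import base64
import hashlib
import hmac
import re
from typing import Iterable, Optional, Tuple

# Constructed placeholder: the base64 body decodes to the bytes b"abc",
# which is enough to exercise parsing and fingerprinting offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER bytes, formatted like OpenSSL: AA:BB:...:ZZ."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp: str) -> str:
    """Drop an 'SHA1 Fingerprint=' prefix, separators and letter case."""
    return re.sub(r"[^0-9A-F]", "", fp.split("=", 1)[-1].upper())


def fingerprint_matches(pem: str, pinned: str) -> bool:
    """Constant-time comparison of the certificate against the pinned value."""
    return hmac.compare_digest(_canonical(sha1_fingerprint(pem)), _canonical(pinned))


def issue_conditions(issued_at: int, lifetime_s: int = 60) -> Tuple[int, int]:
    """Issuer side: NotBefore / NotOnOrAfter from the Lifetime setting.

    Assumption: the window starts at issue time and lasts `lifetime_s`
    (the table's default is 60 seconds).
    """
    return issued_at, issued_at + lifetime_s


def conditions_valid(not_before: int, not_on_or_after: int, now: int,
                     clock_skew_s: int = 20, audience: Optional[str] = None,
                     allowed_audiences: Iterable[str] = ()) -> bool:
    """Consumer side: accept only inside the window widened by Clock Skew
    (default 20 seconds) and, when an audience restriction is configured,
    only if the assertion names one of our own audience URLs."""
    allowed = tuple(allowed_audiences)
    if now < not_before - clock_skew_s:
        return False            # assertion from the future beyond tolerance
    if now >= not_on_or_after + clock_skew_s:
        return False            # Lifetime exceeded: assertion is invalidated
    if allowed and audience not in allowed:
        return False            # issued for a different relying party
    return True


if __name__ == "__main__":
    print("fingerprint:", sha1_fingerprint(SAMPLE_PEM))
    nb, na = issue_conditions(issued_at=1000, lifetime_s=60)
    for t in (975, 985, 1075, 1085):
        print(t, "valid" if conditions_valid(nb, na, t) else "rejected")
```

The fingerprint identifies the exact DER encoding, so it changes whenever the signing key pair in the Signature Keys list is rotated; the value in Zendesk has to be replaced at the same time or SSO stops. The window check shows why Lifetime should be sized for transmission latency rather than made generous: with the defaults, an assertion is accepted for at most 60 + 20 seconds after issue, which limits how long a captured assertion stays usable.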

Configure an OpenID Cloud Connector

McAfee Cloud SSO provides a generic OpenID Cloud Connector for any cloud application that supports OpenID but is not included in the application catalog. To configure an OpenID Cloud Connector, you map user attributes from the McAfee Cloud SSO source to the OpenID Provider target according to the OpenID standard. User attribute mapping to an OpenID target is called attribute exchange mapping.

OpenID is an open standard that allows users to authenticate without a central authentication authority. Identity information is shared in the form of unique URLs. The attribute exchange map allows the administrator to control what identity information the cloud application can access. For more information about the OpenID standard, visit

1 In the Management Console, in the OpenID Cloud Connector wizard, open the OpenID step.
2 Configure attribute exchange mapping as shown in the following table.

Table 6-31 OpenID attribute exchange mapping

Source: Type the source value that corresponds to the selected Source Type, as described for each type below.
Source Type: Select one of the following source types:
  CONSTANT: Specifies that the source has a constant value. Type a string value in the Source column. Examples: en_us, United States
  AUTHN_RESULT_FIELD: Specifies that the source is a user attribute output by the Identity Connector. Type the name of the user attribute in the Source column. Example: mail
  EXPRESSION: Specifies that the source is the result of an expression. Type the expression in the Source column.
  CREDENTIAL_STORE: Specifies that the source is a credential in the credential store. Type the name of the credential in the Source column.
Target: Specifies the user attribute name in the OpenID Provider target. Examples: , language, locale
Target Type: Specifies the user attribute type in the OpenID Provider target. Target attribute types are defined by URLs. Examples:

Configuring an Impersonation Cloud Connector

McAfee Cloud SSO manages SSO to enterprise applications that require IWA through two services: an impersonation service and a reverse proxy service. While the impersonation service manages Kerberos, the computer network authentication protocol used by IWA, the reverse proxy service

exchanges the Kerberos ticket-granting ticket (TGT) for a Kerberos service ticket and forwards user requests to the enterprise applications.

Impersonation with reverse proxy built into McAfee Cloud SSO

When McAfee Cloud SSO is deployed in the enterprise domain and the domain does not include a reverse proxy server, you can use the reverse proxy built into McAfee Cloud SSO. The reverse proxy acts as a transparent firewall between the user and the enterprise domain.

Figure 6-3 Impersonation with reverse proxy built into McAfee Cloud SSO

1 McAfee Cloud SSO authenticates the end user against the Active Directory server and receives a Kerberos TGT in return.
2 McAfee Cloud SSO presents the end user with a portal that includes a link to the enterprise application, which the end user clicks.
3 The reverse proxy server that is built into McAfee Cloud SSO sends a request for a Kerberos service ticket to the Active Directory server. The request includes the end user's authenticated identity. The Active Directory server sends the service ticket to McAfee Cloud SSO.
4 The built-in reverse proxy server constructs an HTTP request that includes the service ticket and forwards the request to the enterprise application. The enterprise application sends an HTTP response to McAfee Cloud SSO.
5 The built-in reverse proxy server transforms the enterprise application URL received in the HTTP response following predefined rules and redirects the end user to the enterprise application through McAfee Cloud SSO.
6 The enterprise application grants access to the end user.

Impersonation with enterprise reverse proxy

When McAfee Cloud SSO is deployed in the enterprise domain and the domain does include a reverse proxy server, the enterprise reverse proxy server is deployed in the DMZ between the user and McAfee Cloud SSO. The DMZ adds a layer of security between the external Internet and the enterprise's internal network. In this scenario, McAfee Cloud SSO uses the enterprise and built-in reverse proxy servers.

Figure 6-4 Impersonation with enterprise reverse proxy

1 The end user requests access to the enterprise portal. The enterprise reverse proxy server maps the enterprise URL to McAfee Cloud SSO and forwards the request.
2 McAfee Cloud SSO authenticates the user against the Active Directory server and receives a Kerberos Ticket Granting Ticket (TGT) in return.
3 When the end user is authenticated, McAfee Cloud SSO presents the end user with a portal that includes links to the enterprise applications. The portal presentation is forwarded to the end user through the enterprise reverse proxy. The end user requests an enterprise application by clicking a link in the McAfee Cloud SSO portal. The end user's request is forwarded to McAfee Cloud SSO through the enterprise reverse proxy.
4 The reverse proxy server built into McAfee Cloud SSO sends a request for a Kerberos service ticket to the Active Directory server. The request includes the end user's authenticated identity. The Active Directory server sends the service ticket to McAfee Cloud SSO.
5 The built-in reverse proxy server constructs an HTTP request that includes the service ticket and forwards the request to the enterprise application. The enterprise application sends an HTTP response to McAfee Cloud SSO.
6 McAfee Cloud SSO forwards the HTTP response to the enterprise reverse proxy. The enterprise reverse proxy transforms the enterprise application URL received in the HTTP response following predefined rules and redirects the end user to the requested enterprise application through McAfee Cloud SSO. The enterprise application grants access to the end user.

184 6 Cloud Connectors Configuring an Impersonation Cloud Connector Requirements for deploying McAfee Cloud SSO in the enterprise domain Before deploying McAfee Cloud SSO in the enterprise domain, verify that the required connections can be made. The user can access McAfee Cloud SSO directly or through an enterprise reverse proxy server configured for McAfee Cloud SSO. McAfee Cloud SSO can directly access the applications in the enterprise domain. The firewall on the Windows Server where McAfee Cloud SSO is installed is configured so that the ports where the built-in reverse proxy server listens are open. Verify the domain functional level of the Active Directory server To use constrained delegation, the domain functional level of the Windows Server running Active Directory must be Windows Server To verify the domain functional level, start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in that comes with the Windows Server operating system. 2 In the navigation tree, click Computers. 3 In the configuration window, double-click your web server. 4 In the Properties dialog box, verify that there is a Delegation tab. If there is a checkbox labeled Trust Computer for Delegation on the General tab, but no Delegation tab, you need to raise the domain functional level to Windows Server Configure constrained delegation on the Active Directory server You configure constrained delegation on the Active Directory server (domain controller) to specify which SaaS or web applications McAfee Cloud SSO can access when impersonating a user. The Active Directory server responds to authentication requests within the Windows Server domain. All SaaS or web applications and host computers must be in the Windows Server domain. 1 Start the MMC Active Directory Users and Computers snap-in that comes with the Windows Server operating system. 2 In the navigation tree, click Computers. 3 In the configuration window, double-click your web server. 
4 In the Properties dialog box: In the Delegation tab, select Trust this computer for delegation to specified services only.
5 Select Use any authentication protocol.
6 Click Add.
7 In the Add Services dialog box, click Users or computers.
8 In the Select Users or Computers dialog box, type the name of your SaaS or web application server, verify that the service principal names for your SaaS or web application are correctly configured, then click OK.

Configure an Impersonation Cloud Connector

You can configure a generic Impersonation Cloud Connector for any enterprise application that uses Kerberos authentication but is not included in the McAfee Cloud SSO application catalog. Configuration steps include a custom token.

1 In the Management Console: In the Impersonation Cloud Connector wizard, open the Impersonation step.
2 Specify values for the impersonation options in the following table.

Table 6-32 Impersonation option definitions

  Schemes: Select the SPNEGO (Kerberos) impersonation scheme.
  Service Main URL: Specifies the service URL of the enterprise application that the user wants to access.
  Service Logout URL: (Optional) Specifies the logout URL of the enterprise application that the user wants to access.
  Service Binding Domain: Specifies an alternative domain name for the enterprise application that is based on the FQDN of the computer where McAfee Cloud SSO is installed. Example: If mcsso-service.com is the FQDN, then cloudapp1.mcsso-service.com is an example of a service binding domain name.
  Manage Domains: (Optional) Opens the Domain Setting dialog box, where you can configure the FQDN and one or more service binding domain names. You can also access the Domain Setting dialog box by selecting Domain Settings from the Admin tab drop-down list.
  Domain Setting (Dialog box): Specify values for the following options, then click OK.
    Enable: When selected, opens the options on the Domain Setting dialog box.
    Domain Name: Specifies the FQDN of the computer where McAfee Cloud SSO is installed.
    Default: Sets the Domain Name value to its default.
    Click one or more options:
      Add: Opens the New Domain dialog box, where you can configure a new service binding domain name.
      Edit: Opens the Edit Domain dialog box, where you can modify the selected service binding domain name.
      Remove: Deletes the selected service binding domain name.

Table 6-32 Impersonation option definitions (continued)

  Transformation Rules: Click one or more of the following options:
    Add: Opens the New Transformation Rule dialog box, where you can configure a transformation rule.
    Edit: Opens the Edit Transformation Rule dialog box, where you can modify the selected transformation rule.
    Remove: Deletes the selected transformation rule.
  New Transformation Rule (Dialog box): To redirect the user to the enterprise application through McAfee Cloud SSO, you need to configure one or more URL transformation rules for the built-in reverse proxy server:
    Source: Specifies the format of the URL that the reverse proxy server receives from the enterprise application. Example:
    Target: Specifies the format of the URL after it is transformed by the reverse proxy server. Example:
  If you are using an enterprise reverse proxy server in addition to the reverse proxy built into McAfee Cloud SSO, you also need to configure the URL transformation rules required by your reverse proxy.

3 In the Impersonation Cloud Connector wizard, open the Token Profile step.
4 Configure the custom McAfee Cloud SSO token that certifies the identity of the authenticated user.

Table 6-33 Custom token option definitions

  Conditions
    Add audience: Restricts the token's audience to the specified URLs. Example:
    Clock Skew: Specifies a value to use when calculating the token's expiration time. This value is designed to offset small differences between clocks in different security domains. Default value: 20. Units: seconds.
    Lifetime: Specifies a lifetime value to use when calculating the token's expiration time. When the expiration time is exceeded, the token is invalidated by the token consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains.
    Default value: 60. Units: seconds.
  Signature
    Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
    Please choose key name: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign the token.
  Specify Issuer: When selected, allows you to specify the issuer of the signing key pair in the Issuer field. Example:

Configuring individual custom Cloud Connectors

McAfee Cloud SSO supports cloud applications that use a proprietary SSO method with individual custom Cloud Connectors.

Configuring an Accellion Cloud Connector

Configuring an Accellion Cloud Connector requires an end-user account in Accellion as well as configuration in the Management Console.

Requirements for integrating Accellion with McAfee Cloud SSO

To integrate Accellion with McAfee Cloud SSO, verify that you meet the following requirements.

You must have an end-user account in Accellion
Accellion supports SSO to end users only, not administrators. Therefore, you must create an end-user account. Log on to an Accellion administrator account, select Manage Users, then click Add Users.

The end-user email address in the identity store must match the email address in Accellion
When sending SSO requests to McAfee Cloud SSO, Accellion uses the email address that the end user enters when logging in to the application launch portal. This address must match the email address in the end-user account in Accellion. If needed, modify the address in the identity store (or other identity source) to match the address in the Accellion account.

Configure an Accellion Cloud Connector

McAfee Cloud SSO supports the Accellion cloud application, which uses a proprietary SSO method, with the Accellion Cloud Connector.

1 In the Management Console: In the Accellion Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-34 SSO option definitions for an Accellion Cloud Connector

  Hostname: Specifies the FQDN of the server where the Accellion appliance is installed. To locate this value in your Accellion administrator account, select Administration Application.
  Application ID: Specifies your Accellion application ID. To locate this value in your Accellion administrator account, select Administration API.
  Secret Key: Specifies your Accellion secret key. To locate this value in your Accellion administrator account, select Administration API.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the Accellion application.

Configure an AmazonAWS Cloud Connector

McAfee Cloud SSO supports the Amazon Web Services (AWS) cloud application, which uses a proprietary SSO method, with the AmazonAWS Cloud Connector.

1 In the Management Console: In the AWS Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-35 SSO option definitions for an AmazonAWS Cloud Connector

  Access Key ID, Secret Key: You can locate these AWS values as follows:
    1 Log on to the AWS Management Console.
    2 From the drop-down list by your name, select Security Credentials.
    3 In the Access Credentials area, click the Access Keys tab.
    4 In the tab, look for the Access Key ID and Secret Access Key values.
  Subject ID: From the drop-down list, select the mail attribute.

Configure a Creately Cloud Connector

McAfee Cloud SSO supports the Creately cloud application, which uses a proprietary SSO method, with the Creately Cloud Connector.

1 In the Management Console: In the Creately Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following options.

Table 6-36 SSO option definitions for a Creately Cloud Connector

  API Key, Shared Secret: Obtain these values from your Creately account representative.
  User Attribute: From the drop-down list, select the mail attribute.

Configuring a DeskCustom Cloud Connector

McAfee Cloud SSO offers two Cloud Connectors for the Desk.com application: an individual HTTP connector named Desk and a custom connector named DeskCustom. Select the DeskCustom Cloud Connector when you want to use multipass authentication. Configure multipass authentication in your Desk.com account.

Configure multipass authentication in your Desk.com account

You configure multipass authentication in your Desk.com account, so that McAfee Cloud SSO can connect to the DeskCustom application and provide SSO services for end users.

1 To access the Desk.com administration page, visit: where <yourdomain> specifies the name of your Desk.com domain.
2 Provide the logon credentials for your administrator account.
3 From the Agent drop-down list, select Admin.
4 Click Channels.
5 In the Channels navigation tree, click Support Center, then click Private Portal.
6 On the Private Portal page:
  a From the Authentication Method drop-down list, select Multipass (Use Your Own).
  b Set the Multipass: Require HMAC switch to On.
  c Set the Multipass: Random IV switch to Off.
  d Copy the Multipass Key value and paste it in a text file. If no value is displayed for the Multipass Key, click Generate. You need this value when you configure the DeskCustom Cloud Connector in the Management Console.
7 To save your options, click Update.

Configure a DeskCustom Cloud Connector

McAfee Cloud SSO supports the DeskCustom cloud application, which uses a proprietary SSO method, with the DeskCustom Cloud Connector.

1 In the Management Console: In the DeskCustom Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-37 Option definitions for a DeskCustom Cloud Connector

  Desk.com Domain: Specifies the name of your Desk.com domain. Example: If your Desk.com service URL is then mydomain is the name of your Desk.com domain.
  Site Key: Specifies the name of your Desk.com domain. This option has the same value as the Desk.com Domain option.
  Secret Key: Specifies the Multipass Key value displayed on the Private Portal page in your Desk.com administrator account.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the Desk.com application.

Configure an EStreamDesk Cloud Connector

McAfee Cloud SSO supports the estreamdesk cloud application, which uses a proprietary SSO method, with the EStreamDesk Cloud Connector.

1 In the Management Console: In the estreamdesk Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-38 SSO option definitions for an estreamdesk Cloud Connector

  Domain Name: Specifies the name of your estreamdesk domain. Example: If your estreamdesk service URL is then mydomain is the name of your estreamdesk domain.
  Secret Key: Specifies your estreamdesk secret key. To locate this value in your estreamdesk administrator account, select Site Management Site Settings API Key.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the estreamdesk application.

Configuring a FreshDesk Cloud Connector

Integrating the FreshDesk application and McAfee Cloud SSO using the FreshDesk Cloud Connector requires configuration in your FreshDesk account as well as in the Management Console.

Configure SSO in your FreshDesk account

You enable SSO in your FreshDesk account, so that McAfee Cloud SSO can connect to the FreshDesk application and provide SSO services for end users.

1 Log on to your FreshDesk administrator account.
2 Click the Admin tab, then click the security icon.
3 Select the Enable Single Sign On checkbox.
4 Copy the value in the Shared Secret field in your FreshDesk account and paste it in the Secret Key field in the Management Console.
5 Copy the SSO Service URL corresponding to the FreshDesk Cloud Connector in the Management Console and paste it in the Remote login URL field in your FreshDesk account.
6 Copy the SLO Service URL corresponding to the FreshDesk Cloud Connector in the Management Console and paste it in the Remote logout URL field in your FreshDesk account.
7 Click Save.
To locate the SSO and SLO Service URLs, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the FreshDesk Cloud Connector. Click the General Info tab. In the Service Connection Endpoint Location area, look for the SSO Service and SLO Service URLs.

Configure a FreshDesk Cloud Connector

McAfee Cloud SSO supports the FreshDesk cloud application, which uses a proprietary SSO method, with the FreshDesk Cloud Connector.

1 In the Management Console: In the FreshDesk Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-39 SSO option definitions for a FreshDesk Cloud Connector

  Domain Name: Specifies the name of your FreshDesk domain. Example: If your FreshDesk service URL is then mydomain is the name of your FreshDesk domain.
  Secret Key: Specifies your FreshDesk secret key, which is located in your FreshDesk administrator account.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the FreshDesk application.
  Name Attribute: From the drop-down list, select the name attribute whose value McAfee Cloud SSO sends to the FreshDesk application.

Configuring an IdeaScale Cloud Connector

Integrating the IdeaScale application and McAfee Cloud SSO using the IdeaScale Cloud Connector requires configuration in your IdeaScale account as well as in the Management Console.

Configure multipass authentication in your IdeaScale account

You configure multipass authentication in your IdeaScale account, so that McAfee Cloud SSO can connect to the IdeaScale application and provide SSO services for end users.

1 To access your IdeaScale administrator account, visit: where <yourdomain> specifies the name of your IdeaScale domain.
2 Log on with your administrator credentials.
3 From your logon name drop-down list, select Community Settings.
4 In the Manage Community navigation tree, expand the Security option, then select Single Signon Settings.
5 On the Single Signon Settings page:
  a From the Single-Signon Type drop-down list, select the Multipass Token option.
  b Copy the Multipass Site Key value and paste it in the Site Key field on the SSO Configuration step of the IdeaScale Cloud Connector wizard.
  c Copy the Multipass API Key value and paste it in the Secret Key field on the SSO Configuration step of the IdeaScale Cloud Connector wizard.
6 Click Save Settings.

Configure an IdeaScale Cloud Connector

McAfee Cloud SSO supports the IdeaScale cloud application, which uses a proprietary SSO method, with the IdeaScale Cloud Connector.

1 In the Management Console: In the IdeaScale Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-40 SSO option definitions for an IdeaScale Cloud Connector

  Hostname: Specifies the name of your IdeaScale domain. Example: If your IdeaScale service URL is then mydomain is the name of your IdeaScale domain.
  Site Key: Specifies the Multipass Site Key value displayed on the Single Signon Settings page in your IdeaScale administrator account.
  Secret Key: Specifies the Multipass API Key value displayed on the Single Signon Settings page in your IdeaScale administrator account.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the IdeaScale application.
  Name Attribute: From the drop-down list, select the name attribute whose value McAfee Cloud SSO sends to the IdeaScale application.

Configuring a NetSuite Cloud Connector

Integrating the NetSuite application and McAfee Cloud SSO using the NetSuite Cloud Connector requires an RSA key pair, which is generated using OpenSSL, as well as configuration in the Management Console.

The NetSuite inbound single sign-on feature

The NetSuite inbound single sign-on feature allows users to authenticate using McAfee Cloud SSO, then access NetSuite without having to log in again. McAfee Cloud SSO passes authentication

information to NetSuite in an encrypted token. When integrated with NetSuite, McAfee Cloud SSO is called the external application.

Figure 6-5 NetSuite inbound single sign-on feature

1 The end user requests access to the NetSuite application or web store through McAfee Cloud SSO.
2 McAfee Cloud SSO authenticates the end user against the Identity Provider.
3 McAfee Cloud SSO redirects the end user to NetSuite with the encrypted token and the authentication information.
4 NetSuite decrypts the token and checks the timestamp. If the timestamp is valid, NetSuite grants access to the end user.

Format of the NetSuite token

To implement SSO with NetSuite, McAfee Cloud SSO generates a custom token. The token is a hex-encoded, encrypted string. Before encryption, the token string has the following format:

  <companyid><space><userid><space><timestamp>

Table 6-41 String components of the NetSuite token

  Company ID: Specifies the identifier assigned by the McAfee Cloud SSO administrator to the company associated with the end user. The Company ID is also known as the remote company ID. This string value cannot contain spaces.
  User ID: Specifies the identifier that McAfee Cloud SSO uses to uniquely identify the user. This string value cannot contain spaces.
  Timestamp: Specifies the time of token creation as a decimal string that represents the number of milliseconds since January 1, 1970, 00:00:00 GMT.
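The token string from Table 6-41 and the consumer-side timestamp check, as an added example (not McAfee or NetSuite code) that also illustrates how the Clock Skew and Lifetime options of Table 6-33 bound a token's validity window. The RSA encryption with the private key and the hex encoding that wrap the string are outside this example; the 20-second skew and 60-second lifetime are the Table 6-33 defaults, NetSuite's own acceptance window is not stated on the page and is assumed to follow the same model, and the company and user IDs are constructed sample values.

```python
"""NetSuite-style token string: build, parse, and check freshness.

Added example. The encryption/decryption and hex encoding described in the
guide are not implemented here; this covers the plaintext format and the
timestamp window that a token consumer applies after decryption.
"""
import time

DEFAULT_LIFETIME_S = 60    # Table 6-33 default Lifetime (seconds)
DEFAULT_CLOCK_SKEW_S = 20  # Table 6-33 default Clock Skew (seconds)


def build_token_string(company_id: str, user_id: str, timestamp_ms: int) -> str:
    """Return '<companyid><space><userid><space><timestamp>'.

    Company ID and User ID may not contain whitespace, because a space is the
    field separator; the timestamp is a decimal string of milliseconds since
    1970-01-01T00:00:00 GMT.
    """
    for name, value in (("Company ID", company_id), ("User ID", user_id)):
        if not value or any(ch.isspace() for ch in value):
            raise ValueError(f"{name} must be non-empty and contain no spaces")
    if timestamp_ms < 0:
        raise ValueError("timestamp must be non-negative")
    return f"{company_id} {user_id} {timestamp_ms}"


def parse_token_string(token: str) -> tuple:
    """Split a decrypted token string into (company_id, user_id, timestamp_ms).

    Exactly three non-empty, space-separated fields are required; anything
    else is rejected rather than guessed at, since the IDs cannot hold spaces.
    """
    parts = token.split(" ")
    if len(parts) != 3 or not all(parts):
        raise ValueError("token must have exactly three non-empty fields")
    company_id, user_id, ts = parts
    if not ts.isdigit():
        raise ValueError("timestamp must be a decimal string")
    return company_id, user_id, int(ts)


def timestamp_is_fresh(timestamp_ms: int, now_ms: int,
                       lifetime_s: int = DEFAULT_LIFETIME_S,
                       clock_skew_s: int = DEFAULT_CLOCK_SKEW_S) -> bool:
    """Consumer-side check of the creation timestamp.

    The token is accepted from (created - skew) until (created + lifetime +
    skew). The skew tolerates clock differences between the two security
    domains in either direction; the lifetime bounds how long a captured
    token stays usable.
    """
    skew_ms = clock_skew_s * 1000
    not_before = timestamp_ms - skew_ms
    not_after = timestamp_ms + lifetime_s * 1000 + skew_ms
    return not_before <= now_ms <= not_after


def consume_token(token: str, expected_company_id: str, now_ms=None) -> str:
    """Validate a decrypted token for one company and return its User ID.

    Raises ValueError for a malformed string, a Company ID mismatch, or a
    timestamp outside the accepted window.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    company_id, user_id, ts = parse_token_string(token)
    if company_id != expected_company_id:
        raise ValueError("token issued for a different company")
    if not timestamp_is_fresh(ts, now_ms):
        raise ValueError("token timestamp outside the accepted window")
    return user_id


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    now = 1_700_000_000_000
    token = build_token_string("ACME001", "jdoe", now)
    print(token)                                 # ACME001 jdoe 1700000000000
    print(consume_token(token, "ACME001", now))  # jdoe
```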

Generate an RSA key pair for NetSuite using OpenSSL

An RSA key pair is needed for encrypting and decrypting security tokens. McAfee Cloud SSO uses the private key to encrypt the security token, and NetSuite uses the public key paired with the private key to decrypt the security token. You need to generate the public-private key pair, send the public key to NetSuite, and import the private key in the Management Console.

1 Download the inbound single sign-on kit from NetSuite:
2 Install OpenSSL from one of the following locations:
    The OpenSSL subdirectory in the inbound single sign-on kit
    The OpenSSL website:
3 In a command window, type: openssl.
4 At the OpenSSL prompt, type the following command:
    genrsa -out <privkey.pem> -rand <f1><s><f2><s><f3><s><f4><s><f5> 1024
  where <privkey.pem> specifies the name of the output file, <f1> ... <f5> specify the names of five files that are used as random seeds, and <s> specifies one of the following separators:
    ; (semicolon) on Windows
    , (comma) on OpenVMS
    : (colon) on all other operating systems
  A private key having the length 1024 is generated.
5 Convert the private key from the PEM format to the DER format as follows:
    java com.netledger.forpartners.encryption.pem2der <privkey.pem> <privkey.der>
  where <privkey.pem> specifies the name of the input file in PEM format and <privkey.der> specifies the name of the output file in DER format.
6 Extract the public key from the private key as follows:
    java com.netledger.forpartners.encryption.priv2pub <privkey.der> <pubkey.der>
  where <privkey.der> specifies the private key generated using OpenSSL and <pubkey.der> specifies the public key extracted from the private key.
7 Send the public key to NetSuite using the following address: CertSignReq@netsuite.com.
  a In the subject line, include your NetSuite Company ID and your company's name.
  b In the message body, include the email address of the NetSuite account administrator who is setting up inbound single sign-on.
  c Attach the public key DER file in zipped format.
8 In the Management Console: On the SSO Configuration step of the NetSuite Cloud Connector wizard, import the RSA private key.

Configure a NetSuite Cloud Connector

McAfee Cloud SSO supports the NetSuite cloud application, which uses a proprietary SSO method, with the NetSuite Cloud Connector.

1 In the Management Console: In the NetSuite Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-42 SSO option definitions for a NetSuite Cloud Connector

  Upload Key: Opens the Import Key dialog box, where you can upload the RSA private key generated using OpenSSL.
  Company ID: Specifies the identifier that you assign to the company associated with the end user in your NetSuite administrator account. The Company ID is also known as the remote company ID. The Company ID cannot contain spaces.
  Partner ID: Specifies the identifier that NetSuite customer support assigns to McAfee Cloud SSO after you purchase the inbound single sign-on feature.
  Target Service: From the drop-down list, select one of the following NetSuite services. McAfee Cloud SSO redirects the user to the specified service with the encrypted token.
    Application: The user is redirected to a NetSuite application.
    Web Store: The user is redirected to a NetSuite Ecommerce website.
  Landing URL: (Optional) Specifies the webpage to which NetSuite redirects the user. This page is called the inbound single sign-on login page.
    NetSuite application format: &pid=<partner-id>&pacct=<company-id>
    NetSuite Ecommerce website format: &pid=<partner-id>&hideloginpage=true&returnurl=<return-url>&c=<netsuite-company-id>&n=<site-id>
  Hide Login Page:
    When selected: Specifies using the Return URL value in place of the Landing URL's value.
    When deselected: Specifies using the Landing URL value.
  Return URL: Specifies a webpage to which users are redirected when they log off, a session times out, or an error occurs. This option is required when the Hide Login Page checkbox is selected.
  Web store options
    Specify Site Domain:
      When selected: Allows you to configure a custom domain name for your company's web store.
      When deselected: Specifies using the default NetSuite domain name for your company's web store.
    Site Domain: Specifies a custom domain name for accessing your company's web store.

Table 6-42 SSO option definitions for a NetSuite Cloud Connector (continued)

    NetSuite Company ID: Specifies the identifier assigned by NetSuite to your company. This value is required when the target service is a web store, and the domain name option is the NetSuite default.
    Site ID: Identifies the website when you have more than one website in your Web store. This value is required when the target service is a web store and the domain name option is the NetSuite default. You can view the site ID on your website preview page by selecting Setup Web Site Preview Web Site.

Configure a Schoology Cloud Connector

McAfee Cloud SSO supports the Schoology cloud application, which uses a proprietary SSO method, with the Schoology Cloud Connector.

1 In the Management Console: In the Schoology Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-43 SSO option definitions for a Schoology Cloud Connector

  Specify Schoology:
    When selected: You configure global values for the private_token and school_id options.
    When deselected: The private_token and school_id values are mapped from individual user accounts to the Schoology application. See the Attribute Mapping area.
  private_token: Specifies a token value that members of your school community need to access the Schoology application. To locate this value: From the homepage of your Schoology account, select System Settings Integration Remote Authentication. The value is located in the Configure tab.
  school_id: Specifies the identifier that Schoology assigns to your school. To locate this value: From the homepage of your Schoology account, select System Settings Integration Remote Authentication. The value is located in the Usage Instructions tab.

Table 6-43 SSO option definitions for a Schoology Cloud Connector (continued)

  Attribute Mapping: Maps an attribute that uniquely identifies the user in McAfee Cloud SSO to the school_uid attribute in the Schoology application.
  Remote Authentication URL, Return URL: Copy the values in these fields and paste them in the corresponding fields in your Schoology account:
    Remote Authentication URL: Specifies the URL of the McAfee Cloud SSO single sign-on service.
    Return URL: Specifies the URL of the McAfee Cloud SSO single logoff service.
  To locate these fields: From the homepage of your Schoology account, select System Settings Integration Remote Authentication. The fields are located in the Configure tab.

Configuring a TenderSupport Cloud Connector

Integrating the Tender Support application with McAfee Cloud SSO using the Tender Support Cloud Connector requires configuration in your Tender Support account as well as in the Management Console.

Configure SSO in your Tender Support account

You configure SSO in your Tender Support account, so that McAfee Cloud SSO can connect to the Tender Support application and provide SSO services for end users.

1 To access the Tender Support administration page, visit: where <yourdomain> specifies the name of your Tender Support domain.
2 Provide the logon credentials for your administrator account.
3 From the Account & Settings drop-down list, select Extras.
4 In the navigation tree, select Single Sign-On.
5 On the Single Sign-On page:
  a Verify that the Single Sign-On switch is set to ON.
  b Copy the SSO API key value and paste it in the API Key field on the SSO Configuration step of the Tender Support Cloud Connector wizard.
  c Copy the Site key value and paste it in the Site Key field on the SSO Configuration step of the Tender Support Cloud Connector wizard.
6 Click Save your changes.

Configure a TenderSupport Cloud Connector

McAfee Cloud SSO supports the Tender Support cloud application, which uses a proprietary SSO method, with the TenderSupport Cloud Connector.

1 In the Management Console: In the TenderSupport Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-44 SSO option definitions for a TenderSupport Cloud Connector

  Domain Name: Specifies the name of your Tender Support domain. Example: If your Tender Support service URL is then mydomain is the name of your Tender Support domain.
  Site Key: Specifies the Site key value displayed on the Single Sign-On page in your Tender Support administrator account.
  API Key: Specifies the SSO API key value displayed on the Single Sign-On page in your Tender Support administrator account.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the Tender Support application.
  Name Attribute: From the drop-down list, select the name attribute whose value McAfee Cloud SSO sends to the Tender Support application.

Configuring a UserVoice Cloud Connector

Integrating a UserVoice application and McAfee Cloud SSO requires configuration in your UserVoice account as well as in the Management Console.

Configure SSO in your UserVoice account

You configure SSO in your UserVoice account, so that McAfee Cloud SSO can connect to the UserVoice application and provide SSO services for end users.

1 To access the UserVoice administration page, visit: where <yourdomain> specifies the name of your UserVoice domain.
2 Provide the logon credentials for your administrator account.
3 In the navigation tree, expand Settings, then click General.
4 In the User Authentication/Site-wide Access area: In the UserVoice Authentication (default) area, click Edit.

5 In the User Authentication dialog box, provide values for the following options.

Table 6-45 SSO option definitions in your UserVoice account

  SIGN-IN METHOD: Select the Single Sign-On (SSO) option.
  SSO KEY: Copy this value and paste it in the Secret Key field on the SSO Configuration step of the UserVoice Cloud Connector wizard.
  SSO REMOTE SIGN-IN URL (REQUIRED): Copy the McAfee Cloud SSO SSO Service URL and paste it in the SSO REMOTE SIGN-IN URL field in your UserVoice account. To locate this value, open the Management Console, click the Cloud Connectors tab, then click the troubleshooting icon corresponding to the UserVoice Cloud Connector. Click the General Info tab. In the Application Endpoint Location area, look for the SSO Service URL.

6 Click Save authentication settings.

Configure a UserVoice Cloud Connector

McAfee Cloud SSO supports the UserVoice cloud application, which uses a proprietary SSO method, with the UserVoice Cloud Connector.

1 In the Management Console: In the UserVoice Cloud Connector wizard, open the SSO Configuration step.
2 Specify values for the following SSO options.

Table 6-46 SSO option definitions for a UserVoice Cloud Connector

  Domain Name: Specifies the name of your UserVoice domain. Example: If your UserVoice service URL is then mydomain is the name of your UserVoice domain.
  Secret Key: Specifies the SSO KEY value displayed in the User Authentication dialog box in your UserVoice administrator account.
  Mail Attribute: From the drop-down list, select the attribute whose value McAfee Cloud SSO sends to the UserVoice application.
  Name Attribute: From the drop-down list, select the name attribute whose value McAfee Cloud SSO sends to the UserVoice application.
Configure just-in-time user provisioning

When user account mapping is enabled, McAfee Cloud SSO automatically provisions user accounts from the authentication source to the target application as users log in. User accounts in the target application are created and updated to reflect the status of the corresponding accounts in the authentication source, using identity mapping rules that you configure. On-demand or dynamic user provisioning is also called just-in-time (JIT) user provisioning.

1 In the Management Console: In the Cloud Connector wizard, open the Just-in-Time User Provisioning step.
2 Specify values for the provisioning options in the following table.

Table 6-47 Option definitions for configuring JIT provisioning

  Enable user account mapping: When selected, enables provisioning to the cloud application.
  Admin: Specifies the email address of your administrator account in the cloud application.
  Admin Password: Specifies the password to your administrator account in the cloud application.
  Test: Tests the connection to the cloud application using your administrator credentials.
  User Account Mapping: Click one or more of the following options:
    Add: Opens the New attribute mapping dialog box, where you can configure a new attribute mapping.
    Edit: Opens the Edit attribute mapping dialog box, where you can edit the selected attribute mapping.
    Remove: Removes the selected attribute mapping.
  New attribute mapping (Dialog box): Specify values for the following options, then click OK:
    Target name: Specifies the name of the attribute in the cloud application.
    Source type: From the drop-down list, select the type of identity information to map from the McAfee Cloud SSO source to the target application, then configure the source.
      CONSTANT: Specifies a constant value. The value is mapped to the target application.
      AUTHN_RESULT_FIELD: From the drop-down list, select an attribute name. The value of the attribute is mapped to the target application.
      EXPRESSION: Specifies an expression. The result of the expression is mapped to the target application.

Configuring an authorization policy

You can build an authorization policy that determines which users can access your cloud application and under what conditions. To build the policy, you configure individual policy rules and add them to the overall policy. Each rule consists of an expression, which can be made up of sub-expressions. When you configure an expression, you first select the expression type, or condition. When the condition is met, the expression evaluates to TRUE.
The conditions and corresponding Boolean expressions are shown in the following table.

Table 6-48 Policy conditions and their Boolean expressions

Access Time: The time of access falls within the specified time range.
Day of Week: The day of the week belongs to the specified set of days.
Client IP Address: The client IP address falls within the specified address range.
Client Device: The client device has one of the specified types.
Subject Attribute Match: The user attribute value meets the specified match.
Advanced Expression: The specified Boolean expression evaluates to TRUE.

Each rule has an action, as does the overall policy. The rule action is to permit or deny access to your cloud application when the rule evaluates to TRUE. The overall policy action (the default action) is to permit or deny access to your cloud application when none of the rules in the policy evaluates to TRUE. When the policy configuration area first opens, the default policy action is set to deny access.

Configure an authorization policy

You configure the default policy action and one or more policy rules.

1 In the Management Console: In the Cloud Connector wizard, open the Authorization Enforcement step.
2 Select the Enable Authorization Policy checkbox.
3 (Optional) To open the Change Default Action dialog box, where you can modify the overall policy action, click Permit access to <myapp> or Deny access to <myapp>, where myapp is the name of your cloud application.
4 Click Add Rule.
5 In the Rule Action dialog box, select a rule action, then click OK.
    Permit access to <myapp>: Permits access to the cloud application when the rule evaluates to TRUE.
    Deny access to <myapp>: Denies access to the cloud application when the rule evaluates to TRUE.
6 Configure the new rule by clicking the options in the following table.

Table 6-49 Option definitions for configuring a policy rule

Permit access to <myapp> / Deny access to <myapp>: Opens the Change Default Action dialog box, where you can modify the rule's action. <myapp> is the name you assign to the Cloud Connector.
Delete Rule: Removes the rule.
Move Up / Move Down: Moves the rule up or down one position in the rule list in the configuration area.
AND / OR: Toggles the Boolean operator that specifies whether the expressions in the group at the current level in the rule have an AND relationship or an OR relationship. All expressions at one level in the rule have the same Boolean relationship.
+: Opens the Add Expression dialog box, where you can configure an expression and add it to the rule. Clicking the + sign above a group of expressions adds the expression to the bottom of the group. Clicking the + sign to the right side of an individual expression creates a sub-group that consists of the selected expression and the new expression.
!: Alternately adds the NOT operator to, and removes the NOT operator from, the group of expressions at the current level in the rule.

Add Expression (Dialog box): From the Expression Type drop-down list, select a policy condition, then configure values for the selected condition. To open the Expression Editor, select Advanced Expression, then click Edit.
    Access Time: Restricts access to a specified time range.
    Day of Week: Restricts access to specified days of the week.
    Client IP Address: Restricts access to users having an IP address in the specified range.
    Client Device: Restricts access to specified client devices.
    Subject Attribute Match: Restricts access to users having the specified attribute value.
    Advanced Expression: Restricts access based on the specified expression.
Expression Editor: To build an expression, you select and combine built-in functions, variables, attributes, and operators from the drop-down lists with text that you type in the expression editor.
    Built-in Library Function: $AuthnResult.isIPInRange: Tests whether the client computer's IP address falls within the specified range.
        Syntax: $AuthnResult.isIPInRange(low_IP,high_IP,target_IP)
        where low_IP specifies the beginning value of the IP address range, high_IP specifies the ending value of the IP address range, and target_IP specifies the IP address of the client computer seeking access to the application.
        Returns one of the following values:
        TRUE: The client IP address falls within the specified range.
        FALSE: The client IP address does not fall within the specified range.
    Built-in Library Variable: $IP: Retrieves the IP address of the client computer seeking access to the application.
    Built-in Library Variable: $UserAgent: Retrieves the web browser's user agent, which provides information about whether the browser is running on a personal computer or a mobile device.
    AuthnResult: Retrieves the specified user attribute value.
    Operator: Lists the operators that you can add to the expression.
Example of an expression that retrieves the user attribute mail:
$AuthnResult.getField("mail")

Example of an expression that restricts access to users whose email address contains the string "mcafee.com":
$AuthnResult.getField("mail") contains "mcafee.com"

See also Attribute mapping and expressions in McAfee Cloud SSO on page 327

Build an expression: example 1

The expression in the following example retrieves the attribute corporation from the authentication results and compares its value to the empty string on the right side of the expression. If the expression evaluates to TRUE, the user is not part of any corporation. If the Rule Effect is set to Deny, the user is denied access to the SaaS or web application.

Expression: $AuthnResult.getField("corporation") == ""

To create this expression:

1 Select the attribute corporation from the AuthnResult drop-down list.
2 Select the operator == from the Operator drop-down list.
3 Type the double quotes in the Expression editor field.
4 Click OK.

Build an expression: example 2

The expression in the following example uses the built-in library function $AuthnResult.isIPInRange and the built-in library variables $IP and $UserAgent. The expression evaluates to TRUE if one or more of the following conditions are met. If the expression evaluates to TRUE and the Rule Effect is set to Permit, the user is granted access to the SaaS or web application.

    The client computer IP address falls within the specified range.
    The client computer IP address equals the specified value.
    The web browser is running on an iPhone.

Expression: $AuthnResult.isIPInRange( , , $IP) $IP $UserAgent contains "iphone"

To create this expression:

1 From the Built-in Library Function drop-down list, select $AuthnResult.isIPInRange.
2 Inside the parentheses, inside the first two pairs of quotes, type the low and high IP addresses that specify the range, respectively.
3 Replace the third pair of quotes with the Built-in Library Variable $IP. This variable is the IP address of the client computer seeking access to the application.
4 From the Operator drop-down list, select the operator.
5 From the Built-in Library Variable drop-down list, select $IP.
6 From the Operator drop-down list, select the operator ==.
7 In the Expression editor field, type an IP address enclosed in quotes.
8 From the Operator drop-down list, select the operator.
9 From the Built-in Library Variable drop-down list, select $UserAgent.
10 From the Operator drop-down list, select the operator contains.

11 In the Expression editor field, type "iphone" (including the quotes).
12 Click OK.

Review the Cloud Connector configuration

You can review, test, and save the Cloud Connector configuration.

1 In the Management Console: In the Cloud Connector wizard, open the Review step.
2 Review the Cloud Connector options in the following table.

Table 6-50 Cloud Connector configuration summary

SSO Test URL: Specifies the URL of a demonstration portal that you can use to test the Cloud Connector configuration and access the cloud application. Example: portal
Alias: Specifies a short URL that you can use in place of the longer SSO Test URL to access the demonstration portal. Example:
Cloud Connector Type: Specifies the type of Cloud Connector.
Cloud Connector Name: Specifies the name of the Cloud Connector.
Identity Connector: Specifies the name of the Identity Connector configured for this Cloud Connector.
Application Category: (Optional) Specifies a user-defined portal category assigned to this Cloud Connector. Cloud Connectors tagged with the same category are displayed together on the application portal.

3 To save the configuration, click Finish.

Cloud Connector SSO methods reference

Knowing the SSO method or protocol used by a cloud application, you can locate documentation, such as an overview of the SSO method or instructions on how to configure the Cloud Connector in the wizard.

Table 6-51 Cloud Connector types and SSO methods

Cloud Connector type    SSO method
ABIresearch
Accellion
AceProjects
ActiveCollab
ActiveGiving
ActiveHosted
ActiveNetworketeamz
ActiveWorks
Custom

Acunote
AdaptiveCurriculum
AdaptivePlanning
AddThis
AdknowledgeAdvertiser
AdminiTrack
ADP    SAML 2.0
AdReady
ADrive
AdSpeed
AerLingus
Agilewords
AgreenSign
Agresso    SAML 2.0
AirCanada
AlaskaAirlines
AlbridgeSolutions
AlertGrid
AllClients
AltoSoftInsightOnDemand
AmazonAWS    Custom
AmericanAirlines
Apperian    SAML 2.0
AppHarbor
AppleDeveloper
ApplicantStack
AppShore
Appsplit
ArenaSolutionsBOMControl
ArenaSolutionsPartsList
ArenaSolutionsPDXViewer
AribaExchange
Asana
Assembla
Atlassian
AtMail
AxedaServiceLink
Backupify
Balsamiq

BarracudaNetworks
BeanStalk
BenchMark
BetterLesson
BidSpeed
BigCommerce
Bijk
Bill
BillingOrchard
Bime
BitBucket
BlackberryDeveloperZone
Blogger
Bloomberg
Boomerang
BlueFolder
Bontq
BookFresh
Box
BoxNet    SAML 2.0
Brainpop
BrightCove
Brightpearl
BrixHQ
BTwoBee
Buffer
BugAware
BugHost
BUGtrack
BusinessExchange
BusinessITOnline
CacheFly
Cacoo
Cak
CampaignMonitor
CapriccioFuzion
CapsuleCRM
Captoom
Carbonite

CareTwo
CDWG
Certify
Chargify
CheckboxOnline
CheckFront
Clarizen    SAML 2.0
ClickTale
ClickTime
Clicktools
ClientSpot
CloudApp
Cloudbees
CloudFlare
CloudSharePro
Cloudwords
CodebaseHQ
Codesion
ConceptShare
Concur
ConferenceCalls
ConstantContact
ContactChamp
Contactology
ContractPal
ConvertExperiments
CostcoPhotoCenter
Coupa    SAML 2.0
Cozimo
Craigslist
CrazyEgg
Creately    Custom
CriteriaHireSelect
Crocodoc
CrowdSpring
CroweHorwath
CrunchBase
CurdBee
Cvent

Danaher
DeemAtWork
DeltaSkyMiles
Desk
Deskaway
DeskCustom    Custom
DigitalBucket
Diigo
DirectIQ
Disqus
DNSstuff
Do.com
DocLanding
Docstoc
DocumenTree
DocVerify
dotphoto
DreamBox
DriveHQ
Dropbox
DropSend
DynDNS
ebay
EBSuiteCRM
ECA360 Token    User-defined
EchoSign    SAML 2.0
EchoSpan
Edmodo
edocr
EggZack
Egnyte    SAML 2.0
eifrs
ELeaP
Elementool
ElephantDrive
Elite
Eloqua Brain
EmpireAvenue

Endomondo
EngineYard
EnterpriseWizardEndUser
EnterpriseWizardStaff
Enthusem
EStreamDesk    Custom
Etsy
Eventzilla
Evernote
Expedia
ExpenseCloud
Expensify
EzineArticles
Facebook
FairmontHotels
FanTools
FatWallet
FaxItNice
FedEx
Feedity
FengOffice
Fidessa
FilesAnywhere
FivePM
FlavorsMe
Flickr
FlipDrive
Flipkart
FluidSurveys
Flurry
FogBugz
Fontdeck
Force.com    SAML 2.0
FormStack
Fotki
Freckle
FreeAgent
FreeOnlineSurveys
FreshBooks

Freshdesk    Custom
FunctionFox
Fus
GeoOp
Geotoko
GetDashboard
GetSatisfaction
GigPark
Ginzametrics
GitHub
Glance
Gliffy
gofms
Google    SAML 2.0
GoToMeeting    SAML 2.0
GoToTraining    SAML 2.0
GoToWebinar    SAML 2.0
GoSquared
GrapevineSurveys
Gravatar
GreenRope
Grockit
HeapCRM
HelpOnClick
Heroku
Hightail
HiltonHotels
HipChat
HootSuite
HostAnalytics    SAML 2.0
Hotels.com
Hotwire Generic
HtwoDesk
HubPages
HubSpot
Iacez
IBMGERS
ICanMakeItBetter

icontact
icyte
IdeaScale    Custom
IDrive
ImpelCRM
Impersonation    Kerberos
Indicee
InDinero
InformaticaCommunity
IntuitOnlinePayroll
InsideSales
InsideView
InstantSurvey
Instapaper
IntelForum
Interstate
Intervals
IntuitQuickBooks
InvoiceDude
InvoiceJournal
InvoiceMachine
InvoicePlace
Invoicera
Invotrak
iperceptions
IronMountain
Jigsaw
Jira
JitbitHelpDesk
Jive    SAML 2.0
JobScoreJobSeeker
Jobvite
JoyentCloud
KarmaCRM
KashFlow
Ketera
KeySurvey
KnowledgeTree
LandslideCRM

LAssuranceMaladie
LeadMaster
LessAnnoyingCRM
LetterGenie
Liftshare
LightCMS
LightHouse
Lijit
LinkedIn
LiquidPlanner
Litmos
LiveChat
LivePerson
LogMeIn
LogMeInRescue
Lokad
LongJump    SAML 2.0
LoopFuse
LucidChart
LuxorCRM
MaaSThreeSixty
MailChimp
Malse
MantisBT
Marketo    SAML 2.0
MarriottHotels
Mediacore
Meetup
Metacafe
Metricly
MFG
MindSalt
MindTouch    SAML 2.0
Mint
Mixpanel
MongoHQ
MongoLab
Monster
MyERP

MYOBLiveAccounts
myphotopipe
Neosites
Netbiscuits
NetConference
NetDocuments
NetSuite    Custom
NewRelic
Nexonia
NexTag
NMQuote
Nomadesk
NomadeskPartner
Notable
NoviSystems
Nozbe
Nutshell
Office365    WS-Federation
Office365SAML    SAML 2.0
Olark
OneHub
OnePlace
OnSIPAdmin
OnTwentyFour
oovoo
OpenDrive
OpenID    Generic OpenID
OpenTable
Oprius
OrangeHRMLive
Orbitz
Osmek
PageDNA
Paymo
Paypal
PBase
Pbworks
Pingdom
Pipedrive

PipelineDeals
PitneyBowes
PlanDone
Plaxo
Podio
PollEverywhere
PressKing
Priceline
ProofHQ
Proofhub
Proposable
ProtoShare
Putio
Qhub
Qualtrics
QualysGuardPCI
Quantcast
QuestionPro
RaceResults
RationalSurvey
Raven
ReallySimpleSystems
RealtyLogGuest
RealtyLogMember
ReardenCommerce
RecruiterBox
Recurly
Relenta
RemedyForce
RemotiaCRM
Replicon    SAML 1.1
Reviewsnap
RightScale
RightSignature
Saasu
Salesboom
Salesforce    SAML 2.0
SalesGenius
SalesJunction

SAML1.1    Generic SAML 1.1
SAML2.0    Generic SAML 2.0
SAML2.0 Proxy    SAML 2.0
SAP    SAML 2.0
SAPCloud    SAML 2.0
Sazneo
Schoology    Custom
SearchMetrics
SendGrid
SendSix
SendThisFile
ServiceMax
ServiceMEight
ServiceNow    SAML 2.0
Severa
ShareFile    SAML 2.0
SharePoint    WS-Federation
ShiftPlanning
ShoeBoxed
SilkRoad    SAML 2.0
Simplicant
SimplyBill
SiteKreator
Skedge.Me
Slickdeals
SlideRocket
SmartBrief
Smarter
SmarterTravel
SmartQWeb
Smartsheet
SnapBill
SnapFish
Southwest
SpotlightReporting
Spreedly
SpringCM    SAML 2.0
Springpad
StandingCloud

StarwoodHotels
StreamSend
SuccessFactors    SAML 2.0
SugarCRM    SAML 2.0
SugarSync
SurveyGizmo
SurveyMonkey
SurveyShare
Survs
Syncd
Syncplicity    SAML 2.0
TactileCRM
TappIn
Teambox
TeamDesk
TeamWorkLive
TeamWorkProjectManager
TenderSupport    Custom
TestFlight
Theresumator
ThirtySevenSignals
TickSpot
TimeBridge
Timetonote
Toodledo
TrackVia
Travelocity
TribeHR
TrueShare
Twitter
Unbounce
UsabilityHub
Usabilla
UseKitProBindr
UserVoice    Custom
VersionOne
VersionOneUltimate    SAML 2.0
VerticalResponse
VigLink

VisionHelpdesk
VisualWebsiteOptimizer
Vitalist
VMwareAccountLogin
Volusion
WalgreensPhoto
WebCargo
webcrm
WebEx    SAML 2.0
WebExConnect    SAML 2.0
WebExPCNow
WebSuitePro
WeCollaborate
Wedoist
Weebly
Wistia
WizeHive
Woopra
Woot
WorkdayCommunity
WorkforceGrowth
WorkforceTrack
Wrike
Wufoo
Xactly
Xpressdocs
YahooMail
Yapta
YouTube    SAML 2.0
ZAPSurvey
Zendesk    SAML 2.0
Zepppelin
ZipDX
ZipRecruiter
ZipSurvey
ZocDoc
Zoho    SAML 2.0

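The authorization policy described under "Configuring an authorization policy" earlier in this chapter, together with the expressions built in the two "Build an expression" examples, can be modelled directly: rules in order, each holding a group of expressions joined by one operator (the AND/OR toggle), optional nested groups (the + to the right of an expression), a NOT per level (the ! toggle), a rule action, and a default action. The Python program below is an added example for this guide, not McAfee code and not the product's expression engine. Request, Group, Rule and Policy are constructed names; the range 10.0.0.1 to 10.0.0.255 and the address 192.0.2.10 are placeholders for the addresses that example 2 in the guide leaves unspecified; and the evaluation order (rules are tried top to bottom, the first rule whose expression is TRUE decides, the default action applies otherwise) is the example's own assumption, since the guide states only what happens when no rule is TRUE.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address
from typing import Dict, List

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Request:
    """Constructed stand-in for $AuthnResult, $IP, $UserAgent and the time of access."""
    fields: Dict[str, str]   # user attributes from the authentication result
    ip: str                  # $IP
    user_agent: str          # $UserAgent
    when: datetime           # time of the access request

    def get_field(self, name: str) -> str:
        # $AuthnResult.getField(name); an attribute the user lacks reads as ""
        return self.fields.get(name, "")


def is_ip_in_range(low: str, high: str, target: str) -> bool:
    # $AuthnResult.isIPInRange(low_IP, high_IP, target_IP), inclusive at both ends
    return ip_address(low) <= ip_address(target) <= ip_address(high)


# The policy conditions of Table 6-48, each turned into a predicate on a Request.
def access_time(start: time, end: time):
    return lambda r: start <= r.when.time() <= end


def day_of_week(days):                  # Monday == 0 ... Sunday == 6
    return lambda r: r.when.weekday() in days


def client_ip_range(low: str, high: str):
    return lambda r: is_ip_in_range(low, high, r.ip)


def client_device(marker: str):         # device type read from the user agent string
    return lambda r: marker.lower() in r.user_agent.lower()


def subject_attribute_match(name: str, value: str):
    return lambda r: r.get_field(name) == value


@dataclass
class Group:
    """Expressions at one level of a rule share one operator (the AND/OR toggle);
    negate models the ! toggle that wraps the whole level in NOT."""
    op: str                  # "AND" or "OR"
    items: list              # predicates or nested Groups
    negate: bool = False

    def evaluate(self, r: Request) -> bool:
        results = [i.evaluate(r) if isinstance(i, Group) else i(r) for i in self.items]
        value = all(results) if self.op == "AND" else any(results)
        return (not value) if self.negate else value


@dataclass
class Rule:
    action: str              # PERMIT or DENY, applied when the group evaluates to TRUE
    group: Group


@dataclass
class Policy:
    default_action: str = DENY      # the console opens with Deny as the default action
    rules: List[Rule] = field(default_factory=list)

    def decide(self, r: Request) -> str:
        # Assumption (not stated in the guide): rules are checked in list order and the
        # first rule whose expression is TRUE decides; otherwise the default action applies.
        for rule in self.rules:
            if rule.group.evaluate(r):
                return rule.action
        return self.default_action


def example_policy() -> Policy:
    """Rule 1 is 'Build an expression: example 1'; rule 2 is example 2 with constructed
    addresses; rule 3 combines the remaining condition types with a NOT group."""
    return Policy(default_action=DENY, rules=[
        Rule(DENY, Group("OR", [subject_attribute_match("corporation", "")])),
        Rule(PERMIT, Group("OR", [client_ip_range("10.0.0.1", "10.0.0.255"),
                                  lambda r: r.ip == "192.0.2.10",
                                  client_device("iPhone")])),
        Rule(PERMIT, Group("AND", [access_time(time(8, 0), time(18, 0)),
                                   day_of_week({0, 1, 2, 3, 4}),
                                   Group("OR", [client_device("Android")], negate=True)])),
    ])


def decide(fields: Dict[str, str], ip: str, user_agent: str, when: datetime) -> str:
    return example_policy().decide(Request(fields, ip, user_agent, when))


if __name__ == "__main__":
    tuesday = datetime(2013, 10, 15, 10, 30)   # constructed access time, a weekday
    print(decide({"corporation": ""}, "10.0.0.50", "Mozilla/5.0", tuesday))      # Deny
    print(decide({"corporation": "Acme"}, "10.0.0.50", "Mozilla/5.0", tuesday))  # Permit
```

Rule 1 reproduces example 1 and, because a missing attribute also reads as the empty string, a user with no corporation attribute at all is denied rather than falling through. Rule 3 shows the AND/OR and ! toggles together: the nested group evaluates Client Device and the NOT on that level inverts it, so an Android browser in business hours reaches no TRUE rule and gets the Deny default. Putting Deny rules before Permit rules, as here, is what makes the order assumption safe to rely on.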

7 Cloud authenticators and application adapters

Using the cloud authenticator and application adapter, administrators can configure multiple authentication options for a single Cloud Connector. Without the cloud authenticator and application adapter, administrators must configure a separate Cloud Connector for each authentication method.

Table 7-1 Cloud authenticators and application adapters

Cloud authenticator: The cloud authenticator is an authentication chain that is configured for a specific application adapter. The cloud authenticator maps the source attributes output by the authentication chain to the target attributes expected by the application adapter and passes the attributes to the application adapter in a custom ECA360 Token.
Application adapter: The application adapter is a connector to a service that consumes ECA360 Tokens. The ECA360 Token consumer service can be provided by an ECA360 Token Identity Connector or Intel AppUp service. The application adapter can connect to any Cloud Connector that is configured with an ECA360 Token Identity Connector.

Contents
    Single Identity Provider
    Multiple Identity Providers
    Configuration tasks

Single Identity Provider

In this use case, you can present the end user with one authentication option on the login page and multiple options in the application portal. One Identity Connector is used by multiple Cloud Connectors. Each Cloud Connector is configured for one cloud application.

Figure 7-1 Single Identity Provider

Multiple Identity Providers

In this use case, multiple cloud authenticators and a single application adapter allow you to present the end user with multiple authentication options on the login page. Adding an ECA360 Token Identity Connector to the configuration allows you to also present the end user with multiple options in the application portal. Each cloud authenticator is configured for one identity store or authentication service. Multiple cloud authenticators are configured for one application adapter.

Figure 7-2 Multiple Identity Providers

To complete the configuration, you need to add an ECA360 Token Identity Connector. This addition allows the application adapter to connect to any Cloud Connector that is configured with the ECA360 Token Identity Connector. As a result, you can present the end user with multiple authentication options on the login page and multiple options in the application portal.

Figure 7-3 Multiple Identity Providers and application options

Configuration tasks

To configure multiple authentication options on the login page for a single Cloud Connector and, optionally, to configure multiple options in the application portal, perform the following steps in the order shown.

1 Configure an ECA360 Token Identity Connector.
2 Configure an application adapter that connects to the ECA360 Token Identity Connector.
3 Using the application adapter, configure a separate cloud authenticator for each Identity Provider.
4 Using the ECA360 Token Identity Connector, configure a Cloud Connector for each cloud application.

See also Configure an ECA360 Token Identity Connector on page 67

Configure a cloud authenticator

The cloud authenticator outputs the attributes expected by the application adapter in a custom ECA360 Token. The application adapter is a connector to any service that consumes custom ECA360 Tokens.

1 In the Management Console, select Cloud Authenticators from the Application Adapters tab drop-down list, then click New Cloud Authenticator.
2 Specify values for the following options, then click Save.

Table 7-2 Option definitions for a cloud authenticator

Cloud Authenticator Name: Specifies a name that uniquely identifies the cloud authenticator in the McAfee Cloud SSO system.
Associated Adapter: From the drop-down list, select a pre-configured application adapter or click New Adapter to create a new application adapter. Token attributes configured for the selected application adapter are populated as target attributes in the Attribute Mapping for Adapter area.
New Adapter: When clicked, opens the New Application Adapter wizard.
Login Modules in Authenticator: Specify the modules in the authentication chain. Click one or more options:
    Up, Down: Allow you to modify the order of modules in the authentication chain.
    New: Opens the authentication module wizard, where you can configure a module and add it to the authentication chain.

Attribute Mapping for Adapter: Specify the attributes to map from the authentication chain to the application adapter in the custom ECA360 Token.
    Target: Lists the names of the target attributes expected by the application adapter.
    Source: Lists the names of the source attributes output by the authentication chain.
    Source Type: Lists the source attribute types.
    Select one or more options:
    Add: Opens the New attribute mapping dialog box, where you can configure a new target-source attribute mapping.
    Edit: Opens the Edit attribute mapping dialog box, where you can modify an existing target-source attribute mapping.
    Remove: Deletes an existing target-source attribute mapping.
New attribute mapping (Dialog box):
    Target name: Specifies the name of the target attribute in the application adapter.
    Source type: Specifies the type of attribute output by the authentication chain. From the drop-down list, select an attribute type:
        CONSTANT: The source is a constant. Specify the constant in the Constant value field.
        AUTHN_RESULT_FIELD: The source is a user attribute. From the drop-down list, select a user attribute output by the authentication chain.
        EXPRESSION: The source is an expression. Specify the expression in the Expression value field.
Subject for Application Adapter: Specifies the target attribute that uniquely identifies the user.

Configure an application adapter

Configure the custom connection so that the application adapter can connect to the ECA360 Token consumer service. Configure the token profile to specify which attributes the cloud authenticator passes to the application adapter.

Table 7-3 Application adapter configuration wizard

Custom Connection: Options allow the application adapter to connect to the ECA360 Token consumer service. The consumer service can be an ECA360 Token Identity Connector, an Intel AppUp service, or a Cloud Connector that is configured with an ECA360 Token Identity Connector.
Token Profile: Options specify the names of attributes that the cloud authenticator passes in the custom ECA360 Token to the application adapter. The application adapter passes these attributes in the custom ECA360 Token to the specified ECA360 Token consumer service.
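Table 6-47 (JIT provisioning, in the Cloud Connectors chapter) and Table 7-2 (cloud authenticator) describe the same target-source attribute mapping with the three source types CONSTANT, AUTHN_RESULT_FIELD and EXPRESSION, applied once to provision accounts in a cloud application and once to fill a custom ECA360 Token. The Python below is an added illustration of how such a mapping table is applied to one login, not product code. A Python callable stands in for an EXPRESSION; the target names (Email, Role, DisplayName, Username), the Username derivation and the user record are constructed; and the decision to treat a missing AUTHN_RESULT_FIELD source as an error is the example's own choice, made so that no account is ever created with a blank identifier.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# The three source types offered in the New attribute mapping dialog box.
CONSTANT = "CONSTANT"
AUTHN_RESULT_FIELD = "AUTHN_RESULT_FIELD"
EXPRESSION = "EXPRESSION"

AuthnResult = Dict[str, str]
# A Python callable stands in for the product's expression language here.
Source = Union[str, Callable[[AuthnResult], str]]


@dataclass
class AttributeMapping:
    target_name: str     # attribute name in the cloud application or application adapter
    source_type: str     # CONSTANT, AUTHN_RESULT_FIELD or EXPRESSION
    source: Source       # constant value, source attribute name, or expression


def apply_mappings(authn_result: AuthnResult, mappings: List[AttributeMapping]) -> Dict[str, str]:
    """Produce the target attributes for one login from the authentication result."""
    target: Dict[str, str] = {}
    for m in mappings:
        if m.source_type == CONSTANT:
            target[m.target_name] = m.source
        elif m.source_type == AUTHN_RESULT_FIELD:
            # Assumption: a missing source attribute is an error rather than an empty
            # value, so an account is never provisioned with a blank identifier.
            if m.source not in authn_result:
                raise KeyError(f"authentication result has no attribute {m.source!r}")
            target[m.target_name] = authn_result[m.source]
        elif m.source_type == EXPRESSION:
            target[m.target_name] = m.source(authn_result)
        else:
            raise ValueError(f"unknown source type {m.source_type!r}")
    return target


def provision(directory: Dict[str, Dict[str, str]], attrs: Dict[str, str], subject_attr: str) -> str:
    """JIT step: create or update the target account keyed by the attribute that uniquely
    identifies the user (the 'Subject' idea). The directory dict is a constructed stand-in
    for the cloud application's user store. Returns 'created' or 'updated'."""
    key = attrs[subject_attr]
    status = "updated" if key in directory else "created"
    directory[key] = dict(attrs)
    return status


def example_mappings() -> List[AttributeMapping]:
    # Constructed mappings: target names and the Username derivation are illustrative.
    return [
        AttributeMapping("Email", AUTHN_RESULT_FIELD, "mail"),
        AttributeMapping("Role", CONSTANT, "standard_user"),
        AttributeMapping("DisplayName", EXPRESSION, lambda r: f"{r['givenName']} {r['sn']}"),
        AttributeMapping("Username", EXPRESSION, lambda r: r["mail"].split("@")[0].lower()),
    ]


def provision_example() -> Dict[str, str]:
    # Constructed authentication result for one user
    authn = {"mail": "JDoe@example.com", "givenName": "Jane", "sn": "Doe"}
    return apply_mappings(authn, example_mappings())


if __name__ == "__main__":
    store: Dict[str, Dict[str, str]] = {}
    attrs = provision_example()
    print(attrs)
    print(provision(store, attrs, "Username"), provision(store, attrs, "Username"))
```

Running the block twice against the same store shows the create-then-update behaviour that the guide describes for JIT provisioning: the second login for the same subject updates the existing account instead of creating a duplicate.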

1 In the Management Console, select Application Adapters from the Application Adapters tab drop-down list, then click New Application Adapter.
2 On the first step of the New Application Adapter wizard, specify values for the following options, then click Next.

Table 7-4 Application adapter name and type

Application adapter type: Select an application adapter type:
    ECA360 Token: Allows you to configure a custom connection to a cloud application or service.
    AppUp: Allows you to enable a connection to an Intel AppUp service.
Application Adapter Name: Specifies a name that uniquely identifies the application adapter in the McAfee Cloud SSO system.

3 On the Custom Connection step of the New Application Adapter wizard, specify values for the following options, then click Next.

Table 7-5 Option definitions for the application adapter Custom Connection step

Authn Response Binding: Select an option:
    HTTP_POST: Specifies that the authentication response and URL of the cloud application or service are placed in the HTTP body.
    HTTP_REDIRECT: Specifies that the authentication response and URL of the cloud application or service are placed in the URL query string.
AppUp Token Service Endpoint area
    Endpoint: (AppUp) Specifies the URL to use when sending an Intel AppUp session request to Intel Expressway Service Gateway.
Cloud App Logout Location area
    Cloud App Logout Location: Select this checkbox when configuring IdP-initiated SLO.
    Location: Specifies the SLO endpoint URL of the cloud application or service. When IdP-initiated SLO is configured, logging off the Identity Provider also logs the user off the cloud application or service.
Default Cloud App Page area

    Default Cloud App Page: Select this checkbox when configuring IdP-initiated SSO.
    Endpoint: Specifies the SSO endpoint URL of the cloud application or service. When IdP-initiated SSO is configured, logging in to the Identity Provider also logs the user in to the cloud application or service.

4 On the Token Profile step of the New Application Adapter wizard, expand the Conditions, Signature, and Token Attributes areas, specify values for the following options, then click Finish.

Table 7-6 Option definitions for the application adapter Token Profile step

Conditions
    Add audience: Restricts the token's audience to the specified URLs. The cloud application or service uses the audience to verify that it is the intended recipient of the token.
    Clock Skew: Specifies a value to use when calculating the token's expiration time. This value is designed to offset small differences between clocks in different security domains. Default value: 20. Units: seconds.
    Lifetime: Specifies a lifetime value to use when calculating the token's expiration time. When the expiration time is exceeded, the token is invalidated by the token consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains. Default value: 60. Units: seconds.
Signature
    Signature generation method: From the drop-down list, select RSA_WITH_SHA_1.
    Select a key pair: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign the token.
    Specify Issuer: When selected, allows you to specify the issuer of the key pair.
    Issuer: Specifies the URL of the McAfee Cloud SSO service that issues the signing key pair. The cloud application or service uses the issuer URL and key pair to verify the token.
Token Attributes: Specifies the attributes that are passed to the cloud application or service in the token.
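The Conditions and Signature settings of Table 7-6 are what the ECA360 Token consumer enforces on every token it receives: the signature proves the issuer, the audience proves the token was meant for this service, and Lifetime plus Clock Skew bound the validity window. The Python below is an added example of those checks, not the product's token format or code. The claim layout is constructed; an HMAC-SHA256 over the encoded claims stands in for the RSA_WITH_SHA_1 signature with a key pair (the point here is the validation order and the time window, not the signature algorithm); the issuer and audience URLs are placeholders; and the defaults of 20 seconds skew and 60 seconds lifetime come from the table.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Any, Dict, Tuple

DEFAULT_CLOCK_SKEW = 20   # seconds, the Clock Skew default in Table 7-6
DEFAULT_LIFETIME = 60     # seconds, the Lifetime default in Table 7-6


@dataclass
class TokenProfile:
    issuer: str                    # Issuer URL that the consumer will check
    audiences: Tuple[str, ...]     # Add audience: URLs allowed to accept the token
    lifetime: int = DEFAULT_LIFETIME
    clock_skew: int = DEFAULT_CLOCK_SKEW


def issue_token(profile: TokenProfile, key: bytes, attributes: Dict[str, str], issued_at: int) -> str:
    """Issuer side. HMAC-SHA256 over the encoded claims stands in for RSA_WITH_SHA_1 with
    a key pair; the claim names and the body.signature layout are constructed for the example."""
    claims = {"iss": profile.issuer, "aud": list(profile.audiences), "iat": issued_at,
              "exp": issued_at + profile.lifetime, "attrs": attributes}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + signature


def verify_token(token: str, key: bytes, expected_issuer: str, my_audience: str, now: int,
                 clock_skew: int = DEFAULT_CLOCK_SKEW) -> Tuple[bool, Any]:
    """Consumer side: signature first, then issuer and audience, then the validity window.
    Returns (True, attributes) or (False, reason)."""
    body, _, signature = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"          # nothing in an unverified token is trusted
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["iss"] != expected_issuer:
        return False, "unexpected issuer"
    if my_audience not in claims["aud"]:
        return False, "not intended audience"  # token was minted for another service
    # Clock Skew widens the window at both ends to absorb clock differences between domains.
    if now < claims["iat"] - clock_skew:
        return False, "token not yet valid"
    if now > claims["exp"] + clock_skew:
        return False, "token expired"
    return True, claims["attrs"]


if __name__ == "__main__":
    key = b"constructed-shared-secret"          # placeholder for the configured key pair
    profile = TokenProfile("https://sso.example.com/", ("https://app.example.com/",))
    token = issue_token(profile, key, {"mail": "jdoe@example.com"}, issued_at=1000)
    print(verify_token(token, key, profile.issuer, "https://app.example.com/", now=1030))
    print(verify_token(token, key, profile.issuer, "https://app.example.com/", now=1081))
```

With the defaults, a token issued at second 1000 is accepted from second 980 through second 1080: the 60-second Lifetime sets the expiry and the 20-second Clock Skew is applied on both sides. Raising Clock Skew buys tolerance for drifting clocks at the price of a longer replay window, which is why the table pairs it with a short Lifetime sized to the expected transmission latency rather than a generous one.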


8 Integrating McAfee Cloud SSO with Web Gateway

Web Gateway is a web security software appliance that protects your network from external threats on the web and prevents sensitive content from leaving your network. Integrating McAfee Cloud SSO with Web Gateway combines the SSO role of McAfee Cloud SSO with the enhanced web security provided by Web Gateway. Authentication can be performed by McAfee Cloud SSO or by Web Gateway. The global option that determines which product performs authentication is configured in the Web Gateway user interface.

Contents
    Benefits of Web Gateway integration
    How enabling and disabling Web Gateway integration affects SSO
    How McAfee Cloud SSO and Web Gateway implement SSO together
    Configure McAfee Cloud SSO and Web Gateway to work together
    Web Gateway integration and Cloud Connector reference

Benefits of Web Gateway integration

In addition to providing a layer of security between users in your network and the web, Web Gateway adds to the functionality provided by McAfee Cloud SSO. Specific benefits include the following.

Table 8-1 Benefits of Web Gateway integration

Support for additional cloud applications: Web Gateway supports cloud applications that provide login page information dynamically (such as DropBox) and therefore are not supported by McAfee Cloud SSO. Web Gateway modifies the login page by adding JavaScript. The JavaScript dynamically formats the login page with fields that are specific to the cloud application and completes the fields with information in the custom ECA360 Token already provided by McAfee Cloud SSO.
Hidden password: Web Gateway hides the password of the already authenticated user from the client computer (where the user is seeking access to a cloud application) by replacing the real password with a placeholder.

How enabling and disabling Web Gateway integration affects SSO

You can enable and disable Web Gateway integration globally or individually for POST Cloud Connectors that support SSO through Web Gateway. The effect of the integration option on SSO depends on whether a particular Cloud Connector supports SSO through McAfee Cloud SSO, Web Gateway, or through both products. McAfee Cloud SSO supports SSO to POST cloud applications that provide login page information dynamically (such as DropBox) with dynamic Cloud Connectors. Dynamic Cloud Connectors only support SSO through integration with Web Gateway.

Table 8-2 How enabling and disabling Web Gateway integration affects SSO

Cloud Connectors that support SSO through McAfee Cloud SSO only
    Integration enabled or disabled: The integration option has no effect. SSO takes place through McAfee Cloud SSO.
Cloud Connectors that support SSO through Web Gateway only (Dynamic Cloud Connectors)
    Integration enabled: SSO takes place through Web Gateway.
    Integration disabled: Dynamic Cloud Connectors that depend on Web Gateway integration are disabled.
Cloud Connectors that support SSO through McAfee Cloud SSO or Web Gateway
    Integration enabled: SSO takes place through Web Gateway.
    Integration disabled: SSO takes place through McAfee Cloud SSO.

How McAfee Cloud SSO and Web Gateway implement SSO together

Web Gateway supports additional cloud applications by dynamically modifying the login page using JavaScript and replaces the real password with a placeholder. The user can be authenticated by McAfee Cloud SSO or by Web Gateway. For the authenticated user, the integrated SSO process consists of the following steps.

Figure 8-1 How McAfee Cloud SSO and Web Gateway implement SSO together

1 On the application launch portal in a web browser, the end user requests access to a cloud application that is enabled for integration with Web Gateway.
2 McAfee Cloud SSO redirects the end user's request through the web browser to Web Gateway, passing an encrypted custom ECA360 Token containing user attributes in the MWGSSOInfo parameter in the URL.
3 Web Gateway removes the token from the URL, stores the token internally, then forwards the end user's request to the server where the cloud application is running.
4 The cloud application returns a login page to Web Gateway.
  Users of cloud applications manage their own POST credentials. The first time they request access to a cloud application, they provide their POST credentials on the login form. McAfee Cloud SSO saves the POST credentials in a credential store. Users do not need to provide their credentials again unless the administrator clears the credential store. This one-time step is not shown in the diagram.
5 Web Gateway adds JavaScript to the login page. The JavaScript dynamically formats the login page with fields that are specific to the cloud application and completes them with the information already provided in the custom ECA360 Token. Web Gateway replaces the actual password with a placeholder, then forwards the modified login page to the client computer (where the end user selected the cloud application on the portal page).
6 The JavaScript extends the login page so that the user agent on the client computer immediately submits the login form to the cloud application through Web Gateway. The end user does not see the form and does not need to log in a second time.

7 Web Gateway replaces the placeholder password with the real password and forwards the login form to the cloud application.
8 The cloud application logs in the end user.

Configure McAfee Cloud SSO and Web Gateway to work together

Complete the following high-level tasks so that McAfee Cloud SSO and Web Gateway can implement SSO together.

1 Install McAfee Cloud SSO and Web Gateway on separate appliances running MLOS (McAfee Linux Operating System) in your network. The software versions are:
    McAfee Cloud SSO or later
    Web Gateway or later
  For more information about installing Web Gateway, see the McAfee Web Gateway Product Guide.
2 Enable integration with Web Gateway in the Management Console. On the Connector Plug-ins page, you can enable and disable integration with Web Gateway globally and individually for the Cloud Connectors that support SSO through Web Gateway. The options include the secret key that McAfee Cloud SSO and Web Gateway share.
3 Integrate Web Gateway with McAfee Cloud SSO in the Web Gateway user interface. For more information about configuring Web Gateway, see the McAfee Web Gateway Product Guide.
4 (Optional) If Web Gateway is configured to verify the signed custom ECA360 Token that McAfee Cloud SSO sends, provide the X.509 certificate, which can be exported in the Management Console.
5 To synchronize time on the McAfee Cloud SSO and Web Gateway appliances, configure MLOS to use the NTP (Network Time Protocol) service.

Web Gateway integration and Cloud Connector reference

When configuring a POST Cloud Connector, you need to know whether the connector supports or requires Web Gateway integration. You can find this information in the following table.
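The exchange in steps 1 through 8, as an added model written for this page and not McAfee's own code: only the MWGSSOInfo parameter name and the hidden-password placeholder idea come from the guide. The token layout (a keyed HMAC over the user attributes standing in for the encrypted, signed ECA360 Token and the shared secret key of task 2), the placeholder string, the login-form field names and every class and function name are constructed assumptions.

```python
"""Added model of the McAfee Cloud SSO / Web Gateway SSO exchange (not McAfee code).
Cloud SSO builds the redirect (step 2); the gateway strips and verifies the token
(step 3), fills the app-specific login form with the password hidden (step 5) and
restores the real password on the way to the application (step 7)."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SHARED_KEY = b"constructed-shared-secret"  # stands in for the key both products share
PASSWORD_PLACEHOLDER = "********"          # constructed placeholder shown to the client


def make_token(key: bytes, attrs: dict) -> str:
    """Cloud SSO side: serialise the user attributes and append an HMAC so the
    gateway can detect tampering (encryption is omitted in this model)."""
    body = base64.urlsafe_b64encode(json.dumps(attrs, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(key: bytes, token: str) -> dict:
    """Gateway side: refuse any token whose MAC does not verify."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("ECA360 token failed verification")
    return json.loads(base64.urlsafe_b64decode(body))


def build_redirect(app_url: str, token: str) -> str:
    """Step 2: the redirect URL carries the token in the MWGSSOInfo parameter."""
    parts = urlsplit(app_url)
    query = parse_qs(parts.query)
    query["MWGSSOInfo"] = [token]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


class GatewayModel:
    """Web Gateway side of the flow (steps 3, 5 and 7)."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}  # constructed session id -> verified token attributes

    def strip_token(self, url: str):
        """Step 3: remove MWGSSOInfo from the URL, keep the verified attributes
        internally and return (session id, clean URL for the cloud application)."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        token = query.pop("MWGSSOInfo", [None])[0]
        if token is None:
            raise ValueError("request carries no MWGSSOInfo parameter")
        sid = secrets.token_hex(8)
        self.sessions[sid] = parse_token(self.key, token)
        clean = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
        return sid, clean

    def fill_login_form(self, sid: str, fields: dict) -> dict:
        """Step 5: complete the application's fields (field name -> attribute name)
        from the token, with the password replaced by the placeholder before the
        form reaches the client computer."""
        attrs = self.sessions[sid]
        form = {name: attrs.get(source, "") for name, source in fields.items()}
        for name, source in fields.items():
            if source == "password":
                form[name] = PASSWORD_PLACEHOLDER
        return form

    def submit_login_form(self, sid: str, form: dict, fields: dict) -> dict:
        """Step 7: swap the placeholder back for the real password. A client that
        altered the password field is rejected rather than forwarded."""
        attrs = self.sessions[sid]
        out = dict(form)
        for name, source in fields.items():
            if source == "password":
                if form.get(name) != PASSWORD_PLACEHOLDER:
                    raise ValueError("password field was altered on the client")
                out[name] = attrs["password"]
        return out
```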
Table 8-3 Web Gateway integration and Cloud Connector reference

Cloud Connectors: ABIresearch, AceProjects, ActiveCollab, ActiveGiving, ActiveHosted, ActiveNetworketeamz
Web Gateway integration column: Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: ActiveWorks, Acunote, AdaptiveCurriculum, AdaptivePlanning, AddThis, AdknowledgeAdvertiser, AdminiTrack, AdReady, ADrive, AdSpeed, AerLingus, Agilewords, AgreenSign, AirCanada, AlaskaAirlines, AlbridgeSolutions, AlertGrid, AllClients, AltoSoftInsightOnDemand, AmericanAirlines, AppHarbor, AppleDeveloper, ApplicantStack, AppShore, Appsplit, ArenaSolutionsBOMControl, ArenaSolutionsPartsList, ArenaSolutionsPDXViewer, AribaExchange, Asana, Assembla, Atlassian, AtMail, AxedaServiceLink, Backupify, Balsamiq, BarracudaNetworks, BeanStalk, BenchMark
Web Gateway integration column: Required, Required, Required, Required, Required, Required, Required, Required, Required, Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: BetterLesson, BidSpeed, BigCommerce, Bijk, Bill, BillingOrchard, Bime, BitBucket, BlackberryDeveloperZone, Blogger, Bloomberg, BlueFolder, Bontq, BookFresh, Boomerang, Box, Brainpop, BrightCove, Brightpearl, BrixHQ, BTwoBee, Buffer, BugAware, BugHost, BUGtrack, BusinessExchange, BusinessITOnline, CacheFly, Cacoo, Cak, CampaignMonitor, CapriccioFuzion, CapsuleCRM, Captoom, Carbonite, Care2, CDWG, Certify, Chargify
Web Gateway integration column: Required, Required, Required, Required, Required, Not supported, Required, Required, Required, Required, Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: CheckboxOnline, CheckFront, ClickTale, ClickTime, Clicktools, ClientSpot, CloudApp, Cloudbees, CloudFlare, CloudSharePro, Cloudwords, CodebaseHQ, Codesion, ConceptShare, Concur, ConferenceCalls, ConstantContact, ContactChamp, Contactology, ContractPal, ConvertExperiments, CostcoPhotoCenter, Cozimo, Craigslist, CrazyEgg, CriteriaHireSelect, Crocodoc, CrowdSpring, CroweHorwath, CrunchBase, CurdBee, Cvent, Danaher, DeemAtWork, DeltaSkyMiles, Desk, Deskaway, DigitalBucket, Diigo
Web Gateway integration column: Required, Required, Required, Not supported, Required, Required, Required, Required, Required, Required, Required, Required, Required, Not supported, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: DirectIQ, Disqus, DNSstuff, Do.com, DocLanding, Docstoc, DocumenTree, DocVerify, dotphoto, DreamBox, DriveHQ, DropBox, DropSend, DynDNS, ebay, EBSuiteCRM, EchoSpan, Edmodo, edocr, EggZack, eifrs, ELeaP, Elementool, ElephantDrive, Elite, Eloqua, Brain, EmpireAvenue, Endomondo, EngineYard, EnterpriseWizardEndUser, EnterpriseWizardStaff, Enthusem, Etsy, Eventzilla, Evernote, Expedia, ExpenseCloud, Expensify
Web Gateway integration column: Required, Required, Required, Required, Required, Required, Required, Required, Required, Required, Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: EzineArticles, Facebook, FairmontHotels, FanTools, FatWallet, FaxItNice, FedEx, Feedity, FengOffice, Fidessa, FilesAnywhere, FivePM, Flavors, Flickr, FlipDrive, Flipkart, FluidSurveys, Flurry, FogBugz, Fontdeck, FormStack, Fotki, Freckle, FreeAgent, FreeOnlineSurveys, FreshBooks, FunctionFox, Fus, GeoOp, Geotoko, GetDashboard, GetSatisfaction, GigPark, Ginzametrics, GitHub, Glance, Gliffy, gofms, GoSquared
Web Gateway integration column: Required, Required, Not supported, Required, Not supported, Required, Required, Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: GrapevineSurveys, Gravatar, GreenRope, Grockit, HeapCRM, HelpOnClick, Heroku, Hightail, HiltonHotels, HipChat, HootSuite, Hotels.com, Hotwire, HTwoDesk, HubPages, HubSpot, Iacez, IBMGERS, ICanMakeItBetter, icontact, icyte, IDrive, ImpelCRM, Indicee, InDinero, InformaticaCommunity, InsideSales, InsideView, InstantSurvey, Instapaper, IntelForum, Interstate, Intervals, IntuitOnlinePayroll, IntuitQuickBooks, InvoiceDude, InvoiceJournal, InvoiceMachine, InvoicePlace
Web Gateway integration column: Required, Not supported, Required, Required, Not supported

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: Invoicera, Invotrak, iperceptions, IronMountain, Jigsaw, Jira, JitbitHelpDesk, JobScoreJobSeeker, Jobvite, JoyentCloud, KarmaCRM, KashFlow, Ketera, KeySurvey, KnowledgeTree, LandslideCRM, LAssuranceMaladie, LeadMaster, LessAnnoyingCRM, LetterGenie, Liftshare, LightCMS, LightHouse, Lijit, LinkedIn, LiquidPlanner, Litmos, LiveChat, LivePerson, LogMeIn, LogMeInRescue, Lokad, LoopFuse, LucidChart, LuxorCRM, MaaSThreeSixty, MailChimp, Malse, MantisBT
Web Gateway integration column: Required, Required, Required, Not supported, Not supported, Not supported

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: MarriottHotels, Mediacore, Meetup, Metacafe, Metricly, MFG, MindSalt, Mint, Mixpanel, MongoHQ, MongoLab, Monster, MyERP, MYOBLiveAccounts, myphotopipe, Neosites, Netbiscuits, NetConference, NetDocuments, NewRelic, Nexonia, NexTag, NMQuote, Nomadesk, NomadeskPartner, Notable, NoviSystems, Nozbe, Nutshell, Olark, OneHub, OnePlace, OnSIPAdmin, OnTwentyFour, oovoo, OpenDrive, OpenTable, Oprius, OrangeHRMLive
Web Gateway integration column: Not supported, Not supported, Not supported, Not supported, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: Orbitz, Osmek, PageDNA, Paymo, Paypal, PBase, Pbworks, Pingdom, Pipedrive, PipelineDeals, PitneyBowes, PlanDone, Plaxo, Podio, PollEverywhere, PressKing, Priceline, ProofHQ, Proofhub, Proposable, ProtoShare, Putio, Qhub, Qualtrics, QualysGuardPCI, Quantcast, QuestionPro, RaceResults, RationalSurvey, Raven, ReallySimpleSystems, RealtyLogGuest, RealtyLogMember, ReardenCommerce, RecruiterBox, Recurly, Relenta, RemedyForce, RemotiaCRM
Web Gateway integration column: Not supported, Required, Not supported

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: Reviewsnap, RightScale, RightSignature, Saasu, Salesboom, SalesGenius, SalesJunction, Sazneo, SearchMetrics, SendGrid, SendSix, SendThisFile, ServiceMax, ServiceMEight, Severa, ShiftPlanning, ShoeBoxed, Simplicant, SimplyBill, SiteKreator, SkedgeMe, Slickdeals, SlideRocket, SmartBrief, Smarter, SmarterTravel, SmartQWeb, Smartsheet, SnapBill, SnapFish, Southwest, SpotlightReporting, Spreedly, Springpad, StandingCloud, StarwoodHotels, StreamSend, SugarSync, SurveyGizmo
Web Gateway integration column: Required, Not supported, Required, Required, Not supported, Not supported

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: SurveyMonkey, SurveyShare, Survs, Syncd, TactileCRM, TappIn, Teambox, TeamDesk, TeamWorkLive, TeamWorkProjectManager, TestFlight, Theresumator, ThirtySevenSignals, TickSpot, TimeBridge, Timetonote, Toodledo, TrackVia, Travelocity, TribeHR, TrueShare, Twitter, Unbounce, UsabilityHub, Usabilla, usekitprobindr, VersionOne, VerticalResponse, VigLink, VisionHelpdesk, VisualWebsiteOptimizer, Vitalist, VMwareAccountLogin, Volusion, WalgreensPhoto, WebCargo, webcrm, WebExPCNow, WebSuitePro
Web Gateway integration column: Required, Not supported, Not supported, Required, Required, Required

Table 8-3 Web Gateway integration and Cloud Connector reference (continued)

Cloud Connectors: WeCollaborate, Wedoist, Weebly, Wistia, WizeHive, Woopra, Woot, WorkdayCommunity, WorkforceGrowth, WorkforceTrack, Wrike, Wufoo, Xactly, Xpressdocs, YahooMail, Yapta, ZAPSurvey, Zepppelin, ZipDX, ZipRecruiter, ZipSurvey, ZocDoc
Web Gateway integration column: Required, Required, Not supported

9 Logging and monitoring

McAfee Cloud SSO offers audit logging and alerts, transaction and error logging, and the metrics and login history features. Each type of log or data can be filtered and viewed, downloaded to a file, or cleared in the McAfee Cloud SSO system.

Contents
  What the logs and monitoring features record
  Audit logging and alerts
  Manage audit logging
  Manage alerts
  Manage the alert log
  Audit events reference
  Manage transaction and error logging
  Use cloud metrics to monitor end-user events
  Use login history to monitor login and logoff events

What the logs and monitoring features record

The logs and monitoring features record different types of data, as shown in the following table.

Table 9-1 Data recorded

Audit log: Records all events generated by administrative user actions in the Management Console. The audit log is monitored through the alerts feature.
Alert log: Records selected events generated by administrative user actions in the Management Console. Alerts are set up to monitor events in the audit log.
Transaction log: Records all identity service operations as one of the following types:
  Transaction: The identity service operation completed successfully.
  Exception: The identity service operation did not complete successfully.
Cloud metrics: Records and counts end-user events.
Login history: Records login and logoff events for all administrative users and end users.

Audit logging and alerts

McAfee Cloud SSO uses an events-based auditing model that records all events generated by administrative user actions in the Management Console. Using the events-based model, administrators can configure auditing policies and alert triggers that support the security and compliance requirements of their organizations. They can view audit events in the audit and alert logs. While both logs are based on audit events, they are otherwise independent.

Table 9-2 Events-based audit logging and alerts

Audit log
  Configuration: Configure an auditing policy.
  Use when: Use audit logging to record every event you want to view.
Alert log
  Configuration: Configure alert triggers.
  Use when: Use the alert feature to log selected events.

Manage audit logging

Audit logging is managed through the auditing policy that determines which events are entered in the audit log. You can configure and apply a filter to the audit log and view the results. You can download the audit log to a .zip file, and you can purge or clear the audit log.

Configure the auditing policy

Specify the maximum audit log size and the log archive location. When you enable or disable the auditing policy, you enable or disable logging of individual audit event types. The auditing policy takes effect as soon as you save it.

1 In the Management Console, select the Logs tab, select the Auditing tab, then click Configure.
2 In the Configure the Auditing Policy dialog box, specify values for the following options, then click OK.

Table 9-3 Option definitions for the audit log policy

Maximum log entries: Specifies the maximum number of audit log entries to store in the database. When the audit log reaches the specified maximum size, the log is archived and the database is cleared. Default: (100 million)
Database archive location: Specifies the location of the archived audit log.
Enable event logging: Select an option:
  True: Enables event logging
  False: Disables event logging
  For each event in the table: Select the Enable checkbox to enable logging of the event, or deselect the Enable checkbox to disable logging of the event.

Configure a filter for the audit log

The audit log filter allows you to configure and view a subset of all entries in the audit log.

1 In the Management Console, select the Logs tab, then select the Auditing tab.
2 Specify values for the following options, then click Apply Filter.

Table 9-4 Filter options for the audit log

Duration: Limits the display to events generated in the specified time period.
Event Name: Limits the display to events having the specified names.
User ID: Limits the display to events generated by the specified users.
Event Node: Limits the display to events generated on the specified instances of McAfee Cloud SSO.
Message Text: Limits the display to events having the specified message text.
Event Issuer: Limits the display to events issued by the specified event source.
Source Component: Limits the display to events that are executed and logged by the specified McAfee Cloud SSO component.

View the audit log

You can view all entries in the audit log, or you can configure and apply a filter to view selected entries.

1 In the Management Console, select the Logs tab, then select the Auditing tab.
2 For each event in the display, you can view the following columns.

Table 9-5 Audit log viewing options

Creation Time: Specifies the date and time when the event was generated.
Event Node: Specifies the server where the event was generated.
Event Name: Specifies the name of the event.
Source Component: Specifies the McAfee Cloud SSO component that executed and logged the event.
Status: Specifies the outcome of the event.
Message: Describes the event. To view the details, click the message.

Download the audit log

To save the audit log locally on your computer, download it to a .zip file in your web browser's download directory.

1 In the Management Console, select the Logs tab, select the Auditing tab, then click Download.
2 In the dialog box, configure the following options, then click OK.

Table 9-6 Option definitions for downloading an audit log

Download As: Select a format for the data downloaded to the .zip file:
  XML
  CSV
Interval: Select a time interval for the entries downloaded to the .zip file:
  Before Date: All entries logged before the specified date and time are downloaded.
  Between Dates: All entries logged between the specified dates and times are downloaded.

Purge the audit log

You can clear all entries in the audit log or only the entries in a specified range of dates. For example, you can clear only the oldest entries.

1 In the Management Console, select the Logs tab, select the Auditing tab, then click Purge Log.
2 In the dialog box, configure the following options, click OK, then click Yes to confirm.

Table 9-7 Option definitions for purging a log

Interval: Select a time interval for the entries to be cleared from the log:
  Before Date: All entries logged before the specified date and time are purged.
  Between Dates: All entries logged between the specified dates and times are purged.

Manage alerts

The alerts feature allows you to configure which audit events you want logged to the alert log, emailed to you, or both. You can configure alerts in the Management Console or import custom notification methods configured using the SDK that comes with McAfee Cloud SSO.

Create an alert

Configure the alert's trigger conditions and notification methods in the New Alert wizard. You can also import and manage alert notification plug-ins developed using the SDK that comes with McAfee Cloud SSO.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list.
2 Click the Configure Alerts tab, then click New Alert.
3 In the New Alert wizard, on the General Settings step, specify values for the following options.

Table 9-8 Option definitions for General Settings

Alert Name: Specifies a name that uniquely identifies the alert in the McAfee Cloud SSO system. Example: User_login_failure
Alert Severity: From the drop-down list, select a severity level:
  High
  Medium
  Low
  When you configure a filter for the alert log, you can use this option to specify which alerts you want to view in the filtered results.
Alert Message:
  Head: Type a summary of the alert in this field.
  Body: Type the alert details in this field.

4 In the New Alert wizard, on the Trigger Conditions step, specify values for the following options, then click Next.

Table 9-9 Option definitions for Trigger Conditions

Add Event: When clicked, opens the Add Auditing Event dialog box.
Add Auditing Event dialog box:
  Auditing Event Name: From the drop-down list, select the name of the event that you want to trigger an alert.
  Auditing Event Action: (Optional) For events that have actions associated with them, select an action from the drop-down list. Only the selected event and action trigger an alert.
  Auditing Event Status: From the drop-down list, select an option. Only the selected event and status trigger an alert.
    Success: Specifies that the event completed successfully
    Failure: Specifies that the event did not complete successfully
Max Occurrences: Specifies the maximum number of alerts that can be generated by all trigger conditions that are configured for the alert.
Effective Date: From the drop-down list, select an option:
  Always: Specifies that the alert is always enabled
  From: Specifies a date after which the alert is enabled
  To: Specifies a date before which the alert is enabled
  Interval: Specifies a time interval during which the alert is enabled

Table 9-9 Option definitions for Trigger Conditions (continued)

Target Users: Select an option:
  All Users: Specifies that all users trigger the alert
  Specify: Specifies that only users whose names or groups are listed trigger the alert
  Edit: When clicked, opens the Target Users dialog box
Target Users dialog box: Configuring the following options populates the Available Users area with users and groups that can be selected and added to the alert:
  Identity Store: From the drop-down list, select the identity store where the users and groups reside.
  Base DN: Specifies the entry in the LDAP tree where the search for users and groups begins. Example: ou=users,ou=system

5 In the New Alert wizard, on the Notification Setup step, specify values for the following options, then click Finish.

Table 9-10 Option definitions for Notification Setup

Shortcut Setup: Select one or more built-in alert notification methods:
  Send an email to admin@<server>
  Write to the alert log
Custom Notifications: Select an option:
  New Notification: When clicked, opens the New Alert Notification dialog box, where you can configure an alert notification method.
  Manage Custom Notifier: When clicked, opens the Custom Notifier Plug-ins dialog box, where you can import, view, and manage user-defined alert notification plug-ins.
New Alert Notification dialog box: To configure an alert notification method, specify values for the following options:
  Notifier Name: Specifies a name that uniquely identifies the alert notification method in the McAfee Cloud SSO system.
  Notifier Type: From the drop-down list, select an alert notification type:
    LogNotifier: Writes the alert to the alert log
    Notifier: Allows you to configure an email alert notification
    CustomNotifier: Allows you to select a user-defined alert notification plug-in from the Plug-in Name drop-down list

Table 9-10 Option definitions for Notification Setup (continued)

Custom Notifier Plug-ins dialog box: View and manage the alert notification plug-ins in the McAfee Cloud SSO system.
  Plug-in Name: Lists the name assigned when the alert notification method was uploaded in a .jar file.
  Plug-in File: Lists the name of the .jar file that was uploaded.
  Plug-in ID: Lists a unique identifier generated by McAfee Cloud SSO.
  Actions: Allow you to manage the alert notification plug-ins:
    Remove: Deletes the corresponding alert notification plug-in
    Update: Opens the Upload Custom Plug-in dialog box, where you replace the current plug-in with a new one
    Active: Activates or deactivates the alert notification plug-in
  Import New Plug-in: When clicked, opens the Upload Custom Plug-in dialog box, where you can upload a user-defined alert notification method.
Upload Custom Plug-in dialog box: Specify values for the following options, then click Submit:
  Plug-in Name: Specifies a name that uniquely identifies the user-defined alert notification plug-in for the McAfee Cloud SSO system.
  File: Browse for and select the .jar file containing the configuration for the custom alert notification plug-in.

View alerts

You can view the configured alerts.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Configure Alerts.
2 In the Alert Name area, select the alert you want to view. The selected alert's trigger conditions and notification methods are displayed in the Triggers area and Notifications area, respectively.

Delete an alert

You can delete an alert that you no longer need.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then select Configure Alerts.
2 In the Alert Name area, click the delete icon corresponding to the alert you want to delete, then click Yes to confirm.
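The trigger semantics of Table 9-9 (event name, optional action, status, Max Occurrences, Effective Date and Target Users), worked as an added example over constructed audit-log entries; this is not McAfee code. Event names, actions and source components follow Table 9-15 and the User_login_failure alert name follows Table 9-8; the entry layout, the alert-log entry layout, all class and function names and every sample value are constructed assumptions.

```python
"""Added model of alert trigger evaluation (not McAfee code): each alert is
checked against every audit event in order, honouring the alert's effective
window, target users and Max Occurrences cap, and the entries that would be
written to the alert log are returned."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class AuditEvent:
    """One audit log entry (constructed layout modelled on Table 9-5)."""
    time: datetime
    name: str                 # Event Name, as listed in Table 9-15
    action: Optional[str]     # Event action, or None where Table 9-15 says "none"
    status: str               # "Success" or "Failure"
    user: str                 # User ID of the administrative user
    component: str            # Source Component


@dataclass
class Trigger:
    """One row added through the Add Auditing Event dialog box."""
    event_name: str
    status: str                   # Auditing Event Status: Success or Failure
    action: Optional[str] = None  # Auditing Event Action (optional)

    def matches(self, ev: AuditEvent) -> bool:
        # Only the selected event, status and (if chosen) action trigger the alert.
        if self.event_name != ev.name or self.status != ev.status:
            return False
        return self.action is None or self.action == ev.action


@dataclass
class Alert:
    """General Settings plus Trigger Conditions of one alert."""
    name: str
    severity: str                              # High, Medium or Low
    head: str                                  # Alert Message: Head
    triggers: List[Trigger]
    max_occurrences: Optional[int] = None      # None: no cap
    effective_from: Optional[datetime] = None  # Effective Date: From / Interval start
    effective_to: Optional[datetime] = None    # Effective Date: To / Interval end
    target_users: Optional[Set[str]] = None    # None: All Users
    fired: int = 0                             # alerts generated so far

    def applies(self, ev: AuditEvent) -> bool:
        if self.effective_from and ev.time < self.effective_from:
            return False
        if self.effective_to and ev.time > self.effective_to:
            return False
        if self.target_users is not None and ev.user not in self.target_users:
            return False
        if self.max_occurrences is not None and self.fired >= self.max_occurrences:
            return False
        return any(t.matches(ev) for t in self.triggers)


def run_alerts(alerts: List[Alert], events: List[AuditEvent]) -> List[dict]:
    """Return the alert-log entries produced (columns modelled on Table 9-12)."""
    log = []
    for ev in events:
        for alert in alerts:
            if alert.applies(ev):
                alert.fired += 1
                log.append({
                    "time": ev.time, "severity": alert.severity, "name": alert.name,
                    "summary": alert.head,
                    "detail": f"{ev.name} {ev.action or 'none'} {ev.status} "
                              f"by {ev.user} ({ev.component})",
                })
    return log


# Constructed sample audit-log entries: three console login failures by one
# user, a successful login in between, and two access-policy deletions.
T = datetime
SAMPLE_EVENTS = [
    AuditEvent(T(2013, 6, 3, 9, 0), "CloudAccess360_Login_Attempt", None, "Failure", "alice", "CloudAccess360_System_Config"),
    AuditEvent(T(2013, 6, 3, 9, 1), "CloudAccess360_Login_Attempt", None, "Failure", "alice", "CloudAccess360_System_Config"),
    AuditEvent(T(2013, 6, 3, 9, 2), "CloudAccess360_Login_Attempt", None, "Success", "alice", "CloudAccess360_System_Config"),
    AuditEvent(T(2013, 6, 3, 9, 3), "CloudAccess360_Login_Attempt", None, "Failure", "alice", "CloudAccess360_System_Config"),
    AuditEvent(T(2013, 6, 3, 9, 4), "XACML_Policy_Change", "update", "Success", "bob", "CloudAccess360_Identity_Config"),
    AuditEvent(T(2013, 6, 3, 9, 5), "XACML_Policy_Change", "delete", "Success", "bob", "CloudAccess360_Identity_Config"),
    AuditEvent(T(2013, 6, 3, 9, 6), "XACML_Policy_Change", "delete", "Success", "carol", "CloudAccess360_Identity_Config"),
]


def sample_alerts() -> List[Alert]:
    """Two constructed alerts: the guide's User_login_failure example capped at
    two occurrences, and a policy-deletion alert limited to one target user."""
    return [
        Alert("User_login_failure", "High", "Console login failed",
              [Trigger("CloudAccess360_Login_Attempt", "Failure")], max_occurrences=2),
        Alert("XACML_policy_deleted", "Medium", "Access policy deleted",
              [Trigger("XACML_Policy_Change", "Success", action="delete")],
              target_users={"bob"}),
    ]


if __name__ == "__main__":
    for entry in run_alerts(sample_alerts(), SAMPLE_EVENTS):
        print(entry["time"], entry["severity"], entry["name"], entry["detail"])
```

With the sample data the third login failure is suppressed by Max Occurrences and carol's deletion by Target Users, so three alert-log entries result.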

Modify an alert

You can modify an alert that has been saved in the McAfee Cloud SSO system.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Configure Alerts.
2 In the Alert Name area, click the edit icon corresponding to the alert you want to modify.
3 In the Edit Alert wizard, make changes as needed, then click Finish.

Manage the alert log

You can configure and apply a filter to the alert log and view the results.

Configure a filter for the alert log

The alert log filter allows you to configure and view a subset of all entries in the alert log.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Filter Alerts.
2 Specify values for the following options, then click Apply Filter.

Table 9-11 Filter option definitions for the alert log

Duration: Limits the display to alerts generated in the specified time period.
Alert Name: Limits the display to alerts having the specified names.
Alert Severity: Limits the display to alerts having the specified severity levels.
Alert Summary: Limits the display to alerts having the specified summary text.
Alert Detail: Limits the display to alerts having the specified details.
Alert Node: Limits the display to alerts generated on the specified instances of McAfee Cloud SSO.

View the alert log

You can view all entries in the alert log, or you can configure and apply a filter to view selected entries.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Filter Alerts.
2 For each alert in the display, you can view the following columns.

Table 9-12 View entries in the alert log

Alert Time: Specifies the date and time when the alert was generated.
Alert Node: Specifies the server where the alert was generated.
Alert Severity: Specifies the severity level of the alert.
Alert Name: Specifies the name of the alert.
Alert Summary: Specifies the summary that describes the alert.
Alert Detail: Specifies the details that describe the alert.

Download the alert log

To save the alert log locally on your computer, you can download it to a .zip file in your web browser's download directory.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Download.
2 In the dialog box, configure the following options, then click OK.

Table 9-13 Option definitions for downloading a log

Download As: Select a format for the data downloaded to the .zip file:
  XML
  CSV
Interval: Select a time interval for the entries downloaded to the .zip file:
  Before Date: All entries logged before the specified date and time are downloaded.
  Between Dates: All entries logged between the specified dates and times are downloaded.

Purge the alert log

You can clear all entries in the alert log or only the entries in a specified range of dates. For example, you can clear only the oldest entries.

1 In the Management Console, select Alerts from the Monitoring tab drop-down list, then click Purge Log.
2 In the dialog box, configure the following options, click OK, then click Yes to confirm.

Table 9-14 Option definitions for purging a log

Interval: Select a time interval for the entries to be cleared from the log:
  Before Date: All entries logged before the specified date and time are purged.
  Between Dates: All entries logged between the specified dates and times are purged.

Audit events reference

Audit events are all events generated by administrator and administrative user actions in the Management Console. Some events have actions associated with them. Source components are the system components that execute and log each event and action.

Table 9-15 Audit events

Event name | Event action | Source component
User_Provisioned | create, update, delete | CloudAccess360_Identity_Runtime
User_Deprovisioned | none | CloudAccess360_Identity_Runtime
Authentication | pass, block | CloudAccess360_Identity_Runtime
Authorization | permit, deny | CloudAccess360_Identity_Runtime
CloudAccess360_IDP_SSO | none | CloudAccess360_Identity_Runtime
CloudAccess360_IDP_SLO | none | CloudAccess360_Identity_Runtime
CloudAccess360_SP_SSO | none | CloudAccess360_Identity_Runtime
CloudAccess360_SP_SLO | none | CloudAccess360_Identity_Runtime
IdentityMapped | none | CloudAccess360_Identity_Runtime
Trust_Broker_Change | create, update, delete | CloudAccess360_Identity_Config
Identity_Store_Change | create, update, delete | CloudAccess360_Identity_Config
XACML_Policy_Change | create, update, delete | CloudAccess360_Identity_Config
XACML_PDP_Change | create, update, delete | CloudAccess360_Identity_Config
User_Role_Change | create, update, delete | CloudAccess360_Identity_Config
Provision_Plugin_Change | create, update, delete | CloudAccess360_Identity_Config
Service_Enable | none | CloudAccess360_System_Config
Service_Disable | none | CloudAccess360_System_Config
CloudAccess360_API_Access | none | CloudAccess360_System_Config
CloudAccess360_Login_Attempt | none | CloudAccess360_System_Config
CloudAccess360_Logout_Attempt | none | CloudAccess360_System_Config
CloudAccess360_User_Management | create, update, delete | CloudAccess360_System_Config
Proxy_Configuration_Change | create, update, delete | CloudAccess360_System_Config
ReverseProxy_Configuration_Change | create, update, delete | CloudAccess360_System_Config
Hibernate_Configuration_Change | create, update, delete | CloudAccess360_System_Config
OSGI_Configuration_Change | none | CloudAccess360_System_Config
New_Service_Deployed | none | CloudAccess360_WebIDE
Service_Undeployed | none | CloudAccess360_WebIDE

Table 9-15 Audit events (continued)
  Event name                 | Event action | Source component
  REST_Configuration_Change  | none         | CloudAccess360_WebIDE
  Service_Update             | none         | CloudAccess360_WebIDE

Manage transaction and error logging

McAfee Cloud SSO records two types of entries in the transaction log: transactions and exceptions. A transaction, such as logging on, is defined as a completed identity service operation. Each transaction is a process with multiple steps. McAfee Cloud SSO assigns each transaction a unique identifier and records the transaction's steps in the log under that identifier. An exception is a transaction that did not complete, or completed with an error.

The transaction logging feature allows you to configure which transactions are written to the transaction log. You can configure and apply a filter to the transaction log and view the results. You can download the transaction log to a .zip file, and you can purge (clear) the transaction log.

Configure the transaction log

To configure which transactions are entered in the transaction log, select a minimum log level. The log levels are listed by severity from the most severe (FATAL) to the least severe (TRACE). Only transaction steps having a log level of the selected severity or higher are logged. The lower levels (Verbose, Debug, Trace) exist for troubleshooting and increase log volume considerably, so select them only while you are diagnosing a problem.

1 In the Management Console, click the Logs tab, click the Transaction and Error Logging tab, then click Configure.
2 In the Log Configuration dialog box, select a severity level from the Log Level drop-down list, then click OK.

Table 9-16 Transaction log levels (from most to least severe)
  Fatal: Specifies a fatal error. By definition, a fatal error is an error from which McAfee Cloud SSO cannot recover. As a result of a fatal error, the McAfee Cloud SSO service might shut down.
  Error: Specifies an unexpected event from which McAfee Cloud SSO can recover.
  Warning: Specifies an unusual event and provides information so that the event can be studied.
  Info: Provides information for developers to use in understanding or debugging the code.
  Verbose: Provides more detailed information for developers to use in understanding or debugging the code.
  Debug: Provides system information for developers to use in debugging and troubleshooting the code.
  Trace: Provides detailed system information for developers to use in debugging and troubleshooting the code.

Configure a filter for the transaction log

The transaction log filter allows you to configure and view a subset of all entries in the transaction log.

1 In the Management Console, click the Logs tab, then click the Transaction and Error Logging tab.
2 Specify values for the following options, then click Apply Filter.

Table 9-17 Filter option definitions for the transaction log
  Duration: Limits the display to transactions that occurred in the specified time period.
  Log Level: Limits the display to transactions having the specified severity level or higher.
  Class: Limits the display to transactions logged by the specified Java classes.
  Log Message: Limits the display to transactions having the specified message text.
  Log Type: Select one or more checkboxes:
    Transaction: When selected, transactions that completed without an exception are displayed.
    Exception: When selected, transactions that did not complete without an exception are displayed.
    You can also specify individual transaction IDs separated by semicolons. To view only the transactions having a specified ID, set the Log Type to that transaction ID.
  Log Node: Limits the display to transactions that occurred on the specified instances of McAfee Cloud SSO.

View the transaction log

You can view all entries in the transaction log, or you can configure and apply a filter to view selected entries.

1 In the Management Console, click the Logs tab, then click the Transaction and Error Logging tab.
2 For each transaction in the display, you can view the following columns.

Table 9-18 View the entries in the transaction log
  Log Time: Specifies the date and time when the transaction occurred.
  Node: Specifies the server where the transaction occurred.
  Log Level: Specifies the severity level of the transaction.
  Log Type: Specifies the transaction type:
    Transaction: The transaction completed without an exception.
    Exception: The transaction did not complete without an exception.
  Transaction ID: Specifies the transaction's ID. All steps in one transaction share this ID.
  Class Name: Specifies the Java class that logged information about this transaction step.
  Log Message: Specifies the message generated by the Java class that logged information about this transaction step. To view the details, click the message.
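As an added example that is not part of the product guide, the following Python script does offline what the console filter does interactively: it reads a downloaded CSV transaction log, applies a minimum severity from Table 9-16, groups steps by Transaction ID and reports the transactions that ended in an Exception together with their most severe step. The column labels follow Table 9-18; the exact labels of a real export, the sample rows and the Java class names are constructed for illustration and are not real product output.

```python
import csv
import io
from collections import defaultdict

# Severity order from Table 9-16, most severe first; a lower index is more severe.
LEVELS = ["FATAL", "ERROR", "WARNING", "INFO", "VERBOSE", "DEBUG", "TRACE"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample of a CSV export. Column labels follow Table 9-18; the class
# names and messages are invented for illustration, not real product output.
SAMPLE_CSV = """Log Time,Node,Log Level,Log Type,Transaction ID,Class Name,Log Message
2013-06-03 09:14:01,node1,INFO,Transaction,tx-1001,com.example.sso.IdpSso,Received AuthnRequest from sp-salesforce
2013-06-03 09:14:02,node1,DEBUG,Transaction,tx-1001,com.example.sso.IdentityMapper,Mapped jdoe to jdoe@example.com
2013-06-03 09:14:02,node1,INFO,Transaction,tx-1001,com.example.sso.IdpSso,Issued SAML response to sp-salesforce
2013-06-03 09:15:10,node2,INFO,Transaction,tx-1002,com.example.sso.IdpSso,Received AuthnRequest from sp-google
2013-06-03 09:15:11,node2,ERROR,Exception,tx-1002,com.example.sso.LdapConnector,LDAP bind failed: connection refused
2013-06-03 09:16:00,node1,WARNING,Transaction,tx-1003,com.example.sso.Slo,Logout request for unknown session
"""


def parse_export(text):
    """Read the CSV export into a list of dicts keyed by column label."""
    return list(csv.DictReader(io.StringIO(text)))


def at_least(entries, min_level):
    """Keep only steps at the given severity or more severe (the console's Log Level filter)."""
    cutoff = RANK[min_level.upper()]
    return [e for e in entries if RANK[e["Log Level"].upper()] <= cutoff]


def group_by_transaction(entries):
    """All steps of one transaction share a Transaction ID; collect them in log order."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["Transaction ID"]].append(e)
    return dict(groups)


def failed_transactions(entries):
    """Map each transaction that contains an Exception step to its most severe step."""
    failed = {}
    for tx_id, steps in group_by_transaction(entries).items():
        if any(s["Log Type"] == "Exception" for s in steps):
            worst = min(steps, key=lambda s: RANK[s["Log Level"].upper()])
            failed[tx_id] = (worst["Log Level"], worst["Class Name"], worst["Log Message"])
    return failed


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    for tx_id, (level, cls, msg) in failed_transactions(at_least(rows, "INFO")).items():
        print(f"{tx_id}: {level} in {cls}: {msg}")
```

Grouping on Transaction ID is what makes the Exception entries actionable: the failing step (here the LDAP bind) is reported together with the steps that preceded it, which the per-line view in the console does not show side by side.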

Download the transaction log

To save the transaction log locally on your computer, download it to a .zip file in your web browser's download directory.

1 In the Management Console, click the Logs tab, click the Transaction and Error Logging tab, then click Download.
2 In the dialog box, configure the following options, then click OK.

Table 9-19 Option definitions for downloading a log
  Download As: Select a format for the data downloaded to the .zip file: XML or CSV.
  Interval: Select a time interval for the entries downloaded to the .zip file:
    Before Date: All entries logged before the specified date and time are downloaded.
    Between Dates: All entries logged between the specified dates and times are downloaded.

Purge the transaction log

You can clear all entries in the transaction log or only the entries in a specified range of dates. For example, you can clear only the oldest entries. Purging is permanent, so download the range first if you need to retain it.

1 In the Management Console, click the Logs tab, click the Transaction and Error Logging tab, then click Purge Log.
2 In the dialog box, configure the following options, click OK, then click Yes to confirm.

Table 9-20 Option definitions for purging a log
  Interval: Select a time interval for the entries to be cleared from the log:
    Before Date: All entries logged before the specified date and time are purged.
    Between Dates: All entries logged between the specified dates and times are purged.

Use cloud metrics to monitor end-user events

Cloud metrics are counts of end-user events maintained by the McAfee Cloud SSO system. End-user events include SSO, SLO, authorization, provisioning, and de-provisioning. For each metric, you can configure filter options, apply the filter, and view the results. You can download the filtered metrics to a .zip file, and you can purge (clear) the cloud metrics in the McAfee Cloud SSO system.

Configure a filter for the selected metrics

When you apply a filter to a cloud metric, McAfee Cloud SSO counts the recorded instances of the selected metric. McAfee Cloud SSO totals the number of occurrences of the selected metric over 15-minute time intervals and displays the counts and times. Counts are displayed even when they equal zero.

You can configure the filter to limit and customize the results. For example, instead of counting every successful SSO event recorded in the system, you can count only successful SSO events to a particular application.

1 In the Management Console, select Metrics from the Monitoring tab drop-down list, then click the Cloud Metrics tab.
2 Specify values for the following options, then click Apply Filter.

Table 9-21 Filter option definitions
  Counter: From the drop-down list, select one or more metrics that you want counted.
  Identity Connector: Counts only instances of metrics associated with the specified Identity Connectors.
  User Name: Counts only instances of metrics associated with the specified end users.
  Duration: Counts only instances of metrics generated in the specified time period.
  Application: Counts only instances of metrics associated with the specified Cloud Connectors.
  Node: Counts only instances of metrics that are generated on the specified instances of McAfee Cloud SSO.

View the cloud metrics

You can view all cloud metrics, which are counts of end-user events, or you can configure and apply a filter to view selected metrics.

1 In the Management Console, select Metrics from the Monitoring tab drop-down list, then click the Cloud Metrics tab.
2 For each metric in the display, you can view the following columns.

Table 9-22 Viewing counts for end-user events
  Metric: Specifies the end-user event that is counted.
  Node: Only instances of the event that occurred on this McAfee Cloud SSO instance are included in the count.
  Date and Time: Specifies the 15-minute interval during which the end-user event is counted.
  ID: Only instances of the end-user event associated with this Identity Connector are included in the count.
  Application: Only instances of the end-user event associated with this Cloud Connector are included in the count.
  User Name: Only instances of the end-user event associated with this end user are included in the count.
  Count: Specifies the number of instances of the end-user event counted for the specified server, time interval, Identity Connector, Cloud Connector, and user.

Download the cloud metrics

To save the filtered cloud metrics locally on your computer, download them to a .zip file in your web browser's download directory.

1 In the Management Console, select Metrics from the Monitoring tab drop-down list, click the Cloud Metrics tab, then click Download.
2 In the dialog box, configure the following options, then click OK.

Table 9-23 Option definitions for downloading a log
  Download As: Select a format for the data downloaded to the .zip file: XML or CSV.
  Interval: Select a time interval for the entries downloaded to the .zip file:
    Before Date: All entries logged before the specified date and time are downloaded.
    Between Dates: All entries logged between the specified dates and times are downloaded.

Purge all cloud metrics in the McAfee Cloud SSO system

You can clear all cloud metrics in the McAfee Cloud SSO system or only the metrics in a specified range of dates. For example, you can clear only the oldest cloud metrics.

1 In the Management Console, select Metrics from the Monitoring tab drop-down list, click the Cloud Metrics tab, then click Purge Log.
2 In the dialog box, configure the following options, click OK, then click Yes to confirm.

Table 9-24 Option definitions for purging a log
  Interval: Select a time interval for the entries to be cleared from the log:
    Before Date: All entries logged before the specified date and time are purged.
    Between Dates: All entries logged between the specified dates and times are purged.

Use login history to monitor login and logoff events

McAfee Cloud SSO collects login and logoff data for administrators who are using the Management Console and for end users in the enterprise. You can configure and apply a filter to the login history and view the results. You can download the filtered login history to a .zip file, and you can purge (clear) the login history in the McAfee Cloud SSO system.

Configure a filter for the login history

The login history filter allows you to configure and view a subset of the login history in the McAfee Cloud SSO system.

1 In the Management Console, select Login History from the Monitoring tab drop-down list.
2 Specify values for the following options, then click Apply Filter.

Table 9-25 Filter option definitions
  Duration: Limits the display to login and logoff events that occurred in the specified time period.
  Client IP: Limits the display to login and logoff events coming from the specified IP addresses.
  Identity Connector: Limits the display to login and logoff events associated with the specified Identity Connectors.
  Login Node: Limits the display to login and logoff events associated with the specified instances of McAfee Cloud SSO.
  User ID: Limits the display to login and logoff events associated with the specified users.
  Login Type: Limits the display to login and logoff events of the specified types.
  Application: Limits the display to login and logoff events associated with the specified Cloud Connectors.

View the login history

You can view the complete login history, or you can configure and apply a filter to view selected events.

1 In the Management Console, select Login History from the Monitoring tab drop-down list.
2 For each entry in the display, you can view the following columns.

Table 9-26 Viewing options for the login history
  User: Specifies the user that initiated the login or logoff event.
  Node: Specifies the McAfee Cloud SSO instance associated with the login or logoff event.
  Time: Specifies the date and time when the login or logoff event occurred.
  Client IP: Specifies the user's IP address.
  Client Browser: Specifies the name and version of the user's web browser.
  Client Platform: Specifies the name and version of the user's operating system.
  Identity Connector: Specifies the name of the Identity Connector associated with the login or logoff event.
  Application: Specifies the name of the Cloud Connector associated with the login or logoff request.
  Login Type: Specifies the type of login or logoff event. Example: Console Login
  Status: Specifies whether the login or logoff event succeeded or failed.

Download the login history

To save the filtered login history locally on your computer, download it to a .zip file in your web browser's download directory.

1 In the Management Console, select Login History from the Monitoring tab drop-down list, then click Download.
2 In the dialog box, configure the following options, then click OK.

Table 9-27 Option definitions for downloading a log
  Download As: Select a format for the data downloaded to the .zip file: XML or CSV.
  Interval: Select a time interval for the entries downloaded to the .zip file:
    Before Date: All entries logged before the specified date and time are downloaded.
    Between Dates: All entries logged between the specified dates and times are downloaded.
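As an added example that is not part of the product guide, the following Python script runs a simple detection over a downloaded login history export. It buckets failed logins per client IP into the same 15-minute intervals that the cloud metrics section above reports on, then flags an IP that either exceeds a failure threshold in one interval (password guessing) or fails against many distinct users in one interval (password spraying). The column labels follow Table 9-26; the sample rows, the Status wording (Success and Failure), the Login Type value SP SSO and the thresholds are constructed assumptions, not real product output.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a login history export. Column labels follow Table 9-26;
# the Status wording ("Success"/"Failure") and every row are invented for illustration.
SAMPLE_CSV = """User,Node,Time,Client IP,Client Browser,Client Platform,Identity Connector,Application,Login Type,Status
jdoe,node1,2013-06-03 09:01:10,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
jdoe,node1,2013-06-03 09:03:22,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
asmith,node1,2013-06-03 09:05:40,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
bwong,node1,2013-06-03 09:07:05,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
cnash,node1,2013-06-03 09:09:59,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
jdoe,node1,2013-06-03 09:12:30,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Success
jdoe,node1,2013-06-03 09:16:00,203.0.113.7,Firefox 21,Windows 7,corp-ldap,salesforce,SP SSO,Failure
ekim,node2,2013-06-03 09:02:00,198.51.100.4,Chrome 27,Mac OS X,corp-ldap,,Console Login,Success
ekim,node2,2013-06-03 09:20:00,198.51.100.4,Chrome 27,Mac OS X,corp-ldap,,Console Login,Failure
"""

WINDOW = timedelta(minutes=15)  # the same interval the cloud metrics report on


def window_start(ts):
    """Floor a timestamp to the start of its 15-minute interval."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


def parse_export(text):
    """Read the export and parse the Time column into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Time"] = datetime.strptime(r["Time"], "%Y-%m-%d %H:%M:%S")
    return rows


def failures_by_ip_window(rows):
    """(client ip, window start) -> (failure count, set of users that failed); successes are ignored."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for r in rows:
        if r["Status"] != "Failure":
            continue
        key = (r["Client IP"], window_start(r["Time"]))
        counts[key] += 1
        users[key].add(r["User"])
    return {k: (counts[k], users[k]) for k in counts}


def detect(rows, max_failures=5, max_users=3):
    """Return alerts as (ip, window start, failures, distinct users, reason) tuples."""
    alerts = []
    for (ip, start), (n, who) in sorted(failures_by_ip_window(rows).items()):
        reasons = []
        if n >= max_failures:
            reasons.append("failure threshold")
        if len(who) >= max_users:
            reasons.append("many distinct users")
        if reasons:
            alerts.append((ip, start.strftime("%Y-%m-%d %H:%M"), n, len(who), ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_export(SAMPLE_CSV)):
        print(alert)
```

The per-user rule alone would miss the spray in the sample (no single account fails more than twice); counting distinct users per source address in the same window is what exposes it, and the later successful login from the same address is the event worth following up.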

Purge the login history

You can clear the entire login history in the McAfee Cloud SSO system or only the history in a specified range of dates. For example, you can clear only the oldest login data.

1 In the Management Console, select Login History from the Monitoring tab drop-down list, then click Purge Log.
2 In the dialog box, configure the following options, click OK, then click Yes to confirm.

Table 9-28 Option definitions for purging a log
  Interval: Select a time interval for the entries to be cleared from the log:
    Before Date: All entries logged before the specified date and time are purged.
    Between Dates: All entries logged between the specified dates and times are purged.


10 Add-on services

McAfee Cloud SSO offers an identity proxy service and an OAuth service.

Identity proxy service: This service supports SSO to Salesforce through the Salesforce Connect for Outlook plug-in installed on the end user's computer. Through the plug-in, end users can access Salesforce through Outlook, and the two applications can share data. McAfee Cloud SSO implements SSO through the plug-in using a SAML token and a token validation service.

OAuth service: McAfee Cloud SSO supports the OAuth Service Providers Google and Salesforce with an OAuth service that is configured in the Management Console. Using the OAuth service, end users can securely download data from a supported Google or Salesforce application in the cloud to a computer where they can manage the data locally.

Contents
  Implementing SSO to Salesforce through Connect for Outlook
  Downloading user data from Google and Salesforce applications securely

Implementing SSO to Salesforce through Connect for Outlook

After McAfee Cloud SSO establishes an SSO session with the end user, Outlook and Salesforce can share and synchronize the user's data. McAfee Cloud SSO implements SSO to Salesforce through the Salesforce Connect for Outlook plug-in by providing two services, an identity proxy service and a token validation service.

Identity proxy service: This service authenticates the end user against an enterprise LDAP identity store. Configuring the service is similar to configuring an LDAP Identity Connector.

Token validation service: This service verifies that the SAML token passed from the end user to Salesforce is valid. Configuring the token validation service is similar to configuring a Cloud Connector.

Figure 10-1 Implementing SSO to Salesforce through Connect for Outlook

1 In Outlook, the end user requests access to a Salesforce application. The Salesforce Connect for Outlook plug-in installed on the user's computer calls the identity proxy service provided by McAfee Cloud SSO.
2 The identity proxy service authenticates the end user's enterprise account credentials against the enterprise identity directory.
3 The service maps the enterprise identity to the Salesforce identity and returns a SAML token to the Outlook plug-in.
4 The plug-in logs the end user in to Salesforce using the SAML token to establish the user's identity.
5 Salesforce calls the token validation service provided by McAfee Cloud SSO with the SAML token.
6 When the service validates the SAML token, the login process is complete. The end user can access Salesforce through Outlook without logging in again, and Salesforce and Outlook can share and synchronize data.

Step 5 is the trust decision: Salesforce accepts the login only if the token validation service confirms the token, so that service must be reachable from Salesforce and must present a certificate Salesforce trusts (see the requirements that follow).

Salesforce requirements for integrating Connect for Outlook

To provide SSO services to Salesforce through Salesforce Connect for Outlook, McAfee Cloud SSO must meet the following Salesforce requirements.

Table 10-1 Salesforce requirements
  McAfee Cloud SSO server and token validation service port number: Salesforce can call the McAfee Cloud SSO token validation service when the following requirements are met:
    The server where McAfee Cloud SSO is installed has a public IP address or host name.
    The token validation service listens on a port in the range required by Salesforce.
  SSL certificate provided by McAfee Cloud SSO: The Salesforce Connect for Outlook plug-in and the delegated authentication service perform server authentication when they establish an SSL connection. Salesforce and McAfee Cloud SSO can establish an SSL connection when the X.509 certificate presented by McAfee Cloud SSO meets the following requirements:
    The X.509 certificate's CN attribute must match the name of the Salesforce domain specified when configuring the identity proxy and token validation services.
    The X.509 certificate must be signed by a commercial CA trusted by Salesforce. For a complete list of Salesforce-trusted CAs, see the list that Salesforce publishes.

See also: Managing X.509 certificates for SAML authentication on page 280

Configuring SSO to Salesforce through Connect for Outlook

Configuring SSO to Salesforce through Connect for Outlook requires completing tasks in the Management Console, in your Salesforce administrator account, and on the end user's computer.

Table 10-2 High-level tasks for configuring SSO to Salesforce through Connect for Outlook
  Management Console: Configure the identity proxy and token validation services.
  Salesforce administrator account: Configure delegated authentication.
  End user's computer: Install and configure the Salesforce Connect for Outlook plug-in.
Manage instances of the identity proxy service

You can create one or more instances of the identity proxy service and activate, duplicate, modify, or delete each instance. After an instance is created, you can view the identity proxy and token validation service URLs.

Create an instance of the identity proxy service

Create and configure the identity proxy and token validation services so that McAfee Cloud SSO can connect to an LDAP identity store and to the Salesforce application, respectively.

1 In the Management Console, from the Addons drop-down list, select Identity Proxy.
2 In the Identity Proxy window, click New Identity Proxy.
3 In the Identity Proxy dialog box, from the Identity Connector Type drop-down list, select LDAP.

Table 10-3 Configuring the identity proxy and token validation services
  Configure the LDAP options: To configure the LDAP Identity Connector with an identity store, perform one of the following steps:
    Use an existing LDAP identity store: From the Identity Store drop-down list, select an identity store.
    Use a new LDAP identity store: Click New LDAP, create a new LDAP identity store, and select it from the Identity Store drop-down list.
  Output attributes: Allows you to customize the source attributes output by the LDAP Identity Connector. Attributes are used for credential mapping and user provisioning to the Salesforce application.
  User Attribute Mapping: Allows you to map source attributes output by the LDAP Identity Connector to target attributes in the Salesforce application.

  Salesforce connection option definitions
    Domain: Specifies the name of your Salesforce domain.
    State: From the drop-down list, select an option:
      ACTIVE: Specifies that the connection between Salesforce and McAfee Cloud SSO is active.
      INACTIVE: Specifies that the connection between Salesforce and McAfee Cloud SSO is not active.
    Cloud Service Security Token Lifetime (minutes): Specifies a lifetime value to use when calculating the SAML assertion's expiration time. When the expiration time is exceeded, the SAML assertion is invalidated by the assertion consumer. When specifying the lifetime value, consider the estimated transmission latency between security domains, and keep the value as short as that latency allows: the longer the window, the longer an intercepted assertion remains usable.
    Select a key pair: From the drop-down list, select the key pair that McAfee Cloud SSO uses to sign SAML assertions.
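As an added example that is not part of the product guide, the following Python code shows the two halves of the lifetime check described for the Cloud Service Security Token Lifetime option: the issuing side derives the assertion's NotBefore and NotOnOrAfter from its IssueInstant and the configured lifetime in minutes, and the consuming side (the token validation service, or any assertion consumer) rejects an assertion outside that window while tolerating a small clock skew to absorb transmission latency. The assertion skeleton, the issuer and audience values, the 5-minute lifetime and the 60-second skew are constructed for illustration, not values from the product; the XML digital signature check that must precede this step is not shown.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML timestamps are UTC


def parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.astimezone(timezone.utc).strftime(TS_FMT)


def conditions_for(issue_instant, lifetime_minutes):
    """Issuer side: the validity window is IssueInstant plus the configured lifetime."""
    return issue_instant, issue_instant + timedelta(minutes=lifetime_minutes)


def build_assertion(issue_instant, lifetime_minutes, audience, name_id):
    """Constructed, unsigned assertion skeleton carrying only the fields checked below."""
    not_before, not_on_or_after = conditions_for(issue_instant, lifetime_minutes)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
        f'IssueInstant="{fmt_ts(issue_instant)}">'
        "<saml:Issuer>https://mcsso.example.com</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{fmt_ts(not_before)}" NotOnOrAfter="{fmt_ts(not_on_or_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion>"
    )


def validate_conditions(assertion_xml, now, expected_audience, skew_seconds=60):
    """Consumer side: return the reasons the Conditions fail (an empty list means they hold).
    Verify the XML signature before calling this; an unsigned assertion proves nothing."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return ["no Conditions element"]
    skew = timedelta(seconds=skew_seconds)
    problems = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_ts(not_before):
        problems.append("not yet valid")
    if not_on_or_after and now - skew >= parse_ts(not_on_or_after):  # NotOnOrAfter is exclusive
        problems.append("expired")
    audiences = [a.text for a in cond.iter(f"{{{SAML_NS}}}Audience")]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


# Constructed fixture: an assertion issued at 09:00 UTC with a 5-minute lifetime.
ISSUED = datetime(2013, 6, 3, 9, 0, 0, tzinfo=timezone.utc)
AUDIENCE = "https://saml.salesforce.com"  # illustrative audience value
SAMPLE_ASSERTION = build_assertion(ISSUED, 5, AUDIENCE, "jdoe@example.com")


def validate_at(offset_seconds, audience=AUDIENCE, skew_seconds=60):
    """Validate the fixture as seen by a consumer whose clock is offset_seconds past IssueInstant."""
    now = ISSUED + timedelta(seconds=offset_seconds)
    return validate_conditions(SAMPLE_ASSERTION, now, audience, skew_seconds)


if __name__ == "__main__":
    print(validate_at(120))   # inside the window
    print(validate_at(360))   # one minute past the lifetime, beyond the skew
```

The skew is applied symmetrically and deliberately small: it covers clock drift and transit time between the two security domains, which is what the lifetime option asks you to account for, without reopening an assertion that has genuinely expired.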
See also:
  Configure an LDAP Identity Connector on page 74
  Configure credential mapping on page 137
  Configuring SAML Cloud Connectors on page 141
  Configure just-in-time user provisioning on page 199

View the identity proxy and token validation service URLs

After you configure an instance of the identity proxy service, you can view the identity proxy and token validation service URLs. You need the identity proxy service URL when you install the Salesforce Connect for Outlook plug-in on the end user's computer. You need the token validation service URL when you configure delegated authentication in your Salesforce administrator account.

1 In the Management Console, from the Addons drop-down list, select Identity Proxy.
2 In the Identity Proxy window, click the Config link corresponding to the identity proxy and token validation services that you configured.
3 In the Identity Proxy dialog box, scroll to the bottom, where you can view the following URLs:
  Identity Proxy Service URL:
  Token Validation Service URL:
  where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <domain_name> specifies the name of your Salesforce domain.

Activate an instance of the identity proxy service

Activating an instance of the identity proxy service allows McAfee Cloud SSO to provide SSO services to Salesforce through Connect for Outlook.

1 In the Management Console, from the Addons drop-down list, select Identity Proxy.
2 In the Identity Proxy window, in the Actions column of the row corresponding to the instance of the identity proxy service, click Activate.

Duplicate and modify an instance of the identity proxy service

You can duplicate an existing instance of the identity proxy service and use its configuration as a template for a new instance of the service.

1 In the Management Console, from the Addons drop-down list, select Identity Proxy.
2 In the Identity Proxy window, in the Actions column of the row corresponding to the existing instance of the identity proxy service, click Duplicate.
3 In the Identity Proxy window, in the Actions column of the row corresponding to the new instance of the identity proxy service, click Config.

Delete an instance of the identity proxy service

When you no longer need an instance of the identity proxy service, you can delete it.

1 In the Management Console, from the Addons drop-down list, select Identity Proxy.
2 In the Identity Proxy window, in the Actions column of the row corresponding to the instance of the identity proxy service, click Delete, then click OK to confirm.

Configure delegated authentication in Salesforce

Specify the token validation service URL so that Salesforce can call the token validation service provided by McAfee Cloud SSO. Specify the IP address ranges used by your organization so that Salesforce can trust the responses McAfee Cloud SSO sends from within the enterprise.

The delegated authentication feature in Salesforce must be enabled for your organization. To enable delegated authentication, contact Salesforce technical support.

1 Log on to your administrator account in Salesforce.com.
2 Select Setup > Administration Setup > Security Controls > Single Sign-On Settings.
3 In the Delegated Gateway URL field, specify the McAfee Cloud SSO token validation service URL.
4 Select Setup > Administration Setup > Security Controls > Network Access.
5 Specify your enterprise IP address ranges as the IP address ranges that Salesforce can trust.

Install and configure the Salesforce Connect for Outlook plug-in

Install and configure the Salesforce Connect for Outlook plug-in on the end user's computer so that Connect for Outlook can call the McAfee Cloud SSO identity proxy service, then configure Outlook to work with the plug-in. The plug-in sends the user's enterprise credentials to the URL you configure here, so make sure it is the SSL-protected identity proxy service URL shown in the Management Console.

1 Log on to your administrator account in Salesforce.com.
2 Select Setup > Desktop Integration > Salesforce for Outlook > Connect for Microsoft Outlook.
3 Download the latest installation package and follow the installation instructions.
4 To open the Windows Registry Editor, run regedit.
5 Navigate to the following registry key and set its value equal to the URL of the McAfee Cloud SSO identity proxy service: HKEY_CURRENT_USER\Software\Salesforce.com\SM\ServerURL
6 Start Microsoft Outlook, select Tools > Salesforce.com > Options, then configure the user name, password, and preferences.
7 Click Verify.
Downloading user data from Google and Salesforce applications securely

The Service Providers Google and Salesforce use the OAuth authorization protocol to support enterprise users who want to download application data stored in the cloud to a computer where they can manage the data locally. McAfee Cloud SSO provides an OAuth service that downloads the data in XML format, reformats the data according to a custom XML stylesheet if one is provided, and sends the data to the enterprise user.

An OAuth transaction between McAfee Cloud SSO and a Google or Salesforce application requires a consumer key and a consumer secret.

Access to data is through an authorized access token rather than conventional user name and password credentials, which protects the credentials from exposure. Each token, which authorizes access by specified users to a specified cloud application, is configured in the Management Console. For more information, see the OAuth standard.

How McAfee Cloud SSO implements the OAuth authorization protocol

McAfee Cloud SSO implements the OAuth authorization protocol through an OAuth service and an OAuth policy. The policy is configured by administrators in the Management Console. In the following example, the administrator has configured an OAuth policy that gives enterprise users access to Google Calendar.

Figure 10-2 How McAfee Cloud SSO implements the OAuth service

1 In the Management Console, the administrator configures an OAuth policy that allows enterprise users to access the Google Calendar application.
2 An enterprise user requests access to Google Calendar.
3 Google redirects the enterprise user's request to McAfee Cloud SSO.
4 If the enterprise user does not have a login session with McAfee Cloud SSO, the OAuth service presents a login page. If the enterprise user has a login session with McAfee Cloud SSO, the OAuth service redirects the user to Google with the required access token.
5 Google grants the enterprise user access to Google Calendar based on the access token.
6 The enterprise user accesses Google Calendar and is authorized to download data for use on a local computer.

Manage instances of the OAuth service

In the Management Console, you can create, modify, and delete instances of the OAuth service and view all configured instances of the OAuth service in the McAfee Cloud SSO system.
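As an added example that is not part of the product guide, the following Python code shows what the consumer key and consumer secret are for in the exchange above. The key/secret pair is OAuth 1.0a terminology (RFC 5849), and that is the assumption here: the consumer key travels in the request and identifies the organization, while the consumer secret never leaves the consumer; it keys an HMAC-SHA1 over a canonical form of the request, and the Service Provider recomputes that signature from its own copy of the secret. The request URL, query parameters, key, secret, nonce and timestamp are constructed values, not real Google or Salesforce endpoints or credentials, and the verification side includes the timestamp freshness check a provider applies against replay.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="")


def oauth_params(consumer_key, timestamp=None, nonce=None, token=None):
    """The oauth_* parameters a consumer adds to a request (two-legged when token is None)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params


def signature_base_string(method, url, params):
    """Canonical request form (RFC 5849 section 3.4.1): method, base URL and the sorted,
    encoded parameter pairs, each of the three components encoded again and joined with '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with the encoded secrets; the secrets themselves are never sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret="", now=None, max_age=300):
    """Provider side: recompute the signature from the stored secret, compare in constant time,
    and reject stale timestamps (a nonce store would complete the replay defence)."""
    presented = params.get("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(presented, expected):
        return False
    ts = int(params.get("oauth_timestamp", "0"))
    now = int(time.time()) if now is None else now
    return abs(now - ts) <= max_age


# Constructed request: an enterprise consumer fetching calendar data. The URL, key and
# secret are illustrative values, not a real Google or Salesforce endpoint or credential.
URL = "https://www.google.com/calendar/feeds/default/private/full"
QUERY = {"max-results": "5", "q": "security review"}
CONSUMER_KEY = "example.com"
CONSUMER_SECRET = "s3cret-from-provider"


def signed_request(timestamp=1370000000, nonce="abc123"):
    """Build the full parameter set a consumer would send, signature included."""
    params = {**QUERY, **oauth_params(CONSUMER_KEY, timestamp, nonce)}
    params["oauth_signature"] = sign("GET", URL, params, CONSUMER_SECRET)
    return params


if __name__ == "__main__":
    req = signed_request()
    print(signature_base_string("GET", URL, req))
    print("valid:", verify("GET", URL, req, CONSUMER_SECRET, now=1370000010))
```

Two points carry over to the Consumer Secret field in the Management Console: a leaked secret lets anyone sign requests as the organization, and because the signature covers the method, URL and every parameter, a provider that verifies correctly rejects any tampered or replayed request even though the secret was never transmitted.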

Create an instance of the OAuth service for a Google or Salesforce application

When you create an instance of the OAuth service for a Google or Salesforce application, users in your enterprise organization can download application data from the cloud to a computer, where they can manage the data locally.

1 In the Management Console, from the Addons drop-down list, select OAuth Plug-in.
2 Click New OAuth Driver.
3 In the OAuth Creation dialog box, specify values for the following options, then click OK.

Table 10-4 Option definitions for creating an instance of the OAuth service
  Template: From the drop-down list, select an option:
    Google: Allows you to configure an OAuth policy for a supported Google application.
    Salesforce: Allows you to configure an OAuth policy for a supported Salesforce application.
  Consumer Key: Specifies a value that identifies the enterprise organization to the Google or Salesforce Service Provider. This value is provided by the Service Provider.
  Consumer Secret: Specifies a value that the enterprise organization uses to show ownership of the Consumer Key. This value is provided by the Service Provider. Treat it as a credential: anyone who holds it can act as your organization toward the Service Provider.
  Advanced: Opens the Advanced dialog box, where you can specify the Stylesheet URL.
  Stylesheet URL (Optional): Specifies the URL of the XML stylesheet that the OAuth service uses to format the downloaded data before sending it to the enterprise user's web browser for display. Because the service applies this stylesheet to the downloaded data, point it only at a location you control.

Table 10-4 Option definitions for creating an instance of the OAuth service (continued)
  Service: In the table, select a supported cloud application or service.
    Google options: Google Mail, Google Calendar, Google Docs, Google Contacts
    Salesforce options: Leads, Accounts, Contacts
  Service Name: Specifies a name that uniquely identifies the specified OAuth service in the McAfee Cloud SSO system. This name is appended to the McAfee Cloud SSO OAuth service URL, where <mcsso-server> specifies the host name or IP address of the server where McAfee Cloud SSO is installed and <service_name> specifies the name you type in the Service Name field.

Modify an instance of the OAuth service

You can modify an instance of the OAuth service in the McAfee Cloud SSO system.

1 In the Management Console, from the Addons drop-down list, select OAuth Plug-in.
2 In the OAuth Management window, in the Action column, click the Edit link corresponding to the OAuth service you want to modify.
3 In the OAuth Creation dialog box, make changes as needed, then click OK.

Delete an instance of the OAuth service

You can delete an instance of the OAuth service that you no longer need.

1 In the Management Console, from the Addons drop-down list, select OAuth Plug-in.
2 In the OAuth Management window, in the Action column, click the Delete link corresponding to the OAuth service you want to remove.

View all configured instances of the OAuth service

You can view all configured instances of the OAuth service in the McAfee Cloud SSO system.

1 In the Management Console: From the Addons drop-down list, select OAuth Plug-in.
2 In the OAuth Management window: For each OAuth service, you can view the options or take the actions in the following table.

Table 10-5 Configured OAuth policies

ID: Displays the name that uniquely identifies the OAuth service in the McAfee Cloud SSO system.
Service URL: Displays the URL that the Service Provider calls to access the OAuth service in McAfee Cloud SSO.
Action: Displays the actions that you can apply to the OAuth service:
    Edit: Allows you to modify the configuration of the OAuth service.
    Delete: Allows you to remove the OAuth service from the McAfee Cloud SSO system.

Enable the OAuth service provided by McAfee Cloud SSO in Google

Enable the OAuth service provided by McAfee Cloud SSO in your Google administrator account, so that McAfee Cloud SSO can provide a data fetching service for Google application users.

1 Log on to Google Apps as the domain administrator.
2 Select Advanced tools, then Manage OAuth Domain Key.
3 On the Manage OAuth key and secret for this domain page, copy the Google-generated OAuth consumer key and consumer secret values and paste them in the corresponding fields in the OAuth Creation dialog box in the Management Console.
4 Select the Enable this consumer key checkbox.
5 Click Save changes.

Configure a new remote access application in Salesforce

Configure a new remote access application in your Salesforce administrator account, so that McAfee Cloud SSO can provide a data fetching service for Salesforce application users.

1 Log on to Salesforce as the administrator.
2 Click the down arrow beside your user name.
3 From the drop-down list, select Setup.
4 From App Setup, select Develop, then Remote Access, then click New.

5 Specify values for the remote access application options as shown in the following table, then save the remote access application.

Table 10-6 Remote access application options in Salesforce

Workflow type: OAuth 1.0a
Callback URL: oob

6 Copy the Salesforce-generated OAuth consumer key and secret values and paste them in the corresponding fields in the OAuth Creation dialog box in the Management Console.


11 Advanced configuration

Many administrative tasks need to be performed only once or occasionally. Many advanced configuration tasks can be performed on an as-needed basis.

Contents
    Configure runtime data and audit log storage in a MySQL database
    Configure network proxy addresses
    Configure a timeout value for end-user sessions
    Enable your custom portal configuration
    Managing administrative user accounts
    Managing X.509 certificates for SAML authentication
    Manage Cloud Connector plug-ins
    Export system configuration data
    Import system configuration data
    Restart the McAfee Cloud SSO service
    Import a license file
    Configure a fully qualified domain name
    Configure SMTP and remote OTP options
    Select a language

Configure runtime data and audit log storage in a MySQL database

McAfee Cloud SSO stores runtime data in a system file or a MySQL database. The database storage option, which is configured in the installer, can be updated in the Management Console.

Before you begin
Before you can configure the MySQL database option in the Management Console, you must install MySQL on the same computer as McAfee Cloud SSO or on another computer in the network and start the database.

The McAfee Cloud SSO service must be restarted for the changes to take effect.

You can configure one MySQL database for storing runtime data and another for storing the audit log.

1 In the Management Console: From the Admin tab drop-down list, select Database Management.
2 In the Storage window, configure the options in the following table, then click Save Settings.

Table 11-1 Configure runtime data and audit log storage in a MySQL database

Storage Type: Select an option for storing runtime data:
    Database: Opens the Configure Default Database area where you can configure data storage in a MySQL database.
    File: Stores all McAfee Cloud SSO runtime data in a system file.
Configure Default Database:
    Connection String: Specifies the address of the MySQL database server where all runtime data is stored. Format: jdbc:mysql://<ip_address|hostname>/<database_name>
        If the port number of the MySQL Server has the default value of 3306, you can omit the port number when specifying the connection string. Otherwise, you must specify the port number in the string.
    User Name: Specifies the user name for the root user account created when the MySQL database is installed.
    Password: Specifies the password for the root user account created when the MySQL database is installed.
    Use SSL: When selected, specifies using a secure SSL connection.
Enable Standalone Audit Log Database: When selected, allows you to configure a separate MySQL database for storing the audit log and opens the following options.
    Connection String: Specifies the address of the MySQL database server where the audit log is stored. Format: jdbc:mysql://<ip_address|hostname>/<database_name>
        If the port number of the MySQL Server has the default value of 3306, you can omit the port number when specifying the connection string. Otherwise, you must specify the port number in the string.
    User Name: Specifies the user name for the root user account created when the MySQL database is installed.
    Password: Specifies the password for the root user account created when the MySQL database is installed.
    Use SSL: When selected, specifies using a secure SSL connection.
Test Connection: Tests the configured MySQL database connections.

Configure network proxy addresses

McAfee Cloud SSO uses the Enterprise Service Proxy address to pass user data from inside the enterprise to a SaaS or web application. The Route Proxy addresses are used to route outgoing HTTP and HTTPS (SSL) messages, respectively, across Internet domains.

The McAfee Cloud SSO service must be restarted for the changes to take effect.

1 In the Management Console: From the Admin tab drop-down list, select Proxy Management.
2 In the Network window: In the Enterprise Service Proxy tab, select the Enable checkbox, configure the options as shown in the following table, then click Save Settings.

Table 11-2 Option definitions for Enterprise Service Proxy configuration

Proxy Name: Specifies the host name of the proxy. When calling the enterprise service, the SaaS or web application uses the proxy name as the user name.
Proxy Listening Port: Specifies the number of the TCP listening port used by the service proxy.
Encryption Key: Specifies the encryption key used by the SaaS or web application to encrypt the custom token before sending it to McAfee Cloud SSO. When calling the enterprise service, the SaaS or web application uses the encrypted token as the password.
Clock Skew: Specifies a value to use when calculating the expiration time. This value is designed to offset small differences between clocks in different security domains. Units: seconds

3 In the Network window: In the Route Proxy tab, configure the options as shown in the following table, then click Save Settings.

Table 11-3 Option definitions for HTTP and HTTPS Route Proxy configuration

Server: Specifies the host name of the HTTP or SSL proxy server.
Port: Specifies the port number of the HTTP or SSL proxy server.
User Name: (Optional) Specifies a user name for access to the proxy server.
Password: (Optional) Specifies a password for access to the proxy server.
No Proxy For: Specifies the host name of one or more servers separated by commas. This option allows McAfee Cloud SSO to connect to the servers directly without going through the network proxy.

Configure a timeout value for end-user sessions

You can configure a timeout value for the SSO sessions that McAfee Cloud SSO establishes with end users.

The timeout value is a global option that affects all end-user sessions. When sessions expire, end users are prompted to re-authenticate the next time they log in.

1 In the Management Console: From the Admin tab drop-down list, select Session Management.
2 In the Session window: From the Timeout Value drop-down list, select a time interval after which all end-user sessions expire.
3 Click Save Setting.

Enable your custom portal configuration

You can enable and disable the use of your custom login, error, and portal pages. After authenticating on the login page, end users select and open the cloud applications that they are allowed to access on the portal page.

1 In the Management Console: From the Admin tab drop-down list, select Portal Configuration.
2 In the Portal Configuration window, select the Customize Pages checkbox, then click Save Setting.

Use of your custom login, error, and portal pages is enabled.

Managing administrative user accounts

As a McAfee Cloud SSO administrator, you can create, delete, and modify administrative user accounts.

The built-in administrator vs. administrative user accounts

McAfee Cloud SSO comes with a built-in administrator account. The administrator using the built-in account can add any number of administrative user accounts to the system. Administrative users can log on to the Management Console and perform all administrative functions that the administrator using the built-in account performs, including creating and modifying the built-in administrator and administrative user accounts. To monitor administrator and administrative user actions in the Management Console, you can configure the auditing policy and create one or more alerts.

When McAfee Cloud SSO is installed, the built-in administrator account is created with the user name admin and password passwd. The administrator uses these initial credentials to log on to the Management Console for the first time. While the built-in administrator account is integral to the McAfee Cloud SSO system and cannot be deleted, you can personalize the initial account settings to include first and last names, an email address, and an updated password.

To keep McAfee Cloud SSO secure, we recommend changing the built-in administrator account password at the initial logon and updating it at regular intervals.
See also Audit logging and alerts on page

Create an administrative user account

You can add administrative user accounts to the primary administrator account that comes preconfigured with the McAfee Cloud SSO system.

1 In the Management Console: From the Admin tab drop-down list, select Admin Accounts.
2 In the Administrative Users window, click New Administrative User.
3 In the Adding New Administrator dialog box, provide values for the following fields, then click OK.

Table 11-4 Option definitions for creating an administrative user account

User Name: Specifies the administrative user's name in the McAfee Cloud SSO system.
Password: Specifies the administrative user's password.
Confirm: Retype the password to confirm.
First Name: (Optional) Specifies the administrative user's first name.
Last Name: (Optional) Specifies the administrative user's last name.
Email: (Optional) Specifies the administrative user's email address.
Creation Date: Specifies the date and time the administrative user was created in the McAfee Cloud SSO system. This value is system-generated and cannot be modified.
Modification Date: Specifies the date and time when the administrative user was last updated in the McAfee Cloud SSO system. This value is system-generated and cannot be modified.

Delete an administrative user account

You can delete an administrative user from the McAfee Cloud SSO system.

1 In the Management Console: From the Admin tab drop-down list, select Admin Accounts.
2 In the Administrative Users window, select the user account you want to delete, click Remove, then click OK to confirm.

Modify an administrative user account

You can modify the information in an administrative user account.

1 In the Management Console: From the Admin tab drop-down list, select Admin Accounts.
2 In the Administrative Users window, select the user account you want to modify, then click Config.
3 In the Configure User dialog box, update the following fields as needed, then click OK.

Table 11-5 Option definitions for modifying an administrative user account

User Name: Specifies the administrative user's name in the McAfee Cloud SSO system.
Password: Specifies the administrative user's password.
Confirm: Retype the password to confirm.
First Name: (Optional) Specifies the administrative user's first name.
Last Name: (Optional) Specifies the administrative user's last name.
Email: (Optional) Specifies the administrative user's email address.
Creation Date: Specifies the date and time the administrative user was created in the McAfee Cloud SSO system. This value is system-generated and cannot be modified.
Modification Date: Specifies the date and time when the administrative user was last updated in the McAfee Cloud SSO system. This value is system-generated and cannot be modified.

Managing X.509 certificates for SAML authentication

Many cloud applications use SAML authentication. SAML authentication requires X.509 certificates for signing outgoing SAML assertions and verifying incoming signatures. SAML assertions are signed by binding X.509 certificate data to the assertion. McAfee Cloud SSO supports many management options for X.509 certificates.

How X.509 certificates work

An X.509 certificate contains a public key and is signed by a certificate authority. Signing an X.509 certificate requires an X.509 certificate key pair, which consists of an X.509 certificate containing a public key and a separate private key.

The CA uses its private key and the certificate's public key to generate the certificate's signature. Signature verification only requires the signature and the X.509 certificate containing the CA's public key. If the X.509 certificate is not trusted, however, signature verification involves traversing a chain of X.509 certificates until a trusted X.509 certificate is reached. This is known as certificate validation.

Certificate validation involves traversing a certificate chain from the certificate you are validating to a trusted intermediate or root CA. The certificate chain is also known as a certification path.

Traversing a certification path is sometimes called name chaining, because it involves matching the issuer name in one certificate with the subject name in the parent certificate that signed it. This process is continued until the parent certificate is a trusted or root CA. Both the issuer name and subject name values are Distinguished Names.

Some certificates are self-signed. For example, the certificate that comes installed with McAfee Cloud SSO is self-signed. Certificates that are issued and held by a Root CA are self-signed by the Root CA. When certificates are self-signed, the Issuer Name and Subject Name are the same.

McAfee Cloud SSO includes Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) checking in the validation process:

CRL checking: A CA publishes a CRL or list of certificates that it issued, but that have been revoked and are no longer valid. CRL entries identify the subscriber for whom the certificate was issued, the certificate status, one or more reasons for revocation, the date of issue, the issuing entity, the date of revocation, and the next issue date. When a user attempts to access a server, the server checks the CRL and allows or denies access based on that user's CRL entry.

OCSP checking: CRL checking requires frequent downloading of the most recent CRL. OCSP checking is an alternative to CRL. When a user attempts to access a server, the server sends an OCSP request for the user's certificate status to the CA. The CA responds with a certificate status of current, expired, or unknown. OCSP also allows users with expired certificates a grace period, during which they can access servers for a limited time before having to renew.

McAfee Cloud SSO preconfigured key pair

The preconfigured key pair that comes installed with McAfee Cloud SSO is a self-signed X.509 certificate with the alias intel cloud expressway. The alias is the name of the X.509 certificate in the McAfee Cloud SSO system.

To have this default X.509 certificate signed by a CA, you first export it in the Management Console, have it signed by the CA, then import it. The signed certificate replaces the original certificate in the McAfee Cloud SSO keystore, but retains the alias intel cloud expressway.

McAfee Cloud SSO also comes installed with the following demo certificate files:
    intel_demo_cert.crt
    intel_demo_cert_ca.crt

You can locate these demo certificate files in the following folder:
    <install_dir>\current\configuration\templates\security\certificates
where <install_dir> specifies the name of the directory where McAfee Cloud SSO is installed.

Acquiring an X.509 certificate

McAfee Cloud SSO needs X.509 certificates to sign outgoing SAML assertions and to verify incoming signatures. There are three ways you can acquire an X.509 certificate:
    Use the pre-configured X.509 certificate key pair that comes installed with McAfee Cloud SSO.
    Generate a new X.509 certificate key pair.

    Import an X.509 certificate key pair or a trusted X.509 certificate.

X.509 certificate key pair: An X.509 certificate key pair consists of an X.509 certificate containing a public key paired with its private key. McAfee Cloud SSO uses X.509 certificate key pairs to sign outgoing SAML assertions.

Trusted X.509 certificate: A trusted X.509 certificate contains a public key that is trusted by the McAfee Cloud SSO administrator. McAfee Cloud SSO uses trusted certificates to verify incoming signatures.

View all X.509 certificates

You can view all X.509 certificates in the McAfee Cloud SSO system on the Certificate Management page.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 In the Certificate Management window, you can view the following information about each X.509 certificate in the McAfee Cloud SSO system.

Table 11-6 View all X.509 certificates on the Certificate Management page

Name: Lists the name that uniquely identifies the X.509 certificate in the McAfee Cloud SSO system. This value is also known as the alias.
Serial Number: Lists the serial number of the X.509 certificate. This value corresponds to the Serial Number in the certificate data and is assigned by the entity that created the certificate.
Distinguished Name: Lists the Distinguished Name of the X.509 certificate. This value corresponds to the Subject Name in the certificate data and uniquely identifies the certificate holder. When McAfee Cloud SSO generates a new key pair, it forms the DN by combining the values specified for the following fields in the Generate New Key Pair dialog box:
    CN: Common Name
    OU: Organizational Unit
    O: Organization
    L: Locality
    ST: State
    C: Country
Expiration Date and Time: Lists the expiration day, month, and year of the X.509 certificate.
Type: Lists the type of X.509 certificate:
    Tools icon: Specifies an X.509 certificate key pair which consists of an X.509 certificate containing a public key paired with its private key. McAfee Cloud SSO uses this type of certificate to sign outgoing SAML assertions.
    Folder icon: Specifies a trusted X.509 certificate which contains a public key that is trusted by the administrator. McAfee Cloud SSO uses trusted certificates to verify incoming signatures.

Table 11-6 View all X.509 certificates on the Certificate Management page (continued)

Status: Lists the status of the X.509 certificate:
    Green check: Specifies a valid X.509 certificate.
    Blue i: Specifies a self-signed X.509 certificate. McAfee Cloud SSO returns this status when the X.509 certificate is self-signed or the CRL or OCSP distribution point URL is not found in the X.509 certificate.
    Red x: Specifies an invalid X.509 certificate. McAfee Cloud SSO returns the invalid status when the certificate is expired or there is a validation error.
Actions: Select an action to perform on the corresponding X.509 certificate:
    View: View details about the X.509 certificate.
    Delete: Delete the X.509 certificate.
    Export: Export the X.509 certificate.
    Import: Replace the X.509 certificate with the imported certificate. The imported certificate retains the alias of the certificate that it replaces.
    Validate: Validate the X.509 certificate. Validation updates the status of the X.509 certificate.

View one X.509 certificate

You can view detailed information about an individual X.509 certificate.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click the View link corresponding to the X.509 certificate you want to view.
3 In the Certificate Detail dialog box, you can view the following information about each X.509 certificate.

Table 11-7 View one X.509 certificate in the Certificate Detail dialog box

Alias: Specifies the name that uniquely identifies the X.509 certificate in the McAfee Cloud SSO system.
Item Type: Specifies whether the X.509 certificate is paired with the private key, as follows:
    Certificate: Specifies that the X.509 certificate is not paired with the private key.
    KEY_PAIR: Specifies that the X.509 certificate is paired with the private key.
Subject: Specifies the Distinguished Name of the X.509 certificate. This value corresponds to the Subject Name in the certificate data and uniquely identifies the certificate holder.
    CN: Specifies the full name of the server where McAfee Cloud SSO is installed.
    OU: Specifies the name of the division within the organization.
    O: Specifies the name of the organization.

Table 11-7 View one X.509 certificate in the Certificate Detail dialog box (continued)

Issuer: Specifies the Distinguished Name of the X.509 certificate issuer. When the Issuer name and Subject name are the same, the certificate is self-signed.
    CN: Specifies the Common Name of the X.509 certificate issuer.
    OU: Specifies the name of the division within the organization.
    O: Specifies the name of the organization.
Validity: Specifies the range of dates on which the certificate is valid.
    Issued On: Specifies the issue date or date when the certificate becomes valid.
    Issued To: Specifies the expiration date or date when the certificate is no longer valid.
Algorithm: Specifies the algorithm used to generate the key pair. RSA is the only algorithm supported in the current release.
Serial Number: Specifies the serial number assigned to the X.509 certificate by the entity that created it.

Export an X.509 certificate

You have the option of exporting the X.509 certificate only or the key pair. Export an X.509 certificate to have it signed by a trusted CA or to publish it to a third party. If the certificate is a trusted certificate, your only option is to export the certificate only.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click the Export link corresponding to the X.509 certificate you want to export.
3 In the Export Certificate dialog box, select an Export Type option.

Table 11-8 Export certificate option definitions

Export Certificate Only: Saves the certificate in a Security Certificate (.crt) file in your web browser's download directory. While an X.509 certificate contains a public key, it does not contain the associated private key that together with the public key makes up the key pair. Select this option, click Export, then click Save File.
Export Key Pair: Saves the public key certificate and associated private key that make up the key pair in a PKCS #12 (.p12) file in your web browser's download directory. A .p12 file is protected by a password which the party encrypting the file shares with parties that need to decrypt the file. Select this option, specify a password in the Passphrase field, click Export, then click Save File.

The .crt and .p12 file names have the format alias.crt and alias.p12, respectively, where alias is the name of the X.509 certificate in the system. If the alias contains spaces, McAfee Cloud SSO converts the spaces to hyphens. For example, if the alias is mcafee cloud sso, the corresponding .crt file name is mcafee-cloud-sso.crt.

Delete an X.509 certificate

You can delete an X.509 certificate that you no longer need.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click the Delete link corresponding to the X.509 certificate you want to delete, then click OK to confirm.

Import an X.509 certificate

Import an X.509 certificate when you want to sign and replace a self-signed certificate in the McAfee Cloud SSO system.

X.509 certificate key pairs generated by McAfee Cloud SSO are self-signed. To generate a Certificate Signing Request (CSR) and have the certificate signed by a trusted CA, first export the certificate to a .crt file. After the certificate is signed by a trusted CA, import the certificate file, which replaces the original X.509 certificate with the signed certificate. The imported certificate retains the original certificate's alias.

To add a trusted certificate to the McAfee Cloud SSO system, select the Import Trusted Certificate option.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click the Import link corresponding to the X.509 certificate you want to replace.
3 In the Import Certificate Chain dialog box, type or browse for the names of the following certificate files:
    X509 Certificate: Specifies the name of the X.509 certificate that you want to import.
    Interim CA: (Optional) Specifies the name of the certificate file corresponding to an intermediate CA.
    Root CA: (Optional) Specifies the name of the certificate file corresponding to a trusted root CA.
4 Click Upload Certificates, click OK, then click OK.

Validate an X.509 certificate

Certificate validation involves traversing a certificate chain from the certificate you are validating to a trusted intermediate or root CA. The validation process returns one of two results:
    SELF_SIGNED: The selected X.509 certificate is self-signed.
    TRUSTED_CERT: The selected X.509 certificate is trusted by the McAfee Cloud SSO administrator.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Verify that certificate validation is enabled.
3 Click the Validate link corresponding to the X.509 certificate you want to validate.
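The name chaining, CRL checking and validation results described in "How X.509 certificates work" and "Validate an X.509 certificate", carried through as an added example that is not part of the product guide or the product's own code. Certificates are constructed records holding only the fields the guide discusses (subject and issuer DNs, serial, validity); no real X.509 parsing or signature checking is performed, and the INVALID result stands in for the red x status of the certificate table.

```python
"""Certificate path validation by name chaining (added example, not the
product's code). Each certificate's issuer DN is matched to the subject DN
of the parent that signed it until a trusted intermediate or root CA is
reached, with expiry and CRL checks along the way."""
from datetime import date

# Result names follow the guide's Validate action; INVALID is the red x case.
SELF_SIGNED = "SELF_SIGNED"
TRUSTED_CERT = "TRUSTED_CERT"
INVALID = "INVALID"


def cert(subject, issuer, serial, not_before, not_after):
    """Constructed certificate record: DN strings and dates, not real X.509."""
    return {"subject": subject, "issuer": issuer, "serial": serial,
            "not_before": not_before, "not_after": not_after}


def is_self_signed(c):
    # Self-signed certificates have identical Issuer Name and Subject Name.
    return c["issuer"] == c["subject"]


def build_path(leaf, known):
    """Name chaining: follow issuer -> subject links through `known`
    (subject DN -> certificate) up to a self-signed certificate.
    Returns the certification path, or None when a link is missing or the
    chain loops (a loop would otherwise never terminate)."""
    path = [leaf]
    seen = {leaf["subject"]}
    while not is_self_signed(path[-1]):
        parent = known.get(path[-1]["issuer"])
        if parent is None or parent["subject"] in seen:
            return None
        path.append(parent)
        seen.add(parent["subject"])
    return path


def is_revoked(c, crl):
    """CRL check: `crl` maps an issuer DN to the serial numbers it revoked."""
    return c["serial"] in crl.get(c["issuer"], set())


def validate(leaf, known, trusted, crl, today):
    """Validate `leaf` against the certificates in `known`, the subject DNs
    the administrator trusts (`trusted`), and the CRL data."""
    if is_self_signed(leaf):
        return SELF_SIGNED
    path = build_path(leaf, known)
    if path is None:
        return INVALID                  # dangling or cyclic chain
    for c in path:
        if not (c["not_before"] <= today <= c["not_after"]):
            return INVALID              # expired or not yet valid
        if is_revoked(c, crl):
            return INVALID              # listed on its issuer's CRL
        if c["subject"] in trusted:
            return TRUSTED_CERT         # reached a trusted intermediate or root
    return INVALID                      # chain ends at an untrusted root


# Constructed sample PKI: root -> issuing CA -> leaves. The DNs and serials
# are made up for this example.
TODAY = date(2013, 6, 1)
ROOT = cert("CN=Example Root CA,O=Example", "CN=Example Root CA,O=Example",
            1, date(2010, 1, 1), date(2030, 1, 1))
ISSUING = cert("CN=Example Issuing CA,O=Example", ROOT["subject"],
               2, date(2011, 1, 1), date(2021, 1, 1))
LEAF = cert("CN=sso.example.com,O=Example", ISSUING["subject"],
            1001, date(2013, 1, 1), date(2014, 1, 1))
REVOKED = cert("CN=old.example.com,O=Example", ISSUING["subject"],
               1002, date(2012, 1, 1), date(2014, 1, 1))
EXPIRED = cert("CN=expired.example.com,O=Example", ISSUING["subject"],
               1003, date(2011, 1, 1), date(2012, 1, 1))
ORPHAN = cert("CN=orphan.example.com,O=Example", "CN=Unknown CA,O=Other",
              1004, date(2013, 1, 1), date(2014, 1, 1))
# Stand-in for a product-generated key pair, which the guide says is self-signed.
DEFAULT = cert("CN=mcsso.example.com,O=Example", "CN=mcsso.example.com,O=Example",
               5, date(2013, 1, 1), date(2023, 1, 1))

KNOWN = {c["subject"]: c for c in (ROOT, ISSUING)}   # CA certs on the system
TRUSTED = {ROOT["subject"]}                          # administrator-trusted DNs
CRL = {ISSUING["subject"]: {1002}}                   # constructed CRL entry

if __name__ == "__main__":
    for c in (LEAF, REVOKED, EXPIRED, ORPHAN, DEFAULT):
        print(f"{c['subject']}: {validate(c, KNOWN, TRUSTED, CRL, TODAY)}")
```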

Generate a new key pair

You can generate a new X.509 certificate key pair and use it to sign SAML assertions. X.509 certificate key pairs generated by McAfee Cloud SSO are self-signed.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click Generate New Key Pair.
3 Specify values for the following fields, then click OK.

Table 11-9 Option definitions for generating a new key pair

Alias: Specifies the name that uniquely identifies the key pair in the McAfee Cloud SSO system.
CN: (Optional) Specifies the full name of the server where McAfee Cloud SSO is installed.
OU: (Optional) Specifies the name of the division within the organization.
O: (Optional) Specifies the name of the organization.
L: (Optional) Specifies a location, such as a city.
ST: (Optional) Specifies a state.
C: (Optional) Specifies a two-character country code.
Valid Until: Specifies the month, day, and year that the newly generated certificate expires. You can accept the default value, or specify a new value by clicking the calendar icon.
Algorithm: From the drop-down list, select the algorithm to use when generating the key. RSA is the only algorithm supported in the current release.
Length: From the drop-down list, select a key length:
    1024: Specifies a key length of 1024 bits
    2048: Specifies a key length of 2048 bits

Import key pairs

A key pair is an X.509 certificate containing a public key paired with its private key. Key pairs are stored as entries in files known as keystores. You import key pairs by importing a keystore file.

The following file types store key pairs and are supported by McAfee Cloud SSO:
    JKS: Specifies a Java keystore file.
    P12: Specifies a file format based on the PKCS #12: Personal Information Exchange Syntax Standard.
    PFX: Specifies a file based on the PKCS #12: Personal Information Exchange Syntax Standard.

While the P12 and PFX file formats are the same, the PFX format was developed first. Since its introduction, the P12 file format has largely replaced the PFX file format.

1 In the Management Console: From the Admin tab drop-down list, select Certificate Management.
2 Click Import Key Pairs.

287 Advanced configuration Managing X.509 certificates for SAML authentication 11 3 In the Import KeyPairs dialog box, browse for the keystore file containing the key pairs. It can be a.jks,.p12, or.pfx file. 4 In the Password field, specify the password that protects the keystore file. 5 Click Upload Key Pairs, then click OK. Import a trusted certificate A trusted certificate is an X.509 certificate containing a public key which is trusted by the McAfee Cloud SSO administrator. The X.509 certificate is imported from a.crt file and used to verify incoming signatures. 1 In the Management Console: From the Admin tab drop-down list, select Certificate Management. 2 Click Import Trusted Certificate. 3 In the Import Trusted Certificate dialog box: a In the Alias field, specify the name that uniquely identifies the trusted certificate in the McAfee Cloud SSO system. b Browse for the.crt file containing the trusted certificate, click Upload Certificate, then click OK. Replace the SSL key pair You can replace the SSL key pair or certificate that McAfee Cloud SSO uses to secure connections between its web server and web browsers with your own custom SSL certificate file. 1 In the Management Console: From the Admin tab drop-down list, select Certificate Management. 2 Click Replace SSL KeyPair. 3 In the Replace SSL KeyPair dialog box: a Click Browse to locate and select your custom SSL certificate file. The file format must be.jks or.p12. b c Type the password that secures the file in the Password field. McAfee Cloud SSO uses this password to decrypt the SSL certificate file. Click OK. 4 Restart the McAfee Cloud SSO service for your SSL certificate to take effect. Enable certificate validation To validate the status of an X.509 certificate, first enable certificate validation. For system performance reasons, certificate validation is disabled by default. 1 In the Management Console: From the Admin tab drop-down list, select Certificate Management. 
2 Click Enable Certificate Validation.

Manage Cloud Connector plug-ins

McAfee Cloud SSO offers built-in and plug-in Cloud Connectors. The built-in Cloud Connectors are part of the McAfee Cloud SSO system and cannot be managed in any way. The plug-in Cloud Connectors that come installed with the product are like the custom Cloud Connector plug-ins developed and installed by customers. Plug-in Cloud Connectors can be installed, enabled and disabled, modified, and deleted.

For the plug-in Cloud Connectors that support SSO through Web Gateway, you can enable and disable integration with Web Gateway globally or individually in the plug-in management interface.

View all Cloud Connector plug-ins

You can view all Cloud Connector plug-ins in the McAfee Cloud SSO system, including plug-ins developed and installed by customers.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, you can view the following information about each Cloud Connector plug-in in the McAfee Cloud SSO system.

Table: View all Cloud Connector plug-ins (column / description)

Plug-in Name: Specifies the name that uniquely identifies the plug-in type in the McAfee Cloud SSO system. For custom plug-ins, you specify the name when you install the plug-in. For plug-ins that come installed with the product, the plug-in name is the same as the Cloud Connector type.
Connector Type: Specifies the Cloud Connector type.
SSO Protocol: Specifies the SSO method used by the plug-in.
Version: Specifies the version number of the plug-in currently installed. When a newer version of the plug-in is installed, the version number is automatically updated.
Provider: Specifies the name of the Service Provider that developed the plug-in.
Actions: You can perform the following actions on individual plug-ins. The actions are available when they are highlighted.
  Disable / Enable: Disables or enables the plug-in in the McAfee Cloud SSO system.
  Modify: Allows you to replace the current version of a plug-in in the McAfee Cloud SSO system with an updated version.
  Delete: Removes the plug-in from the McAfee Cloud SSO system.
  Disable MWG-SSO / Enable MWG-SSO: Disables or enables SSO through Web Gateway for the selected plug-ins.

Enable or disable a Cloud Connector plug-in

You can enable or disable a Cloud Connector plug-in.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, click the Enable or Disable link corresponding to the plug-in you want to update.

Modify a Cloud Connector plug-in

You can modify the configuration of any Cloud Connector plug-in in the McAfee Cloud SSO system, including the plug-ins that come installed with McAfee Cloud SSO.

Before you begin
Delete any configured Cloud Connectors of the plug-in type you want to modify from the McAfee Cloud SSO system.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, disable the plug-in type you want to modify.
3 Click the Modify link corresponding to the plug-in type.
4 In the Install Custom Connector dialog box:
  a Specify a name for the new version of the plug-in.
  b Browse for the .jar file containing the new version of the plug-in.
  c Click Submit.

Delete a Cloud Connector plug-in

You can delete a Cloud Connector plug-in type that you no longer need.

Before you begin
Delete any configured Cloud Connectors of the plug-in type you want to delete from the McAfee Cloud SSO system.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, click the Delete link corresponding to the plug-in, then click Yes to confirm.

Configure Web Gateway integration

You can enable or disable integration with Web Gateway globally or individually for Cloud Connector plug-ins that support SSO through Web Gateway.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, configure Web Gateway globally or for individual Cloud Connector plug-ins as shown in the following table.

Table: Steps to configure Web Gateway integration (configuration / steps)

Global: To configure Web Gateway integration globally:
  1 Click Configure MWG-SSO.
  2 In the Configure MWG-SSO dialog box, select an Enable MWG-SSO option:
    True: Enables SSO through Web Gateway for all Cloud Connectors that support Web Gateway integration.
    False: Disables SSO through Web Gateway for all Cloud Connectors that support Web Gateway integration.
  3 Type the secret shared by Web Gateway and McAfee Cloud SSO in the MWG Shared Secret field.
  4 Click OK.

Individual Cloud Connector plug-ins: To configure Web Gateway integration for an individual Cloud Connector plug-in:
  1 In the Plug-in Name column, locate the Cloud Connector plug-in.
  2 In the Action column, perform the available action:
    If Web Gateway integration is disabled, click Enable MWG-SSO.
    If Web Gateway integration is enabled, click Disable MWG-SSO.

Install a custom Cloud Connector plug-in

You can create a custom Cloud Connector plug-in using the SDK that comes with McAfee Cloud SSO and install it in the system. When installed, the plug-in is automatically enabled.

1 In the Management Console: From the Admin tab drop-down list, select Connector Management.
2 In the Connector Plug-ins window, click Install.
3 In the Install Custom Connector dialog box: In the Plug-in Name field, specify a name that uniquely identifies the custom plug-in in the McAfee Cloud SSO system. The plug-in name can only contain uppercase and lowercase alphabetic characters.
4 Browse for and select the .jar file containing the plug-in configuration, then click Submit. The .jar file can be uploaded from a local or remote file system.

Export system configuration data

You can export the system configuration data to a .zip file for backup or archival. The export option does not save runtime data, such as log files, certificates, and administrator account information. To include runtime data, use the backup and restore utilities.

1 In the Management Console: From the Admin tab drop-down list, select Export Configuration.
2 In the Opening ECA360Configuration.zip dialog box, open or save the .zip file containing the system configuration data.

Import system configuration data

You can restore system configuration data that you previously backed up using the export option. When you import the system configuration data, the options that allow you to enable and disable integration with Web Gateway globally and for individual Cloud Connector plug-ins are reset to the default values.

1 In the Management Console: From the Admin tab drop-down list, select Import Configuration.
2 In the System Configuration Upload dialog box, browse for and select the .zip file containing the system configuration data, then click Submit.
3 Click OK to close the Upload Successful message.

Restart the McAfee Cloud SSO service

Some changes require a restart of the McAfee Cloud SSO system to take effect. For example, after you register a custom authentication module in the Management Console, you must restart McAfee Cloud SSO before you can configure a module of that type.

1 In the Management Console: From the Admin tab drop-down list, select Restart Server, then click OK to confirm. Your session terminates, the server restarts, and the Management Console logon page opens.
2 Type your user name and password in the fields on the logon page, then click Log on.

Import a license file

To access all functionality provided by McAfee Cloud SSO, you need a valid license. You can purchase a license and import the license file in the Management Console. The license file is a text file that contains your license number.

After you import the license file, you must restart all McAfee Cloud SSO services for the imported license to take effect. You can restart the SSO service as soon as you import the license file or wait until later. You must restart the McAfee OTP and Provisioning services manually.

1 In the Management Console: From the Admin tab drop-down list, select License.
2 In the License window, click Change License.

3 In the Import License dialog box, browse for and select the license file, then click Upload License.
4 Click OK to close the Upload Successful message, then click OK to close the Import License dialog box.
5 In the Confirm dialog box, select an option:
  To restart the SSO service now, click OK.
  To restart the SSO service later, click Cancel.

Configure a fully qualified domain name

When you access the Management Console in your web browser, McAfee Cloud SSO saves the host name or IP address that you enter and uses it to generate all McAfee Cloud SSO service URLs. When McAfee Cloud SSO uses the local name for your computer to generate the service URLs, users on other computers might not be able to access McAfee Cloud SSO services. To ensure that users on other computers can access services, we strongly recommend that you configure a fully qualified domain name in the Management Console.

McAfee Cloud SSO must be installed on a computer that has a fully qualified domain name.

1 In the Management Console: From the Admin tab drop-down list, select Domain Settings.
2 In the Domain Settings window, configure values for the following options.

Table: FQDN and service binding domain name options (option / definition)

Enable Domain Name: When selected, allows you to specify the FQDN of the computer where McAfee Cloud SSO is installed.
Name: Specifies the FQDN of the computer where McAfee Cloud SSO is installed.
Service binding domain names (optional): Specifies one or more alternative names based on the FQDN, called service binding domain names. See the following example.
  FQDN: mcsso-service.com
  Service binding domain name: cloudapp1.mcsso-service.com

3 Click Save Settings.

Configure SMTP and remote OTP options

SMTP (Simple Mail Transfer Protocol) is a widely used protocol for sending email. In email delivery of one time passwords, the OTP server sends the one time password to an email address using an email service.

1 In the Management Console: From the Admin tab drop-down list, select Miscellaneous Settings.
2 In the Miscellaneous Settings window, configure values for the following options, then click Save.

Table: SMTP and remote OTP option definitions (option / definition)

Remote OTP Password: Specifies the password that allows McAfee Cloud SSO to access the McAfee OTP server when the server is installed with McAfee Cloud SSO. An administrator can update this password in the One Time Password server using the McAfee remote OTP configuration tool. If the password is updated in the server, it must also be updated in the Management Console.
SMTP Host: Specifies the host name or IP address of the SMTP server that sends the email messages. Default: smtp.mcafee.com
SMTP Port: Specifies the port number of the SMTP server that sends the email messages. Default: 25
Sender: Specifies the email address from which the messages are sent. Default: MCSSOAdmin@mcafee.com
Contact Admin: From the drop-down list, select an administrator. The specified administrator is the OTP technical support contact and must have an email address configured in the McAfee Cloud SSO system.

See also
Configure an OTP self-service authentication module on page 119

Select a language

You can select the language displayed in the Management Console.

1 In the Management Console: From the Admin tab drop-down list, select Language Settings.
2 In the Language Setting window: From the drop-down list, select a language. Languages: English
3 Click Save.


A Integrating RCDevs OpenOTP Authentication Server

Any OTP service can be integrated with McAfee Cloud SSO and used in place of the OTP service that comes with McAfee Cloud SSO. Using the SDK provided with McAfee Cloud SSO, you can write a user-defined OTP authentication module for the alternative OTP service, then register and configure the module in the Management Console. For example, RCDevs OpenOTP Authentication Server provides an OTP service alternative to McAfee OTP.

For more information about RCDevs OpenOTP Authentication Server and other RCDevs products, visit the RCDevs Documentation Library.

Contents
RCDevs OpenOTP Authentication Server overview
RCDevs OpenOTP high-level integration tasks
Install RCDevs OpenOTP Authentication Server
Configure RCDevs OpenOTP Authentication Server

RCDevs OpenOTP Authentication Server overview

RCDevs OpenOTP Authentication Server includes VMware appliances that are installed on a Linux operating system and come preconfigured with the following services and interfaces.
- LDAP directory servers
- SQL databases
- OpenOTP Radius Bridge services
- RCDevs WebADM Server, including HTTP/HTTPS, PKI, SOAP/XML, and Session Manager services

WebADM services are managed by LDAP administrators using a web-based management console.

Through OpenOTP Radius Bridge, RCDevs OpenOTP Authentication Server supports the following two-factor authentication schemes for LDAP users.
- OATH Time-based, Event-based, and Challenge-based Software Token
- OATH Time-based, Event-based, and Challenge-based Hardware Token
- SMS One Time Passwords
- Mail and Secure Mail One Time Passwords

- Yubico Key Hardware Token
- motp Software Token

For more information, visit the RCDevs Documentation Library.

RCDevs OpenOTP high-level integration tasks

Integrating RCDevs OpenOTP Authentication Server with McAfee Cloud SSO requires the following high-level tasks.

1 Install and configure RCDevs OpenOTP Authentication Server.
2 Using the SDK provided with McAfee Cloud SSO, create a user-defined OpenOTP authentication module. For more information, see the McAfee Cloud Single Sign On Developer's Guide.
3 In the McAfee Cloud SSO Management Console, register the user-defined OpenOTP authentication module.
4 In the McAfee Cloud SSO Management Console, configure two-factor authentication, adding the user-defined OpenOTP authentication module as the second module in the authentication chain.

See also
Two-factor authentication using one time passwords on page 80
Register a user-defined authentication module on page 129

Install RCDevs OpenOTP Authentication Server

You install RCDevs OpenOTP Authentication Server so that it can provide OTP authentication services for McAfee Cloud SSO.

Before you begin
Oracle VM VirtualBox must be installed on your Linux system. VirtualBox is virtualization software that allows guest operating systems to run in separate virtual environments.

1 Download and install the VMware appliances that come with RCDevs OpenOTP Authentication Server on a Linux server. VMware is downloaded and installed as part of an OVF package.
2 Start VMware on Oracle VM VirtualBox. The first time Linux is started, the WebADM setup script runs automatically and prompts you for the information in the next step.

3 Specify values for the options in the following table.

Table A-1 Option definitions for installing RCDevs OpenOTP Authentication Server (option / definition)

Server Fully Qualified Host Name (FQHN): Specifies the domain name and host name of the server where VMware is installed. This is also where OpenOTP is installed. Example: domainname.
Organization Name: Specifies the name of your certificate authority. Example: MyOrg
Add scripts that start when WebADM is started?: Enter y in response to this prompt.
Register the WebADM logrotate script?: Enter y in response to this prompt.
Generate a new LDAP data encryption key in /opt/webadm/conf/webadm.conf?: Enter y in response to this prompt.

The setup script starts all VMware services, the LDAP directory and MySQL database are set up and ready to use, and the WebADM graphical setup is complete.

4 To open WebADM, visit the WebADM address, where <your_server_address> specifies the host name or IP address of the server where VMware is installed. This location is also where OpenOTP is installed.
5 Log on with user name admin and password password.

Configure RCDevs OpenOTP Authentication Server

To configure RCDevs OpenOTP Authentication Server, you create and edit a sample user in the WebADM management console.

1 To open the WebADM management console, visit the WebADM address, where <your_server_address> specifies the host name or IP address of the server where VMware is installed. This location is also where OpenOTP is installed.
2 Log on with your user name and password.
3 On the menu at the top of the management console, click Create. The Create New Object pane opens.
4 Select the WebADM Account option, then click Proceed. The Create object of Type WebADM Account pane opens.
5 Specify values for the mandatory attributes in the following fields: Container, Common Name, Login Name, and Last Name.
6 Specify a value in the Address field, then click Proceed. The new user account is created.

7 On the menu at the top of the management console, click Applications. The Web Services pane opens and lists the installed web services, including the OTP Authentication Server.
8 To configure the OTP Authentication Server, click Configure. The Authentication Settings pane opens.
9 Select the Login Mode checkbox, then select OTP from the drop-down list.
10 Select the OTP Type checkbox, then select a value from the drop-down list:
  MAIL: Select this option to receive the one-time password by email.
  TOKEN (Default): Select this option to receive the one-time password from a hardware or software token.
11 Open the user account that you created in the object editor.
12 In the Application Actions box, click OTP Authentication Server.
13 Click Register/Unregister Token. The Register/Unregister Token pane opens for the user whose account you are editing.
14 From the Token Type drop-down list, select a type.
15 From the Key Mode drop-down list, select an option:
  Key generated by Token (Default)
  Key generated by Server
16 From the Key Format drop-down list, select a format. Default: Hex
17 In the Token Key field, type a key value using the key format selected from the drop-down list.
18 Click Register.
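The registration above ends with a hex Token Key and an OATH time-based or event-based token type. The following added example (not RCDevs OpenOTP or McAfee OTP code) shows what an OTP server does with such a key to validate a submitted code, using the RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms with the RFC test key; the look-ahead and clock-drift windows are assumed values.

```python
"""Validate OATH one time passwords from a hex-format token key.

Added example, not RCDevs OpenOTP or McAfee OTP code. Implements HOTP
(RFC 4226, event-based) and TOTP (RFC 6238, time-based) with HMAC-SHA1;
the look-ahead and clock-drift windows are assumed values, not product
defaults.
"""
import hashlib
import hmac
import struct

# Test key from RFC 4226 (ASCII "12345678901234567890" as hex), i.e. what an
# administrator would type into the Token Key field with Key Format = Hex.
RFC4226_KEY = "3132333435363738393031323334353637383930"


def hotp(key_hex, counter, digits=6):
    """HOTP value for one counter step (RFC 4226 section 5.3)."""
    key = bytes.fromhex(key_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key_hex, unix_time, step=30, digits=6):
    """TOTP value: HOTP over the number of elapsed time steps (RFC 6238)."""
    return hotp(key_hex, unix_time // step, digits)


def verify_event_otp(key_hex, candidate, server_counter, look_ahead=5, digits=6):
    """Event-based check. Returns the new server counter on success, else None.

    Tokens advance every time the button is pressed, so the server searches a
    small window ahead of its stored counter and then moves past the matched
    value so the same code can never be accepted twice.
    """
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(key_hex, c, digits), candidate):
            return c + 1
    return None


def verify_time_otp(key_hex, candidate, now, step=30, drift=1, digits=6):
    """Time-based check allowing +/- `drift` steps of clock skew.

    A production server also records the last accepted time step for the
    user and rejects anything at or before it, so a code cannot be replayed
    inside the drift window.
    """
    current = now // step
    for t in range(current - drift, current + drift + 1):
        if hmac.compare_digest(hotp(key_hex, t, digits), candidate):
            return True
    return False
```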

B Accessing Salesforce Chatter from a mobile device

You can configure access to Salesforce Chatter from a mobile device for end users in your organization.

Contents
Implementing SSO for Salesforce Chatter users on a mobile device
Salesforce Chatter high-level integration tasks
Management Console tasks required to integrate Salesforce Chatter
Create a custom Salesforce domain name for your organization
Configure SSO and SLO in your Salesforce administrator account
Set up the Salesforce Chatter Mobile client on the mobile device
Setting up the Pledge OTP client on the mobile device

Implementing SSO for Salesforce Chatter users on a mobile device

Whenever end users access resources, such as Chatter Mobile, from outside the organization, we recommend configuring two-factor authentication. In the following example, McAfee Cloud SSO and Salesforce Chatter implement two-factor authentication through an LDAP identity store and Pledge, a mobile OTP client, installed on the mobile device. Access to Salesforce Chatter from a mobile device also requires installing the Salesforce Chatter Mobile client on the device.

Figure B-1 Implementing SSO for Salesforce Chatter users on a mobile device

1 An end user requests access to an organization's Salesforce Chatter domain through the Salesforce Chatter Mobile client installed on a mobile device. The client is configured to forward the request to the organization's Salesforce domain.
2 Salesforce is configured to redirect the request to McAfee Cloud SSO for authentication. The redirect takes place through the Salesforce Chatter Mobile client.
3 McAfee Cloud SSO prompts the end user for credentials, which the user provides.
4 McAfee Cloud SSO authenticates the credentials against an LDAP identity store.
5 McAfee Cloud SSO prompts the end user for a one time password, which the user provides.
6 McAfee Cloud SSO validates the one time password against the McAfee OTP service.
7 McAfee Cloud SSO redirects the end user to Salesforce with the authentication result. The redirect takes place through the Salesforce Chatter Mobile client.
8 Salesforce grants the end user access to the organization's Salesforce Chatter domain.

Salesforce Chatter high-level integration tasks

Integrating Salesforce Chatter with McAfee Cloud SSO requires the following high-level tasks.

Table B-1 Salesforce Chatter high-level integration tasks (where / tasks)

Management Console:
  Create a Salesforce Cloud Connector
  Disable SSL in the bootstrap.xml file
Salesforce administrator account:
  Create a custom Salesforce domain name for your organization
  Configure SSO and SLO
Mobile device:
  Set up the Salesforce Chatter Mobile client
  Set up the Pledge OTP client

Management Console tasks required to integrate Salesforce Chatter

Create a Salesforce Cloud Connector in the Management Console. The connector allows McAfee Cloud SSO to provide identity and SSO services to end users who want to access Salesforce Chatter from outside the organization on a mobile device.

Table B-2 Management Console tasks required to integrate Salesforce Chatter (task / description)

Create a Salesforce Cloud Connector in the Management Console: Create a Salesforce Cloud Connector, so that McAfee Cloud SSO can connect to and communicate with the Salesforce application, the LDAP identity store, and the McAfee OTP service.
  1 Create an authentication chain Identity Connector consisting of an LDAP and an OTP authentication module. When configuring the OTP authentication module, select UID from the Target OTP Attribute drop-down list.
  2 Create a Salesforce Cloud Connector and select the Identity Connector you configured in the previous step.

Disable SSL in the bootstrap.xml file: Comment out the code in the bootstrap.xml file that enables SSL in McAfee OTP. When SSL is enabled, the Chatter login fails: the default SSL certificate is self-signed, and Chatter does not allow self-signed certificates.
  1 Locate the bootstrap.xml file in the following directory: C:\Program Files\McAfee\CIM\SSO\current\configuration
  2 Open the file in a text editor and comment out the following lines of code:

    <SSLConfiguration>
      <certificatealias>jetty</certificatealias>
      <keystore>keystore</keystore>
      <keystorepassword>...</keystorepassword>
    </SSLConfiguration>

  Disabling SSL is a requirement.

Create a custom Salesforce domain name for your organization

When members of your organization log in to Salesforce and use Salesforce applications, your domain name appears in the URLs.

1 In your Salesforce administrator account, select Setup > Administration Setup > Company Profile > My Domain. The My Domain page opens.
2 Select, register, test, and deploy a custom Salesforce domain name for your organization. Format: where <your-domain-name> specifies the domain name you select. Example:

Configure SSO and SLO in your Salesforce administrator account

To allow end users in your organization to access Salesforce Chatter from a mobile device, configure SSO and SLO in your Salesforce administrator account.

Before you begin
To configure SSO and SLO in your Salesforce account, acquire the values for the following options located on the SAML Assertion step of the Salesforce Cloud Connector wizard:
  SAML assertion issuer
  Identity Provider Login URL
  Identity Provider Logout URL

1 In your Salesforce administrator account, select Setup > Administration Setup > Security Controls > Single Sign-On Settings. The Single Sign-On Settings page opens.
2 Click Edit, then select SAML Version.
3 To specify the SAML User ID Type, select the Assertion contains the Federation ID from the User object option.
4 To specify the SAML User ID Location, select the User ID is in an Attribute element option.
5 Copy the name from the SAML Assertion Issuer field on the SAML Assertion step of the Salesforce Cloud Connector wizard to the Issuer field in your Salesforce account.
6 Upload the public certificate to Salesforce. The public certificate corresponds to the signing key pair you selected on the SAML Assertion step of the Salesforce Connector wizard. The Identity Provider Certificate field populates with the certificate information.
7 Specify mail in the Attribute name field.
8 Copy and paste the Identity Provider Login URL from the SAML Assertion step of the Salesforce Cloud Connector wizard to the corresponding field in your Salesforce account.

9 Copy and paste the Identity Provider Logout URL from the SAML Assertion step of the Salesforce wizard to the corresponding field in your Salesforce account.
10 Save the settings. SSO and SLO are enabled in Salesforce.

Set up the Salesforce Chatter Mobile client on the mobile device

To access Salesforce Chatter from the mobile device, download and set up the Salesforce Chatter Mobile client on the mobile device.

1 From the Salesforce store, download the Salesforce Chatter Mobile client to the mobile device.
2 On the mobile device, specify the domain name that you registered in Salesforce for the Custom Host. Omit the string from the domain name. Example: mcsso-org.my.salesforce.com

Setting up the Pledge OTP client on the mobile device

To support two-factor authentication with one time password as the second factor, download and set up the Pledge OTP client on the mobile device. For more information, see the McAfee One Time Password Product Guide.
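The SSO settings in the "Configure SSO and SLO" procedure above (Issuer copied from the wizard, user ID carried in an Attribute element named mail, value matched against the user's Federation ID) describe how the service provider reads the assertion. The following added example, which is not McAfee Cloud SSO or Salesforce code, shows that relying-party check over a constructed sample assertion; the issuer value and user data are made up, and signature verification is assumed to have happened already.

```python
"""Check a SAML 2.0 assertion against the Salesforce settings described above.

Added example, not McAfee Cloud SSO or Salesforce code. It assumes the
assertion has already been signature-checked and is available as XML text;
the issuer value and user data below are constructed samples.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: what an IdP sends when the user ID travels in an
# Attribute element named "mail" (Salesforce steps 4 and 7 above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">
  <saml:Issuer>https://mcsso.example.com/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_x7f</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_user_id(assertion_xml, expected_issuer, attribute_name="mail"):
    """Return {"ok": True, "user_id": ...} or {"ok": False, "error": ...}.

    Mirrors the relying-party side of the Salesforce configuration: the
    Issuer must equal the value copied from the SAML Assertion Issuer field,
    and the user ID is read from the named Attribute rather than from
    Subject/NameID. The returned value is what Salesforce compares to the
    user's Federation ID.
    """
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:
        return {"ok": False, "error": f"not well-formed XML: {exc}"}

    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        return {"ok": False, "error": "root element is not a SAML 2.0 Assertion"}
    if root.get("Version") != "2.0":
        return {"ok": False, "error": "unexpected SAML version"}

    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        # Either the assertion came from a different IdP, or the Issuer field
        # in Salesforce was not copied exactly from the wizard.
        return {"ok": False, "error": f"issuer mismatch: {issuer!r}"}

    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values.extend(v.text.strip()
                          for v in attr.findall("saml:AttributeValue", SAML_NS)
                          if v.text)

    if len(values) != 1:
        # Zero values: the IdP did not release the attribute.
        # More than one: the mapping to a single Federation ID is ambiguous.
        return {"ok": False,
                "error": f"expected exactly one {attribute_name!r} value, got {len(values)}"}
    return {"ok": True, "user_id": values[0]}
```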


epolicy Orchestrator Log Files

epolicy Orchestrator Log Files Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

McAfee Content Security Reporter 1.0.0 Software

McAfee Content Security Reporter 1.0.0 Software Product Guide Revision A McAfee Content Security Reporter 1.0.0 Software For use with epolicy Orchestrator 4.6.2 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

Installation Guide. McAfee SaaS Endpoint Protection 6.0

Installation Guide. McAfee SaaS Endpoint Protection 6.0 Installation Guide McAfee SaaS Endpoint Protection 6.0 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Installation Guide. McAfee SaaS Endpoint Protection

Installation Guide. McAfee SaaS Endpoint Protection Installation Guide McAfee SaaS Endpoint Protection COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release)

Product Guide. McAfee SaaS Endpoint Protection (October, 2012 release) Product Guide McAfee SaaS Endpoint Protection (October, 2012 release) COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2003

Setup Guide. Email Archiving for Microsoft Exchange Server 2003 Setup Guide Email Archiving for Microsoft Exchange Server 2003 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Setup Guide Revision A. WDS Connector

Setup Guide Revision A. WDS Connector Setup Guide Revision A WDS Connector COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee CleanBoot, McAfee

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

McAfee Enterprise Mobility Management 11.0 Software

McAfee Enterprise Mobility Management 11.0 Software Installation Guide McAfee Enterprise Mobility Management 11.0 Software For use with epolicy Orchestrator 4.6.5-5.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.0.0 Software Installation Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1 PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2010

Setup Guide. Email Archiving for Microsoft Exchange Server 2010 Setup Guide Email Archiving for Microsoft Exchange Server 2010 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software

Product Guide. McAfee epolicy Orchestrator 5.3.0 Software Product Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0

Product Guide. McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 Product Guide McAfee Security-as-a-Service Partner SecurityDashboard 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6

Integration Guide. McAfee Asset Manager. for use with epolicy Orchestrator 4.6 Integration Guide Manager for use with epolicy Orchestrator 4.6 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Product Guide. McAfee Endpoint Protection for Mac 2.1.0

Product Guide. McAfee Endpoint Protection for Mac 2.1.0 Product Guide McAfee Endpoint Protection for Mac 2.1.0 COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

Sophos Mobile Control Installation guide. Product version: 3

Sophos Mobile Control Installation guide. Product version: 3 Sophos Mobile Control Installation guide Product version: 3 Document date: January 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...16 4 External

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Kony MobileFabric. Sync Windows Installation Manual - WebSphere. On-Premises. Release 6.5. Document Relevance and Accuracy

Kony MobileFabric. Sync Windows Installation Manual - WebSphere. On-Premises. Release 6.5. Document Relevance and Accuracy Kony MobileFabric Sync Windows Installation Manual - WebSphere On-Premises Release 6.5 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and

More information

Setup Guide. Email Archiving for Microsoft Exchange Server 2007

Setup Guide. Email Archiving for Microsoft Exchange Server 2007 Setup Guide Email Archiving for Microsoft Exchange Server 2007 COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Sophos Mobile Control Installation guide. Product version: 3.6

Sophos Mobile Control Installation guide. Product version: 3.6 Sophos Mobile Control Installation guide Product version: 3.6 Document date: November 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...5 3 Set up Sophos Mobile Control...11 4 External

More information

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4

How To Encrypt Files And Folders With A Password Protected By A Password Encrypted By A Safesafe (Mafee) 4.2.2 (Eeff) 4 Product Guide McAfee Endpoint Encryption for Files and Folders 4.2 For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Administering Jive for Outlook

Administering Jive for Outlook Administering Jive for Outlook TOC 2 Contents Administering Jive for Outlook...3 System Requirements...3 Installing the Plugin... 3 Installing the Plugin... 3 Client Installation... 4 Resetting the Binaries...4

More information

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0

Product Guide. McAfee Endpoint Security for Mac Threat Prevention 10.1.0 Product Guide McAfee Endpoint Security for Mac Threat Prevention 10.1.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software

Installation Guide Revision B. McAfee epolicy Orchestrator 5.1.0 Software Installation Guide Revision B McAfee epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

McAfee Enterprise Mobility Management 12.0 Software

McAfee Enterprise Mobility Management 12.0 Software Installation Guide McAfee Enterprise Mobility Management 12.0 Software For use with epolicy Orchestrator 4.6.7-5.1 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK

More information

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software

User Guide. FIPS Mode. For use with epolicy Orchestrator 4.6.x Software User Guide FIPS Mode For use with epolicy Orchestrator 4.6.x Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active

More information

Desktop Release Notes. Desktop Release Notes 5.2.1

Desktop Release Notes. Desktop Release Notes 5.2.1 Desktop Release Notes Desktop Release Notes 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee Client Proxy 2.0

McAfee Client Proxy 2.0 Product Guide Revision B McAfee Client Proxy 2.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com

More information

McAfee Database Activity Monitoring 5.0.0

McAfee Database Activity Monitoring 5.0.0 Product Guide McAfee Database Activity Monitoring 5.0.0 For use with epolicy Orchestrator 4.6.3-5.0.1 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software

Best Practices Guide. McAfee epolicy Orchestrator 5.0.0 Software Best Practices Guide McAfee epolicy Orchestrator 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0

Installation Guide. McAfee SaaS Endpoint Protection 5.2.0 Installation Guide McAfee SaaS Endpoint Protection 5.2.0 COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

OnCommand Performance Manager 1.1

OnCommand Performance Manager 1.1 OnCommand Performance Manager 1.1 Installation and Setup Guide For Red Hat Enterprise Linux NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501

More information

Installation Guide for Pulse on Windows Server 2012

Installation Guide for Pulse on Windows Server 2012 MadCap Software Installation Guide for Pulse on Windows Server 2012 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

McAfee Client Proxy 1.0.0 Software

McAfee Client Proxy 1.0.0 Software Product Guide McAfee Client Proxy 1.0.0 Software For use with epolicy Orchestrator 4.6 Software COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the

More information

JAMF Software Server Installation and Configuration Guide for OS X. Version 9.2

JAMF Software Server Installation and Configuration Guide for OS X. Version 9.2 JAMF Software Server Installation and Configuration Guide for OS X Version 9.2 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide

More information

AVG Business SSO Partner Getting Started Guide

AVG Business SSO Partner Getting Started Guide AVG Business SSO Partner Getting Started Guide Table of Contents Overview... 2 Getting Started... 3 Web and OS requirements... 3 Supported web and device browsers... 3 Initial Login... 4 Navigation in

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Enterprise Manager. Version 6.2. Installation Guide

Enterprise Manager. Version 6.2. Installation Guide Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1

More information

XenClient Enterprise Synchronizer Installation Guide

XenClient Enterprise Synchronizer Installation Guide XenClient Enterprise Synchronizer Installation Guide Version 5.1.0 March 26, 2014 Table of Contents About this Guide...3 Hardware, Software and Browser Requirements...3 BIOS Settings...4 Adding Hyper-V

More information

Installation Guide for Pulse on Windows Server 2008R2

Installation Guide for Pulse on Windows Server 2008R2 MadCap Software Installation Guide for Pulse on Windows Server 2008R2 Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software

More information

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software

Installation Guide. McAfee epolicy Orchestrator 5.3.0 Software Installation Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software Installation Guide McAfee Security for Microsoft Exchange 7.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

McAfee SiteAdvisor Enterprise 3.5.0

McAfee SiteAdvisor Enterprise 3.5.0 Product Guide Revision McAfee SiteAdvisor Enterprise 3.5.0 for use with epolicy Orchestrator 4.5 4.6 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Synchronizer Installation

Synchronizer Installation Synchronizer Installation Synchronizer Installation Synchronizer Installation This document provides instructions for installing Synchronizer. Synchronizer performs all the administrative tasks for XenClient

More information

McAfee MOVE AntiVirus (Agentless) 3.6.0

McAfee MOVE AntiVirus (Agentless) 3.6.0 Product Guide McAfee MOVE AntiVirus (Agentless) 3.6.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

McAfee Data Loss Prevention 9.3.0

McAfee Data Loss Prevention 9.3.0 Product Guide Revision E McAfee Data Loss Prevention 9.3.0 For use with epolicy Orchestrator 4.5, 4.6, 5.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

Sophos Mobile Control Installation guide

Sophos Mobile Control Installation guide Sophos Mobile Control Installation guide Product version: 2.5 Document date: July 2012 Contents 1 Introduction... 3 2 The Sophos Mobile Control server... 4 3 Set up Sophos Mobile Control... 13 4 Running

More information

IDENTIKEY Server Windows Installation Guide 3.2

IDENTIKEY Server Windows Installation Guide 3.2 IDENTIKEY Server Windows Installation Guide 3.2 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials

More information

JAMF Software Server Installation and Configuration Guide for Windows. Version 9.3

JAMF Software Server Installation and Configuration Guide for Windows. Version 9.3 JAMF Software Server Installation and Configuration Guide for Windows Version 9.3 JAMF Software, LLC 2014 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this

More information

Introduction to Mobile Access Gateway Installation

Introduction to Mobile Access Gateway Installation Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

More information

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software

Product Guide Revision A. McAfee Secure Web Mail Client 7.0.0 Software Product Guide Revision A McAfee Secure Web Mail Client 7.0.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Administration Guide Revision E. Account Management. For SaaS Email and Web Security

Administration Guide Revision E. Account Management. For SaaS Email and Web Security Administration Guide Revision E Account Management COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK ATTRIBUTIONS

More information

WhatsUp Gold v16.1 Installation and Configuration Guide

WhatsUp Gold v16.1 Installation and Configuration Guide WhatsUp Gold v16.1 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.1 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Product Guide. McAfee Endpoint Security 10

Product Guide. McAfee Endpoint Security 10 Product Guide McAfee Endpoint Security 10 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE,

More information

Request Manager Installation and Configuration Guide

Request Manager Installation and Configuration Guide Request Manager Installation and Configuration Guide vcloud Request Manager 1.0.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Best Practices Revision A. McAfee Email Gateway 7.x Appliances

Best Practices Revision A. McAfee Email Gateway 7.x Appliances Best Practices Revision A McAfee Email Gateway 7.x Appliances COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

RSA Authentication Manager 8.1 Virtual Appliance Getting Started

RSA Authentication Manager 8.1 Virtual Appliance Getting Started RSA Authentication Manager 8.1 Virtual Appliance Getting Started Thank you for purchasing RSA Authentication Manager 8.1, the world s leading two-factor authentication solution. This document provides

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com

More information

IDENTIKEY Server Windows Installation Guide 3.1

IDENTIKEY Server Windows Installation Guide 3.1 IDENTIKEY Server Windows Installation Guide 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis,

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

McAfee VirusScan and epolicy Orchestrator Administration Course

McAfee VirusScan and epolicy Orchestrator Administration Course McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information