Cloud Authentication Getting Started Guide
Version
Copyright 2011 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet, SafeNet Authentication Manager and SafeNet Authentication Client are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of Original Publication: March 2010
PN
Last update: May 5, 2011
Contacting SafeNet

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact the SafeNet technical support team helpdesk, which is available 24 hours a day, seven days a week:

Country/Region    Telephone
USA
International

For further assistance, submit additional questions to the SafeNet technical support team at the following web page:

For assistance via to SafeNet technical support, send the request to the following address:

Target Audience

This Getting Started Guide should be read by system administrators who wish to integrate SafeNet Cloud Authentication.
Table of Contents

Introduction ... 1
Summary ... 2
Prerequisites and requirements ... 2
Product Requirements ... 3
Configuring the Cloud Server and the Cloud Portal ... 5
Adding a Portal Connection ... 6
Configuring a Portal Connection ... 9
Customizing the Cloud Portal
Manually configuring the AAA Server for the Portal
Using the Cloud Portal ... 21
Chapter 1
Introduction

This guide describes installing and using the SafeNet Cloud Authentication feature. It includes information about setting up and administering the Cloud Authentication Server and the Cloud Portal.

This chapter contains the following information:
- Summary of the Cloud Authentication Server and Cloud Portal
- Prerequisites and requirements
Summary

The Cloud Authentication Server and the Cloud Portal component provide seamless SafeWord strong authentication for SafeWord token users accessing the SaaS (Software as a Service) applications Google Apps and Salesforce.com. When a user accesses the Cloud Portal, whether initiated by the Identity Provider (SafeWord 2008) or by the Service Provider (Google Apps or Salesforce.com), they are prompted for their credentials, authenticated, and then logged in to the SaaS application.

The Cloud Server runs on Windows Server 2003 and
The Server should be installed internally, but the user-facing Cloud Portal can be installed in a DMZ for external access.

Prerequisites and requirements

This section outlines the components, prerequisites and requirements for installing and using the Cloud Authentication Server and the Cloud Portal. For complete network, hardware/software, component and optional SafeWord agent requirements, see the SafeWord 2008 Administration Guide.

The Cloud Authentication components include:
- SafeWord 2008, version with ESP
- Cloud Authentication Server (must be installed on at least one machine in your network)
- Cloud Portal

Note: You will need a valid ESP (Enterprise Solution Pack) license to use Cloud Authentication. Your SafeWord package includes a 30-day evaluation of ESP features, including Cloud Authentication. Please contact your SafeWord reseller or browse to the SafeNet corporate site at to purchase a valid ESP license.
Product Requirements

The minimum hardware and software requirements for installing and running SafeWord 2008, the Cloud Server, and the Cloud Portal are summarized below:

CPU: Pentium IV or 1.8 GHz (minimum), 2 GHz (recommended)
OS: Server: 32- or 64-bit Windows Server 2003 (R2 SP2), Windows 2008 (R2 SP1)
    Desktop: 32- or 64-bit Windows XP (SP2), Windows 7, Vista
RAM: 1 GB (minimum), 4 GB (recommended)
Disk Space: 3 to 5 GB (minimum), 10 GB (recommended) on an NTFS-formatted drive
Cloud Server and Portal: .NET Framework 2.0; IIS with ASP.NET 2.0 enabled

Note: The SafeWord installation will automatically attempt to install the Cloud Server and Portal prerequisites if they are not already present.

Additionally, SafeNet recommends the following user storage options:
- When users are stored inside the firewall: Install the Cloud Server and the Cloud Portal inside the firewall.
- When some users are stored inside the firewall, and others are stored outside the firewall: Install the Cloud Server inside the firewall. Install the Cloud Portal outside the firewall.
- When all users are stored outside the firewall: Install the Cloud Server inside the firewall. Install the Cloud Portal outside the firewall.

For complete cloud authentication installation information, refer to the SafeWord 2008 Administration Guide. It is available for download at
Chapter 2
Configuring the Cloud Server and the Cloud Portal

This chapter explains how to configure the Cloud Authentication Server and the Cloud Portal. It includes the following sections:
- Adding a Portal Connection
- Configuring a Portal Connection
- Customizing the Cloud Portal
- Manually configuring the AAA Server for the Portal
Adding a Portal Connection

A connection to the Cloud Server must be added for the Cloud Portal. This connection is configured using the Portals Configuration tool on the machine where the Cloud Portal is installed.

To add a portal connection:

1. On the machine where the portal is installed, click the Windows Start menu, and then select Programs > Aladdin > SafeWord > Portals Configuration. The SafeNet Authentication Manager Portals Configuration window is displayed.

2. Select the Connections tab, and then click the Add button. The Connection Details window is displayed. This is the connection to the Cloud Server where strong authentication occurs via the Cloud Portal; you configure the Cloud Portal to communicate with the Cloud Server here. Ensure that ports 5030 and/or 5031 are open for successful authentications.
The Cloud Server need not reside on the same machine where SafeWord 2008 is installed, but it must be installed on a machine somewhere in your network.

3. Complete the following fields:
   a. Enter a name for this connection in the Connection Name field.
   b. Enter the Cloud Server URL in the Backend Server URL field. This is the host name of the Cloud Server in URL format.
   c. Enter a username in the Username field. This is the credential for connecting to the Cloud Server, as specified during the installation.
   d. Enter the password in the Password field. This password is used for logging on to the Cloud Server. It was set during installation.
   e. Click the Select button. The Select SAM Instance window displays.

4. Select SafeWord from the SAM Instance Name menu.

5. Click OK. A message window is displayed.
The message informs you that the SAMPortalsAppPool IIS Application Pool must be restarted for the configuration changes to take effect. When the configuration is changed, the SAMPortalsAppPool IIS Application Pool restarts automatically when the Portals Configuration window is closed.

6. Click the Yes button. The New Connection window is displayed. The new connection is added to the list of connections in the Portals Configuration window.
Configuring a Portal Connection

Use the Cloud Configuration tab of the Portals Configuration tool to configure a Cloud Portal connection.

To configure a portal connection:

1. Open the Portals Configuration tool by selecting Start > Programs > Aladdin > SafeWord > Portals Configuration.

2. On the Portals Configuration window, click the Cloud Configuration tab.

3. Click the Add button. The Cloud Configuration Settings window is displayed.
4. On the Cloud Configuration Settings window, under the General pane, enter a name for this configuration in the Configuration Name field.

5. Select Google Apps or Force.com from the Service Providers list.

   When users log onto the Cloud Portal, they enter their usual SafeWord username. The username that is passed to the cloud application can be configured to be the same as the SafeWord username, a personalization data attribute for users stored in the SafeWord database, or an attribute stored in Active Directory. Each user who will log onto the Cloud Portal must have an account at the service provider.

6. In the Username Passed to the Service Provider pane, select how the username will be passed to the service provider:
   - If the Username entered in the cloud portal option is selected, ensure that the SafeWord username is exactly the same as the name used in Google Apps or Salesforce.com, and then continue to the next numbered step.
   - If the User attribute in the user store option is selected:
     o For users stored in the SafeWord database, select an attribute from the fixed set of attribute values (CloudName1 through CloudName5). Also, ensure that the personalization data attribute name matches the name used in the SafeWord database. For more information about associating user attributes using the Administration Console, see the SafeWord 2008 Administration Guide.
     o For users stored in Active Directory, select the attribute name (mail, for example) from the list. Also, ensure that the user attribute value (mail) matches the user's cloud ID.

7. Select who will initiate authentication by choosing one of the following:
   - Authentication requests must be initiated by the Service Provider only: select this when the user will log in using the Service Provider URL.
   - Authentication requests can be initiated by either the Service Provider or the SafeNet Identity Provider: select this when the user will log in using the SafeNet Cloud Portal URL or the Service Provider URL. (Supported in the Salesforce.com environment only.)

8. Click OK. You are returned to the Cloud Configuration tab. The new configuration(s) appear under the Name column.

9. Restart the SAMPortalsAppPool for the changes to take effect.
Customizing the Cloud Portal

The Portal Settings feature allows you to customize the Cloud Portal. You can configure the links that will display, configure Single Sign-on (SSO), export server certificates, set up arbitrary values, and associate user attributes using the Administration Console.

To configure displayed links:

1. From the Cloud Configuration tab, select one of the provider names to highlight it, and then click the Portal Options button. The Portal Settings window appears.

   The settings in this window are optional. They apply to Google Apps and Salesforce.com. The option to send the OTP in a message is only available when using a Messaging token. The Challenge Code option is not available with SafeWord 2008 at this time.

2. In the Displayed Links pane, select the Send me the OTP in a message check box.
To configure SSO:

1. Browse to the sccservers file at <install_dir>\servers\shared\sccservers.ini.

2. Set the SSO feature to ON by adding the lines below to the sccservers file (the SSO timeout unit is minutes):

   Cloud_Enable_SSO=on
   Cloud_SSO_Timeout=30

3. Save and close the sccservers file.

4. Open the Portal Settings window.

5. Select the End SSO session upon sign-out check box, located in the lower pane of the window. The user's browser will now delete the cookie when the user logs out of their cloud application session, and the user will be forced to re-authenticate when accessing multiple cloud providers. If this check box is left clear, users authenticate once and are able to access multiple cloud providers without re-authenticating. For security purposes, SafeNet recommends selecting the End SSO session upon sign-out option, forcing the user to re-authenticate when they sign out of one cloud provider and access another.

6. Click OK. You are returned to the Cloud Configuration tab.
7. Select the required provider from the list, and then click the Info for Service Provider... button. The selected service provider's Cloud Configuration Information window and the Domain URL window appear.

8. In the Domain URL field, enter the URL of the server where you installed the Cloud Portal, and then click OK. The Cloud Configuration window with your custom information appears.

To export server certificates:

1. From the Cloud Configuration Info window, click the Export Certificate button in the lower pane. The Save As window appears.

2. Enter a file name for this certificate, and then click the Save button. This certificate is imported into the Google Apps or Force.com portal when you configure SSO for that provider.

3. You are returned to the Cloud Configuration Info window. Click Close.
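The following is an added example, not SafeNet code: it audits the two Cloud SSO lines the SSO procedure above puts in sccservers.ini and reports the conditions the guide warns about (SSO on without the End SSO session upon sign-out option, a missing or non-numeric timeout). It assumes the file is plain key=value lines as shown in step 2, that keys are matched case-insensitively, and that the check-box state is passed in as a boolean because it lives in the Portal Settings window, not in the file; the 30-minute warning threshold is an assumption mirroring the guide's sample value.

```python
"""Added example (not SafeNet's code): audit the Cloud SSO settings that the
guide tells you to add to <install_dir>\\servers\\shared\\sccservers.ini."""

# Constructed sample content in the key=value format the guide shows.
SAMPLE_INI = """
; constructed sample, not a real sccservers.ini
Cloud_Enable_SSO=on
Cloud_SSO_Timeout=30
"""

# Assumption: flag SSO sessions longer than the guide's sample value.
MAX_RECOMMENDED_TIMEOUT_MIN = 30


def parse_sccservers(text):
    """Return {lowercased key: value} from key=value lines.

    Blank lines and ';' / '#' comment lines are ignored (assumed syntax);
    any other line without '=' is treated as malformed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_sso(text, end_sso_on_signout):
    """Return (sso_enabled, timeout_minutes, findings).

    end_sso_on_signout is the state of the 'End SSO session upon sign-out'
    check box in the Portal Settings window (True when selected)."""
    settings = parse_sccservers(text)
    findings = []
    enabled = settings.get("cloud_enable_sso", "off").lower() == "on"
    timeout = None
    if enabled:
        raw = settings.get("cloud_sso_timeout")
        if raw is None or not raw.isdigit():
            findings.append("Cloud_SSO_Timeout missing or not an integer (minutes)")
        else:
            timeout = int(raw)
            if timeout > MAX_RECOMMENDED_TIMEOUT_MIN:
                findings.append(
                    f"SSO timeout {timeout} min exceeds {MAX_RECOMMENDED_TIMEOUT_MIN} min")
        if not end_sso_on_signout:
            findings.append("'End SSO session upon sign-out' is clear: users are "
                            "not re-authenticated across providers")
    return enabled, timeout, findings


if __name__ == "__main__":
    for checked in (True, False):
        print(checked, audit_sso(SAMPLE_INI, checked))
```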
To use arbitrary attributes:

1. Administrators set arbitrary attributes in the user record by customizing the web.config file. Locate and open the web.config file at:
   <install_dir>\Program Files\SafeNet\Authentication\SAM\x64\Web\samwebapi (for 64-bit systems)
   <install_dir>\Program Files\SafeNet\Authentication\SAM\x32\Web\samwebapi (for 32-bit systems)
   The web.config file is located on the machine where the backend server is installed.

2. Add the following line at the end of the appSettings section in the file:
   <add key="CloudIDMappings" value="department=department;division=division" />

3. Restart the IIS server for the changes to take effect. If your users are stored in ADUC, the new attribute appears in the menu on the Edit Configuration screen. If your users are stored in the SafeWord database, refer to the SafeWord 2008 Administration Guide to associate the attribute using the SafeWord Administration Console.
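As an added example (not part of the product or this guide), the script below reads the CloudIDMappings entry from the samwebapi web.config appSettings section and parses its value into a dictionary, rejecting malformed, empty or duplicate pairs before they reach IIS. It assumes the value format is exactly the semicolon-separated name=attribute form shown in step 2 (the guide does not spell out the meaning of each side), and the sample web.config, including its AAAHost value, is constructed for the example.

```python
"""Added example (not SafeNet's code): extract and validate the CloudIDMappings
appSettings value from a samwebapi web.config document."""
import xml.etree.ElementTree as ET

# Constructed sample; the AAAHost value is a placeholder, not a real host.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="AAAHost" value="aaa.example.test" />
    <add key="CloudIDMappings" value="department=department;division=division" />
  </appSettings>
</configuration>
"""


def read_app_setting(config_xml, key):
    """Return the value attribute of <add key=... value=...> under
    <appSettings>, or None when the key is absent."""
    root = ET.fromstring(config_xml)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def parse_cloud_id_mappings(value):
    """Parse 'name=attribute;name=attribute' into a dict.

    Empty segments (e.g. a trailing ';') are ignored; a segment without '=',
    an empty side, or a repeated name raises ValueError so a typo is caught
    before the IIS restart rather than silently dropping a mapping."""
    mappings = {}
    for pair in filter(None, (p.strip() for p in value.split(";"))):
        if "=" not in pair:
            raise ValueError(f"mapping {pair!r} is not name=attribute")
        name, attr = (part.strip() for part in pair.split("=", 1))
        if not name or not attr:
            raise ValueError(f"mapping {pair!r} has an empty side")
        if name in mappings:
            raise ValueError(f"duplicate mapping name {name!r}")
        mappings[name] = attr
    return mappings


def cloud_id_mappings(config_xml):
    """Mappings dict from a web.config document; {} when CloudIDMappings is unset."""
    value = read_app_setting(config_xml, "CloudIDMappings")
    return parse_cloud_id_mappings(value) if value else {}


if __name__ == "__main__":
    print(cloud_id_mappings(SAMPLE_WEB_CONFIG))
```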
To configure SSO in Google Apps:

1. Ensure that the Google Apps cloud portal is configured.

2. Browse to Google Apps, and select Advanced Tools > Authentication > Set up Single Sign-on (SSO).

3. Select the Enable Single Sign-on option.

4. Using the information displayed in the Cloud Configuration Info window, do the following:
   a. Add the Sign-in page URL in the Sign-in page field.
   b. Add the Sign-out page URL in the Sign-out page URL field.
   c. Add the Change password URL in the Change password URL field.
   The sign-in URL, sign-out URL, and change password URL fields must be exactly the same as those used on the Cloud Configuration tab.

5. In the Verification Certificate field, click the Browse button, and then do the following:
   a. Navigate to the verification certificate.
   b. Select the certificate.
   The verification certificate is the certificate exported in the Cloud Configuration Info window.
To configure SSO in Force.com:

1. Ensure that the Force.com cloud portal is configured.

2. Browse to Force.com and log in.

3. Select Setup > Security controls > Single sign-on settings.

4. Select SAML Enabled.

5. Select SAML version

6. Click the Browse button (located next to the Identity Provider Certificate field), and then navigate to the certificate that was exported in the Cloud Configuration Info window.

7. Enter the Issuer into the Issuer field. This is the issuer shown on the Cloud Configuration Info window. The field is case-sensitive; ensure that the information is exactly as displayed in the Cloud Configuration window.

8. Click the Save button. The salesforce.com login URL is displayed.

9. If you are using the Identity Provider-initiated setup, copy the salesforce.com login URL, and then paste it into the Service provider's login URL field on the Edit Configuration window.
Manually configuring the AAA Server for the Portal

You can manually configure the AAA Server to communicate with the Cloud Portal using the Internet Information Services (IIS) Manager tool. The process varies slightly between Windows 2008 and Windows 2003. If you are configuring the AAA Server on a Windows 2008 machine, continue to the next section. If you are configuring on a Windows 2003 machine, see To configure the AAA Server on a Windows 2003 machine.

To configure the AAA Server on a Windows 2008 machine:

1. On a Windows 2008 machine where the Cloud Server is installed, select Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

2. Expand the directory tree in the far left column, and then highlight the samwebapi icon.

3. Double-click the Application Settings icon.

4. On the Application Settings window, select the AAAHost line, and then click Edit on the far right side of the pane under the Actions column.

5. Set the desired host name or IP address value for AAAHost.

6. Click OK and restart IIS.
To configure the AAA Server on a Windows 2003 machine:

1. On a Windows 2003 machine where the Cloud Server is installed, select Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

2. Expand the directory tree in the far left column, and then highlight the samwebapi virtual directory.

3. Right-click the virtual directory, and then select Properties.

4. Select the ASP.NET tab, and then click the Edit Configuration button. The ASP.NET Configuration Settings window appears.

5. Click the General tab.

6. Select the AAAHost line, and then click the Edit button.

7. Set the desired host name or IP address value for AAAHost.

8. Click OK and restart IIS.
Chapter 3
Using the Cloud Portal

This chapter explains how end users log onto the portal. Once an application has been configured for cloud portal authentication, the administrator should provide users with the following instructions for logging onto the portal:

1. Open a web browser, and do one of the following:
   - If the authentication request is being initiated by the Service Provider, navigate to the SaaS application's website.
   - If the authentication request is being initiated by the Identity Provider, navigate to the Cloud Authentication Portal Logon Page.
   The Cloud Authentication Portal window displays. Ensure that the web browser is configured to accept cookies for successful authentications to the Cloud Portal.
2. Enter your username in the Username field.

3. Depending on the type of token you are using, do one of the following:
   - For software and hardware token users, generate a passcode on the device.
   - For messaging token users, click Send me an OTP in a message on the logon page. A passcode is sent to your mobile device or address, and a Message Sent confirmation displays.
   - If you do not have a token assigned, enter your memorized password (users in the SafeWord database) or your Active Directory password.
   The Message Sent window displays.

4. Enter the passcode into the OTP Authentication Code field.

5. Select the Remember username check box if you want this computer to remember your name the next time the Cloud Authentication Portal opens.

6. Click the Log on button. You are authenticated to the application's site.