This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:


CHAPTER 1
SAML Single Sign-On

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Junos Pulse Secure Access Service SAML 2.0 SSO Solutions
Secure Access Service SAML 2.0 Configuration Tasks
SAML Web Browser SSO Example: Google Apps

Junos Pulse Secure Access Service SAML 2.0 SSO Solutions

This section provides a brief overview of the Security Assertion Markup Language (SAML) standard produced and approved by the Organization for the Advancement of Structured Information Standards (OASIS). It includes the following topics:

Understanding SAML SSO
Secure Access Service SAML Supported Features Reference

Understanding SAML SSO

This topic provides a reference to the Security Assertion Markup Language (SAML) standard and an overview of SAML use cases. It includes the following information:

About SAML
SAML Use Cases

About SAML

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. SAML is used primarily to implement Web browser single sign-on (SSO). SAML enables businesses to leverage an identity-based security system like the Junos Pulse Secure Access Service to enforce secure access to Web sites and other resources without prompting the user with more than one authentication challenge.

For complete details on the SAML standard, see the OASIS website:

SAML Use Cases

This section provides a brief summary of the primary SAML use cases. It includes the following information:

SAML SSO
SAML ACL

SAML SSO

SAML is primarily used to enable Web browser single sign-on (SSO). The user experience objective for SSO is to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials. The security objective is to ensure the authentication requirements are met at each security checkpoint.

In an SSO transaction, the SAML services implemented at each secured system exchange requests and assertions to determine whether to allow access. The SAML assertions used in SSO transactions include authentication statements and attribute statements.

SAML ACL

SAML can be used to enforce access control list (ACL) permissions. In an ACL transaction, the SAML services implemented for each secured system exchange assertions to determine whether a user can access the resource. The SAML assertions used in ACL transactions include authorization requests and authorization decision statements.

Related Documentation

Secure Access Service SAML Supported Features Reference
Configuring Secure Access Service as a SAML Service Provider
Configuring Secure Access Service as a SAML Identity Provider
Configuring a SAML ACL Web Policy

Secure Access Service SAML Supported Features Reference

This topic provides an overview of Junos Pulse Secure Access Service support for Security Assertion Markup Language (SAML) single sign-on (SSO). It includes the following information:

Supported SAML SSO Deployment Modes
Supported SAML SSO Profiles

Supported SAML SSO Deployment Modes

In a SAML deployment, a SAML service provider (SP) is a secured resource (an application, Web site, or service) that is configured to request authentication from a SAML identity provider (IdP). The SAML IdP responds with assertions regarding the identity, attributes, and entitlements (according to your configuration). The exchange enforces security and enables the SSO user experience.

The Secure Access Service can act as a SAML SP, a SAML IdP, or both. The following sections provide illustrations:

Secure Access Service As a SAML SP
Secure Access Service As a SAML IdP (Gateway Mode)
Secure Access Service As a SAML IdP (Peer Mode)

Secure Access Service As a SAML SP

If you are working with a partner that has implemented SAML IdP, you can deploy the Secure Access Service as a SAML SP to interoperate with it, thereby enabling SSO for users who should have access to resources in both networks. Figure 1 illustrates this scenario.

In this model, the user is authenticated by the SAML IdP. The Secure Access Service uses the SAML response containing the assertion to make an authentication decision. The choices the identity provider makes to implement SAML determine the Secure Access Service deployment choices, for example whether to use SAML 2.0 or SAML 1.1, whether to reference a published metadata configuration file, and whether to use a POST or Artifact profile.

When you deploy the Secure Access Service as a SAML SP, you create a SAML Authentication Server that references the partner SAML IdP, and a set of Secure Access Service access management framework objects (Realm, Role Mapping rules, and Sign-In Policy) that reference the SAML Authentication Server.

Figure 1: Secure Access Service As a SAML SP (diagram: User, SAML IdP, and SAML SP, with flows labeled 1 or 2 and 3)

1 and 2. A user logs into your enterprise Secure Access Service or a secure partner site. If the user tries to access the resource protected by the SAML SP first, the SAML SP redirects the user to the SAML IdP sign-in page. This order of events is called SP-initiated SSO. If the user logs into the SAML IdP site first and then accesses a resource hosted on the SAML SP site, the user is not prompted by the SAML IdP a second time. This is called IdP-initiated SSO.

3. The SAML exchange of requests and assertions substitutes for user interaction. The SAML exchange conducts the security without interrupting the user.

Secure Access Service As a SAML IdP (Gateway Mode)

When you deploy the Secure Access Service in front of enterprise resources that support SAML and have been configured as a SAML SP, the Secure Access Service acts as a gateway for user access to the secured resource, just as it does with its other resource policies. The Secure Access Service maintains the session and uses its rewriting or pass-through proxy (PTP) features to render data to the user. In the SAML exchange, the Secure Access Service acts as a SAML IdP. When deployed as a gateway, the SAML SSO communication is always IdP-initiated. Figure 2 illustrates this scenario.

Figure 2: Secure Access Service As a SAML IdP (Gateway Mode) (diagram: User, SAML IdP, and SAML SP, with flows labeled 1, 2, and 3)

1. A user logs into the Secure Access Service.
2. Later, the user requests a resource protected by a security system that supports SAML and has implemented a SAML SP.
3. In gateway mode deployments, the Secure Access Service acts as a SAML IdP. The SAML IdP initiates the SAML authentication request to the SAML SP. Particular users are granted access to particular resources according to the Secure Access Service SAML SSO resource policy.

Secure Access Service As a SAML IdP (Peer Mode)

When deployed to support access to external resources (example: public cloud resources), the Secure Access Service does not have to be a gateway to user access. The user can access the external resource directly, and the traffic does not flow through the Secure Access Service device. You configure the Secure Access Service as a SAML IdP to correspond with the external SAML SP, and you configure an External Apps SSO resource policy to determine the users and resources to which the SAML SSO experience applies. Figure 3 illustrates this scenario.

Figure 3: Secure Access Service As a SAML IdP (Peer Mode) (diagram: User, SAML SP, and SAML IdP, with flows labeled 1 or 2 and 3)

1 and 2. A user logs into your enterprise Secure Access Service or a secure partner site. If the user tries to access the resource protected by the SAML SP first, the SAML SP redirects the user to the SAML IdP sign-in page. This order of events is called SP-initiated SSO. If the user logs into the SAML IdP site first and then accesses a resource hosted on the SAML SP site, the user is not prompted by the SAML IdP a second time. This is called IdP-initiated SSO.

When you configure the SAML IdP, some settings are necessary to support either IdP-initiated or SP-initiated SSO. The documentation makes note of these. Regardless, you configure the SAML IdP to support both IdP-initiated and SP-initiated SSO.

3. The SAML exchange of requests and assertions substitutes for user interaction. The SAML exchange conducts the security without interrupting the user.

Supported SAML SSO Profiles

Table 1 summarizes support for SAML 2.0 deployment profiles.

Table 1: Supported SAML 2.0 Deployment Profiles

Profile Message Flows Binding SP IdP (Gateway) IdP (Peer) Web Browser SSO <AuthnRequest> from SP to IdP HTTP Redirect HTTP POST Supported Not Applicable Not Applicable Supported Supported HTTP Artifact Not Applicable IdP <Response> to SP HTTP POST Supported Supported Supported HTTP Artifact Supported Supported Supported Assertion Query / Request Artifact Resolution <ArtifactResolve> <ArtifactResponse> SOAP Supported Supported Supported Single Logout Logout Request HTTP Redirect Supported HTTP POST HTTP Artifact SOAP LogoutResponse HTTP Redirect Supported HTTP POST HTTP Artifact SOAP

Related Documentation

Understanding SAML SSO
Configuring Secure Access Service as a SAML Service Provider
Configuring Secure Access Service as a SAML Identity Provider

Secure Access Service SAML 2.0 Configuration Tasks

This section includes the tasks you perform to enable and configure SAML services. It includes the following information:

Configuring SAML Global Settings
Configuring Secure Access Service as a SAML Service Provider
Configuring Secure Access Service as a SAML Identity Provider
Configuring a SAML ACL Web Policy

Configuring SAML Global Settings

This section describes tasks related to configuring system-wide SAML settings. It includes the following topics:

Configuring Global SAML Settings
Managing SAML Metadata Files

Configuring Global SAML Settings

The system-wide SAML settings impact all SAML SP instances and SAML IdP instances.

To configure global SAML settings:

1. In the admin console, select System > Configuration > SAML.
2. Click the Settings button.
3. Complete the settings described in Table 2.
4. Click Save Changes.

Table 2: SAML Global Settings

Timeout value for metadata fetch request
If the peer SAML entity publishes its metadata at a remote location, the Secure Access Service downloads the metadata file from the specified location. Specify the number of seconds after which this download request is abandoned.

Validity of uploaded/downloaded metadata file
Specify the maximum duration for which the Secure Access Service considers the metadata file of the peer SAML entity to be valid. If the metadata file provided by the peer SAML entity contains validity information, the lower value takes precedence.

Host FQDN for SAML
Specify the fully qualified domain name for the Secure Access Service host. The value you specify here is used to generate the SAML entity ID and to generate URLs for SAML services, including:
Entity ID for SAML SP and SAML IdP instances. The SAML entity ID is the URL where the Secure Access Service publishes its SAML metadata file.
Single Sign-On Service URL
Single Logout Service URL
Assertion Consumer Service URL
Artifact Resolution Service URL
BEST PRACTICE: The Secure Access Service uses HTTPS for these services. Therefore, we recommend that you assign a valid certificate to the interface that has the IP address to which this FQDN resolves so that users do not see invalid certificate warnings.

Alternate Host FQDN for SAML
Optional. If you have enabled the Reuse Existing NC (Pulse) Session on the SAML Identity Provider Sign-In page, specify the fully qualified domain name used to generate the Secure Access Service SSO Service URL. Set up your DNS service to ensure that the alternate host name resolves to different IP addresses when a session is established and when it is not established. We recommend the following DNS behavior:
If the NC (Pulse) session is not established, the IP address of the alternate host name should resolve to the public IP address on the Secure Access Service external port.
If the NC (Pulse) session is established, the IP address of the alternate host name should resolve to the private IP address on the Secure Access Service internal port.
BEST PRACTICE: The Secure Access Service uses HTTPS for this service. Therefore, we recommend that you assign a valid certificate to the interface that has the IP address to which this FQDN resolves so that users do not see invalid certificate warnings.

Update Entity IDs
Use this button to regenerate the SAML entity IDs of all configured SPs and IdPs. Typically, you take this action when the Host FQDN for SAML is changed.

Related Documentation

Managing SAML Metadata Files

Managing SAML Metadata Files

You use the System > Configuration > SAML pages to maintain a table of SAML metadata files for the SAML SPs and IdPs in your network. Using SAML metadata files makes configuration easier and less prone to error.

You can add the metadata files to the Secure Access Service by:

Uploading a metadata file
Retrieving the metadata file from a well-known URL

To add metadata files:

1. In the admin console, choose System > Configuration > SAML.
2. Click New Metadata Provider.
3. Complete the settings described in Table 3.
4. Click Save Changes.

Table 3: SAML Metadata Provider Settings

Metadata Provider Location Configuration
Use one of the following methods:
Local. Click Browse and locate the metadata file on your local host or file system.
Remote. Enter the URL of the metadata file. Only http and https protocols are supported.

Metadata Provider Verification Configuration
Select options:
Accept Untrusted Server Certificate. If you specify a URL for the metadata provider, select this option to allow the Secure Access Service to download the metadata file even if the server certificate is not trusted. This is necessary only for HTTPS URLs.
Accept Only Signed Metadata. Allow only signed metadata files. If this option is not selected, unsigned metadata is imported. Signed metadata is imported only after signature verification.
Signing Certificate. Click Browse and locate the certificate that verifies the signature in the metadata file. This certificate overrides the certificate specified in the signature of the received metadata. If no certificate is uploaded here, then the certificate present in the signature of the received metadata is used.
Enable Certificate Status Checking. Verify the certificate before using it. Certificate verification applies both to the certificate specified here and the certificate specified in the signature in the metadata file.

Metadata Provider Filter Configuration
Select options and enter Entity IDs:
Roles. Select whether the metadata file includes configuration details for a SAML SP, IdP, or Policy Decision Point. You may select more than one. If you select a role that is not in the metadata file, it is ignored. If none of the selected roles are present in the metadata file, Secure Access Service returns an error.
Entity IDs To Import. Enter the SAML Entity IDs to import from the metadata files. Enter only one ID per line. Leave this field blank to import all IDs. This option is available only for uploading local metadata files.
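The filter and validity rules in Tables 2 and 3 can be modelled as follows. This is an added example, not Juniper code: the function name, the role keys, and the sample entity IDs are assumptions, and signature verification (Accept Only Signed Metadata) is not shown and must succeed before any of this runs.

```python
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Role selection -> descriptor element defined by the SAML 2.0 metadata schema.
ROLE_ELEMENTS = {
    "SP": "SPSSODescriptor",
    "IdP": "IDPSSODescriptor",
    "PDP": "PDPDescriptor",
}

# Constructed sample: a minimal file publishing one IdP and one SP.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2030-01-10T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/saml">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_utc(value):
    """Parse the UTC 'Z' form of xs:dateTime used for validUntil."""
    parsed = dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=dt.timezone.utc)


def import_metadata(xml_text, roles, max_validity_days, now, entity_ids=None):
    """Return {entityID: {"roles": [...], "expires": datetime}}.

    roles             -- selected roles, keys of ROLE_ELEMENTS
    max_validity_days -- locally configured validity of the metadata file
    entity_ids        -- optional allow-list; empty or None imports all IDs
    """
    # SAML metadata never needs a DTD; refusing one avoids entity tricks.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in metadata")
    unknown = set(roles) - set(ROLE_ELEMENTS)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")

    root = ET.fromstring(xml_text)
    local_limit = now + dt.timedelta(days=max_validity_days)
    wanted = set(entity_ids or [])
    imported, role_seen = {}, False

    # iter() also yields the root, so a lone EntityDescriptor file works too.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        present = sorted(
            role for role in roles
            if entity.find(f"{{{MD_NS}}}{ROLE_ELEMENTS[role]}") is not None
        )
        if not present:
            continue  # a selected role missing from this entity is ignored
        role_seen = True
        entity_id = entity.get("entityID")
        if wanted and entity_id not in wanted:
            continue
        # The lower of the local limit and the published validUntil wins.
        published = entity.get("validUntil") or root.get("validUntil")
        expires = local_limit
        if published:
            expires = min(local_limit, parse_utc(published))
        if expires <= now:
            continue  # already stale, do not trust it
        imported[entity_id] = {"roles": present, "expires": expires}

    if not role_seen:
        raise ValueError("none of the selected roles are present in the file")
    return imported
```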
The Refresh button downloads the metadata files from the remote location even if these files have not been modified. This operation applies only to remote locations; local metadata providers are ignored if selected.

To refresh a metadata file:

1. In the admin console, choose System > Configuration > SAML.
2. Select the metadata file to refresh and click Refresh.

To delete a metadata file:

1. In the admin console, choose System > Configuration > SAML.
2. Select the metadata file to delete and click Delete.

Related Documentation

Configuring Peer SAML Service Provider Settings

Configuring Secure Access Service as a SAML Service Provider

This topic describes how to configure the Secure Access Service as a SAML service provider (SP). When the Secure Access Service is a SAML SP, it relies on the SAML IdP authentication and attribute assertions when users attempt to sign in to the Secure Access Service. Note that authentication is only part of the Secure Access Service security system. The access management framework determines access to the Secure Access Service and protected resources.

Secure Access Service supports:

HTTP-Redirect binding for sending AuthnRequests
HTTP-Redirect binding for sending/receiving SingleLogout requests/responses
HTTP-POST and HTTP-Artifact bindings for receiving SAML responses

Before you begin, check to see whether the SAML IdP uses HTTP-POST or HTTP-Artifact bindings for SAML assertions. Also, check to see whether the SAML IdP has published a SAML metadata file that defines its configuration. If the SAML IdP metadata file is available, configuration is simpler and less prone to error.

To configure the Secure Access Service as a SAML SP:

1. If you have not already done so, complete the Secure Access Service system-wide SAML settings. Go to System > Configuration > SAML > Settings. For details, see Configuring Global SAML Settings.
2. If you have not already done so, add metadata for the SAML IdP to the metadata provider list. Go to System > Configuration > SAML. For details, see Managing SAML Metadata Files.
3. In the admin console, select Authentication > Auth. Servers.
4. Select SAML Server from the New list and then click New Server.
5. Complete the settings as described in Table 4.
6. Click Save Changes. After you save changes for the first time, the page is redisplayed and now has two tabs. The Settings tab allows you to modify any of the settings pertaining to the SAML Server instance. The Users tab lists valid users of the server.
7. Next steps:
Configure the access management framework to use the SAML authentication server. Start with Realm and Role Mapping rules. For details, see Creating an Authentication Realm and Specifying Role Mapping Rules for an Authentication Realm.
Configure a Sign-In Policy. When using a SAML authentication server, the sign-in policy can map to a single realm only. For details, see Defining a Sign-In Policy.

Table 4: SAML SP Profile (POST and Artifact)

Name
Specify a name to identify the server instance.

Settings

SAML Version
Select 2.0.

SA Entity Id
This value is prepopulated. It is generated by the system, based on the value for the Host FQDN for SAML setting on the System > Configuration > SAML > Settings page.

Configuration Mode
Select Manual or Metadata. If a metadata file or location is available from the SAML IdP, use the metadata option to make configuration simpler and less prone to error. To upload or set the location for the published metadata file, go to System > Configuration > SAML and click the New Metadata Provider button.

Identity Provider Entity ID
The IdP entity ID is sent as the Issuer value in the assertion generated by the SAML IdP. If you use the metadata option, this setting can be completed by selecting the IdP entity ID from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you complete this setting manually, specify the Issuer value in assertions generated by the SAML IdP. Typically, you ask the SAML IdP administrator for this setting.

Identity Provider Single Sign On Service URL
The IdP SSO service URL is a URL provisioned by the SAML IdP. The setting is required to support SP-initiated SSO. If missing, the Secure Access Service cannot successfully redirect the user request. If you use the metadata option, this setting can be completed by selecting the SSO service URL from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you complete this setting manually, ask the SAML IdP administrator for this setting.

User Name Template
Specify how the Secure Access Service is to derive the username from the assertion. If the field is left blank, it uses the string received in the NameID field of the incoming assertion as the username. If you choose a certificate attribute with more than one value, the Secure Access Service uses the first matched value. For example, if you enter <certdn.ou> and the user has two values for the attribute (ou=management, ou=sales), the Secure Access Service uses management. To use all values, add the SEP attribute to the variable. For example, if you enter <certdn.ou SEP=":">, the Secure Access Service uses management:sales. The attributes received in the attribute statement in the incoming assertion are saved under userattr. These variables can also be used with angle brackets and plain text. If the user name cannot be generated using the specified template, the login fails. If the NameID field of the incoming assertion is of type X509Nameformat, then the individual fields can be extracted using system variable assertionnamedn.

Allowed Clock Skew
Determines the maximum allowed difference in time between the Secure Access Service clock and the SAML IdP server clock.

Support Single Logout
Single logout is a mechanism provided by SAML for logging out a particular user from all the sessions created by the IdP. Select this option if the Secure Access Service must receive and send single logout requests for the peer SAML IdP. If you use the metadata option, the Single Logout Service URL setting can be completed by selecting the SLO service URL from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. The Secure Access Service sends Single Logout requests to this URL. In addition, if you use the metadata option, the Single Logout Response URL setting is completed based on your selection for Single Logout Service URL. If the IdP has left this setting empty in its metadata file, the Secure Access Service sends the Single Logout response to the SLO service URL. If you complete these settings manually, ask the SAML IdP administrator for guidance.

SSO Method

Artifact
When configured to use the Artifact binding, the Secure Access Service contacts the Artifact Resolution Service (ARS) to fetch the assertion using the SOAP protocol. If the ARS is hosted on an HTTPS URL, then the certificate presented by the ARS is verified by the Secure Access Service. For this verification to pass successfully, the CA of the server certificate issued to the IdP ARS must be added to the Trusted Server CA on the Secure Access Service.
Complete the following settings to configure SAML using the HTTP Artifact binding:
Source ID. Enter the source ID for the IdP ARS. The Source ID is the Base64-encoded, 20-byte identifier for the IdP ARS. If left blank, this value is generated by the Secure Access Service.
Source Artifact Resolution Service URL. For metadata-based configuration, this field is completed automatically from the metadata file and is not configurable. For manual configurations, enter the URL of the service to which the SP ACS is to send ArtifactResolve requests. ArtifactResolve requests are used to fetch the assertion from the artifact received by it.
SOAP Client Authentication. Select HTTP Basic or SSL Client Certificate and complete the related settings. If you use an SSL client certificate, select a certificate from the Secure Access Service device certificate list.
Select Device Certificate for Signing. Select the device certificate the Secure Access Service uses to sign the AuthnRequest sent to the IdP SSO service. If you do not select a certificate, the Secure Access Service does not sign AuthnRequest.
Select Device Certificate for Encryption. Select the device certificate the Secure Access Service uses to decrypt encrypted data received in the SAML response. The public key associated with the device certificate is used by the IdP for encryption.

POST
When configured to use the POST binding, the Secure Access Service uses a response signing certificate to verify the signature in the incoming response or assertion. The certificate file must be in PEM or DER format. The certificate you select should be the same certificate used by the IdP to sign SAML responses.
Complete the following settings to configure SAML using the HTTP POST binding:
Response Signing Certificate. If you use the metadata-based configuration option, select a certificate from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you configure these settings manually, browse to and upload the certificate to be used to validate the signature in the incoming response or assertion. If no certificate is specified, the certificate embedded in the response is used.
Enable Signing Certificate status checking. Select this option to check the validity of the signing certificate before verifying the signature. This setting applies to any certificate used for signature verification. If this option is enabled, the response will be rejected if the certificate is revoked, expired, or untrusted. If this option is selected, the certificate CA must be added to the Secure Access Service Trusted Client CA store. If this option is not enabled, then the certificate is used without any checks.
Select Device Certificate for Signing. Select the device certificate the Secure Access Service uses to sign the AuthnRequest sent to the IdP SSO service. If you do not select a certificate, the Secure Access Service does not sign AuthnRequest.
Select Device Certificate for Encryption. Select the device certificate the Secure Access Service uses to decrypt encrypted data received in the SAML response. The public key associated with the device certificate is used by the IdP for encryption.

Service Provider Metadata Settings

Metadata Validity
Enter the number of days the Secure Access metadata is valid. Valid values are 0 to specifies the metadata does not expire.

Do Not Publish SA Metadata
Select this option if you do not want the Secure Access Service to publish the metadata at the location specified by the SA Entity ID field.

Download Metadata
This button appears only after you have saved the Authentication Server configuration. Use this button to download the metadata of the current SAML SP.

User Record Synchronization

Enable User Record Synchronization
Allow users to retain their bookmarks and individual preferences regardless of which Secure Access Service device they log in to.

Logical Auth Server Name

Related Documentation

Understanding SAML SSO
Secure Access Service SAML Supported Features Reference
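Three Table 4 settings translate directly into checks an SP applies to an assertion whose signature has already been verified: Identity Provider Entity ID (Issuer), Allowed Clock Skew, and a blank User Name Template (NameID becomes the username). The sketch below is an added example, not the product's code; the function name, the audience check against the SA Entity Id, the rejection of assertions without Conditions, and all sample values are assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; the ds:Signature element is omitted because
# signature verification is assumed to have happened before these checks.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2030-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2030-01-01T12:00:00Z"
                   NotOnOrAfter="2030-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sa.example.test/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse the UTC 'Z' form of xs:dateTime used in SAML conditions."""
    parsed = dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=dt.timezone.utc)


def accept_assertion(xml_text, idp_entity_id, sp_entity_id, allowed_skew, now):
    """Return the username (NameID) or raise ValueError with the reason.

    allowed_skew is a timedelta: the tolerated difference between the SP
    clock and the IdP clock, applied to both ends of the validity window.
    """
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in a SAML assertion")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")

    # The configured Identity Provider Entity ID must equal the Issuer.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        raise ValueError("Issuer does not match configured IdP entity ID")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")  # example policy

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + allowed_skew < parse_instant(not_before):
        raise ValueError("assertion is not yet valid")
    if not_on_or_after and now - allowed_skew >= parse_instant(not_on_or_after):
        raise ValueError("assertion has expired")

    # The assertion must be addressed to this SP, not to some other relying
    # party that trusts the same IdP.
    audiences = {
        (element.text or "").strip()
        for element in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", NS)
    }
    if sp_entity_id not in audiences:
        raise ValueError("assertion audience does not include this SP")

    name_id = root.findtext(
        "saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("no NameID, username cannot be derived")
    return name_id
```

A large skew widens the window in which a captured assertion can be replayed, so the value should cover real clock drift and no more.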

Configuring Secure Access Service as a SAML Identity Provider

This topic describes how to configure the Secure Access Service as a SAML identity provider (IdP). It includes the following sections:

Basic Steps
Configuring Sign-In SAML Metadata Provider Settings
Configuring Sign-In SAML Identity Provider Settings
Configuring Peer SAML Service Provider Settings
Configuring a SAML SSO Resource Policy for Gateway Mode Deployments
Configuring a SAML External Apps SSO Resource Policy for External Resources

Basic Steps

Implementing Secure Access Service as a SAML IdP includes the following basic steps.

1. Configure system-wide SAML settings. Go to System > Configuration > SAML > Settings. See Configuring Global SAML Settings.
2. Add SAML metadata provider files. Go to System > Configuration > SAML. See Managing SAML Metadata Files.
3. Configure Sign-In SAML metadata provider settings. See Configuring Sign-In SAML Metadata Provider Settings.
4. Configure Sign-In SAML identity provider settings. See Configuring Sign-In SAML Identity Provider Settings.
5. Configure peer SP settings. See Configuring Peer SAML Service Provider Settings.
6. Configure a resource policy:
For gateway mode deployments, configure a SAML SSO resource policy. See Configuring a SAML SSO Resource Policy for Gateway Mode Deployments.
For peer mode deployments, configure an External Apps SSO resource policy. See Configuring a SAML External Apps SSO Resource Policy for External Resources.

Configuring Sign-In SAML Metadata Provider Settings

Sign-In SAML metadata provider settings determine how Secure Access Service IdP metadata is published.

To configure the IdP metadata publication settings:

1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Metadata Provider.
2. Complete the settings described in Table 5.

3. Click Save Metadata Provider to save your changes.

Table 5: Sign-In SAML IdP Metadata Provider Settings

Entity ID
This value is prepopulated. It is generated by the system, based on the value for the Host FQDN for SAML setting on the System > Configuration > SAML > Settings page.

Metadata Validity
Specify the maximum duration for which a peer SAML entity can cache the Secure Access Service SAML metadata file. Valid values are 1 to The default is 365 days.

Do Not Publish SA Metadata
Select this option if you do not want the Secure Access Service to publish the metadata at the location specified by the SA Entity ID field. You can use this option to toggle off publication without deleting your settings.

Download Metadata
Use this button to download the Secure Access Service SAML IdP metadata.

Configuring Sign-In SAML Identity Provider Settings

The settings defined in this procedure are the default settings for Secure Access Service SAML IdP communication with all SAML SPs. If necessary, you can use the Peer SP configuration to override these settings for particular SPs.

To configure Sign-In SAML IdP settings:

1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Identity Provider.
2. Complete the settings described in Table 6.
3. Click Save Changes.

Table 6: Sign-In SAML Identity Provider Settings

Basic Identity Provider (IdP) Configuration (Published in Metadata)

Protocol Binding to use for SAML Response
Select POST, Artifact, or both, depending on your total requirements.

Signing Certificate
Select the certificate used to sign the SAML messages sent by the Secure Access Service. The certificates listed here are configured in System > Configuration > Certificate > Device Certificates.

Decryption Certificate
Select the certificate used to decrypt the SAML messages sent by peer SPs. The public key associated with this certificate is used by the peer SP to encrypt SAML messages exchanged with this IdP. The decryption certificate must be configured if the Peer SP encrypts the SAML messages sent to the Secure Access Service. The certificates listed here are configured in System > Configuration > Certificate > Device Certificates.

Other Configurations
Reuse Existing NC (Pulse) Session. This feature applies to an SP-initiated SSO scenario, that is, when a user clicks a link to log into the SP site. The SP redirects the user to the IdP SSO Service URL. If this option is selected, a user with an active NC/Pulse session is not prompted to authenticate. The Secure Access Service uses information from the existing session to form the SAML response.
Accept unsigned AuthnRequest. In an SP-initiated SSO scenario, the SP sends an AuthnRequest to the IdP. This AuthnRequest could be either signed or unsigned. If this option is unchecked, the Secure Access Service rejects unsigned AuthnRequests. Note that the Secure Access Service also rejects signed AuthnRequests if signature verification fails.

Service-Provider-Related IdP Configuration

Relay State
SAML RelayState attribute sent to SP in an IdP-initiated SSO scenario. If left blank, the RelayState value is the URL identifier of the resource being accessed.

Session Lifetime
Suggested maximum duration of the session at the SP created as a result of the SAML SSO.
None. The IdP does not suggest a session duration.
Role Based. Suggest the value of the session lifetime configured for the user role.
Customized. If you select this option, the user interface displays a text box in which you specify a maximum in minutes.

Sign-In Policy
Select the Sign-In URL to which the user is redirected in an SP-initiated scenario. The list is populated by the sign-in pages configured in Authentication > Signing In > Sign-in Policies.
Note: If the user already has a session with the Secure Access Service, then it is not validated whether the user session was created as a result of authenticating via this configured sign-in policy.

Force Authentication Behavior
In an SP-initiated scenario, the SP sends an AuthnRequest to the IdP. If the SP AuthnRequest includes the ForceAuthn attribute set to true and the user has a valid Secure Access Service session, this setting determines how the IdP responds. Specify:
Reject AuthnRequest. Do not honor the SAML SSO request.
Re-Authenticate User. Invalidate the user session and prompt for reauthentication.
Note: This setting prevails over the Pulse session re-use setting.

User Identity
Subject Name Format. Format of NameIdentifier field in generated Assertion. Select:
DN. Username in the format of DN (distinguished name).
address. Username in the format of an address.
Windows. Username in the format of a Windows domain qualified username.
Other. Username in an unspecified format.
Subject Name. Template for generating the username that is sent as the value of the NameIdentifier field in the assertion. You may use any combination of available system/custom variables contained in angle brackets and plain text.

Web Service Authentication
These settings apply when the HTTP Artifact binding is used.
Authentication Type. Method used to authenticate the service provider (SP) assertion consumer service to the identity provider (IdP) on the Secure Access Service system.
None. Do not authenticate the assertion consumer service.
Username/Password. If you select this option, use the controls to specify username and password settings.
Certificate. For certificate-based authentication, the Client CA of the SP should be present in Secure Access Service system Trusted Client CA list (System > Configuration > Certificates > Trusted Client CAs).

Artifact configuration
These settings apply when the HTTP Artifact binding is used.
Source ID. This is the base64-encoded, 20-byte identifier of the Artifact resolution service on the IdP.
Enable Artifact Response Signing and Encryption. If checked, the IdP signs and encrypts the Artifact response.

Configuring Peer SAML Service Provider s

The Peer SP list defines the set of SPs configured to communicate with the Secure Access Service SAML IdP. When you add a Peer SP to the list, you can customize the SAML IdP settings used to communicate with the individual SP. If the SP provides a SAML metadata file, you can use it to simplify configuration, or you can complete more detailed manual steps. If available, we recommend you use metadata so that configuration is simpler and less prone to error.

To configure peer SAML SP settings:

1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Identity Provider.
2. Under Peer Service Provider Configuration, create a list of service providers (SP) that are SAML peers to the Secure Access Service SAML IdP. To add a service provider to the list, click Add SP.
3. Complete the settings described in Table 7.
4. Click Save Changes.
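The metadata configuration mode recommended above depends on a handful of fields in the SP's metadata file. The following is an added example, not Juniper code: it reads an SP metadata document and reports the entity ID, the Assertion Consumer Service endpoints, every signature verification key, and the first listed encryption key, with warnings for values worth reviewing before import. The SP name, URLs and certificate bytes are constructed placeholders, and certificate validity (expiry, chain) is not checked.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# The two ACS bindings the peer SP settings offer.
BINDINGS = {PREFIX + "HTTP-POST": "POST", PREFIX + "HTTP-Artifact": "Artifact"}


def fake_cert(label):
    """Constructed stand-in for base64 DER certificate data (not a real cert)."""
    return base64.b64encode(label.encode()).decode()


def key_descriptor(label, use=None):
    """Build one md:KeyDescriptor element for the constructed sample."""
    use_attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{fake_cert(label)}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


# Constructed sample: hypothetical SP with a signing key, a dual-use key,
# an encryption key, and one ACS endpoint that is not HTTPS.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {key_descriptor('signing-cert', 'signing')}
    {key_descriptor('dual-use-cert')}
    {key_descriptor('encryption-cert', 'encryption')}
    <md:AssertionConsumerService index="0" Binding="{PREFIX}HTTP-Artifact"
        Location="https://sp.example.test/acs/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="{PREFIX}HTTP-POST" Location="http://sp.example.test/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the fields an IdP operator reviews before adding a peer SP."""
    root = ET.fromstring(xml_text)  # assumes a file supplied by the SP admin
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or sp is None:
        raise ValueError("expected an EntityDescriptor with an SPSSODescriptor")
    signing, encryption, warnings = [], [], []
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        der = base64.b64decode("".join(cert.text.split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        use = kd.get("use")  # an omitted "use" means signing and encryption
        if use in (None, "signing"):
            signing.append(fingerprint)
        if use in (None, "encryption"):
            encryption.append(fingerprint)
    endpoints = []
    for acs in sp.findall("md:AssertionConsumerService", NS):
        binding = BINDINGS.get(acs.get("Binding"))
        url = acs.get("Location", "")
        if binding is None:
            warnings.append(f"unsupported binding ignored: {acs.get('Binding')}")
            continue
        if not url.lower().startswith("https://"):
            warnings.append(f"ACS URL is not HTTPS: {url}")
        endpoints.append({"index": int(acs.get("index", "0")), "binding": binding,
                          "url": url,
                          "default": acs.get("isDefault") in ("true", "1")})
    if not endpoints:
        raise ValueError("no POST or Artifact Assertion Consumer Service found")
    # Default endpoint: the one flagged isDefault, otherwise the first listed
    # (a simplification assumed for this example).
    default = next((e for e in endpoints if e["default"]), endpoints[0])
    if sp.get("AuthnRequestsSigned") not in ("true", "1"):
        warnings.append("SP does not declare signed AuthnRequests")
    if not signing:
        warnings.append("no signing certificate: AuthnRequest signatures "
                        "cannot be verified from metadata")
    if not encryption:
        warnings.append("no encryption certificate: assertions cannot be encrypted")
    return {
        "entity_id": root.get("entityID"),
        "endpoints": sorted(endpoints, key=lambda e: e["index"]),
        "default_binding": default["binding"],
        "signing_certs": signing,  # SHA-256 fingerprints, in document order
        "encryption_cert": encryption[0] if encryption else None,  # first listed
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Comparing the reported fingerprints with values obtained from the SP administrator out of band confirms that the imported metadata carries the keys the SP actually uses.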
Table 7: Peer Service Provider Configuration

Configuration Mode
Select Manual or Metadata.

Service Provider Configuration - Metadata

Entity Id
If you use metadata, select the SAML Entity ID of the SP. This list contains all the SPs specified in all the metadata files added to the System > Configuration > SAML page.

Select certificates manually
When you use the metadata configuration, the Secure Access Service SAML IdP iterates through all the signature verification certificates specified when verifying the incoming SAML messages coming from the SP. Similarly, when encrypting the SAML messages going out, the Secure Access Service SAML IdP encrypts the messages with the first valid encryption certificate encountered in the metadata. Select this option to override this default behavior and select certificates manually.

Signature Verification Certificate
If you select the Select certificates manually option, select the certificate to be used by the IdP to verify the signature of incoming SAML messages.

Encryption Certificate
If you select the Select certificates manually option, select the certificate to be used if the assertions sent by the IdP must be encrypted.

Service Provider Configuration - Manual

Entity Id
If you are completing a manual configuration, ask the SAML SP administrator for this setting.

Assertion Consumer Service URL
URL of the service on SP that receives the assertion/artifact sent by the IdP.

Protocol Binding supported by the Assertion Consumer Service at the SP
Select POST, Artifact, or both. This setting must be consistent with the SAML IdP configuration.

Default Binding
If both Post and Artifact are supported, which is the default?
Post
Artifact
This setting must be consistent with the SAML IdP configuration.

Signature Verification Certificate
Upload the certificate to be used by the IdP to verify the signature of incoming SAML messages. If no certificate is specified, the certificate embedded in the incoming SAML message is used for signature verification.

Encryption Certificate
Upload the certificate to be used if the assertions sent by the IdP must be encrypted. If no certificate is specified, the assertions sent by the IdP are not encrypted.

Certificate Attribute Configuration for Artifact Resolution Service
Optional. Specify attributes that must be present in the certificate presented to the Artifact Resolution Service (ARS) at the IdP by the SP Assertion Consumer Service. This option appears only if the SAML SP supports the HTTP Artifact binding, the Secure Access Service SAML IdP has been configured to support the HTTP Artifact binding, and the Web Service Authentication type specified for the SP is Certificate.

Certificate Status Checking Configuration

Enable signature verification certificate status checking
Select this option to enable revocation checks for the signing certificate. Uses the configuration in System > Configuration > Certificates > Trusted Client CAs.

Enable encryption certificate status checking
Select this option to enable revocation checks for the encryption certificate. Uses the configuration in System > Configuration > Certificates > Trusted Client CAs.

Customize IdP Behavior

Override Default Configuration
Select this option to set custom behavior of the Secure Access Service SAML IdP for this SP instance. If you select this option, the user interface displays the additional options listed next.

Reuse Existing NC (Pulse) Session
This option cannot be enabled here if it is not selected for the Sign-In SAML Identity Provider default settings.

Accept unsigned AuthnRequest
Individual SPs can choose to accept unsigned AuthnRequest.

Relay State
SAML RelayState attribute sent to SP in an IdP-initiated SSO scenario. If left blank, the RelayState value is the URL identifier of the resource being accessed.

Session Lifetime
Suggested maximum duration of the session at the SP created as a result of the SAML SSO.
None. The IdP does not suggest a session duration.
Role Based. Suggest the value of the session lifetime configured for the user role.
Customized. If you select this option, the user interface displays a text box in which you specify a maximum in minutes.

Sign-In Policy
Select the Sign-In URL to which the user is redirected in an SP-initiated scenario. The list is populated by the sign-in pages configured in Authentication > Signing In > Sign-in Policies.
Note: If the user already has a session with the Secure Access Service, the service does not check whether that session was created by authenticating through this configured sign-in policy.

Force Authentication Behavior
In an SP-initiated scenario, the SP sends an AuthnRequest to the IdP. If the SP AuthnRequest includes the ForceAuthn attribute set to true and the user has a valid Secure Access Service session, this setting determines how the IdP responds. Specify:
Reject AuthnRequest. Do not honor the SAML SSO request.
Re-Authenticate User. Invalidate the user session and prompt for reauthentication.
Note: This setting prevails over the Pulse session re-use setting.

User Identity
Subject Name Format. Format of NameIdentifier field in generated Assertion. Select:
DN. Username in the format of DN (distinguished name).
address. Username in the format of an address.
Windows. Username in the format of a Windows domain qualified username.
Other. Username in an unspecified format.
Subject Name. Template for generating the username that is sent as the value of the NameIdentifier field in the assertion. You may use any combination of available system/custom variables contained in angle brackets and plain text.

Web Service Authentication
These settings apply when the HTTP Artifact binding is used.
Authentication Type. Method used to authenticate the service provider (SP) assertion consumer service to the identity provider (IdP) on the Secure Access Service system.
None. Do not authenticate the assertion consumer service.
Username/Password. If you select this option, use the controls to specify username and password settings.
Certificate. For certificate-based authentication, the Client CA of the SP should be present in Secure Access Service system Trusted Client CA list (System > Configuration > Certificates > Trusted Client CAs).

Artifact configuration
These settings apply when the HTTP Artifact binding is used.
Source ID. This is the base64-encoded, 20-byte identifier of the Artifact resolution service on the IdP.
Enable Artifact Response Signing and Encryption. If checked, the IdP signs and encrypts the Artifact response.

Configuring a SAML SSO Resource Policy for Gateway Mode Deployments

When deployed as a gateway in front of enterprise resources, the SAML SSO policy acts like other Secure Access Service resource policies. The Secure Access Service maintains the session and uses its rewriting or pass-through proxy (PTP) features to render data to the user. You use a SAML SSO resource policy when the protected resource supports SAML SSO and has been configured as a SAML SP. When deployed as a gateway, the SAML SSO communication is always IdP-initiated. Figure 4 illustrates a gateway mode deployment.

Figure 4: Secure Access Service As a SAML IdP (Gateway Mode)
(Diagram labels: User, SAML IdP, SAML SP. Callouts 1 to 3 are described here.)

1 A user logs into the Secure Access Service.
2 Later, the user requests a resource protected by a security system that supports SAML and has implemented a SAML SP.
3 In gateway mode deployments, the Secure Access Service acts as a SAML IdP. The SAML IdP initiates the SAML authentication request to the SAML SP.

Particular users are granted access to particular resources according to the Secure Access Service SAML SSO resource policy.

To configure a SAML SSO resource policy:

1. In the admin console, go to Users > Resource Policies > Web.
2. Use the tabs to display the SSO > SAML page. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SSO and SAML check boxes.
3. Click New Policy.
4. Complete the settings described in Table 8.
5. Click Save Changes.

Table 8: SAML SSO Resource Policy s

Name
Type a name for the policy.
Type a description that would be meaningful to other administrators.

Resources
Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP.

Roles
Select one of the following options:
Policy applies to ALL roles. To apply this policy to all users.
Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Action
Select one of the following:
Use the SAML SSO defined below. Typically, this is the setting you use for a SAML SSO resource policy. The Secure Access Service SAML IdP makes the SSO request when a user tries to access a SAML resource specified in the Resources list.
Do NOT use SAML. Secure Access Service does not perform an SSO request. Use this if there is a problem with the SAML SP and you want to allow access.
Use Detailed Rules. Use this option to configure advanced rules.

SAML SSO Details
SAML Version. Select 2.0.
Service Provider Entity ID. Select the Service provider entity ID for which you would like to configure Secure Access Service to act as an IdP. The SP Entity IDs listed here are configured in Authentication > Signing In > Sign-in SAML > Identity Provider > Peer Service Provider configuration.
Cookie Domain. Enter a comma-separated list of domains to which Secure Access Service sends the SSO cookie.

NOTE: The SAML SSO resource policy settings are different in Secure Access Service 7.2 from 7.1. Policies you created with Secure Access Service 7.1 are preserved in edit-only mode for legacy use.

Configuring a SAML External Apps SSO Resource Policy for External Resources

When deployed to support access to external resources (example: public cloud resources), the Secure Access Service does not have to be a gateway to user access. The user can access the external resource directly, and the traffic does not flow through the Secure Access Service device. You configure the Secure Access Service as a SAML IdP to correspond with the external SAML SP, and you configure an SSO SAML External Apps resource policy to determine the users and resources to which the SAML SSO experience applies.

To configure a SAML External Apps resource policy:

1. In the admin console, go to Users > Resource Policies > Web.
2. Use the tabs to display the SSO > SAML External Apps page. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SSO and SAML check boxes.
3. Click New Policy.
4. Complete the settings described in Table 9.
5. Click Save Changes.

Table 9: SAML SSO External Apps Policy s

Name
Type a name for the policy.
Type a description that would be meaningful to other administrators.

Resources
Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP.

Roles
Select one of the following options:
Policy applies to ALL roles. To apply this policy to all users.
Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Action
Select one of the following:
Use the SAML SSO defined below. Typically, this is the setting you use for a SAML SSO resource policy. The Secure Access Service SAML IdP makes the SSO request when a user tries to access a SAML resource specified in the Resources list.
Do NOT use SAML. Secure Access Service does not perform an SSO request. Use this if there is a problem with the SAML SP and you want to allow access.
Use Detailed Rules. Use this option to configure advanced rules.

SAML SSO Details
SAML Version. Select 2.0.
Service Provider Entity ID. Select the Service provider entity ID for which you would like to configure Secure Access Service to act as an IdP. The SP Entity IDs listed here are configured on the Authentication > Signing In > Sign-in SAML > Identity Provider > Peer Service Provider pages.

Related Documentation
SAML Web Browser SSO Example: Google Apps

Configuring a SAML ACL Web Policy

To configure the Secure Access Service as a policy enforcement point, you must create a SAML ACL web policy.

To configure a SAML ACL web policy:

1. In the admin console, select Users > Resource Policies > Web.
2. Select the Access > SAML ACL tab. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SAML ACL check boxes.
3. On the SAML Access Control Policies page, click New Policy.
4. Complete the settings described in Table 10.
5. Click Save Changes.
6. On the SAML Access Control Policies page, order the policies according to how you want the Secure Access Service to evaluate them. Keep in mind that once the Secure Access Service matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.

Table 10: SAML ACL Web Policy s

Name
Type a name for the policy.
Type a description that would be meaningful to other administrators.

Resources
Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP.

Roles
Select one of the following options:
Policy applies to ALL roles. To apply this policy to all users.
Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.
Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Action
Select one of the following:
Use the SAML Access Control checks defined below. Secure Access Service performs an access control check to the specified URL using the data specified in the SAML Access Control Details section.
Do not use SAML Access. The Secure Access Service does not perform an access control check.
Use Detailed Rules. Use this option to configure advanced rules.
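Because evaluation stops at the first policy whose Resource list and role selection match, a broad policy placed above a specific one silently disables it. The following added example (not Juniper code) models that ordered evaluation and lists policy/resource pairs that can never be reached. Policy names, hosts and roles are constructed; it assumes exact FQDN matching, checks single-role users only in the audit, omits detailed rules, and returns None when nothing matches because the page does not state that case.

```python
from dataclasses import dataclass

ALL, SELECTED, OTHER_THAN = "ALL", "SELECTED", "OTHER THAN"
CHECK = "Use the SAML Access Control checks"
SKIP = "Do not use SAML Access"


def norm(host):
    """Compare FQDNs case-insensitively and without a trailing dot."""
    return host.strip().rstrip(".").lower()


@dataclass(frozen=True)
class Policy:
    name: str
    resources: tuple              # fully qualified domain names
    action: str
    role_mode: str = ALL
    roles: frozenset = frozenset()

    def matches(self, host, user_roles):
        if norm(host) not in {norm(r) for r in self.resources}:
            return False
        if self.role_mode == ALL:
            return True
        listed = bool(self.roles & frozenset(user_roles))
        # SELECTED applies to listed roles, OTHER THAN to everyone else.
        return listed if self.role_mode == SELECTED else not listed


def first_match(policies, host, user_roles):
    """Walk the ordered list and stop at the first matching policy."""
    for policy in policies:
        if policy.matches(host, user_roles):
            return policy
    return None


def evaluate(policies, host, user_roles):
    hit = first_match(policies, host, user_roles)
    return (hit.name, hit.action) if hit else None


def unreachable(policies, all_roles):
    """Return (policy, resource) pairs that no single-role user can ever hit."""
    findings = []
    for policy in policies:
        for host in policy.resources:
            reachable = any(
                first_match(policies, host, {role}) is policy
                for role in all_roles
            )
            if not reachable:
                findings.append((policy.name, norm(host)))
    return findings


# Constructed sample configuration.
ROLES = {"HR", "Staff", "Contractors"}
LEGACY = Policy("legacy-bypass", ("wiki.example.test", "hr.example.test"), SKIP)
HR_ACL = Policy("hr-acl", ("hr.example.test",), CHECK, SELECTED,
                frozenset({"HR"}))
FIN_ACL = Policy("fin-acl", ("fin.example.test",), CHECK, OTHER_THAN,
                 frozenset({"Contractors"}))
AS_CONFIGURED = [LEGACY, HR_ACL, FIN_ACL]   # broad bypass listed first
REORDERED = [HR_ACL, LEGACY, FIN_ACL]       # specific policy moved up

if __name__ == "__main__":
    print(evaluate(AS_CONFIGURED, "hr.example.test", {"HR"}))
    print(unreachable(AS_CONFIGURED, ROLES))
    print(evaluate(REORDERED, "hr.example.test", {"HR"}))
    print(unreachable(REORDERED, ROLES))
```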


Single Sign-On Implementation Guide Single Sign-On Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: July 1, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of

More information

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services 1 HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided

More information

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML --------------------------------------------------------------------------------------------------------------------------- Contents Overview...

More information

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to AirWatch Applications

More information

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them. This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and

More information

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview) Chapter 94 Intacct This section contains the following topics: "An overview of configuring Intacct for single sign-on" on page 94-710 "Configuring Intacct for SSO" on page 94-711 "Configuring Intacct in

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Configuring. SugarCRM. Chapter 121

Configuring. SugarCRM. Chapter 121 Chapter 121 Configuring SugarCRM The following is an overview of the steps required to configure the SugarCRM Web application for single sign-on (SSO) via SAML. SugarCRM offers both IdP-initiated SAML

More information

IBM WebSphere Application Server

IBM WebSphere Application Server IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application

More information

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview) Chapter 190 WebEx This chapter includes the following sections: "An overview of configuring WebEx for single sign-on" on page 190-1600 "Configuring WebEx for SSO" on page 190-1601 "Configuring WebEx in

More information

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1 Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation

More information

Administrator Guide. v 11

Administrator Guide. v 11 Administrator Guide JustSSO is a Single Sign On (SSO) solution specially developed to integrate Google Apps suite to your Directory Service. Product developed by Just Digital v 11 Index Overview... 3 Main

More information

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding

More information

How to Configure Captive Portal

How to Configure Captive Portal How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,

More information

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE Legal Marks No portion of this document may be reproduced or copied in any form, or by

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager TECHNICAL BRIEF Using SafeNet Authentication Manager as Identity Provider for AirWatch Contents Description... 2 Single Sign-On Dataflow... 2 Identity Provider Configuration...

More information

The IVE also supports using the following additional features with CA certificates:

The IVE also supports using the following additional features with CA certificates: 1 A CA certificate allows you to control access to realms, roles, and resource policies based on certificates or certificate attributes. For example, you may specify that users must present a valid client-side

More information

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide

BlackBerry Enterprise Service 10. Universal Device Service Version: 10.2. Administration Guide BlackBerry Enterprise Service 10 Universal Service Version: 10.2 Administration Guide Published: 2015-02-24 SWD-20150223125016631 Contents 1 Introduction...9 About this guide...10 What is BlackBerry

More information

How to Implement Enterprise SAML SSO

How to Implement Enterprise SAML SSO How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and

More information

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS Applies to: SAP Gateway 2.0 Summary This guide describes how you install and configure SAML 2.0 on Microsoft ADFS server and SAP NetWeaver

More information

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE SAML 2.0 CONFIGURATION GUIDE Roy Heaton David Pham-Van Version 1.1 Published March 23, 2015 This document describes how to configure OVD to use SAML 2.0 for user

More information

Single Sign On for ShareFile with NetScaler. Deployment Guide

Single Sign On for ShareFile with NetScaler. Deployment Guide Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents

More information

Egnyte Single Sign-On (SSO) Installation for OneLogin

Egnyte Single Sign-On (SSO) Installation for OneLogin Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin

More information

SAML v2.0 for.net Developer Guide

SAML v2.0 for.net Developer Guide SAML v2.0 for.net Developer Guide Copyright ComponentSpace Pty Ltd 2004-2015. All rights reserved. www.componentspace.com Contents 1 Introduction... 1 1.1 Features... 1 1.2 Benefits... 1 1.3 Prerequisites...

More information

TIB 2.0 Administration Functions Overview

TIB 2.0 Administration Functions Overview TIB 2.0 Administration Functions Overview Table of Contents 1. INTRODUCTION 4 1.1. Purpose/Background 4 1.2. Definitions, Acronyms and Abbreviations 4 2. OVERVIEW 5 2.1. Overall Process Map 5 3. ADMINISTRATOR

More information

ADFS Integration Guidelines

ADFS Integration Guidelines ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS

More information

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Configuring Parature Self-Service Portal

Configuring Parature Self-Service Portal Configuring Parature Self-Service Portal Chapter 2 The following is an overview of the steps required to configure the Parature Self-Service Portal application for single sign-on (SSO) via SAML. Parature

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other. w w w. e g n y t e. c o m Egnyte Single Sign-On (SSO) Installation for VMware Horizon To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to

More information

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to ServiceNow Table of Contents

More information

App Orchestration 2.5

App Orchestration 2.5 Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for Prepared by: James Richards Last Updated: August 20, 2014 Contents Introduction... 3 Configure the NetScaler load

More information

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11 Investment Management System Connectivity Guide IMS Connectivity Guide Page 1 of 11 1. Introduction This document details the necessary steps and procedures required for organisations to access the Homes

More information

QualysGuard SAML 2.0 Single Sign-On. Technical Brief

QualysGuard SAML 2.0 Single Sign-On. Technical Brief QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. IWA Integration Kit. User Guide. Version 2.6 PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation

More information

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

DocuSign Single Sign On Implementation Guide Published: March 17, 2016 DocuSign Single Sign On Implementation Guide Published: March 17, 2016 Copyright Copyright 2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents

More information

Setup Guide Access Manager Appliance 3.2 SP3

Setup Guide Access Manager Appliance 3.2 SP3 Setup Guide Access Manager Appliance 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

Administering Jive Mobile Apps

Administering Jive Mobile Apps Administering Jive Mobile Apps Contents 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios... 3 Native Apps and Push Notifications...4 Custom App Wrapping for ios... 5 Native

More information

Chapter 7 Managing Users, Authentication, and Certificates

Chapter 7 Managing Users, Authentication, and Certificates Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: Adding Authentication Domains, Groups, and Users Managing Certificates Adding Authentication Domains,

More information

The increasing popularity of mobile devices is rapidly changing how and where we

The increasing popularity of mobile devices is rapidly changing how and where we Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

This section includes troubleshooting topics about single sign-on (SSO) issues.

This section includes troubleshooting topics about single sign-on (SSO) issues. This section includes troubleshooting topics about single sign-on (SSO) issues. SSO Fails After Completing Disaster Recovery Operation, page 1 SSO Protocol Error, page 1 SSO Redirection Has Failed, page

More information

SAML Authentication with BlackShield Cloud

SAML Authentication with BlackShield Cloud SAML Authentication with BlackShield Cloud Powerful Authentication Management for Service Providers and Enterprises Version 3.1 Authentication Service Delivery Made EASY Copyright Copyright 2011. CRYPTOCARD

More information

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010 DEPLOYMENT GUIDE Version 2.1 Deploying F5 with Microsoft SharePoint 2010 Table of Contents Table of Contents Introducing the F5 Deployment Guide for Microsoft SharePoint 2010 Prerequisites and configuration

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 3.0 PingFederate IWA Integration Kit Version 3.0 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 3.0 April, 2012 Ping Identity Corporation

More information

Salesforce1 Mobile Security Guide

Salesforce1 Mobile Security Guide Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication

Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication Authentication in XenMobile 8.6 with a Focus on Client Certificate Authentication Authentication is about security and user experience and balancing the two goals. This document describes the authentication

More information

T his feature is add-on service available to Enterprise accounts.

T his feature is add-on service available to Enterprise accounts. SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need

More information

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single

More information