INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Transcription

1 INTEGRATION GUIDE DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

2 Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document. Copyright Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners. 1 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

3 Table of Contents 1 Overview Architecture Two factor authentication Technical Concepts SimpleSAMLphp VASCO IDENTIKEY Federation Server IDENTIKEY Authentication Server Configuration details Architecture Pre-requisites SimpleSAMLphp configuration Authentication source Adding Metadata Setting up a signing certificate IDENTIKEY Federation Server configuration Create application Basic IDENTIKEY Federation Setup Setup Back-ends LDAP IDENTIKEY Authentication Server IDENTIKEY Authentication Server Client Creating a demo user Attaching a DIGIPASS Additional authentication methods DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

4 4.3.1 MYDIGIPASS.com Test SimpleSAMLphp connection IDENTIKEY Federation Server Response only Challenge response and Backup Virtual DIGIPASS Attachments Authsources DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

5 1 Overview 1.1 Architecture IFS Ifs.labs.vasco.com SAML OAuth SimpleSAMLphp MyDIGIPASS.com RADIUS LDAP IDENTIKEY Server 1.2 Two factor authentication Active Directory Many organizations still rely on a username and password to protect their data or external access. However passwords are often very simple and very easy guessed, cracked or even stolen. Once it is compromised it can take quite a lot of time before anyone notices that it has been compromised. Recently a lot of services are being moved to the cloud where anyone can access the service from anywhere. This means that the users are often accessing it from outside the safe network, making protecting your password even more important and harder. Two factor authentication of VASCO Data Security will add an additional factor, called DIGIPASS, to your password. The DIGIPASS will generate a One Time Password, or OTP, which you can use in combination with your password. This means that people will need a specific device and password if they want to gain access. Imagine if the device were to be stolen, this will be noticed quickly and that way access using that device can be denied, stopping any attacker quickly. With this in mind you can secure your WEB accounts, granting you the comfort of Single Sign-On with the hardened security of two factor authentication. 4 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

6 2 Technical Concepts 2.1 SimpleSAMLphp If you have a web application that needs to authenticate users, simplesamlphp can help you out. In addition to support local authentication with one of the authentication module, you can use the service provider functionality. If you are using SimpleSAMLphp as a service provider, it will communicate and delegate authentication with an Identity Provider. More information can be found on their website VASCO IDENTIKEY Federation Server IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user s identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity. IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server does not only delegate but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure IDENTIKEY Authentication Server IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems. IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar. 5 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

7 3 Configuration details 3.1 Architecture IFS Ifs.labs.vasco.com SAML SimpleSAMLphp 3.2 Pre-requisites In our test environment we used a Windows server and installed WAMP. To install SimpleSAMLphp on your server please follow the steps by this guide: Make sure that you have enabled OpenSSL on your webserver. 3.3 SimpleSAMLphp configuration Authentication source Once the initial setup is completed you must add some additional lines of code to authsources.php. This file can be found under the install folder: <simplesamlphpx.x>/config/authsources.php. In here add a new authsource; find an example in the last chapter. 6 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

8 3.3.2 Adding Metadata Start by downloading the Metadata from the IDENTIKEY Federation Server by navigating to (in our environment: Open the file and copy the contents in the Metadata converter of SimpleSAMLphp. You can find the Metadata converter here: Now you copy the output and paste it in the saml20-idpremote.php file. This file can be found in your SimpleSAMLphp install folder under: metadata/saml20-idp-remote.php Setting up a signing certificate By default the SimpleSAMLphp has a signing certificate. This certificate is widely known and holds very little security. Open a command window and navigate to <simplesamlphp-install-folder>/cert/. in the command window: enter openssl req -newkey rsa:2048 -new -x509 -days nodes - out labs.crt -keyout labs.pem. 7 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

9 It is very likely that your server does not recognize the openssl command even though OpenSSL is installed together with WAMP. Use <wamp-installfolder>/bin/apache/apachex.x.x/bin/openssl instead. Edit the authsources.php file and change the privatekey and the certificate variables in openaselect to match the newly created certificate. Certificate: labs.crt Privatekey: labs.pem You can use your own certificates as well. To do so, copy the certificate and the private key file to <simplesamlphp-install-folder>/cert/ and change the values in authsources.php. 3.4 IDENTIKEY Federation Server configuration Create application Navigate to your IDENTIKEY Federation Server manager console, (in our environment: and go to Applications/Add Application. Select SAML generic and enter as the Metadata URL. 8 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

10 4 Basic IDENTIKEY Federation Setup 4.1 Setup IFS Ifs.labs.vasco.com SAML OAuth MYDIGIPASS.com RADIUS LDAP IDENTIKEY Server Back-ends LDAP Active Directory Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, LDAP. LDAP URL: ldap:// :389 DN base: DC=labs,DC=vasco,DC=com 9 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

11 DN user field: CN Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com Security principal password: <administrator password> Check Allow user attribute gathering Click Save By clicking on Test Connection you can verify if the data you set is correct IDENTIKEY Authentication Server Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, Manage methods. Edit DIGIPASS authentication. Friendly name: DIGIPASS authentication Maximum retries: 3 Method: PAP Server address: Server port: 1812 NAS-IP-Address: Shared secret: <RADIUS secret> (can be chosen) Click Save IDENTIKEY Authentication Server Client Log into your IDENTIKEY Authentication Server and go to Clients, Register. Client Type : select Radius Client from select from list Location : DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

12 Policy ID : Select a policy Protocol ID: RADIUS Shared Secret: <RADIUS secret> Confirm Shared Secret: re-enter the <RADIUS secret> Click Create Make sure that the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server Creating a demo user The user created in the IDENTIKEY Authentication Server has to exist in the Active Directory. Log into your IDENTIKEY Authentication Server and go to Users, Create. User ID: <your-user> (in our setup: Demo) Domain: <your-domain> (in our setup: labs.vasco.com) Organizational unit: <your-ou> (OPTIONAL, in our setup: WEB Users) Enter static password: <your-password> Confirm static password: <your-password> Local Authentication: Default Back-end Authentication: Default Click on Create You have now added a user in your IDENTIKEY Authentication Server Attaching a DIGIPASS Log into your IDENTIKEY Authentication Server and type the name of a user in the FIND field then click SEARCH. Click on the User ID and navigate to Assigned DIGIPASS. 11 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

13 Click on ASSIGN. Click NEXT. Click ASSIGN. Click FINISH. With the DIGIPASS assigned, the user is now ready for testing. 12 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

14 4.3 Additional authentication methods MYDIGIPASS.com To illustrate adding an OAuth provider, MYDIGIPASS.com s sandbox environment will be used as example. If you do not have a MYDIGIPASS developer account, you can create one for free on Log into your MYDIGIPASS.com developer account and go to Sandbox. Click on Connect your test site. Identifier: IFS_vasco (this must be a unique identifier) Name: Vasco Federated Login Redirect uri: (in our application: Click on Create application Go to Sandbox and click on your newly generated test site. Take note of the client_id and the client_secret. Log into your IDENTIKEY Federation Server s management web console and go to Federated authentication, Manage OAuth providers. 13 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

15 Check Enabled for MYDIGIPASS.COM (Sandbox) Fill in the client_id of your OAuth provider Fill in the client_secret of your OAuth provider Click Save 5 Test SimpleSAMLphp connection 5.1 IDENTIKEY Federation Server Response only To test if the SimpleSAMLphp and the IDENTIKEY Federation Server are both configured correctly you can open a browser and navigate to: and select openaselect. Then you will be asked to select the Identity Provider. In our example this is Labs. Now you are redirected to the login page on the IDENTIKEY Federation Server using the authentication method selected in the application. Username: Demo (this is the user we added in Creating a demo user) Password: One Time Password (this is an OTP received from the device assigned to the user in Attaching a DIGIPASS) Once you entered your login data you are redirected to the screen of SimpleSAMLphp giving you information about your user (if the information is set in the attributes, see administrative guide). 14 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

16 5.1.2 Challenge response and Backup Virtual DIGIPASS The IDENTIKEY Federation Server version 1.2 does not yet support challenge response and Backup Virtual DIGIPASS. 6 Attachments 6.1 Authsources 'openaselect' => array( 'saml:sp', // The entity ID of this SP. // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL. 'entityid' => 'NULL', // The entity ID of the IdP this should SP should contact. // Can be NULL/unset, in which case the user will be shown a list of available IdPs. 'idp' => NULL, will be used. // The URL to the discovery service. // Can be NULL/unset, in which case a builtin discovery service 'discourl' => NULL, 'certificate' => 'server.crt', 'privatekey' => 'server.pem', 'redirect.sign' => TRUE, 'redirect.validate' => false, //'NameIDPolicy' => 'urn:oasis:names:tc:saml:2.0:nameidformat:persistent', //'NameIDPolicy' => 'urn:oasis:names:tc:saml:1.1:nameidformat: address', //'NameIDPolicy' => 'urn:oasis:names:tc:saml:1.1:nameidformat:unspecified', //'NameIDFormat' => 'urn:oasis:names:tc:saml:2.0:nameidformat:transient', 'NameIDPolicy' => null, 15 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

17 'AuthnContextClassRef' => 'urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport', //'AuthnContextClassRef' => 'urn:oasis:names:tc:saml:2.0:attrnameformat:unspecified', //WORKING: 'IsPassive' => TRUE, ) 16 DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server