This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Transcription

1 CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access Service SAML 2.0 SSO Solutions on page 1 Secure Access Service SAML 2.0 Configuration Tasks on page 6 SAML Web Browser SSO Example: Google Apps on page 26 Junos Pulse Secure Access Service SAML 2.0 SSO Solutions This section provides a brief overview of the Security Assertion Markup Language (SAML) standard produced and approved by the Organization for the Advancement of Structured Information Standards (OASIS). It includes the following topics: Understanding SAML SSO on page 1 Secure Access Service SAML Supported Features Reference on page 2 Understanding SAML SSO This topic provides a reference to the Security Assertion Markup Language (SAML) standard and an overview of SAML use cases. It includes the following information: About SAML on page 1 SAML Use Cases on page 2 About SAML SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. The standard defines the XML-based assertions, protocols, bindings, and profiles used in communication between SAML entities. SAML is used primarily to implement Web browser single sign-on (SSO). SAML enables businesses to leverage an identity-based security system like the Junos Pulse Secure Access Service to enforce secure access to Web sites and other resources without prompting the user with more than one authentication challenge. For complete details on the SAML standard, see the OASIS website: 1

2 SAML Use Cases This section provides a brief summary of the primary SAML use cases. It includes the following information: SAML SSO on page 2 SAML ACL on page 2 SAML SSO SAML is primarily used to enable Web browser single sign-on (SSO). The user experience objective for SSO is to allow a user to authenticate once and gain access to separately secured systems without resubmitting credentials. The security objective is to ensure the authentication requirements are met at each security checkpoint. In an SSO transaction, the SAML services implemented at each secured system exchange requests and assertions to determine whether to allow access. The SAML assertions used in SSO transactions include authentication statements and attribute statements. SAML ACL SAML can be used to enforce access control list (ACL) permissions. In an ACL transaction, the SAML services implemented for each secured system exchange assertions to determine whether a user can access the resource. The SAML assertions used in ACL transactions include authorization requests and authorization decision statements. Related Documentation Secure Access Service SAML Supported Features Reference on page 2 Configuring Secure Access Service as a SAML Service Provider on page 10 Configuring Secure Access Service as a SAML Identity Provider on page 14 Configuring a SAML ACL Web Policy on page 24 Secure Access Service SAML Supported Features Reference This topic provides an overview of Junos Pulse Secure Access Service support for Security Assertion Markup Language (SAML) single sign-on (SSO). It includes the following information: Supported SAML SSO Deployment Modes on page 2 Supported SAML SSO Profiles on page 5 Supported SAML SSO Deployment Modes In a SAML deployment, a SAML service provider (SP) is a secured resource (an application, Web site, or service) that is configured to request authentication from a SAML identity provider (IdP). The SAML IdP responds with assertions regarding the identity, attributes, and entitlements (according to your configuration). The exchange enforces security and enables the SSO user experience. 2

3 Chapter 1: SAML Single Sign-On The Secure Access Service can act as a SAML SP, a SAML IdP, or both. The following sections provide illustrations: Secure Access Service As a SAML SP on page 3 Secure Access Service As a SAML IdP (Gateway Mode) on page 4 Secure Access Service As a SAML IdP (Peer Mode) on page 4 Secure Access Service As a SAML SP If you are working with a partner that has implemented SAML IdP, you can deploy the Secure Access Service as a SAML SP to interoperate with it, thereby enabling SSO for users who should have access to resources in both networks. Figure 1 illustrates this scenario. In this model, the user is authenticated by the SAML IdP. The Secure Access Service uses the SAML response containing the assertion to make an authentication decision. The choices the identity provider makes to implement SAML determine the Secure Access Service deployment choices, for example whether to use SAML 2.0 or SAML 1.1, whether to reference a published metadata configuration file, and whether to use a POST or Artifact profile. When you deploy the Secure Access Service as a SAML SP, you create a SAML Authentication Server that references the partner SAML IdP, and a set of Secure Access Service access management framework objects (Realm, Role Mapping rules, and Sign-In Policy) that reference the SAML Authentication Server. Figure 1: Secure Access Service As a SAML SP User 1 or 2 1 or 2 SAML IdP 3 SAML SP g and 2 A user logs into your enterprise Secure Access Service or a secure partner site. If the user tries to access the resource protected by the SAML SP first, the SAML SP redirects the user to the SAML IdP sign-in page. This order of events is called SP-initiated SSO. If the user logs into the SAML IdP site first and then accesses a resource hosted on the SAML SP site, the user is not prompted by the SAML IdP a second time. This is called IdP-initiated SSO. 3 The SAML exchange of requests and assertions substitutes for user interaction. The SAML exchange conducts the security without interrupting the user. 3

4 Secure Access Service As a SAML IdP (Gateway Mode) When you deploy the Secure Access Service in front of enterprise resources that support SAML and have been configured as a SAML SP, the Secure Access Service acts as a gateway for user access to the secured resource, just as it does with its other resource policies. The Secure Access Service maintains the session and uses its rewriting or pass-through proxy (PTP) features to render data to the user. In the SAML exchange, the Secure Access Service acts as a SAML IdP. When deployed as a gateway, the SAML SSO communication is always IdP-initiated. Figure 2 illustrates this scenario. Figure 2: Secure Access Service As a SAML IdP (Gateway Mode) User 1 2 SAML IdP 3 g SAML SP 1 A user logs into the Secure Access Service. 2 Later, the user requests a resource protected by a security system that supports SAML and has implemented a SAML SP. 3 In gateway mode deployments, the Secure Access Service acts as a SAML IdP. The SAML IdP initiates the SAML authentication request to the SAML SP. Particular users are granted access to particular resources according to the Secure Access Service SAML SSO resource policy. Secure Access Service As a SAML IdP (Peer Mode) When deployed to support access to external resources (example: public cloud resources), the Secure Access Service does not have to be a gateway to user access. The user can 4

5 Chapter 1: SAML Single Sign-On access the external resource directly, and the traffic does not flow through the Secure Access Service device. You configure the Secure Access Service as a SAML IdP to correspond with the external SAML SP, and you configure an External Apps SSO resource policy to determine the users and resources to which the SAML SSO experience applies. Figure 3 illustrates this scenario. Figure 3: Secure Access Service As a SAML IdP (Peer Mode) User 1 or 2 1 or 2 SAML SP 3 SAML IdP g and 2 A user logs into your enterprise Secure Access Service or a secure partner site. If the user tries to access the resource protected by the SAML SP first, the SAML SP redirects the user to the SAML IdP sign-in page. This order of events is called SP-initiated SSO. If the user logs into the SAML IdP site first and then accesses a resource hosted on the SAML SP site, the user is not prompted by the SAML IdP a second time. This is called IdP-initiated SSO. When you configure the SAML IdP, some settings are necessary to support either IdP-initiated or SP-initiated SSO. The documentation makes note of these. Regardless, you configure the SAML IdP to support both IdP-initiated and SP-initiated SSO. 3 The SAML exchange of requests and assertions substitutes for user interaction. The SAML exchange conducts the security without interrupting the user. Supported SAML SSO Profiles Table 1 summarizes support for SAML 2.0 deployment profiles. 5

6 Table 1: Supported SAML 2.0 Deployment Profiles Profile Message Flows Binding SP IdP (Gateway) IdP (Peer) Web Browser SSO <AuthnRequest> from SP to IdP HTTP Redirect HTTP POST Supported Not Applicable Not Applicable Supported Supported HTTP Artifact Not Applicable IdP <Response> to SP HTTP POST Supported Supported Supported HTTP Artifact Supported Supported Supported Assertion Query / Request Artifact Resolution <ArtifactResolve> <ArtifactResponse> SOAP Supported Supported Supported Single Logout Logout Request HTTP Redirect Supported HTTP POST HTTP Artifact SOAP LogoutResponse HTTP Redirect Supported HTTP POST HTTP Artifact SOAP Related Documentation Understanding SAML SSO on page 1 Configuring Secure Access Service as a SAML Service Provider on page 10 Configuring Secure Access Service as a SAML Identity Provider on page 14 Secure Access Service SAML 2.0 Configuration Tasks This section includes the tasks you perform to enable and configure SAML services. It includes the following information: Configuring SAML Global s on page 7 Configuring Secure Access Service as a SAML Service Provider on page 10 Configuring Secure Access Service as a SAML Identity Provider on page 14 Configuring a SAML ACL Web Policy on page 24 6

7 Chapter 1: SAML Single Sign-On Configuring SAML Global s This section describes tasks related to configuring system-wide SAML settings. It includes the following topics: Configuring Global SAML s on page 7 Managing SAML Metadata Files on page 8 Configuring Global SAML s The system-wide SAML settings impact all SAML SP instances and SAML IdP instances. To configure global SAML settings: 1. In the admin console, select System > Configuration > SAML. 2. Click the s button. 3. Complete the settings described in Table Click Save Changes. Table 2: SAML Global s Timeout value for metadata fetch request If the peer SAML entity publishes its metadata at a remote location, the Secure Access Service downloads the metadata file from the specified location. Specify the number of seconds after which this download request is abandoned. Validity of uploaded/downloaded metadata file Specify the maximum duration for which the Secure Access Service considers the metadata file of the peer SAML entity to be valid. If the metadata file provided by the peer SAML entity contains validity information, the lower value takes precedence. Host FQDN for SAML Specify the fully qualified domain name for the Secure Access Service host. The value you specify here is used to generate the SAML entity ID and to generate URLs for SAML services, including: Entity ID for SAML SP and SAML IdP instances. The SAML entitiy ID is the URL where the Secure Access Service publishes its SAML metadata file. Single Sign-On Service URL Single Logout Service URL Assertion Consumer Service URL Artifact Resolution Service URL BEST PRACTICE: The Secure Access Service uses HTTPS for these services. Therefore, we recommend that you assign a valid certificate to the interface that has the IP address to which this FQDN resolves so that users do not see invalid certificate warnings. 7

8 Table 2: SAML Global s (continued) Alternate Host FQDN for SAML Optional. If you have enabled the Reuse Existing NC (Pulse) Session on the SAML Identify Provider Sign-In page, specify the fully qualified domain name used to generate the Secure Access Service SSO Service URL. Set up your DNS service to ensure that the alternate host name resolves to a different IP addresses when a session is established and when not established. We recommend the following DNS behavior: If the NC (Pulse) session is not established, the IP address of the alternate host name should resolve to the public IP address on the Secure Access Service external port. If the NC (Pulse) session is established, the IP address of the alternate host name should resolve to the private IP address on the Secure Access Service internal port. BEST PRACTICE: The Secure Access Service uses HTTPS for this service. Therefore, we recommend that you assign a valid certificate to the interface that has the IP address to which this FQDN resolves so that users do not see invalid certificate warnings. Update Entity IDs Use this button to regenerate the SAML entity ids of all configured SPs and IdPs. Typically, you take this action when the Host FQDN for SAML is changed. Related Documentation Managing SAML Metadata Files on page 8 Managing SAML Metadata Files You use the System > Configuration > SAML pages to maintain a table of SAML metadata files for the SAML SPs and IdPs in your network. Using SAML metadata files makes configuration easier and less prone to error. You can add the metadata files to the Secure Access Service by: Uploading a metadata file Retrieving the metadata file from a well-known URL To add metadata files: 1. In the admin console, choose System > Configuration > SAML. 2. Click New Metadata Provider. 3. Complete the settings described in Table Click Save Changes. 8

9 Chapter 1: SAML Single Sign-On Table 3: SAML Metadata Provider s Metadata Provider Location Configuration Use one of the following methods: Local. Click Browse and locate the metadata file on your local host or file system. Remote. Enter the URL of the metadata file. Only http and https protocols are supported. Metadata Provider Verification Configuration Select options: Accept Untrusted Server Certificate. If you specify a URL for the metadata provider, select this option to allow the Secure Access Service to download the metadata file even if the server certificate is not trusted. This is necessary only for HTTPS URLs. Accept Only Signed Metadata. Allow only signed metadata files. If this option is not selected, unsigned metadata is imported. Signed metadata is imported only after signature verification. Signing Certificate. Click Browse and locate the certificate that verifies the signature in the metadata file. This certificate overrides the certificate specified in the signature of the received metadata. If no certificate is uploaded here then the certificate present in the signature of the received metadata is used. Enable Certificate Status Checking. Verify the certificate before using it. Certificate verification applies both to the certificate specified here and the certificate specified in the signature in the metadata file. Metadata Provider Filter Configuration Select options and enter Entity IDs: Roles. Select whether the metadata file includes configuration details for a SAML SP, IdP, or Policy Decision Point. You may select more than one. If you select a role that is not in the metadata file, it is ignored. If none of the selected roles are present in the metadata file, Secure Access Service returns an error. Entity IDs To Import. Enter the SAML Entity IDs to import from the metadata files. Enter only one ID per line. Leave this field blank to import all IDs. This option is available only for uploading local metadata files. The Refresh button downloads the metadata files from the remote location even if these files have not been modified. This operation applies only to remote locations; local metadata providers are ignored if selected. To refresh a metadata file: 1. In the admin console, choose System > Configuration > SAML. 2. Select the metadata file to refresh and click Refresh. To delete a metadata file: 1. In the admin console, choose System > Configuration > SAML. 2. Select the metadata file to delete and click Delete. Related Documentation Configuring Peer SAML Service Provider s on page 17 9

10 Configuring Secure Access Service as a SAML Service Provider This topic describes how to configure the Secure Access Service as a SAML service provider (SP). When the Secure Access Service is a SAML SP, it relies on the SAML IdP authentication and attribute assertions when users attempt to sign in to the Secure Access Service. Note that authentication is only part of the Secure Access Service security system. The access management framework determines access to the Secure Access Service and protected resources. Secure Access Service supports: HTTP-Redirect binding for sending AuthnRequests HTTP-Redirect binding for sending/receiving SingleLogout requests/responses HTTP-POST and HTTP-Artifact bindings for receiving SAML responses Before you begin, check to see whether the SAML IdP uses HTTP-POST or HTTP-Artifact bindings for SAML assertions. Also, check to see whether the SAML IdP has published a SAML metadata file that defines its configuration. If the SAML IdP metadata file is available, configuration is simpler and less prone to error. To configure the Secure Access Service as a SAML SP: 1. If you have not already done so, complete the Secure Access Service system-wide SAML settings. Go to System > Configuration > SAML > s. For details, see Configuring Global SAML s on page If you have not already done so, add metadata for the SAML IdP to the metadata provider list. Go to System > Configuration > SAML. For details, see Managing SAML Metadata Files on page In the admin console, select Authentication > Auth. Servers. 4. Select SAML Server from the New list and then click New Server. 5. Complete the settings as described in Table Click Save Changes. After you save changes for the first time, the page is redisplayed and now has two tabs. The s tab allows you to modify any of the settings pertaining to the SAML Server instance. The Users tab lists valid users of the server. 7. Next steps: Configure the access management framework to use the SAML authentication server. Start with Realm and Role Mapping rules. For details, see Creating an Authentication Realm and Specifying Role Mapping Rules for an Authentication Realm. Configure a Sign-In Policy. When using a SAML authentication server, the sign-in policy can map to a single realm only. For details, see Defining a Sign-In Policy. 10

11 Chapter 1: SAML Single Sign-On Table 4: SAML SP Profile (POST and Artifact) Name Specify a name to identify the server instance. s SAML Version Select 2.0. SA Entity Id This value is prepopulated. It is generated by the system, based on the value for the Host FQDN for SAML setting on the System > Configuration > SAML > s page. Configuration Mode Select Manual or Metadata. If a metadata file or location is available from the SAML IdP, use the metadata option to make configuration simpler and less prone to error. To upload or set the location for the published metadata file, go to System > Configuration > SAML and click the New Metadata Provider button. Identity Provider Entity ID The IdP entity ID is sent as the Issuer value in the assertion generated by the SAML IdP. If you use the metadata option, this setting can be completed by selecting the IdP entity ID from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you complete this setting manually, specify the Issuer value in assertions generated by the SAML IdP. Typically, you ask the SAML IdP administrator for this setting. Identity Provider Single Sign On Service URL The IdP SSO service URL is a URL provisioned by the SAML IdP. The setting is required to support SP-initiated SSO. If missing, the Secure Access Service cannot successfully redirect the user request. If you use the metadata option, this setting can be completed by selecting the SSO service URL from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you complete this setting manually, ask the SAML IdP administrator for this setting. User Name Template Specify how the Secure Access Service is to derive the username from the assertion. If the field is left blank, it uses the string received in the NameID field of the incoming assertion as the username. If you choose a certificate attribute with more than one value, the Secure Access Service uses the first matched value. For example, if you enter <certdn.ou> and the user has two values for the attribute (ou=management, ou=sales), the Secure Access Service uses management. To use all values, add the SEP attribute to the variable. For example, if you enter <certdn.out SEP= : >, the Secure Access Service uses management:sales. The attributes received in the attribute statement in the incoming assertion are saved under userattr. These variables can also be used with angle brackets and plain text. If the user name cannot be generated using the specified template, the login fails. If the NameID filed of the incoming assertion is of type X509Nameformat, then the individual fields can be extracted using system variable assertionnamedn. Allowed Clock Skew Determines the maximum allowed difference in time between the Secure Access Service clock and the SAML IdP server clock. 11

12 Table 4: SAML SP Profile (POST and Artifact) (continued) Support Single Logout Single logout is a mechanism provided by SAML for logging out a particular user from all the sessions created by the IdP. Select this option if the Secure Access Service must receive and send single logout request for the peer SAML IdP. If you use the metadata option, the Single Logout Service URL setting can be completed by selecting the SLO service URL from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. The Secure Access Service sends Single Logout requests to this URL. In addition, if you use the metadata option, the Single Logout Response URL setting is completed based on your selection for Single Logout Service URL. If the IdP has left this setting empty in its metadata file, the Secure Access Service sends the Single Logout response to the SLO service URL. If you complete these settings manually, ask the SAML IdP administrator for guidance. SSO Method Artifact When configured to use the Artifact binding, the Secure Access Service contacts the Artifact Resolution Services (ARS) to fetch the assertion using SOAP protocol. If the ARS is hosted on a HTTPS URL, then the certificate presented by the ARS is verified by the Secure Access Service. For this verification to pass successfully, the CA of the server certificate issued to the IdP ARS must be added to the Trusted Server CA on the Secure Access Service. Complete the following settings to configure SAML using the HTTP Artifact binding: Source ID. Enter the source ID for the IdP ARS. Source ID is Base64 encoded 20 byte identifier for the IdP ARS. If left blank, this value is generated by the Secure Access Service. Source Artifact Resolution Service URL. For metadata-based configuration, this field is completed automatically from the metadata file and is not configurable. For manual configurations, enter the URL of the service to which the SP ACS is to send ArtifactResolve requests. ArtifactResolve requests are used to fetch the assertion from the artifact received by it. SOAP Client Authentication. Select HTTP Basic or SSL Client Certificate and complete the related settings. If you use an SSL client certificate, select a certificate from the Secure Access Service device certificate list. Select Device Certificate for Signing. Select the device certificate the Secure Access Service uses to sign the AuthnRequest sent to the IdP SSO service. If you do not select a certificate, the Secure Access Service does not sign AuthnRequest. Select Device Certificate for Encryption. Select the device certificate the Secure Access Service uses to decrypt encrypted data received in the SAML response. The public key associated with the device certificate is used by the IdP for encryption. 12

13 Chapter 1: SAML Single Sign-On Table 4: SAML SP Profile (POST and Artifact) (continued) POST When configured to use the POST binding, the Secure Access Service uses a response signing certificate to verify the signature in the incoming response or assertion. The certificate file must be in PEM or DER format. The certificate you select should be the same certificate used by the IdP to sign SAML responses. Complete the following settings to configure SAML using the HTTP POST binding: Response Signing Certificate. If you use the metadata-based configuration option, select a certificate from the list. The list is populated by the IdP entities defined in metadata files added to the System > Configuration > SAML page. If you configure these settings manually, browse to and upload the certificate to be used to validate the signature in the incoming response or assertion. If no certificate is specified, the certificate embedded in the response is used. Enable Signing Certificate status checking. Select this option to check the validity of the signing certificate before verifying the signature. This setting applies to any certificate used for signature verification. If this option is enabled, the response will be rejected if the certificate is revoked, expired, or untrusted. If this option is selected, the certificate CA must be added to the Secure Access Service Trusted Client CA store. If this option is not enabled then the certificate is used without any checks. Select Device Certificate for Signing. Select the device certificate the Secure Access Service uses to sign the AuthnRequest sent to the IdP SSO service. If you do not select a certificate, the Secure Access Service does not sign AuthnRequest. Select Device Certificate for Encryption. Select the device certificate the Secure Access Service uses to decrypt encrypted data received in the SAML response. The public key associated with the device certificate is used by the IdP for encryption. Service Provider Metadata s Metadata Validity Enter the number of days the Secure Access metadata is valid. Valid values are 0 to specifies the metadata does not expire. Do Not Publish SA Metadata Select this option if you do not want the Secure Access Service to publish the metadata at the location specified by the SA Entity ID field. Download Metadata This button appears only after you have saved the Authentication Server configuration. Use this button to download the metadata of the current SAML SP. User Record Synchronization Enable User Record Synchronization Allow users to retain their bookmarks and individual preferences regardless of which Secure Access Service device they log in to. Logical Auth Server Name Related Documentation Understanding SAML SSO on page 1 Secure Access Service SAML Supported Features Reference on page 2 13

14 Configuring Secure Access Service as a SAML Identity Provider This topic describes how to configure the Secure Access Service as a SAML identity provider (IdP). It includes the following sections: Basic Steps on page 14 Configuring Sign-In SAML Metadata Provider s on page 14 Configuring Sign-In SAML Identity Provider s on page 15 Configuring Peer SAML Service Provider s on page 17 Configuring a SAML SSO Resource Policy for Gateway Mode Deployments on page 20 Configuring a SAML External Apps SSO Resource Policy for External Resources on page 22 Basic Steps Implementing Secure Access Service as a SAML IdP includes the following basic steps. 1. Configure system-wide SAML settings. Go to System > Configuration > SAML > s. See Configuring Global SAML s on page Add SAML metadata provider files. Go to System > Configuration > SAML. See Managing SAML Metadata Files on page Configure Sign-In SAML metadata provider settings. See Configuring Sign-In SAML Metadata Provider s on page Configure Sign-In SAML identity provider settings. See Configuring Sign-In SAML Identity Provider s on page Configure peer SP settings. See Configuring Peer SAML Service Provider s on page Configure a resource policy: For gateway mode deployments, configure a SAML SSO resource policy. See Configuring a SAML SSO Resource Policy for Gateway Mode Deployments on page 20. For peer mode deployments, configure an External Apps SSO resource policy. See Configuring a SAML External Apps SSO Resource Policy for External Resources on page 22. Configuring Sign-In SAML Metadata Provider s Sign-In SAML metadata provider settings determine how Secure Access Service IdP metadata is published. To configure the IdP metadata publication settings: 1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Metadata Provider. 2. Complete the settings described in Table Table 5. 14

15 Chapter 1: SAML Single Sign-On 3. Click Save Metadata Provider to save your changes. Table 5: Sign-In SAML IdP Metadata Provider s Entity ID This value is prepopulated. It is generated by the system, based on the value for the Host FQDN for SAML setting on the System > Configuration > SAML > s page. Metadata Validity Specify the maximum duration for which a peer SAML entity can cache the Secure Access Service SAML metadata file. Valid values are 1 to The default is 365 days. Do Not Publish SA Metadata Select this option if you do not want the Secure Access Service to publish the metadata at the location specified by the SA Entity ID field. You can use this option to toggle off publication without deleting your settings. Download Metadata Use this button to download the Secure Access Service SAML IdP metadata. Configuring Sign-In SAML Identity Provider s The settings defined in this procedure are the default settings for Secure Access Service SAML IdP communication with all SAML SPs. If necessary, you can use the Peer SP configuration to override these settings for particular SPs. To configure Sign-In SAML IdP settings: 1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Identity Provider. 2. Complete the settings described in Table Click Save Changes. Table 6: Sign-In SAML Identity Provider s Basic Identity Provider (IdP) Configuration (Published in Metadata) Protocol Binding to use for SAML Response Select POST, Artifact, or both, depending on your total requirements. Signing Certificate Select the certificate used to sign the SAML messages sent by the Secure Access Service. The certificates listed here are configured in System > Configuration > Certificate > Device Certificates. Decryption Certificate Select the certificate used to decrypt the SAML messages sent by peer SPs. The public key associated with this certificate is used by the peer SP to encrypt SAML messages exchanged with this IdP. The decryption certificate must be configured if the Peer SP encrypts the SAML messages sent to the Secure Access Service. The certificates listed here are configured in System > Configuration > Certificate > Device Certificates. 15

16 Table 6: Sign-In SAML Identity Provider s (continued) Other Configurations Reuse Existing NC (Pulse) Session. This feature applies to an SP-initiated SSO scenario that is, when a user clicks a link to log into the SP site. The SP redirects the user to the IdP SSO Service URL. If this option is selected, a user with an active NC/Pulse session is not prompted to authenticate. The Secure Access Service uses information from the existing session to form the SAML response. Accept unsigned AuthnRequest. In an SP-initiated SSO scenario, the SP sends an AuthnRequest to the IdP. This AuthnRequest could be either signed or unsigned. If this option is unchecked, the Secure Access Service rejects unsigned AuthnRequests. Note that the Secure Access Service also rejects signed AuthnRequests if signature verification fails. Service-Provider-Related IdP Configuration Relay State SAML RelayState attribute sent to SP in an IdP-initiated SSO scenario. If left blank, the RelayState value is the URL identifier of the resource being accessed. Session Lifetime Suggested maximum duration of the session at the SP created as a result of the SAML SSO. None. The IdP does not suggest a session duration. Role Based. Suggest the value of the session lifetime configured for the user role. Customized. If you select this option, the user interface displays a text box in which you specify a maximum in minutes. Sign-In Policy Select the Sign-In URL to which the user is redirected in an SP-initiated scenario. The list is populated by the sign-in pages configured in Authentication > Signing In > Sign-in Policies. Note: If the user already has a session with the Secure Access Service, then it is not validated if the user session was created as a result of authenticating via this configured sign-in policy. Force Authentication Behavior In an SP-initiated scenario, the SP sends an AuthnRequest to the IdP. If the SP AuthnRequest includes the ForceAuthn attribute set to true and the user has a valid Secure Access Service session, this setting determines how the IdP responds. Specify: Reject AuthnRequest. Do not honor the SAML SSO request. Re-Authenticate User. Invalidate the user session and prompt for reauthentication. Note: This setting prevails over the Pulse session re-use setting. User Identity Subject Name Format. Format of NameIdentifier field in generated Assertion. Select: DN. Username in the format of DN(distinguished name). address. Username in the format of an address. Windows. Username in the format of a Windows domain qualified username. Other. Username in an unspecified format. Subject Name. Template for generating the username that is sent as the value of the NameIdentifier field in the assertion. You may use any combination of available system/custom variables contained in angle brackets and plain text. 16

17 Chapter 1: SAML Single Sign-On Table 6: Sign-In SAML Identity Provider s (continued) Web Service Authentication These settings apply when the HTTP Artifact binding is used. Authentication Type. Method used to authenticate the service provider (SP) assertion consumer service to the identity provider (IdP) on the Secure Access Service system. None. Do not authenticate the assertion consumer service. Username/Password. If you select this option, use the controls to specify username and password settings. Certificate. For certificate-based authentication, the Client CA of the SP should be present in Secure Access Service system Trusted Client CA list (System > Configuration > Certificates > Trusted Client CAs). Artifact configuration These settings apply when the HTTP Artifact binding is used. Source ID. This is the base64-encoded, 20-byte identifier of the Artifact resolution service on the IdP. Enable Artifact Response Signing and Encryption. If checked, the IdP signs and encrypts the Artifact response. Configuring Peer SAML Service Provider s The Peer SP list defines the set of SPs configured to communicate with the Secure Access Service SAML IdP. When you add a Peer SP to the list, you can customize the SAML IdP settings used to communicate with the individual SP. If the SP provides a SAML metadata file, you can use it to simplify configuration, or you can complete more detailed manual steps. If available, we recommend you use metadata so that configuration is simpler and less prone to error. To configure peer SAML SP settings: 1. In the admin console, go to Authentication > Signing In > Sign-In SAML > Identity Provider. 2. Under Peer Service Provider Configuration, create a list of service providers (SP) that are SAML peers to the Secure Access Service SAML IdP. To add a service provider to the list, click Add SP. 3. Complete the settings described in Table Click Save Changes. Table 7: Peer Service Provider Configuration Configuration Mode Select Manual or Metadata. Service Provider Configuration - Metadata 17

18 Table 7: Peer Service Provider Configuration (continued) Entity Id If you use metadata, select the SAML Entity ID of the SP. This list contains all the SPs specified in all the metadata files added to the System > Configuration > SAML page. Select certificates manually When you use the metadata configuration, the Secure Access Service SAML IdP iterates through all the signature verification certificates specified when verifying the incoming SAML messages coming from the SP. Similarly, when encrypting the SAML messages going out, the Secure Access Service SAML IdP encrypts the messages with the first valid encryption certificate encountered in the metadata. Select this option to override this default behavior and select certificates manually. Signature Verification Certificate If you select the Select certificates manually option, select the certificate to be used by the IdP to verify the signature of incoming SAML messages. Encryption Certificate If you select the Select certificates manually option, select the certificate to be used if the assertions sent by the IdP must be encrypted. Service Provider Configuration - Manual Entity Id If you are completing a manual configuration, ask the SAML SP administrator for this setting. Assertion Consumer Service URL URL of the service on SP that receives the assertion/artifact sent by the IdP. Protocol Binding supported by the Assertion Consumer Service at the SP Select POST, Artifact, or both. This setting must be consistent with the SAML IdP configuration. Default Binding If both Post and Artifact are supported, which is the default? Post Artifact This setting must be consistent with the SAML IdP configuration. Signature Verification Certificate Upload the certificate to be used by the IdP to verify the signature of incoming SAML messages. If no certificate is specified, the certificate embedded in the incoming SAML message is used for signature verification. Encryption Certificate Upload the certificate to be used if the assertions sent by the IdP must be encrypted. If not certificate is specified, the assertions sent by the IdP are not encrypted. Certificate Attribute Configuration for Artifact Resolution Service Optional. Specify attributes that must be present in the certificate presented to the Artifact Resolution Service (ARS) at the IdP by the SP Assertion Consumer Service. This option appears only if the SAML SP supports the HTTP Artifact binding, the Secure Access Service SAML IdP has been configured to support the HTTP Artifact binding, and the Web Service Authentication type specified for the SP is Certificate. Certificate Status Checking Configuration 18

19 Chapter 1: SAML Single Sign-On Table 7: Peer Service Provider Configuration (continued) Enable signature verification certificate status checking Select this option to enable revocation checks for the signing certificate. Uses the configuration in System > Configuration > Certificates > Trusted Client CAs. Enable encryption certificate status checking Select this option to enable revocation checks for the encryption certificate. Uses the configuration in System > Configuration > Certificates > Trusted Client CAs. Customize IdP Behavior Override Default Configuration Select this option to set custom behavior of the Secure Access Service SAML IdP for this SP instance. If you select this option, the user interface displays the additional options listed next. Reuse Existing NC (Pulse) Session This option cannot be enabled here if it is not selected for the Sign-In SAML Identity Provider default settings. Accept unsigned AuthnRequest Individual SPs can choose to accept unsigned AuthnRequest. Relay State SAML RelayState attribute sent to SP in an IdP-initiated SSO scenario. If left blank, the RelayState value is the URL identifier of the resource being accessed. Session Lifetime Suggested maximum duration of the session at the SP created as a result of the SAML SSO. None. The IdP does not suggest a session duration. Role Based. Suggest the value of the session lifetime configured for the user role. Customized. If you select this option, the user interface displays a text box in which you specify a maximum in minutes. Sign-In Policy Select the Sign-In URL to which the user is redirected in an SP-initiated scenario. The list is populated by the sign-in pages configured in Authentication > Signing In > Sign-in Policies. Note: If the user already has a session with the Secure Access Service, then it is not validated if the user session was created as a result of authenticating via this configured sign-in policy. Force Authentication Behavior In an SP-initiated scenario, the SP sends an AuthnRequest to the IdP. If the SP AuthnRequest includes the ForceAuthn attribute set to true and the user has a valid Secure Access Service session, this setting determines how the IdP responds. Specify: Reject AuthnRequest. Do not honor the SAML SSO request. Re-Authenticate User. Invalidate the user session and prompt for reauthentication. Note: This setting prevails over the Pulse session re-use setting. 19

20 Table 7: Peer Service Provider Configuration (continued) User Identity Subject Name Format. Format of NameIdentifier field in generated Assertion. Select: DN. Username in the format of DN(distinguished name). address. Username in the format of an address. Windows. Username in the format of a Windows domain qualified username. Other. Username in an unspecified format. Subject Name. Template for generating the username that is sent as the value of the NameIdentifier field in the assertion. You may use any combination of available system/custom variables contained in angle brackets and plain text. Web Service Authentication These settings apply when the HTTP Artifact binding is used. Authentication Type. Method used to authenticate the service provider (SP) assertion consumer service to the identity provider (IdP) on the Secure Access Service system. None. Do not authenticate the assertion consumer service. Username/Password. If you select this option, use the controls to specify username and password settings. Certificate. For certificate-based authentication, the Client CA of the SP should be present in Secure Access Service system Trusted Client CA list (System > Configuration > Certificates > Trusted Client CAs). Artifact configuration These settings apply when the HTTP Artifact binding is used. Source ID. This is the base64-encoded, 20-byte identifier of the Artifact resolution service on the IdP. Enable Artifact Response Signing and Encryption. If checked, the IdP signs and encrypts the Artifact response. Configuring a SAML SSO Resource Policy for Gateway Mode Deployments When deployed as a gateway in front of enterprise resources, the SAML SSO policy acts like other Secure Access Service resource policies. The Secure Access Service maintains the session and uses its rewriting or pass-through proxy (PTP) features to render data to the user. You use a SAML SSO resource policy when the protected resource supports SAML SSO and has been configured as a SAML SP. When deployed as a gateway, the SAML SSO communication is always IdP-initiated. Figure 4 illustrates a gateway mode deployment. 20

21 Chapter 1: SAML Single Sign-On Figure 4: Secure Access Service As a SAML IdP (Gateway Mode) User 1 2 SAML IdP 3 g SAML SP 1 A user logs into the Secure Access Service. 2 Later, the user requests a resource protected by a security system that supports SAML and has implemented a SAML SP. 3 In gateway mode deployments, the Secure Access Service acts as a SAML IdP. The SAML IdP initiates the SAML authentication request to the SAML SP. Particular users are granted access to particular resources according to the Secure Access Service SAML SSO resource policy. To configure a SAML SSO resource policy: 1. In the admin console, go to Users > Resource Policies > Web. 2. Use the tabs to display the SSO > SAML page. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SSO and SAML check boxes. 3. Click New Policy. 4. Complete the settings described in Table Click Save Changes. 21

22 Table 8: SAML SSO Resource Policy s Name Type a name for the policy. Type a description that would be meaningful to other administrators. Resources Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP. Roles Select one of the following options: Policy applies to ALL roles. To apply this policy to all users Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Action Select one of the following: Use the SAML SSO defined below. Typically, this is the setting you use for a SAML SSO resource policy. The Secure Access Service SAML IdP makes the SSO request when a user tries to access to a SAML resource specified in the Resources list. Do NOT use SAML. Secure Access Service does not perform an SSO request. Use this if there is a problem with the SAML SP and you want to allow access. Use Detailed Rules. Use this option to configure advanced rules. SAML SSO Details SAML Version. Select 2.0. Service Provider Entity ID. Select the Service provider entity ID for which you would like to configure Secure Access Service to act as an IdP. The SP Entity IDs listed here are configured in Authentication > Signing In > Sign-in SAML > Identity Provider > Peer Service Provider configuration. Cookie Domain. Enter a comma-separated list of domains to which Secure Access Service sends the SSO cookie. NOTE: The SAML SSO resource policy settings are different in Secure Access Service 7.2 from 7.1. Policies you created with Secure Access Service 7.1 are preserved in edit-only mode for legacy use. Configuring a SAML External Apps SSO Resource Policy for External Resources When deployed to support access to external resources (example: public cloud resources), the Secure Access Service does not have to be a gateway to user access. The user can access the external resource directly, and the traffic does not flow through the Secure Access Service device. You configure the Secure Access Service as a SAML IdP to correspond with the external SAML SP, and you configure an SSO SAML External Apps resource policy to determine the users and resources to which the SAML SSO experience applies. 22

23 Chapter 1: SAML Single Sign-On To configure a SAML External Apps resource policy: 1. In the admin console, go to Users > Resource Policies > Web. 2. Use the tabs to display the SSO > SAML External Apps page. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SSO and SAML check boxes. 3. Click New Policy. 4. Complete the settings described in Table Click Save Changes. Table 9: SAML SSO External Apps Policy s Name Type a name for the policy. Type a description that would be meaningful to other administrators. Resources Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP. Roles Select one of the following options: Policy applies to ALL roles. To apply this policy to all users Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Action Select one of the following: Use the SAML SSO defined below. Typically, this is the setting you use for a SAML SSO resource policy. The Secure Access Service SAML IdP makes the SSO request when a user tries to access to a SAML resource specified in the Resources list. Do NOT use SAML. Secure Access Service does not perform an SSO request. Use this if there is a problem with the SAML SP and you want to allow access. Use Detailed Rules. Use this option to configure advanced rules. SAML SSO Details SAML Version. Select 2.0. Service Provider Entity ID. Select the Service provider entity ID for which you would like to configure Secure Access Service to act as an IdP. The SP Entity IDs listed here are configured on the Authentication > Signing In > Sign-in SAML > Identity Provider > Peer Service Provider pages. Related Documentation SAML Web Browser SSO Example: Google Apps on page 26 23

24 Configuring a SAML ACL Web Policy To configure the Secure Access Service as a policy enforcement point, you must create a SAML ACL web policy. To configure a SAML ACL web policy: 1. In the admin console, select Users > Resource Policies > Web. 2. Select the Access > SAML ACL tab. If your administrator view is not configured to show SAML policies, click the Customize button in the upper-right corner of the page and select the SAML ACL check boxes. 3. On the SAML Access Control Policies page, click New Policy. 4. Complete the settings described in Table Click Save Changes. 6. On the SAML Access Control Policies page, order the policies according to how you want the Secure Access Service to evaluate them. Keep in mind that once the Secure Access Service matches the resource requested by the user to a resource in a policy s (or a detailed rule s) Resource list, it performs the specified action and stops processing policies. Table 10: SAML ACL Web Policy s Name Type a name for the policy. Type a description that would be meaningful to other administrators. Resources Specify the fully qualified domain name for the resources for which this policy applies. These are the resources protected at the SAML SP. Roles Select one of the following options: Policy applies to ALL roles. To apply this policy to all users Policy applies to SELECTED roles. To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Policy applies to all roles OTHER THAN those selected below. To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list. Action Select one of the following: Use the SAML Access Control checks defined below. Secure Access Service performs an access control check to the specified URL using the data specified in the SAML Access Control Details section. Do not use SAML Access. The Secure Access Service does not perform an access control check. Use Detailed Rules. Use this option to configure advanced rules. 24