LogMeIn Rescue Web SSO via SAML 2.0
Configuration Guide
02-19-2014
Copyright 2015 LogMeIn, Inc.
Contents

1 Introduction ... 3
1.1 Document overview ... 3
1.2 Abbreviations, Definitions, Acronyms ... 3
1.2.1 Abbreviations ... 3
1.2.2 Definitions ... 3
1.3 References ... 4
2 LogMeIn Rescue SAML 2.0 Overview ... 5
2.1 Physical overview of how Rescue SSO works ... 5
2.2 IDP-Initiated SSO with POST Bindings ... 6
3 IDP Requirements ... 7
3.1 Connection ... 7
3.2 SAML 2.0 Web SSO Profile ... 7
3.2.1 Signature ... 7
4 Configuration ... 8
4.1 IDP Configuration ... 8
4.1.1 Assertion Consumer Service URL ... 8
4.1.2 Important Assertion configuration for security context ... 8
4.2 Rescue Side Configuration ... 9
5 ADFS 2.0 Configuration ... 10
5.1 ADFS Relying Party Configuration ... 10
5.2 ADFS Relying Party Claim Rules ... 13
5.2.1 Edit the Claim rules ... 13
5.2.2 Configure the claim rule ... 15
6 Errors ... 16
6.1 Basic SAML error codes ... 16
6.2 Rescue specific SAML error codes ... 17
6.3 Rescue specific login error codes ... 18
6.4 Common mistakes ... 18
6.5 More Rescue side troubleshooting ... 18
1 Introduction

1.1 Document overview

This document describes how to configure LogMeIn Rescue to use SAML 2.0 (Security Assertion Markup Language) with your Identity Provider (IDP), for example ADFS 2.0. SAML is an XML framework for transmitting authentication and authorization data over the Internet. Through this framework, SAML enables different security services to exchange and process security information. To make this exchange possible, SAML defines the structure of the documents that transport security information between services.

1.2 Abbreviations, Definitions, Acronyms

1.2.1 Abbreviations

SAML: Security Assertion Markup Language
IDP: Identity Provider
MAH: LogMeIn Rescue Master Account Holder
ADFS: Active Directory Federation Services
UTC: Coordinated Universal Time, the primary time standard by which the world regulates clocks and time.

1.2.2 Definitions

Master Account Holder: The Master Account Holder is the owner of the LogMeIn Rescue account and has complete control over all areas of the Administration Center. He and the Master Administrators are the only users with access to the Global Settings tab.

Technicians: Technicians provide remote support using the LogMeIn Rescue Technician Console. Technicians can choose to run the Technician Console in a supported browser or as a desktop application.

Administration Center: Administrators use the LogMeIn Rescue Administration Center to configure LogMeIn Rescue to reflect any support organization, from one support technician to teams of support technicians with different responsibilities and capabilities. The online interface is used to create and assign permissions for other administrators and Technician Groups. Administrators can also create support channels, which are web-based links that automatically connect customers to technicians.

CompanyID: Unique identifier of the Rescue account.

Rescue User SSO ID: A per-technician ID defined in the Single Sign-On ID field on the Organization tab of the Administration Center when adding or editing organization members.

Certificate, public key/private key: Encryption that uses a private/public key pair: data encrypted with one key of the pair can only be decrypted with the other key of the pair.

1.3 References

Wiki SAML 2.0: http://en.wikipedia.org/wiki/saml_2.0
SAML Specifications: http://saml.xml.org/saml-specifications
ADFS 2.0: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx
2 LogMeIn Rescue SAML 2.0 Overview

Rescue supports two methods of SAML 2.0 Web SSO:

SP initiated
IDP initiated

2.1 Physical overview of how Rescue SSO works

2.2 IDP-Initiated SSO with POST Bindings

From the OASIS SAML 2.0 Technical Overview, section 4.1.4.
3 IDP Requirements

3.1 Connection

The Rescue website communicates over HTTPS. Your IDP must support HTTP over an HTTPS connection (port 443).

3.2 SAML 2.0 Web SSO Profile

Your IDP must support the SAML 2.0 Web SSO Profile (see the OASIS SAML 2.0 Technical Overview). The IDP must support the HTTP POST Binding for the authentication response; authentication data must be sent in this format. For more details, see SAML 2.0 Bindings.

3.2.1 Signature

Rescue validates the signature of both the Assertion and the Response. You must sign the Assertion and the Response with the same private key.
4 Configuration

4.1 IDP Configuration

4.1.1 Assertion Consumer Service URL

You need to set the ACS URL in your IDP Federation configuration:

https://secure.logmeinrescue.com/sso/saml2/receive

4.1.2 Important Assertion configuration for security context

NameID [Required]

Name ID is part of the Subject section in the SAML Response message. The IDP must include the user identifier. There are two ways to provide the identifier:

Technician SSO ID
NameID Format: persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
NameID Value: contains the Rescue technician SSO ID. It is a property of the Rescue technician and you can edit it in the Admin Center.
Sample:
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>

Technician Email
NameID Format: emailAddress (urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress)
NameID Value: contains the Rescue technician email address. It is a property of the Rescue technician and you can edit it in the Admin Center.
Sample:
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">jdoe@logmein.com</saml:NameID>

CompanyID Attribute [Required]

The IDP must provide the Rescue CompanyID, which is a unique identifier per LogMeIn Rescue account. The certificate is assigned per Rescue account, and we use the CompanyID to find the public key.
Sample:
<saml:Attribute Name="LMIRescue.CompanyID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">123456</saml:AttributeValue>
</saml:Attribute>

Language [Optional]

If the attribute includes a language code (IETF language tag format), the IDP sends it to Rescue. If the code matches an existing Rescue language, the Rescue website is displayed in that language. See the Administration Center User Guide for a list of supported languages.
Sample:
<saml:Attribute Name="LMIRescue.Language" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xsi:type="xs:anyType">en-us</saml:AttributeValue>
</saml:Attribute>

4.2 Rescue Side Configuration

For Rescue side configuration, call LogMeIn support.
5 ADFS 2.0 Configuration

5.1 ADFS Relying Party Configuration

It is recommended to configure the Relying Party manually. Relying Party configuration is also possible by importing the ServiceNow metadata into your ADFS server; however, manual configuration of the Relying Party appears to be easier to implement.

1. Open the ADFS 2.0 Management console and select Action > Relying Party Trusts. The Add Relying Party Trust Wizard is displayed.
2. Click Start to begin. The Select Data Source window is displayed.
3. Select Enter data about the relying party manually. Click Next. The Specify Display Name window is displayed.
4. Specify a display name, such as LogMeIn Rescue SSO, and enter any notes you want. Click Next. The Choose Profile window is displayed.
5. Select the ADFS 2.0 Profile. Click Next. The Configure Certificate window is displayed.
6. Do not select a token encryption certificate; just click Next. The Configure URL window is displayed.
7. Do not enable any settings; just click Next. The Configure Identifiers window is displayed.
8. Enter the URL of the LogMeIn Rescue website to which you connect as the Relying Party trust identifier. In this case, use https://secure.logmeinrescue.com, and click Add. Click Next.
9. In the Choose Issuance Authorization Rules window, select the Permit all users to access this relying party option. Click Next. The Ready to Add Trust window is displayed.
10. Click Next. The Finish window is displayed.
11. Clear the Open the Edit Claim Rules dialog for this relying party when the wizard closes check box. Click Close. In the Relying Party Trusts window, the new Relying Party is displayed.
12. Right-click the Relying Party you have just created, and select Properties. The LogMeIn Rescue SSO Properties window is displayed. (Please note that the name of this window depends on the display name you specified earlier.)
13. In the LogMeIn Rescue SSO Properties window, select the Endpoints tab.
14. In the bottom left corner, click Add. The Add an Endpoint window is displayed.
15. Set the following values:
   Endpoint type: SAML Assertion Consumer
   Binding: POST
16. In the URL field, type: https://secure.logmeinrescue.com/sso/saml2/receive
17. Click OK. The new SAML Assertion Consumer is displayed in the window.
18. In the top right corner, click the Advanced tab.
19. Set the Secure hash algorithm to SHA1.
20. Click OK. The LogMeIn Rescue SSO Properties window closes.
5.2 ADFS Relying Party Claim Rules

5.2.1 Edit the Claim rules

This enables proper communication with Rescue.

1. In the Relying Party Trusts window, right-click the Relying Party and select Edit Claim Rules. The Edit Claim Rules for LogMeIn Rescue SSO window is displayed. (Please note that the name of this window depends on the display name you specified earlier.)
2. On the Issuance Transform Rules tab, select Add Rule. The Select Rule Template window is displayed.
3. Select Send LDAP Attributes as Claims as the claim rule template. Click Next. The Configure Rule window is displayed.
4. In the Claim rule name field, give the claim a name, such as Email.
5. Set the following values:
   a. Attribute Store: Active Directory
   b. LDAP Attribute: E-Mail-Addresses
   c. Outgoing Claim Type: E-Mail Address
6. Select Finish. The new rule is displayed in the list.
7. In the bottom left corner, select Add Rule. The Select Rule Template window is displayed.
8. Select Transform an Incoming Claim as the claim rule template to use. Click Next.
9. In the Claim rule name field, give the claim a name, such as Email To Name ID.
10. Set the following values:
   a. Incoming claim type: E-Mail Address
   b. Outgoing claim type: Name ID
   c. Outgoing name ID format: Email (must match the Outgoing Claim Type in rule #1; this is required by Rescue)
   Note: As described in section 4.1.2, Important Assertion configuration for security context, you can set the Name ID to the user name or another custom value. If you do this, you must set the Name ID format to Persistent.
11. Select Pass through all claim values. Click Finish. The new rule is displayed in the list.
5.2.2 Configure the claim rule

1. In the Edit Claim Rules for LogMeIn Rescue SSO window, select Add Rule. (Please note that the name of this window depends on the display name you specified earlier.) The Select Rule Template window is displayed.
2. Select Send Claims Using a Custom Rule as the claim rule template to use. Click Next.
3. In the Claim rule name field, give the claim a name, such as CompanyID.
4. Fill in the Custom rule field:
   => issue(type = "LMIRescue.CompanyID", Value = "[your company ID]");
5. Click Finish. The new rule is displayed in the list.
6. Test the implementation on your ADFS URL: https://<yourdomain>.com/adfs/ls/idpinitiatedsignon.aspx
6 Errors

We indicate possible problems with error codes, and we also have error codes for unexpected problems. The codes or texts may appear as a result or subcode at the client. Below is a detailed list of the codes with a few words about the most common problems.

6.1 Basic SAML error codes

RelayStateMissing (1): The RelayState is not found. The IDP did not provide it.
RelayStateExpired (2): The RelayState has expired. The login process took too much time.
ResponseRelayStateIsWrong (3): The RelayState does not match the expected state. It may be the response for a different request.
ResponseNotSuccess (4): The response indicates that the authentication failed.
ResponseDestinationIsWrong (5): The response destination does not match our address.
ResponseExpired (6): The response has expired. The login process took too much time.
ResponseNotContainAssertion (7): Fatal error: the response must contain at least one assertion.
ResponseIssuerIsEmpty (8): The response issuer was empty. The IDP must provide the issuer, and it must be the same value as in our configuration.
AssertionExpired (9): The assertion has expired. The login process took too much time.
AssertionSubjectNotValid (10): The assertion contains an invalid subject.
AssertionSubjectDataAddressIsWrong (11): The assertion subject's address is wrong. It must match the target address (the SP address).
AssertionSubjectNotOnOrAfterNotValid (12): The assertion subject has expired. The login process took too much time.
AssertionConditionNotOnOrAfterNotValid (13): The assertion condition has expired. The login process took too much time.
AssertionConditionNotBeforeNotValid (14): The assertion condition has expired. The login process took too much time.
IDPConfigurationIsWrong (15): There is an error in the IDP configuration. Ensure that you configured the Rescue side of the SAML login correctly. Also check the subcode, which may indicate a concrete error.
ResponseSignatureNotValid (16): The signature of the response is not valid. Ensure that the configured public key is really the public key of the IDP certificate.
AssertionSignatureNotValid (17): The signature of the assertion is not valid. Ensure that the configured public key is really the public key of the IDP certificate.
NameIDNotFound (18): Fatal error: the NameID cannot be found in the response. It is key information about the user.
SAMLComponentError (254): Internal error in the SAML component. This is a Rescue issue.
UnspecifiedError (255): We do not know what happened.

6.2 Rescue specific SAML error codes

RescueCompanyIDMissing (1): The company ID is missing. Provide your company ID in the SAML assertion as defined in the documentation.
ResponseIssuerIsWrong (2): The issuer value of the SAML response is not the same as the configured one. It must be exactly the same value.
AssertionIssuerIsWrong (3): The issuer value of the SAML assertion is not the same as the configured one. It must be exactly the same value.
NameIDPolicyFormatMismatch (4): The NameID policy format is different from the configured one. Ensure that you provide the same format as in the configuration.
UnspecifiedError (255): We do not know what happened.
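The assertion requirements of section 4.1.2 and the error codes of sections 6.1 and 6.2 can be exercised offline with the checker below. It is an added example, not LogMeIn's code: it runs a constructed, unsigned sample response through the Rescue-side checks the guide describes (destination, exact issuer match, assertion present, validity window, NameID format, CompanyID attribute) and returns the matching error-code names; the issuer value and the sample response are assumptions, and XML signature validation (section 3.2.1) is not implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://secure.logmeinrescue.com/sso/saml2/receive"      # section 4.1.1
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # section 4.1.2
ISSUER = "http://adfs.example.com/adfs/services/trust"  # hypothetical IDP issuer, as configured on the Rescue side

# Constructed, unsigned sample (not from the guide); a real ADFS response also carries a Signature element
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
<saml:Issuer>{ISSUER}</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Issuer>{ISSUER}</saml:Issuer>
<saml:Subject><saml:NameID Format="{PERSISTENT}">jdoe</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2014-02-19T10:00:00Z" NotOnOrAfter="2014-02-19T10:10:00Z"/>
<saml:AttributeStatement><saml:Attribute Name="LMIRescue.CompanyID">
<saml:AttributeValue>123456</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, expected_issuer, expected_nameid_format, now_utc):
    """Return the section 6 error-code names the response triggers; [] means it passes these checks."""
    errors, resp, now = [], ET.fromstring(xml_text), _ts(now_utc)
    if resp.get("Destination") != ACS_URL:
        errors.append("ResponseDestinationIsWrong")
    issuer = resp.findtext("saml:Issuer", default="", namespaces=NS)
    if not issuer:
        errors.append("ResponseIssuerIsEmpty")
    elif issuer != expected_issuer:  # exact, case-sensitive comparison (section 6.4)
        errors.append("ResponseIssuerIsWrong")
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return errors + ["ResponseNotContainAssertion"]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        errors.append("AssertionIssuerIsWrong")
    cond = a.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now:
        errors.append("AssertionConditionNotBeforeNotValid")
    if cond is not None and cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now:
        errors.append("AssertionConditionNotOnOrAfterNotValid")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("NameIDNotFound")
    elif name_id.get("Format") != expected_nameid_format:
        errors.append("NameIDPolicyFormatMismatch")
    company = a.find("saml:AttributeStatement/saml:Attribute[@Name='LMIRescue.CompanyID']/saml:AttributeValue", NS)
    if company is None or not (company.text or "").strip():
        errors.append("RescueCompanyIDMissing")
    return errors
```

Checking the same sample against a differently cased expected issuer fails both issuer checks, which is the mistake section 6.4 warns about. ADFS emits its Email name ID format as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, so pass whatever URN your IDP actually sends as expected_nameid_format.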
6.3 Rescue specific login error codes

loginsaml_unknownerror (999): We do not know what happened. It is probably a Rescue issue.
loginsaml_invalidlogin (1120): The login failed because of an invalid login attempt. It is probably a Rescue issue.

6.4 Common mistakes

Wrong issuer: It is very easy to make a mistake here: the Rescue side value of the IDP issuer must be exactly the same as the one posted by the IDP. Even a one-character difference can cause problems (mind casing).

Wrong company ID: The company ID is important because we store the SAML configuration on a per-company basis. If the IDP sends a wrong company ID, we will not find the correct configuration and the login process will fail. Pay special attention to companies with more than one account (for example, a test and a production account).

Wrong NameID format: We provide two ways to send us the identity of the user: email or SSO ID. These options are exclusive, so the IDP must decide which one to use, then configure the Rescue side with that value. The IDP must then send the identity in that format.

Wrong certificate: We need the public key of a company's certificate to be uploaded on the Rescue side. If the SAML assertion is signed with a different certificate (a different certificate has a different public key) or is not signed at all, we cannot be sure that the request came from a trusted partner, so we cannot let the user log in.

6.5 More Rescue side troubleshooting

If you are stuck resolving a problem, check the following:

Is the SAML login enabled for the company?
Does the user exist in the Rescue system (not the company, but the actual user)?
Are all the configurations correct?
Does the configuration that you are stuck with really belong to the company ID you need? (test vs. production accounts)
Are all the certificates the correct ones?