
UMANTIS CLOUD SSO CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

This document describes the requirements to set up a Single Sign On (SSO) configuration on umantis cloud based solutions against a customer's private Active Directory Federation Server (ADFS).

Author: Mallku Caballero, Marc Elser
Document Version: 1.08

Haufe-umantis AG
Untertrasse 11
CH-9001 St. Gallen
Tel. +41 71 224 01 01
Fax +41 71 224 01 02
umantis@haufe.com
www.haufe.com/umantis

AUDIENCE

This document is intended primarily for umantis Technical Consultants and customers' IT departments.

PRE-REQUISITES

The customer is responsible for installing Microsoft Active Directory Federation Server version 2.0 (with Update Rollup 3 or newer) on top of his existing Active Directory infrastructure. The details for this installation and general configuration are not covered in this document.

An understanding of the SAML SSO protocol is useful but not absolutely required. Some basic elements are presented in this document, but the reader is encouraged to seek relevant resources (e.g. http://saml.xml.org/saml-specifications) for a more complete description.

SAML PROTOCOL ELEMENTS

umantis Single Sign On architecture is based on the SAML 2 standard and more specifically on the SAML Web Browser SSO Profile, which is widely used on the Internet and specifically supported by Microsoft's ADFS technology. The SAML infrastructure defines two key components: the Service Provider (SP), for all practical purposes the umantis cloud application, and the Identity Provider (IDP), which is responsible for checking credentials and authorizing access to protected resources.

[Figure: SAML Web Browser SSO flow between SP, Browser and IDP. 1. Access Resource; 2. Not signed in - redirect to SSO / Request SSO Service; 3. Authenticate; 4. Authentication Response; 5. Success - redirect to Resource]

1. A user, interacting via a web browser, attempts to access a resource on the SP.
2. The SP determines that a session has not yet been initiated and redirects the user to the IDP for authentication.
3. The IDP requests an authentication (e.g. login page) from the user.
4. The user provides authentication (e.g. user & password).
5. The IDP authorizes the user and allows the SP to establish a session.

umantis provides a default IDP for conventional logins, where the requested user and password credentials are checked against a database managed within its internal infrastructure. Some customers request a tighter integration into their internal working environment, so that their existing domain credentials may be used to authorize access to their umantis solution without having to manage a separate set of users and passwords. umantis supports this scenario with its Cloud SSO.

CLOUD ADFS-BASED SSO

Cloud SSO is rather straightforward as long as the customer can provide his own SAML2-capable Identity Provider.

CUSTOMER-PROVIDED IDP: ADFS

Where customers already have an Active Directory backed Windows domain, the most common configuration involves the usage of Microsoft's ADFS component, which is basically a lightweight service that extends Active Directory to make it SAML2-capable.

NOTE: ADFS versions older than 2.0 are not supported.

UMANTIS SERVICE PROVIDER

umantis applications are already SAML2-enabled by default, i.e. they are standard SAML Service Providers.

CIRCLE OF TRUST

A secure SSO configuration requires the SP and the IDP to know of each other, in such a way that they can ascertain that the counterparty is legitimate. In SAML, this is achieved by configuring a CIRCLE OF TRUST, which involves exchanging metadata, signing and encryption certificates that ensure mutual authentication as well as the confidentiality of exchanged data.
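
The metadata exchanged for the Circle of Trust carries exactly what the SP side must pin: the IdP's entityID, its SSO endpoint and its signing certificate. The following is an added example, not part of this guide or of umantis software; it parses an ADFS-style federation metadata document (the idp.xml a customer would send) with a constructed sample whose host names and certificate bytes are placeholders.

```python
"""Added example, not from the umantis guide: extract what the SP side of the
circle of trust pins from ADFS federation metadata (entityID, SSO endpoint,
signing certificate fingerprints) and fail loudly on the wrong kind of file."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: fake certificate body (not a real X.509 blob), placeholder hosts.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed fake certificate bytes").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes: the value to confirm with the customer out of band."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Raise ValueError if the file is not IdP metadata (e.g. SP metadata sent by mistake)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe an IdP")
    signing = [cert_fingerprint(c.text.strip())
               for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use", "signing") == "signing"   # no 'use' means both
               for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not signing:
        raise ValueError("no signing certificate: responses could not be verified")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "sso_redirect": sso[0],
            "signing_fingerprints": signing}
```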

ADFS SSO CONFIGURATION INSTRUCTIONS

This section describes the precise elements that umantis and the customer must exchange, as well as the configuration the customer must perform on their Active Directory Federation Server, in order to establish the Circle of Trust required for Cloud SSO.

SEND ADFS METADATA TO UMANTIS

Option 1) Send the url of your ADFS metadata to umantis, typically: https://your_adfs_host_name/federationmetadata/2007-06/federationmetadata.xml

Option 2) If the ADFS metadata url is not accessible from the Internet, load it in a browser yourself, save it to a local file named idp.xml and send that file to umantis.

ADD ADFS RELYING PARTY

1. Wait for umantis confirmation that your metadata has been activated. The confirmation email will contain the umantisspentityid and umantisspmetaalias parameters that are required in the following steps.
2. Use the ADFS 2.0 Management tool.
3. Navigate to Trust Relationships / Relying Party.
4. Use the Add Relying Party Trust function to import the umantis service provider using the online url:
   For customers hosted in Switzerland: https://sso.umantis.com/multitenant-sp/saml2/metadata?metaalias=umantisspmetaalias
   For customers hosted in Germany: https://sso.de.umantis.com/multitenant-sp/saml2/metadata?metaalias=umantisspmetaalias
   Note: if no access from the ADFS server to the umantis server is possible, you may save the XML returned from the above url on any workstation and manually import it in ADFS. The following steps remain unchanged.
5. Ignore the warning that not all data could be imported.
6. When asked whether you want to add Claim Rules, select Yes to enter the Edit Claim Rules dialog.

7. Add a generic LDAP rule where you map the internal Active Directory LDAP attribute SAMAccountName (or any other attribute containing an existing umantis login, such as E-Mail-Addresses) to the outgoing claim type UPN:
   a. On the Issuance Transform Rules tab, click Add Rule.
   b. On the Select Rule Template page, select Send LDAP Attributes as Claims. Click Next.
   c. On the Configure Rule page, type the name of the claim rule in the Claim rule name field.
   d. From the Attribute Store drop-down list, select Active Directory.
   e. In the Mapping of LDAP attributes to outgoing claim types section, under LDAP Attribute, select SAMAccount or E-Mail-Addresses or any other suitable unique identifier that maps to existing umantis Talent Management account names.
   f. Under Outgoing Claim Type, select UPN.
   g. Click Finish, and then click OK.
8. Create an additional Custom Rule with the following definition:

   c:[type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
   => issue(
       type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       Issuer = c.issuer,
       OriginalIssuer = c.originalissuer,
       Value = c.value,
       ValueType = c.valuetype,
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:saml:2.0:nameid-format:transient",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "youradfsentityid",
       Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "umantisspentityid");

   Where:
   - youradfsentityid is usually of the form: http://your_adfs_host_name/adfs/services/trust
   - umantisspentityid is provided to you in Step 1
9. After importing the metadata, open the Settings dialog and:
   a. On the Encryption tab, check that the umantis_te certificate is selected.
   b. On the Signature tab, check that the umantis_ts certificate is selected.
   c. On the Advanced tab, change the security algorithm to SHA1.
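
Rules 7 and 8 together determine the Subject the SP receives: a transient NameID carrying the UPN value, qualified by the ADFS entity ID and the umantis SP entity ID. The following is an added example, not part of this guide or of umantis software, showing the check an SP performs on that Subject; the entity IDs and the unsigned assertion are constructed placeholders standing in for youradfsentityid and umantisspentityid, and XML signature verification is a separate step not shown.

```python
"""Added example, not from the umantis guide: an SP-side check of the Subject
that the custom claim rule above produces. Entity IDs and the assertion are
constructed placeholders standing in for youradfsentityid/umantisspentityid."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:saml:2.0:nameid-format:transient"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ADFS_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"   # placeholder
SP_ENTITY_ID = "urn:example:umantis-sp-placeholder"               # placeholder

# Constructed, unsigned assertion shaped like the output of rules 7 and 8;
# XML signature verification is a separate step not shown here.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{NS['saml']}" ID="_c1" Version="2.0">
  <Issuer>{ADFS_ENTITY_ID}</Issuer>
  <Subject>
    <NameID Format="{TRANSIENT}" NameQualifier="{ADFS_ENTITY_ID}"
            SPNameQualifier="{SP_ENTITY_ID}">jdoe</NameID>
  </Subject>
  <AttributeStatement>
    <Attribute Name="{UPN_CLAIM}"><AttributeValue>jdoe</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def check_subject(xml_text: str, adfs_entity_id: str, sp_entity_id: str) -> str:
    """Return the login name when Issuer and NameID qualifiers match the
    circle of trust; raise ValueError naming the first mismatch."""
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != adfs_entity_id:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None:
        raise ValueError("no NameID: the nameidentifier rule (step 8) is missing")
    if nid.get("Format") != TRANSIENT:
        raise ValueError(f"NameID Format {nid.get('Format')!r} is not transient")
    if nid.get("NameQualifier") != adfs_entity_id:
        raise ValueError("NameQualifier is not the ADFS entity ID")
    if nid.get("SPNameQualifier") != sp_entity_id:
        raise ValueError("SPNameQualifier is not the umantis SP entity ID")
    upn = a.findtext(
        f"saml:AttributeStatement/saml:Attribute[@Name='{UPN_CLAIM}']/saml:AttributeValue",
        default="", namespaces=NS)
    if not upn or upn != (nid.text or "").strip():
        raise ValueError("UPN attribute (step 7) and NameID value disagree")
    return upn
```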

VALIDATE CONFIGURATION

Wait for umantis activation confirmation and point your browser to:

For customers hosted in Switzerland: https://sso.umantis.com/multitenant-sp/saml2/spinitiatedsso?metaalias=umantisspmetaalias&redirect_uri=http://www.umantis.com

For customers hosted in Germany: https://sso.de.umantis.com/multitenant-sp/saml2/spinitiatedsso?metaalias=umantisspmetaalias&redirect_uri=http://www.umantis.com

If you were previously logged in as a Windows domain user you should be automatically redirected to the umantis web site; otherwise this will only happen after successfully supplying your credentials in the Domain Login window that should appear. The address bar should have a url of the following form: http://www.umantis.com/?loginparam=

ADDITIONAL CONFIGURATION

Beyond the core Cloud SSO configuration described above, more advanced parameters may also be configured by umantis staff to satisfy customer requirements. IP-selective Cloud SSO, for instance, can be configured to precisely determine which IP address ranges (subnets) should participate in Cloud SSO. Advanced SAML2 parameters may also be tweaked to satisfy customer-specific requirements. However, this type of configuration requires a deep understanding of SAML2 and is beyond the scope of this document. Should the need arise, requirements of this nature will be reviewed by a technical expert.

FINALLY

Once the configuration has been validated, SSO must be activated by umantis on the customer solution.

Note: once activated, all logins will be handled by SSO by default (unless IP-Selective SSO has been configured). However, it is possible to force a non-SSO login by appending the following parameter to a umantis URL: https://some_umantis_url&v4login=1