SAML Authentication within Secret Server



Similar documents
Configuring. Moodle. Chapter 82

Configuring EPM System for SAML2-based Federation Services SSO

How to create a SP and a IDP which are visible across tenant space via Config files in IS

SAML v2.0 for.net Developer Guide

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAML single sign-on configuration overview

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

CA Nimsoft Service Desk

JOSSO 2.4. Ws-Federation Integration Tutorial

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Authentication Methods

Using SAML for Single Sign-On in the SOA Software Platform

How To Use Saml 2.0 Single Sign On With Qualysguard

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Copyright: WhosOnLocation Limited

- Spam Filtering

TIB 2.0 Administration Functions Overview

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Getting Started with AD/LDAP SSO

InfoRouter LDAP Authentication Web Service documentation for inforouter Versions 7.5.x & 8.x

SAML Single-Sign-On (SSO)

Spring Security SAML module

Connected Data. Connected Data requirements for SSO

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Security Assertion Markup Language (SAML) Site Manager Setup

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

SAP NetWeaver AS Java

SAML v1.1 for.net Developer Guide

Active Directory Requirements and Setup

Single Sign-On for the UQ Web

OpenLogin: PTA, SAML, and OAuth/OpenID

EVault Endpoint Protection 7.0 Single Sign-On Configuration

Integration of Shibboleth and (Web) Applications

McAfee Cloud Identity Manager

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Absorb Single Sign-On (SSO) V3.0

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Single Sign-On Implementation Guide

Configuring Parature Self-Service Portal

WatchDox SharePoint Beta Guide. Application Version 1.0.0

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

Authentication and Single Sign On

How To Connect To Ecs.Org From A Pc Or Mac Or Ipad (For A Laptop) With A Network Connection (For Mac) With The Ipad Or Ipa (For Pc Or Ipac) With An Ipa Or Ip

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, p i.

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

webnetwork Office 365 SSO integration v

Egnyte Single Sign-On (SSO) Installation for OneLogin

SAML-Based SSO Solution

SAML Authentication Quick Start Guide

Configuring. SugarCRM. Chapter 121

T his feature is add-on service available to Enterprise accounts.

Microsoft Outlook 2010

OIOSAML 2.0 Toolkits Test results May 2009

SAML 2.0 for WIF Service Provider. Installation guideline. SAML 2.0 for WIF. Service Provider. Globeteam A/S SAML 2.0 for WIF, version 1.

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

User Replicator USER S GUIDE

Outlook Express. Make Changes in Red: Open up Outlook Express. From the Menu Bar. Tools to Accounts - Click on Mail Tab.

Single Sign-on to Salesforce.com with CA Federation Manager

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Feide Technical Guide. Technical details for integrating a service into Feide

WebNow Single Sign-On Solutions

Installing Globodox Web Client on Windows Server 2012

Single Sign-On Implementation Guide

Agenda. How to configure

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

SAML 2.0 SSO Deployment with Okta

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

ADFS Integration Guidelines

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Shibboleth User Verification Customer Implementation Guide Version 3.5

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

Information Infrastructure Initiative, Kyushu University

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

JOSSO 2.4. Internet Information Server (IIS) Tutorial

Enterprise Knowledge Platform

Federating with Web Applications

Authentication Integration

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Cloud Authentication. Getting Started Guide. Version

MICROSTRATEGY 9.3 Supplement Files Setup Transaction Services for Dashboard and App Developers

Configuring Salesforce

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

Perceptive Experience Single Sign-On Solutions

HP Software as a Service. Federated SSO Guide

PowerLink for Blackboard Vista and Campus Edition Install Guide

Transcription:

SAML Authentication within Secret Server Secret Server allows the use of SAML Identity Provider (IdP) authentication instead of the normal authentication process for single sign-on (SSO). To do this, Secret Server acts as a SAML Service Provider (SP) that can communicate with any configured SAML IdP. The documentation below assumes you have a running IdP with a signed certificate. In the diagram below, Secret Server acts as the Service Provider. Any configured SAML Identity Provider can be used for this process and there are a number of well tested providers, including Shibboleth, SimpleSAMLPhp and Office365.

1. Configure SAML Go to Administration > Configuration, then click the Login tab. Click the Edit button to enable SAML and configure the optional SAML Username Attribute. 2. Perform backend configuration. There are three parts to the backend configuration for SAML. After following these steps, recycle Secret Server s application pool so that the settings can take effect. a. Enable the SAML configuration file (saml.config). b. Modify the Secret Server SAML configuration file to contain your IdP settings. i. This includes referencing the certificates for Secret Server and the IdP. c. Modify the IdP s metadata to contain information on Secret Server as a Service Provider. a. Enable the SAML configuration file (saml.config) Copy the saml.config.template to saml.config. This, along with setting Enable SAML Integration in the Secret Server login configuration page, turns on SAML in your Secret Server installation. b. Modify the Secret Server SAML configuration file to your IdP settings. 1. Fill out the ServiceProvider section in the saml.config file. a. Choose an EntityId for your Secret Server instance. By default, the EntityId in the file is: 'urn:componentspace:secretserverserviceprovider. b. Type this into the [EntityIdForYourSecretServerServiceProvider] section of the saml.config file. c. Verify the AssertionConsumerServiceUrl is: ~/SAML/AssertionConsumerService.aspx.

d. Specify the Certificate to use. Follow the instruction below in How to Specify a Certificate for SAML. 2. Fill out the PartnerIdentityProvider section in the saml.config file. Secret Server currently supports only one Identity Provider at a time. a. Specify the EntityId of the Identity Provider in the Name attribute.. b. Specify the SingleSignOnServiceUrl (the URL on the IdP where users go to sign in). c. Specify the SingleLogoutServiceUrl (the URL on the IDP where users go to sign out). d. Specify the Certificate to use (see the section below How to Specify a Certificate for SAML). e. Specify additional options, such as encryption and signing: i. SingleLogoutServiceBinding 1. The optional SingleLogoutServiceBinding attribute specifies the transport binding to use when sending logout messages to the partner provider s SLO service. The default is to use the HTTP-Redirect binding. ii. LogoutRequestLifeTime 1. The optional LogoutRequestLifeTime attribute specifies the NotOnOrAfter time interval for the logout request. The format is hh:mm:ss. The default is 3 minutes. iii. DisableInboundLogout 1. The optional DisableInboundLogout attribute specifies whether logout requests sent by the partner provider are not supported. The default is iv. DisableOutboundLogout 1. The optional DisableOutboundLogout attribute specifies whether logout requests sent to the partner provider are not supported. The default is v. SignLogoutRequest 1. The optional SignLogoutRequest attribute specifies whether logout requests sent to the partner provider should be signed. The default is vi. SignLogoutResponse 1. The optional SignLogoutResponse attribute specifies whether logout responses sent to the partner provider should be signed. The default is vii. WantLogoutRequestSigned 1. The optional WantLogoutRequestSigned attribute specifies whether the logout request from the partner provider should be signed. The default is viii. WantLogoutResponseSigned 1. The optional WantLogoutResponseSigned attribute specifies whether the logout response from the partner provider should be signed. The default is ix. UseEmbeddedCertificate

1. The optional UseEmbeddedCertificate attribute specifies whether the certificate embedded in the XML signature should be used when verifying the signature. If false, a configured certificate retrieved from the certificate manager is used. The default is x. ClockSkew 1. The optional ClockSkew attribute specifies the time difference allowed between local and partner computer clocks when checking time intervals. The default is no clock skew. xi. DigestMethod 1. The optional DigestMethod attribute specifies the XML signature digest method. The default is: http://www.w3.org/2000/09/xmldsig#sha1. xii. SignatureMethod 1. The optional SignatureMethod attribute specifies the XML signature method. The default is: http://www.w3.org/2000/09/xmldsig#rsa-sha1. xiii. KeyEncryptionMethod 1. The optional KeyEncryptionMethod attribute specifies the XML encryption key encryption method. The default is: http://www.w3.org/2001/04/xmlenc#rsa-1_5. xiv. DataEncryptionMethod 1. The optional DataEncryptionMethod attribute specifies the XML encryption data encryption method. The default is: http://www.w3.org/2001/04/xmlenc#aes128-cbc. How to specify a certificate for SAML X.509 certificates are used for XML signatures and XML encryption. A certificate for SAML can be specified in a number of different ways within the saml.config file. A certificate may be stored in a file or the Windows certificate store. How to specify a certificate for SAML when stored on the file system 1. Specify a CertificateFile. This can be an absolute path or a path relative to the application folder. 2. [optional] Specify a CertificatePassword. This is the password associated with the certificate file. Certificate files (*.pfx) that include the private key should be protected by a password. For a production certificate, the password should be stored encrypted in web.config. Refer to the CertificatePasswordKey attribute directly below for more details. 3. [optional] Specify a CertificatePasswordKey. This specifies the web.config s appsettings key for the certificate file password. For example, if the CertificatePasswordKey attribute value is localcertificatepassword, then under the web.config s appsettings section, an entry with the key name localcertificatepassword is expected and the entry value is used as the password. By encrypting the appsettings section using the aspnet_regiis utility, the certificate file password is secured. How to specify a certificate for SAML when stored in the Windows certificate store One of the following methods must be used to reference the certificate. 1. [optional] Specify a CertificateSerialNumber attribute. Specifies the X.509 certificate by serial number within the certificate store.

2. [optional] Specify a CertificateThumbprint attribute. Specifies the X.509 certificate by thumbprint within the certificate store. 3. [optional] Specify a CertificateSubject attribute. Specifies the X.509 certificate by subject within the certificate store. c. Modify the IdP s metadata for Secret Server integration Following the instructions provided by your IdP, add the appropriate entries for Secret Server as a Service Provider. Secret Server s assertion consumer service is located at: https://<path TO YOUR SECRET SERVER>/SAML/AssertionConsumerService.aspx. Secret Server s SingleLogoutService is located at: https://<path TO YOUR SECRET SERVER>//SAML/sloservice.aspx. Secret Server s EntityId (or URN or other similar reference) is the EntityId chosen above in Section 1a of Modify the Secret Server SAML configuration file to your IdP settings. Example SAML config file for a SimpleSAMLPHP installation: <?xml version="1.0"?> <SAMLConfiguration xmlns="urn:componentspace:saml:2.0:configuration"> <ServiceProvider Name="urn:componentspace:SecretServerServiceProvider" AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx" CertificateFile="sp.pfx" CertificatePassword="password"/> <PartnerIdentityProvider Name="https://localhost/simplesaml/saml2/idp/metadata.php" SignAuthnRequest="false" WantSAMLResponseSigned="true" WantAssertionSigned="false" WantAssertionEncrypted="false" SingleSignOnServiceUrl="https://localhost/simplesaml/saml2/idp/SSOService.php?sp entityid=urn:componentspace:secretserverserviceprovider" CertificateFile="simplesaml.crt"/> </SAMLConfiguration>

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information