INTEGRATION GUIDE DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

1 Overview
  1.1 Architecture
  1.2 Two factor authentication
2 Technical Concepts
  2.1 SimpleSAMLphp
  2.2 VASCO
    2.2.1 IDENTIKEY Federation Server
    2.2.2 IDENTIKEY Authentication Server
3 Configuration details
  3.1 Architecture
  3.2 Pre-requisites
  3.3 SimpleSAMLphp configuration
    3.3.1 Authentication source
    3.3.2 Adding Metadata
    3.3.3 Setting up a signing certificate
  3.4 IDENTIKEY Federation Server configuration
    3.4.1 Create application
4 Basic IDENTIKEY Federation Setup
  4.1 Setup
  4.2 Back-ends
    4.2.1 LDAP
    4.2.2 IDENTIKEY Authentication Server
      4.2.2.1 IDENTIKEY Authentication Server Client
      4.2.2.2 Creating a demo user
      4.2.2.3 Attaching a DIGIPASS
  4.3 Additional authentication methods
    4.3.1 MYDIGIPASS.com
5 Test SimpleSAMLphp connection
  5.1 IDENTIKEY Federation Server
    5.1.1 Response only
    5.1.2 Challenge response and Backup Virtual DIGIPASS
6 Attachments
  6.1 Authsources

1 Overview

1.1 Architecture

[Architecture diagram: SimpleSAMLphp connects over SAML and MYDIGIPASS.com over OAuth to the IDENTIKEY Federation Server (IFS, ifs.labs.vasco.com); IFS authenticates against the IDENTIKEY Server over RADIUS and against Active Directory over LDAP.]

1.2 Two factor authentication

Many organizations still rely on a username and password to protect their data or external access. However, passwords are often very simple and very easily guessed, cracked or even stolen. Once a password is compromised, it can take quite a lot of time before anyone notices. Recently a lot of services are being moved to the cloud, where anyone can access the service from anywhere. This means that users are often accessing it from outside the safe network, making protecting your password even more important and harder.

Two factor authentication from VASCO Data Security adds an additional factor, called DIGIPASS, to your password. The DIGIPASS generates a One Time Password, or OTP, which you use in combination with your password. This means that people need both a specific device and the password if they want to gain access. If the device is stolen, this is noticed quickly, and access using that device can be denied, stopping any attacker quickly. With this in mind you can secure your web accounts, granting you the comfort of Single Sign-On with the hardened security of two factor authentication.

2 Technical Concepts

2.1 SimpleSAMLphp

If you have a web application that needs to authenticate users, SimpleSAMLphp can help you out. In addition to supporting local authentication with one of its authentication modules, you can use the service provider functionality. If you are using SimpleSAMLphp as a service provider, it communicates with an Identity Provider and delegates authentication to it. More information can be found on their website: http://simplesamlphp.org/.

2.2 VASCO

2.2.1 IDENTIKEY Federation Server

IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user's identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity.

IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server not only delegates but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure.

2.2.2 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems. IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance are similar.

3 Configuration details

3.1 Architecture

[Architecture diagram: SimpleSAMLphp connects over SAML to the IDENTIKEY Federation Server (IFS, ifs.labs.vasco.com).]

3.2 Pre-requisites

In our test environment we used a Windows server and installed WAMP. To install SimpleSAMLphp on your server, please follow the steps in this guide: http://simplesamlphp.org/docs/stable/simplesamlphp-install. Make sure that you have enabled OpenSSL on your web server.

3.3 SimpleSAMLphp configuration

3.3.1 Authentication source

Once the initial setup is completed, you must add some additional lines of code to authsources.php. This file can be found under the install folder: <simplesamlphpx.x>/config/authsources.php. In here, add a new authsource; an example is given in chapter 6.1 Authsources.

3.3.2 Adding Metadata

Start by downloading the Metadata from the IDENTIKEY Federation Server by navigating to http://<ifs-host>/ifs/profiles/saml2 (in our environment: http://ifs.labs.vasco.com/ifs/profiles/saml2). Open the file and copy the contents into the Metadata converter of SimpleSAMLphp. You can find the Metadata converter here: http://<webhost>/admin/metadata-converter.php. Now copy the output and paste it into the saml20-idp-remote.php file. This file can be found in your SimpleSAMLphp install folder under: metadata/saml20-idp-remote.php.

3.3.3 Setting up a signing certificate

By default, SimpleSAMLphp ships with a signing certificate. This certificate is widely known and therefore provides very little security, so generate your own. Open a command window, navigate to <simplesamlphp-install-folder>/cert/ and enter:

    openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out labs.crt -keyout labs.pem

It is very likely that your server does not recognize the openssl command even though OpenSSL is installed together with WAMP. Use <wamp-installfolder>/bin/apache/apachex.x.x/bin/openssl instead.

Edit the authsources.php file and change the privatekey and certificate variables in the openaselect authsource to match the newly created certificate:

  Certificate: labs.crt
  Privatekey: labs.pem

You can use your own certificates as well. To do so, copy the certificate and the private key file to <simplesamlphp-install-folder>/cert/ and change the values in authsources.php.

3.4 IDENTIKEY Federation Server configuration

3.4.1 Create application

Navigate to your IDENTIKEY Federation Server manager console, http://<ifs-host>/ifsm (in our environment: http://ifs.labs.vasco.com/ifsm), and go to Applications, Add Application. Select SAML generic and enter http://<webhost>/simplesamlphp/module.php/saml/sp/metadata.php/openaselect as the Metadata URL.
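As an added example for step 3.3.2 (not code from the VASCO guide or from SimpleSAMLphp), the following Python turns IdP metadata of the kind downloaded from http://<ifs-host>/ifs/profiles/saml2 into the saml20-idp-remote.php entry that the Metadata converter produces, and lists what to check in it before pasting it. The metadata document, host names and certificate value are constructed, and the array keys assume SimpleSAMLphp's idp-remote format (entityid, SingleSignOnService, SingleLogoutService, certData).

```python
import xml.etree.ElementTree as ET

# Added example for section 3.3.2 (not from the VASCO guide or SimpleSAMLphp):
# turns IdP metadata, as downloaded from http://<ifs-host>/ifs/profiles/saml2,
# into the saml20-idp-remote.php entry that the Metadata converter produces.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape an IdP publishes; the certificate is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://ifs.example.test/ifs">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="%s" Location="https://ifs.example.test/ifs/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ifs.example.test/ifs/sso/post"/>
    <md:SingleSignOnService Binding="%s" Location="https://ifs.example.test/ifs/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, REDIRECT, REDIRECT)


def idp_remote_entry(xml_text: str) -> dict:
    """Return the saml20-idp-remote entry (as a dict) for the IdP described in xml_text."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(name):  # prefer HTTP-Redirect, the binding SimpleSAMLphp uses by default
        svcs = idp.findall(f"{{{MD}}}{name}")
        preferred = [s for s in svcs if s.get("Binding") == REDIRECT] or svcs
        return preferred[0].get("Location") if preferred else None

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            certs += ["".join(c.text.split()) for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entityid": root.get("entityID"),
            "SingleSignOnService": endpoint("SingleSignOnService"),
            "SingleLogoutService": endpoint("SingleLogoutService"),
            "certData": certs[0] if certs else None}


def review_entry(entry: dict) -> list:
    """Problems to fix before trusting assertions from this IdP."""
    issues = []
    if not entry["certData"]:
        issues.append("no signing certificate: IdP signatures cannot be validated")
    for key in ("SingleSignOnService", "SingleLogoutService"):
        if entry[key] and not entry[key].startswith("https://"):
            issues.append(f"{key} is not HTTPS")
    return issues


def to_php(entry: dict) -> str:
    """Render the entry as the PHP array to paste into metadata/saml20-idp-remote.php."""
    lines = ["$metadata['%s'] = array(" % entry["entityid"]]
    lines += ["    '%s' => '%s'," % (k, v) for k, v in entry.items() if v is not None]
    return "\n".join(lines + [");"])
```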

4 Basic IDENTIKEY Federation Setup

4.1 Setup

[Setup diagram: IFS (ifs.labs.vasco.com, 10.4.0.198) receives SAML, and OAuth from MYDIGIPASS.com; it authenticates against the IDENTIKEY Server (10.4.0.13) over RADIUS and against Active Directory (10.4.0.10) over LDAP.]

4.2 Back-ends

4.2.1 LDAP

Log into IDENTIKEY Federation Server's management web console and navigate to Authentication, LDAP.

  LDAP URL: ldap://10.4.0.10:389
  DN base: DC=labs,DC=vasco,DC=com

  DN user field: CN
  Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com
  Security principal password: <administrator password>

Check Allow user attribute gathering and click Save. By clicking on Test Connection you can verify that the data you entered is correct.

4.2.2 IDENTIKEY Authentication Server

Log into IDENTIKEY Federation Server's management web console and navigate to Authentication, Manage methods. Edit DIGIPASS authentication.

  Friendly name: DIGIPASS authentication
  Maximum retries: 3
  Method: PAP
  Server address: 10.4.0.13
  Server port: 1812
  NAS-IP-Address: 10.4.0.198
  Shared secret: <RADIUS secret> (can be chosen)

Click Save.

4.2.2.1 IDENTIKEY Authentication Server Client

Log into your IDENTIKEY Authentication Server and go to Clients, Register.

  Client Type: select RADIUS Client from the list
  Location: 10.4.0.198

  Policy ID: select a policy
  Protocol ID: RADIUS
  Shared Secret: <RADIUS secret>
  Confirm Shared Secret: re-enter the <RADIUS secret>

Click Create. Make sure that the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server.

4.2.2.2 Creating a demo user

The user created in the IDENTIKEY Authentication Server has to exist in the Active Directory. Log into your IDENTIKEY Authentication Server and go to Users, Create.

  User ID: <your-user> (in our setup: Demo)
  Domain: <your-domain> (in our setup: labs.vasco.com)
  Organizational unit: <your-ou> (OPTIONAL, in our setup: WEB Users)
  Enter static password: <your-password>
  Confirm static password: <your-password>
  Local Authentication: Default
  Back-end Authentication: Default

Click on Create. You have now added a user to your IDENTIKEY Authentication Server.

4.2.2.3 Attaching a DIGIPASS

Log into your IDENTIKEY Authentication Server and type the name of a user in the FIND field, then click SEARCH. Click on the User ID and navigate to Assigned DIGIPASS.

Click on ASSIGN. Click NEXT. Click ASSIGN. Click FINISH. With the DIGIPASS assigned, the user is now ready for testing.
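The RADIUS/PAP link configured in 4.2.2 and 4.2.2.1 is easier to reason about when both sides are visible, so here is an added example (not VASCO's code) that models the exchange per RFC 2865: the shared secret hides the PAP password in the Access-Request and authenticates the server's reply, which is why a secret that differs between the two servers makes every reply fail the client's check. The secret, user name and password are constructed values, and the stand-in server checks a static table instead of validating a real OTP.

```python
import hashlib
import os
import struct

# Constructed stand-in for the RADIUS/PAP link of section 4.2.2 (RFC 2865):
# IFS (NAS-IP-Address 10.4.0.198) is the RADIUS client, IDENTIKEY Authentication
# Server (10.4.0.13:1812) the server. Nothing here talks to a real server.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str = "10.4.0.198") -> bytes:
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, pap_hide(password.encode(), secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs


def serve(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide the PAP password, decide, and authenticate the reply with the secret."""
    attrs = parse_attrs(request)
    pwd = pap_reveal(attrs[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == pwd else ACCESS_REJECT
    head = struct.pack("!BBH", code, request[1], 20)  # no reply attributes
    return head + hashlib.md5(head + request[4:20] + secret).digest()


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]
```

A reply that fails response_is_authentic must be discarded; with PAP the secret is also all that protects the password in transit, so keep it long and random.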

4.3 Additional authentication methods

4.3.1 MYDIGIPASS.com

To illustrate adding an OAuth provider, MYDIGIPASS.com's sandbox environment is used as an example. If you do not have a MYDIGIPASS developer account, you can create one for free at https://developer.mydigipass.com/.

Log into your MYDIGIPASS.com developer account and go to Sandbox. Click on Connect your test site.

  Identifier: IFS_vasco (this must be a unique identifier)
  Name: Vasco Federated Login
  Redirect uri: https://<ifs-host>/ifs/sso/oauth (in our application: https://ifs.labs.vasco.com/ifs/sso/oauth)

Click on Create application. Go to Sandbox and click on your newly generated test site. Take note of the client_id and the client_secret.

Log into your IDENTIKEY Federation Server's management web console and go to Federated authentication, Manage OAuth providers.

Check Enabled for MYDIGIPASS.COM (Sandbox), fill in the client_id and the client_secret of your OAuth provider, and click Save.

5 Test SimpleSAMLphp connection

5.1 IDENTIKEY Federation Server

5.1.1 Response only

To test whether SimpleSAMLphp and the IDENTIKEY Federation Server are both configured correctly, open a browser, navigate to http://webhost/simplesaml/module.php/core/authenticate.php and select openaselect. You will then be asked to select the Identity Provider; in our example this is Labs. Now you are redirected to the login page on the IDENTIKEY Federation Server, using the authentication method selected in the application.

  Username: Demo (this is the user we added in 4.2.2.2 Creating a demo user)
  Password: One Time Password (this is an OTP received from the device assigned to the user in 4.2.2.3 Attaching a DIGIPASS)

Once you have entered your login data, you are redirected to the SimpleSAMLphp page showing information about your user (if the information is set in the attributes; see the administrator guide).

5.1.2 Challenge response and Backup Virtual DIGIPASS

The IDENTIKEY Federation Server version 1.2 does not yet support challenge response and Backup Virtual DIGIPASS.

6 Attachments

6.1 Authsources

The authsource to add to config/authsources.php (the openaselect entry referred to in 3.3.1 and 3.3.3):

    'openaselect' => array(
        'saml:sp',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityid' => NULL,

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => NULL,

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discourl' => NULL,

        // Signing certificate and private key, relative to <simplesamlphp-install-folder>/cert/.
        // Replace the defaults with the files generated in 3.3.3 (labs.crt / labs.pem).
        'certificate' => 'server.crt',
        'privatekey' => 'server.pem',
        'redirect.sign' => TRUE,
        'redirect.validate' => FALSE,

        //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        //'NameIDPolicy' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
        //'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
        'NameIDPolicy' => NULL,

        'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
        //'AuthnContextClassRef' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified',
        //WORKING: 'IsPassive' => TRUE,
    ),