INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document. Copyright Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners. 1 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Table of Contents 1 Overview... 4 1.1 Architecture... 4 1.2 Two factor authentication... 4 2 Components... 5 2.1 Salesforce... 5 2.2 VASCO... 5 2.2.1 IDENTIKEY Federation Server... 5 2.2.2 IDENTIKEY Authentication Server... 5 3 Configuration... 6 3.1 Architecture... 6 3.2 Pre-requisites... 6 3.3 Salesforce... 6 3.3.1 Add a Salesforce domain... 6 3.3.2 Federated Single Sign-On using SAML... 7 3.3.3 Export metadata... 8 3.4 IDENTIKEY Federation Server Application... 8 3.5 Adding users... 8 4 Basic IDENTIKEY Federation Setup... 9 4.1 Setup... 9 4.2 Back-ends... 9 4.2.1 LDAP... 9 4.2.2 IDENTIKEY Authentication Server... 10 4.2.2.1 IDENTIKEY Authentication Server Client... 10 4.2.2.2 Creating a demo user... 11 4.2.2.3 Attaching a DIGIPASS... 11 4.3 Additional authentication methods... 12 2 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
4.3.1 MYDIGIPASS.com... 12 5 Enforcing login using your domain... 14 6 Test Salesforce login... 15 6.1 IDENTIKEY Federation Server... 15 6.1.1 Response only... 15 6.1.2 Challenge response and Backup Virtual DIGIPASS... 16 3 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
1 Overview This setup was created in our LABS environment and can be tested on http://labs.vasco.com. 1.1 Architecture IFS Ifs.labs.vasco.com OAuth MyDIGIPASS.com RADIUS SAML LDAP IDENTIKEY Server Salesforce 1.2 Two factor authentication Active Directory Many organizations still rely on a username and password to protect their data or external access. However passwords are often very simple and very easy guessed, cracked or even stolen. Once it is compromised it can take quite a lot of time before anyone notices that it has been compromised. Recently a lot of services are being moved to the cloud where anyone can access the service from anywhere. This means that the users are often accessing it from outside the safe network, making protecting your password even more important and harder. Two factor authentication of VASCO Data Security will add an additional factor, called DIGIPASS, to your password. The DIGIPASS will generate a One Time Password, or OTP, which you can use in combination with your password. This means that people will need a specific device and password if they want to gain access. Imagine if the device were to be stolen, this will be noticed quickly and that way access using that device can be denied, stopping any attacker quickly. With this in mind you can secure your Salesforce accounts, granting you the freedom of Salesforce with the hardened security of two factor authentication. 4 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
2 Components 2.1 Salesforce Salesforce.com is the enterprise cloud computing leader. The social and mobile cloud technologies including our flagship sales and CRM applications help companies connect with customers, partners, and employees in entirely new ways. 2.2 VASCO 2.2.1 IDENTIKEY Federation Server IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user s identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity. IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server does not only delegate but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure. 2.2.2 IDENTIKEY Authentication Server IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems. IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar. 5 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
3 Configuration 3.1 Architecture IFS Ifs.labs.vasco.com 10.4.0.198 SAML Salesforce 3.2 Pre-requisites To complete this integration you will require a developer account on Salesforce.com. This is free and easy to set up. 3.3 Salesforce 3.3.1 Add a Salesforce domain To be able to use Single Sign-On with Salesforce, you need to create a domain on Salesforce that is connected to your Single Sign-On settings. Without this domain users will still have to log in using their username and password on Salesforce.com. Go to your developer account on Salesforce then navigate to Administration Setup, Domain Management, Domains. On this page enter a name (example: labs-vasco-com) and check the availability. If it is available Check the Terms and Conditions and continue. Now you must wait until the domain is ready to use (this may take from 24 to 72 hours). 6 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Once the domain is ready to use, navigate to the URL and immediately you will be redirected to the IDENTIKEY Federation Server s login page (example: https://labs-vasco-com-deved.my.salesforce.com). To continue you click Deploy to Users. With the domain deployed, 3.3.2 Federated Single Sign-On using SAML Begin by logging into your developer account on Salesforce. If you don t have such an account yet, you can create one for free on http://developer.force.com/. When you re logged in navigate to Administration Setup, Security Controls, Single Sign-On Settings and click on New. Name: IFS API Name: IFS Issuer: Identity provider name (in our example: labs-be-ifs) Upload the certificate of your IDENTIKEY Federation Server Entity ID: https://saml.salesforce.com Login URL https://<ifs-host>/ifs/profiles/saml2/sso/web (in our example: https://ifs.labs.vasco.com/ifs/profiles/saml2/sso/web) Logout URL https://<ifs-host>/ifs/sso/user/logout (in our example: https://ifs.labs.vasco.com/ifs/sso/user/logout) SAML User ID type: Assertion contains the Federation ID from the User object SAML User ID Location: User ID is in the NameIdentifier element of the Subject statement Entity ID: https://saml.salesforce.com Service Provider Initiated Request Binding: HTTP POST 7 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Click Save The issuer is the name of the server that will send the SAML assertions. If you do not know this, you can log into the management web console of your IDENTIKEY Federation Server and go to System, System information to look it up. When you wish to use multiple Salesforce domains with one IDENTIKEY Federation Server, you will have to change entity id to https://<salesforce-domain> (in our example: https://labs-vasco-com-dev-ed.my.salesforce.com). 3.3.3 Export metadata Next, still on the Single Sign-On Settings page, click Download Metadata. Save it and then the configuration at the Salesforce side is done. 3.4 IDENTIKEY Federation Server Application Go to the management console of your IDENTIKEY Federation Server and navigate to Applications, Add Application. Application type: Salesforce Select an authentication profile Select distribution method: Upload metadata file Metadata file: (See Export metadata) Click Save Having completed this, the basic configuration is done. 3.5 Adding users Go to your developer account on Salesforce then navigate to Administration Setup, Manage Users, Users. Click on New User. Fill in all the data with a red line in front of it. Once all of that information is filled in, fill in the Federation ID. This can be found under the Single Sign On Information. Fill in the email address used on the IDENTIKEY Federation Server and click Save. 8 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
4 Basic IDENTIKEY Federation Setup 4.1 Setup IFS Ifs.labs.vasco.com 10.4.0.198 OAuth MYDIGIPASS.com RADIUS SAML LDAP IDENTIKEY Server 10.4.0.13 Salesforce 4.2 Back-ends 4.2.1 LDAP Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, LDAP. Active Directory 10.4.0.10 LDAP URL: ldap://10.4.0.10:389 DN base: DC=labs,DC=vasco,DC=com DN user field: CN Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com Security principal password: <administrator password> 9 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Check Allow user attribute gathering Click Save By clicking on Test Connection you can verify if the data you set is correct. 4.2.2 IDENTIKEY Authentication Server Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, Manage methods. Edit DIGIPASS authentication. Friendly name: DIGIPASS authentication Maximum retries: 3 Method: PAP Server address: 10.4.0.13 Server port: 1812 NAS-IP-Address: 10.4.0.198 Shared secret: <RADIUS secret> (can be chosen) Click Save 4.2.2.1 IDENTIKEY Authentication Server Client Log into your IDENTIKEY Authentication Server and go to Clients, Register. Client Type : select Radius Client from select from list Location : 10.4.0.198 Policy ID : Select a policy Protocol ID: RADIUS Shared Secret: <RADIUS secret> 10 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Confirm Shared Secret: reenter the <RADIUS secret> Click Create Make sure that the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server. 4.2.2.2 Creating a demo user The user created in the IDENTIKEY Authentication Server has to exist in the Active Directory. Log into your IDENTIKEY Authentication Server and go to Users, Create. User ID: <your-user> (in our setup: Demo) Domain: <your-domain> (in our setup: labs.vasco.com) Organizational unit: <your-ou> (OPTIONAL, in our setup: WEB Users) Enter static password: <your-password> Confirm static password: <your-password> Local Authentication: Default Back-end Authentication: Default Click on Create You have now added a user in your IDENTIKEY Authentication Server. 4.2.2.3 Attaching a DIGIPASS Log into your IDENTIKEY Authentication Server and type the name of a user in the FIND field then click SEARCH. Click on the User ID and navigate to Assigned DIGIPASS. 11 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Click on ASSIGN. Click NEXT. Click ASSIGN. Click FINISH. With the DIGIPASS assigned, the user is now ready for testing. 4.3 Additional authentication methods 4.3.1 MYDIGIPASS.com To illustrate adding an OAuth provider, MYDIGIPASS.com s sandbox environment will be used as example. If you do not have a MYDIGIPASS developer account, you can create one for free on https://developer.mydigipass.com/. Log into your MYDIGIPASS.com developer account and go to Sandbox. 12 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Click on Connect your test site. Identifier: IFS_vasco (this must be a unique identifier) Name: Vasco Federated Login Redirect uri: https://<ifs-host>/ifs/sso/oauth (in our application: https://ifs.labs.vasco.com/ifs/sso/oauth) Click on Create application Go to Sandbox and click on your newly generated test site. Take note of the client_id and the client_secret. Log into your IDENTIKEY Federation Server s management web console and go to Federated authentication, Manage OAuth providers. Check Enabled for MYDIGIPASS.COM (Sandbox) Fill in the client_id of your OAuth provider Fill in the client_secret of your OAuth provider Click Save 13 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
5 Enforcing login using your domain Make sure that you have created your admin account in the selected back-end, once you have enabled this you can only log in using the IDENTIKEY Federation Server. If you have locked yourself out of the administrator account on Salesforce, click on the Forgot password link on the login page and you will receive an email to confirm. Follow the steps in the email and you will get logged into your Salesforce administrator account. Users are still not enforced to login using your domain, they can still login using https://login.salesforce.com. To enforce using IDENTIKEY Federation Server, navigate to Administration Setup, Domain Management, Domains. Under Logo Page Branding click Edit. Decheck Login Page Check IFS Selecting My SAML IDP will tell the Salesforce.com configuration that users logging in using the domain will be logged in according to the Single Sign-On settings. Now when users try to login using https://login.salesforce.com it will give an error for their account. 14 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
Login using your domain on Salesforce will be the only accepted login from now on. 6 Test Salesforce login 6.1 IDENTIKEY Federation Server 6.1.1 Response only Navigate to the domain for your Salesforce account. Now you are redirected to the login page on the IDENTIKEY Federation Server using the authentication method selected in the application. Username: Demo (this is the user we added in 4.2.2.2 Creating a demo user) Password: One Time Password (this is an OTP received from the device assigned to the user in 4.2.2.3 Attaching a DIGIPASS) Once logged in you will be redirected to your Salesforce account. 15 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
6.1.2 Challenge response and Backup Virtual DIGIPASS The IDENTIKEY Federation Server version 1.2 does not yet support challenge response and Backup Virtual DIGIPASS. 16 DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server