INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

1 Overview ... 4
  1.1 Architecture ... 4
  1.2 Two factor authentication ... 4
2 Components ... 5
  2.1 Salesforce ... 5
  2.2 VASCO ... 5
    2.2.1 IDENTIKEY Federation Server ... 5
    2.2.2 IDENTIKEY Authentication Server ... 5
3 Configuration ... 6
  3.1 Architecture ... 6
  3.2 Pre-requisites ... 6
  3.3 Salesforce ... 6
    3.3.1 Add a Salesforce domain ... 6
    3.3.2 Federated Single Sign-On using SAML ... 7
    3.3.3 Export metadata ... 8
  3.4 IDENTIKEY Federation Server Application ... 8
  3.5 Adding users ... 8
4 Basic IDENTIKEY Federation Setup ... 9
  4.1 Setup ... 9
  4.2 Back-ends ... 9
    4.2.1 LDAP ... 9
    4.2.2 IDENTIKEY Authentication Server ... 10
      4.2.2.1 IDENTIKEY Authentication Server Client ... 10
      4.2.2.2 Creating a demo user ... 11
      4.2.2.3 Attaching a DIGIPASS ... 11
  4.3 Additional authentication methods ... 12
    4.3.1 MYDIGIPASS.com ... 12
5 Enforcing login using your domain ... 14
6 Test Salesforce login ... 15
  6.1 IDENTIKEY Federation Server ... 15
    6.1.1 Response only ... 15
    6.1.2 Challenge response and Backup Virtual DIGIPASS ... 16

1 Overview

This setup was created in our LABS environment and can be tested on http://labs.vasco.com.

1.1 Architecture

[Architecture diagram: IFS (ifs.labs.vasco.com) connected to MyDIGIPASS.com over OAuth, to IDENTIKEY Server over RADIUS, to Salesforce over SAML and to Active Directory over LDAP]

1.2 Two factor authentication

Many organizations still rely on a username and password to protect their data or external access. However, passwords are often very simple and easily guessed, cracked or even stolen, and once a password is compromised it can take a long time before anyone notices. Recently many services are being moved to the cloud, where anyone can access the service from anywhere. This means that users often access it from outside the safe network, which makes protecting the password both more important and harder.

Two factor authentication from VASCO Data Security adds an additional factor, called DIGIPASS, to your password. The DIGIPASS generates a One Time Password, or OTP, which is used in combination with your password, so that gaining access requires both a specific device and the password. If the device is stolen, this is noticed quickly and access using that device can be denied, stopping an attacker quickly. With this in mind you can secure your Salesforce accounts, combining the freedom of Salesforce with the hardened security of two factor authentication.

2 Components

2.1 Salesforce

Salesforce.com is the enterprise cloud computing leader. The social and mobile cloud technologies including our flagship sales and CRM applications help companies connect with customers, partners, and employees in entirely new ways.

2.2 VASCO

2.2.1 IDENTIKEY Federation Server

IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user's identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity.

IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server does not only delegate but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure.

2.2.2 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems.

IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar.

3 Configuration

3.1 Architecture

[Architecture diagram: IFS (ifs.labs.vasco.com, 10.4.0.198) connected to Salesforce over SAML]

3.2 Pre-requisites

To complete this integration you will require a developer account on Salesforce.com. This is free and easy to set up.

3.3 Salesforce

3.3.1 Add a Salesforce domain

To be able to use Single Sign-On with Salesforce, you need to create a domain on Salesforce that is connected to your Single Sign-On settings. Without this domain, users will still have to log in using their username and password on Salesforce.com.

Go to your developer account on Salesforce, then navigate to Administration Setup, Domain Management, Domains. On this page enter a name (example: labs-vasco-com) and check its availability. If it is available, check the Terms and Conditions and continue. Now you must wait until the domain is ready to use (this may take from 24 to 72 hours).

Once the domain is ready to use, navigate to its URL (example: https://labs-vasco-com-deved.my.salesforce.com); you will immediately be redirected to the IDENTIKEY Federation Server's login page. To continue, click Deploy to Users. With the domain deployed,

3.3.2 Federated Single Sign-On using SAML

Begin by logging into your developer account on Salesforce. If you don't have such an account yet, you can create one for free on http://developer.force.com/. When you're logged in, navigate to Administration Setup, Security Controls, Single Sign-On Settings and click on New.

Name: IFS
API Name: IFS
Issuer: Identity provider name (in our example: labs-be-ifs)
Upload the certificate of your IDENTIKEY Federation Server
Entity ID: https://saml.salesforce.com
Login URL: https://<ifs-host>/ifs/profiles/saml2/sso/web (in our example: https://ifs.labs.vasco.com/ifs/profiles/saml2/sso/web)
Logout URL: https://<ifs-host>/ifs/sso/user/logout (in our example: https://ifs.labs.vasco.com/ifs/sso/user/logout)
SAML User ID type: Assertion contains the Federation ID from the User object
SAML User ID Location: User ID is in the NameIdentifier element of the Subject statement
Service Provider Initiated Request Binding: HTTP POST

Click Save.

The issuer is the name of the server that will send the SAML assertions. If you do not know this, you can log into the management web console of your IDENTIKEY Federation Server and go to System, System information to look it up.

When you wish to use multiple Salesforce domains with one IDENTIKEY Federation Server, you will have to change the Entity ID to https://<salesforce-domain> (in our example: https://labs-vasco-com-dev-ed.my.salesforce.com).

3.3.3 Export metadata

Next, still on the Single Sign-On Settings page, click Download Metadata. Save the file; the configuration on the Salesforce side is now done.

3.4 IDENTIKEY Federation Server Application

Go to the management console of your IDENTIKEY Federation Server and navigate to Applications, Add Application.

Application type: Salesforce
Authentication profile: select one
Distribution method: Upload metadata file
Metadata file: the file saved in 3.3.3 Export metadata

Click Save. Having completed this, the basic configuration is done.

3.5 Adding users

Go to your developer account on Salesforce, then navigate to Administration Setup, Manage Users, Users. Click on New User and fill in all the fields marked with a red line. Then fill in the Federation ID, found under Single Sign On Information: enter the email address used on the IDENTIKEY Federation Server, and click Save.
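To show how the Single Sign-On settings in 3.3.2 and the Federation ID in 3.5 fit together, here is an added Python example (not part of this guide or of VASCO's software) that checks a constructed, unsigned SAML response against the configured Issuer, the Entity ID used as audience and a user table keyed by Federation ID. The user table, the Salesforce username, the timestamps and the helper names are assumptions; verification of the XML signature with the uploaded IFS certificate is assumed to have happened before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from section 3.3.2 of the guide (lab setup).
EXPECTED_ISSUER = "labs-be-ifs"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"   # the configured Entity ID
# Constructed user table: Federation ID (the e-mail known to IFS) -> Salesforce username.
USERS = {"demo@labs.vasco.com": "demo@labs-vasco-com.dev"}

def constructed_response(issuer, audience, name_id, not_before, not_on_or_after):
    # Minimal unsigned sample for illustration; a real response carries an XML Signature
    # that Salesforce verifies with the uploaded IFS certificate before anything below runs.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, expected_issuer=EXPECTED_ISSUER,
                   expected_audience=EXPECTED_AUDIENCE, users=USERS):
    # Returns (salesforce_username or None, list of problems); an empty list means accept.
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match configured issuer {expected_issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:   # must equal the Entity ID (per domain when using several)
            problems.append(f"audience {audiences} does not include Entity ID {expected_audience!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id not in users:   # NameID carries the Federation ID set in 3.5
        problems.append(f"no Salesforce user has Federation ID {name_id!r}")
        return None, problems
    return (users[name_id] if not problems else None), problems
```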

4 Basic IDENTIKEY Federation Setup

4.1 Setup

[Setup diagram: IFS (ifs.labs.vasco.com, 10.4.0.198) connected to MYDIGIPASS.com over OAuth, to IDENTIKEY Server (10.4.0.13) over RADIUS, to Salesforce over SAML and to Active Directory (10.4.0.10) over LDAP]

4.2 Back-ends

4.2.1 LDAP

Log into IDENTIKEY Federation Server's management web console and navigate to Authentication, LDAP.

LDAP URL: ldap://10.4.0.10:389
DN base: DC=labs,DC=vasco,DC=com
DN user field: CN
Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com
Security principal password: <administrator password>

Check Allow user attribute gathering and click Save. By clicking on Test Connection you can verify that the data you entered is correct.

4.2.2 IDENTIKEY Authentication Server

Log into IDENTIKEY Federation Server's management web console and navigate to Authentication, Manage methods. Edit DIGIPASS authentication.

Friendly name: DIGIPASS authentication
Maximum retries: 3
Method: PAP
Server address: 10.4.0.13
Server port: 1812
NAS-IP-Address: 10.4.0.198
Shared secret: <RADIUS secret> (can be chosen)

Click Save.

4.2.2.1 IDENTIKEY Authentication Server Client

Log into your IDENTIKEY Authentication Server and go to Clients, Register.

Client Type: select Radius Client from the list
Location: 10.4.0.198
Policy ID: select a policy
Protocol ID: RADIUS
Shared Secret: <RADIUS secret>

Confirm Shared Secret: re-enter the <RADIUS secret>

Click Create. Make sure that the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server.

4.2.2.2 Creating a demo user

The user created in the IDENTIKEY Authentication Server has to exist in the Active Directory. Log into your IDENTIKEY Authentication Server and go to Users, Create.

User ID: <your-user> (in our setup: Demo)
Domain: <your-domain> (in our setup: labs.vasco.com)
Organizational unit: <your-ou> (optional, in our setup: WEB Users)
Enter static password: <your-password>
Confirm static password: <your-password>
Local Authentication: Default
Back-end Authentication: Default

Click on Create. You have now added a user in your IDENTIKEY Authentication Server.

4.2.2.3 Attaching a DIGIPASS

Log into your IDENTIKEY Authentication Server and type the name of a user in the FIND field, then click SEARCH. Click on the User ID and navigate to Assigned DIGIPASS.

Click on ASSIGN, then NEXT, then ASSIGN, then FINISH. With the DIGIPASS assigned, the user is now ready for testing.

4.3 Additional authentication methods

4.3.1 MYDIGIPASS.com

To illustrate adding an OAuth provider, the MYDIGIPASS.com sandbox environment will be used as an example. If you do not have a MYDIGIPASS developer account, you can create one for free on https://developer.mydigipass.com/. Log into your MYDIGIPASS.com developer account and go to Sandbox.

Click on Connect your test site.

Identifier: IFS_vasco (this must be a unique identifier)
Name: Vasco Federated Login
Redirect uri: https://<ifs-host>/ifs/sso/oauth (in our application: https://ifs.labs.vasco.com/ifs/sso/oauth)

Click on Create application. Go to Sandbox and click on your newly generated test site. Take note of the client_id and the client_secret.

Log into your IDENTIKEY Federation Server's management web console and go to Federated authentication, Manage OAuth providers.

Check Enabled for MYDIGIPASS.COM (Sandbox)
Fill in the client_id of your OAuth provider
Fill in the client_secret of your OAuth provider

Click Save.
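As an added example, not taken from this guide or from VASCO's software, the following Python code builds and parses the PAP Access-Request that section 4.2.2 configures between the Federation Server (NAS-IP-Address 10.4.0.198) and IDENTIKEY Authentication Server (10.4.0.13:1812); the shared secret, the user Demo and the OTP value are placeholders. It shows why the <RADIUS secret> must match on both servers: the OTP travels in User-Password, hidden with MD5 of the secret, so a mismatch makes it undecodable on the server side.

```python
import hashlib
import os
import socket
import struct

# Lab values from section 4.2.2 of the guide; the shared secret is a placeholder and
# must be identical on IDENTIKEY Federation Server and IDENTIKEY Authentication Server.
NAS_IP = "10.4.0.198"                      # NAS-IP-Address sent by the Federation Server
SHARED_SECRET = b"<RADIUS secret>"
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block), the first block using the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res  # the ciphertext block chains in both directions
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    pad = -len(password) % 16 if password else 16  # an empty password still sends one block
    return xor_chain(password + b"\x00" * pad, secret, authenticator)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value  # type, length, value

def build_access_request(username: str, otp: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    # PAP Access-Request as the Federation Server would send it; the OTP travels in
    # User-Password, hidden with the shared secret and a fresh random authenticator.
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    # What the authentication server recovers; with a mismatched secret the
    # User-Password decodes to garbage, so the OTP check can never succeed.
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, fields, pos = packet[4:20], {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            fields["username"] = value.decode()
        elif atype == ATTR_USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator)
        elif atype == ATTR_NAS_IP_ADDRESS:
            fields["nas_ip"] = socket.inet_ntoa(value)
        pos += alen
    return fields
```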

5 Enforcing login using your domain

Make sure that you have created your admin account in the selected back-end: once you have enabled this, you can only log in using the IDENTIKEY Federation Server. If you have locked yourself out of the administrator account on Salesforce, click on the Forgot password link on the login page and you will receive a confirmation email. Follow the steps in the email and you will be logged into your Salesforce administrator account.

Users are still not forced to log in using your domain; they can still log in using https://login.salesforce.com. To enforce the use of IDENTIKEY Federation Server, navigate to Administration Setup, Domain Management, Domains. Under Login Page Branding click Edit.

Uncheck Login Page
Check IFS

Selecting My SAML IDP tells the Salesforce.com configuration that users logging in using the domain will be logged in according to the Single Sign-On settings. Now when users try to log in using https://login.salesforce.com they will get an error for their account.

Login using your domain on Salesforce will be the only accepted login from now on.

6 Test Salesforce login

6.1 IDENTIKEY Federation Server

6.1.1 Response only

Navigate to the domain for your Salesforce account. You are redirected to the login page on the IDENTIKEY Federation Server, using the authentication method selected in the application.

Username: Demo (this is the user we added in 4.2.2.2 Creating a demo user)
Password: One Time Password (this is an OTP received from the device assigned to the user in 4.2.2.3 Attaching a DIGIPASS)

Once logged in you will be redirected to your Salesforce account.

6.1.2 Challenge response and Backup Virtual DIGIPASS

IDENTIKEY Federation Server version 1.2 does not yet support challenge response or Backup Virtual DIGIPASS.