Getting Started with Clearlogin A Guide for Administrators V1.01




Clearlogin makes secure access to the cloud easy for users, administrators, and developers. This guide explains the functionality and the configuration details needed to get started with Clearlogin. It focuses on integration with Google Apps; guides for other integrations are available upon request. Clearlogin enables users to authenticate to Google Apps using credentials stored on either OpenLDAP or Active Directory.

Clearlogin Configuration and Administration

The Admin Dashboard is used to configure Clearlogin and can be reached by navigating to https://admin.clearlogin.com. Enter the domain name that is licensed for use with Clearlogin. This is most likely the same domain name as your email address.

Clearlogin Configuration Steps

Setting up Clearlogin is a three-step process:

1. Configure your identity provider
2. Configure Clearlogin for use with Google Apps
3. Configure Google Apps for use with Clearlogin

Configuring Your Identity Provider

The following sections take you through the steps required to configure your identity provider for use with Clearlogin. Once your identity provider has been configured, you are ready to configure Clearlogin for use with Google Apps.

Firewall Requirements

Before configuring and onboarding users into the Clearlogin application, the firewall protecting the LDAP endpoint must be configured to allow traffic originating from Clearlogin IPs and destined for either TCP port 389 (LDAP) or 636 (LDAPS) on the LDAP endpoint(s).

* As a best practice, it is recommended to use LDAPS when possible.

The following is a list of IP addresses that requests can originate from:

54.209.59.53
54.84.156.93
54.86.39.216
54.210.149.165
54.187.95.53
54.187.96.193

* Please note that to ensure availability of service, all IPs on the above list must have access to the LDAP endpoint.

Configuring and Testing LDAP Servers

To configure LDAP servers, navigate to the Settings menu and select LDAP Servers, or use the direct link (https://admin.clearlogin.com/ldap_servers).

To add a new LDAP server, click the Add New LDAP Server link. Please refer to http://wiki.zimbra.com/wiki/ldap_authentication for more information on configuring LDAP authentication, specifically Search Filter and Search Base.

The Search Base can be set high enough to traverse the entire directory. Alternatively, if all users are in a specific OU, the base can be narrowed.

The most common Search Filter values are:

(samaccountname={username})
(mail={username}@customer_domain.com), changing customer_domain.com to the real value

The Testing section tests both the bind and user lookup operations.

Multiple LDAP server configurations are supported and highly recommended. The configuration and testing procedures for a multi-LDAP server configuration are nearly identical to those for a single LDAP server. If a Google Apps domain leverages the multi-domain feature of Clearlogin, then the Search Filter must compare against the user's email attribute, because samaccountname may not be unique across multiple LDAP servers.

Other Actions

Disable Server - An LDAP server can be manually disabled (not deleted) by clicking the Disable button on the main LDAP list.
Enable Server - An LDAP server can be brought back into rotation by clicking the Enable button on the main LDAP list.

The Enable / Disable LDAP actions are most commonly used when performing maintenance on an LDAP server or when an LDAP server is experiencing service impairment.

Active Directory

The Clearlogin application requires customers using Active Directory to provide an ID that can bind to the AD target with search and execute rights.

Configuring Clearlogin for use with Google Apps

Navigate to the Google Apps settings page under Settings, or use the direct link (https://admin.clearlogin.com/domain/gapps).

Password Sync

The Password Sync feature pushes a user's Active Directory password into Google Apps, allowing native mobile apps and authentication routines that don't support SSO to use the same sign-on credentials.

To enable Password Sync, you first need to enable API access in your Google Apps Administration Console:

1. Click Security > API reference
2. Check the box that says Enable API access

Once API access is enabled, return to your Clearlogin application:

1. Click Settings > Google Apps
2. Check the box next to Password Update
3. Click Save Changes

Groups and Policies

Groups provide context to one or more users and allow policies to be easily applied across all members of a group. For example, a company can create a designated group that contains only call center employees, allowing administrators to apply a policy to the entire "Call Center" group.

Configuring Groups

To configure user groups, navigate to the Settings menu and select Manage Groups, or use the direct link (https://admin.clearlogin.com/groups). By default, the list contains a group labeled Default with a search filter that matches all user accounts. Search filters can be configured to check LDAP group membership by entering an LDAP search filter that queries against the user's DN.

The group membership feature applies policies to users that match the search filter. In the example above, the default group will match all users due to the * query. IP Rules can be added here, or alternatively they can be added on the IP Rules page of the dashboard.

If a user matches multiple groups, the policies applied are additive.

Example

Group 1
    IP Whitelist Policy 1
    IP Whitelist Policy 2
Group 2
    IP Whitelist Policy 3
    IP Whitelist Policy 4

If a user matches the search filter for both Group 1 and Group 2, they will be allowed to log in from any location that is allowed by IP whitelist policies 1, 2, 3 or 4.

Access Policies

To configure Access Policies, navigate to the Access Policies page under the Security menu, or use the direct link (https://admin.clearlogin.com/access_policies).

Access Policies determine whether access should be allowed and whether multi-factor authentication is required for the user logging in. For example, a company has a call center and only permits call center employees to log into their required applications. The first step of this process is to create an Access Policy to Allow Access for call center employees who are located on the physical call center premises. There may be a second group of call center managers that have access to applications with secure information and require multi-factor authentication (MFA). A policy can be created to allow access and require multi-factor authentication (MFA).

Multi-Factor Authentication (MFA)

Multi-Factor Authentication requires users to enter a Clearlogin token in addition to a username and password. As mentioned above, Multi-Factor Authentication (MFA) is enabled in the Access Policies.

Clearlogin MFA tokens are provided by Authy, an industry-leading authentication platform that simplifies multi-factor authentication for the end user. Authy can be downloaded via your device's App store. Once Authy is installed and registered with your mobile phone number, you will be able to generate Clearlogin tokens.

A Getting Started with Clearlogin Multi Factor Authentication User's Guide, containing additional details on how the end-user multi-factor authentication process works, is available upon request.

Configuring IP Rules

To configure IP Rules, navigate to the IP Rules page under the Security menu, or use the direct link (https://admin.clearlogin.com/ip_rules).

IP Rules use CIDR notation (http://en.wikipedia.org/wiki/classless_inter-domain_routing) to create an access control list. When logging in, a user's source IP address is matched against the IP Rules of the user's group, and login access is allowed or denied accordingly. By default, accounts have an IP Rule assigned to the default group allowing users to log in from any source IP address.

To add a new IP Rule, use the Add New IP Rule button.

To add a new IP Rule, the administrator will need to know the source IP address (or IP range) and the group(s) that the rule should be assigned to. The administrator creates and assigns the rule to the appropriate group(s) in a single step. A default name is provided for each rule created, or the rule can optionally be given a custom label.

A CIDR address contains two major components:

The IP address - ex: 45.28.60.18
The number of bits in the routing prefix - ex: 32

The number of bits in the routing prefix translates to a subnet mask, which dictates how many bits of the 32-bit IP address are required to match for the user to be allowed to log in. In the following examples:

45.28.60.18/32 - All 32 bits must match, meaning the user must be coming from this specific IP address.
45.28.60.18/24 - The first 24 bits must match, meaning that any address in the range 45.28.60.x matches the rule.
45.28.60.18/16 - The first 16 bits must match, meaning that any address in the range 45.28.x.x matches the rule.
45.28.60.18/0 - None of the bits need to match, and the user can come from any IP address. In this case the IP address that is specified is irrelevant, since it is not being matched against the IP Rule. However, a rule to allow a user from any IP address is generally written as 0.0.0.0/0 to provide clarity and avoid confusion.
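The prefix matching and the additive group behaviour described above can be checked offline before rules are entered in the dashboard. The following is an added example, not Clearlogin code: the group names, the rule set and the function names are constructed for illustration, and it assumes evaluation is a plain union of the rules of every group the user matches.

```python
import ipaddress

# Constructed sample data: group name -> CIDR rules assigned to that group.
GROUP_RULES = {
    "Default": ["0.0.0.0/0"],            # allow-any rule on the Default group
    "Call Center": ["45.28.60.0/24"],
    "Managers": ["45.28.60.18/32", "10.20.0.0/16"],
}

def parse_rule(cidr):
    """strict=False accepts rules written with host bits set (45.28.60.18/24)."""
    return ipaddress.ip_network(cidr, strict=False)

def login_allowed(source_ip, user_groups, group_rules):
    """Additive evaluation: one matching rule in any matched group admits the login."""
    addr = ipaddress.ip_address(source_ip)
    for group in user_groups:
        for cidr in group_rules.get(group, []):
            if addr in parse_rule(cidr):
                return True, (group, cidr)
    return False, None

def shadowed_rules(user_groups, group_rules):
    """List rules that restrict nothing because a broader rule in the user's
    combined rule set already covers them: (group, rule, wider_group, wider_rule)."""
    rules = [(g, c, parse_rule(c)) for g in user_groups
             for c in group_rules.get(g, [])]
    found = []
    for g, c, net in rules:
        for g2, c2, wider in rules:
            if (net.version == wider.version and net != wider
                    and net.subnet_of(wider)):
                found.append((g, c, g2, c2))
    return found

if __name__ == "__main__":
    # A call center user who also matches Default is admitted from anywhere.
    print(login_allowed("8.8.8.8", ["Default", "Call Center"], GROUP_RULES))
    print(login_allowed("8.8.8.8", ["Call Center"], GROUP_RULES))
    for hit in shadowed_rules(["Default", "Call Center"], GROUP_RULES):
        print("rule %s/%s is covered by %s/%s" % hit)
```

Under this model, a narrower rule only restricts logins for users who do not also match a group that still carries an allow-any rule.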

Support

Clearlogin provides 24x7x365 support. Should you need assistance, please visit the Clearlogin Help Center: https://clearlogin.zendesk.com/hc/en-us

Feedback

We're here to make configuring and using Clearlogin as easy and pleasant as possible. We appreciate any feedback you may have. Please feel free to share it with feedback@clearlogin.com