INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Similar documents
INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

INTEGRATION GUIDE. DIGIPASS Authentication for Office 365 using IDENTIKEY Authentication Server with Basic Web Filter

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

OVERVIEW. DIGIPASS Authentication for Office 365

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Citrix NetScaler (with AGEE)

INTEGRATION GUIDE. DIGIPASS Authentication for F5 FirePass

INTEGRATION GUIDE. General Radius Config

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

MIGRATION GUIDE. Authentication Server

DIGIPASS as a Service. Google Apps Integration

DIGIPASS Authentication for Check Point Connectra

INTEGRATION GUIDE. DIGIPASS Authentication for Microsoft Exchange ActiveSync 2007

DIGIPASS Authentication for Cisco ASA 5500 Series

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Check Point FDE integration with Digipass Key devices

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

DIGIPASS Authentication for Check Point Security Gateways

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

DIGIPASS Authentication for GajShield GS Series

Hyper-V Installation Guide. Version 8.0.0

IDENTIKEY Appliance Administrator Guide

Identikey Server Getting Started Guide 3.1

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1

HOTPin Integration Guide: DirectAccess

axsguard Gatekeeper Internet Redundancy How To v1.2

DIGIPASS Authentication for Windows Logon Product Guide 1.1

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

DIGIPASS Authentication for SonicWALL SSL-VPN

Identikey Server Windows Installation Guide 3.1

Internet Redundancy How To. Version 8.0.0

DIGIPASS Authentication for Juniper ScreenOS

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

IDENTIKEY Server Windows Installation Guide 3.2

CA Performance Center

IDENTIKEY Server Windows Installation Guide 3.1

SafeNet Authentication Service

Keeping your VPN protected

Authentication Methods

Security Assertion Markup Language (SAML) Site Manager Setup

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

nexus Hybrid Access Gateway

axsguard Gatekeeper Open VPN How To v1.4

Secure your business DIGIPASS BY VASCO. The world s leading software company specializing in Internet Security

Using Vasco IDENTIKEY Server with NetScaler

IDENTIKEY Server Product Guide

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Strong Authentication for Juniper Networks SSL VPN

Identikey Server Product Guide

CA Nimsoft Service Desk

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

DIGIPASS as a Service. Product Guide

Strong Authentication for Juniper Networks

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Social Application Guide

Copyright

Google Apps Deployment Guide

VERALAB LDAP Configuration Guide

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

How To Use Salesforce Identity Features

Egnyte Single Sign-On (SSO) Installation for OneLogin

Application Note. Intelligent Application Gateway with SA server using AD password and OTP

SafeNet Authentication Service

Security Provider Integration Kerberos Authentication

VMware Identity Manager Administration

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

NetMotion + YubiRADIUS Quick Start Guide

HP Software as a Service. Federated SSO Guide

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

DocuSign Connect for Salesforce Guide

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Strong Authentication for Microsoft SharePoint

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Installation Guide. SafeNet Authentication Service

axsguard Gatekeeper Reverse Proxy How To 1.5

ADFS Integration Guidelines

Security Provider Integration RADIUS Server

BlackShield ID Agent for Remote Web Workplace

Two-Factor Authentication

Defender Token Deployment System Quick Start Guide

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Getting Started with AD/LDAP SSO

Administrator Guide. v 11

Active Directory Self-Service FAQ

How To Configure A Bomgar.Com To Authenticate To A Rdius Server For Multi Factor Authentication

DualShield. for. Microsoft TMG. Implementation Guide. (Version 5.2) Copyright 2011 Deepnet Security Limited

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Identikey Server Administrator Reference 3.1

Transcription:

INTEGRATION GUIDE DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document. Copyright Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners. 1 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Table of Contents 1 Overview... 4 1.1 Architecture... 4 1.2 Two factor authentication... 4 2 Technical Concepts... 5 2.1 Google... 5 2.1.1 Google Apps... 5 2.2 VASCO... 5 2.2.1 IDENTIKEY Federation Server... 5 2.2.2 IDENTIKEY Authentication Server... 5 3 Configuration details... 6 3.1 Architecture... 6 3.2 Pre-requisites... 6 3.3 Google Apps Single Sign-On... 6 3.4 IDENTIKEY Federation Server Attribute gathering... 7 3.5 IDENTIKEY Federation Server Application... 7 3.5.1 Application steps... 7 3.5.2 Application attributes... 7 4 Basic IDENTIKEY Federation Setup... 8 4.1 Setup... 8 4.2 Back-ends... 8 4.2.1 LDAP... 8 4.2.2 IDENTIKEY Authentication Server... 9 4.2.2.1 IDENTIKEY Authentication Server Client... 9 4.2.2.2 Creating a demo user... 10 4.2.2.3 Attaching a DIGIPASS... 11 4.3 Additional authentication methods... 12 2 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

4.3.1 MYDIGIPASS.com... 12 5 Test Google Apps login... 13 5.1 IDENTIKEY Federation Server... 13 5.1.1 Response only... 13 5.1.2 Challenge response and Backup Virtual DIGIPASS... 14 3 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

1 Overview This setup was created in our LABS environment and can be tested on http://labs.vasco.com. 1.1 Architecture IFS Ifs.labs.vasco.com OAuth MyDIGIPASS.com SAML RADIUS LDAP Google Apps IDENTIKEY Server Active Directory 1.2 Two factor authentication Many organizations still rely on a username and password to protect their data or external access. However passwords are often very simple and very easy guessed, cracked or even stolen. Once it is compromised it can take quite a lot of time before anyone notices that it has been compromised. Recently a lot of services are being moved to the cloud where anyone can access the service from anywhere. This means that the users are often accessing it from outside the safe network, making protecting your password even more important and harder. Two factor authentication of VASCO Data Security will add an additional factor, called DIGIPASS, to your password. The DIGIPASS will generate a One Time Password, or OTP, which you can use in combination with your password. This means that people will need a specific device and password if they want to gain access. Imagine if the device were to be stolen, this will be noticed quickly and that way access using that device can be denied, stopping any attacker quickly. With this in mind you can secure your Google Apps accounts, granting you the freedom of Google Apps with the hardened security of two factor authentication. 4 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

2 Technical Concepts 2.1 Google 2.1.1 Google Apps With Google Apps, all your work is automatically saved in the cloud. You ll have access to your email, calendar, documents, and sites and be able to work securely, no matter where you are in the world and what device you're on. For your business, this means every employee and everyone you work with can be productive from anywhere, using any device with an Internet connection. 2.2 VASCO 2.2.1 IDENTIKEY Federation Server IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user s identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity. IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server does not only delegate but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure. 2.2.2 IDENTIKEY Authentication Server IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems. IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar. 5 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

3 Configuration details 3.1 Architecture IFS Ifs.labs.vasco.com SAML Google Apps 3.2 Pre-requisites For the configuration you will need a Google Apps account. 3.3 Google Apps Single Sign-On Log into your Google Apps account and go to Domain Settings, User Settings. Click on Single Sign-on. Check Enable Single Sign-on 6 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Login URL: https://<ifs-host>/ifs/profiles/saml2/sso/web (in our example: https://ifs.labs.vasco.com/ifs/profiles/saml2/sso/web) Logout URL: https://<ifs-host>/ifs/sso/web (in our example: https://ifs.labs.vasco.com/ifs/sso/web) Password URL: https://<ifs-host>/ifs/profiles/saml2/sso/web (in our example: https://ifs.labs.vasco.com/ifs/profiles/saml2/sso/web) Upload the certificate with the public key of your IDENTIKEY Federation Server Click Save The certificate used should be the signing certificate, not the SSL certificate. 3.4 IDENTIKEY Federation Server Attribute gathering Navigate to the IDENTIKEY Federation Server management web console and go to Authentication, LDAP Settings. On this page make sure that the Allow user attribute gathering is checked. 3.5 IDENTIKEY Federation Server Application 3.5.1 Application steps Go to Applications, Add Application. Select Google Apps Select a profile Enter your registered Google Apps Domain (Example: labs.vasco.com) Click Save Authentication profiles are linked to authentication methods, for more information please view the IDENTIKEY Federation Server manual for more information. 3.5.2 Application attributes When the application is created it also creates an attribute release policy by default. This attribute is later needed by Google apps to link your account. If this value is not set the connection between the IDENTIKEY Federation Server and Google apps will fail. The default attribute release policy is shown here: 7 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Attribute Release Policy o mail 4 Basic IDENTIKEY Federation Setup 4.1 Setup IFS Ifs.labs.vasco.com 10.4.0.198 OAuth MyDIGIPASS.com SAML RADIUS LDAP Google Apps IDENTIKEY Server 10.4.0.13 Active Directory 10.4.0.10 4.2 Back-ends 4.2.1 LDAP Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, LDAP. 8 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

LDAP URL: ldap://10.4.0.10:389 DN base: DC=labs,DC=vasco,DC=com DN user field: CN Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com Security principal password: <administrator password> Check Allow user attribute gathering Click Save By clicking on Test Connection you can verify if the data you set is correct. 4.2.2 IDENTIKEY Authentication Server Log into IDENTIKEY Federation Server s management web console and navigate to Authentication, Manage methods. Edit DIGIPASS authentication. Friendly name: DIGIPASS authentication Maximum retries: 3 Method: PAP Server address: 10.4.0.13 Server port: 1812 NAS-IP-Address: 10.4.0.198 Shared secret: <RADIUS secret> (can be chosen) Click Save 4.2.2.1 IDENTIKEY Authentication Server Client Log into your IDENTIKEY Authentication Server and go to Clients, Register. 9 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Client Type : select Radius Client from select from list Location : 10.4.0.198 Policy ID : Select a policy Protocol ID: RADIUS Shared Secret: <RADIUS secret> Confirm Shared Secret: reenter the <RADIUS secret> Click Create Make sure that the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server. 4.2.2.2 Creating a demo user The user created in the IDENTIKEY Authentication Server has to exist in the Active Directory. Log into your IDENTIKEY Authentication Server and go to Users, Create. User ID: <your-user> (in our setup: Demo) Domain: <your-domain> (in our setup: labs.vasco.com) Organizational unit: <your-ou> (OPTIONAL, in our setup: WEB Users) Enter static password: <your-password> Confirm static password: <your-password> Local Authentication: Default Back-end Authentication: Default Click on Create You have now added a user in your IDENTIKEY Authentication Server. 10 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

4.2.2.3 Attaching a DIGIPASS Log into your IDENTIKEY Authentication Server and type the name of a user in the FIND field then click SEARCH. Click on the User ID and navigate to Assigned DIGIPASS. Click on ASSIGN. Click NEXT. 11 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Click ASSIGN. Click FINISH. With the DIGIPASS assigned, the user is now ready for testing. 4.3 Additional authentication methods 4.3.1 MYDIGIPASS.com To illustrate adding an OAuth provider, MYDIGIPASS.com s sandbox environment will be used as example. If you do not have a MYDIGIPASS developer account, you can create one for free on https://developer.mydigipass.com/. Log into your MYDIGIPASS.com developer account and go to Sandbox. Click on Connect your test site. Identifier: IFS_vasco (this must be a unique identifier) Name: Vasco Federated Login 12 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Redirect uri: https://<ifs-host>/ifs/sso/oauth (in our application: https://ifs.labs.vasco.com/ifs/sso/oauth) Click on Create application Go to Sandbox and click on your newly generated test site. Take note of the client_id and the client_secret. Log into your IDENTIKEY Federation Server s management web console and go to Federated authentication, Manage OAuth providers. Check Enabled for MYDIGIPASS.COM (Sandbox) Fill in the client_id of your OAuth provider Fill in the client_secret of your OAuth provider Click Save 5 Test Google Apps login 5.1 IDENTIKEY Federation Server 5.1.1 Response only Open a browser and navigate to http://www.google.com/apps. Click on log in and enter your registered domain. In the example created by VASCO you can not access the Google mail application. You will be redirected to the IDENTIKEY Federation Server which will display a login page for DIGIPASS authentication. 13 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Username: Demo (this is the user we added in 4.2.2.2 Creating a demo user) Password: One Time Password (this is an OTP received from the device assigned to the user in 4.2.2.3 Attaching a DIGIPASS) Once you have logged in you will be redirected to the Google Apps page. 5.1.2 Challenge response and Backup Virtual DIGIPASS The IDENTIKEY Federation Server version 1.2 does not yet support challenge response and Backup Virtual DIGIPASS. 14 DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information