SAM Context-Based Authentication Using Juniper SA Integration Guide Revision A

Copyright 2012 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet, SafeNet Authentication Manager and SafeNet Authentication Client are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners. SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Date of Publication: August 2012
Last update: August 2012

Contacting SafeNet

We work closely with our reseller partners to offer the best worldwide technical support services. Your reseller is the first line of support when you have questions about products and services. However, if you require additional assistance you can contact the SafeNet technical support team help-desk, which is available 24 hours a day, seven days a week:

Country/Region    Telephone
USA               +1-800-545-6608
International     +1-410-931-7520

For further assistance, submit additional questions to the SafeNet technical support team at the following web page: http://c3.safenet-inc.com/secure.asp

For assistance via email, send the request to SafeNet technical support at the following address: support@safenet-inc.com

Table of Contents

About This Guide ... 5
  Intended Audience ... 5
  Additional Information ... 5
  Software Requirements ... 5
Overview ... 6
  Security Assertion Markup Language ... 6
  Context-Based Authentication ... 6
  Context-Based Authentication Flow ... 7
Pre-Configuration ... 8
  Preparing the Entity Id ... 8
  Preparing the Identity Provider URL and the Signing Certificate ... 9
SAM Portal Configuration for SA ... 11
SA Configuration as a Service Provider ... 14
  Creating an Authentication Server ... 14
  Setting the User Authentication Realm ... 15
KCD Configuration ... 17
  Configuring the User Account ... 17
    Creating a KCD User Account in Active Directory ... 17
    Defining the Delegated Authentication Services ... 19
  Configuring the Exchange Server ... 22
  Configuring SA ... 24
    Configuring Web SSO ... 24
    Configuring the Constrained Delegation Service List ... 26
    Configuring SSO Policies ... 28
Running the Solution ... 32
  User Authentication Scenario ... 32
Troubleshooting ... 35

About This Guide

The goal of this document is to provide guidance for setting up and managing SafeNet's context-based authentication solution in a Juniper Networks Junos Pulse Secure Access Service (SA) environment based on SAML 2.0. The information in this guide includes the following:

- An outline of the solution requirements and deployment scenarios for SafeNet's context-based authentication solution
- Step-by-step instructions for implementing Juniper Networks Junos Pulse Secure Access Service in a SAML solution

Intended Audience

The guide is intended for Information Technology professionals responsible for the organization's network security.

Additional Information

For a detailed explanation of SafeNet Authentication Manager (SAM) 8.0 SP4 and the other infrastructure components involved in the solution, or any other SafeNet products mentioned in this guide, refer to SafeNet's product documentation. For additional information on Microsoft or Juniper Networks software and hardware components mentioned in this guide, refer to the relevant manufacturers' documentation.

Software Requirements

For this scenario, the working environment must include the following software:

- Juniper Networks Junos Pulse Secure Access Service Version 7.1 R5 or later
- Microsoft Active Directory
- SafeNet Authentication Manager 8.0 SP4 or later

Overview

Security Assertion Markup Language

Security Assertion Markup Language (SAML) 2.0 is a standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens (information packets) containing assertions to pass information about a principal (usually an end-user) between an identity provider (IdP) and a web service. SAML 2.0 enables web-based scenarios including single sign-on (SSO) authentication.

SAML 2.0 is supported by Juniper Networks Junos Pulse Secure Access Service (SA), enhancing the SSL VPN's ability to securely integrate single sign-on authentication and authorization with external applications, such as cloud application providers.

In this SAML scenario, SA is the service provider, and SafeNet Authentication Manager (SAM) is the Identity Provider. SA implements the authentication result determined by SAM.

[Figure: Juniper SA Gateway acting as SAML 2.0 Service Provider (SP), facing the untrusted network (e.g. the Internet), with a federation trust to SAM 8.0 SP4 acting as SAML 2.0 Identity Provider (IdP); the protected application is OWA 2010.]

Context-Based Authentication

Context rules define the conditions for determining the authentication risk level. For more information, see the SAM 8.0 SP4 Administrator's Guide.

The context-based authentication policies define which authentication information users must provide for each risk level. For more information, see step 7 d of SAM Portal Configuration for SA, on page 12.

Context-Based Authentication Flow

The following describes the process of SafeNet's SMS Messaging OTP solution.

a. The user connects to SA using a web browser.
b. SA redirects the user to the SafeNet Authentication Manager (SAM) Authentication Portal.
c. The Authentication Portal displays a webpage requesting the authenticating user name.
d. The user enters her user name.
e. SAM uses its context rule policy configuration to determine the user's authentication risk level.
f. If SAM determines that additional user credentials are required, the Authentication Portal displays a new page requesting those credentials.
g. The user enters her credentials in the authentication fields.
h. SAM verifies the user's credentials.
i. SAM sends the SAML token to SA, which redirects the user to the SA SSO website.
j. The user selects a secure site, such as Outlook Web Access (OWA).
k. Juniper SA uses Kerberos Constrained Delegation (Microsoft-based SSO) to automatically authenticate the user to the secure site.

Pre-Configuration

To retrieve the information required for this solution:

- Use the SA administrator's console for Preparing the Entity Id, on page 8.
- Use the SAM Configuration Manager for Preparing the Identity Provider URL and the Signing Certificate, on page 9.

Preparing the Entity Id

Retrieve the Entity Id from SA's SAML settings.

To prepare the Entity Id:

1. In the SA administrator's console, go to System > Configuration > SAML > Settings.
2. In the Host FQDN for SAML field, enter the host name for SA when using SAML.
3. Click Save Changes.
4. Click Update Entity Ids. The Confirm Update Entity Ids message is displayed.
5. Click Update Entity Ids.
6. In the SA administrator's console, go to Authentication > Signing In.
7. Select the Sign-in SAML tab, and record the Entity Id value. You will need it for step 7 a of SAM Portal Configuration for SA, on page 12.

Preparing the Identity Provider URL and the Signing Certificate

Use the SAM Configuration Manager to retrieve the sign-in page URL and the signing certificate.

To prepare the sign-in page URL and the signing certificate:

1. From the Start menu, go to All Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager. The Configuration Manager window opens.
2. From the menu bar, go to Action > Cloud Configuration. The Cloud Settings window opens.
3. Select the Info for Service Provider tab.
4. Complete the Domain URL of your company's SAM portals. The Single Sign-On URL fields are displayed.
5. Record the Sign-in page URL value. You will need it for step 5 b of Creating an Authentication Server, on page 15.
6. Click Export Certificate, and save the certificate file to a known location. You will need this location for step 6 of Creating an Authentication Server, on page 15.
7. Click OK, and close the SAM Configuration Manager.

SAM Portal Configuration for SA

SAM's Token Policy Object (TPO) policies include Application Authentication Settings for Juniper SA. These settings are used by the SAM portal to communicate with SA.

Note: See the SAM 8.0 SP4 Administrator's Guide for general portal configuration.

To configure the SAM portal:

1. Open the Token Policy Object Editor for the appropriate group. See the SAM 8.0 SP4 Administrator's Guide for more information. The Token Policy Object Editor window opens.
2. In the left pane, go to Protected Application Settings > User Authentication. Policies are displayed in the right pane.
3. In the right pane, double-click Application Authentication Settings. The Application Authentication Settings Properties window opens.
4. Select Define this policy setting, and select Enabled.
5. Click Definitions. The Application Authentication Settings window opens.
6. In the left pane, select Juniper SA. Policies are displayed in the right pane.
7. In the right pane, double-click the following policies, and enter the appropriate information:
   a. Application Issuer: Enter the Entity Id that was prepared in step 7 of Preparing the Entity Id, on page 9.
   b. SAM Issuer: Set this to any value. The default value is SAM. You will need this value for step 5 a of Creating an Authentication Server, on page 15.
   c. Application's login URL: Enter the Juniper SA login URL. This is the AssertionConsumerService > Location value that was recorded in step 11 of Creating an Authentication Server, on page 15, from the SAML Server's metadata file.
   d. Context-based authentication: The Context-based authentication Properties window opens.
      Note: This example assumes that SAM has been configured for context-based authentication, and that the portal will use context-based authentication.
      i. Select Define this policy setting.
      ii. For each Risk Level, open the Authentication Method drop-down menu, and select which authentication information users must provide for that level.
         Note: Selecting Blocked as the authentication method for one risk level automatically sets the higher risk levels to Blocked.
      iii. Click OK.
8. Click OK until all of the TPO Editor windows are closed.
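To make the policy semantics of step 7 d concrete, the following Python model is added here; it is example code written for this page, not SafeNet's implementation or API. It models two things the flow describes: context rules that determine a risk level (steps e and f of the Context-Based Authentication Flow), and a per-level authentication method table in which choosing Blocked for one level forces every higher level to Blocked, as the note above states. The risk level names (Low, Medium, High), the method names other than Blocked, the LoginContext attributes and the sample context rules are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordering of risk levels, lowest first (names are not SAM's own).
RISK_LEVELS = ("Low", "Medium", "High")
BLOCKED = "Blocked"  # the one method name the guide itself uses


@dataclass(frozen=True)
class LoginContext:
    """Constructed attributes a context rule might inspect (assumption)."""
    username: str
    known_device: bool
    country: str


# Constructed context rules: (description, predicate, risk level when it matches).
CONTEXT_RULES = [
    ("login from an unrecognised device", lambda c: not c.known_device, "Medium"),
    ("login from outside the home country", lambda c: c.country != "US", "High"),
]


def determine_risk_level(ctx, rules=CONTEXT_RULES):
    """Return the highest risk level of any matching rule; Low if none matches."""
    highest = 0
    for _description, predicate, level in rules:
        if predicate(ctx):
            highest = max(highest, RISK_LEVELS.index(level))
    return RISK_LEVELS[highest]


def normalize_policy(policy):
    """Return a copy of policy (risk level -> authentication method) in which
    Blocked is propagated upward: once a level is Blocked, every higher level
    is Blocked too, mirroring the behaviour the guide describes."""
    normalized = {}
    blocked = False
    for level in RISK_LEVELS:
        method = policy.get(level)
        if method is None:
            raise ValueError(f"no authentication method defined for risk level {level}")
        if method == BLOCKED:
            blocked = True
        normalized[level] = BLOCKED if blocked else method
    return normalized


def required_authentication(policy, ctx):
    """Decide what the portal asks of the user: (risk level, authentication method)."""
    level = determine_risk_level(ctx)
    return level, normalize_policy(policy)[level]


if __name__ == "__main__":
    # A policy in which Medium is Blocked; High becomes Blocked automatically.
    print(normalize_policy({"Low": "Password", "Medium": BLOCKED, "High": "OTP"}))
    policy = {"Low": "Password", "Medium": "OTP", "High": BLOCKED}
    for ctx in (LoginContext("john", True, "US"),
                LoginContext("john", False, "US"),
                LoginContext("john", True, "FR")):
        print(ctx, "->", required_authentication(policy, ctx))
```

A policy with Low=Password, Medium=OTP, High=Blocked yields a password prompt for a known device in the home country, an OTP prompt for an unrecognised device, and a block for a foreign login; the block case is the situation described by the last row of the Troubleshooting table.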

SA Configuration as a Service Provider

Configure SA so that it is recognized by SAM as a SAML service provider.

Creating an Authentication Server

To create an Authentication Server:

1. In the SA administrator's console, go to Authentication > Auth. Servers.
2. From the New drop-down menu, select SAML Server, and click New Server.
3. The New SAML Server window opens.
4. Set the Server Name to any value. You will need this value for step 3 of Setting the User Authentication Realm, on page 16.
5. In the Settings area, do the following:
   a. Enter the Identity Provider Entity Id. This is the SAM Issuer that was set in step 7 b of SAM Portal Configuration for SA, on page 12. The default value is SAM.
   b. Enter the Identity Provider Single Sign On Service URL. This is the Sign-in page URL that was prepared in step 5 of Preparing the Identity Provider URL and the Signing Certificate, on page 10.
6. In the SSO Method area, next to Upload Certificate, click Choose File, and upload the certificate that was prepared in step 6 of Preparing the Identity Provider URL and the Signing Certificate, on page 10.
7. In the Service Provider Metadata Settings area, in the Metadata Validity field, enter the number of days for which the metadata will be valid.
8. Click Save Changes.
9. In the Service Provider Metadata Settings area, click Download Metadata, and download the metadata XML file.
10. Use a text editor to open the downloaded metadata file.
11. Record the metadata file's AssertionConsumerService > Location value, which is the application's login URL, in the format https://<host name>/dana-na/auth/saml-consumer.cgi. You will need this value for step 7 c of SAM Portal Configuration for SA, on page 12.

Setting the User Authentication Realm

To set the user authentication realm:

1. In the SA administrator's console, go to Users > User Realms.
2. Select the appropriate authentication realm. In this example, the realm is Users. The realm's properties are displayed.
3. In the General tab, in the Servers > Authentication drop-down menu, select the authentication server that was created in step 4 of Creating an Authentication Server, on page 15.
4. Click Save Changes.

KCD Configuration

Juniper SA is often used to protect Web application resources, such as Outlook Web Access (OWA) and SharePoint, which are based on Windows authentication. Kerberos Constrained Delegation (KCD) enables Single Sign On for the application resource, so that users are required to log on only once per session. The user logs on to SA, and is then not required to authenticate again when accessing Microsoft applications.

The following steps are used to authenticate a user to a Web application:

1. SA verifies the user's identity using SAML authentication.
2. SA then impersonates the user and obtains a Kerberos service ticket.
3. The Web application resource uses the Kerberos ticket as proof of authentication, and the user is logged on.

Setting up KCD with SA involves the following steps:

a. Configuring the User Account, see page 17.
b. Configuring the Exchange Server, see page 22.
c. Configuring SA, see page 24.

Configuring the User Account

Creating a KCD User Account in Active Directory

KCD requires an Active Directory user account that has Protocol Transition and Delegation rights. This account has rights to request a Kerberos ticket on behalf of a user signing in to SA.

To create a new user in Active Directory:

1. From the Windows taskbar, select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens.
2. In the left pane, expand your domain name, and right-click Users.
3. In the drop-down menu, select New > User. The New Object - User window opens.
4. Add the new user's information. This account will be used to access Web application resources, such as OWA. You will need the User logon name value for the following steps:
   - Step 1 of Defining the Delegated Authentication Services, on page 19
   - Step 11 c of Configuring the Constrained Delegation Service List, on page 27
   In this example, the User logon name of the new account that provides Constrained Delegation is samservice.

Defining the Delegated Authentication Services

To configure the new account for Web application access, do the following:

a. Use the setspn command to enable the Delegation tab in the new user account's Properties window.
b. Use the Delegation tab to enable the user to be trusted for delegation to all authentication protocols.

To define the Delegated Authentication Services for the new user:

1. Open the Command Prompt window, and enter the command:

   setspn -A HTTP/<user_account> <domain>\<user_account>

   where:
   - <user_account> is the User logon name created in step 4 of Creating a KCD User Account in Active Directory, on page 18
   - <domain> is your domain

   In the following example, sfnt is the domain, and samservice is the user account's User logon name:

   setspn -A HTTP/samservice sfnt\samservice

2. In the Active Directory Users and Computers window, right-click the new user. The user's Properties window opens.
3. Select the Delegation tab.
4. Select the following options:
   - Trust this user for delegation to specified services only
   - Use any authentication protocol
   Note: Do not select Use Kerberos only, because that option is not compatible with Protocol Transition and Constrained Delegation.
5. Click Add. The Add Services window opens.
6. To select the computer hosting the constrained services, click Users or Computers. The Select Users or Computers window opens.
7. Enter the name of the protected service's server in the domain.
   Note: In this example, the OWA service is hosted on the same server as the Active Directory Domain Controller, so DC is selected.
   In the Add Services window, the services available on the selected server are displayed.
8. Select the appropriate service type, and click OK.
   Note: In this example, Constrained Delegation must be configured for OWA. Select http to configure for OWA and for any other Web-based applications running on this server, such as SharePoint.
   In the user's Properties window, the delegated services are displayed.

9. Click Apply, and then click OK.

Active Directory is now configured for this solution.

Configuring the Exchange Server

Configure the server hosting the web application.

Note: This solution can be configured for any web application hosted on any server within the domain. In this example, the selected web application is OWA, and it is hosted on the same server as the Active Directory Domain Controller.

To configure OWA and ECP:

1. Open the Microsoft Exchange console.
2. In the left pane, go to Server Configuration > Client Access.
3. In the middle pane's Client Access area, select your Exchange server.
4. In the server area, select the Outlook Web App tab.
5. Right-click owa (Default Web Site), and select Properties. The owa (Default Web Site) Properties window opens.
6. Select the Authentication tab, and do the following:
   a. Select Use one or more standard authentication methods.
   b. Select Integrated Windows Authentication.
   c. Click OK.
7. In the Microsoft Exchange console, select the Exchange Control Panel tab.
8. Right-click ecp (Default Web Site), and select Properties. The ecp (Default Web Site) Properties window opens.
9. Select the Authentication tab, and do the following:
   a. Select Use one or more standard authentication methods.
   b. Select Integrated Windows Authentication.
   c. Click OK.
10. To restart IIS so that the configuration takes effect, open a command prompt and enter iisreset.

Configuring SA

Configure SA with Constrained Delegation for users connecting via SA to a selected application. This involves the following steps:

a. Configuring Web SSO, see page 24.
b. Configuring the Constrained Delegation Service List, see page 26.
c. Configuring SSO Policies, see page 28.

In this example, OWA is the application to which users connect.

Configuring Web SSO

Add the Kerberos Realm to SA's Kerberos SSO Settings.

1. In the SA administrator's console, go to Users > Resource Policies > Web > SSO (Single Sign-on) > General.

   The WebPolicySSOGeneral window opens.
2. Select the SSO tab.
3. Select Enable Kerberos SSO.
4. In the Realm Definition area, add the Kerberos realm. You will need this for step 11 b of Configuring the Constrained Delegation Service List, on page 27. In this example, we add the realm sfnt.com.
   Note: The Kerberos Realm is typically the DNS domain.
5. Click Add.
6. Click Save Changes.

Note: The Site Name field can be used only if your Active Directory is set up with Sites.

Configuring the Constrained Delegation Service List

Upload a text file to create a Constrained Delegation Service List.

To configure the Constrained Delegation Service List:

1. Open Notepad or a similar text application, and create a file containing the DC server name.
2. Save the file. You will need it for step 8 of this procedure.
3. In the SA administrator's console, go to Users > Resource Policies > Web > SSO (Single Sign-on) > General.
4. Select the SSO tab.
5. In the Constrained Delegation area, click Edit. The Constrained Delegation Service Lists window opens.
6. Click New Service List.
7. In the Name field, enter any value. You will need it for step 11 e of this procedure.
8. Click Choose File, and browse to the text file saved in step 2 of this procedure.
9. Click OK. The Upload Status window opens.
10. When the upload is complete, click Close.
11. In the Constrained Delegation area, do the following:
    a. In the Label field, enter any value. You will need this for step 10 c of Configuring SSO Policies, on page 31. In this example, we enter sfnt.
    b. In the Realm drop-down menu, select the Kerberos realm defined in step 4 of Configuring Web SSO, on page 25.
    c. In the Principal Account field, enter the User logon name created in step 4 of Creating a KCD User Account in Active Directory, on page 18.
       Note: In the example, we enter the samservice account created in Active Directory for Constrained Delegation.
    d. In the Password field, enter the user's domain password.
       Note: Ensure that the password is entered exactly as defined in Active Directory.
    e. In the Service List drop-down menu, select the service list Name defined in step 7 of this procedure.
    f. Click Add. The realm is displayed in the Constrained Delegation area.

Configuring SSO Policies

Define the roles and resources for which Constrained Delegation will be performed.

To configure SSO policies for OWA:

1. In the SA administrator's console, go to Users > Resource Policies > Web > Kerberos/NTLM/Basic Auth.
2. Select New Policy. The New Web Application Resource Profile window opens.

3. In the Type drop-down menu, select Microsoft OWA 2010. The OWA 2010 window opens.
4. Select the Resource tab.
5. In the Name field, enter any value for the policy name.
6. In the Base URL field, enter the OWA site's base URL.
7. Select Autopolicy: Web Compression.
8. In the Autopolicy: Web Compression area, do the following:
   a. In the Resource column, enter the OWA site.
   b. In the Action column drop-down menu, select Compress.
   c. Click Add. The resource is displayed on a new line.
9. Select Autopolicy: Single Sign-on.
10. In the Autopolicy: Single Sign-on area, do the following:
    a. Select Constrained Delegation.
    b. In the Resource field, enter the host FQDN of the web server.
    c. In the Credential drop-down menu, select the Constrained Delegation Label defined in step 11 a of Configuring the Constrained Delegation Service List, on page 27.
11. Click Save Changes.

Running the Solution

User Authentication Scenario

In this example, a user named John authenticates to SA in the following environment:

- An OTP (One-Time Password) for authentication is sent to John's mobile device as an SMS each time he needs to authenticate.
- John's authentication conditions match a context-based authentication rule that requires him to enter an OTP Authentication Code.

How John authenticates to OWA:

1. John opens a web browser and browses to SA. In this example, the SA site is https://juniper.sfnt.com. SA automatically redirects the authentication request to the SAM Authentication Portal. The Authentication Portal's User Identification window opens.
2. John enters his username, and clicks OK. An OTP is sent as an SMS to John's mobile device, and the SAM Authentication Portal's Authentication window opens.
3. John copies the OTP from his mobile device display, together with his OTP PIN if required, into the OTP Authentication Code field, and clicks OK. If the credentials are accepted, a message is displayed, and John is redirected to the SA portal.
4. John clicks the OWA 2010 link. John is automatically authenticated to his OWA account.

Troubleshooting

Problem: The SAM Authentication Portal does not open.
Possible cause: The URL entered is not correct.
Solution: Ensure that the URL entered is correct.

Problem: The SAM Authentication Portal does not open.
Possible cause: The Identity Provider Single Sign On Service URL is not correct.
Solution: In the SA configuration, ensure that the Identity Provider Single Sign On Service URL is correct.

Problem: An error message is displayed: Verification cert not available, Signature has no X509Cert
Possible cause: The Response Signing Certificate in the authentication server is incorrect or missing.
Solution: Export the signing certificate using SAM Configuration Manager, and import it again in the SA configuration's Authentication Server page.

Problem: An error message is displayed: Unknown issuer value in response
Possible cause: The Identity Provider Entity Id and the SAM Issuer do not match.
Solution: Ensure that the Identity Provider Entity Id in the SA configuration's Authentication Server page and the SAM Issuer in the TPO are identical.

Problem: An error message is displayed: Your system configuration is incorrect. Contact your administrator.
Possible cause: The Application Issuer in the TPO is incorrect.
Solution: Enter the correct Application Issuer in the TPO setting.

Problem: After logon, an error message is displayed: The page you requested could not be found
Possible cause: The Application's login URL in the TPO is incorrect.
Solution: Enter the correct Application's login URL in the TPO.

Problem: After logon, an error message is displayed: Schema validation failed for response. Audience must have TextContent
Possible cause: The Audience URI in the TPO is not enabled or is empty.
Solution: Enable the Audience URI option in the TPO, and enter a value.

Problem: An error message is displayed: Cloud portal authentication is not configured. Please contact your administrator.
Possible cause: Context-based authentication was not configured correctly.
Solution: Configure context-based authentication in the TPO.

Problem: An error message is displayed: The authentication service has determined that this logon request has originated from a suspicious source. Please contact your administrator.
Possible cause: The conditions of this context-based authentication attempt are defined as a higher risk level, for which authentication is Blocked.
Solution: The company may choose to re-evaluate its rules and risk levels for each group to determine if they are appropriate.
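Three of the errors in the table above (Unknown issuer value in response, Signature has no X509Cert, Audience must have TextContent) are consistency checks a SAML service provider applies to the SAML token that SAM sends in step i of the Context-Based Authentication Flow. The following Python checker is added here to show those checks over a constructed SAML 2.0 Response; it is example code written for this page, not SafeNet's or Juniper's implementation. The sample response, the placeholder certificate text and the service provider entity id are constructed for the example, and XML signature verification itself is out of scope: only the presence of the X509Certificate that the error message refers to is checked.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and XML Signature namespaces (standard URIs).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# What the service provider has been configured with.  "SAM" is the guide's
# default SAM Issuer / Identity Provider Entity Id; the SP entity id is a
# constructed placeholder, not a value from the guide.
EXPECTED_IDP_ENTITY_ID = "SAM"
SP_ENTITY_ID = "https://sa.example.com/saml-sp-placeholder"


def _text(elem):
    """Stripped text of an element, or '' when the element is missing/empty."""
    return (elem.text or "").strip() if elem is not None else ""


def check_response(xml_text, expected_issuer=EXPECTED_IDP_ENTITY_ID,
                   expected_audience=SP_ENTITY_ID):
    """Return the list of problems found; an empty list means the response
    passes the structural checks modelled here."""
    problems = []
    root = ET.fromstring(xml_text)

    # Issuer must equal the configured Identity Provider Entity Id.  It is
    # read from the Response, falling back to the Assertion if absent there.
    issuer = root.find("saml:Issuer", NS)
    if issuer is None:
        issuer = root.find("saml:Assertion/saml:Issuer", NS)
    if _text(issuer) != expected_issuer:
        problems.append("Unknown issuer value in response")

    # The Signature must carry the signing certificate (exported from SAM).
    if not _text(root.find(".//ds:X509Certificate", NS)):
        problems.append("Signature has no X509Cert")

    # Audience must be present, non-empty, and name this service provider.
    audience_text = _text(root.find(".//saml:AudienceRestriction/saml:Audience", NS))
    if not audience_text:
        problems.append("Audience must have TextContent")
    elif audience_text != expected_audience:
        problems.append("Audience does not name this service provider")

    return problems


def build_response(issuer, audience, include_cert=True):
    """Build a constructed, minimal SAML Response for testing the checker.
    audience=None produces an empty Audience element (the misconfiguration
    behind 'Audience must have TextContent')."""
    cert = ("<ds:X509Data><ds:X509Certificate>CONSTRUCTED-PLACEHOLDER-CERTIFICATE"
            "</ds:X509Certificate></ds:X509Data>") if include_cert else ""
    aud = f"<saml:Audience>{audience}</saml:Audience>" if audience is not None else "<saml:Audience/>"
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_response1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c29tZQ==</ds:SignatureValue>
      <ds:KeyInfo>{cert}</ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>john</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>{aud}</saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("good:        ", check_response(build_response("SAM", SP_ENTITY_ID)))
    print("wrong issuer:", check_response(build_response("OtherIdP", SP_ENTITY_ID)))
    print("no cert:     ", check_response(build_response("SAM", SP_ENTITY_ID, include_cert=False)))
    print("no audience: ", check_response(build_response("SAM", None)))
```

Each problem string corresponds to a row of the table: a mismatched Issuer is the Identity Provider Entity Id / SAM Issuer mismatch, a missing certificate is the exported signing certificate not being loaded on the Authentication Server page, and an empty Audience is the Audience URI option in the TPO being disabled or blank.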