How To Use Saml 2.0 Single Sign On With Qualysguard



Similar documents
CA Nimsoft Service Desk

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Fairsail. Implementer. Single Sign-On with Fairsail and Microsoft Active Directory Federation Services 2.0. Version 1.92 FS-SSO-XXX-IG R001.

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

ADFS Integration Guidelines

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Microsoft Office 365 Using SAML Integration Guide

Getting Started with AD/LDAP SSO

SAML-Based SSO Solution

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Copyright: WhosOnLocation Limited

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

SAML SSO Configuration

Egnyte Single Sign-On (SSO) Installation for OneLogin

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

Enterprise Knowledge Platform

Connected Data. Connected Data requirements for SSO

SAP NetWeaver AS Java

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Configuring. Moodle. Chapter 82

idp Connect for OutSystems applications

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Authentication Integration

HP Software as a Service. Federated SSO Guide

Perceptive Experience Single Sign-On Solutions

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

EVault Endpoint Protection 7.0 Single Sign-On Configuration

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

SAML single sign-on configuration overview

For details about using automatic user provisioning with Salesforce, see Configuring user provisioning for Salesforce.

SAML 2.0 SSO Deployment with Okta

Single Sign On for ShareFile with NetScaler. Deployment Guide

Configuring EPM System for SAML2-based Federation Services SSO

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

Get Success in Passing Your Certification Exam at first attempt!

Configuring Salesforce

SAML-Based SSO Solution

Single Sign-On Implementation Guide

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE

Single Sign-On Implementation Guide

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

ACTIVID APPLIANCE AND MICROSOFT AD FS

SAML Single-Sign-On (SSO)

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Authentication Methods

WebNow Single Sign-On Solutions

Using SAML for Single Sign-On in the SOA Software Platform

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Deploying RSA ClearTrust with the FirePass controller

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Flexible Identity Federation

ADFS for. LogMeIn and join.me authentication

Agenda. How to configure

Absorb Single Sign-On (SSO) V3.0

T his feature is add-on service available to Enterprise accounts.

CA Performance Center

Getting Started with Single Sign-On

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

Using Exclaimer Signature Manager with Office 365

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

HP Software as a Service

SpringCM SSO and User Management Guide

Egnyte Single Sign-On (SSO) Installation for Okta

PowerLink for Blackboard Vista and Campus Edition Install Guide

SAML Authentication within Secret Server

McAfee Cloud Identity Manager

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Portions of this product were created using LEADTOOLS LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Web Application Firewall

Getting Started with Single Sign-On

PingFederate. IWA Integration Kit. User Guide. Version 2.6

AVG Business SSO Connecting to Active Directory

Introductions. Christopher Cognetta Practice Manager Client Field Engineering Microsoft Dynamics CRM MVP

The increasing popularity of mobile devices is rapidly changing how and where we

PingFederate. IWA Integration Kit. User Guide. Version 3.0

Copyright Pivotal Software Inc, of 10

Configure Single Sign on Between Domino and WPS

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

SAM Context-Based Authentication Using Juniper SA Integration Guide

Security Assertion Markup Language (SAML) Site Manager Setup

Administering Jive for Outlook

Single Sign-On Implementation Guide

SAML Authentication Quick Start Guide

Transcription:

QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented, QualysGuard users can seamlessly open a session using their corporate credentials and their web browser. QualysGuard acts as a SAML 2.0 Service Provider (SP) and can establish a trust relationship with any customer s SAML 2.0 Identity Provider (IdP). Customers can use any SAML 2.0 IdP vendor of their choice including but not limited to Ping Identity, Shibboleth, Oracle Identity Federation and more. Benefits of the Solution Enabling SAML 2.0 SSO with QualysGuard gives customers many benefits: Provides customers with full control over the authorization and authentication of hosted user accounts that can access QualysGuard. Allows users to use their corporate credentials to open a QualysGuard session. Automatically enforce password policies applied centrally and reduces the risk of having weak passwords or lost passwords by enforcing a single password policy that is unique to the customer s SAML deployment. Simplifies the process of granting and removing the access to QualysGuard from a central management console. Reduces the time that users spend to remember and manage multiple passwords.. On Boarding Process To start using SAML 2.0 SSO to open QualysGuard sessions, the following on boarding process has to be completed: Customer sends an email to support@qualys.com to request SAML 2.0 SSO activation for their QualysGuard subscription. A CRM ticket is automatically created and will be used as a reference and tracking for all discussions concerning the activation of SAML 2.0 SSO. Qualys Support replies to the ticket by email to share and request technical information

used to establish the trusted relationship between the customer s IdP and the QualysGuard SP and as follows (please see the Appendix for full details Warning: this information might not be up to date. Support will share the latest version when the request is filled): Questions about customer s SAML 2.0 Identity Provider (IdP) Technical information about QualysGuard SAML 2.0 Service Provider (SP) that will be used to configure the customer s IdP. Upon receipt of the customer s response, Qualys will configure the trust relationship between the customer Idp and the QualysGuard SP. This process takes approximately one week to complete. Qualys will set up the trust relationship and notifies the customer once SAML has been enabled for their subscription. Then Qualys will provide a new unique URL specific to their subscription that users must use to open a session with SAML SSO (for example https://qualysguard.qualys.com/fo/login.php?idm_key=xyz, where XYZ is a unique numerical identifier generated by Qualys to identify the customer s subscription). How to test? At this point customer can start testing that SAML SSO has been properly configured for their subscription using the following procedure: A QualysGuard Manager enables SAML for a test user as shown in the screenshot here:

Optional: if the customer chose to identify the user using the External ID field in the QualysGuard user settings, this information needs to be added as shown in the screenshot below (more details provided in the User Provisioning section below): In this example, the email address has been used for the External ID Then the user testing SAML SSO should follow these steps Use a web browser and open the unique URL provided by Qualys As a result the web browser should be redirected to the customer s SAML SSO page where the user can enter their corporate login/password (for instance the Active Directory username and password) Upon successful authentication, the web browser should be redirected to QualysGuard and a valid session should be opened with the expected user identity. When logging out from QualysGuard, the web browser should be redirected to the optional exit URL provided by the customer.

User Provisioning QualysGuard SAML 2.0 supports Single Sign On authentication for user accounts that already exist in customer subscriptions. The customer needs to create a process to provision QualysGuard user accounts whether it's a manual process using the QualysGuard User Interface or an automatic process using the QualysGuard API (see further details below). To properly identify each user authenticated using SAML SSO, a mapping between the customer s user identity (in the user store) and the QualysGuard accounts must be provided using one of the methods as described below. The customer has the the option to choose the method that is most convenient for their environment: 1. Add QualysGuard user login names to the SAML user identity (in the user store). 2. Update QualysGuard accounts to add a unique user identifier in the External ID user property. Customers who would like use the QualysGuard API for user creation and provisioning will need to develop a software program. This program will combine user account data extracted from the customer user store (such as first name, last name, email address etc) and additional QualysGuard specific user information including the required QualysGuard user role (Manager, Unit Manager, Scanner, Reader) and user scope (list of asset groups). For example the QualysGuard user role and scope can be derived from a group membership user information in the customer s user store. In this case the framework that describes the mapping logic between these groups and QualysGuard user roles and scopes must be created by the customer. See the QualysGuard API v1 User Guide for complete details about the User API. Conclusion Thank you for your interest in QualysGuard SAML 2.0 Single Sign On. If you have questions or if you want to provide us with feedback, please contact Qualys Support (www.qualys.com/support).

Appendix 1: Customer On Boarding Questionnaire In order to establish the trust relationship between the customer SAML 2.0 Identity Provider and the QualysGuard SAML 2.0 Service Provider, technical information needs to be provided by the customer as listed below (Warning, refer to the information sent by Qualys support for the latest details): Thank you for your interest in SAML. In order to get started with this feature, please provide the following information. Your responses will be entered directly into a request for our Operations team to begin the SAML integration, so filling in the questions individually and completely will assist in efficient turn around of your request. 1. EntityID string from your IdP (SAML Identity Provider) (typically has a format like urn:mace:incommon:example.com) 2. Public key certificate for the IdP (your organization's IdP certificate) 3. Your organization's SAML IdP SSO URL (SP initiated authentication requests) 4. Subscription (QualysGuard Manager Primary Contact username for the subscription such as abcd_ef) grupm_ef 5. Custom exit URL for a subscription (Optional) This is the URL where the user will be redirected when logging out from QualysGuard. For instance it can be the URL of the your corporate web site. For your information, Operations has provided the following: 1. QWEB SP entityid: QualysGuard_SharedPlatform SAML20 SP 2. ACS URL for QWEB: https://qualysguard.qualys.com/idm/saml2/ 3. Managers will be able to enable SAML support for sub accounts after the feature is functioning on your subscription. We will provide an update when SAML integration is complete, or if we need any additional information. Please do let me know if you have any other questions in the meantime.

Appendix 2: FAQ 1. Tell me about the unique QualysGuard SSO URL provided by Qualys a. The unique URL https://qualysguard.qualys.com/fo/login.php?idm_key=xyz provided by Qualys as part of the on boarding process must be used to open a QualysGuard session using SAML SSO. The customer needs to share this URL with all user who will access QualysGuard with SAML SSO. Users can bookmarked the URL in their web browsers. If users will log in from the customer s security intranet, the customer can insert the URL into a web page within their environment. 2. Tell me about two factor authentication a. The customer can choose to implement two factor authentication at their discretion and if their SAML IdP implementation supports this. It is the responsibility of the customer to enable/enforce a two factor authentication mechanism for their SAML SSO IdP. 3. How does a user can change their password? a. When SAML SSO is enabled for a user, passwords are not managed by QualysGuard. Instead, the user should be able to change their SAML SSO password according to its company s policy. 4. Tell me about QualysGuard API access a. QualysGuard API requires valid user credentials for authentication, and SAML SSO can t be used for this. A normal QualysGuard login/password must be used for all QualysGuard API requests. 5. Tell me about users who have two accounts in the same QualysGuard subscription a. Upon successful authentication, QualysGuard will prompt the user to pick the user account that the user would like to use. 6. What if a customer has two QualysGuard subscriptions? a. The on boarding process needs to be done twice. Once per QualysGuard subscription. You will receive two unique URLs, one URL for each subscription. 7. Are there any special QualysGuard account requirements? a. Yes, the subscription must have the New Data Security Model enabled. 8. Is SAML in Qualys 1.1 or 2.0? a. As of august 2012, QualysGuard only supports SAML 2.0. 9. Is it IDP initiated SSO or SP initiated?

a. Service Provider initiated (SP) 10. Which SAML 2.0 binding? (e.g. HTTP POST for SAML 2.0 IdP Initiated or Redirect/POST for SAML 2.0 SP Initiated SSO) a. HTTP POST 11. What format does Qualys expect the NamedID to be in? (depending on the answer, we may need all of Qualys corresponding details, which may include URLs, certificates, entity IDs) a. need details from OPs/ENG 12. When SAML is turned on for our account, can we use our own internal Active Directory user IDs or do we need to have a field in our AD user accounts that match the Qualys usernames (for example aem_dp )? a. Users have the option to either store in their Active Directory the QualysGuard username in each user record, or use a unique ID coming from their AD and stored in QualysGuard user profile under the External ID field. For more details please refer to the User Provisioning paragraph in this document. Appendix 3: Microsoft Active Directory Federation Services Integration Microsoft Active Directory Federation Services (ADFS) is currently supported for authentication. The QualysGuard ADFS integration must be configured as SP initiated. Configuration Microsoft ADFS 2.0 defaults to values that are incompatible with QualysGuard SAML 2.0. The following configuration changes will enable QualysGuard SAML to integrate with your ADFS. Disable encryption AD FS 2.0 automatically configures itself to encrypt token data whenever it receives an encryption certificate from a partner. Turn off encryption in ADFS 2.0 tokens. To disable encryption: 1. On the AD FS 2.0 computer, click Start > Administrative Tools > Windows PowerShell Modules. 2. At the PowerShell command prompt, type: set ADFSRelyingPartyTrust TargetName TFIM SP Example EncryptClaims $False 3. Hit Enter. Change AD FS 2.0 Signature Algorithm

When acting as an identity provider, AD FS 2.0 defaults to using the Secure Hash Algorithm 256 (SHA 256) to digitally sign assertions sent to relying parties. In addition, in cases where relying parties sign authentication requests, AD FS 2.0 defaults to expecting those requests to be signed using SHA 256. In contrast, QualysGuard uses the SHA 1 algorithm to sign authentication requests and validate assertions. Follow the steps below to change the algorithm AD FS 2.0 uses with QualysGuard to the SHA 1 algorithm. To change the AD FS 2.0 signature algorithm 1. In the AD FS 2.0 Management console, in the center pane under Relying Party Trusts, right click QualysGuard SAML, and then click Properties. 2. On the Advanced tab, in the Secure hash algorithm list, select SHA 1, and then click OK. Screenshots Below are screenshot examples of an ADFS configured to integrate with QualysGuard SAML. You may use the your proxy system to forward qualys.your_organization.com to your assigned system generated SSO login URL. Note: Tabs with no screenshot means they were empty or un configured.

Identifiers:

Encryption:

Advanced:

Endpoints:

Edit Endpoint:

Issuance Transform Rules:

Edit Rule Send Email Address:

Edit Rule Send NameID:

Edit Rule Send ID

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information