INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN




Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

1 IDENTIKEY Federation Server for Juniper SSL-VPN

Table of Contents

1 Overview ... 4
2 Technical Concepts ... 5
  2.1 Microsoft ... 5
    2.1.1 Windows 2008 Server ... 5
  2.2 Juniper ... 5
    2.2.1 SA2500 ... 5
  2.3 VASCO ... 5
    2.3.1 IDENTIKEY Federation Server ... 5
    2.3.2 IDENTIKEY Authentication Server ... 5
3 Setup without IDENTIKEY ... 6
  3.1 Architecture ... 6
  3.2 Juniper ... 6
    3.2.1 Authentication Servers ... 6
    3.2.2 User Realms ... 7
    3.2.3 User Roles ... 7
    3.2.4 Sign-in ... 9
  3.3 Test the Setup ... 9
4 Solution ... 11
  4.1 Architecture ... 11
  4.2 Juniper ... 11
    4.2.1 System Configuration ... 11
    4.2.2 Authentication Servers ... 13
    4.2.3 User Realms ... 14
    4.2.4 Sign-in page ... 14
  4.3 IDENTIKEY Federation Server ... 15
    4.3.1 Applications ... 15
  4.4 Test the Solution ... 16
5 FAQ ... 17
6 Appendix ... 17

1 Overview

This document describes how to configure a Juniper SA2500 SSL VPN Appliance in combination with the VASCO IDENTIKEY Federation Server. The combination of these two products makes it possible to set up a secure remote connection between the outside world and the company's internal network.

This solution makes use of the Security Assertion Markup Language (SAML), an open standard for exchanging authentication and authorization data between parties. SAML is commonly used for web Single Sign On (SSO). More information about SAML: http://en.wikipedia.org/wiki/security_assertion_markup_language

[Figure: overview of the deployment; labels: Internet, Intranet, Juniper SA2500]

2 Technical Concepts

2.1 Microsoft

2.1.1 Windows 2008 Server

Windows 2008 Server is one of the latest server releases of the Microsoft family. This server can play different roles, such as:

- Domain Controller
- Web Server
- Mail Server

To authenticate Juniper users against Windows Server, a Domain Controller is required.

2.2 Juniper

2.2.1 SA2500

Juniper Networks SA2500 SSL VPN Appliance enables small to medium-sized companies to deploy cost-effective, secure remote and extranet VPN access, as well as intranet security.

2.3 VASCO

2.3.1 IDENTIKEY Federation Server

IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity & access management platform. It is used to validate user credentials across multiple applications and disparate networks. The solution validates users and creates an identity ticket enabling web single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user's identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers and partners using one single identity.

IDENTIKEY Federation Server works as an Identity Provider within the local organization, but can also delegate authentication requests (for unknown users) to other Identity Providers. In a Federated Model, IDENTIKEY Federation Server does not only delegate but also receives authentication requests from other Identity Providers, when local users want to access applications from other organizations within the same federated infrastructure.

2.3.2 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar.

3 Setup without IDENTIKEY

Before adding two-factor authentication it is important to validate a standard configuration without One Time Password (OTP).

3.1 Architecture

[Figure: test architecture; labels: Internet, Juniper SA2500 (IP: 10.4.0.168), Active Directory (IP: 10.4.0.10)]

3.2 Juniper

3.2.1 Authentication Servers

In order to authenticate using Active Directory, we need to add an authentication server with the specifications of Active Directory.

- Name: fill in a meaningful name
- Primary Domain Controller: the IP address of the Domain Controller
- Backup Domain Controller: the IP address of the Backup Domain Controller (optional)
- Domain: the domain to which the Domain Controller belongs
- Enable "Allow domain to be specified as part of username"
  - Ex: domain\user1
- Enable "Allow trusted domains"
- Admin Username: enter the username of a user that has admin privileges in Active Directory
- Admin Password: enter that user's password
- Enable Kerberos
  - http://en.wikipedia.org/wiki/kerberos_%28protocol%29
- Select "Use LDAP to get Kerberos realm name"

- Save

3.2.2 User Realms

The User Realm is used to specify which authentication server has to be used in order to authenticate a user.

- Name: fill in a meaningful name
- Description: fill in a meaningful description
- Authentication: select the Authentication Server specified in 3.2.1 Authentication Servers
- Directory/Attribute: same as above
- Accounting: None
- Save

3.2.3 User Roles

User roles are used for both access rights and user privileges (bookmarks, remote desktop, telnet, ...).

- Click on the Role Mapping tab
- New Rule
- Select "Rule based on Group membership" and click Update
- Click on Groups to get the Group selection popup
- Click on Search; you will see a list of all your Active Directory groups
- Check the box for the groups that you want to use in Juniper SSL VPN and click Add Selected on top

- Click OK
- In Rule:
  - "If user is a member of any of these selected groups": select one or more groups and click the Add button
  - "...then assign these roles": select the Juniper role you want to assign to these groups (you will need to create roles before you start!)
- Save Changes

For more information about user roles, consult the Juniper documentation.

3.2.4 Sign-in

Now we have to select which realm (created in 3.2.2 User Realms) we want to use to sign in on our VPN website.

- Sign-in URL: */ (this will result in http://10.4.0.168/)
- Select "User picks from a list of authentication realms"
- Add "Active Directory Only"
- Save

3.3 Test the Setup

Browse to the SSL VPN web portal; this would be the IP address of the Juniper appliance.

- Username: a user known in the Active Directory specified in 3.2.1 Authentication Servers
- Password: the password of the Active Directory user

4 Solution

The Juniper supports the Security Assertion Markup Language (SAML) protocol, which is used here as the authentication protocol. This protocol, together with the IDENTIKEY Federation Server (IFS), results in a secure and user-friendly Single Sign On (SSO) solution. For more information about SAML please consult http://en.wikipedia.org/wiki/security_assertion_markup_language

4.1 Architecture

[Figure: solution architecture; labels: Internet, IDENTIKEY Federation Server (IP: 10.4.0.198, https://ifs.labs.vasco.com), Juniper SA2500 (IP: 10.4.0.168)]

4.2 Juniper

4.2.1 System Configuration

To use SAML, the Juniper needs to be configured:

- Click Configuration
- Click SAML
- Click Settings

- Timeout value for metadata fetch request: 300
- Validity of uploaded/downloaded metadata file: 365
- Host FQDN for SAML: juniper.labs.vasco.com
- Save Changes
- Click New Metadata Provider
- Name: IFS Meta Provider
- Location: Remote
- Download URL: https://ifs.labs.vasco.com/ifs/profiles/saml2 (ifs.labs.vasco.com has to be replaced with the FQDN of your own IFS)
- Import Certificate
- Check Identity Provider
- Check Service Provider
- Save Changes

The Entity Id name is needed in a later stage.

4.2.2 Authentication Servers

In order to authenticate using IDENTIKEY Federation Server, we need a new SAML authentication server.

- Server Name: fill in a meaningful name
- SAML Version: 2.0
- Configuration Mode: Metadata
- Identity Provider Entity Id: select the Id created in System Configuration
- Allowed Clock Skew (minutes): 10
- Check Support Single Logout
- Select Post
- Select Certificate: select a valid certificate
- Select Device Certificate for Signing: select a valid certificate
- Select Device Certificate for Encryption: select a valid certificate
- Metadata Validity: 10
- Save Changes

When the authentication server is saved, click Download Metadata. This file is needed in a later stage.
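The "Allowed Clock Skew (minutes)" setting above decides how far the Juniper's clock may drift from the IFS clock before valid assertions start being rejected (or, if set too wide, before stale assertions are still accepted). The following added example, which is not Juniper or VASCO code, shows the Conditions checks a SAML service provider applies to each assertion with that tolerance: NotBefore and NotOnOrAfter are compared against the SP clock widened by the skew, the Issuer must be the configured IdP, and AudienceRestriction must name this SP. The assertion, entity IDs and timestamps are constructed; the Signature and Subject elements are omitted because signature verification is a separate step that must happen before these checks.

```python
"""Conditions checks for a SAML 2.0 assertion with a clock-skew tolerance.

Added example, not Juniper or VASCO code; the assertion, entity IDs and
timestamps below are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://ifs.example.test/ifs/profiles/saml2"  # constructed
SP_ENTITY_ID = "https://juniper.example.test/saml/sp"          # constructed

# Constructed assertion; Signature and Subject are left out because this
# example covers only the Conditions element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">
  <saml:Issuer>https://ifs.example.test/ifs/profiles/saml2</saml:Issuer>
  <saml:Conditions NotBefore="2013-06-01T12:00:00Z" NotOnOrAfter="2013-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://juniper.example.test/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2013-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(assertion_xml, now, skew_minutes,
                     sp_entity_id=SP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Return a list of findings; an empty list means the Conditions are
    acceptable at time `now` for this SP with the given clock skew."""
    root = ET.fromstring(assertion_xml)
    skew = timedelta(minutes=skew_minutes)
    problems = []
    got_issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if got_issuer != issuer:
        problems.append("issuer %r is not the configured IdP %r" % (got_issuer, issuer))
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element: refuse rather than assume unlimited validity")
        return problems
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # The SP clock may run behind the IdP: accept NotBefore up to `skew` in the future.
    if not_before and now + skew < parse_ts(not_before):
        problems.append("not yet valid: NotBefore=%s, now=%s, skew=%dm"
                        % (not_before, now.isoformat(), skew_minutes))
    # The SP clock may run ahead: accept NotOnOrAfter up to `skew` in the past.
    if not_on_or_after is None:
        problems.append("no NotOnOrAfter: the assertion would never expire")
    elif now - skew >= parse_ts(not_on_or_after):
        problems.append("expired: NotOnOrAfter=%s, now=%s, skew=%dm"
                        % (not_on_or_after, now.isoformat(), skew_minutes))
    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience %r does not include this SP %r" % (audiences, sp_entity_id))
    return problems


if __name__ == "__main__":
    for minutes in (10, 5):
        # Constructed SP clock running 8 minutes behind the IdP's IssueInstant.
        findings = check_conditions(SAMPLE_ASSERTION, parse_ts("2013-06-01T11:52:00Z"), minutes)
        print("skew=%dm -> %s" % (minutes, findings or "accepted"))
```

With the guide's value of 10 minutes an SP clock that is 8 minutes slow still accepts the assertion; with 5 minutes the same assertion is reported as not yet valid, which is the symptom to look for when SSO fails intermittently after an NTP problem on either appliance.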

4.2.3 User Realms

Now we have to specify a new user realm to which we link the new Authentication Server.

- Name: fill in a meaningful name
- Description: fill in a meaningful description
- Authentication: select the Authentication Server specified in 4.2.2 Authentication Servers
- Directory/Attribute: None
- Accounting: None
- Save

4.2.4 Sign-in page

Now we have to link our new user realm to the Sign-in page.

- Selected realms: select the realm created in User Realms

It is possible to select multiple realms. This will give a select list on the Sign-in page with the multiple possibilities.

4.3 IDENTIKEY Federation Server

In order to perform an authentication, the Juniper box needs to be added to the IDENTIKEY Federation Server as an application.

4.3.1 Applications

- Application type: Generic SAML v2.0 application
- Selected profiles: select an authentication profile
- Select distribution method: Upload metadata file
- Metadata file: the file downloaded in Authentication Servers
- Save
- Select import method: Upload certificate file
- Certificate: upload a valid certificate
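Both directions of this setup rest on a metadata document: the Juniper fetches the IFS metadata from the Download URL in 4.2.1 and takes the Entity Id, certificate and endpoints from it, and IFS receives the Juniper metadata uploaded in 4.3.1. The following added example, which is not VASCO or Juniper code, parses a SAML 2.0 EntityDescriptor and reports whether it carries what the 4.2.2 settings rely on: an IDPSSODescriptor, an HTTP-POST SingleSignOnService (Select Post), an HTTP-POST SingleLogoutService (Support Single Logout), a signing certificate and an unexpired validUntil. The metadata is constructed, and the X509Certificate value is the base64 of the bytes b"constructed-cert" rather than a real certificate, so the fingerprint only shows where a real one would be recorded.

```python
"""Inspect SAML 2.0 metadata before trusting it on either side of the exchange.

Added example, not VASCO or Juniper code. The metadata below is constructed;
the certificate value is base64 of b"constructed-cert", not a real X.509 cert."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata in the shape an IFS-style IdP would publish.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ifs.example.test/ifs/profiles/saml2"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ifs.example.test/ifs/profiles/saml2/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ifs.example.test/ifs/profiles/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ifs.example.test/ifs/profiles/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_ts(value):
    """Metadata timestamps are xsd:dateTime in UTC, e.g. 2030-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _cert_fingerprints(role, use):
    """SHA-256 fingerprints of the DER certificates usable for `use`
    (a KeyDescriptor without a use attribute serves both signing and encryption)."""
    out = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                out.append(hashlib.sha256(der).hexdigest())
    return out


def parse_metadata(xml_text):
    """Extract entityID, validity and, per role, certificates and POST endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    valid_until = root.get("validUntil")
    info = {"entity_id": root.get("entityID"),
            "valid_until": _parse_ts(valid_until) if valid_until else None,
            "roles": {}}
    for tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        role = root.find("md:" + tag, NS)
        if role is None:
            continue
        # IdPs advertise where to send AuthnRequests; SPs where to post assertions.
        sso_tag = "SingleSignOnService" if tag == "IDPSSODescriptor" else "AssertionConsumerService"
        info["roles"][tag] = {
            "signing_sha256": _cert_fingerprints(role, "signing"),
            "encryption_sha256": _cert_fingerprints(role, "encryption"),
            "post_endpoints": [e.get("Location") for e in role.findall("md:" + sso_tag, NS)
                               if e.get("Binding") == POST],
            "slo_post": [e.get("Location") for e in role.findall("md:SingleLogoutService", NS)
                         if e.get("Binding") == POST],
        }
    return info


def check_idp_for_juniper(info, expected_entity_id, now=None):
    """Return findings; an empty list means the IdP metadata supports the 4.2.2
    settings (POST binding, Single Logout, a signing certificate) and is current."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append("entityID %r differs from the expected %r" % (info["entity_id"], expected_entity_id))
    if info["valid_until"] and info["valid_until"] <= now:
        problems.append("metadata expired at %s" % info["valid_until"].isoformat())
    idp = info["roles"].get("IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor: this is not IdP metadata")
        return problems
    if not idp["signing_sha256"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if not idp["post_endpoints"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    if not idp["slo_post"]:
        problems.append("no HTTP-POST SingleLogoutService endpoint for Single Logout")
    return problems


if __name__ == "__main__":
    parsed = parse_metadata(SAMPLE_IDP_METADATA)
    print(parsed["entity_id"], parsed["roles"]["IDPSSODescriptor"]["signing_sha256"])
    print(check_idp_for_juniper(parsed, "https://ifs.example.test/ifs/profiles/saml2") or "metadata usable")
```

Recording the signing-certificate fingerprint at import time is what makes a later "Import Certificate" step verifiable: when the IFS certificate is renewed, the fingerprint changes and the Juniper metadata provider has to be refreshed before assertions validate again.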

4.4 Test the Solution

Browse to the SSL VPN web portal; this would be the IP address of the Juniper appliance.

- Username: user known to the IFS
- Password: OTP generated by the DIGIPASS linked to that user

5 FAQ

6 Appendix