DualShield Integration Guide
Copyright 2011 Deepnet Security Limited
Copyright 2011, Deepnet Security. All Rights Reserved. Page 1
Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights
Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer
This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Table of Contents
Introduction ... 4
Installation ... 5
Integration ... 5
  Create a Service Provider ... 5
  Download SSO metadata ... 6
  Configure SSO Agent ... 6
Google Apps ... 7
  Register a Google Apps service in DualShield ... 7
  Create the SSO server's certificate file ... 7
  Configure Google Apps ... 9
Authentication ... 11
Introduction
Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML OASIS standard for exchanging authentication and authorization data between security domains. SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between an identity provider (IdP) and a service provider (SP, usually a web service or cloud application). SAML 2.0 enables web-based authentication and authorization scenarios including Single Sign-On (SSO).

The DualShield unified authentication platform includes a Single Sign-On server that is fully compliant with the SAML 2.0 standard. The complete solution consists of the following components:
- DualShield Authentication Server
- DualShield SSO Server (IdP)
- Third-party SAML 2.0 enabled applications (SP)

For a SAML-enabled application such as Google Apps or Salesforce, the DualShield Single Sign-On server acts as the identity provider: it authenticates users and provides the information used to authorize them. When a user attempts to log in to a cloud or web application that is SAML 2.0 enabled and integrated with DualShield SSO, the request is automatically redirected to DualShield SSO. DualShield SSO parses the request, authenticates the user with multi-factor authentication against the organization's AD/LDAP directory, and generates a signed SAML response for the cloud or web application. Once the application has verified the response, the user is automatically logged in.
Installation
The DualShield SSO Server is a server application in its own right. However, the DualShield installation program always installs a copy of the SSO server as a service on the same host where the DualShield authentication server and management console are installed, because the DualShield management console uses the SSO server as its login server. You can use this copy of the SSO server or install a separate, standalone SSO server, depending on your requirements and infrastructure.

Integration
Integrating a SAML-enabled application (SP) with a SAML authentication server (IdP) requires only that the two parties exchange their SAML metadata. The IdP's metadata carries its entity ID, its single sign-on endpoint URLs and the X.509 certificate the SP will use to verify the signature on SAML responses, so treat the metadata you hand to an SP as security-critical configuration and obtain it directly from your own SSO server. From the DualShield management console you can create a SAML service provider and upload its metadata, and you can download the SSO server's metadata and upload it to the service provider.

Create a Service Provider
1. In the main menu, select SSO > SSO Server. A list of installed and registered SSO servers is displayed.
2. In the SSO server list, select an SSO server and click its context menu icon.
3. Select Service Providers in the context menu. A list of registered service providers is displayed.
4. Click Create on the toolbar to create a new Service Provider.
5. Provide a name for the new service provider and upload its metadata.
6. Click Save.

Download SSO metadata
1. In the SSO server list, select an SSO server and click its context menu icon.
2. In the context menu, select Download Metadata.
3. Save the metadata file.

Configure SSO Agent
To the DualShield authentication server, an SSO server is an authentication agent. You need to further configure the SSO agent by connecting it to a DualShield application that is linked to your user directory.
Google Apps
The DualShield management console provides a built-in facility that further simplifies integrating DualShield SSO with Google Apps services.

Register a Google Apps service in DualShield
1. In the Service Provider list, click Register Google Apps.
2. In the popup window, provide a name for your Google Apps service and its domain.
3. Click Save.

Create the SSO server's certificate file
Instead of the SSO server's metadata, Google Apps requires the SSO server's certificate: Google uses it to verify the signature on the SAML responses your SSO server issues, so it must be the signing certificate published in the SSO server's metadata. Currently, the DualShield Management Console lacks a quick way to download an SSO server's certificate. You will have to create the certificate file by extracting it from the SSO server's metadata.
1. Download the SSO server's metadata.
2. Save the metadata to a file and open it with a text editor.
3. Select the text block from <ds:X509Certificate> to </ds:X509Certificate>, including both tags, and copy it to the clipboard. (The element names are case-sensitive in the metadata. If the metadata contains more than one certificate, take the one inside the KeyDescriptor marked use="signing".)
4. Create a new, blank text file.
5. Paste the text block from the clipboard into the new text file.
6. Replace <ds:X509Certificate> with -----BEGIN CERTIFICATE-----
7. Replace </ds:X509Certificate> with -----END CERTIFICATE-----
8. Make sure each marker is on a line of its own and save the file. The result is a standard PEM certificate file; if a tool rejects it, re-wrap the Base64 body at 64 characters per line, the conventional PEM line length.

Configure Google Apps
1. Log in to your Google Apps control panel. Typically, the URL is https://www.google.com/a/xxx.xxx, where xxx.xxx is your Google Apps domain name, e.g. deepnetid.com.
2. Click Advanced tools.
3. Click Set up single sign-on (SSO).
4. Complete the form as below:

Sign-in page URL:
http://dualshield.deepnetsecurity.com:8074/appsso/login?DASApplicationName=GoogleApps
Sign-out page URL:
http://dualshield.deepnetsecurity.com:8074/appsso/logout?DASApplicationName=GoogleApps&entityid=google.com/a/deepnetid.com
Change password URL:
http://dualshield.deepnetsecurity.com:8074/appsso/chpwd

Replace dualshield.deepnetsecurity.com:8074 with the host name and port of your own DualShield SSO server. (8074 is the default TCP port number of the DualShield SSO server. Yours might be different, and you might wish to NAT it to the HTTP/S port (80/443).) The example URLs above use plain http; users type their DualShield credentials into the sign-in page, so publish the SSO server over https with a certificate your users' browsers trust, and enter https URLs here.
Replace GoogleApps in DASApplicationName=GoogleApps with the name of the application that you have published on your DualShield SSO Agent in the DualShield management console. (In this example it happens to be named GoogleApps, but you can name your application whatever you like.)
Replace deepnetid.com with the domain name of your Google Apps service.
5. Click the Replace certificate link.
Choose the DualShield SSO server's certificate file that you created in the last section, then upload it.
6. Finally, click Save Changes.

Your Google Apps service is now integrated with DualShield SSO, and its logon is protected by DualShield multi-factor authentication.

Authentication
Once your web or cloud applications are integrated with the DualShield SSO server, a user who attempts to log in to one of them is automatically redirected to DualShield SSO. When the DualShield SSO Server has successfully authenticated the user, the user is automatically redirected back to the application and logged in.
Within the same session, the user can sign on to other applications that are protected by the same SSO server without being asked to authenticate again.
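The certificate-extraction steps in "Create the SSO server's certificate file" and the URL form in "Configure Google Apps" above, automated as an added Python example. This is not DualShield code and is not part of the original guide; it assumes only the standard SAML 2.0 metadata layout (md:KeyDescriptor / ds:KeyInfo / ds:X509Data / ds:X509Certificate) and the /appsso/... paths and DASApplicationName and entityid parameters exactly as the guide prints them. The metadata document and certificate bytes embedded at the bottom are constructed for the demonstration, not a real DualShield server's output.

```python
"""Build the SSO server certificate file and the Google Apps SSO form values
from DualShield SSO metadata.  Added example, not DualShield code.
Assumes the standard SAML 2.0 metadata layout:
  md:KeyDescriptor[@use] / ds:KeyInfo / ds:X509Data / ds:X509Certificate
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def extract_signing_cert_der(metadata_xml: str) -> bytes:
    """Return the DER bytes of the IdP's signing certificate.

    A KeyDescriptor marked use="signing" is preferred; one with no 'use'
    attribute may serve both purposes and is accepted as a fallback.  A
    use="encryption" key is never returned: uploading it to the SP would
    make every SAML response signature check fail.
    """
    root = ET.fromstring(metadata_xml)
    candidates = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        if use == "encryption":
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is None or not (el.text or "").strip():
            continue
        candidates.append((0 if use == "signing" else 1, el.text))
    if not candidates:
        raise ValueError("metadata carries no usable X509Certificate")
    candidates.sort(key=lambda c: c[0])
    # Metadata usually folds the Base64 over many lines; whitespace is not data.
    der = base64.b64decode("".join(candidates[0][1].split()), validate=True)
    # Cheap sanity check: a DER certificate is an ASN.1 SEQUENCE, tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded value is not a DER SEQUENCE, so not a certificate")
    return der


def der_to_pem(der: bytes) -> str:
    """PEM framing for Google's 'Replace certificate' upload (guide steps 6-8),
    re-folding the Base64 at the conventional 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to confirm the written file round-trips."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint; record it before uploading so the
    certificate the SP later displays can be compared against it."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def google_apps_sso_urls(sso_base: str, app_name: str, google_domain: str) -> dict:
    """The three URLs for Google's 'Set up single sign-on' form.

    sso_base is scheme://host[:port] of the DualShield SSO server.  The guide's
    example uses plain http on port 8074; this helper refuses anything but
    https, because users type their credentials into the sign-in page.
    Paths and parameter names are taken from the guide as printed.
    """
    if not sso_base.lower().startswith("https://"):
        raise ValueError("SSO sign-in URL must be https://, not " + sso_base)
    base = sso_base.rstrip("/") + "/appsso"
    app = quote(app_name, safe="")
    entity_id = quote("google.com/a/" + google_domain, safe="/")
    return {
        "sign_in": f"{base}/login?DASApplicationName={app}",
        "sign_out": f"{base}/logout?DASApplicationName={app}&entityid={entity_id}",
        "change_password": f"{base}/chpwd",
    }


# --- Constructed sample input (not real DualShield output) -------------------
# A minimal, well-formed DER SEQUENCE stands in for the signing certificate;
# an encryption-only key comes first to show that it is skipped.
SAMPLE_SIGNING_DER = bytes([0x30, 0x10]) + bytes(range(16))
SAMPLE_ENCRYPTION_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.example.com:8074/appsso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{textwrap.fill(base64.b64encode(SAMPLE_ENCRYPTION_DER).decode("ascii"), 20)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{textwrap.fill(base64.b64encode(SAMPLE_SIGNING_DER).decode("ascii"), 20)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    der = extract_signing_cert_der(SAMPLE_METADATA)
    with open("dualshield-sso.pem", "w") as fh:
        fh.write(der_to_pem(der))
    print("SHA-256:", sha256_fingerprint(der))
    for name, url in google_apps_sso_urls("https://sso.example.com:8074",
                                          "GoogleApps", "example.com").items():
        print(f"{name:16} {url}")
```

Run it against the metadata file downloaded from the management console instead of SAMPLE_METADATA to produce dualshield-sso.pem for the Replace certificate upload. Keeping the fingerprint with your change record lets you later confirm that the certificate Google holds is the one your SSO server signs with, and the https check in google_apps_sso_urls is the one deviation from the guide's literal example values.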