Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief


Qualys provides its customers the option to use SAML 2.0 Single Sign-On (SSO) authentication with their Qualys subscription. When implemented, Qualys users can seamlessly open a session using their corporate credentials and their web browser. Qualys acts as a SAML 2.0 Service Provider (SP) and can establish a trust relationship with any customer's SAML 2.0 Identity Provider (IdP). Customers can use any SAML 2.0 IdP vendor of their choice, including but not limited to Ping Identity, Shibboleth, Oracle Identity Federation and more.

Benefits

Enabling SAML 2.0 SSO with Qualys gives customers many benefits:

- Provides customers with full control over authentication of the hosted user accounts that can access Qualys.
- Allows users to use their corporate credentials to open a Qualys session.
- Automatically enforces the password policy applied centrally, and reduces the risk of weak or lost passwords by enforcing a single password policy that is specific to the customer's SAML deployment.
- Simplifies the process of granting and removing access to Qualys from a central management console.
- Reduces the time that users spend remembering and managing multiple passwords.

On Boarding Process

To start using SAML 2.0 SSO to open Qualys sessions, the following onboarding process has to be completed:

1) The customer sends an email to support@qualys.com to request SAML 2.0 SSO activation for their Qualys subscription. A CRM ticket is automatically created and is used as the reference for tracking all discussions concerning the activation of SAML 2.0 SSO.

2) Qualys Support replies to the ticket by email to share and request the technical information used to establish the trusted relationship between the customer's IdP and the Qualys SP, as follows (see the Appendix for full details; warning: this information might not be up-to-date, Support will share the latest version when the request is filed):
- Questions about the customer's SAML 2.0 Identity Provider (IdP)
- Technical information about the Qualys SAML 2.0 Service Provider (SP) that will be used to configure the customer's IdP.

Copyright 2018 by Qualys, Inc. All Rights Reserved.

3) Upon receipt of the customer's response, Qualys configures the trust relationship between the customer's IdP and the Qualys SP. This process takes approximately one week to complete.

4) Qualys sets up the trust relationship and notifies the customer once SAML has been enabled for their subscription. Qualys then provides a new unique URL, specific to the subscription, that users must use to open a session with SAML SSO (for example https://qualysguard.qualys.com/fo/login.php?idm_key=xyz, where xyz is a unique numerical identifier generated by Qualys to identify the customer's subscription).

How to test

At this point the customer can start testing that SAML SSO has been properly configured for their subscription using the following procedure:

1) A Qualys Manager enables SAML for a test user in the Qualys user settings.

[Screenshot: SAML enabled for a test user in the Qualys user settings]

Optional: if the customer chose to identify the user using the External ID field in the Qualys user settings, this information needs to be added as well (more details are provided in the User Provisioning section).

[Screenshot: External ID field in the Qualys user settings]

In this example, the email address has been used for the External ID.

2) The user testing SAML SSO should follow these steps:
- Use a web browser and open the unique URL provided by Qualys.
- The web browser should be redirected to the customer's SAML SSO page, where the user can enter their corporate login and password (for instance the Active Directory username and password).
- Upon successful authentication, the web browser should be redirected to Qualys and a valid session should be opened with the expected user identity.
- When logging out from Qualys, the web browser should be redirected to the optional exit URL provided by the customer.

User Provisioning

Qualys SAML 2.0 supports Single Sign-On authentication for user accounts that already exist in the customer's subscription. The customer needs to create a process to provision Qualys user accounts, whether it is a manual process using the Qualys user interface or an automatic process using the Qualys API (see further details below).

To properly identify each user authenticated using SAML SSO, a mapping between the customer's user identity (in the user store) and the Qualys accounts must be provided using one of the methods described below. The customer can choose the method that is most convenient for their environment:

1) Add the Qualys user login names to the SAML user identity (in the user store).

2) Update the Qualys accounts to add a unique user identifier in the External ID user property.

Customers who would like to use the Qualys API for user creation and provisioning will need to develop a software program. This program combines user account data extracted from the customer's user store (such as first name, last name, email address, etc.) with additional Qualys-specific user information, including the required Qualys user role (Manager, Unit Manager, Scanner, Reader, etc.) and user scope (list of asset groups). For example, the Qualys user role and scope can be derived from group membership information in the customer's user store. In this case the framework that describes the mapping logic between these groups and the Qualys user roles and scopes must be created by the customer.

Thank You

Thank you for your interest in Qualys SAML 2.0 Single Sign-On. If you have questions or if you want to provide us with feedback, please contact Qualys Support (www.qualys.com/support).
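As an added illustration of the customer-side provisioning program described in the User Provisioning section (example code, not Qualys's own and not the Qualys API): it derives the Qualys role and asset-group scope from directory group membership, builds per-user records for the External ID method, and shows how a NameID is matched to Qualys accounts under either mapping method, including the user-with-two-accounts case noted in the FAQ. The directory data, group names, asset groups and account logins are constructed, and the record field names are illustrative, not the Qualys API's parameters.

```python
# Constructed directory export (Active Directory attribute names, made-up values).
DIRECTORY_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jane.doe@example.com", "memberOf": ["Qualys-Managers"]},
    {"sAMAccountName": "bsmith", "givenName": "Bob", "sn": "Smith",
     "mail": "bob.smith@example.com", "memberOf": ["Qualys-Scanners-EMEA", "Qualys-Readers-US"]},
    {"sAMAccountName": "cday", "givenName": "Cy", "sn": "Day",
     "mail": "cy.day@example.com", "memberOf": ["Staff"]},
]
# The customer-defined framework: directory group -> (Qualys role, asset groups in scope).
# Group and asset-group names are hypothetical; the roles are the ones named in the brief.
GROUP_MAP = {"Qualys-Managers": ("Manager", []),            # Managers are not restricted by asset group
             "Qualys-Scanners-EMEA": ("Scanner", ["EMEA Servers"]),
             "Qualys-Readers-US": ("Reader", ["US Workstations"])}
ROLE_RANK = {"Manager": 0, "Unit Manager": 1, "Scanner": 2, "Reader": 3}   # lower = more privileged

def derive_role_and_scope(member_of):
    """Most privileged matching role wins; scope is the union of matched asset groups.
    Returns None when the user is in no Qualys group, i.e. must not get a Qualys account."""
    matches = [GROUP_MAP[g] for g in member_of if g in GROUP_MAP]
    if not matches:
        return None
    role = min((r for r, _ in matches), key=ROLE_RANK.__getitem__)
    return role, sorted({ag for _, ags in matches for ag in ags})

def plan_provisioning(directory_users=DIRECTORY_USERS):
    """One record per entitled user, ready to feed a Qualys user-creation call (method 2 of the brief:
    the directory mail becomes the Qualys External ID, and is what the IdP will send as the NameID)."""
    plan = []
    for u in directory_users:
        derived = derive_role_and_scope(u["memberOf"])
        if derived is None:
            continue                                     # not entitled: nothing to create
        role, scope = derived
        plan.append({"first_name": u["givenName"], "last_name": u["sn"], "email": u["mail"],
                     "user_role": role, "asset_groups": scope, "external_id": u["mail"]})
    return plan

# Constructed view of existing Qualys accounts in the subscription: (login name, External ID or None).
QUALYS_ACCOUNTS = [("abcd_jd", "jane.doe@example.com"), ("abcd_jd2", "jane.doe@example.com"), ("abcd_bs", None)]

def resolve_accounts(name_id, accounts=QUALYS_ACCOUNTS):
    """SSO-time mapping: the NameID equals either a Qualys login (method 1) or an External ID (method 2).
    More than one hit is the 'two accounts in one subscription' case, where Qualys asks the user to pick."""
    return [login for login, ext in accounts if name_id == login or (ext and name_id == ext)]
```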

Appendix 1: Customer On Boarding Questionnaire

In order to establish the trust relationship between the customer's SAML 2.0 Identity Provider and the Qualys SAML 2.0 Service Provider, the technical information listed below needs to be provided by the customer (refer to the information sent by Qualys Support for the latest details):

Thank you for your interest in SAML. In order to get started with this feature, please provide the following information. Your responses will be entered directly into a request for our Operations team to begin the SAML integration, so filling in the questions individually and completely will assist in efficient turnaround of your request.

1) EntityID string from your IdP (SAML Identity Provider) (typically has a format like urn:mace:incommon:example.com)
2) Public key certificate for the IdP (your organization's IdP certificate)
3) Your organization's SAML IdP SSO URL (for SP-initiated authentication requests)
4) Subscription (Qualys Manager Primary Contact username for the subscription, such as abcd_ef)
5) Custom exit URL for the subscription (optional). This is the URL where the user will be redirected when logging out from Qualys. For instance it can be the URL of your corporate web site.

For your information, Operations has provided the following:

1) QWEB SP entityID: QualysGuard_SharedPlatformSAML20SP
2) ACS URL for QWEB: https://qualysguard.qualys.com/idm/saml2/
3) Managers will be able to enable SAML support for sub-accounts after the feature is functioning on your subscription.

We will provide an update when SAML integration is complete, or if we need any additional information. Please do let me know if you have any other questions in the meantime.

Appendix 2: FAQ

Tell me about the unique Qualys SSO URL provided by Qualys

The unique URL https://qualysguard.qualys.com/fo/login.php?idm_key=xyz provided by Qualys as part of the onboarding process must be used to open a Qualys session using SAML SSO. The customer needs to share this URL with all users who will access Qualys with SAML SSO. Users can bookmark the URL in their web browsers. If users will log in from the customer's secure intranet, the customer can insert the URL into a web page within their environment.

Tell me about two factor authentication

The customer can choose to implement two factor authentication at their discretion, if their SAML IdP implementation supports it. It is the responsibility of the customer to enable and enforce a two factor authentication mechanism for their SAML SSO IdP.

How does a user change their password?

When SAML SSO is enabled for a user, passwords are not managed by Qualys. Instead, the user changes their SAML SSO password according to their company's policy.

Tell me about Qualys API access

The Qualys API requires valid user credentials for authentication, and SAML SSO cannot be used for this. A normal Qualys login/password must be used for all Qualys API requests.

Tell me about users who have two accounts in the same Qualys subscription

Upon successful authentication, Qualys will prompt the user to pick the user account that they would like to use.

What if a customer has two Qualys subscriptions?

The onboarding process needs to be done twice, once per Qualys subscription. You will receive two unique URLs, one for each subscription.

Are there any special Qualys account requirements?

Yes, the subscription must have the New Data Security Model enabled.

Does Qualys support SAML 1.1 or 2.0?

As of August 2012, Qualys only supports SAML 2.0.

Is it IdP initiated SSO or SP initiated?

Both Identity Provider (IdP) initiated and Service Provider (SP) initiated SSO are supported.

Which SAML 2.0 binding?

For SP initiated SSO, Qualys uses the HTTP Redirect binding to send the user to the IdP and expects the SAML response via HTTP POST. For IdP initiated SSO, Qualys expects the SAML response via HTTP POST.

When SAML is turned on for our account, can we use our own internal Active Directory user IDs, or do we need a field in our AD user accounts that matches the Qualys usernames (for example aem_dp)?

Users have the option to either store the Qualys username in each user record in their Active Directory, or use a unique ID coming from their AD and stored in the Qualys user profile under the External ID field. For more details, refer to the User Provisioning section in this document.

Last updated: November 27, 2018
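As an added example (not code from Qualys) of the bindings described in the FAQ: the SP side of an SP-initiated flow in Python, building the HTTP-Redirect AuthnRequest toward the IdP with the Qualys SP entityID and ACS URL from Appendix 1, and the checks an SP applies to the HTTP-POST Response before the NameID is trusted. The IdP SSO URL and the sample Response are constructed placeholders, and XML signature verification against the IdP certificate is assumed to be handled by the SAML library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SP_ENTITY_ID = "QualysGuard_SharedPlatformSAML20SP"        # QWEB SP entityID from Appendix 1
ACS_URL = "https://qualysguard.qualys.com/idm/saml2/"      # ACS URL from Appendix 1
IDP_SSO_URL = "https://idp.example.com/saml2/sso"          # placeholder for the customer's IdP SSO URL
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_redirect_url(request_id):
    """SP-initiated step: the AuthnRequest is raw-DEFLATEd, base64-encoded and URL-encoded (HTTP-Redirect)."""
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
             f'Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(FMT)}" Destination="{IDP_SSO_URL}" '
             f'AssertionConsumerServiceURL="{ACS_URL}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
             f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def decode_saml_request(url):
    """What the IdP does with the query string: base64-decode and inflate back to the AuthnRequest XML."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def check_response(response_xml, expected_request_id):
    """Checks the SP applies to the POSTed Response before trusting the NameID. Signature verification
    against the IdP certificate (questionnaire item 2) is left to the SAML library and not shown."""
    root, problems = ET.fromstring(response_xml), []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Qualys ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we sent")
    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", None, NS)
    if aud != SP_ENTITY_ID:
        problems.append("Audience is not the Qualys SP entityID")
    cond = root.find(".//saml:Conditions", NS)
    not_after = cond.get("NotOnOrAfter") if cond is not None else "1970-01-01T00:00:00Z"
    if datetime.now(timezone.utc) >= datetime.strptime(not_after, FMT).replace(tzinfo=timezone.utc):
        problems.append("assertion missing Conditions or expired")
    return root.findtext(".//saml:Subject/saml:NameID", None, NS), problems

def sample_response(request_id, minutes_valid=5, audience=SP_ENTITY_ID):
    """Constructed, unsigned stand-in for what the IdP would POST to the ACS URL (illustration only)."""
    not_after = (datetime.now(timezone.utc) + timedelta(minutes=minutes_valid)).strftime(FMT)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'Destination="{ACS_URL}" InResponseTo="{request_id}"><saml:Assertion ID="_a1" Version="2.0">'
            '<saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction><saml:Audience>{audience}'
            '</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```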