Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Similar documents
Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Cloud Secure Integration with ADFS. Deployment Guide

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

NETOP PORTAL ADFS & AZURE AD INTEGRATION

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Better MDM

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

TECHNICAL GUIDE SSO SAML Azure AD

Advanced Configuration for SAML Authentication

Integrating AirWatch and VMware Identity Manager

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Five9 Plus Adapter for Agent Desktop Toolkit

Cloud Secure. Microsoft Office 365. Configuration Guide. Product Release Document Revisions Published Date

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

Configure Unsanctioned Device Access Control

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Quick Start Guide for SAML SSO Access

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

OAM 2FA Value-Added Module (VAM) Deployment Guide

SecureAuth IdP Realm Guide

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Okta Integration Guide for Web Access Management with F5 BIG-IP

Azure MFA Integration with NetScaler

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

SAML-Based SSO Configuration

Introduction to application management

Add OKTA as an Identity Provider in EAA

Quick Start Guide for SAML SSO Access

Quick Connection Guide

Juniper Networks SSL VPN Integration Guide

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

QUICK NOTE: MULTI-FACTOR AUTHENTICATION

O365 Solutions. Three Phase Approach. Page 1 34

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Okta

D9.2.2 AD FS via SAML2

MyWorkDrive SAML v2.0 Okta Integration Guide

Configuring Alfresco Cloud with ADFS 3.0

ComponentSpace SAML v2.0 Okta Integration Guide

Single Sign-On (SSO)Technical Specification

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

All about SAML End-to-end Tableau and OKTA integration

SafeNet Authentication Manager

WebEx Connector. Version 2.0. User Guide

SAML-Based SSO Solution

4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access

Morningstar ByAllAccounts SAML Connectivity Guide

4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

.NET SAML Consumer Value-Added (VAM) Deployment Guide

Cloud Access Manager Configuration Guide

SAML-Based SSO Solution

Unity Connection Version 10.5 SAML SSO Configuration Example

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

SAML-Based SSO Configuration

Configuring ServiceNow

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

MyWorkDrive SAML v2.0 Azure AD Integration Guide

Quick Connection Guide

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Two factor authentication for Microsoft Outlook Web App (OWA)

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

Configuring Confluence

Two factor authentication for Microsoft Remote Desktop Web Access

2 Oracle WebLogic Overview Prerequisites Baseline Architecture...6

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Establishing two-factor authentication with Juniper SSL VPN and HOTPin authentication server from Celestix Networks

Setting Up the Server

Okta SAML Authentication with WatchGuard Access Portal. Integration Guide

Enterprise Access Gateway Management for Exostar s IAM Platform June 2018

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Oracle WebLogic. Overview. Prerequisites. Baseline. Architecture. Installation. Contents

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

Single Sign-On for PCF. User's Guide

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

CLI users are not listed on the Cisco Prime Collaboration User Management page.

SafeNet Authentication Service

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

RSA SecurID Access SAML Configuration for Datadog

AT&T Business Messaging Account Management

RSA SecurID Access SAML Configuration for Kanban Tool

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

Integrating YuJa Active Learning into Google Apps via SAML

RSA SecurID Access SAML Configuration for Microsoft Office 365

SafeNet Authentication Service

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Contents. Multi-Factor Authentication Overview. Available MFA Factors

Enabling Single Sign-On Using Okta in Axon Data Governance 5.4

Administering Jive Mobile Apps for ios and Android

Pulse Workspace Appliance. Administration Guide

Configure the Identity Provider for Cisco Identity Service to enable SSO

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Transcription:

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure Deployment Guide v1.0 May 2018

Introduction This document describes how to set up Pulse Connect Secure for SP-initiated SAML authentication using the Microsoft Azure Active Directory as the SAML IdP. It also describes the user experience with Web browser and Pulse Secure Client access methods. Prerequisites Ensure you have the following: Administrative access to the Azure Management Portal o Azure subscription that includes Active Directory and Multi-Factor Authentication (MFA) Pulse Connect Secure appliance running 8.2R1 or later. Process Steps The set up includes the following process steps: Setting up Microsoft Azure Active Directory Setting up Pulse Connect Secure 2018 Pulse Secure, LLC. All rights reserved 2

Setting up Microsoft Azure Active Directory Perform the following steps to configure Azure AD: 1. Log into the Azure Management Portal. 2. In the left pane, select ACTIVE DIRECTORY. 3. Select an active directory from the active directory list, and click APPLICATIONS. 4. Click the Add button at the bottom center of the page, click ADD. 2018 Pulse Secure, LLC. All rights reserved 3

5. In the pop-up window displayed, click Add an application my organization is developing. 6. In the Tell us about your application window, enter a name for the application. This has only local significance inside Azure. Example: PCS-MFA Keep the default option, WEB APPLICATION AND/OR WEB API, and click Next to continue. 7. In the App properties window, do the following: 2018 Pulse Secure, LLC. All rights reserved 4

a. SIGN-ON URL Enter a URL. As this solution is supported only for SP-Initiated SAML authentication, meaning the user will first connect to the Pulse Connect Secure service and then be redirected to Microsoft Azure. This URL is never used, but it must be provided. In this example, it is https://pcs.adminuser1.net/saml.sso/saml2/post b. APP ID URI This is a VERY important entry, as it must match the unique Service Provider (SP) Entity ID configured in the Pulse Connect Secure SAML Authentication Server later in this document. By default, in the Pulse Connect Secure, this is set to: https://[fqdn of PCS]/dana-na/auth/saml-endpoint.cgi?p=sp1 where the ending sp1 indicates it is the first SAML Service Provider. As there could be others already defined, you might have to go back and change this later. In this example, this is set to https://pcs.adminuser1.net/dana-na/auth/saml-endpoint.cgi?p=sp2; click the tick mark to complete. Note: App ID URI can be changed later. So, do not worry if you did not get this correct. 8. After the application is added, click CONFIGURE. 9. Scroll down to the single sign-on section and verify that App ID URI is the same as in step 7.b, that is https://pcs.adminuser1.net/dana-na/auth/saml-endpoint.cgi?p=sp2. Note, that this must match the unique Service Provider (SP) Entity ID to be configured on the PCS SAML Authentication server. 2018 Pulse Secure, LLC. All rights reserved 5

10. Change the REPLY URL to the SAML consumer URL that is used in Pulse Connect Secure. This has the format: https://[fqdn of PCS]/dana-na/auth/saml-consumer. In this example, it is: https://pcs.adminuser1.net/dana-na/auth/saml-consumer.cgi. 11. Click the Save button at the bottom of the page. 12. Click VIEW ENDPOINTS at the bottom of the screen. The App Endpoints window displays the list of endpoints. Note that the Federation Metadata Document URL is the Metadata URL for this application. In this example: https://login.microsoftonline.com/d2bef2fc-7f18-447b-92e2-2339e41e175d/federationmetadata/2007-06/federationmetadata.xml Copy and save this URL. We will return to this later in the Pulse Connect Secure configuration. 13. Close the VIEW ENDPOINTS page by clicking the tick mark. 14. Click MANAGE MANIFEST at the bottom of the screen, and select Download Manifest and save the file to your local machine. 15. Open the file in a notepad from the saved location and search for logouturl. "homepage": "https://pcs.adminuser1.net/saml.sso/saml2/post", "identifieruris": ["https://pcs.adminuser1.net/dana-na/auth/saml-endpoint.cgi?p=sp2"], "keycredentials": [], "knownclientapplications": [], 2018 Pulse Secure, LLC. All rights reserved 6

"logouturl": null, "oauth2allowimplicitflow": false, 16. Configure the logouturl: It has the format like https:// [fqdn of PCS]/Saml.sso/SLO/Redirect So in this example it is: "homepage": "https://pcs.adminuser1.net/saml.sso/saml2/post", "identifieruris": ["https://pcs.adminuser1.net/dana-na/auth/saml-endpoint.cgi?p=sp2"], "keycredentials": [], "knownclientapplications": [], "logouturl": "https://pcs.adminuser1.net/saml.sso/slo/redirect", "oauth2allowimplicitflow": false, 17. Save the file. 18. Click MANAGE MANIFEST at the bottom of the screen, and select Upload Manifest. 19. In the Upload Manifest window, browse and upload the file you saved. This concludes the setup in Microsoft Azure. In next section you will configure the Pulse Connect Secure to use this SAML2.0 IdP as a SAML Authentication server. 2018 Pulse Secure, LLC. All rights reserved 7

Setting up Pulse Connect Secure To configure Pulse Connect Secure as a SAML Service Provider (SP) to Azure as the SAML IdP, start by importing the metadata from Azure. 1. Go to System > Configuration > SAML. 2. Select New Metadata Provider. 3. Set a name for the Metadata provider. 4. In the Metadata Provider Location Configuration section: o o If the Pulse Connect Secure has internet access from the Internal interface, the Remote option can be used with the URL copied in step 12 above. In this example: https://login.microsoftonline.com/d2bef2fc-7f18-447b-92e2-2339e41e175d/federationmetadata/2007-06/federationmetadata.xml If the Pulse Connect Secure do not have internet access from the Internal interface, open a browser and go to the saved URL. In this example: https://login.microsoftonline.com/d2bef2fc-7f18-447b-92e2-2339e41e175d/federationmetadata/2007-06/federationmetadata.xml And save the content in a file on your local computer. Then use the Local option and upload the metadata to Pulse Connect Secure. 2018 Pulse Secure, LLC. All rights reserved 8

5. Select the Identity Provider (IdP) Role for the new Metadata provider, and save changes. 6. Create a SAML Authentication Server. a. Go to Authentication > Auth. Servers. b. Select New: SAML Server and click New Server c. Set a Server Name, locally used in Pulse Connect Secure. Select SAML Version 2.0 and Configuration Mode Metadata. d. Use the *Identity Provider Entity Id: field to pick the Metadata provider to be used. This will use the remote or locally uploaded metadata from Azure, and automatically sets various parameters for the SAML authentication server. 2018 Pulse Secure, LLC. All rights reserved 9

User Name Template The User Name template sets the attribute from the Azure IdP that the Pulse Connect Secure will use internally as the user name for the authenticated user in Active Users, logs etc. If this field is left blank, then Pulse Connect Secure uses the persistent NameID used by Microsoft, urn:oasis:names:tc:saml:2.0:nameid-format:persistent. That is an anonymous string like 0P_DMpDOO_VeIsV2Xim7ylaJTBJRR7pjTZeBlX7xSFw and is not really good to use in the Pulse Connect Secure as it gives no real user visibility. As you add a new user to Azure AD, you add few other variables like User Name, First Name, Last Name, and Display Name. These are present in the SAML Assertion returned to PCS as SAML attributes: Variable userattr.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name = nstark@adminuser1.net Variable userattr.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname = "Ned" Variable userattr.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname = "Stark" Variable userattr.http://schemas.microsoft.com/identity/claims/displayname = "Ned Stark" These attributes include special characters like : and /, which need to be suppressed when used in the User Name Template field. This is done using the { } enclosure around the attribute. <userattr.{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}> will set the name attribute nstark@adminuser1.net as the username. <userattr.{http://schemas.microsoft.com/identity/claims/displayname}> will set the displayname attribute Ned Stark as the username. In this example, the attribute <userattr.{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}> has been used as User Name Template attribute. 2018 Pulse Secure, LLC. All rights reserved 1 0

e. Single Logout is an optional setting. If this option is selected, it prompts for a new authentication after logout. If this option is not selected and you have not closed the browser, you can reconnect without authentication. f. Next, select the Requested Authn Context Class as Password and the Comparison Method as exact. g. Finally, set the Metadata Validity in terms of number of days. In this example: 100 days. 2018 Pulse Secure, LLC. All rights reserved 1 1

7. Save the Authentication server, then open the Authentication server to validate that the Connect Secure Entity Id: is matching the APP ID URI as in step 7b in the Setting up Microsoft Azure Active Directory section above. If it is not matching, go back to step 8 in the Setting up Microsoft Azure Active Directory section and edit the entry to match the SAML Authentication Server Connect Secure Entity Id. 8. Once that is done, or if it did already match, configure a Realm to use this Authentication Server and you are now ready to use the service. 2018 Pulse Secure, LLC. All rights reserved 1 2

User Experience This section describes accessing Pulse Connect Secure using Web browser and Pulse Secure Client. Browser Access Windows 10 using Edge Browser Note: These examples use another user account: admin@adminuser1.net When you access the Pulse Connect Secure Sign-in URL, you are automatically redirected to the Microsoft login page and authenticated with your Azure AD credentials. As this account is set up with Multi-Factor Authentication (MFA), you must provide additional information to successfully authenticate. This verification code can be submitted via SMS, phone call, verification pushed to mobile device application that needs to be accepted, or an actual T-OTP verification code sent from the mobile application. In this example, it is a T-OTP verification code from the Azure Authenticator Mobile Application installed on an Apple iphone. For more details on Microsoft Azure MFA and options, please refer to https://azure.microsoft.com/en-us/services/multi-factor-authentication/ 2018 Pulse Secure, LLC. All rights reserved 1 3

For the prompt to provide additional verification code, use the generated T-OTP in the Mobile App. You are then redirected back to the Pulse Connect Secure service with an authenticated session. 2018 Pulse Secure, LLC. All rights reserved 1 4

In the Pulse Connect Secure admin UI, this session can be seen in the Active Users page for the user admin@adminuser1.net 2018 Pulse Secure, LLC. All rights reserved 1 5

Pulse Secure Client Windows 10 using Pulse Secure Client for Windows 5.2.3 In the case of using Pulse Secure Client to access the Pulse Connect Secure service, you use a connection in the Pulse Secure Client. As this access uses SAML Authentication, a Browser window will be opened for the authentication to MS Azure. You will be prompted for authentication with your Azure AD credentials as well as the additional verification code. 2018 Pulse Secure, LLC. All rights reserved 1 6

Once the authentication is successful, the browser window will automatically be closed and the VPN connection is up. The above cases are provided as a few examples as this works with macos, Apple ios, Android and other OS and Web browsers as well. 2018 Pulse Secure, LLC. All rights reserved 1 7

References https://azure.microsoft.com/en-us/services/multi-factor-authentication/ https://www.pulsesecure.net/download/techpubs/current/708/pulse-connectsecure/pcs/8.2rx/ps-pcs-sa-8.2r3.0-admin-guide.pdf 2018 Pulse Secure, LLC. All rights reserved 1 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback