Version: 1.0.3 Update: April 2018 XPoint Network
Notice To Users

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of XPoint Network.

Copyright, Trademark

Copyright 2017 XPoint Network. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. XPoint Network reserves all ownership rights for the AppScaler product line including software and documentation. XPoint, the XPoint logo, AppScaler, and any other mark listed as a trademark in the Terms of Use portion of the XPoint Web site that is used herein are either registered trademarks or trademarks of XPoint Network and/or its subsidiaries in Hong Kong and/or other countries. Microsoft, Internet Explorer, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Limitations

This document is provided as is. XPoint Network has made efforts to ensure that the information presented herein is correct but makes no explicit guarantee or warranty as to the accuracy of the information contained herein. XPoint Network claims no responsibility, implied or otherwise, to anyone wishing to act on or follow the content of this document.
Table of Contents

INTRODUCTION
    Target Audience
    Conventions used in this publication
    Prerequisites
OVERVIEW
ADD ONE ACTIVE DIRECTORY USER
ADD ONE ACTIVE DIRECTORY BASED AAA SERVER
ADD ONE SSO PROFILE FOR AAA SERVER
ADD ONE ACCESS POLICY
ADD ONE VIRTUAL SERVICE
CONFIGURE SSO FOR VIRTUAL SERVICE
SSO TESTING
SSO LOGON REPORT
Introduction

This document describes the process for AppScaler SSO deployment based on Active Directory authentication:

- Add one Active Directory User
- Add one Active Directory based AAA Server
- Add one SSO Profile for AAA Server
- Add one Access Policy
- Add one virtual service
- Configure SSO for virtual service

Target Audience

This User Guide covers all aspects of AppScaler SSO deployment based on Active Directory authentication and is intended for both administrators and system integrators.

Conventions used in this publication

This publication uses various conventions to present information. Words that require special treatment appear in specific fonts or font styles.

Prerequisites

The following are required to configure AppScaler SSO deployment based on Active Directory authentication:

- Windows Active Directory installed
- Active Directory Domain configured correctly
- FQDN of virtual service configured correctly
Overview

AppScaler provides centralized and flexible application access authentication to consolidate identity access management infrastructure and realize enhanced security at a reduced operational cost. AppScaler combines advanced client authentication and access management with the programmability of Post Form, so it can offload authentication processing from business applications, making for a simpler, more flexible and secure environment.

Providing SSO across applications deployed on heterogeneous platforms requires standardization on a common identity and access management framework. AppScaler supports a wide range of authentication protocols including LDAP, RADIUS, RSA SecurID, Kerberos, and NTLM.

This document outlines the process for providing pre-authentication against the Active Directory authentication schema. When a user accesses an SSO-enabled virtual service, the login form is displayed for the user to enter credentials. AppScaler passes the credentials to Active Directory for authentication. If authentication fails, the user cannot access the virtual service. If authentication succeeds, the user's session is stored and the user can access all the virtual services with the same SSO profile.
Add one Active Directory User

An Active Directory user needs to be added; its credentials are used for the AD authentication testing.

To add one Active Directory user:

1. Click Start -> Administrative Tools -> Active Directory Users and Computers
2. Go to the user section
3. Input the user details and click Next
4. Input the password and click Next
5. Click Finish
Add one Active Directory based AAA Server

To add one Active Directory based AAA Server:

1. Log in to the WebUI and navigate to SLB -> Profiles
2. Click Manage for Access Policy
3. In the AAA Server tab, click Add
4. In the Add AAA Server page, enter the following
5. Click Save

Settings and descriptions:

- Type: The type for this AAA Server, including: LDAP, Radius, SecurID, Kerberos
- Name: The name of this AAA Server
- IP Address:Port: The IP Address and Port of this AAA Server
- Account Name: The user name for this AAA Server authentication
- Account Password: The password for this AAA Server authentication
- Notes: The notes for this AAA Server

The AAA Server will be shown.
Add one SSO Profile for AAA Server

To add one SSO Profile for AAA Server:

1. Log in to the WebUI and navigate to SLB -> Profiles
2. Click Manage for Access Policy
3. In the SSO Profile tab, click Add
4. In the Add SSO Profile page, enter the following
5. Click Save

Settings and descriptions:

- Name: The name of this SSO Profile
- SSO Ident: The SSO Ident for this SSO Profile
- Root domain: The root domain for this SSO Profile
- Notes: The notes for this AAA Server
- Type: Either Single Authentication or Dual Authentication
- AAA Server: Choose the AAA Server for this SSO Profile
- Session Timeout: The session time out for this SSO Profile
- Login Format: The login format for this SSO Profile
- Max Login Tries: The max login attempts
- Lockout Timeout: The locked time for failed login

The SSO Profile will be shown.
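The following added example is a conceptual model, not AppScaler code, of how the pre-authentication flow from the Overview interacts with the Session Timeout, Max Login Tries and Lockout Timeout settings of an SSO Profile. The class names, the hosts mail.test.com and lab.test.com, the sample account, the use of seconds for both timeouts and the exact lockout rule are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class SSOProfile:
    name: str
    session_timeout: int        # seconds (unit assumed)
    max_login_tries: int
    lockout_timeout: int        # seconds (unit assumed)
    sessions: dict = field(default_factory=dict)      # token -> (user, expiry)
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

class Gateway:
    """Conceptual pre-authentication gate (hypothetical, not AppScaler code)."""
    def __init__(self, aaa_check, vs_profile):
        self.aaa_check = aaa_check    # stand-in for the Active Directory AAA server
        self.vs_profile = vs_profile  # virtual service FQDN -> SSOProfile

    def login(self, fqdn, user, password, now):
        p = self.vs_profile[fqdn]
        if now < p.locked_until.get(user, 0):
            return None               # locked out: the AAA server is not queried
        if not self.aaa_check(user, password):
            p.failures[user] = p.failures.get(user, 0) + 1
            if p.failures[user] >= p.max_login_tries:
                p.locked_until[user] = now + p.lockout_timeout
                p.failures[user] = 0
            return None
        p.failures.pop(user, None)
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        p.sessions[token] = (user, now + p.session_timeout)
        return token

    def allowed(self, fqdn, token, now):
        p = self.vs_profile[fqdn]
        user, expiry = p.sessions.get(token, (None, 0))
        if user is None or now >= expiry:
            p.sessions.pop(token, None)     # drop expired sessions
            return False
        return True

def build_demo():
    directory = {"alice": "S3cret!"}        # constructed sample account
    corp = SSOProfile("corp", 900, 3, 300)
    lab = SSOProfile("lab", 900, 3, 300)
    vs = {"abc.test.com": corp, "mail.test.com": corp, "lab.test.com": lab}
    return Gateway(lambda u, pw: directory.get(u) == pw, vs)
```

In this model a session opened on abc.test.com is honoured on mail.test.com because both use the same profile, while lab.test.com, bound to a different profile, still requires its own login.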
Add one Access Policy

To add one Access Policy:

1. Log in to the WebUI and navigate to SLB -> Profiles
2. Click Manage for Access Policy
3. In the Access Policy tab, click Add
4. In the Add Access Policy page, enter the following
5. Click Save

Settings and descriptions:

- Name: The name of this Access Policy
- Notes: The notes for this access policy
- SSO Profile Type: Either SSO Profile or SSO Profile Group
- SSO Profile: Choose one SSO Profile
- SSO Method: The SSO Method for this access policy, including:
    - Client Initiated HTTP Form
    - Client Initiated HTTP Form + RS HTTP Basic Auth
    - Client Initiated HTTP Form + RS HTTP Form
    - Client Initiated HTTP Form + RS Kerberos
    - Client HTTP NTLM Auth
    - Client HTTP NTLM Auth + RS Kerberos
    - Client HTTP Basic Auth
    - Client Auth Pass Through
- Login Form: Choose one login form
- Enable Password: Enable or disable password field in login form
- Logout URL: The logout url string
- Password Reset URL: The password reset url string
- Login Session/Cookie: The login cache option
- SSO Log Level: The option for SSL Log

The Access Policy will be shown.
Add one virtual service

To add one virtual service:

1. Log in to the WebUI
2. Navigate to SLB -> Virtual Server and click the Add button
3. Set up one HTTP based virtual server. Note that you need to choose HTTP in the Service Type dropdown list
4. Click Save and the new Virtual Server will be displayed
5. To add a new real server to this virtual server, click the icon in the Action column
6. In the Real Server tab, click Add
7. Add the real server
8. Click Save. You can add more real servers for this virtual server
Configure SSO for virtual service

To configure SSO for virtual service:

1. Log in to the WebUI with account admin/password
2. Navigate to SLB -> Virtual Server
3. Go to the row of the virtual server and click the icon in the Action column
4. Click the Edit button beside Single Sign On in the General Properties tab
5. In the Edit Single Sign On Configuration page, choose one access policy
6. Click Save

Settings and descriptions:

- Access Policy: Set the Access Policy for this virtual server. If No SSO is selected, Single Sign On is disabled.
- VS FQDN: The FQDN for this virtual server
- Start URI: The access URI for this virtual server
- WhiteList URI: The URI will not be subjected to Single Sign On
SSO Testing

To test the SSO for the virtual service:

1. Open your browser and access the FQDN of the virtual server; in this example, it is http://abc.test.com
2. The login form will pop up
3. Input the username and password and click the Login button
4. If authenticated, you will be redirected to the virtual service
SSO Logon Report

To access the SSO logon report:

1. Navigate to Log & Report -> SSO Report
2. Choose the SSO Profile and click View