Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for SonicWALL Secure Remote Access


SafeNet Authentication Manager Integration Guide: Using SAM as an Identity Provider for SonicWALL Secure Remote Access
Copyright 2013 SafeNet, Inc. All rights reserved.

Document Information
Document Part Number: 007-012956-001, Rev. A
Release Date: February 2015

Trademarks
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

Disclaimer
SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes. We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product. SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

Contact Method: Contact Information
Mail: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Email: TechPubs@safenet-inc.com

Contents
Third-Party Software Acknowledgement ... 4
Description ... 4
Applicability ... 4
Environment ... 4
Audience ... 5
SAML Authentication using SAM ... 5
Authentication Flow using SAM ... 5
SAML Prerequisites ... 5
Configuring SafeNet Authentication Manager ... 6
  Synchronizing User Stores to SafeNet Authentication Manager ... 6
  Assigning a Token in SAM ... 6
  Configuring SAM as an Identity Provider ... 7
  Exporting the SAM Certificate ... 8
  Configuring SAM for SAML-based User Federation ... 10
Configuring SonicWALL Secure Remote Access ... 13
  Importing a SAM Certificate ... 13
  Creating a Realm ... 16
  Creating a User ... 20
  Applying the Configuration Changes ... 22
Running the Solution ... 23
Support Contacts ... 25

Third-Party Software Acknowledgement
This document is intended to help users of SafeNet products when working with third-party software, such as SonicWALL Secure Remote Access. Material from third-party software is being used solely for the purpose of making instructions clear. Screen images and content obtained from third-party software will be acknowledged as such.

Description
SafeNet Authentication Manager (SAM) is a versatile authentication solution that allows you to match the authentication method and form factor to your functional, security, and compliance requirements. Use this innovative management service to handle all authentication requests and to manage the token lifecycle.

SonicWALL Secure Remote Access (SRA) appliances extend secure remote networking over an SSL VPN to potentially thousands of locations, providing anytime, anywhere access. The encrypted SSL VPN tunnel protects the transmitted data. In addition, as an added layer of protection, granular access controls allow the administrator to delegate access privileges to different individuals or groups so that they can access only specific, defined resources. SonicWALL SRA appliances integrate seamlessly with virtually any firewall.

This document describes how to:
- Deploy multi-factor authentication (MFA) options in SonicWALL Secure Remote Access using SafeNet tokens managed by SafeNet Authentication Manager.
- Configure SAML authentication in SonicWALL Secure Remote Access using SafeNet Authentication Manager as an identity provider.

It is assumed that the SonicWALL Secure Remote Access environment is already configured and working with static passwords prior to implementing multi-factor authentication using SafeNet Authentication Manager.

SonicWALL Secure Remote Access can be configured to support multi-factor authentication in several modes. In this guide, SAML authentication is the mode used for working with SafeNet Authentication Manager.

Applicability
The information in this document applies to:
- SafeNet Authentication Manager: a server version of SAM that is used to deploy the solution on-premises in the organization.

Environment
The integration environment that was used in this document is based on the following software versions:
- SafeNet Authentication Manager 8.2 HF 468
- SonicWALL Secure Remote Access 10.7.1 (HF clt-hotfix-10.7.1-449, pform-hotfix-10.7.1-474)

Audience
This document is targeted to system administrators who are familiar with SonicWALL Secure Remote Access and are interested in adding multi-factor authentication capabilities using SafeNet Authentication Manager.

SAML Authentication using SAM
SAM provides a SAML authentication option that is already implemented in the SAM environment and can be used without any installation.

Authentication Flow using SAM
SafeNet Authentication Manager communicates with a large number of service providers and cloud-based services solutions using the SAML protocol. The image below describes the data flow of a multi-factor authentication transaction for SonicWALL Secure Remote Access.
1. A user attempts to log on to SonicWALL Secure Remote Access. The user is redirected to SafeNet Authentication Manager (SAM). SAM collects and evaluates the user's credentials.
2. SAM returns a response to SonicWALL Secure Remote Access, accepting or rejecting the user's authentication request.

SAML Prerequisites
To enable SafeNet Authentication Manager to receive SAML authentication requests from SonicWALL Secure Remote Access, ensure that end users can authenticate through the SonicWALL Secure Remote Access environment with a static password.

Configuring SafeNet Authentication Manager
Using SAM as an identity provider for SonicWALL Secure Remote Access requires the following:
- Synchronizing User Stores to SafeNet Authentication Manager, page 6
- Assigning a Token in SAM, page 6
- Configuring SAM as an Identity Provider, page 7
- Exporting the SAM Certificate, page 8
- Configuring SAM for SAML-based User Federation, page 10

Synchronizing User Stores to SafeNet Authentication Manager
SAM manages and maintains token information in its data store, including the token status and the token assignment to users. For user information, SAM can be integrated with an external user store. During the design process, it is important to identify which user store the organization is using, such as Microsoft Active Directory. If the organization is not using an external user store, SAM uses an internal (stand-alone) user store created and maintained by the SAM server.

SAM 8.2 supports the following external user stores:
- Microsoft Active Directory 2003, 2008, 2008 R2, 2012, and 2012 R2
- Novell eDirectory
- Microsoft ADAM/AD LDS
- OpenLDAP
- Microsoft SQL Server 2005 and 2008
- IBM Lotus Domino
- IBM Tivoli Directory Server

Assigning a Token in SAM
SAM supports a number of OTP authenticators that can be used as a second authentication factor for users authenticating through SonicWALL Secure Remote Access. The following tokens are supported:
- eToken PASS
- SafeNet GOLD
- SafeNet eToken 3400
- SafeNet eToken 3500
- eToken NG-OTP
- MobilePASS
- SafeNet eToken Virtual products
- MobilePASS Messaging
- SafeNet Mobile Authentication (iOS)

Tokens can be assigned to users as follows:
- SAM Management Center: Management site used by SAM administrators and help desk for token enrollment and lifecycle management.
- SAM Self-Service Center: Self-service site used by end users for managing their tokens.
- SAM Remote Service: Self-service site used by employees not on the organization's premises as a rescue website to manage cases where tokens are lost or passwords are forgotten.

For more information on SafeNet's tokens and service portals, refer to the SafeNet Authentication Manager 8.2 Administrator's Guide.

Configuring SAM as an Identity Provider
To use SonicWALL Secure Remote Access as a service provider and SAM as an identity provider, SAM must be set as an identity provider.
1. From the Windows Start menu, click All Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
2. On the SafeNet Authentication Manager Configuration Manager window, from the menu bar, click Action > Cloud Configuration.

(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
3. On the Cloud Settings window, click the Info for Service Provider tab. In the Domain URL field, enter the web address of the SAM portal server. The system fills in the rest of the fields according to the Domain URL entered.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)

Exporting the SAM Certificate
The SAM certificate is shared between SAM and SonicWALL Secure Remote Access. The certificate will be used to sign the authentication requests.

1. From the Windows Start menu, click All Programs > SafeNet > SafeNet Authentication Manager > Configuration Manager.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
2. On the SafeNet Authentication Manager Configuration Manager window, click Action > Cloud Configuration.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
3. On the Cloud Settings window, click the Info for Service Provider tab. Click Export Certificate and save the certificate file. Later, this certificate file needs to be imported into SonicWALL Secure Remote Access.

(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)

Configuring SAM for SAML-based User Federation
SafeNet Authentication Manager's Token Policy Object (TPO) policies include Application Authentication Settings for SAML service providers. These settings are used by SAM's portal to communicate with service providers. For general portal configuration, refer to the SafeNet Authentication Manager 8.2 Administrator's Guide.

To edit the Token Policy Object for SAM's portal configuration:
1. Open the Token Policy Object Editor for the appropriate group. Refer to the SafeNet Authentication Manager 8.2 Administrator's Guide for more information.
2. On the Token Policy Object Editor window, expand Protected Application Settings, and then click User Authentication.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
3. Double-click Application Authentication Settings.

4. On the Application Authentication Settings Properties window, perform the following steps:
   a. Select Define this policy setting.
   b. Select Enabled.
   c. Click Definitions.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
5. On the Application Authentication Settings window, right-click Application Authentication Settings, and then click Create a new profile.
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
6. Right-click the new profile and rename it to a friendly name (for example, SonicWall).
7. Click the new profile (for example, SonicWall).

(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
8. Double-click each of the following policies, and then enter the appropriate information:
   Application issuer: Enter the SonicWall EntityID, which will be used while configuring SonicWall.
   SAM issuer: Enter a unique SAM ID by which SAM is identified in SAML authentication.
   Application's login URL: Enter the SonicWall login URL. For example: https://<public IP of SonicWALL SRA Appliance>/saml2ssoconsumer
   Audience URI: Enter the same SonicWall EntityID that you entered in the Application issuer field.
   User mapping: Select the field name in your user repository that identifies your SonicWALL Secure Remote Access login name.
9. Enable the appropriate authentication methods for your organization. Refer to the SafeNet Authentication Manager Version 8.2 Administrator's Guide for detailed information on authentication methods.
The following is an example of the completed fields in the Application Authentication Settings window:
(The screen image above is from Microsoft. Trademarks are the property of their respective owners.)
10. Click OK until all of the Token Policy Object Editor windows are closed.

Configuring SonicWALL Secure Remote Access
To add SafeNet Authentication Manager as an identity provider in SonicWALL Secure Remote Access, perform the following procedures:
- Importing a SAM Certificate, page 13
- Creating a Realm, page 16
- Creating a User, page 20
- Applying the Configuration Changes, page 22

Importing a SAM Certificate
The SAM certificate is imported on the SonicWALL SRA appliance so that a trust can be established between SAM and the SonicWALL appliance. Before performing this activity, a SAM certificate should be downloaded. To download a SAM certificate, refer to Exporting the SAM Certificate on page 8.
1. Open the SonicWALL Management Console and log in as an administrator.
2. On the Aventail Management Console window, under System Configuration, click SSL Settings.

3. On the SSL Settings tab, under CA certificates, click the first Edit link (designated by the red box in the image below).
4. Under Filters, click New.

5. On the Import CA Certificate window, select the Certificate file option.
6. Click Choose File, and then select the downloaded SAM certificate.
7. Click Import. The SAM certificate is imported successfully.

Creating a Realm
A realm refers to an authentication server. It determines which access agents are provisioned to users, and the end point control restrictions that are imposed.
1. Open the SonicWALL Management Console.
2. On the Aventail Management Console window, under User Access, click Realms.
3. On the Realms tab, click the New realm link (designated by the red box in the image below).

4. On the Configure Realm window, in the General tab, complete the following details:
   a. In the Name field, enter a name for the realm.
   b. In the Authentication server field, click New.
   c. Under Authentication directory, select CA SiteMinder, and then click Continue. CA SiteMinder is the name given for SAML authentication by SonicWall.

   d. On the Configure Authentication Server window, complete the details as specified below, and then click Save.
      Name: Enter a name for the authentication server (for example, SAM SAML).
      Appliance ID: Enter a unique Entity ID of the SonicWALL Secure Remote Access appliance. This Entity ID must be the same as the one configured in SAM.
      Server ID: Enter the SAM Entity ID. It must match the entry in the SAM issuer field, in Configuring SAM for SAML-based User Federation on page 10.
      Authentication service URL: Enter the SAM Sign-in page URL. To obtain the URL, refer to step 3 in Configuring SAM as an Identity Provider on page 7.
      Logout service URL: Enter the SAM Sign-out page URL. To obtain the URL, refer to step 3 in Configuring SAM as an Identity Provider on page 7.
      Trust the following certificate: Select the SAM certificate that was imported in Importing a SAM Certificate on page 13.
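The SAM fields in step 8 of Configuring SAM for SAML-based User Federation and the SonicWALL fields in step 4d above must agree pairwise, and a mismatch typically shows up only as a rejected login. The following added example (not SafeNet or SonicWALL code) checks a SAML Response against those configured values; the entity IDs, URL and sample response are constructed placeholders.

```python
"""Checks a SAML 2.0 Response against the values this guide has you enter in
SAM (step 8) and on the SonicWALL SRA authentication server (step 4d).
Added example, not SafeNet or SonicWALL code; all values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# How the two sides' fields must line up (constructed placeholder values):
#   SAM "Application issuer" and "Audience URI"  == SRA "Appliance ID"
#   SAM "SAM issuer"                             == SRA "Server ID"
#   SAM "Application's login URL"                == SRA /saml2ssoconsumer endpoint
CONFIG = {
    "appliance_id": "sonicwall-sra.example.com",
    "sam_issuer": "sam-idp.example.com",
    "acs_url": "https://203.0.113.10/saml2ssoconsumer",
}

# Constructed response shaped like what the IdP posts to the ACS URL after the
# user passes OTP authentication; the signature value is a dummy.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2015-02-10T10:00:00Z" Destination="https://203.0.113.10/saml2ssoconsumer">
  <saml:Issuer>sam-idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-10T10:00:00Z">
    <saml:Issuer>sam-idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2015-02-10T09:59:00Z" NotOnOrAfter="2015-02-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sonicwall-sra.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, config, now_iso):
    """Return a list of mismatches (empty when every field lines up). Only the
    presence of a signature is checked; verifying it against the imported SAM
    certificate is the appliance's job and is not reproduced here."""
    problems = []
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination != Application's login URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    for elem in (root, assertion):  # both Issuer elements must name SAM
        issuer = elem.find("saml:Issuer", NS)
        if issuer is None or issuer.text != config["sam_issuer"]:
            problems.append("Issuer != SAM issuer / Server ID")
            break
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    audience = assertion.find(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != config["appliance_id"]:
        problems.append("Audience != Audience URI / Appliance ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # NotOnOrAfter is exclusive, NotBefore inclusive
        before, after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (before and now < _ts(before)) or (after and now >= _ts(after)):
            problems.append("assertion outside its validity window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID, nothing to map to the SRA user name")
    return problems
```

With the constructed values, check_response(SAMPLE_RESPONSE, CONFIG, "2015-02-10T10:01:00Z") returns an empty list; changing any one configured value, or evaluating after NotOnOrAfter, names the field that no longer lines up.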

5. On the Configure Realm window, the newly created authentication server is populated in the Authentication server field. Click Next > Finish. A realm is created and its details are displayed.

Creating a User
A user is an individual who needs access to resources on the corporate network. After creating users on the SonicWALL Secure Remote Access appliance, you can reference them in an Access Control Rule to permit or deny access to resources.
1. Open the SonicWALL Management Console.
2. On the Aventail Management Console window, under Security Administration, click Users & Groups.
3. On the Mapped Accounts tab, click New > Manual entry.

4. On the Add Mapped Account window, complete the details as specified below, and then click Save.
   Select realm: Select the realm you created in Creating a Realm on page 16.
   User type: Select User.
   User name: Enter the name of the user. The user name must be the same as specified in SAM.
   Display name: Enter the name of the user to display.
   Description: Enter the description of this mapped account.

Applying the Configuration Changes
After you have made the configuration changes, you need to apply them in the system.
1. Open the SonicWALL Management Console.
2. On the Aventail Management Console window, in the upper-right corner, click the Pending changes link.
3. On the Apply Pending Changes window, click Apply Changes. The changes are applied and the following message is displayed:
4. Click Close.

Running the Solution
The SonicWALL Aventail WorkPlace portal is used to verify this integration solution. The Aventail WorkPlace portal provides dynamically personalized access to web-based (HTTP) resources. It also gives users access from their web browsers to files and folders on Windows file servers, and to TCP/IP resources through Secure Mobile Access agents that can be provisioned from Aventail WorkPlace.

For this integration, the SafeNet NG-OTP token is configured for authentication with the SAM solution.

NOTE: While running the solution, if any Java or Security warning is shown, click Allow.
1. In a web browser, open the SonicWALL Aventail WorkPlace URL (for example, https://<appliance public IP>).
2. In the Log in to field, select an appropriate realm, and then click Next. The user will be redirected to the SAM login page.
3. In the Username field, enter your user name, and then click OK.

4. Generate an OTP using the SafeNet token. On the OTP Authentication window, enter the OTP in the OTP Authentication Code field, and then click OK. On successful authentication, you will be redirected to the SonicWall Aventail WorkPlace home page.

NOTE: If you are using SonicWALL for the first time, you will need to install the Secure Endpoint Manager. When you log in to Aventail WorkPlace, you will see an option to install the Secure Endpoint Manager. For more information, refer to the SonicWALL documentation.

Support Contacts
If you encounter a problem while installing, registering, or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact Method: Contact Information
Address: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017 USA
Phone: United States 1-800-545-6608; International 1-410-931-7520
Technical Support Customer Portal: https://serviceportal.safenet-inc.com. Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.