sma 11.4 saml 2.0 identity provider configuration...

Dell™ SMA 11.4 and SAML Identity ProviderConfiguration Guide

Copyright© 2016 Dell Inc. All rights reserved.

This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL, and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Dell SMA 11.4 and SAML Identity Provider Configuration GuideUpdated - July 2016Version - 11.4232-003305-00 Rev A

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Dell SMA 11.4 and SAML Identity Provider Configuration Guide 1

Introduction to SAML Identity Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Downloading a certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Configuring SAML Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Azure Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Configuring Azure Active Directory as an SMA Authentication Server . . . . . . . . . . . . 6Adding the SMA application to Azure Active Directory . . . . . . . . . . . . . . . . . . . . .10Configuring Single Sign-On for the SMA application . . . . . . . . . . . . . . . . . . . . . . .11Assigning users and groups to the SMA application . . . . . . . . . . . . . . . . . . . . . . .14

Dell™ One Identity Cloud Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15Configuring Dell One Identity CAM as an SMA Authentication Server . . . . . . . . . . . .15Adding the SMA Application to One Identity Cloud Access Manager . . . . . . . . . . . . .19

OneLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25Configuring OneLogin as an SMA Authentication Server . . . . . . . . . . . . . . . . . . . . .25Adding the SMA Application to OneLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

Ping Identity PingOne . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31Configuring Ping Identity PingOne as an SMA Authentication Server . . . . . . . . . . . . .31Adding the SMA Application to Ping Identity PingOne . . . . . . . . . . . . . . . . . . . . . .34

Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39Configuring Salesforce as an SMA Authentication Server . . . . . . . . . . . . . . . . . . . .39Adding the SMA Application to Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Contents

1

Introduction to SAML Identity Providers

This configuration guide describes how to configure Security Assertion Markup Language (SAML) Identity Providers on an SMA Authentication Server.

Some of configuration procedures in this document require that you download and install a security certificate from the internet before you can complete the procedure. The correct certificate must be available for selection from the Trust the following certificate drop-down menu on the Configure Authentication Server dialog of the System Configuration > Authentication Servers page on the SMA appliance.

The Downloading a certificate procedure must be done before you can complete the configuration procedures in this document. Which certificate you need is given in the configuration procedure for the specific Identity Provider (IdP). See Configuring SAML Authentication Servers on page 5.

Downloading a certificateThis procedure must be done before you can select a certificate from the Trust the following certificate drop-down menu in the configuration procedures.

To download and install a certificate:

1 Download the certificate you want from the Configure Single Sign-on at <APP_NAME> screen that appears during the application registration.

2 Go to the System Configuration > SSL Settings page.

NOTE: The Identity Provider User Interface (UI) pages are subject to change without notice, and may be different than the UI pages used as examples in this document.


3 Under CA Certificates, click Edit.

4 Click New.


5 Select one of the following options:

a Select Certificate file and browse to select the certificate you want.

b Select Certificate text and enter the certificate text that you want.

6 Click Import.

The certificate should now appear in the Trust the following certificate drop-down menu.


2

Configuring SAML Authentication Servers

Topics

• Configuring Azure Active Directory as an SMA Authentication Server

• Configuring Dell One Identity CAM as an SMA Authentication Server

• Configuring OneLogin as an SMA Authentication Server

• Configuring Ping Identity PingOne as an SMA Authentication Server

• Configuring Salesforce as an SMA Authentication Server

This section describes how to configure the various SAML Authentication Servers (IDP).

Some of these configuration procedures require that you already have certain certificates downloaded and installed on your SMA appliance, so that they are available from the Trust the following certificate drop-down menu. See Downloading a certificate on page 2 for details on how to do this.


Azure Active Directory This section describes how to configure the Azure Active Directory (AD) as an SMA Authentication Server.

Topics

• Configuring Azure Active Directory as an SMA Authentication Server

• Adding the SMA application to Azure Active Directory

• Configuring Single Sign-On for the SMA application

• Assigning users and groups to the SMA application

Configuring Azure Active Directory as an SMA Authentication Server In this procedure, you will configure Azure AD as an SAML Identity provider, and create and configure an Authentication server on an SMA appliance.

To configure Azure AD as an SMA Authentication Server:

1 On the SMA appliance, go to the System Configuration > Authentication Servers page.


2 Under Authentication servers, click New. The New Authentication Server dialog appears.

3 Select SAML 2.0 Identity Provider.

4 Click Continue.


The Configure Authentication Server dialog appears.

The steps that follow explain how to configure the fields in the Configure Authentication Server dialog.

5 In the Name field, enter Azure AD.

6 In the Appliance ID field, enter the URL for the appliance from the App ID URL field or the Issuer URL field on the Configure App Settings page. For example: https://appliance.company.com as in the Issuer URL field below.


7 In the Server ID field, enter the URL for the server from the Issuer URL field on the Configure Single Sign-on at <APP_NAME> page. For example:https://sts.windows.net/db675175-89e4-40f3-xxxx-/ is in the Issuer URL field below.

8 In the Authentication service URL field, enter the URL from the Single sign-on service URL field on the Configure Single Sign-on at <APP_NAME> page. For example: https://login.windows.net/db675175-89e4-40f3-xxxx-/saml2.

9 In the Logout service URL field, enter the URL from the Single sign-on service URL field on the Configure Single Sign-on at <APP_NAME> page. For example: https://login.windows.net/db675175-89e4-40f3-xxxx-/saml2.

10 From the Trust the following certificate drop-down menu, select the certificate you want.This should be the Download certificate from the Configure Single Sign-on at <APP_NAME> page.

11 (Optional) Select the Sign AuthnRequest message using this certificate if you want it, then select the appropriate appliance certificate.

12 Click Save.

NOTE: You must first download and install the certificate you want before it can appear in the Trust the following certificate drop-down menu. See Downloading a certificate on page 2 for instructions on how to do this.


Adding the SMA application to Azure Active DirectoryAfter you configure Azure Active Directory (AD) as an SMA Authentication Server, you need to add the SMA application to the Azure AD service.

To add the SMA application to Azure AD:

1 Log in to Azure AD and select the Active Directory > [Directory] > Applications page.

2 Select Add an application from the gallery.

In the Application Gallery, you can add a custom application using the Custom category on the left.

3 In the Name field, enter a name for the SMA application.


Configuring Single Sign-On for the SMA applicationAfter you enter the name for the SMA application, you can configure the single sign-on options.

To configure Single Sign-On for the SMA application:

1 In Azure AD, go to the Dell_SMA application page.

2 Select Configure single sign-on.

3 To configure SAML-based authentication, select the Microsoft Azure AD Single Sign-On option.


4 Click the Next arrow.

The Configure App Settings dialog appears.

5 Enter the URLs you want in the three URL fields:

• SIGN ON URL - The appliance URL, for example: https://appliance.company.com.

• IDENTIFIER - The URL from the Appliance ID field from the Configure Authentication Server dialog. See Configuring Azure Active Directory as an SMA Authentication Server on page 6

• REPLY URL - The appliance ACS URL, for example: https://appliance.company.com/saml2ssoconsumer.

You can click on the question mark icon for each field to view a tooltip that describes which URL is required for that field and how it is used.

6 Click the Next arrow.


The Configure single sign-on at Dell_SMA screen provides the information you need to enable the SMA application to accept a SAML token from Azure AD.

The values required will vary depending on the application. Check the SAML documentation for the application for details.

The SINGLE SIGN-ON SERVICE URL and SINGLE SIGN-OUT SERVICE URL both resolve to the same endpoint, which is the SAML request-handling endpoint for your instance of Azure AD.

The ISSUER URL is the URL from the Issuer field of the SAML token.

7 After the SMA application is configured, click the Next arrow.


The Single Sign-On Confirmation page appears.

8 Click the check mark to close the dialog.

Assigning users and groups to the SMA application Once the SMA application has been configured to use Azure AD as an SAML-based Identity Provider, then it is almost ready to test. As a security control, Azure AD will not issue a token allowing users to sign into the SMA application until they have been granted access using Azure AD, either directly or through a group.

To assign a user or group to the SMA application:

1 In Azure AD, click the Assign Users button.

2 Select the user or group you wish to assign, and then select the Assign button.


Dell™ One Identity Cloud Access ManagerThis section describes how to configure Dell™ One Identity Cloud Access Manager (CAM) 7.0 as an SMA Authentication Server.

Topics

• Configuring Dell One Identity CAM as an SMA Authentication Server

• Adding the SMA Application to One Identity Cloud Access Manager

Configuring Dell One Identity CAM as an SMA Authentication ServerConfiguring the Dell One Identity Cloud Access Manager (CAM) as an SMA appliance is done by setting up a Dell One Identity CAM Authentication Server on an SMA appliance.

To configure the Dell One Identity CAM as an SMA Authentication Server:





4 Click Continue.


Some of the values for the fields in the Configure Authentication Server dialog can be obtained from the Application Created page of the One Identity Cloud Access Manager shown below.


5 In the Name field, enter Dell CAM.

6 In the Appliance ID field, enter the Audience/SP Identity from the Application Created page. For example, https://appliance.company.com.

7 In the Server ID field, enter the Issuer Entity ID or IDP from the Application Created page. For example, urn:cam.test.com.test.com/CloudAccessManager/RPSTS.

8 In the Authentication service URL field, enter the IDP Login URL from the Application Created page. For example, https://sp16.test.com/CloudAccessManager/RPSTS/Saml2/Default.aspx.

9 In the Logout service URL field, enter the SSO URL. For example, https://cam.test.com.com/CloudAccessManager/RPSTS/Saml2/Default.aspx.

10 From the Trust the following certificate drop-down menu, select the certificate you want. This should be the certificate from the Certificate (Download Certificate) of the Application Created page.

11 (Optional) Select the Sign AuthnRequest message using this certificate if you want it, then select the appropriate certificate.

12 Click Save.

NOTE: You must first download and install the certificate you want before it can appear in this drop-down menu. See Downloading a certificate on page 2 for instructions on how to do this.


Adding the SMA Application to One Identity Cloud Access ManagerAfter you configure One Identity Cloud Access Manager (CAM) as an SMA Authentication Server, you need to add the SMA application to the One Identity CAM.

To add the SMA application to One Identity CAM:

1 In One Identity CAM, go to the Home page.

2 Under Applications, click Add New.

The Create a New Application page appears.

NOTE: Some of the graphics in this procedure do not show the Next button. Due to the large size of the UI pages, most of the graphics just show the available options, but most of the actual UI pages have a Next button like this one.


3 Under Create a New Application, select Configure Manually.

The Back-end SSO Method page appears.

4 Under Back-end SSO Method, select Using SAML.

5 Click Next.

The Federation Settings page appears.

6 Under Federation Settings, enter the following URLs:

a In the Recipient field, enter https://appliance.company.com/saml2ssoconsumer.

b In the Audience/SP Identity field, enter https://appliance.company.com.


7 Click Next.

The Subject Mapping page appears.

8 Under Subject Mapping, leave the default option selected, Users from “AD” can’t log into this application.

9 Click Next.

The Claims Mapping page appears.

10 Leave the Claims Mapping section empty.


11 Click Next.

The External Access page appears.

12 Under External Access, select This application is external to my network.

13 Click Next.

The Permissions page appears.

14 On the Permissions page, select the Roles you want, using the Allow Role Access button.


15 Click Next.

The Application Name dialog appears.

16 In the Application Name field, enter the name of your SMA application.

17 Click Next.

The Application Portal page appears.

18 On the Application Portal page, under SSO Mode, select SP Initiated.

19 In the URL field, enter https://appliance.company.com.

20 Select any other options you want.

21 Click Finish.


The Application Created page appears.

The Application Created page shows all the Single Sign-On details necessary to configure the SMA application.


OneLoginThis section describes how to configure OneLogin as an SMA Authentication Server and how to add the SMA application to the OneLogin service.

Topics

• Configuring OneLogin as an SMA Authentication Server

• Adding the SMA Application to OneLogin

Configuring OneLogin as an SMA Authentication ServerConfiguring OneLogin as an SAML Identity Provider is done by configuring a OneLogin Authentication server on an SMA appliance.

To configure OneLogin as an SMA Authentication Server:





4 Click Continue.




5 In the Name field, enter OneLogin_IDP.

6 In the Appliance ID field, enter the Audience/SP Identity from the Configuration tab of the SonicWALL VPN page. For example, https://appliance.company.com.

7 In the Server ID field, enter the Issuer URL from the Configuration tab of the SonicWALL VPN page. For example, https://app.onelogin.com/saml/metadata/xxxx.


8 In the Authentication service URL field, enter the IDP Login URL from the SSO tab of the SonicWALL VPN page. For example, https://company.onelogin.com/trust/saml2/http-post/sso/xxxx.

9 In the Logout service URL field, enter the SLO Endpoint (HTTP) from the SSO tab of the SonicWALL VPN page. For example, https://company.onelogin.com/trust/saml2/http-redirect/slo/xxxx.

10 From the Trust the following certificate drop-down menu, select the X.509 Certificate.

11 (Optional) Select the Sign AuthnRequest message using this certificate if you want it, then select the appropriate certificate.

12 Click Save.

Adding the SMA Application to OneLogin After you configure OneLogin as an SMA Authentication Server, you need to add the SMA application to the One Login service.

To add the SMA application to the OneLogin service:

1 In OneLogin, go to the Home page.

The Find Applications page appears.

2 Under Find Applications, enter sonicwall in the search field and hit enter.

NOTE: You must first download and install this certificate before it can appear in this drop-down menu. See Downloading a certificate on page 2 for instructions on how to do this.


The Add Sonicwall VPN page appears.

3 In the Portal panel, in the Display Name field, enter Dell Sonicwall VPN.

4 In the Connectors panel, for the Connector Version, select SAML 2.0.

5 Click Save.

The Sonicwall VPN page appears.

6 Click the Configuration tab.

7 In the Appliance field, enter the FQDN for your appliance. For example, https://appliance.company.com.


8 Click the SSO tab.

9 In the Enable SAML 2.0 panel, under the X.509 Certificate field, click View Details.

The Standard Strength Certificate dialog appears.

10 Click the Download button to upload the CA Certificate to the SMA appliance.


Ping Identity PingOne This section describes how to configure Ping Identity PingOne as an SMA Authentication Server and how to add the SMA application to the Ping Identity PingOne service.

Topics

• Configuring Ping Identity PingOne as an SMA Authentication Server

• Adding the SMA Application to Ping Identity PingOne

Configuring Ping Identity PingOne as an SMA Authentication ServerConfiguring Ping Identity PingOne as an SAML Identity Provider is done by configuring a Ping Identity PingOne Authentication server on an SMA appliance.

To configure Ping Identity PingOne as an SMA Authentication Server:





4 Click Continue.



Most of the values for the fields on this page can be obtained from the fields on the PingOne application page.


5 In the Name field, enter PingOne_IDP.

6 In the Appliance ID field, enter the entityId from the PingOne application page. For example: https://appliance.company.com.

7 In the Server ID field, enter the value of the entityID of the EntityDescriptor tag from the downloaded XML file, for example, https://pingone.com/idp/company.

8 In the Authentication service URL field, enter the Initiate Single Sign-On (SSO) URL from the PingOne application page. For example, https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=734b784f-xxxxxx.

9 In the Logout service URL field, enter the value of the Logout Service URL from the Location attribute of SingleLogoutService tag from the downloaded XML file. For example, https://sso.connect.pingidentity.com/sso/SLO.saml2.


10 From the Trust the following certificate drop-down menu, select the certificate you want.This should be the Certificate downloaded from the PingOne application page.

11 (Optional) Select the Sign AuthnRequest message using this certificate if you want it, then select the certificate.

12 Click Save.

Adding the SMA Application to Ping Identity PingOneAfter you configure Ping Identity PingOne as an SMA Authentication Server, you need to add the SMA application to the Ping Identity PingOne service.

To add the SMA application to the Ping Identity PingOne service:

1 In PingOne, go to the My Applications page.

2 Under Add Application, select New SAML Application.

NOTE: You must first download and install the certificate you want before it can appear in this drop-down menu. See Downloading a certificate on page 2 for instructions on how to do this.


The Applications Details panel opens.

3 Enter the Application Name.

4 Enter the Application Description.

5 Select the Category you want.

6 For Graphics, select the Application Logo and Application Icon you want.

7 Click Continue to Next Step.


The Application Configuration panel opens.

8 For the Protocol Version, select SAML v2.0.

9 In the Assertion Consumer Service (ACS) field, enter the URL: https://appliance.company.com/saml2ssoconsumer.

10 Enter the Entity ID.

11 Enter the Application URL. This should be the same as appliance URL. For example, https://appliance.company.com.

12 For the Single Logout Binding Type, select Post.

13 Click Next.


The SSO Attribute Mapping panel opens.

14 In the Status column, click in the row for the application to make it active.

15 Click Save & Publish

16 Click Add new attribute.


The following panel opens.

17 To upload the CA Certificate to AMC, click Certificate Download.

18 Click SAML Metadata Download.

19 Click Finish.


SalesforceThis section describes how to configure Salesforce as an SMA Authentication Server and how to add the SMA application to the Salesforce service.

Topics

• Configuring Salesforce as an SMA Authentication Server

• Adding the SMA Application to Salesforce

Configuring Salesforce as an SMA Authentication ServerThis section describes how to configure Salesforce as an SMA Authentication Server.

To configure Salesforce as an SMA Authentication Server:





4 Click Continue.




5 In the Name field, enter Saleforce_IDP.

6 In the Appliance ID field, enter the Entity Id under Web App Settings from the Salesforce application page. For example, https://application.company.com.

7 In the Server ID field, enter the Issuer from the Salesforce application page, under Web App Settings. For example, https://company.my.salesforce.com as per application configuration in Salesforce.

8 In the Authentication service URL field, enter the IdP-Initiated Login URL from the Salesforce application page. For example, https://company.my.salesforce.com/idp/endpoint/HttpRedirect.

9 From the Trust the following certificate drop-down menu, select the certificate you want. This should be the certificate downloaded from the Identity Provider page.

10 (Optional) Select the Sign AuthnRequest message using this certificate if you want it, then enter the IP address for the certificate.

11 Click Save.

NOTE: You must first download and install this certificate before it can appear in this drop-down menu. See Downloading a certificate on page 2 for instructions on how to do this.


Adding the SMA Application to SalesforceAfter you configure Salesforce as an SMA Authentication Server, you need to add the SMA application to the Salesforce service.

To add the SMA application to the Salesforce service:

1 Login to Salesforce.

2 Go to the App Setup > Create > Apps > Connected Apps Detail page.

3 Click Add.

The Settings dialog appears.

4 In the Web App Settings panel:

a For Start URL, enter https://appliance.company.com.

b Select Enable SAML.

c For Entity ID, enter the Workplace URL: https://appliance.company.com.

d For ACS URL, enter https://appliance.company.com.

e For Subject Type, select Username.

f For Name ID Format, enter urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified


g For Issuer, enter https://company.my.salesforce.com.

5 Click Save.

6 On the App Setup > Create > Apps > Connected Apps Detail page, click Manage Profiles.

7 Select the types of users you want to allow to access the Salesforce application.

8 Click Save.

You can view the configured Saleforce settings on the Dell SMA page.


sma 11.4 saml 2.0 identity provider configuration...

Documents