Single Sign-On Authentication using SAML 2.0

Most enterprises are adopting the Security Assertion Markup Language (SAML) standard for secure single sign-on access to the applications in their environment, because it offers benefits such as:
  • Improved user experience
  • Increased security
  • Reduced costs
  • Supports seamless interoperability between systems, independent of implementations
To help customers adopt SAML for fast, simple, and secure access to the applications in their environment, Identity Governance is now SAML compliant. Enterprise users can access the Identity Governance application with SAML-based single sign-on authentication.
SAML is an XML-based federation protocol for exchanging authentication and authorization data between security domains. It uses security tokens containing assertions to pass end-user information from a SAML authority (the Identity Provider) to a SAML consumer (the Service Provider).
To set up SAML authentication with Identity Governance as the Service Provider and any SAML-compliant Identity Provider of your choice, configure the following SAML settings in your environment in the given order:
Prerequisites
Enterprise users who will be assigned single sign-on access to the Identity Governance application must already exist in the Eurekify user store; import them before configuring SAML, because SAML authentication only identifies an existing user.
Export and Import Metadata from Identity Provider to Identity Governance
To establish trust between the Identity Provider and Identity Governance for the SAML flow, download the metadata from the Identity Provider and import it into Identity Governance. The Identity Provider metadata XML file contains the Identity Provider signing certificate, entity ID, single sign-on (redirect) URL, logout URL, and so on. Obtain the file over a trusted channel: the certificate it carries is what Identity Governance will later use to validate the Identity Provider's signatures.
Follow these steps:
  1. Download the metadata from the Identity Provider.
    1. Log in to your SAML-compliant Identity Provider.
    2. Follow your Identity Provider's SAML configuration documentation and download the metadata.
  2. Import the Identity Provider's metadata into Identity Governance.
    1. In the Identity Governance web interface, navigate to Administration, Settings, SAML 2.0 Property Settings.
    2. Click Identity Provider.
    3. Select the Identity Provider metadata file and click Import.
    4. The import parses the metadata file and populates the Identity Provider certificate and login URL on the screen.
The HTTP binding (POST or Redirect) that Identity Governance uses to send the SAML authentication request depends on the bindings listed in the imported Identity Provider metadata. If the Identity Provider supports both HTTP-POST and HTTP-Redirect, Identity Governance uses HTTP-POST.
Upload a Certificate to Identity Governance
Upload a certificate together with its private key to Identity Governance so that it can sign SAML authentication requests and decrypt SAML responses from the Identity Provider. The flow is as follows. When a user accesses the Identity Governance URL, Identity Governance generates a SAML authentication request and signs it with the private key. When the Identity Provider receives the request, it validates the digital signature with the public key of the Identity Governance certificate that was uploaded to the Identity Provider. If configured to do so, the Identity Provider encrypts the assertion in the SAML response with the public key of the certificate selected for encryption and forwards the response to Identity Governance, which decrypts it with the corresponding private key. The private key never leaves Identity Governance; only the certificate (public key) is shared with the Identity Provider. To upload a certificate, follow these steps:
  1. In the Identity Governance web interface, navigate to Administration, Settings, Certificates and Key Management.
  2. In the Add Certificate screen, do the following:
    1. Certificate KeyStore File:
      Select the keystore file that contains the certificate and its private key.
    2. Certificate Alias:
      Enter the alias under which the certificate and private key are stored in the keystore.
    3. KeyStore Password:
      Enter the password that opens the keystore file.
    4. Private Key Password:
      Enter the password that protects the private key entry in the keystore. In a JKS keystore this can differ from the keystore password.
    The supported keystore formats are JKS and PKCS12. Each keystore file is expected to contain exactly one certificate and private key pair, identified by the alias.
    The recommendation is to use a Certificate Authority (CA) signed certificate and key pair.
  3. Click Import to save the certificate into the database.
Configure Identity Governance for SAML Authentication
For Identity Governance to act as the Service Provider for SAML single sign-on authentication, configure the following in the Identity Governance web interface.
  1. In the Identity Governance web interface, navigate to Administration, Settings, SAML 2.0 Property Settings.
  2. Click Service Provider and configure the following Service Provider settings:
    1. IG Proxy Base URL:
      The address of the proxy or load balancer configured in front of Identity Governance in a cluster setup. It is the part of the Identity Governance URL before /eurekify/portal.
      Example: https://<hostname>.<domain_name>
      If no proxy is configured, enter the Identity Governance web interface URL up to and including its port number.
      Example: https://<hostname>.<domain_name>:<port_number>
      Do not leave this field blank; the Service Provider configuration cannot be saved without it.
    2. User Identity Location:
      The Identity Provider passes SAML attributes in the SAML assertion to describe the user being authenticated. Most Identity Providers carry the username in the NameID element of the Subject:
      Example:
        <samlp:Response>
          ...
          <saml:Assertion>
            <saml:Subject>
              <saml:NameID>test_user</saml:NameID>
            ...
      Some Identity Providers carry the username in an Attribute element of the assertion instead of NameID. In that case, set User Identity Location to the attribute name as it appears in the SAML assertion, so that Identity Governance reads the user identity from that attribute:
      Example:
        <samlp:Response>
          <saml:Assertion>
            ...
            <saml:AttributeStatement>
              <saml:Attribute Name="username">
                <saml:AttributeValue>test_user</saml:AttributeValue>
              </saml:Attribute>
            ...
    3. IG Disambiguating User Attribute:
      Lists the Identity Governance user attributes (standard and custom). Select the attribute against which the SAML subject extracted from the assertion is matched. PersonId is generally used to disambiguate the user in the Eurekify user store.
      The selected attribute must be unique in the Eurekify user store; if two users share the same value, the subject cannot be resolved to a single account.
    4. Sign Request:
      Select this option if you want Identity Governance to sign the SAML authentication request that it sends to the Identity Provider.
      1. Request Signing Key:
        Select the private key used to sign the SAML request. If no certificates have been uploaded to Identity Governance, follow the section Upload a Certificate to Identity Governance first.
      2. Request Signing Algorithm:
        Select the algorithm for signing the SAML authentication request. The supported algorithms are RSA-SHA1 and RSA-SHA256. Use RSA-SHA256: SHA-1 is deprecated for digital signatures, so choose RSA-SHA1 only for an Identity Provider that cannot verify RSA-SHA256.
    5. Decrypt Assertions:
      Select this option if the Identity Provider is configured to send encrypted SAML assertions in the SAML response. Identity Governance decrypts the assertions only when this option is selected.
      1. Assertion Decryption Key:
        Select the private key used to decrypt SAML assertions. If no certificates have been uploaded to Identity Governance, follow the section Upload a Certificate to Identity Governance first.
    6. Enable SAML 2.0 Authentication:
      Selecting this option enables Identity Governance to act as a Service Provider.
      SAML 2.0 authentication overrides the existing authentication modes (SiteMinder, native authentication) configured in your environment.
    7. BreakGlass URL:
      If SAML federation breaks, system administrators can bypass SAML authentication and log in to the Identity Governance application directly with their local login password. The URL is generated by the application when the SAML configuration is saved and cannot be changed; when a proxy is configured, it is generated from the Proxy Base URL.
      The format of the BreakGlass URL is http://<hostname>:<portnumber>/eurekify/portal?breakGlass=true
      Because this URL bypasses the Identity Provider entirely, treat it as a privileged login path: keep the local administrator passwords strong, and watch for requests that carry breakGlass=true.
    8. Click Save.
    9. Export SP Metadata:
      Identity Governance publishes a metadata file that the Identity Provider can import to obtain the Identity Governance details it needs for the SAML flow (ACS URL, signing and encryption certificates, entity ID). To export the file, click Export SP Metadata.
      • The URLs in the metadata file are derived from the Identity Governance Proxy Base URL.
      • Export the SP metadata file after saving the Identity Governance SAML configuration. If the Proxy Base URL or the certificates change later, export the file again and re-import it into the Identity Provider.
  3. The SAML configuration takes effect from the next user login session to the Identity Governance application.
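As an added example (not Identity Governance's own export code), the Python below shows what the Service Provider settings above turn into: it validates the IG Proxy Base URL the way step 1 requires (not blank, https, nothing after the host name and port, with a pasted /eurekify/portal suffix cut off), derives the BreakGlass URL in the format given in step 7 (the scheme follows the base URL here), and emits an SP metadata EntityDescriptor with the signing and encryption KeyDescriptors and the ACS endpoint as described in step 9. The entity ID (taken to be the base URL) and the ACS path /eurekify/saml/acs are placeholders I assumed; take the real values from the file that Export SP Metadata produces.

```python
"""Added example: build Service Provider metadata from the IG Proxy Base URL.
Not Identity Governance's own export code; entity ID and ACS path are assumptions."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
PORTAL_PATH = "/eurekify/portal"
ACS_PATH = "/eurekify/saml/acs"  # ASSUMPTION: placeholder; the real path is in the exported SP metadata
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def validate_proxy_base_url(url: str) -> str:
    """Return the normalised base URL, or raise ValueError with the reason the field is unusable."""
    if url is None or not url.strip():
        raise ValueError("IG Proxy Base URL must not be blank")
    url = url.strip()
    if PORTAL_PATH in url:                      # a pasted portal URL is cut back to the base
        url = url.split(PORTAL_PATH, 1)[0]
    url = url.rstrip("/")
    parts = urlsplit(url)
    if parts.scheme != "https":                 # assertions are bearer tokens; refuse plain http
        raise ValueError(f"base URL must use https, got {parts.scheme or 'no scheme'}")
    if not parts.hostname:
        raise ValueError("base URL has no host name")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("base URL must end at the host name (and port); remove the path")
    return url


def is_valid_proxy_base_url(url: str) -> bool:
    try:
        validate_proxy_base_url(url)
        return True
    except ValueError:
        return False


def break_glass_url(base_url: str) -> str:
    """The auto-generated break-glass URL in the format the text gives (bypasses SAML entirely)."""
    return validate_proxy_base_url(base_url) + PORTAL_PATH + "?breakGlass=true"


def build_sp_metadata(base_url, signing_cert_b64=None, encryption_cert_b64=None, sign_requests=False):
    """Emit an EntityDescriptor for Identity Governance as SP. Certificates are base64 DER strings."""
    base = validate_proxy_base_url(base_url)
    if sign_requests and not signing_cert_b64:
        raise ValueError("Sign Request is selected but no Request Signing Key certificate was supplied")
    ET.register_namespace("md", NS_MD)
    ET.register_namespace("ds", NS_DS)
    entity = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": base})  # ASSUMPTION: entityID = base URL
    sp = ET.SubElement(entity, f"{{{NS_MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "true" if sign_requests else "false",
        "WantAssertionsSigned": "true",
    })
    # One KeyDescriptor per use, so the IdP knows which certificate verifies requests
    # and which one it must encrypt assertions to.
    for use, cert in (("signing", signing_cert_b64), ("encryption", encryption_cert_b64)):
        if cert:
            kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", {"use": use})
            key_info = ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo")
            x509 = ET.SubElement(key_info, f"{{{NS_DS}}}X509Data")
            ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = cert
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": BINDING_POST, "Location": base + ACS_PATH, "index": "0", "isDefault": "true",
    })
    return ET.tostring(entity, encoding="unicode")


def describe_sp_metadata(xml_text: str) -> dict:
    """Read back the fields an Identity Provider needs when it imports the SP metadata."""
    ns = {"md": NS_MD}
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", ns)
    acs = sp.find("md:AssertionConsumerService", ns)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "key_uses": [kd.get("use") for kd in sp.findall("md:KeyDescriptor", ns)],
    }


if __name__ == "__main__":
    doc = build_sp_metadata("https://ig.example.com:8443/eurekify/portal",
                            signing_cert_b64="MIIC...sign", encryption_cert_b64="MIIC...enc",
                            sign_requests=True)
    print(describe_sp_metadata(doc))
    print(break_glass_url("https://ig.example.com:8443"))
```

The validation function is the same check the troubleshooting section asks you to perform by hand: everything after the host name and port is rejected, so a value copied from the browser's address bar cannot silently produce wrong ACS and entity ID URLs in the exported file.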
Configure Identity Provider for SAML Authentication
Your organization's Identity Provider must be SAML compliant to authenticate and authorize single sign-on access to Identity Governance. To achieve this, define Identity Governance as a SAML-enabled connected app in the Identity Provider.
If the Identity Provider supports metadata import, upload the Identity Governance SP metadata file. Otherwise, configure the Identity Governance details manually in the Service Provider app section of the Identity Provider.
For example, if you are using Salesforce as the Identity Provider, you must configure the following settings in Salesforce to define Identity Governance as a SAML-enabled connected app.
  • Enable SAML:
    Select this option to enable SAML for your Identity Provider.
  • Entity ID:
    A unique URL identifier for Identity Governance; Salesforce identifies Identity Governance by this value. Take it from the exported Identity Governance SP metadata.
  • Assertion Consumer Service (ACS) URL:
    The Identity Governance endpoint to which Salesforce sends the SAML response. Take it from the exported SP metadata; it is derived from the Proxy Base URL.
  • Enable Single Logout:
    Identity Governance does not support the Single Logout service, so leave this option disabled. When a user logs out of the Identity Governance application, the Identity Provider session remains active and the user can still access the other service providers (applications); to end the session completely, the user must also log out of the Identity Provider.
  • Subject Type:
    Specifies the field that defines the user's identity for the app. Options include the user's Username, Federation ID, User ID, Custom Attribute, and Persistent ID.
  • Name ID Format:
    Specifies the format of the NameID sent in SAML messages (for example email address, persistent, or transient). Choose a Subject Type and Name ID Format whose value matches the IG Disambiguating User Attribute of exactly one user in the Eurekify user store. A transient NameID changes on every login and therefore cannot be matched against a stored attribute.
  • Issuer:
    A unique URL identifier for Salesforce. Identity Governance identifies Salesforce by this value; it is the entity ID carried in the Identity Provider metadata imported into Identity Governance.
  • Identity Provider Certificate:
    The self-signed or CA-signed certificate generated by Salesforce. Identity Governance uses it to validate the signature on the SAML response; it reaches Identity Governance through the imported Identity Provider metadata.
  • Optional
    • Start URL:
      Directs users to a specific location after they are authenticated. Enter the Identity Governance URL.
    • Verify Request Signatures:
      Select the certificate that Identity Governance shared with Salesforce (the signing certificate in the exported SP metadata). Use this option only when Identity Governance signs the SAML authentication request (Sign Request is selected); Salesforce uses the certificate to validate the digital signature on the SAML request from Identity Governance.
    • Encrypt SAML Response:
      Select a certificate and an encryption method for encrypting the assertion in the SAML response. Use the encryption certificate from the exported SP metadata, and make sure Decrypt Assertions is enabled in Identity Governance with the matching private key; otherwise Identity Governance cannot read the assertion.
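The User Identity Location and IG Disambiguating User Attribute settings on the Identity Governance side and the Subject Type and Name ID Format settings on the Salesforce side are two halves of one mapping. The added Python below (not code from either product) shows that mapping end to end on a constructed SAML response: it reads the subject either from NameID or from a named Attribute, refuses a transient NameID, checks the assertion Issuer against the imported Identity Provider entity ID, and resolves the subject against a made-up user store, denying the login unless exactly one user matches the disambiguating attribute. Signature validation and assertion decryption are assumed to have happened before this point; the response, issuer and user records are all constructed for the example.

```python
"""Added example: map the SAML subject to a unique Identity Governance user.
Not product code. The response and user store are constructed for the example, and the
response is assumed to be signature-checked and decrypted already."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample response: subject in NameID and again in a 'username' attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://ig.example.com/eurekify/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>test_user</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>test_user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the Eurekify user store: PersonId is unique, mail deliberately is not.
USER_STORE = [
    {"PersonId": "test_user", "mail": "test_user@example.com", "name": "Test User"},
    {"PersonId": "p0002", "mail": "test_user@example.com", "name": "Duplicate Mail"},
]


def extract_subject(response_xml, identity_location="NameID", expected_issuer=None):
    """identity_location is 'NameID' or the Name of the Attribute that carries the username."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if expected_issuer is not None and issuer != expected_issuer:
        raise ValueError(f"assertion issuer {issuer!r} is not the imported Identity Provider entity ID")
    if identity_location == "NameID":
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("assertion has no NameID")
        if name_id.get("Format") == NAMEID_TRANSIENT:
            raise ValueError("transient NameID changes per session and cannot match a stored attribute")
        return name_id.text.strip()
    values = [
        (v.text or "").strip()
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == identity_location
        for v in a.findall("saml:AttributeValue", NS)
    ]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {identity_location!r} value, found {len(values)}")
    return values[0]


def disambiguate(subject, attribute, store=USER_STORE):
    """The disambiguating attribute must select exactly one user; zero or many is a hard failure."""
    matches = [u for u in store if u.get(attribute) == subject]
    if len(matches) != 1:
        raise LookupError(f"{attribute}={subject!r} matched {len(matches)} users; refusing to log in")
    return matches[0]


def login_decision(response_xml, identity_location, attribute, expected_issuer=None, store=USER_STORE):
    """Returns (True, user record) or (False, reason). Any ambiguity denies the login."""
    try:
        subject = extract_subject(response_xml, identity_location, expected_issuer)
        return True, disambiguate(subject, attribute, store)
    except (ValueError, LookupError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(login_decision(SAMPLE_RESPONSE, "NameID", "PersonId", "https://idp.example.com/saml"))
    print(login_decision(SAMPLE_RESPONSE, "mail", "mail"))
```

The second call in the main block is the case the text warns about: mail is not unique in the sample store, so a Name ID Format of email address would map one assertion to two accounts, and the only safe outcome is to deny the login rather than pick one.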
Access Identity Governance Web Interface
In a web browser, enter the Identity Governance login URL. You are redirected to the Identity Provider's login page; after successful SAML authentication, you are redirected to the home page of the Identity Governance user interface.
If a session is already active at the Identity Provider, you are signed in to the Identity Governance user interface without being prompted for credentials again.
Troubleshooting
Symptom:
When you enter the Identity Governance URL in a browser, either the Identity Provider login page does not appear, or it appears but the login fails after the credentials are entered.
Solution:
  • Verify that the Identity Provider SAML configuration matches the Identity Governance SP metadata (entity ID, ACS URL, certificates). Check the Identity Provider's logs for errors.
  • Recheck the Identity Governance single sign-on SAML configuration. Ensure that the Identity Provider metadata has been imported into Identity Governance.
  • If a proxy is configured, ensure that you entered the correct Identity Governance Proxy Base URL: only the part of the URL before /eurekify/portal.
    Example: https://<hostname>.<domain_name>
  • If no proxy is configured, ensure that you entered the Identity Governance URL up to and including its port number.
    Example: https://<hostname>.<domain_name>:<port_number>