In proxy-less form fill, Cloud Access Manager attempts to emulate the application's login form with an unsolicited post to the action URL within the login form. Configuring an application in this way involves fewer steps than the form fill authentication method described in Form fill authentication. This example guides you through the steps required to configure single sign-on to an application using the proxy-less form fill authentication method.
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal, and select Add New from the Applications section on the home page. Cloud Access Manager provides a set of application templates to automatically configure common applications. This example describes how to configure an application manually, rather than using a template.
To configure single sign-on using proxy-less form-fill authentication
Use the tool to obtain the field IDs for the login form. For example, click in the Username field, for example, Domain\user name, then click in the Password field, then finally, click the Submit button, for example, Sign in.
After using the Login Form Inspection Tool to identify the username and password fields, proxy-less form fill does not use the submit button, and action URL, you are presented with the Form Fill Method configuration page, which is where you choose whether or not to proxy the application with Cloud Access Manager.
|
NOTE: Proxy-less form fill only emulates basic elements of login forms, it is therefore not compatible with login forms that rely on cookies, dynamic hidden variables, session handling functions or view states. |
You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. Many applications will require you to configure a particular entry point, for example for One Identity Active Roles you need to add ARServerAdmin in the URL field of the application portal page.
|
NOTE: Take care to ensure that the URL entered is unaltered, even down to subtle changes such as character case, in the example for Active Roles Server the URL must be ARServerAdmin. |
|
NOTE: The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user's portal page, and how the user can manage the application from the application portal. The options are shown in the table below. |
Add application to application portal home | Allow users to remove application from application portal home | Functionality |
---|---|---|
application is added to the portal and it cannot be removed by the user through the Application Catalog. | ||
application is added to the portal and it can be removed by the user through the Application Catalog. | ||
application is not automatically added to the portal. The user can add or remove the application to/from the portal through the Application Catalog. |
To access the application catalog from the application portal, the user simply clicks their username, then selects Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.
To verify that the application is configured correctly
Log in to the Cloud Access Manager Portal and click the application. When a user first accesses an application configured for proxy-less form fill they are presented with a pop-up to enter their login credentials. Cloud Access Manager will then pass the credentials to the application's target URL and store them in the user's Password Wallet for future access.
|
NOTE: If the user enters invalid credentials, they must be edited in Cloud Access Manager's Password Wallet. The user can access the Password Wallet from the Application Portal with their user ID. |
Configuration of an application for proxy-less form fill is now complete.
When you have added an application to Cloud Access Manager, you may want to ensure users only access the application using Cloud Access Manager. This may be required if you use Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the One Identity Cloud Access Manager Security and Best Practices Guide.
This example will guide you through the steps required to configure single sign-on for Google Apps service which uses SAML Authentication.
To configure single sign-on for Google Apps service using SAML authentication
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.
Cloud Access Manager provides a set of application templates to automatically configure common applications. The following example describes how to configure an application manually, rather than using a template.
If your service provider provides metadata for configuration, follow the instructions in this step to automatically configure the federation settings in Cloud Access Manager. Otherwise proceed to Step 5 to manually configure the federation settings.
In the Federation Metadata URL field enter the federation metadata URL provided by your service provider. Alternatively, click Browse to locate the file containing federation metadata. Please refer to your service provider’s configuration interface for assistance locating this information.
Enter the Recipient value for your SAML application, for example:
https://www.google.com/a/<your_google_domain>/acs for Google Apps service
If your service provider provides multiple Assertion Consumer Service (ACS) endpoints then you can add multiple entries by supplying an Index and Recipient for each entry. Click Add ACS Entry to add a new entry. Select the Default check box for the entry that will be the default if no Assertion Consumer Service URL or Index is specified in the SAML Authentication request.
If your service provider supports SAML logout enter the logout URL in the Application Logout URL field.
|
NOTE: For logout requests to be sent to federated applications you must enable the Log out of federated applications on session termination option in Settings | Configuration Settings. |
Some service providers sign their SAML Authentication requests or require that SAML Authentication Responses are encrypted. Both of these scenarios require Cloud Access Manager to be configured with a public certificate supplied by the service provider. These certificates can be uploaded using the controls at the bottom of the Federation Settings page.
|
NOTE: Consult your documentation, or application administrative interface for the values to enter. |
Select the Derive the username from an attribute option and enter an attribute name of mail, then click Next.
|
NOTE: This option uses the user’s email address stored in Active Directory as their application username, known as the user’s SAML subject. You can change the suffix if required to match your Google domain. |
|
NOTE: Cloud Access Manager allows users to request their own application accounts. If the user is in a group that is authorized to access a particular application, the user can have a user account automatically created for them as they select it from their application catalog and add it to their portal page. Cloud Access Manager includes directory connectors, which allow user accounts to be provisioned from Cloud Access Manager into Google Apps service, Salesforce.com and Microsoft Office 365. When a user adds an application to their portal page by selecting it from their application catalog, Cloud Access Manager automatically checks whether they already have a user account in that application’s directory. If the user does not, then an account is created for him or her through one of its directory connectors. The following three steps are for just-in-time provisioning of users and will only be displayed for applications for which Cloud Access Manager can provision users, such as Google Apps and Salesforce. |
Enter the credentials of a user account to provision new user accounts. Use the Test Connection button to validate the credentials before clicking Next.
Select who will receive an email when a new account is provisioned and enter the text to include in the email.
In order to provision a user, the application will typically require a number of provisioning parameters to be defined. For example, Google Apps requires the user’s first and last name. For each parameter, configure a claim rule to map the provisioning parameter to a user attribute containing the required value. For example, add a claim called Last Name, where its value is derived from the Active Directory user attribute sn.
|
NOTE: There is an 8 character limit on the Alias provisioning parameter. However, there is no such limit on the sAMAccountName attribute that the Salesforce template maps Alias to by default. This results in a failure to provision any user who has a sAMAccountName of greater than 8 characters. We recommend that either your Salesforce users are limited to a sAMAccountName of 8 characters or less, or the mapping of the Alias field is changed to use a different attribute that does meet this criteria. This is not limited to Salesforce, and can occur for any application that uses the Alias parameter for provisioning. In addition, using mapped attributes with NULL values will also result in a provisioning failure. |
|
NOTE: If the application you are provisioning provides a user provisioning API, please refer to Manual user provisioning. |
Click Download Certificate to download the certificate created by Cloud Access Manager to import into your SAML application. In addition, make a note of the Issuer/IDP Service URL as this may be required by your SAML application. Click Close.
|
NOTE: The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user’s portal page, and how the user can manage the application from the application portal. The options are shown in the table below. |
Add application to application portal home | Allow users to remove application from application portal home | Functionality |
---|---|---|
application is added to the portal and it cannot be removed by the user through the application catalog. | ||
application is added to the portal and it can be removed by the user through the application catalog. | ||
application is not automatically added to the portal. The user can add or remove the application to/from the portal through the application catalog. |
To access the application catalog from the application portal, the user simply needs to click their username, then select Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.
Cloud Access Manager configuration is now complete.
To configure your Google Apps account to authenticate your users using SAML
Enter the Cloud Access Manager Issuer/IDP Service URL that you noted in Step 21, into the Sign-in page URL and Change password URL fields. For example, enter:
https://CloudAccessManager.democorp.local/CloudAccessManager/RPSTS/Saml2/ Default.aspx
In the Sign-out page field, enter the URL:
https://CloudAccessManager.democorp.local/CloudAccessManager
For information on how to use the user mapping tool, please refer to the guide entitled One Identity Cloud Access Manager How To Configure User Mapping.
To verify that the application is configured correctly
Configuration of Google Apps for SSO is now complete.
In most situations the SAML token produced by Cloud Access Manager in response to an authentication request is accepted by the service provider. If the service provider has special requirements for the way the token is configured then you may modify the token options on the SAML Token Settings tab for the application.
Any settings changed on this page will only affect the selected application.
|
NOTE: To change the settings for all SAML applications, follow these steps:
|
For a description of the available configuration options, please refer to the table below.
|
NOTE: The settings for an individual application take precedence over global settings. |
Name | Description | Default |
---|---|---|
samltoken.minutes_before |
The number of minutes before the token IssueInstant to set the NotBefore attribute in the Conditions element. |
0 minutes |
samltoken.minutes_after |
The number of minutes after the token IssueInstant to set the NotOnOrAfter attribute in the Conditions and SubjectConfirmationData elements. |
30 minutes |
samltoken.name_id |
The value of the Format attribute of the NameID element in the Subject. |
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
samltoken.signature |
How the SAML token is signed. There are three options:
|
MessageOnly |
samltoken.multi_valued_attributes |
How attributes with multiple values are output in the SAML token. There are two options:
<Attribute Name="urn:example/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <AttributeValue>CN=Staff,CN=Users,DC=democorp,DC=co,DC=uk</AttributeValue> </Attribute> <Attribute Name="urn:example/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <AttributeValue>CN=Administrators,CN=Users,DC=democorp,DC=co,DC=uk</AttributeValue><AttributeValue> </Attribute>
<Attribute Name="urn:example/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <AttributeValue>CN=Staff,CN=Users,DC=democorp,DC=co,DC=uk</AttributeValue> <AttributeValue>CN=Administrators,CN=Users,DC=democorp,DC=co,DC=uk</AttributeValue><AttributeValue> </Attribute> |
OneValuePerAttribute |
samltoken.encryption |
How the Assertion element is encrypted, there are two options: AES256 - Encryption algorithm: AES256, encryption key: RSA-OAEP AES128 - Encryption algorithm: AES128, encryption key: RSAES-PKCS1-v1_5, key length: 128 |
AES256 |
samltoken.authn_req_signature_required |
When the authentication request is expected to be signed. There are two options:
|
WithSigningCertificateUploadedOnly |
samltoken.logout_request_signature_required |
When the logout request is expected to be signed. There are two options:
|
WithSigningCertificateUploadedOnly |
samltoken.logout_request_binding |
The binding that will be used when sending logout requests to the application. Select Disabled to not send logout requests. |
HttpPost |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center