Configuring a front-end authentication method
Microsoft® Active Directory® authentication
Configuring smart card authentication
LDAP authentication
Microsoft® Active Directory® LDS
389 Directory Service
Novell® eDirectory™
Windows Azure™ Active Directory® authentication
SAML federated
WS-Federated
Social authenticators
Integration with password management applications
Primary credentials
Configuring user front-end authentication method selection
Adding a web application
Integrated Windows Authentication
Form fill authentication
Proxy-less form fill authentication
SAML federation
Configuring advanced SAML token settings
Configuring advanced WS-Federation token settings
OpenID Connect/OAuth 2.0
Manual user provisioning
HTTP basic authentication
HTTP header value
No back-end SSO
Exporting an application configuration template
Forwarding claims to federated applications
Adding HTTP headers to proxy applications
Configuring step-up authentication
Configuring front-end authenticators
Configuring each application
Configuring for external users
Configuring Defender as a Service with Cloud Access Manager
Using Dell's Security Analytics Engine
Enabling Dell's Security Analytics Engine
Configuring Cloud Access Manager to use Dell's Security Analytics Engine for access control
Managing your SSL certificate
Obtaining a signed certificate
Replacing an expiring certificate
Installing a fully signed certificate from a certificate archive file
Installing a certificate authority certificate
Changing the Cloud Access Manager service account password
Cloud Access Manager IIS Application Pool
Dell Redistributable Secure Token Server
Front-end authenticators
Reporting
Customizing Dell™ One Identity Cloud Access Manager
Proxy-less form fill authentication
In proxy-less form fill, Dell™ One Identity Cloud Access Manager attempts to emulate the application's login form with an unsolicited post to the action URL within the login form. Configuring an application in this way involves fewer steps than the form fill authentication method described in Form fill authentication. This example guides you through the steps required to configure single sign-on to an application using the proxy-less form fill authentication method.
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal, and select Add New from the Applications section on the home page. Cloud Access Manager provides a set of application templates to automatically configure common applications. This example describes how to configure an application manually, rather than using a template.
|
1 |
Click Configure Manually. |
|
2 |
|
3 |
If you have not already done so while adding a previous form fill application, save the Inspect Login Form bookmarklet to your browser's favorites. To do this, right-click the Inspect Login Form link. Click Add to favorites. |
|
4 |
Enter the URL of the application into the box provided and click Go, this will take you to the application's login page. If you are taken directly to the application, check that you are not already signed in and if necessary, sign out. |
|
5 |
With the application's login page displayed, click the browser's Favorites icon and click Inspect Login Form. The Cloud Access Manager Login Form Inspection Tool is now displayed in the bottom-right corner of the browser window. |
|
6 |
Use the tool to obtain the field IDs for the login form. For example, click in the Username field, for example, Domain\user name, then click in the Password field, then finally, click the Submit button, for example, Sign in.  |
|
7 |
Review the detected form IDs and click Save to save the form IDs and return to the Cloud Access Manager Configuration wizard. |
|
8 |
After using the Login Form Inspection Tool to identify the username and password fields, proxy-less form fill does not use the submit button, and action URL, you are presented with the Form Fill Method configuration page, which is where you choose whether or not to proxy the application with Cloud Access Manager. |
|
9 |
The next page contains the form fill details (the Username Field ID/Name and Password Field ID/Name) and the Login Form Action URL (the login form’s action URL) configuration detected by the Login Form Inspection Tool. |
|
12 |
Choose whether or not to Use primary credentials to log into this application. If selected, this feature will use Active Directory domain credentials rather than a different username or password unique to the application. For example, the same credentials that the user used to authenticate to Cloud Access Manager. For applications that require different credentials make sure this option is left clear. |
|
NOTE: The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user's portal page, and how the user can manage the application from the application portal. The options are shown in Table 3. |
Table 3. Application portal options
|
|
|
|
|
|
|
|
|
|
|
To access the application catalog from the application portal, the user simply clicks their username, then selects Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.
|
2 |
Open the Cloud Access Manager Portal using the desktop shortcut Cloud Access Manager Application Portal. |
|
3 |
Log in to the Cloud Access Manager Portal and click the application. When a user first accesses an application configured for proxy-less form fill they are presented with a pop-up to enter their login credentials. Cloud Access Manager will then pass the credentials to the application's target URL and store them in the user's Password Wallet for future access. |
|
5 |
From the application, click Sign Out and close Internet Explorer. |
|
7 |
Click the application and you are signed in automatically. |
Configuration of an application for proxy-less form fill is now complete.
Further considerations
When you have added an application to Dell™ One Identity Cloud Access Manager, you may want to ensure that users only access the application using Cloud Access Manager. This may be required if you are using Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the Dell™ One Identity Cloud Access Manager Security and Best Practice Guide.
SAML federation
|
1 |
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page. |
|
2 |
Click Configure Manually. |
|
3 |
|
4 |
If your service provider provides metadata for configuration, follow the instructions in this step to automatically configure the federation settings in Cloud Access Manager. Otherwise proceed to Step 5 to manually configure the federation settings. In the Federation Metadata URL field enter the federation metadata URL provided by your service provider. Alternatively, click Browse to locate the file containing federation metadata. Please refer to your service provider’s configuration interface for assistance locating this information. |
|
5 |
Enter the Recipient value for your SAML application, for example: https://www.google.com/a/<your_google_domain>/acs for Google Apps service If your service provider provides multiple Assertion Consumer Service (ACS) endpoints then you can add multiple entries by supplying an Index and Recipient for each entry. Click Add ACS Entry to add a new entry. Select the Default check box for the entry that will be the default if no Assertion Consumer Service URL or Index is specified in the SAML Authentication request. |
|
6 |
Enter the Audience / SP Identity value for your SAML application, for example, google.com for Google Apps™ service. |
|
7 |
If your service provider supports SAML logout enter the logout URL in the Application Logout URL field. |
|
NOTE: For logout requests to be sent to federated applications you must enable the Log out of federated applications on session termination option in Settings | Configuration Settings. |
|
• |
If your service provider signs their SAML Authentication requests, click the first Choose File button to upload the certificate used to sign the request. This certificate will then be used by Cloud Access Manager to verify the SAML Authentication requests have come from a trusted source. |
|
• |
If your service provider requires SAML Authentication responses to be encrypted, click the second Choose File button to upload the certificate used to encrypt the response. This certificate will be used by Cloud Access Manager to encrypt the assertion element of the SAML response. To proceed, click Next. |
|
9 |
|
10 |
Select the Derive the username from an attribute option and enter an attribute name of mail, then click Next. |
|
NOTE: This option uses the user’s email address stored in Active Directory® as their application username, known as the user’s SAML subject. You can change the suffix if required to match your Google domain. |
|
NOTE: Cloud Access Manager allows users to request their own application accounts. If the user is in a group that is authorized to access a particular application, the user can have a user account automatically created for them as they select it from their application catalog and add it to their portal page. Cloud Access Manager includes directory connectors, which allow user accounts to be provisioned from Cloud Access Manager into Google Apps™ service, Salesforce.com® and Microsoft® Office 365™. When a user adds an application to their portal page by selecting it from their application catalog, Cloud Access Manager automatically checks whether they already have a user account in that application’s directory. If the user does not, then an account is created for him or her through one of its directory connectors. The following three steps are for just-in-time provisioning of users and will only be displayed for applications for which Cloud Access Manager can provision users, such as Google Apps and Salesforce. |
|
11 |
Enter the credentials of a user account to provision new user accounts. Use the Test Connection button to validate the credentials before clicking Next.  |
|
14 |
Click Next to continue. |
|
15 |
You will now see the Permissions page, which enables you to control the users who can access the application. By default, all Active Directory users have access to the application. You can restrict access to the application to users who belong to a specific Active Directory security group, but for this demonstration deployment, simply click Next to allow all Active Directory users access to the application. |
|
17 |
You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. |
|
18 |
|
19 |
|
20 |
Click Finish to complete the configuration of the application. |
|
21 |
Click Download Certificate to download the certificate created by Cloud Access Manager to import into your SAML application. In addition, make a note of the Issuer/IDP Service URL as this may be required by your SAML application. Click Close. |
|
NOTE: The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user’s portal page, and how the user can manage the application from the application portal. The options are shown in Table 4. |
|
|
|
|
|
|
|
|
|
|
|
To access the application catalog from the application portal, the user simply needs to click their username, then select Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.
Cloud Access Manager configuration is now complete.
Cloud Access Manager configuration is now complete.
|
1 |
|
2 |
|
3 |
Click Set up Single Sign-on (SSO). |
|
4 |
Select Enable Single-Sign-on. |
|
5 |
Enter the Cloud Access Manager Issuer/IDP Service URL that you noted in Step 21, into the Sign-in page URL and Change password URL fields. For example, enter: |
|
6 |
In the Sign-out page field, enter the URL: |
|
7 |
From the Verification certificate section, click Browse. Navigate to the Cloud Access Manager certificate obtained in the previous section, then click Upload. |
|
8 |
Click Save Change. |
For information on how to use the user mapping tool, please refer to the guide entitled Dell™ One Identity Cloud Access Manager How To Configure User Mapping.
|
1 |
Close Internet Explorer® to end your Cloud Access Manager session. |
|
2 |
Use the desktop shortcut Cloud Access Manager Application Portal to open the Cloud Access Manager portal. |
|
3 |
|
4 |
Browse to the Application Portal and click the Google Apps application. You are signed in automatically. |
Configuration of Google Apps for SSO is now complete.
Configuring advanced SAML token settings
In most situations the SAML token produced by Dell™ One Identity Cloud Access Manager in response to an authentication request is accepted by the service provider. If the service provider has special requirements for the way the token is configured then you may modify the token options on the SAML Token Settings tab for the application.
Any settings changed on this page will only affect the selected application.
|
For a description of the available configuration options, please refer to Table 5.
|
The number of minutes before the token IssueInstant to set the NotBefore attribute in the Conditions element. |
||||||
|
The number of minutes after the token IssueInstant to set the NotOnOrAfter attribute in the Conditions and SubjectConfirmationData elements. |
||||||
|
The value of the Format attribute of the NameID element in the Subject. |
||||||
|
How the SAML token is signed. There are three options:
|
||||||
|
How attributes with multiple values are output in the SAML token. There are two options: <Attribute Name="urn:example/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
|
||||||
|
How the Assertion element is encrypted, there are two options:
|
||||||
|
When the authentication request is expected to be signed. There are two options:
|
||||||
|
When the logout request is expected to be signed. There are two options:
|
||||||
|
The binding that will be used when sending logout requests to the application. Select Disabled to not send logout requests. |