Cloud Access Manager 8.1.4 - Configuration Guide

Microsoft Active Directory LDS

This option is an LDAP authenticator with pre-configured attributes for use with Microsoft Active Directory Lightweight Directory Service, please see LDAP authentication, for configuration options.

389 Directory Service

This option is an LDAP authenticator with pre-configured attributes for use with 389 Directory Service, please see LDAP authentication, for configuration options.

Novell eDirectory

This option is an LDAP authenticator with pre-configured attributes for use with Novell eDirectory, please see LDAP authentication, for configuration options.

Windows Azure Active Directory authentication

This section describes how you can configure Cloud Access Manager to use Windows Azure Active Directory for authentication. Before you begin you need to configure an application for Cloud Access Manager so it can authenticate users and obtain lists of users and groups. In addition:

• The Azure Active Directory Provider currently supports a single domain and single tenant application in Azure Active Directory, you should have an Active Directory instance created in your Microsoft Azure cloud subscription.
• The free version of Azure Active Directory can be used, but the Azure Active Directory self-serve password management will not be available. In all cases, newly-created users must not have the Force Change Password On Next Login set.
• Users must login with their full Azure Active Directory username, which should resemble an email address containing your full Azure Active Directory domain name. Azure Active Directory domain names should be of the form, <name>.onmicrosoft.com. Any external users added to your Azure Active Directory cannot be authenticated.

To configure an Azure Active Directory application for use with Cloud Access Manager

1. Log in to the Azure portal.
2. From the navigation pane, click Azure Active Directory.
3. Click App Registrations.
4. Click New application registration.
5. Enter a name for the application (this is simply a description).
6. Enter a Sign-on URL (this is simply a description).
7. From the Application type drop-down, select Web app/API.
8. Click Create. At this point Azure Active Directory creates an Application ID and Object ID. Copy and save this information.
9. From the navigation pane, click Settings.
10. Click Keys to access the Keys page.
11. Enter a description and select an expiration date for the key.
12. Click Save. At this point you MUST copy and save the key value as it will not be available again and it is required for configuring Cloud Access Manager. The key corresponds with the Application Key in Cloud Access Manager.
13. Click App Registrations.
14. Click Endpoints.
15. Copy and save the MICROSOFT AZURE AD GRAPH API ENDPOINT and OAUTH 2.0 TOKEN ENDPOINT values. These values correspond with the Windows Azure AD Graph API Endpoint and OAuth 2.0 Token Endpoint in Cloud Access Manager.

To configure Azure Active Directory authentication

1. Log in to the Administration Console and select Add New from the Front-end Authentication section on the home page.
2. Select Azure Active Directory, then click Next. The Connection Settings page is displayed.
   1. In the Client ID field, enter the Application ID from the Azure AD portal.
   2. In the Application Key field, enter the key that you created in the Azure portal.
   3. In the Windows Azure AD Graph API Endpoint field, enter the MICROSOFT AZURE AD GRAPH API ENDPOINT from the Azure portal App Endpoints page.
   4. In the OAuth 2.0 Token Endpoint, enter the OAUTH 2.0 TOKEN ENDPOINT from the Azure portal App Endpoints page.

   5. When you have entered the required configuration information, click Test Connection to verify the configuration.

      NOTE: If the connection fails, you will need to change the delegated permission values in Azure AD. Log in to the Azure portal. From the navigation pane, click Azure Active Directory. Click App Registrations. Change to All Apps and click your application. From the navigation pane, click Settings. Click Required Permissions. Select the Windows Azure Active Directory API and click Grant Permissions. Select the Read directory data Delegated permission. Click Save. From the Required Permissions page, click Add. Select Microsoft Graph. Select the Read directory data Delegated permission. Click Save.

   6. Once the connection has been successfully tested, click Next.

3. The settings on the Primary Authentication screen are split into three sections. When complete, click Next.

   The first section is used to determine whether or not users are allowed to use social authenticators, for example Facebook or Google, and link to the selected authenticator when authenticating to Cloud Access Manager.

   

   The second section determines whether users’ credentials are stored for accessing other applications. If selected, the credentials used to authenticate to Cloud Access Manager are stored as the Primary Credentials in the user’s Password Wallet. Please refer to Primary credentials for details.

   The third section is used to determine how users are challenged for their Windows credentials, you must choose at least one option. Cloud Access Manager checks for credentials presented in the following order of precedence:

   1. Enable kerberos authentication — Cloud Access Manager will check for a Kerberos ticket generated during Windows domain login and supplied by the browser. If the Kerberos ticket is present and valid, then the user will be successfully logged in.

      Successful Kerberos authentication requires correct configuration of the user's browser. Please refer to Microsoft Active Directory authentication for details. In addition some browsers do not support Kerberos authentication. Please refer to the One Identity Cloud Access Manager Installation Guide for browsers that support Integrated Windows Authentication.

   2. Enable smart card authentication — Users are given the opportunity to present an X.509 certificate in order to log in to Cloud Access Manager. The X.509 certificate may be located on a smart card or in the client computer's certificate store. If the certificate is invalid or expired the login attempt will be rejected. Please refer to the section Configuring smart card authentication for details.
   3. Enable forms authentication — Users are prompted for their Azure Active Directory username and password using a login form.

   NOTE: If you enable social authentication, storing credentials from the authenticator is required, this in turn requires that forms authentication is the only enabled authentication method. Storing credentials is required as Cloud Access Manager needs to verify if the linked account used for primary authentication is still valid, for example the account is not disabled, or the password has not expired when authenticating using a social authenticator. If a user attempts to authenticate with a social authenticator and the linked account is not valid, the user will be prompted to enter the correct credentials for the primary authenticator.

   NOTE: If you enable social authentication, we recommend that you set linked accounts to have a long password expiry, this allows seamless authentication using the social authenticator.

4. If you require two factor authentication each time users authenticate to Cloud Access Manager, select Use two factor authentication for all applications from the Two factor authentication mode list. Select the method of authentication from the Type of two factor authentication list.

   For information on how to configure the various authentication types or how to configure two factor authentication only for specific users or applications, refer to Configuring step-up authentication. When compete, click Next.

5. In the Authenticator Name field, enter the name that will be used to identify the authenticator within Cloud Access Manager, then click Finish.

   NOTE: This name will be seen by Cloud Access Manager users during authentication if multiple authentication methods have been configured.

6. You have now created the front-end authentication method. Click Edit Roles.

   Before Cloud Access Manager administrators and users can log in to Cloud Access Manager using their Azure Active Directory credentials, you must tell Cloud Access Manager how to identify administrators and users based on their Azure Active Directory group membership. For example, the Domain Admins group for Cloud Access Manager administrators and the Domain Users group for regular Cloud Access Manager users.

7. Click Admin.

8. Click +Add User.

   

9. Select the new Azure Active Directory authentication method from the list.
10. Use the search box to locate the group whose members are to be granted access to the Cloud Access Manager Administration application, then select the group from the list.
11. Click Save.
12. Now repeat the process for the Cloud Access Manager users. Click Users.
13. Click +Add User.
14. Select the new Azure Active Directory authentication method from the list.
15. Select a group from the list whose members are to be granted access to the Cloud Access Manager application portal.
16. Click Save.

Click Close to return to the Cloud Access Manager Administration Console. The configuration is now complete. Cloud Access Manager administrators and users can now log in to Cloud Access Manager using their Azure Active Directory credentials