Configuration
Authentication Servers
In addition to the local database of users who can authenticate to HySecure, you can configure authentication servers that allow integration with LDAP-based directories such as Active Directory or with RADIUS-based authentication systems. Once configured, these Authentication Servers become available in the Authentication Domain and Access Controls pages.
Adding Authentication Server
- Open HySecure management console.
- Click to expand Access Management, and then click Authentication Servers.
- Click Add to specify a new Authentication Server.
- Select SAML IDENTITY PROVIDER from Server type.
Configure SAML IDP Authentication in HySecure
The process to enable a SAML based external IDP server is as follows:
- Add the SAML IDP as an authentication server in HySecure, either using the IDP metadata file or by configuring the settings manually.
- Configure Accops HySecure as a SAML SP in the SAML IDP configuration, either using the Accops SP metadata file or by configuring the settings manually.
Adding SAML IDP in HySecure
- Get the IDP metadata from the SAML IDP which needs to be integrated.
- Login to HySecure and access the management console.
- Go to the menu “Add Authentication Server”.
- Select the authentication server type as SAML IDP.
- Upload the IDP metadata.
- Define the SAML response attributes on the portal.
- Save the configuration form.
- The option to download the Accops HySecure SP metadata will be enabled against the IDP.
- Download the metadata from the list of authentication servers and import the metadata file in the IDP.
Define General Settings
Upload the metadata file received from the SAML IDP to configure all details automatically.
SAML Protocol settings
Once the metadata is uploaded, all the fields in SAML PROTOCOL SETTING are auto-populated. Given below are the details of the feature and the UI.
Sr No | Setting Name | Description |
---|---|---|
01 | IdP Issuer URI | Unique identifier of the IDP server. This is a string value or a URI and must match the IDP identifier on the IDP server. |
02 | IdP Single Sign On URL | Authentication URL of the IDP server. The SAML SP redirects unauthenticated users to this URL. |
03 | IdP Signature Certificate | The public certificate of the IDP, shipped with the IDP metadata. It is used to verify the signature of the SAML response that comes from the IDP. |
04 | Request Binding | SAML 2.0 defines several bindings; HySecure supports HTTP Redirect and HTTP POST. HTTP Redirect is used for SP-initiated SAML, so it is recommended to set this value to HTTP Redirect Binding. |
05 | Request Signature | Whether the SAML AuthnRequest sent by the SP is signed. If enabled, the signature is added to the SAML AuthnRequest. It is recommended to keep this checked. |
06 | Response Signature Verification | Selects which element of the SAML response the IDP signature is expected on and verified against. It is recommended to keep the value as Response. |
07 | Response Signature Algorithm | Selects the signature algorithm to be used from the supported algorithms. SHA256 is the recommended algorithm. |
Sample AuthNRequest without signature

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0"
    ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z"
    Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
AuthNRequest with embedded signature

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0"
    ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z"
    Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://idp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
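To show how the protocol settings above fit together, the following added example (not HySecure's own code) builds an unsigned SP-initiated AuthnRequest shaped like the sample and encodes it for the HTTP Redirect binding the page recommends. The hostnames and the SP Issuer URI are hypothetical, and request signing (SigAlg/Signature query parameters) is omitted.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed settings (hypothetical hostnames, not a real deployment) that
# mirror the page's SAML PROTOCOL and SERVICE PROVIDER settings.
IDP_SSO_URL = "https://idp.example.com/SSOService"            # IdP Single Sign On URL
SP_ISSUER_URI = "https://hysecure.example.com/sp"             # SP Issuer URI
ACS_URL = "https://hysecure.example.com/saml-idp/ExampleIdP"  # Assertion Consumer Service URL
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def build_authn_request(request_id=None, issue_instant=None):
    """Build an unsigned SP-initiated AuthnRequest shaped like the page's sample."""
    # XML IDs must not start with a digit, hence the leading underscore.
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ISSUER_URI}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{EMAIL_FMT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode("ascii")


def decode_redirect(saml_request):
    """Inverse of encode_redirect: what the IDP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def build_redirect_url(request_id=None, issue_instant=None):
    """Full URL the SP redirects an unauthenticated browser to (SAMLRequest only)."""
    xml = build_authn_request(request_id, issue_instant)
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": encode_redirect(xml)})


if __name__ == "__main__":
    print(build_redirect_url())
```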
Service Provider Settings
Given below are the details of the feature and the UI.
Sr No | Setting Name | Description |
---|---|---|
01 | SP Issuer URI | Unique identifier (URI) of the service provider. This is a string value and must match the corresponding SP Issuer name on the IDP server. It is sent as “entityID” in the metadata file and as “Issuer” in the SP-initiated SAML request. |
02 | Assertion Consumer Service URL | The IDP sends the SAML response back to this URL. The format of the URL is: domain name/saml-idp/<Identity provider name>. Only the HySecure domain name must be modified; the rest of the URI must not be changed by the admin. This field corresponds to the “Location” field in the metadata file. |
03 | SP Initiated URL | This URL signifies to the IDP that the SAML request was generated from this particular URL; from the IDP's point of view it is the origin of the SAML request. The format of the URL is: domain name/saml-login/<Identity provider name>. Only the HySecure domain name must be modified; the rest of the URI must not be changed by the admin. This is an internal URL and is not visible to the IDP. |
04 | Name ID Format | Describes the format of the SUBJECT NameID in the SAML response. |
Authentication settings
Given below are the details of the feature and the UI.
NOTE: As part of attribute mapping, all the attributes below must be requested from the IDP and mapped all the way through to the SP.
S.No. | Setting Name | Description |
---|---|---|
1 | IdP Username | The username attribute can be one of the following. IDP User Subject Name ID: the Name ID (the username for HySecure login) is fetched from the Subject field of the response. IDP User Attribute element: this requires an attribute statement, defined as mutually agreed between the IDP and the SP. |
2 | SAML Email Attribute | The SAML email attribute must have the name "email". |
3 | SAML Mobile No. Attribute | The SAML mobile number attribute must have the name "mobile". |
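The added example below (not HySecure's own code) applies the settings from the two tables above to a constructed SAML response: it checks Issuer against the IdP Issuer URI, Destination against the Assertion Consumer Service URL, requires a Response-level signature using SHA256, and then extracts the username from the Subject NameID plus the "email" and "mobile" attributes. URLs and values are hypothetical; cryptographic verification of the signature against the IdP Signature Certificate is left to an XML-DSig library and is not performed here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SAML Response (hypothetical URLs, placeholder signature value) carrying
# the three items this page maps: Subject NameID, "email" and "mobile".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
 Destination="https://hysecure.example.com/saml-idp/ExampleIdP">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_r1"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1"><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mobile"><saml:AttributeValue>+10000000000</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""


def map_saml_response(xml, idp_issuer_uri, acs_url):
    """Structural checks from the page's settings, then attribute mapping.
    Signature bytes are NOT verified here; do that with an XML-DSig library first."""
    root = ET.fromstring(xml)  # use a hardened XML parser for untrusted input
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != idp_issuer_uri:
        problems.append("Issuer does not match IdP Issuer URI")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match Assertion Consumer Service URL")
    sig = root.find("ds:Signature", NS)  # direct child: signature over the Response
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    if method is None or method.get("Algorithm") != RSA_SHA256:
        problems.append("no Response-level signature with RSA-SHA256")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "username": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS),
        "email": attrs.get("email"),
        "mobile": attrs.get("mobile"),
        "problems": problems,
    }
```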
Download SP Meta Data
Once the SAML configuration is saved, the SP metadata can be downloaded from the portal option shown below.
Clicking the option highlighted in yellow in the screenshot above downloads the service provider metadata, which must be shared with the concerned IDP provider.
Configure SAML Authentication for Cluster
In a cluster (High Availability) configuration of HySecure, all HySecure URLs must contain a fully qualified domain name that is reachable by the end users. External users should see an FQDN that is resolvable over the Internet, and internal users must see an FQDN that is resolvable within the LAN. If possible, the FQDN of HySecure should always resolve to the public IP address irrespective of user location, assuming the LAN users can reach the public IP address.
The actual hostname of the HySecure hosts does not matter. What matters is the URL visible in the browser and the hostname (the subject or "issued to" field) in the certificate installed on the HySecure host.
Certificate of HySecure Used for SAML Authentication
The certificate used for SAML configuration is placed in the HySecure certificate store at the following location:
/home/fes/fescommon/