Configuration

Add IdP Authentication Server

  1. Log on to the HySecure management console.

  2. Go to Settings > Authentication Servers and click Add.

  3. Select SAML IDENTITY PROVIDER.

Define General Settings

Upload the metadata file received from the SAML IdP to configure all the details automatically.

SAML Protocol settings

Once the metadata is uploaded, all the fields in SAML PROTOCOL SETTING will be auto-populated.

IdP Issuer URI

Unique identifier of the IdP server. This is a string value or a URI and must match the IdP identifier configured on the IdP server.

IdP Single Sign-On URL

Authentication URL of the IdP server. The SAML SP redirects unauthenticated users to this URL.

IdP Signature Certificate

The public certificate of the IdP, shipped with the IdP metadata. It is used to verify the signature of the SAML response that comes from the IdP.

Request Binding

SAML 2.0 defines the following bindings:

  • HTTP Redirect Binding

  • HTTP POST Binding

  • HTTP Artifact Binding

HySecure supports the HTTP Redirect and HTTP POST bindings.

For SP-initiated SAML, HTTP Redirect is used.

It is recommended to set this value to HTTP Redirect Binding.

Request Signature

Whether the SAML AuthnRequest sent by the SP must be signed. If enabled, a signature is added to the SAML AuthnRequest. It is recommended to keep this checked.

Response Signature Verification

This field specifies which element of the SAML response must carry the signature that is verified.

It is one of the following:

  1. Response

  2. Assertion

  3. Response + Assertion

It is recommended to keep the value as Response.

Response Signature Algorithm

Select the signature algorithm to be used. The following algorithms are supported:

  1. SHA1

  2. SHA256

It is recommended to keep the value as SHA256.

Sample AuthNRequest without signature

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_809707f0030a5d00620c9d9df97f627afe9dcc24" Version="2.0"
    ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z"
    Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

Sample AuthNRequest with embedded signature

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0"
    ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z"
    Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <!-- The Issuer of an SP-initiated request is the SP Issuer URI -->
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <!-- This sample signs with rsa-sha1; SHA256 is the recommended setting -->
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <!-- The Reference URI points at the ID of the element being signed -->
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><!-- base64 signing certificate omitted --></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```
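The following Python example is added here and is not part of the HySecure documentation or product. It builds an unsigned AuthnRequest with the same elements as the samples above and encodes it for the HTTP Redirect binding that the Request Binding setting recommends (raw DEFLATE, base64, URL-encoding), then decodes it the way an IdP does on receipt. The hostnames, request ID and RelayState are constructed placeholders. `redirect_query` also produces the exact string an SP signs when Request Signature is enabled with an rsa-sha256 SigAlg; the RSA signing step itself is left to the SP's key holder and is not performed here.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# SigAlg identifiers for the two algorithms the page lists; SHA256 is the recommended one.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id, sp_issuer, acs_url, idp_sso_url, issue_instant,
                        nameid_format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"):
    """Serialise an unsigned AuthnRequest with the same elements as the page's sample.

    sp_issuer is the SP Issuer URI, acs_url the Assertion Consumer Service URL and
    idp_sso_url the IdP Single Sign-On URL described in the settings on this page.
    """
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        # The request travels by HTTP Redirect; the IdP's Response comes back by HTTP POST.
        "ProtocolBinding": BINDING_POST,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_issuer
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def redirect_query(authn_request_xml, relay_state=None, sig_alg=None):
    """Encode the request for the HTTP Redirect binding: raw DEFLATE, base64, URL-encode.

    When sig_alg is given, SigAlg is appended and the returned string is exactly the
    octet string the SP signs; the signature then goes into a trailing Signature=
    parameter. The signing itself is not done here (it needs the SP's private key).
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    parts = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state:
        parts.append(("RelayState", relay_state))
    if sig_alg:
        parts.append(("SigAlg", sig_alg))
    return urllib.parse.urlencode(parts)


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """The URL the user's browser is redirected to (unsigned request)."""
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + redirect_query(authn_request_xml, relay_state)


def decode_redirect_request(url):
    """What the IdP does on receipt: base64-decode and inflate SAMLRequest back to XML."""
    query = urllib.parse.urlparse(url).query
    encoded = urllib.parse.parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def authn_request_summary(authn_request_xml):
    """Pull out the fields an IdP matches against its stored SP configuration."""
    root = ET.fromstring(authn_request_xml)
    return {
        "issuer": root.find(f"{{{SAML}}}Issuer").text,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": root.find(f"{{{SAMLP}}}NameIDPolicy").get("Format"),
    }


if __name__ == "__main__":
    # Constructed values; the hostnames are placeholders, not a real deployment.
    xml = build_authn_request("_constructed-request-1", "https://hysecure.example.com/sp",
                              "https://hysecure.example.com/saml-idp/corp-idp",
                              "https://idp.example.com/sso", "2024-01-01T00:00:00Z")
    url = redirect_binding_url("https://idp.example.com/sso", xml, relay_state="/portal")
    print(url)
    print(authn_request_summary(decode_redirect_request(url)))
```

The IdP side must decode the query string with the same URL-encoding the SP applied before checking a redirect signature, which is why `redirect_query` builds the signed string and the query string from one call rather than re-encoding them separately.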

Service Provider Settings

SP Issuer URI

Unique identifier or URI of the service provider. This is a string value. It must match the corresponding SP Issuer name on the IdP server.

This field goes as “entityID” in the metadata file and as “Issuer” in the SP-initiated SAML request.

Assertion Consumer Service URL

The IdP sends the SAML response back to this URL. The format of the URL is:

domain name/saml-idp/<Identity provider name>

Only the HySecure domain name must be changed; the rest of the URL must not be modified by the admin.

This field corresponds to the “Location” field in the metadata file.

SP Initiated URL

This URL signifies to the IdP that the SAML request was generated from this particular URL; from the IdP's point of view it is the origin of the SAML request.

The format of the URL is:

domain name/saml-login/<Identity provider name>

Only the HySecure domain name must be changed; the rest of the URL must not be modified by the admin. This is an internal URL and is not visible to the IdP.

Name ID Format

This field specifies the format of the Subject NameID in the SAML response. It is one of the following:

  1. Unspecified: It can be anything (default)

  2. Email Address

  3. Persistent

  4. Transient

Authentication settings

The following details are required to map attributes from the IdP to the SP.

IdP Username

The username can be taken from one of the following:

  • IdP User Subject Name ID: The Name ID (the username for HySecure login) is fetched from the Subject of the response.

  • IdP User Attribute element: This requires an attribute statement whose attribute name is agreed between the IdP and the SP.

SAML Email Attribute

The SAML email attribute must be named email.

SAML Mobile No. Attribute

The SAML mobile number attribute must be named mobile.
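The following Python example is added here and is not HySecure's code. It shows the structural checks an SP applies to an incoming SAML Response before trusting it, tied to the settings on this page: the Destination must equal the Assertion Consumer Service URL, the Audience must name the SP Issuer URI, the signature must sit on the element(s) selected under Response Signature Verification, and the username is then taken either from the Subject NameID or from an agreed attribute, with `email` and `mobile` read under the attribute names this page requires. The sample response, its hostnames and its attribute values are constructed; the SignatureValue is a placeholder, and the cryptographic XML-DSIG verification against the IdP Signature Certificate is left to the SAML stack.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The three options of the Response Signature Verification setting, mapped to the
# elements that must each carry a ds:Signature.
SIGNATURE_POLICIES = {
    "Response": {"Response"},
    "Assertion": {"Assertion"},
    "Response + Assertion": {"Response", "Assertion"},
}

# Constructed sample (not a real IdP's output): signed at Response level only, NameID in
# the Subject, and the email/mobile attributes named as this page requires.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-response-1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z"
    Destination="https://hysecure.example.com/saml-idp/corp-idp">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://hysecure.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mobile"><saml:AttributeValue>+15550100</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signature_locations(root):
    """Which elements carry a ds:Signature child: a subset of {"Response", "Assertion"}."""
    found = set()
    if root.find("ds:Signature", NS) is not None:
        found.add("Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None and assertion.find("ds:Signature", NS) is not None:
        found.add("Assertion")
    return found


def consume_response(xml_text, acs_url, sp_issuer, signature_policy,
                     username_source="IdP User Subject Name ID", username_attribute=None):
    """Structural checks an SP applies before trusting the identity in a Response.

    Signature presence is checked against the configured policy only; the XML-DSIG
    verification against the IdP Signature Certificate belongs to the SAML stack.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Assertion Consumer Service URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    missing = SIGNATURE_POLICIES[signature_policy] - signature_locations(root)
    if missing:
        problems.append("no signature on " + ", ".join(sorted(missing)))
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_issuer not in audiences:
        problems.append("Audience does not include the SP Issuer URI")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if username_source == "IdP User Subject Name ID":
        nameid = root.find(".//saml:Subject/saml:NameID", NS)
        username = nameid.text if nameid is not None else None
    else:  # "IdP User Attribute element": attribute name agreed between IdP and SP
        username = attrs.get(username_attribute, [None])[0]
    if not username:
        problems.append("no username could be derived")
    return {
        "ok": not problems,
        "problems": problems,
        "username": username,
        "email": attrs.get("email", [None])[0],    # attribute must be named "email"
        "mobile": attrs.get("mobile", [None])[0],  # attribute must be named "mobile"
    }
```

With the policy set to Response the sample passes; with Response + Assertion it is rejected because the Assertion carries no signature of its own, which is the behaviour an operator should expect after changing that setting without the IdP signing assertions. Presence of a signature is not verification: the SAML stack must still validate the signature against the IdP Signature Certificate and confirm that the signed Reference covers the element the identity is read from.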

Configure SAML Authentication for Cluster

For High Availability, the HySecure cluster should use URLs containing a fully qualified domain name (FQDN) reachable by both internal and external users. Internal users should see an FQDN resolvable within the LAN, while external users should see one resolvable over the internet. Ideally, the same fully qualified domain name (FQDN) should be used for both internal and external DNS resolution, assuming that the local area network (LAN) users can reach the public IP address.

The URL and certificate hostname are more important than the actual hostname of the HySecure hosts.