Add a Single Sign-on Server

Before you begin

Obtain the following from your SAML identity provider:

  • Identity Provider Entity ID URL

  • Sign-in URL

  • Sign-out URL

  • Identity provider signing certificate. Enroll this certificate in threat defense using the management center web interface (Devices > Certificates) before you create the single sign-on server object.

For more information, see Configuring a SAML Single Sign-On Authentication.

Procedure


Step 1

Choose Object > Object Management > AAA Server > Single Sign-on Server.

Step 2

Click Add Single Sign-on Server and provide the following details:

  • Name—The name of the SAML single sign-on server object.

  • Identity Provider Entity ID—The entity ID (normally a URL) defined on the SAML IdP that uniquely identifies that identity provider. It must match the Issuer value the IdP places in its SAML responses and assertions.

    Typically this is the URL of the page that serves the IdP metadata XML, which describes how the SAML issuer responds to requests.

  • SSO URL—The URL for signing into the SAML identity provider server.

  • Logout URL—The URL for signing out of the SAML identity provider server.

  • Base URL—URL that will redirect the user back to threat defense once the identity provider authentication is done. This is the URL of the access interface configured for the threat defense remote access VPN.

  • Identity Provider Certificate—Certificate of the IdP enrolled into the threat defense to verify the messages signed by the IdP.

    Select an identity provider certificate from the list or click Add to create a new certificate enrollment object.

    For more information, see Managing Threat Defense Certificates.

    You must enroll all of the Microsoft Azure registered application CA certificates as trustpoints on the threat defense. The Microsoft Azure SAML identity provider is configured on threat defense for the initial application, and all connection profiles are mapped to that configured MS Azure SAML identity provider. For each additional MS Azure application (other than the default), choose the required trustpoint (CA certificate) in the connection profile configuration of the remote access VPN.

    For details, see Configure AAA Settings for Remote Access VPN.

  • Service Provider Certificate—The threat defense certificate used to sign SAML requests and to build the circle of trust with the IdP.

    If you have not enrolled internal threat defense certificates, click + to add and enroll a certificate. For more information, see Managing Threat Defense Certificates.

  • Request Signature—Select the hash algorithm used to sign the SAML single sign-on requests that threat defense sends to the IdP. This is a signing algorithm, not encryption; the requests are signed with the service provider certificate.

    The algorithms are listed from weakest to strongest: SHA1, SHA256, SHA384, SHA512. Select None to send unsigned requests. Use SHA256 or stronger where the IdP supports it; SHA1 is deprecated for digital signatures.

  • Request Timeout—Specify how long, measured from the start of the assertion's validity, a user has to complete the single sign-on request. The SAML IdP sets two time limits on an assertion: NotBefore (lower limit) and NotOnOrAfter (upper limit). Threat defense accepts the assertion only if its current time is within the range from NotBefore up to the smaller of (NotBefore plus the configured timeout) and NotOnOrAfter. As a result:

    If NotBefore plus the configured timeout is later than the IdP's NotOnOrAfter, the configured timeout is ignored and NotOnOrAfter is the effective limit.

    If NotBefore plus the configured timeout is earlier than NotOnOrAfter, the configured timeout is the effective limit and shortens the window the IdP granted.

    The timeout can therefore only tighten the IdP's validity window, never extend it. Because this comparison relies on the threat defense clock, keep the device synchronized with NTP; clock skew relative to the IdP causes valid assertions to be rejected.

    The timeout range is 1-7200 seconds; the default is 300 seconds.

  • Enable IdP only accessible on Internal Network—Select this option if the SAML IdP resides on the internal network. Threat Defense acts as a gateway and establishes communication between the users and IdP using an anonymous webvpn session.

  • Request IdP re-authentication on Login—Select this option to authenticate user at each login even if the previous IdP session is valid.

  • Allow Overrides—Select this check box to allow overrides for this single sign-on server object.

Step 3

Click Save.
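The Request Timeout rule above is easy to misread, so the following added example reproduces the documented check in code. This is illustrative code written for this page, not Cisco's implementation: it parses a constructed SAML assertion, confirms the Issuer matches the configured Identity Provider Entity ID, and then applies the window NotBefore up to the smaller of NotBefore plus timeout and NotOnOrAfter. The assertion XML, the issuer URL and the timestamps are constructed sample values; the upper limit is treated as exclusive in both cases, matching SAML's definition of NotOnOrAfter.

```python
"""Validity-window check for a SAML assertion, as described for threat defense.

Added example, not Cisco code. Accepts the assertion only when
    NotBefore <= now < min(NotBefore + timeout, NotOnOrAfter)
and the Issuer matches the configured Identity Provider Entity ID.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: IdP grants a 10-minute window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:10:00Z"/>
</saml:Assertion>"""

# Hypothetical value of the Identity Provider Entity ID field.
CONFIGURED_IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"


def parse_saml_time(value):
    """Parse a SAML xsd:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_deadline(not_before, not_on_or_after, timeout_seconds):
    """Upper limit of the window: the earlier of NotBefore+timeout and NotOnOrAfter.

    The configured timeout can only shorten the IdP's window, never extend it.
    """
    if not 1 <= timeout_seconds <= 7200:  # documented range for Request Timeout
        raise ValueError("Request Timeout must be 1-7200 seconds")
    return min(not_before + timedelta(seconds=timeout_seconds), not_on_or_after)


def assertion_is_valid(assertion_xml, expected_issuer, timeout_seconds, now):
    """Return (accepted, reason) for an assertion evaluated at time `now`."""
    root = ET.fromstring(assertion_xml)

    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        return False, "issuer does not match configured Identity Provider Entity ID"

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion carries no Conditions element"
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))

    deadline = effective_deadline(not_before, not_on_or_after, timeout_seconds)
    if now < not_before:
        return False, "assertion not yet valid (before NotBefore)"
    if now >= deadline:
        if deadline == not_on_or_after:
            return False, "assertion expired (IdP NotOnOrAfter reached)"
        return False, "configured Request Timeout exceeded"
    return True, "ok"


if __name__ == "__main__":
    base = parse_saml_time("2024-05-01T10:00:00Z")
    for timeout, minutes in ((300, 3), (300, 7), (900, 7), (900, 10)):
        ok, why = assertion_is_valid(SAMPLE_ASSERTION, CONFIGURED_IDP_ENTITY_ID,
                                     timeout, base + timedelta(minutes=minutes))
        print(f"timeout={timeout:4d}s now=NotBefore+{minutes:2d}m -> {ok} ({why})")
```

With the default 300-second timeout the user has only until NotBefore+5m even though the IdP allowed 10 minutes; with a 900-second timeout the IdP's NotOnOrAfter wins and the window stays at 10 minutes. Running the block prints one line per case showing which limit applied.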