You are viewing an old version (version 4) of this page.
To manage access authentication for on-prem users and user group synchronization, you must first create authentication profiles that define the authentication protocol and the third-party IdP to use. For more information about access authentication and how to use it to set up automated security policy management, see Managing Access Authentication.

When configuring an authentication profile, you can select any supported protocol and third-party IdP to suit your business requirements. You can create multiple authentication profiles and enable them immediately or save them for later use. An on-prem host can be associated with multiple profiles, but each associated profile must use a different protocol type, and only one of them can be enabled on the host at any given time. For example, you can create four SAML authentication profiles, but you can associate only one of them with a given on-prem host. The same host can additionally be associated with a profile that uses a different protocol, such as OpenID Connect, but you can still enable only one of its profiles at a time.

Important Note

Before you configure an authentication profile, ensure that you understand the prerequisites for configuring applications in the IdPs. For more information, see Prerequisites for Configuring Access Authentication.

To add a new authentication profile, complete the following:

  1. Ensure that you have successfully set up the IdPs of your choice.
  2. From the Cloud Services Portal, click Administration > Access Authentication.
  3. On the Authentication Profiles tab, click Add Configuration, and choose one of the following authentication protocols:
    • SAML: SAML authentication uses the SAML 2.0 protocol to authenticate users. This is an open standard that allows an IdP to pass signed authentication assertions to a service provider.
    • OpenID Connect: OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol that allows clients to verify user identity based on the authentication performed by an authorization server. It supports SSO (single sign-on) and introduces the ID token, a signed token from which the client verifies the identity of the user and obtains basic profile information about the user.
    • LDAP: LDAP allows the use of Microsoft Windows Active Directory to verify the identity of users and user groups. One or more Active Directory servers can be used to implement security policies within an organization.
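The identity check that the OpenID Connect description above relies on, worked through as an added example (not Infoblox code): after the IdP returns an ID token to the client registered in this profile, the client must verify the token before it trusts the user identity inside it. The issuer, client ID, nonce, shared key and claims below are constructed values, and the token is signed with HS256 so the example runs offline; real IdPs normally sign ID tokens with RS256, and the signature must then be checked against the key published at the IdP's JWKS URI.

```python
"""Verify an OpenID Connect ID token before trusting the identity in it.

Added example (Python standard library only), not Infoblox code. Issuer, client
ID, nonce, key and claims are constructed; HS256 is used so the example runs
offline. Production IdPs normally use RS256 and a JWKS-published public key.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"       # constructed IdP issuer
CLIENT_ID = "example-client-id"           # constructed Client ID from the IdP app registration
NONCE = "n-0S6_WzA2Mj"                    # value the client sent in its authentication request
KEY = b"constructed-shared-secret-do-not-reuse"
NOW = 1_700_000_000                       # fixed clock so the example is deterministic

# Constructed claims standing in for what the IdP's token endpoint would return.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
    "iat": NOW, "exp": NOW + 300, "nonce": NONCE,
    "email": "user@example.com",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature, base64url, no padding)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, now=None, leeway: int = 60) -> dict:
    """Return the claims if the token is genuine and meant for this client; raise otherwise.
    The checks follow OpenID Connect Core 1.0, section 3.1.3.7 (ID token validation)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never accept alg=none or an algorithm the IdP did not advertise.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if claims.get("exp", 0) < now - leeway:
        raise ValueError("token expired")
    if claims.get("iat", now) > now + leeway:
        raise ValueError("token issued in the future; check clock skew")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


def demo() -> dict:
    """Issue a sample token and verify it against the values the client expects."""
    token = make_id_token(SAMPLE_CLAIMS, KEY)
    return verify_id_token(token, KEY, ISSUER, CLIENT_ID, NONCE, now=NOW)


if __name__ == "__main__":
    print(demo())
```

The nonce is what ties the ID token to the authentication request the client actually sent; without checking it, a token captured from one session can be replayed into another. Pinning the algorithm and comparing the audience against the Client ID from this profile are the other two checks most often skipped.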

When you choose SAML, complete the following in the Create Authentication Profile SAML dialog, and then click Save or Save & Close to save your configuration:

  • Name: Enter a name for the authentication profile.
  • Description: Enter a description of the authentication profile.
  • State: Use the toggle button to enable or disable the authentication profile. Only an enabled profile is available for on-prem association and user group synchronization.
  • Select 3rd party IDP support: Choose one of the following. Obtain the information required for the fields below from the IdP you choose.
    • Azure AD: Choose this to use Microsoft Azure Active Directory (Azure AD) as the IdP.
    • MS AD: Choose this to use Microsoft Active Directory as the IdP.
    • Okta: Choose this to use Okta as the IdP.
    • Open AM: Choose this to use the open-source OpenAM as the IdP.
  • In the SERVICE PROVIDER DETAILS section, complete the following:
    • Entity ID: This field displays the Entity ID you need for setting up the connection with the third-party IdP. The default is http://captiveportal.infoblox.internal/
    • Assertion Consumer Service URL: This field displays the Assertion Consumer Service URL you need for setting up the connection with the third-party IdP. The default is https://captiveportal.infoblox.internal/saml/login
    • Metadata File: Click Download to download the metadata file that contains information required to set up your IdP. If you download the metadata file, you can use the file for your IdP setup instead of copying the Entity ID and Assertion Consumer Service URL.
  • In the IDENTITY PROVIDER DETAILS section, complete the following:
    • Issuer: Enter the issuer URI of your selected IdP. You can find this information when you configure the SAML application for the selected third-party IdP.
    • SSO URL: Enter the single sign-on URL of your selected IdP. You can find this information when you configure the SAML application for the selected third-party IdP.
    • Signing Certificate: Click Select file to navigate to the signing certificate you downloaded from your selected IdP. This certificate is used to verify the signatures on assertions the IdP sends, so obtain it from the IdP itself.
    • Metadata URL: Select the Use Metadata URL check box and then enter the metadata URL from your IdP. SAML metadata is an XML document that contains the information necessary for interacting with a SAML-enabled identity or service provider; IdP metadata includes the issuer, SSO URL, and signing certificate. When you select this check box, you do not need to enter the Issuer, SSO URL, and Signing Certificate individually. Because the signing certificate is trusted directly from the metadata, use an https:// metadata URL published by the IdP; metadata fetched over plain HTTP could be replaced in transit, certificate included.

When you choose OpenID Connect, complete the following in the Create Authentication Profile OpenID Connect dialog, and then click Save or Save & Close to save your configuration:

  • Name: Enter the name for the authentication profile.
  • Description: Enter a description of the authentication profile.
  • State: Use the toggle button to enable or disable the authentication profile. Only an enabled profile is available for authentication.
  • Select 3rd party IDP support: Choose one of the following:
    • Azure: Choose this to use Microsoft Azure Active Directory as the IdP.
    • Okta: Choose this to use Okta as the third-party IdP.
    • Open AM: Choose this to use the open-source OpenAM as the third-party IdP.
  • In the CLIENT DETAILS section, complete the following:
    • Login Redirect URI: Displays the login redirect URI. Click Copy to copy the value and paste it into your IdP application. The IdP only redirects to URIs registered for the client, so the value must match exactly.
    • Client ID: The identifier the IdP assigned to this application (the OAuth 2.0 client) when you registered it. This is not a user ID.
    • Client Secret: The secret the IdP issued for this client, used to authenticate the client to the IdP's token endpoint. This is not a user password; treat it as a credential and do not share it or reuse it across applications.
  • In the IDENTITY PROVIDER DETAILS section, complete the following:

When you choose LDAP, complete the following in the Create LDAP Authentication Profile dialog, and then click Save or Save & Close:

  • Name: Enter a name for the authentication profile. This is a required field. 
  • Description: Enter a description for the authentication profile.
  • State: Use the toggle switch to enable or disable the authentication profile. Only an enabled profile is used for authentication.
  • LDAP Server Details
    • FQDN/IP: Enter the fully qualified domain name or IP address of the Active Directory (LDAP) server for the MS AD Sync configuration.
    • LDAP Port: Enter the TCP port on which the server accepts LDAP connections. The default is 389. Note that 389 is the plain LDAP port, so traffic on it is unencrypted unless STARTTLS is negotiated; LDAP over TLS (LDAPS) conventionally uses port 636.
    • Distinguished Name: Enter the LDAP distinguished name (DN) to use for the MS AD Sync configuration. A DN is the directory path of an entry, in the form CN=...,OU=...,DC=...,DC=..., not a free-form display name.

For more information about access authentication, see the following:
