
Configuring General SAML 2.0 Application

In the SSO Portal, you can configure your IdP (Identity Provider) using the standard SAML 2.0 interface. With this integration, Infoblox Platform products can be integrated with your identity solution. Optionally, you can define mappings between user groups in your IdP and user groups within Infoblox Platform, which will automatically assign permissions for users within Infoblox Platform. If this mapping is not defined, permissions can be manually set in the Infoblox Portal. The SSO Portal integration will also provide identity information for the Infoblox Support Portal.

To set up SAML 2.0 authentication with a SAML 2.0 compliant IdP, you complete the following main procedures:

  • Configure your IdP using the HUB ACS URL and Audience URI values from the Infoblox SSO Portal.
  • Configure the Infoblox SSO Portal, which sets up Infoblox with the IDP Single Sign-On URL, IDP Issuer URI, and Signature Certificate values from your IdP.

Note

To integrate SAML federation with the SSO Portal, you must add information about the Infoblox SSO to your IdP, so it knows how to receive and respond to SAML authentication requests. Ensure that you find the appropriate screens and fields when configuring for your specific IdP. For information about required fields and values for your configuration, see Required Fields and Values for Configuring SAML 2.0 below.

Before you configure the SAML 2.0 federation, ensure that you have already completed the following:

To integrate SAML 2.0 federation with the SSO Portal, complete the following:

  1. Log in to the Infoblox SSO Portal and obtain the following values: HUB ACS URL and Audience URI.
  2. Log in to your IdP console and locate the screens in your IdP that allow you to configure SAML and start configuring a SAML 2.0 connection with your IdP as the Identity Provider.
  3. Your IdP needs to know where to send the SAML assertions after it has authenticated a user. Your IdP may call this the Assertion Consumer Service URL, the Single Sign-On URL, or the Application Callback URL. Set this field to the Infoblox SSO Portal's HUB ACS URL value.
  4. In your IdP, locate a field called Audience or EntityId. Set this field to the Infoblox SSO Portal's Audience URI value.
  5. If the IdP provides a choice for bindings, select HTTP-POST for authentication requests.
  6. Configure your IdP to provide the Subject name-id format as emailAddress. The Subject NameID in the SAML assertion must be the user’s email address, and the email address must have a domain name that matches the domain for which the federation is being configured.
  7. If your IdP provides a choice for mapping the application username, choose Email.
  8. Optionally, to set up group mapping from your IdP to the Infoblox Portal, configure your IdP to include group information in the SAML authentication response. Configure this SAML connection to include your desired IdP groups in an attribute called 'groups' in the authentication response SAML assertion.
  9. At some point during or immediately after the SAML setup in the IdP, obtain the following values from the IdP and set these values in the Infoblox SSO Portal:
    1. IDP Single Sign-On URL
    2. IDP Issuer URI
    3. Signature Certificate (minimum digital signature of SHA-256 is required)

  10. When the SAML application configuration is complete, verify that the admin and users are assigned to the SAML application in your IdP.
    Ensure that all desired users in the domain are assigned to the SAML application. Neglecting to do so will result in authentication failures for all unassigned users.

  11. When all desired users and groups have been assigned to the Infoblox SAML connection, you can log out of the IdP instance and complete the IdP configuration in the SSO Portal.

  12. Log in to the Infoblox SSO Portal, go to Authentication -> 3rd Party IdP, and then click Configure SAML.

  13. Enter the following values that you have copied from the SAML configuration in your IdP:
    1. IDP Single Sign-On URL: Identity Provider Single Sign-On URL.
    2. IDP Issuer URI: Identity Provider Issuer.
    3. Signature Certificate: the Base64 body of the X.509 certificate, without the BEGIN CERTIFICATE and END CERTIFICATE lines. The SSO Portal supports Base64 certificates with the following file extensions: .crt, .pem, and .ca-bundle. Minimum digital signature of SHA-256 is required.

      If you receive an error message about the certificate, check for extra spaces: go to the beginning of the last line of the certificate and press Backspace to remove the extra spaces at the end of the previous line. Repeat this for any other lines that might include extra spaces.

  14. Click Save & Close.
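As an added example (not part of the Infoblox documentation), the following Python helper prepares a pasted IdP signing certificate for the Signature Certificate field in step 13: it strips the BEGIN/END lines and the extra spaces that cause the error described above, and confirms that what remains is Base64 that decodes to a DER SEQUENCE, as every X.509 certificate does. The sample paste is a constructed stand-in, not a real certificate, and the helper does not check the signature algorithm, so the SHA-256 requirement still has to be confirmed in the IdP.

```python
import base64
import binascii


def normalize_certificate(pasted):
    """Clean a pasted signing certificate for the SSO Portal's Signature Certificate field.

    Drops the -----BEGIN/END CERTIFICATE----- lines, removes leading/trailing spaces on
    every line and blank lines, then confirms the remaining Base64 decodes to DER that
    starts with a SEQUENCE tag (0x30). Returns the cleaned Base64 lines joined by newlines
    and raises ValueError with the reason when the paste cannot be a certificate.
    """
    lines = [raw.strip() for raw in pasted.splitlines()]
    body_lines = [ln for ln in lines if ln and not ln.startswith("-----")]
    if not body_lines:
        raise ValueError("no certificate body found between the BEGIN/END lines")
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE; not an X.509 certificate")
    return "\n".join(body_lines)


# Constructed sample: a PEM wrapper around a tiny fake DER SEQUENCE (not a real certificate),
# with the trailing spaces that make the portal reject the paste.
SAMPLE_PASTE = (
    "-----BEGIN CERTIFICATE-----   \n"
    "MAMCAQU=   \n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(normalize_certificate(SAMPLE_PASTE))
```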

Note

If you encounter any issues in configuring the SAML 2.0 application, see Common SAML 2.0 Federation Issues and Debugging for potential solutions.

Required Fields and Values for Configuring SAML 2.0

There are a few values generated by the Infoblox SSO Portal that are required for configuring your 3rd party IdP to process SAML authentication requests and send SAML authentication responses. There are also a few values generated by your IdP that are required for configuring Infoblox to send SAML authentication requests to the IdP and verify SAML authentication responses from the IdP.

The following table lists the required fields and their usage:

Field: HUB ACS URL
Description: The Infoblox Assertion Consumer Service URL. It is advertised in the SAML 2.0 authentication request and is where the IdP delivers the authentication response.
Usage: You should see this value in both the SAML authentication request and response:
  • In the request, this value is set in the root element, as follows:
    <saml2p:AuthnRequest … AssertionConsumerServiceURL="HUB_ACS_URL" … >
  • In the response, this value is set in the root element, as follows:
    <saml2p:Response … Destination="HUB_ACS_URL" … >

Field: Audience URI
Description: The EntityId of Infoblox, acting as the Service Provider.
Usage: You can see this value in the SAML authentication request in the second-level element, SAML Issuer, as follows:
    <saml2:Issuer …>Audience_URI</saml2:Issuer>

Field: IDP Single Sign-On URL
Description: The URL of your IdP to which SAML authentication requests are sent. This is often called the SSO URL.
Usage: You should see this value in the root element of the SAML authentication request:
    <saml2p:AuthnRequest … Destination="IDP_Single_Sign-On_URL" … >

Field: IDP Issuer URI
Description: The EntityId of your IdP.
Usage: You should see this value in the SAML authentication response in the second-level element, SAML Issuer:
    <saml2:Issuer …>IDP_Issuer_URI</saml2:Issuer>

Field: Signature Certificate
Description: The certificate Infoblox needs to validate the signature of the authentication assertions that have been digitally signed by your IdP. Minimum digital signature of SHA-256 is required.
Usage: Locate the place where you can download the signing certificate from your IdP.

SAML Authentication Request and Response

The following examples have values replaced with their respective names. You can use various tools to trace SAML requests in your browsers.

In the following examples, "..." is the filler for other SAML elements and tags that are irrelevant to configuring a 3rd Party IdP in the Infoblox SSO Portal.

Authentication Request

POST IDP_Single_Sign-On_URL

<saml2p:AuthnRequest …
        AssertionConsumerServiceURL="HUB_ACS_URL"
        Destination="IDP_Single_Sign-On_URL"
        …
        Version="2.0"
        >
    <saml2:Issuer …>Audience_URI</saml2:Issuer>
    …
</saml2p:AuthnRequest>

Authentication Response

POST HUB_ACS_URL

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
          Destination="HUB_ACS_URL"
          ID="id33356491144504744706246728"
          InResponseTo="id225570470515014441659721296"
          IssueInstant="2021-03-31T20:07:17.202Z"
          Version="2.0"
          >
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
          >IDP_Issuer_URI</saml2:Issuer>
    …
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    …
</saml2p:Response>
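As an added example (not from the Infoblox documentation), the following Python script parses a traced SAML response and checks that the values listed in the table above line up with what the SSO Portal was configured with: Destination against the HUB ACS URL, Issuer against the IDP Issuer URI, a Success status, an emailAddress NameID in the federated domain (step 6), and the optional groups attribute (step 8). The endpoint URLs, domain and group name are constructed placeholders, and the sample response is unsigned, so signature validation is deliberately not covered.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied between the SSO Portal and the IdP (constructed placeholders, not real endpoints).
EXPECTED = {
    "hub_acs_url": "https://sso.example-placeholder.com/hub/acs",
    "idp_issuer_uri": "https://idp.example-placeholder.com/entity",
    "federated_domain": "example-placeholder.com",
}

# Constructed, unsigned sample response carrying only the elements this page discusses.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sso.example-placeholder.com/hub/acs" ID="_r1" Version="2.0">
  <saml2:Issuer>https://idp.example-placeholder.com/entity</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example-placeholder.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="groups"><saml2:AttributeValue>dns-admins</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def check_response(xml_text, expected=EXPECTED):
    """Return the mismatches between a SAML response and the values configured in the portal."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["hub_acs_url"]:  # table row: HUB ACS URL
        problems.append("Destination does not match HUB ACS URL")
    if root.findtext("saml2:Issuer", namespaces=NS) != expected["idp_issuer_uri"]:  # IDP Issuer URI
        problems.append("Issuer does not match IDP Issuer URI")
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)  # step 6
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif (name_id.text or "").rsplit("@", 1)[-1].lower() != expected["federated_domain"]:
        problems.append("NameID email domain does not match the federated domain")
    if not root.findall("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute[@Name='groups']", NS):
        problems.append("no 'groups' attribute (optional; group mapping will not apply)")  # step 8
    return problems
```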