Configuring Authentication Profiles

To manage access authentication for on-prem users and user group synchronization, you must first create profiles that define the authentication protocols and choose the third-party IdPs you want to use. For more information about access authentication and how to utilize it to set up automated security policy management, see Managing Access Authentication.

You can configure an authentication profile by choosing one of the supported protocols and IdPs, and then associate the profile with a server so users in your organization can be authenticated for specific Infoblox Service and resources. When you enable the Access Authentication service on a server, you integrate a third-party IdP federation to retrieve user group data, so you can build security policies based on user groups.

When configuring an authentication profile, you choose a supported protocol and third-party IdP to suit your business requirements. You can create multiple authentication profiles and enable one of them immediately and save the others for future use. Note that you can enable only one profile at a time. However, you can associate multiple profiles with a server as long as the profiles have different protocol types. For example, you can create four SAML authentication profiles for future use, but you can associate and enable only one of them with a server at any given time. The same server can however be associated with another profile as long as the profile uses a different protocol type, such as LDAP or OpenID Connect.

Important Note

Before you configure an authentication profile, ensure that you understand the prerequisites for configuring applications in the IdPs. For more information, see Prerequisites for Configuring Access Authentication.

To add a new authentication profile, complete the following:

  1. Ensure that you have successfully set up the IdPs of your choice. For information, see Prerequisites for Configuring Access Authentication.
  2. From the Infoblox Portal, click Configure > Administration > Access Authentication, and then click the Authentication Profiles tab.
  3. On the Authentication Profiles tab, click Add Configuration and choose one of the following authentication protocols:
    • LDAP: LDAP allows the use of Microsoft Windows Active Directory (MS AD) to verify the identity of users and user groups. One or more Active Directory servers can be used to implement security policies within an organization. When you choose this option, ensure that you enable the MS AD Sync service, so you can synchronize user groups accordingly. For information on how to enable services, see Enabling and Disabling Services on Servers.
    • SAML: SAML authentication uses the SAML 2.0 protocol to authenticate users. This is an open standard that allows IdPs to pass authorization credentials to service providers.
    • OpenID Connect: OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol that allows clients to verify user identity based on the authentication performed by an authorization server. This protocol allows you to perform SSO (single sign-on) and introduces the ID token, which allows the client to verify the identity of the user and obtain basic profile information about the user.

When you choose LDAP, complete the following in the Create Authentication Profile dialog, and then click Save or Save & Close to save your configuration.

  • Name: Enter a name for the authentication profile. This is a required field. 
  • Description: Enter a description for the authentication profile.
  • State: Use the toggle switch to enable or disable the authentication profile. Only an enabled profile is available for on-prem association and user group synchronization, and only one profile can be enabled at any given time.
  • LDAP Server Details:
    • FQDN/IP: Enter the fully qualified domain name or IP address of the Active Directory server.
    • LDAP Port: Choose an LDAP port to be used for connection with the Active Directory server. 389 is the default LDAP port for directory, replication, user authentication, and group policies.
    • Distinguishing Name: Choose the base entry in the repository that uniquely identifies and describes the starting point in the AD or LDAP server.

When you choose SAML, complete the following in the Create Authentication Profile dialog, and then click Save or Save & Close to save your configuration.

  • Name: Enter a name for the authentication profile.
  • Description: Enter a description of the authentication profile.
  • State: Use the toggle switch to enable or disable the authentication profile. Only an enabled profile is available for on-prem association and user group synchronization, and only one profile can be enabled at any given time.
  • Select 3rd party IDP support: Choose one of the following. Depending on which IdP you choose, you must obtain all the required information for the following configuration. 
    • Azure AD: Choose this to use the Microsoft Azure Active Directory as the IdP.
    • Okta: Choose this to use Okta as the IdP.
    • Open AM: Choose this to use the open-source OpenAM as the IdP.
  • In the SERVICE PROVIDER DETAILS section, complete the following:
    • Entity ID: This field displays the Entity ID you need for setting up the connection with the third-party IdP. The default is http://captiveportal.infoblox.internal/
    • Assertion Consumer Service URL: This field displays the Assertion Consumer Service URL you need for setting up the connection with the third-party IdP. The default is https://captiveportal.infoblox.internal/saml/login
    • Metadata File: Click Download to download the metadata file that contains information required to set up your IdP. If you download the metadata file, you can use the file for your IdP setup instead of copying the Entity ID and Assertion Consumer Service URL.
  • In the IDENTITY PROVIDER DETAILS section, complete the following:
    • Issuer: Enter the issuer URI from your selected IdP issuer. You can find this information when you configure the SAML application for the selected third-party IdP.
    • SSO URL: Enter the single-sign-on URL from your selected IdP. You can find this information when you configure the SAML application for the selected third-party IdP.
    • Signing Certificate: Click Select file to navigate to the signature certificate you downloaded from your selected IdP.
    • Metadata URL: Select the Use Metadata URL check box and then enter the metadata URL from your IdP. Typically, SAML metadata is an XML document that contains the information necessary for interacting with SAML-enabled identity or service providers. The document includes the IdP information such as the issuer, SSO URL, and signing certificate. When you select this check box, you do not need to enter information for the Issuer, SSO URL, and Signing Certificate individually.

When you choose OpenID Connect, complete the following in the Create Authentication Profile dialog, and then click Save or Save & Close to save your configuration.

  • Name: Enter the name for the authentication profile.
  • Description: Enter a description of the authentication profile.
  • State: Use the toggle switch to enable or disable the authentication profile. Only an enabled profile is available for on-prem association and user group synchronization, and only one profile can be enabled at any given time.
  • Select 3rd party IDP support: Choose one of the following:
    • Azure: Choose this to use the Microsoft Azure Active Directory as the IdP.
    • Okta: Choose this to use Okta as the 3rd party IdP.
    • Open AM: Choose this to use the open-source OpenAM as the 3rd party IdP.
  • In the CLIENT DETAILS section, complete the following:
    • Login Redirect URI: Displays the URL for the login redirect URI. Click Copy to copy the value and paste it into your IdP application.
    • Client ID: The user ID or username used to access the client that is connected to the authentication server.
    • Client Secret: The user password or secret used to access the client that is connected to the authentication server.
  • In the IDENTITY PROVIDER DETAILS section, complete the following:
    • Issuer: Enter the URI that you use to access your IdP issuer. Example: https://sp.okta.local/adfs/services/trust.

For more information about access authentication, see the following: