Identity Provider Details
  • 20 Apr 2022

You need to set up the CTERA Portal as a SAML application in the identity provider. The following sections outline the procedures for each of the providers certified by CTERA.

Configuring Okta to Work with CTERA Portal

You set up SAML single sign-on support in Okta using the SAML Service Provider application. You then gather the information you need to connect the CTERA Portal to Okta.

To get the SAML single sign-on information:

  1. Log in to Okta as the account administrator.

  2. Select Applications from the top menu and then click Add Application.

  3. Select SAML Service Provider from the list of applications.

  4. Change the Application label to the name you want to be displayed, for example CTERA, and click Next.

  5. In Sign-On Options, click Identity Provider metadata and download the certificate.
    You upload this certificate after converting it to a .pem format, when setting up SAML in the CTERA Portal.

  6. Set the Assertion Consumer Service URL and the Service Provider Entity Id.
    The Assertion Consumer Service URL is the URL where SAML responses are posted, as follows: https://fully_qualified_domain_name/ServicesPortal/saml.
    For example, https://myportal.example.com/ServicesPortal/saml.
    You use the Service Provider Entity Id in the CTERA Portal Entity ID/Issuer ID field when setting up SAML in the portal.

    Note
    For a global administrator to be automatically redirected, use https://fully_qualified_domain_name/admin/saml.

  7. Continue to set up the application, as described in Okta documentation.

  8. Select the application and click the General tab.

  9. Scroll down to the App Embed Link section. You use the EMBED LINK value in the CTERA Portal Sign-in page URL field when setting up SAML in the portal.

  10. By default, Okta has a sign-out page. You can specify your own sign-out page in Okta, under Settings > Customization, and use it as the Log-out page URL when setting up SAML in the portal.
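Step 5 asks for the Okta certificate in .pem format. The following PowerShell is an added example, not part of the CTERA documentation or the Okta product: it reads the downloaded Identity Provider metadata XML, takes the signing certificate out of it and writes it as a PEM file. The file names are assumptions.

```powershell
# Added example (not from the CTERA page): converts the X509Certificate element in the
# Okta IdP metadata into the .pem file the CTERA Portal expects. Paths are assumptions.
$metadataPath = ".\okta-metadata.xml"
$pemPath      = ".\okta-idp.pem"

[xml]$md = Get-Content -Path $metadataPath -Raw

# PowerShell's XML adapter ignores namespace prefixes (md:, ds:), so dotted access works.
# Prefer the KeyDescriptor marked use="signing"; a descriptor with no "use" attribute is
# valid SAML metadata as well and is accepted as a fallback.
$keys    = @($md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor)
$signing = $keys | Where-Object { $_.use -eq 'signing' -or -not $_.use } | Select-Object -First 1
if (-not $signing) { throw "No signing KeyDescriptor found in $metadataPath" }

# Metadata carries bare Base64 DER (possibly with line breaks); normalise to 64-column PEM.
$b64     = $signing.KeyInfo.X509Data.X509Certificate -replace '\s', ''
$wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
Set-Content -Path $pemPath -Value "-----BEGIN CERTIFICATE-----`n$wrapped`n-----END CERTIFICATE-----"

# Sanity check: parse the PEM back and show the thumbprint and expiry, so the file can be
# matched against what Okta displays and renewed before it lapses.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $pemPath).Path)
"{0}  expires {1:u}" -f $cert.Thumbprint, $cert.NotAfter
```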

Configuring OneLogin to Work with CTERA Portal

You set up SAML single sign-on support in OneLogin using a SAML application. You then gather the information you need to connect the CTERA Portal to OneLogin.

To get the SAML single sign-on information:

  1. Log in to OneLogin as the administrator.
  2. Select APPS > Company Apps from the top menu and click ADD APP.
  3. Select the relevant SAML service provider from the list of applications.
  4. Change the Display Name to the name you want to be displayed, for example CTERA, and click SAVE.
  5. Select the Configuration tab.
  6. Enter the required values.
    You use the SAML Audience value in the CTERA Portal Entity ID/Issuer ID field when setting up SAML in the portal.
    You use the SAML Single Logout URL value in the CTERA Portal Log-out page URL field when setting up SAML in the portal.
  7. Select the SSO tab.
    You use the SAML 2.0 Endpoint (HTTP) value in the CTERA Portal Sign-in page URL field when setting up SAML in the portal.
  8. Click View Details under the X.509 Certificate field and click DOWNLOAD to download the X.509 PEM certificate.
    You upload this certificate when setting up SAML in the CTERA Portal.

Configuring ADFS to Work with CTERA Portal

You set up SAML single sign-on support in ADFS and gather the information you need to connect the CTERA Portal to ADFS.

To get the SAML single sign-on information:

  1. Log in to the Windows Server ADFS machine as the administrator.
  2. Open AD FS Management.
    Note: The procedure and screens are based on AD FS running on Windows Server 2012. They might differ slightly on other versions of Windows Server.
  3. In the left pane navigation tree, select Trust Relationships and right-click Relying Party Trusts.
  4. Click Add Relying Party Trust.
  5. Click Start.
  6. Choose the Enter data about the relying party manually option and click Next.
  7. Enter a display name for the relying party, optionally add notes about the party, and click Next.
  8. Choose the AD FS Profile option and click Next.
  9. Optionally, if you want to encrypt claims sent to the relying party, browse to the CTERA Portal certificate and select it and click Open.
    The issuer, subject, effective date and expiry date information for the certificate is displayed.
  10. Click Next.
  11. Check Enable support for the SAML 2.0 WebSSO protocol and enter the CTERA Portal URL followed by /SAML, as in the following example: https://exampleportal.ctera.me/ServicesPortal/saml
    Note
    For a global administrator to be automatically redirected, use https://fully_qualified_domain_name/admin/saml.
  12. Click Next.
  13. Set the Relying party trust identifier and click Add. For example, ctera-adfs
    You use the Relying party trust identifier in the CTERA Portal Entity ID/Issuer ID field (step 4 of the procedure To configure SAML single sign-on) when setting up SAML in the portal.
  14. Set the Relying party trust identifier and click Add. For example, https://exampleportal.ctera.me/adfs/ls/IdpInitiatedSignOn.aspx
    You use the Relying party trust identifier in the CTERA Portal Entity ID/Issuer ID field when setting up SAML in the portal.
  15. Click Next.
  16. Leave the default to allow all users access, unless you want to restrict the users with access to the portal to users for whom you add issuance authorization rules, as described in the ADFS documentation.
  17. Click Next.
    A summary of the wizard steps is displayed in the tabs.
  18. Select the Signature tab and import the CTERA Portal Certificate.
  19. Click Next.
  20. Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close.
    The Edit Claim Rules dialog for the relying party is displayed.
  21. Click Add Rule.
  22. Select Send LDAP Attributes as Claims for the Claim rule template and click Next.
  23. Enter the following:
    Claim rule name – A name for the rule.
    Attribute store – Select the store from the list, for example, Active Directory.
    LDAP Attribute – Use User-Principal-Name.
    Outgoing Claim Type – Select Name ID.
  24. Click Finish.
  25. Click OK.
  26. In the left pane navigation tree, select Service > Certificates, right-click the certificate under Token-signing and click View Certificate.
  27. Select the Details tab and click Copy to File.
  28. Click Next in the Certificate Export wizard and select the Base-64 encoded X.509 option.
  29. Click Next and enter a file name.
  30. Click Next and then Finish.

You upload this certificate when setting up SAML in the CTERA Portal.

Encrypting the SAML Response

When using ADFS for SAML to sign in to the portal, the SAML response can be encrypted, as follows:

  1. Add the portal certificate to the relying party in ADFS.
  2. Using SSH, log in as root to your CTERA Portal server.
  3. Run the following command in the ADFS PowerShell: Set-AdfsRelyingPartyTrust -TargetName "<relying party name>" -EncryptClaims $True
    For example, Set-AdfsRelyingPartyTrust -TargetName "CTERA Portal" -EncryptClaims $True

To turn the encryption off, run the same command with -EncryptClaims $False.
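The following PowerShell is an added example, not part of the CTERA documentation: it scripts the ADFS pieces above with the AD FS module, so the configuration is repeatable and can be reviewed in source control. It covers the claim rule from step 23, the encryption setting from this section, and the Base-64 export of the token-signing certificate from steps 26 to 30. The relying party display name and file paths are assumptions.

```powershell
# Added example (not from the CTERA page). Assumes the relying party trust was created with
# display name "CTERA Portal" and that C:\temp holds the portal certificate.
Import-Module ADFS
$rpName = "CTERA Portal"

# Step 23: the rule the "Send LDAP Attributes as Claims" template generates for
# LDAP attribute User-Principal-Name -> outgoing claim type Name ID.
$rule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rule

# Encrypting the SAML Response, step 1: set the portal certificate as the encryption
# certificate on the trust. Without it, EncryptClaims has no key to encrypt to.
$portalCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\temp\portal.cer")
Set-AdfsRelyingPartyTrust -TargetName $rpName -EncryptionCertificate $portalCert

# Step 3: enable encryption, then read the trust back to confirm both settings took effect.
Set-AdfsRelyingPartyTrust -TargetName $rpName -EncryptClaims $true
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp.EncryptClaims -or -not $rp.EncryptionCertificate) {
    throw "Encryption is not fully configured on '$rpName'"
}
"Encryption certificate thumbprint: {0}" -f $rp.EncryptionCertificate.Thumbprint

# Steps 26-30: export the primary token-signing certificate as Base-64 X.509 (PEM) for
# upload to the CTERA Portal. Only the public certificate is exported, never the key.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = [Convert]::ToBase64String($der)
$wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`n"
Set-Content -Path "C:\temp\adfs-token-signing.cer" -Value "-----BEGIN CERTIFICATE-----`n$wrapped`n-----END CERTIFICATE-----"
```

The ADFS token-signing certificate rolls over automatically when AutoCertificateRollover is on, so re-run the export and re-upload to the portal whenever a new primary certificate appears.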

Configuring Azure Active Directory to Work with CTERA Portal

You set up SAML single sign-on support in Azure and gather the information you need to connect the CTERA Portal to Azure Active Directory.

To get the SAML single sign-on information:

  1. Log in to Azure as the administrator.
    The home blade is displayed.
  2. Access the Azure Active Directory service.
    The Overview blade is displayed.
  3. Scroll down and under Create click Enterprise application.
    The Add an application blade is displayed.
  4. Click Non-gallery application.
    The Add your own application blade is displayed.
  5. Enter the DNS name for the portal in the Name box and click Add.
  6. In the home blade, click Enterprise applications and then select the portal.
  7. In the navigation pane, click Single sign-on.
    The SAML-based Sign-on blade is displayed.
  8. Click the pen icon to edit the Basic SAML Configuration.
    The Basic SAML Configuration blade is displayed.
  9. Copy the App Federation Metadata Url from the third part of the SAML-based Sign-on blade to the Identifier (Entity ID) box in the Basic SAML Configuration blade.
  10. Enter the URL to access the portal login in the Reply URL (Assertion Consumer Service URL) box: http://<portal>.<DNS_Suffix>/admin/saml where <portal> is the name of the portal, and <DNS_Suffix> is the DNS suffix for the CTERA Portal installation.
  11. Click Download for the Certificate (Base64).

Configuring Swivel AuthControl Sentry to Work with CTERA Portal

Before you start, get a CTERA logo image from CTERA to identify the CTERA Portal SSO application.

You set up SAML single sign-on support in Swivel AuthControl Sentry using a SAML application. You then gather the information you need to connect the CTERA Portal to Swivel AuthControl Sentry.

To get the SAML single sign-on information:

  1. Log in to Swivel AuthControl Sentry as the account administrator.
  2. Select Keys from the navigation menu.
    The Keys screen is displayed.
  3. Click Download next to the Cert type.
  4. Save the certificate as you will need to upload it to CTERA Portal when defining SAML SSO in the portal.
  5. Select Application Images from the navigation menu.
  6. Click Upload New Image.
  7. Upload the CTERA logo image that you received from CTERA.
  8. Select Applications from the navigation menu and then click Add Application.
    The Application Types screen is displayed.
  9. Select SAML - other.
  10. In the SAML Application screen, enter the following:
    Name – A name to identify the application. CTERA recommends a name such as CTERA.
    Image – A graphic to identify the application. CTERA recommends using the CTERA logo that you uploaded.
    Points – The score the user needs from the authentication method in order to successfully authenticate to this application. The default is zero. If you set a value, you have to specify which authentication methods will be applied. For details, refer to Swivel AuthControl Sentry documentation.
    Portal URL – The URL to access the portal: http://<portal_name>.<DNS_Suffix>/ServicesPortal/samlSso where <portal_name> is the name of the portal, and <DNS_Suffix> is the DNS suffix for the CTERA Portal installation.
    Endpoint URL – Leave this field empty.
    Entity ID – Free text string that uniquely identifies your SAML identity provider. This must match the Entity ID/Issuer ID value you use when setting up SAML in the portal, described in Defining SAML Single Sign-on in a CTERA Portal. The format is similar to the following example: https://172.23.9.35:8443/sentry/saml20endpoint
    Federated Id – The field used to identify the user attempting to log on to the portal. Enter email.
    Idp-Initiated SSO – Choose the SP-initiated option.
  11. Click Save.

To verify that SSO has been set up in Swivel AuthControl Sentry:

  • As an administrator, access the AuthControl Sentry start page.
    The CTERA application should be displayed.