IBM Aspera on Cloud SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Arculix by SecureAuth offers a simple method for adding single sign-on (SSO) MFA to IBM Aspera on Cloud through its SAML solution.

Prerequisites

Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative privileges for IBM Aspera on Cloud.

IBM Aspera on Cloud configuration

In this section, you'll configure IBM Aspera on Cloud as a service provider (SP).

Download the SAML metadata and certificate for your organization from Arculix.
Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert
Log in to your IBM Aspera on Cloud instance, click the settings icon in the top right corner, and click Admin.
In the left menu, go to Authentication > SAML and click Create new.

On the Create a new SAML configuration page, set the following configurations:

Name	Enter a name for this SAML configuration.
SSO target URL	Enter the Arculix single sign-on URL for your organization. For example, `https://sso.acceptto.com/<myorganization>/saml/auth`
SAML login button label	Enter the button text to display on the login page for your end users.
Security	Choose Certificate and paste the Arculix certificate metadata downloaded in Step 1.

Scroll down to the Attribute mapping section and set the following configurations, then click on Create.
Email
Enter the Email attribute.
First name
Enter the First name attribute.
Last name
Enter the Last name attribute.
Member of
Enter the Member of attribute.
Note
For details on login restrictions, see Configuring SAML: Overview on the IBM website.
Copy the IBM Aspera on Cloud metadata for the Arculix configuration, then click Save.
After you create the SAML instance, you can configure workspaces and shared inboxes for your SAML users in these steps.
1. Select the Workspace memberships tab and click Add workspace memberships.
2. Select the Role for SAML users in this workspace, andclick Add.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for IBM Aspera on Cloud and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.

In the New Application form, on the General tab, set the following configurations:

Name	Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs. For example, IBM Aspera on Cloud.
Type	Set to SAML Service Provider.
Out of Band Methods	Select the allowed methods end users can choose to approve MFA requests. For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests	Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

Select the SAML Service Provider Configuration tab, and set the following configurations:

Issuer or Entity ID	Paste the Entity ID URL found in the downloaded IBM Aspera on Cloud SAML metadata. For example, `https://api.ibmaspera.com/api/v1/oauth2/<identifier>/saml/414/metadata`
Log in URL	Enter the login URL for your IBM Aspera on Cloud instance. For example, `https://<identifier>.ibmaspera.com/`
NameID Format	Set to Unspecified.
Name Identifier	Set to Email.
Algorithm	Set to RSA-SHA256.

Scroll down and click Add New Attribute Assertion, and create new attributes with the following values:
Friendly Name
Name
Value
Name Format
First name
First name
givenName
unspecified
Email
Email
mail
unspecified
Last name
Last name
sn
unspecified
Member of
Member of
memberOf
unspecified
Save your changes.

Friendly Name	Name	Value	Name Format
First name	First name	givenName	unspecified
Email	Email	mail	unspecified
Last name	Last name	sn	unspecified
Member of	Member of	memberOf	unspecified

Test your application integration

Go to your IBM Aspera on Cloud URL and select Arculix.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the IBM Aspera on Cloud application.
You are redirected to the IBM Aspera on Cloud home page.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

In this section:

Email	Enter the Email attribute.
First name	Enter the First name attribute.
Last name	Enter the Last name attribute.
Member of	Enter the Member of attribute.