
Leostream SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. A user is authenticated through more than one required security and validation step, each relying on something only that user knows or has access to.

Security Assertion Markup Language (SAML) is an XML-based protocol for authenticating users to web applications. SAML lets federated applications and organizations exchange signed authentication assertions and trust one another's users.

Leostream develops a vendor-neutral connection broker, which is software that maps end users to computing resources, such as desktops, that are hosted in a data center. A connection broker integrates end-user access points, including thin clients, laptops and Web browsers, with back-end systems hosting desktops and applications. It also integrates all other data center systems required for a virtual desktop infrastructure, including security, authentication, and load balancing systems.

Arculix by SecureAuth, as a SAML provider, improves the user login experience for Leostream users with convenient MFA. This manual illustrates how to configure Leostream with Arculix’s single sign-on (SSO) solution.

Prerequisites

  • Arculix account with a configured Identity Provider and LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for Arculix.

  • User account with administrative privileges for Leostream.

  • An organization identifier provided by Arculix (organization slug).

  • Leostream 9 or higher. SAML logins are currently supported only for users logging in through the Leostream Web client. Leostream Connect, thin client, and zero client logins do not support SAML-based authentication.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Leostream and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Leostream.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID

    Enter the Issuer/Entity ID of your Leostream instance. You will enter exactly the same value later in the Leostream SAML EntityID field; the two must match, because the Connection Broker only accepts assertions addressed to its own Entity ID.

    For example, LeostreamBroker.

    Log in URL

    Enter the URL used by users to log in to your Leostream.

    For example, https://Leostream_FQDN/saml.

    NameID Format

    Set to Unspecified.

    Name Identifier

    Set to userPrincipalName.

    ACS URL

    Enter the URL on the service provider where the identity provider will redirect to with its authentication response.

    For example, https://Leostream_FQDN/saml.

  5. Click the Add New Attribute Assertion button and create the following attributes. Name is the attribute name Leostream receives in the assertion; Value is the directory attribute Arculix reads from the LDAP Agent:

    Friendly Name   Name        Value               Name Format
    Email           email       userPrincipalName   urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    Login           login       sAMAccountName      urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    memberOf        memberOf    memberOf            urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    Last Name       lastname    sn                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    First Name      firstname   cn                  urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

  6. Save your changes.

  7. Download your SAML IdP X509 certificate. Go to https://sso.arculix.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  8. Download your SAML metadata file. Go to https://sso.arculix.com/[organization identifier]/saml/download/metadata to download your metadata file.

Leostream configuration

After creating your application in Arculix, register it with Leostream by creating a SAML authentication server in your Connection Broker.

  1. Go to Setup > Authentication Servers.

  2. Click Add Authentication Server.

  3. Select SAML from the Type drop-down menu.

    Note

    You can add a single SAML IdP to your Connection Broker. Therefore, you will not see the SAML option in the Type drop-down menu if you have already defined a SAML IdP.

    If you do not see the SAML option in the Type drop-down menu and your Authentication Servers page does not already list a SAML IdP, contact sales@leostream.com to enable SAML IdP integration in your Leostream environment.

  4. Enter a descriptive name in the Authentication Server Name field.

  5. In the SAML EntityID edit field, enter the unique Entity ID you specified when creating the application in Arculix.

  6. In the Connection Settings section, set the following:

    Identity Provider login URL

    Enter the SingleSignOnService URL from the Arculix metadata.

    Enable user logins without SAML

    Optional. By default, after you create a SAML-based authentication server, the Connection Broker redirects all users to the Arculix login URL when they visit the Connection Broker login page. Select the check box only if users must be able to bypass the SAML-based authentication server. A bypassed login never passes through Arculix MFA, so leave the check box cleared unless you need a deliberate break-glass path.

    Identity Provider XML Metadata

    Enter the content of the metadata XML file you downloaded earlier from Arculix. The metadata includes the Arculix signing certificate, which is what lets the Connection Broker verify that SAML responses really come from Arculix; if Arculix's certificate is rotated, download and enter the metadata again.

  7. Click Save.

  8. Go to Configuration > Assignments and click Edit next to your Arculix Authentication Server.

  9. In the Assigning User Role and Policy section, set the following:

    Attribute

    Enter memberOf.

    Conditional

    Select Contains.

  10. Add groups by Group name. Matching against the memberOf values in the assertion is case sensitive, so the name must match the directory group name exactly.

  11. Add the application pools and assign groups to them.
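To make the attribute mapping from the Arculix application (step 5 of the IdP configuration) and the memberOf assignment rule above concrete, here is an added example that is not Leostream's or Arculix's code: it processes a constructed SAML Response (the user, directory DNs, timestamps and Destination are invented, and the XML signature elements are omitted) the way a service provider would after the Arculix redirect, checking status, validity window and audience before reading the NameID and the email, login, memberOf, lastname and firstname attributes, and then applies "memberOf Contains <group>" rules case-sensitively. The rule tuple shape and first-match evaluation are assumptions for this example; Leostream's own evaluation order is not described on this page. Signature verification is deliberately left out because the broker performs it against the metadata certificate; any real consumer must verify the signature before trusting a single attribute.

```python
"""Consume a SAML Response the way the service provider does after the Arculix
login: check status, validity window and audience, read the NameID and the
attributes configured in Arculix, then apply memberOf assignment rules."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)  # inside the sample's validity window

# Constructed sample response (NOT captured from Arculix). Signature elements are
# omitted; a real consumer verifies the signature with the metadata certificate
# before trusting anything below. User, DNs and timestamps are invented.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://leostream.example.com/saml">
  <saml:Issuer>https://sso.arculix.com/example-org/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sso.arculix.com/example-org/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>LeostreamBroker</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>CN=VDI Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
        <saml:AttributeValue>CN=Domain Users,CN=Users,DC=example,DC=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T00:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_response(xml_text: str, expected_audience: str, now: datetime = SAMPLE_NOW) -> dict:
    """Return the NameID and a {name: [values]} attribute map, or raise on a bad assertion."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < _ts(not_before)) or not not_on_or_after or now >= _ts(not_on_or_after):
        raise ValueError("assertion outside its validity window (stale or replayed)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to {expected_audience}")
    attrs: dict = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Assumed shape for the assignment rules: (attribute, conditional, value, role, pool).
# First match wins in this example; the role and pool names are invented.
ASSIGNMENT_RULES = [
    ("memberOf", "Contains", "VDI Admins", "Administrator", "Admin Desktops"),
    ("memberOf", "Contains", "VDI Users", "User", "Windows Desktops"),
]


def rule_matches(values: list, conditional: str, wanted: str) -> bool:
    """Contains = case-sensitive substring of any value; Equals = exact value."""
    if conditional == "Contains":
        return any(wanted in v for v in values)
    if conditional == "Equals":
        return wanted in values
    raise ValueError(f"unsupported conditional {conditional!r}")


def assign(user: dict, rules=ASSIGNMENT_RULES):
    """First matching rule decides role and pool; no match means no access."""
    for attribute, conditional, wanted, role, pool in rules:
        if rule_matches(user["attributes"].get(attribute, []), conditional, wanted):
            return {"role": role, "pool": pool}
    return None


if __name__ == "__main__":
    user = parse_response(SAMPLE_RESPONSE, expected_audience="LeostreamBroker")
    print(user["name_id"], "->", assign(user))
```

Two points the sample makes visible: memberOf arrives as full distinguished names, which is why a Contains rule on the bare group name works, and a rule written as "vdi users" matches nothing because the comparison is case sensitive; a user whose groups match no rule gets no role or pool at all.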

Test your application integration

  1. Go to your Leostream URL.

  2. You will be redirected to the Arculix SSO page.

  3. After successful authentication, select your preferred MFA method to approve access to the Leostream application.

  4. Approve the authentication request on your Arculix Mobile app.

  5. Finally, you will be redirected to your resource page.


Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.