Introduction

Use this guide to configure Juniper IVE as an Identity Provider (IdP) that authenticates users and issues a SAML assertion to SecureAuth IdP, which acts as the Service Provider (SP). Once the SAML authentication has completed, SecureAuth IdP can run any of its Post Authentication events.

Prerequisites

1. Have Juniper IVE version 7.4R2 or above

2. Create a New Realm or access an existing realm for the Juniper IVE SAML assertion integration in the SecureAuth IdP Web Admin

3. Configure the following tabs in the Web Admin before configuring the Workflow tab:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Registration Methods – the 2-Factor Authentication methods that will be used to access this page (if any) must be defined

Post Authentication configuration options can be found here

Juniper IVE Configuration Steps
SAML Settings


1. Log into the Juniper IVE admin console, and select Configuration under System, and click SAML

2. Click Settings


3. Set the Host FQDN for SAML to the Fully Qualified Domain Name (FQDN) of the Juniper IVE server, e.g. ive.company.com

4. Click Save Changes

Sign-in SAML
Metadata Provider


5. In the admin console, select Signing-in under Authentication, and click Sign-in SAML

6. Select the Metadata Provider menu option

7. Set the Entity ID to the FQDN of the Juniper IVE server, followed by /dana-na/auth/saml-endpoint.cgi, e.g. https://ive.company.com/dana-na/auth/saml-endpoint.cgi

8. Set the Metadata Validity to a number between 1 and 9999 days

9. Click Save Metadata Provider

Identity Provider


10. Select the Identity Provider menu option from the Sign-in SAML section

11. Select Post from the Protocol Binding to use for SAML Response options

12. Select the SSL Signing Certificate that will be used in the assertion from the Signing Certificate dropdown

13. Select Reuse Existing NC (Pulse) Session from the Other Configurations options

14. Select the Sign-in Policy to be used for the Identity Provider

15. Select DN from the Subject Name Format dropdown

16. Set the Subject Name to <USERNAME>

17. Click Save Changes

18. Click Add SP

New Peer Service Provider


19. Select Manual from the Configuration Mode options

20. Provide a Name for the Entity ID, e.g. SecureAuthIdP

21. Set the Assertion Consumer Service URL to the FQDN of the SecureAuth IdP appliance, followed by the SecureAuth IdP realm to which the SAML assertion will be sent, e.g. https://secureauth.company.com/secureauth2/

22. Select Post for both the Protocol Binding supported by the Assertion Consumer Service at the SP option and the Default Binding option

23. The SSL Signing Certificate selected in step 12 will appear in the Signature Verification Certificate section

24. Click Save Changes

Web Bookmarks


25. In the admin console, select User Roles under Users, and click Web

26. Select the Bookmarks menu option

27. Click New Bookmark...


28. Provide a Name and Description for the new bookmark

29. Set the URL to the FQDN of the SecureAuth IdP appliance, followed by the SecureAuth IdP realm to which the SAML assertion will be sent, e.g. https://secureauth.company.com/secureauth2/

30. Select Open the bookmark in a new window

31. Click Save Changes

SSO
SAML


32. In the admin console, select Resource Policies under Users, and click SSO

33. Select the SAML menu option

34. Click New Policy...


35. Provide a Name and Description for the new policy

36. In the Resources field, provide the FQDN of the SecureAuth IdP appliance, followed by the SecureAuth IdP realm to which the SAML assertion will be sent, e.g. https://secureauth.company.com/secureauth2/

37. Apply the policy to the appropriate Roles

38. Select Use the SAML SSO defined below from the Action options

39. Select 2.0 from the SAML Version options

40. Select the Entity ID set in step 20 (e.g. SecureAuthIdP) from the Service Provider Entity ID dropdown

41. Set the Cookie Domain(s) to the domain names for the SSO cookies

42. Check Rewrite Response from SP

43. Click Save Changes

SAML External Apps


44. Select the SAML External Apps menu option from the SSO section

45. Click New Policy...


46. Provide a Name and Description for the new policy

47. In the Resources field, provide the FQDN of the SecureAuth IdP appliance, followed by the SecureAuth IdP realm to which the SAML assertion will be sent, e.g. https://secureauth.company.com/secureauth2/

48. Select Policy applies to SELECTED roles from the Roles options

49. Select the Roles to which this policy applies, and click Add

50. Select Use the SAML SP defined below from the Actions options

51. Select the Entity ID set in step 20 (e.g. SecureAuthIdP) from the Service Provider Entity ID dropdown

52. Click Save Changes

SecureAuth IdP Configuration Steps
Workflow


1. In the Workflow section, select Public Mode Only from the Public/Private Mode dropdown

2. Select False from the Show UserID Textbox dropdown

3. Select UserName Only from the Authentication Mode dropdown

4. Select False from the Validate Persistent Token dropdown

Custom Front End


5. Select Token from the Receive Token dropdown

6. Select True from the Require Begin Site dropdown

7. Select Custom from the Begin Site dropdown

8. Set the Begin Site URL to SAML20IdPInitACS.aspx

9. Select Name from the Token Data Type (Receive) dropdown

10. Select User ID from the Token Data Type (Send) dropdown

SAML 2.0 Service Provider


11. Copy the contents of the SSL Signing Certificate used in the Juniper IVE configuration, and paste it into the ACS / SAML Request Certificate field

Click Save once the configuration is complete, and before leaving the Workflow page, to avoid losing changes
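When troubleshooting this integration it helps to look at the SAMLResponse that Juniper IVE POSTs to the realm and confirm that its fields match what the steps above configured. The following stdlib-only Python script is an added example, not SecureAuth or Juniper code: it builds a constructed, unsigned sample of the POST-binding Response and checks that the Issuer equals the Juniper IVE Entity ID from step 7, that Destination and Recipient equal the Assertion Consumer Service URL from step 21, that the Audience equals the SP Entity ID from step 20, and that the validity window has not lapsed. The hostnames are the guide's examples; the `jdoe` subject and the X509SubjectName NameID format are assumed sample values. It does not verify the XML signature, which SecureAuth IdP checks against the certificate pasted in step 11, so it is a field check, not a replacement for signature validation.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values the guide configures (example hostnames from the guide).
EXPECTED = {
    "issuer": "https://ive.company.com/dana-na/auth/saml-endpoint.cgi",  # step 7
    "acs_url": "https://secureauth.company.com/secureauth2/",             # step 21
    "audience": "SecureAuthIdP",                                           # step 20
}
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00 on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_sample_response(name_id, now, lifetime=timedelta(minutes=5),
                          issuer=EXPECTED["issuer"], acs_url=EXPECTED["acs_url"],
                          audience=EXPECTED["audience"]):
    """Constructed, UNSIGNED sample of the POST-binding Response; returns base64 as a browser would POST it."""
    not_before, not_after = _ts(now - timedelta(minutes=1)), _ts(now + lifetime)
    xml = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="{_ts(now)}" Destination="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs_url}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_response(b64_response, expected=EXPECTED, now=None):
    """Check a base64 SAMLResponse against the configured values; returns ok/errors/name_id/name_id_format."""
    now = now or datetime.now(timezone.utc)
    errors = []
    result = {"ok": False, "errors": errors, "name_id": None, "name_id_format": None}
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{SAMLP}}}Response":
        errors.append("root element is not samlp:Response")
        return result
    if root.get("Destination") != expected["acs_url"]:
        errors.append(f"Destination {root.get('Destination')!r} != ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no plaintext saml:Assertion (EncryptedAssertion not handled here)")
        return result
    if (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip() != expected["issuer"]:
        errors.append("assertion Issuer != Juniper IVE Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        errors.append("Subject has no NameID")
    else:
        result["name_id"], result["name_id_format"] = name_id.text.strip(), name_id.get("Format")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        errors.append("SubjectConfirmationData Recipient != ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _parse_ts(scd.get("NotOnOrAfter")):
        errors.append("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_ts(nb):
            errors.append("assertion not yet valid (NotBefore)")
        if na and now >= _parse_ts(na):
            errors.append("assertion expired (NotOnOrAfter)")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected["audience"]:
            errors.append("Audience != SP Entity ID")
    result["ok"] = not errors
    return result


def demo():
    """Three constructed cases: a good response, a stale one, and one issued for a different SP."""
    return {
        "good": check_response(build_sample_response("jdoe", FIXED_NOW), now=FIXED_NOW),
        "stale": check_response(build_sample_response("jdoe", FIXED_NOW - timedelta(hours=1)), now=FIXED_NOW),
        "wrong_sp": check_response(build_sample_response("jdoe", FIXED_NOW, audience="OtherSP"), now=FIXED_NOW),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, "OK" if res["ok"] else res["errors"])
```

To use it on a real login, paste the base64 SAMLResponse value captured from the browser POST to the realm URL into `check_response` with the `EXPECTED` values changed to the Entity ID, ACS URL and SP Entity ID you configured; a mismatch on Destination or Recipient usually points at a trailing-slash or hostname difference between step 21 and the Resources fields in steps 36 and 47.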