SAML Integration Guide


Akamai SSO with SAML integration guide


Single Sign-On with SAML Integration Guide

Overview
    Single Sign-On with SAML
    Luna Control Center and SAML
    Luna Control Center as a Service Provider
Provisioning SSO with Luna Control Center
    Initial Setup
    Provision SSO with Luna Control Center
    STEP ONE
    Entity IDs
    Service Provider Endpoints
    Status Messages
    STEP TWO
    STEP THREE
    Working with the Configuration
    Downloading Configuration Data
    Activating Configurations
    Deactivating Configurations
    Troubleshooting
    Testing
Frequently Asked Questions

Overview

SAML (Security Assertion Markup Language) is an XML-based framework for exchanging user authentication and authorization information between security domains. A user attempts to access a resource within a secure domain. The security domains are the identity provider (IDP), which makes assertions about the user, and the service provider (SP), which consumes those assertions. The SAML standard is extensible, flexible, and platform-independent, and it provides a way to securely exchange information between business entities. For more information about SAML, see the following:

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
http://www.oasis-open.org/committees/security/faq.php

Single Sign-On with SAML

Implementing a single sign-on (SSO) infrastructure enables users to sign in once and have access to all authorized resources. There are many benefits:

• Increased adoption - SSO makes it easier to access applications and reduces the barriers to using resources.
• Uniform security layer - SAML is platform agnostic, allowing enterprise architects to implement a uniform security layer between existing assets.
• Improved productivity - Centralized password management saves time and makes users more productive.
• Reduced frustration - By establishing one password for all of their resources, SSO greatly reduces the user frustration associated with maintaining and remembering multiple passwords and eliminates the need for multiple login events.

Luna Control Center and SAML

Luna Control Center supports SAML 2.0 integration for fully federated control of users, single sign-on, and multifactor authentication. This solution, for customers using their own identity provider, validates the user's identity before allowing access to Luna Control Center.

Luna Control Center as a Service Provider

Luna Control Center can act as a SAML service provider for single sign-on. Customers can use their own SAML identity provider to authenticate users before they enter Luna Control Center.

Only SAML version 2.0 is supported in Luna. It is assumed that any customer IDP will be using SAML 2.0 for single sign-on. When customers enable an identity provider, all users are directed to that IDP for authentication, and single sign-on is enabled for all users.

To act as a service provider, Luna Control Center requires the attribute userid in the SAML assertion sent by the identity provider. Luna uses this attribute to assign a user profile to the client.

Provisioning SSO with Luna Control Center

Before creating an identity provider SSO configuration, you need to determine a hostname for the service provider endpoint. This hostname is provisioned by Luna Control Center.

Additionally, you will need to set up your own identity provider. There are various open source and proprietary packages available for providing federated identity solutions. Luna Control Center uses the SimpleSAMLphp package, available at http://simplesamlphp.org/.

Additional information required to configure your identity provider can be found in the metadata file, which is generated after completing the provisioning in Luna (see the figure, ahead, captioned Sample Metadata File).

Initial Setup

Configuring your identity provider requires the following information:

• Entity ID or issuer name (a URL or name that uniquely identifies your identity provider)
• Authentication/public key certificate
• SAML single sign-on URL
• SAML logout URL (if you have one and want to use it)
• Email address where new Luna certificates and metadata, system alerts, and other communications from Luna Control Center should be sent
• Domain name used in the identity provider discovery mechanism, taking the form <hostname>.luna-sp.com

You also need the following information about Luna Control Center as a service provider. This information is contained in the SAML metadata file, which can be downloaded from the link provided in Luna once the identity provider configuration is saved:

• Entity ID (luna-sp.com)
• x509c Certificate key
• SAML ACS URL (https://<hostname>.luna-sp.com/sso/endpoint/postResponse)
• SAML SLO URL (https://<hostname>.luna-sp.com/sso/endpoint/logout)
• SAML attribute sent by IDP (must be userid, containing the user's Luna Control Center username/email address)

Provision SSO with Luna Control Center

STEP ONE

The Manage Single Sign-On with SAML application's main configuration panel can be reached from Luna Control Center as follows:

1. From the top-level menu, open the path Configure > Organization > Manage SSO with SAML. The application's main panel appears.

The main panel lists the identity provider configurations that have been created. It lets you edit, activate, and deactivate/reactivate configurations by selecting them in the list, clicking the gear icon in the same row, and then choosing the appropriate action from the menu. It also lets you delete inactive configurations by selecting them and choosing Delete from their gear menu. (Note that this action removes the inactive configuration from the main panel's list.)

The main panel displays the entity ID, the service provider endpoint, and the status for each configuration. A filter is provided for your convenience in dealing with long lists of configurations.

Entity IDs

This column shows the Entity ID for each configuration. This is the entity ID or issuer name that uniquely identifies your identity provider.

Service Provider Endpoints

This column shows the hostname through which the single sign-on URLs are available. It is assigned by Luna Control Center at the time when you first sign up for service, and it is the hostname through which you are then able to access all of Luna's services.

You can set the first part of the hostname; the second part (.luna-sp.com) is pre-specified by Luna Control Center. Once it is provisioned, it cannot be edited or changed.

Status Messages

The Status column shows a range of information, such as whether the configuration is Active or Inactive, as well as more specific variations, such as Pending activation where the action is still pending completion. (Note that configuration processes can take up to 48 hours, depending on the work queue.) Status messages also include Failed and Failed verification. Failed means that an error occurred while trying to deploy the configuration. Failed verification means that the configuration could not be verified, typically because the certificate had already expired or because it had an expiration date that was too far into the future.

2. Click Create Identity Provider Configuration.

STEP TWO

Enter all of the information pertaining to your identity provider in the SSO provisioning application. The asterisks indicate required fields, where you must enter information in order to successfully create and save a configuration.

The strings in some fields, such as the local user attribute name (userid) and the last part of the service provider endpoint address (.luna-sp.com), are pre-specified by Luna Control Center.

1. Using the information about your identity provider (IDP), fill in the first three fields:
   • Service Provider Endpoint
   • Entity ID
   • Single Sign-On URL

2. The next field, Single Logout URL, is optional. If your SAML metadata includes this information and you wish to configure for a Single Logout, you may enter it here.

3. Enter an email address that should receive notifications from Luna Control Center.

4. Enter the x509c Certificate key.

5. The next field, Alternate x509c Certificate Key, is optional. If you have an alternate x509c Certificate key, you may enter it here. Having a second key can be convenient if your current key is nearing expiration and your IDP supports key rotation.

6. When the required information has been entered, click Save or click Save & Activate.

Click Save if you want to keep a draft of your configuration without activating it yet. In the Manage Single Sign-On with SAML application's main panel, Inactive then appears in the Status column of the new configuration. This means it has been saved but is not yet activated.

   • You may repeat all steps to this point to create as many additional inactive SSO configurations as desired. They'll all be listed and accessible from the main panel. (A filter is provided for convenience when dealing with long lists.)
   • When you want to activate one of your saved but inactive configurations, simply select Activate from its gear icon. This action results in a progression of status messages, which may take up to 48 hours, starting with "Pending activation", then "Pending activation (DNS)", and finally "Active."

Click Save & Activate if you want to immediately request activation of the new configuration. In the Manage Single Sign-On with SAML application's main panel, "Pending activation" then appears in the Status column of the new configuration, indicating that it has been saved and is awaiting activation.

   • This action results in a progression of status messages, starting with "Pending activation (DNS)" and ending with "Active."
   • You may repeat all steps to this point to create as many additional active configurations as desired.

STEP THREE

Once the configuration is complete and saved, a CNAME request is generated automatically to create a DNS entry for the <hostname>.luna-sp.com hostname. The actual CNAME creation process, which is not automated, can take 1 to 2 business days.

After you've saved a configuration, it displays "Inactive" in the Status column. This means the configuration has been saved but is not yet activated.

Lastly, you need to configure your Identity Provider, a two-step process.

1. Click the gear icon and select Download. This action downloads the Luna SAML metadata that you need to configure your IDP.

2. To activate the new configuration, click the gear icon and select Activate. This will result in a progression of status messages, starting with "Pending activation" and ending with "Active."

Sample Metadata File (figure). The metadata file that is generated has information about Luna Control Center as service provider and can be used to configure your identity provider. As shown in the figure, this metadata file has information about the entity ID, the Assertion Consumer Service (ACS) URL, and the X509 certificate.

Working with the Configuration

Various actions can be performed with respect to each created configuration in the main panel. Options include Download, Activate, and Deactivate. These actions are selected from drop-down menus that appear after clicking one of the gear icons.

Downloading Configuration Data

Choose the Download option to download Luna Control Center's SAML metadata for your configurations. You will need the data to set up your IDP, which must be done before any testing begins.

Activating Configurations

You can activate an inactive configuration by selecting the Activate option from the configuration's gear menu. A message then appears, asking you to confirm that you wish to activate the configuration. Click Yes.

Deactivating Configurations

The Manage SSO with SAML application lets you deactivate any of your active configurations by selecting Deactivate from its gear icon menu. A message then appears, asking you to confirm that you wish to deactivate the configuration, which causes all those who may be using this IDP configuration to lose access to Luna. Click Yes. A second message then confirms that the configuration has been disabled.

In the application's main panel, the Status for the configuration updates to "Pending deactivation." Hovering over the label displays this message: "The configuration is awaiting deactivation. These changes take effect within 24 hours."

Troubleshooting

If you see a Failed status message while provisioning the metadata, or experience any other issues during testing, file a support ticket through Luna Control Center.

Testing

Testing can begin only after:

• The Status for a configuration reads "Active."
• You have downloaded the Luna SAML metadata and have provisioned it on your Identity Provider.

For SP-initiated single sign-on, a URL of the following form can be used, where the host is your service provider endpoint and the IdP parameter is your identity provider's entity ID:

https://<service provider endpoint>/sso/genSSOCookie?IdP=<IDP entity ID>

Example:

https://customersso.luna-sp.com/sso/genSSOCookie?IdP=Customer_EntityID

An IDP-initiated single sign-on URL can also be used.

To test the setup, create two configurations: one for testing and another for the production environment. Once you are satisfied with the settings in the test configuration, you can deploy the production configuration.

Frequently Asked Questions

Q. How can I decide upon the hostname used for creating the Service Provider Endpoint?

A. The hostname used for creation of the Service Provider Endpoint needs to be unique across all the Luna SAML identity provider configurations. This hostname needs to be in a format accepted as a valid hostname by RFC 1123. Additionally, it is highly recommended to have a hostname of a form that can act as an identifier for your account.

For example, if the sample account is Example, Inc., you can use the hostname "examplesso". In this case, the service provider endpoint that will be provisioned would be examplesso.luna-sp.com.

Q. How is it communicated that a CNAME has been created? Can you provision before creating a CNAME?

A. Once a configuration is saved, the CNAME request is triggered automatically on Luna to create a DNS entry for the <hostname>.luna-sp.com hostname. When a configuration is activated, the status messages progress from "Pending activation" to "Pending activation (DNS)" to "Active." The "Pending activation (DNS)" status informs you that the CNAME has not been created yet.

Q. What do the various status messages in the Provisioning column imply?

A. Here are the various status messages and their meanings.

• Inactive. The configuration has been saved but is not yet active, or the configuration has been deactivated.
• Active. The configuration has been created on the server.
• Pending activation. The configuration is awaiting activation.
• Pending activation (DNS). The configuration is awaiting DNS record creation.
• Pending deactivation. The configuration has been disabled.
• Failed. An error occurred during activation or during deactivation.
• Failed Verification. An error occurred during certificate verification.

Q. What should be entered in the entity-id field in the configuration menu?

A. The entity ID of a SAML IDP (or SP) exists in the SAML metadata as the entityID attribute of the EntityDescriptor tag. It is also contained in the Issuer tag in the SAML response, for example:

http://sso.example.com/adfs/services/trust

If the value in the entity ID field is wrong, you will see a 400 response.

Q. Are there any specifications for the x509c Certificate key?

A. As of now the public key must be in the X.509 format, with a key length of 2048 bits recommended.

Q. Why do I see an option for a second x509c Certificate in the provisioning page?

A. This can be used to enter a second key when the first one is about to expire.

Q. What happens to direct login once SAML has been integrated? Will users be able to continue using their Luna credentials to access Luna Control Center? Is it possible to designate users as SAML only?

A. Users' Luna credentials will work for a direct login. You can choose to require SAML only, and can request Akamai to turn off direct login. Until this change is made, however, users will be able to access Luna both ways.

Q. I am seeing a 400 Bad Request response after getting authenticated by my identity provider. Why?

A. There are several possible reasons for this type of response:

• Your identity provider may be using an RSA SHA-256 signing algorithm. Luna Control Center doesn't currently support this algorithm. Ask your IDP to use an RSA SHA-1 signing algorithm instead.
• Your identity provider may be encrypting the payload or response. Luna doesn't support encryption. Luna expects digitally signed responses.
• The entity ID in your configuration may not match your identity provider's. The entity ID of a SAML IDP (or SP) exists in the SAML metadata as the entityID attribute of the EntityDescriptor tag. It is also contained in the Issuer tag in the SAML response, for example: http://sso.example.com/adfs/services/trust
• In extreme cases, the identity provider may be sending a different entity ID for Luna. The correct value is luna-sp.com. Look for an Audience tag in the SAML response. It should have the value luna-sp.com.

Q. I am getting a 403 response after being authenticated by my identity provider. Why?

A. This would happen if the user doesn't have a user profile on Luna Control Center. Check for the email ID in the SAML response's userid attribute. There should be a user profile with that email ID on Luna.

Q. What are the steps that need to be taken to select the SAML only option and to ensure that direct login is turned off?

A. Once you have decided to make the switch from a non-SAML-only to SAML-only login, you will have to communicate this requirement to your Luna account team, TPM, or SA/SE.
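The checks behind the 400 and 403 answers above, as an added example that is not Akamai's code: it parses a SAML Response and reports which of the guide's requirements it violates (signing algorithm, no encryption, Issuer equal to the configured entity ID, Audience equal to luna-sp.com, a userid attribute carrying the user's e-mail). The function name check_response, the sample response and the address in it are constructed for this example; the namespace and algorithm URIs are the standard SAML 2.0 and XML-DSig identifiers.

```python
# Added example (not Akamai's code): pre-flight check of a SAML Response against this guide's requirements.
import xml.etree.ElementTree as ET

NS = {  # standard SAML 2.0 and XML-DSig namespaces
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # the algorithm the guide says Luna supports
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # the one the guide says causes a 400
LUNA_AUDIENCE = "luna-sp.com"  # Luna's SP entity ID, per the guide

def check_response(xml_text, expected_issuer):
    """Return a list of problems; an empty list means the response meets the guide's requirements."""
    root = ET.fromstring(xml_text)
    problems = []
    # 400 cause: encrypted assertion (Luna expects signed, unencrypted assertions)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    # 400 cause: signing algorithm other than RSA SHA-1 (or no signature at all)
    algs = {e.get("Algorithm") for e in root.iter("{%s}SignatureMethod" % NS["ds"])}
    if not algs:
        problems.append("response is not signed")
    elif algs != {RSA_SHA1}:
        problems.append("unsupported signing algorithm: " + ", ".join(sorted(algs)))
    # 400 cause: Issuer differs from the entity ID entered in the Luna configuration
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append("Issuer %r != configured entity ID %r" % (issuer, expected_issuer))
    # 400 cause: Audience is not luna-sp.com
    audiences = [a.text.strip() for a in root.iter("{%s}Audience" % NS["saml"]) if a.text]
    if LUNA_AUDIENCE not in audiences:
        problems.append("Audience %r != %r" % (audiences, LUNA_AUDIENCE))
    # 403 cause: no userid attribute carrying the user's Luna e-mail address
    values = [v.text.strip() for a in root.iter("{%s}Attribute" % NS["saml"])
              if a.get("Name") == "userid" for v in a.findall("saml:AttributeValue", NS) if v.text]
    if not values or "@" not in values[0]:
        problems.append("userid attribute missing or not an e-mail address")
    return problems

# Constructed sample: ADFS-style issuer, correct audience and userid, but signed with RSA SHA-256
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>http://sso.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>luna-sp.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="userid">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % RSA_SHA256
```

The check only inspects the structure of the response; it does not verify the XML signature cryptographically, which the service provider itself does.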
