Configure SAML Authentication For WPA2-Enterprise With Shibboleth

Configure SAML Authentication For WPA2-Enterprise With Shibboleth

SecureW2 specializes in providing efficient certificate authentication solutions that are easily configurable and boast a positive user experience. By integrating our certified solutions with Shibboleth, your organization is provided excellent visibility context and ironclad security.

Once users complete the streamlined onboarding software, their device is equipped with a certificate that is tied to the device’s identity and user’s identity. When authenticating through SAML, approved network users are automatically authorized for network use without entering credentials.

Additionally, administration can configure many custom use, role, and enrollment policies that allow for segmentation of the network. In a university setting, most would want separate use policies for students and professors. SecureW2’s certificate solutions allows for significant customization and effortless distribution of those policies.

Below we’ve summarized the integration process into 3 high level steps:

  1. Create a SAML application in Shibboleth and share Metadata between the two
    • Exchange metadata to inform the IDP of approved network users and to imprint certificates with user identity.
  2. Configure the attributes Shibboleth sends to SecureW2
    • Define the fields that will determine different user groups. Based on a user’s certificate attributes, they will be segmented into network groups that can be assigned differing network policies.
  3. Configure the authentication and user role policies
    • Configure these policies to segment users into groups and apply different policies to different user groups. Based on a user’s attributes, you can customize the network to limit access to websites, applications, files, etc, based on the user’s organizational role.

Ready to set it up? Here’s what you need to get started:

 

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the form, enter the name and description of the IDP.
  4. Click the Type dropdown and select SAML.
  5. Click the Saml Vendor dropdown and select Shibboleth.
  6. Click Save to finish creating the IDP.

Now, SecureW2 Cloud Connector knows how to exchange information with your Shibboleth user database.

 

Create a SAML Application in Shibboleth

Your SAML application allows a user to enter their Shibboleth credentials in SecureW2’s software, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 to configure devices for secure network access and enroll certificates.

To create a SAML application to use with SecureW2:

  1. From your Shibboleth Admin Console, create a SAML application and download the IDP metadata. Save the metadata file (.XML) to your computer.
  2. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  3. Click Edit for the IDP you created (Shibboleth).
  4. Select the Configuration tab.
    • Note the ACS URL and EntityId – you’ll need these for step 8.
  5. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  6. In the prompt that appears, select the metadata file you saved to your computer. Click Upload.
  7. Click Update.
  8. Copy the ACS URL and EntityId to your clipboard or somewhere handy.
  9. Return to your Shibboleth SAML App setup. For the service provider details, paste the ACS URL and EntityId.
  10. Select enable Signed Response.

 

Configure Attribute Mapping

Attribute mapping lays out the attributes that are returned by your IDP and used for granting access to users.

Once your IDP identifies a user, it sends attributes to your SAML application, which then sends the attributes to SecureW2. SecureW2 encodes these attributes onto the certificate it issues.

To set up SAML authentication, you need to configure attribute mapping in your Shibboleth admin console, as well as in SecureW2.

Configure Attribute Mapping in Shibboleth

Now you need to configure Shibboleth to send attributes to SecureW2. After you configure attribute mapping in SecureW2, SecureW2 will populate these attributes into the certificates it issues.

To map attributes in Shibboleth:

  1. From your Shibboleth Admin Console, add attribute mapping. This will allow you to configure the attributes that will be encoded onto the certificate.
  2. Create an application attribute called ‘name’.
  3. Create another application attribute called ’email’.

Configure Attribute Mapping in SecureW2

Now you need to configure SecureW2 to receive the attributes sent from your IDP, so they can be encoded onto the certificate and used for policies.

These steps will show you how to map the attributes SecureW2 receives from Shibboleth, and how to edit the certificate template to use these attributes.

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. For the IDP you created (Shibboleth), click Edit.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ’email’ as the name of the variable.
  6. Click the Remote Attribute dropdown and select USER_DEFINED. In the field that appears, enter ’email’ and then click Update.
  7. Click Add.
  8. For Local Attribute, enter ‘displayName’ as the name of the variable.
  9. Click the Remote Attribute dropdown and select USER_DEFINED. In the field that appears, enter ‘name’ and then click Update.
  10. Below the table, click Update.

Now that you’ve configured SecureW2 to receive the attributes, you need to make sure the attributes are encoded onto the certificates that are issued to users. Here’s how:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authorities.
  2. For DEFAULT CERTIFICATE TEMPLATE 1, click Edit.
  3. In the Basic section, the ‘displayName’ variable is encoded as Subject.
  4. In the SAN section, the ’email’ variable is encoded as RFC822.
  5. Click Update.

The certificate template now includes the attributes and will use these attributes when certificates are issued.

 

Configure Policies in SecureW2

SecureW2 issues certificates based on the policy configuration you set up in the SecureW2 Management Portal. There are two policies that you need to configure: the Authentication policy, and the User Role policy.

To configure the policies:

  1. Go to Policy Management > Authentication.
  2. For your network profile’s authentication policy, click Edit.
  3. Select the Conditions tab and make sure your network profile is selected.
  4. Select the Settings tab and make sure the selected identity provider is the one you created (Shibboleth).
  5. Click Update.
  6. Go to Policy Management > User Roles.
  7. For Default Role Policy, click Edit.
  8. Select the Conditions tab. Click the Identity Provider dropdown and select the IDP you created (Shibboleth).
  9. Click Update.

 

Conclusion

SAML authentication with Shibboleth and SecureW2 is easy. Simply set up your IDP and SAML application, configure the attributes to be encoded on user certificates, and configure policies in SecureW2. In no time, you can use SecureW2’s JoinNow Solution to configure devices for certificate-based network access, using your Shibboleth database. Click here for a pricing estimate to implement this cost effective solution for your organization.

Shibboleth is a registered trademark of the Shibboleth Consortium in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.