How to Configure SAML Authentication with Shibboleth


One of SecureW2’s solutions is configuring devices for secure network access, and any LDAP or SAML identity store can be integrated with SecureW2. Google, Okta, Azure, Shibboleth — these are examples of major SAML providers that can integrate with SecureW2 to authenticate users for secure network access.

To do so, set up an identity provider (IDP) in SecureW2, create a SAML application in Shibboleth, and share metadata between the two.

Next, configure the attributes Shibboleth sends to SecureW2, and configure SecureW2 to receive the attributes. SecureW2 can then encode the attributes to certificates it issues.

Finally, configure the authentication and user role policies in SecureW2. SecureW2 issues certificates based on these policies, which determine a user’s access rights, network segments, etc.


Ready to set it up? Here’s what you need to get started:

  • An active SecureW2 account
  • An active Cloud Connector subscription
  • Completed the SecureW2 Getting Started Wizard to configure EAP-TLS certificate-based Wi-Fi authentication


Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that authenticates a user or device and asserts its identity to other systems.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the form, enter the name and description of the IDP.
  4. Click the Type dropdown and select SAML.
  5. Click the Saml Vendor dropdown and select Shibboleth.
  6. Click Save to finish creating the IDP.

Now, SecureW2 Cloud Connector knows how to exchange information with your Shibboleth user database.


Create a SAML Application in Shibboleth

Your SAML application allows a user to enter their Shibboleth credentials in SecureW2’s software, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 to configure devices for secure network access and enroll certificates.

To create a SAML application to use with SecureW2:

  1. From your Shibboleth Admin Console, create a SAML application and download the IDP metadata. Save the metadata file (.XML) to your computer.
  2. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  3. Click Edit for the IDP you created (Shibboleth).
  4. Select the Configuration tab.
    • Note the ACS URL and EntityId – you’ll need these for step 8.
  5. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  6. In the prompt that appears, select the metadata file you saved to your computer. Click Upload.
  7. Click Update.
  8. Copy the ACS URL and EntityId to your clipboard or somewhere handy.
  9. Return to your Shibboleth SAML App setup. For the service provider details, paste the ACS URL and EntityId.
  10. Select Enable Signed Response so that the IDP signs the SAML responses it sends to SecureW2.


Configure Attribute Mapping

Attribute mapping lays out the attributes that are returned by your IDP and used for granting access to users.

Once your IDP identifies a user, it sends attributes to your SAML application, which then sends the attributes to SecureW2. SecureW2 encodes these attributes onto the certificate it issues.

To set up SAML authentication, you need to configure attribute mapping in your Shibboleth admin console, as well as in SecureW2.

Configure Attribute Mapping in Shibboleth

Now you need to configure Shibboleth to send attributes to SecureW2. After you configure attribute mapping in SecureW2, SecureW2 will populate these attributes into the certificates it issues.

To map attributes in Shibboleth:

  1. From your Shibboleth Admin Console, add attribute mapping. This will allow you to configure the attributes that will be encoded onto the certificate.
  2. Create an application attribute called ‘name’.
  3. Create another application attribute called ‘email’.
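The steps above assume a Shibboleth admin console; on a standard Shibboleth IdP (v3/v4 syntax) the same settings live in XML files under conf/. The fragments below are an added example, not SecureW2’s or the Shibboleth project’s own configuration, and they cover the attribute definitions for ‘name’ and ‘email’, the release policy that sends only those two attributes to SecureW2, the SP registration that stands in for step 9 of the SAML application section, and the signed-response override from step 10 of that section. The data connector id myLDAP, the LDAP attributes displayName and mail, the metadata file name securew2-sp.xml, and the EntityId placeholder are assumptions; replace the placeholder with the EntityId shown on the Configuration tab.

```xml
<!-- conf/attribute-resolver.xml: define the two attributes the page maps.
     "myLDAP", "displayName" and "mail" are assumed connector/LDAP names.
     (IdP v4+ prefers encoders in conf/attributes/; in-line encoders still work.) -->
<AttributeDefinition id="name" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="displayName"/>
    <!-- The SAML attribute Name is what SecureW2 matches as the remote attribute -->
    <AttributeEncoder xsi:type="SAML2String" name="name" friendlyName="name"
                      encodeType="false"/>
</AttributeDefinition>

<AttributeDefinition id="email" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML2String" name="email" friendlyName="email"
                      encodeType="false"/>
</AttributeDefinition>

<!-- conf/metadata-providers.xml: register the SecureW2 SP by its metadata
     (carries the ACS URL and EntityId from the Configuration tab).
     The file name is an assumption. -->
<MetadataProvider id="SecureW2SP" xsi:type="FilesystemMetadataProvider"
                  metadataFile="%{idp.home}/metadata/securew2-sp.xml"/>

<!-- conf/attribute-filter.xml: release ONLY name and email, and only to the
     SecureW2 SP. Any other attribute stays withheld by default. -->
<AttributeFilterPolicy id="releaseToSecureW2">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://SECUREW2-ENTITYID-PLACEHOLDER"/>
    <AttributeRule attributeID="name" permitAny="true"/>
    <AttributeRule attributeID="email" permitAny="true"/>
</AttributeFilterPolicy>

<!-- conf/relying-party.xml: per-SP override inside
     shibboleth.RelyingPartyOverrides that signs the whole SAML response as
     well as the assertion (the "Signed Response" setting). -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://SECUREW2-ENTITYID-PLACEHOLDER">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:signResponses="true"
                  p:signAssertions="true"/>
        </list>
    </property>
</bean>
```

Because the release policy is scoped to the SecureW2 EntityId with a Requester rule, a misconfigured or unknown SP gets neither attribute, which is the check to confirm in the IdP logs after the first test login.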

Configure Attribute Mapping in SecureW2

Now you need to configure SecureW2 to receive the attributes sent from your IDP, so they can be encoded onto the certificate and used for policies.

These steps will show you how to map the attributes SecureW2 receives from Shibboleth, and how to edit the certificate template to use these attributes.

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. For the IDP you created (Shibboleth), click Edit.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter ‘email’ as the name of the variable.
  6. Click the Remote Attribute dropdown and select USER_DEFINED. In the field that appears, enter ‘email’ and then click Update.
  7. Click Add.
  8. For Local Attribute, enter ‘displayName’ as the name of the variable.
  9. Click the Remote Attribute dropdown and select USER_DEFINED. In the field that appears, enter ‘name’ and then click Update.
  10. Below the table, click Update.


Now that you’ve configured SecureW2 to receive the attributes, you need to make sure the attributes are encoded onto the certificates that are issued to users. Here’s how:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authorities.
  2. For DEFAULT CERTIFICATE TEMPLATE 1, click Edit.
  3. In the Basic section, confirm that the ‘displayName’ variable is encoded as the Subject.
  4. In the SAN section, confirm that the ‘email’ variable is encoded as RFC822.
  5. Click Update.

The certificate template now includes the attributes and will use these attributes when certificates are issued.


Configure Policies in SecureW2

SecureW2 issues certificates based on the policy configuration you set up in the SecureW2 Management Portal. There are two policies that you need to configure: the Authentication policy, and the User Role policy.

To configure the policies:

  1. Go to Policy Management > Authentication.
  2. For your network profile’s authentication policy, click Edit.
  3. Select the Conditions tab and make sure your network profile is selected.
  4. Select the Settings tab and make sure the selected identity provider is the one you created (Shibboleth).
  5. Click Update.
  6. Go to Policy Management > User Roles.
  7. For Default Role Policy, click Edit.
  8. Select the Conditions tab. Click the Identity Provider dropdown and select the IDP you created (Shibboleth).
  9. Click Update.


Conclusion

SAML authentication with Shibboleth and SecureW2 is easy. Simply set up your IDP and SAML application, configure the attributes to be encoded on user certificates, and configure policies in SecureW2. In no time, you can use SecureW2’s JoinNow Solution to configure devices for certificate-based network access, using your Shibboleth database.

Shibboleth is a registered trademark of the Shibboleth Consortium in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.
