Enable SAML authentication for browser-based authentication

You can enable SAML authentication for browser-based user authentication.

You must have the browser-based user authentication configured before enabling the SAML authentication for browser-based user authentication. For more details, refer to the Enable browser-based user authentication topic.

Steps

  1. Select Engine.
  2. Right-click an Engine, then select Edit <element type>.
  3. Browse to Add-Ons > User Authentication.
  4. Under the SAML section:
    1. Select the Enable SAML checkbox.
    2. Enter the value in seconds in the Clock Skew Limit field. It is the maximum allowed time difference in seconds between the Service Provider and the Identity Provider.
    3. Click Add to add a row in the table or select a row and click Remove to remove the row. The table includes the following fields:
      1. Authentication Method: Select the SAML authentication method element to use. For more details on how to create a SAML Authentication method, refer to the Create a SAML authentication method element topic.
      2. Service Entity ID: Enter the Service Provider Entity ID.
        Note: You must configure the Service Entity ID in both the IdP and the Engine. The Service Provider Entity ID that is configured in the IdP must match the Service Provider Entity ID that is configured in the Engine.
      3. IdP Metadata: Configure the Identity Provider Metadata. For more details, refer to the Create a SAML authentication method element topic.
        Note: The IdP metadata is already selected, if the IdP metadata was configured for the selected authentication method when SAML authentication method was created. You can reconfigure the IDP metadata here to overwrite it only for browser-based user authentication.
      4. ACS URL: Enter the URL where the SAML assertion is sent after login.
        Note:
        • You must configure the ACS URL in both the IdP and the Security Engine. The ACS URL that is configured in the IdP must match the ACS URL that is used in the Engine.
        • The IP Address and the port used in the ACS URL must match the browser-based user authentication interface IP Address and port.
    4. Save and refresh the policy.

Engine Editor > Add-Ons > User Authentication

Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option Definition
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.
HTTPS Settings Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element.

This option is required for client certificate authentication.
Use Client Certificates for Authentication When selected, the Security Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the Security Engine also listens on other ports.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

 When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Refresh Status Page Every

(Optional)

 Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.
Enable SAML When selected, enables SAML authentication for browser-based user authentication.
Note: This feature is only supported for HTTPS connections.
Clock Skew Limit Enter the maximum allowed time difference in seconds between the Service Provider and the Identity Provider.
Add

Click Add to add a row to the table. The table includes the following columns:

Note: To enter details in the row, double-click the field in the column to open the dialog box.
  • Authentication Method: Select the authentication method element to use for the Browser-based SAML authentication. For more details on how to create a SAML Authentication method, refer to the Create a SAML authentication method element topic.
  • Service Entity ID: Enter the Service Provider Entity ID.
    Note: You must configure the Service Entity ID in both the IdP and the Engine. The Service Provider Entity ID that is configured in the IdP must match the Service Provider Entity ID that is configured in the Engine.
  • IdP Metadata: Enter the IdP Metadata details to establish trusted and secure communication with the Identity Provider (IdP). For more details, refer to the Create a SAML authentication method element topic.
    Note: If IdP metadata has already been configured for the selected authentication method and you reconfigure it here, the new IdP metadata will overwrite the existing configuration for that authentication method. This overwrite applies only to browser-based user authentication.
  • ACS URL: Enter the URL where the SAML assertion is sent after login. For example, https://xxy.xxyxyx.com:9443/sso/saml. Wherein, xxy.xxyxyx.com is the hostname of the browser-based authentication and 9443 is the same port that is defined for the browser-based authentication.
    Note:
    • You must configure the ACS URL in both the IdP and the Security Engine. The ACS URL that is configured in the IdP must match the ACS URL that is used in the Engine.
    • The IP Address and the port used in the ACS URL must match the browser-based user authentication interface IP Address and port.
Remove Select a row in the table and then click Remove to remove the row.