Enable SAML authentication for Application Access Portal

You can use SAML authentication for user logins to the Application Access Portal.

Steps

  1. Select Engine.
  2. Right-click an engine element, then select Edit <element type>.
  3. Browse to VPN > Application Access Portal.
  4. Under the SAML section:
    1. Select the Enable SAML checkbox.
    2. Enter the value in seconds in the Clock Skew Limit field. It is the maximum allowed time difference in seconds between the Service Provider and the Identity Provider.
    3. Click Add to add a row in the table or select a row and click Remove to remove the row. The table includes the following fields:
      1. Authentication Method: Select the SAML authentication method element to use. For more details on how to create a SAML Authentication method, refer to the Create a SAML authentication method element topic.
      2. Service Entity ID: Enter the Service Provider Entity ID.
        Note: You must configure the Service Entity ID in both the IdP and the Engine. The Service Provider Entity ID that is configured in the IdP must match the Service Provider Entity ID that is configured in the Engine.
      3. IdP Metadata: Configure the Identity Provider Metadata. For more details, refer to the Create a SAML authentication method element topic.
        Note: The IdP metadata is already selected, if the IdP metadata was configured for the selected authentication method when SAML authentication method was created. You can reconfigure the IDP metadata here to overwrite it only for the Application Access Portal.
      4. ACS URL: Enter the URL where the SAML assertion is sent after login.
        Note:
        • You must configure the ACS URL in both the IdP and the Security Engine. The ACS URL that is configured in the IdP must match the ACS URL that is used in the Engine.
        • The IP Address and the port used in the ACS URL must match the browser-based user authentication interface IP Address and port.
    4. Save and refresh the policy.

Engine Editor > VPN > Application Access Portal

Use this branch to change settings for the Application Access Portal on the Security Engine.

Option Definition
Application Access Portal Shows the Application Access Portal element that is selected for the Security Engine. Click Select to select an element.
Port

(Optional)

 The port for client connections to the Application Access Portal. The default port is 443.
Allowed SSL/TLS Versions The versions of SSL and TLS that are allowed for connections to the Application Access Portal.
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
TLS Cryptography Suite Set The cryptographic suite for TLS connections to the Application Access Portal. Click Select to select an element. Do not change the default setting unless you have a specific reason to do so.
Enable SAML When selected, it enables SAML authentication for Application Access Portal.
Clock Skew Limit Enter the maximum allowed time difference in seconds between the Service Provider and the Identity Provider.
Add
Click Add to add a row to the table. The table includes the following columns:
Note: To enter details in the row, double-click the field in the column to open the dialog box.
  • Authentication Method: Select the authentication method element to use for the Application Access Portal.
  • Service Entity ID: Enter the Service Provider Entity ID.
    Note: You must configure the Service Entity ID in both the IdP and the Engine. The Service Provider Entity ID that is configured in the IdP must match the Service Provider Entity ID that is configured in the Engine.
  • IdP Metadata: Enter the IdP Metadata details to establish trusted and secure communication with the Identity Provider (IdP). For more details, refer to the Create a SAML authentication method element topic.
    Note: If IdP metadata has already been configured for the selected authentication method and you reconfigure it here, the new IdP metadata will overwrite the existing configuration for that authentication method. This overwrite applies only Application Access Portal.
  • ACS URL: Enter the URL where the SAML assertion is sent after login. For example, https://xxy.xxyxyx.com:9443/sso/saml. Wherein, xxy.xxyxyx.com is the hostname of the Application Access Portal and 9443 is the same port that is defined for the Application Access Portal.
    Note:
    • You must configure the ACS URL in both the IdP and the Security Engine. The ACS URL that is configured in the IdP must match the ACS URL that is used in the Engine.
    • The IP Address and the port used in the ACS URL must match the browser-based user authentication interface IP Address and port.
Remove Select a row in the table and then click Remove to remove the row.