Integrating the hybrid service with a single sign-on identity provider

Single sign-on delegates authentication to an identity provider, which verifies the user against the enterprise directory and asserts the user's identity, attributes, and roles to the hybrid service. All communication between the components is secured.

When single sign-on is enabled and deployed on your network, clients connecting to the hybrid proxy are redirected to the identity provider. The identity provider must be configured before off-site users can be authenticated. Once the identity provider has authenticated a user against your directory service, the user is redirected back to the hybrid proxy and the policy appropriate to that user is applied. A client that has authenticated once is not prompted again for subsequent browsing sessions until the configured session timeout expires.

Currently, PingFederate, Microsoft Active Directory Federation Services (AD FS), and, with v8.5.5, any SAML 2.0 compliant identity provider are supported as single sign-on identity providers. For information about deploying PingFederate or AD FS, see the respective vendor's documentation.

To integrate a single sign-on identity provider:

Steps

  1. On the Settings > Hybrid Configuration > Hybrid User Identification page, download and install the hybrid SSL certificate to ensure seamless authentication to HTTPS sites.

    If the certificate is not installed for single sign-on users, they receive a certificate error when they browse to an HTTPS site. If they then select the “Continue to this website (not recommended)” link, they must authenticate using NTLM identification or manual authentication, depending on the settings on the Hybrid User Identification page. See Enabling hybrid HTTPS notification pages.

  2. Mark Use identity provider for single sign-on to activate single sign-on for all client machines.
  3. Select the Identity Provider you wish to use.
  4. Once single sign-on is configured and the SSL certificate is installed on clients, enter the identity provider's metadata URL in the Metadata URL field. This URL points to the provider's SAML 2.0 metadata document, which carries its entity ID, sign-on endpoints, and signing certificate; use the HTTPS address published by the identity provider so the metadata cannot be altered in transit.
  5. Under Session Timeout, define how long a single sign-on session remains valid before users must re-authenticate against the identity provider. The default options are 1, 7, 14, or 30 days.
    Note: The Session Timeout options can be extended to 3 months, 6 months, and 12 months. To enable this extended feature, contact Technical Support.
  6. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.