Integration Guide
Contents
Overview
Initial Setup
STEP ONE
Entity IDs
Status Messages
STEP TWO
STEP THREE
Activating Configurations
Deactivating Configurations
Troubleshooting
Testing
Overview
SAML (Security Assertion Markup Language) is an XML-based framework for exchanging user authentication and authorization information between security domains. The user attempts to access a resource within a secure domain. The security domains are the identity provider (IDP), which makes assertions about the user, and the service provider (SP), which consumes assertions about the user. The SAML standard is extensible, flexible, and platform-independent, and it provides a way to securely exchange information between business entities. For more information about SAML, see the following:
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
http://www.oasis-open.org/committees/security/faq.php
Luna Control Center supports SAML 2.0 Integration for fully federated control of users, single
sign-on, and multifactor authentication. This solution, for customers using their own identity provider, validates the user's identity prior to allowing access to Luna Control Center.
To act as a service provider, Luna Control Center requires the attribute userid in the SAML assertion sent by the identity provider. Luna uses this attribute to assign a user profile to the client.
Initial Setup
Configuring your identity provider requires the following information:
- Entity ID or issuer name (a URL or name that uniquely identifies your identity provider)
- Authentication/public key certificate
- Email address where new Luna certificates and metadata, system alerts, and other communications from Luna Control Center should be sent
- Domain name used in the identity provider discovery mechanism, taking the following form: <customer>.luna-sp.com
You also need the following information about Luna Control Center as a service provider. This information is contained in the SAML metadata file, which can be downloaded from the link provided in Luna once the identity provider configuration is saved:
- Entity ID (luna-sp.com)
- SAML attribute sent by the IDP (must be userid, containing the user's Luna Control Center username/email address)
The main panel lists the identity provider configurations that have been created. It lets you edit, activate, and deactivate/reactivate configurations by selecting them in the list, clicking the gear icon in the same row, and then choosing the appropriate action from the menu. It also lets you delete inactive configurations by selecting them and choosing Delete from their gear menu. (Note that this action removes the inactive configuration from the main panel's list.)
The main panel displays the entity ID, the service provider endpoint, and the status for each configuration. A filter is provided for dealing with long lists of configurations.
Entity IDs
This column shows the Entity ID for each configuration. This is the entity ID or
issuer name that uniquely identifies your identity provider.
You can set the first part of the hostname; the second part (.luna-sp.com) is
pre-specified by Luna Control Center. Once it is provisioned, it cannot be
edited or changed.
Status Messages
The Status column shows a range of information, such as whether the configuration is Active or Inactive, as well as more specific variations, such as
Pending activation where the action is still pending completion. (Note that
configuration processes can take up to 48 hours, depending on the work
queue.) Status messages also include Failed and Failed verification.
Failed means that an error occurred while trying to deploy the configuration. Failed verification means that the configuration could not be verified, typically because the certificate had already expired or because it had
an expiration date that was too far into the future.
2. Click Create Identity Provider Configuration
STEP TWO
Enter all of the information pertaining to your identity provider in the SSO provisioning application. The
asterisks indicate required fields, where you must enter information in order to successfully create and
save a configuration.
The strings in some fields, such as the local user attribute name (userid) and the last part of the service provider endpoint address (.luna-sp.com), are pre-specified by Luna Control Center.
1. Using the information about your identity provider (IDP), fill in the first three fields:
- Entity ID
2. The next field, Single Logout URL, is optional. If your SAML metadata includes this information and
you wish to configure for a Single Logout, you may enter it here.
3. Enter an email address that should receive notifications from Luna Control Center.
4. Enter the x509c Certificate key.
5. The next field, Alternate x509c Certificate Key, is optional. If you have an alternate x509c Certificate
key, you may enter it here. Having a second key can be convenient if your current key is nearing
expiration and your IDP supports key rotation.
6. When the required information has been entered, click Save or click Save & Activate.
Click Save if you want to keep a draft of your configuration without activating it yet. In the Manage
Single Sign-On with SAML applications main panel, Inactive then appears in the Status column
of the new configuration. This means it has been saved but is not yet activated.
- You may repeat all steps to this point to create as many additional inactive SSO configurations as desired. They'll all be listed and accessible from the main panel. (A filter is provided for convenience when dealing with long lists.)
- When you want to activate one of your saved but inactive configurations, select Activate from its gear icon. This action results in a progression of status messages, which may take up to 48 hours, starting with "Pending activation", then "Pending activation (DNS)", and finally "Active."
Click Save & Activate if you want to immediately request activation of the new configuration. In the
Manage Single Sign-On with SAML applications main panel, "Pending activation" then appears in
the Status column of the new configuration, indicating that it has been saved and is awaiting activation.
- This action results in a progression of status messages, starting with "Pending activation (DNS)" and ending with "Active."
- You may repeat all steps to this point to create as many additional active configurations as desired.
STEP THREE
Once the configuration is complete and saved, a CNAME request is generated automatically to create a DNS entry for the <customer>.luna-sp.com hostname. The actual CNAME creation process, which is not automated, can take 1-2 business days.
After you've saved a configuration, it displays "Inactive" in the Status column. This means the configuration has been saved but is not yet activated.
Lastly, you need to configure your Identity Provider, a two-step process.
1. Click the gear icon and select Download. This action downloads the Luna SAML metadata that you need to configure your IDP.
2. To activate the new configuration, click the gear icon and select Activate. This will result in a progression of status messages, starting with "Pending activation" and ending with "Active."
Sample Metadata File. The metadata file that is generated has information about Luna Control Center as service provider and can be used to configure your identity provider. This metadata file contains the entity ID, the Assertion Consumer Service (ACS) URL, and the X509 certificate.
Activating Configurations
You can activate an inactive configuration by selecting the Activate option from the configuration's gear menu. A message then appears, asking you to confirm that you wish to activate the configuration. Click Yes.
Deactivating Configurations
The Manage SSO with SAML application lets you easily deactivate any of your active configurations by
selecting Deactivate from its gear icon menu. A message then appears, asking you to confirm that you
wish to deactivate the configuration, causing all those who may be using this IDP configuration to lose
access to Luna. Click Yes. A second message then confirms that the configuration has been disabled.
In the application's main panel, the Status for the configuration updates to "Pending deactivation." Hovering over the label displays this message: "The configuration is awaiting deactivation. These changes take effect within 24 hours."
Troubleshooting
If you see a Failed status message while provisioning the metadata, or experience any other issues during
testing, file a support ticket through Luna Control Center.
Testing
Testing can begin only after:
- You have downloaded the Luna SAML metadata and have provisioned it on your Identity Provider.
For SP-initiated single sign-on, a URL of the following form can be used:
<your Service Provider endpoint>/sso/genSSOCookie?IdP=<your Entity Id>
Example:
https://customersso.luna-sp.com/sso/genSSOCookie?IdP=Customer_EntityID
An IDP-initiated single sign-on URL can also be used.
To test the setup, create two configurations: one for testing and another for the production environment. Once you are satisfied with the settings in the test configuration, you can deploy the production configuration.
CNAME?
A. Once a configuration is saved, the CNAME request is triggered automatically on Luna to create a DNS entry for the <customer>.luna-sp.com hostname. When a configuration is activated, the status messages progress from "Pending activation" to "Pending activation (DNS)" to "Active." The "Pending activation (DNS)" status informs you that the CNAME has not been created yet.
Inactive. The configuration has been saved but is not yet active, or the configuration has been deactivated.
Failed. An error occurred during activation, or an error occurred during deactivation.
Q. What happens to direct login, once SAML has been integrated? Will users be able to continue using
their Luna credentials to access Luna Control Center? Is it possible to designate users as SAML only?
A. Users' Luna credentials will work for a direct login. You can choose to require SAML only, and can
request Akamai to turn off direct login. Until this change is made, however, users will be able to access
Luna both ways.
Q. I am seeing a 400 Bad-Request response after getting authenticated by my identity provider. Why?
A. There are several possible reasons for this type of response:
- Your identity provider may be using an RSA SHA 256 signing algorithm. Luna Control Center doesn't currently support this algorithm. Ask your IDP to use an RSA SHA 1 signing algorithm instead.
- Your identity provider may be encrypting the payload or response. Luna doesn't support encryption. Luna expects digitally signed responses.
The entity ID of a SAML IDP (or SP) exists in the SAML metadata within a tag like this:
- In extreme cases, the identity provider may be sending a different entity ID for Luna. The correct value is luna-sp.com. Look for an Audience tag in the SAML response. It should have the value luna-sp.com.
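As an added example (not part of this guide or Akamai's code), the following Python script applies the checks from the answer above, plus the userid attribute requirement from Initial Setup, to an IdP's SAML Response before it is sent to the service provider. The sample response builder, its IDs, and the user value are constructed for illustration; the assertion is assumed to carry its signature directly under saml:Assertion.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
LUNA_SP_ENTITY_ID = "luna-sp.com"


def check_saml_response(xml_text, expected_audience=LUNA_SP_ENTITY_ID):
    """Return the findings that, per the guide, explain a 400 Bad Request."""
    root = ET.fromstring(xml_text)
    findings = []
    # Luna expects a signed, unencrypted assertion.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; the SP expects a signed, unencrypted assertion")
    if root.find(".//ds:Signature", NS) is None:
        findings.append("response carries no XML signature")
    # Luna only accepts the RSA-SHA1 signing algorithm.
    for method in root.iterfind(".//ds:SignatureMethod", NS):
        alg = method.get("Algorithm", "")
        if alg != RSA_SHA1:
            findings.append(f"signature algorithm {alg} is not RSA-SHA1")
    # The Audience must name the Luna SP entity ID.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        findings.append(f"Audience {audiences} does not name SP entity ID {expected_audience}")
    # The assertion must carry a non-empty userid attribute.
    userid = root.find(".//saml:Attribute[@Name='userid']/saml:AttributeValue", NS)
    if userid is None or not (userid.text or "").strip():
        findings.append("required attribute 'userid' is missing or empty")
    return findings


def sample_response(alg=RSA_SHA1, audience=LUNA_SP_ENTITY_ID, userid="alice@example.com"):
    """Constructed, minimal SAML Response for testing; not a real IdP message."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>Customer_EntityID</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>
      <ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="userid">
      <saml:AttributeValue>{userid}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Run check_saml_response on a response captured from your IdP's test user; an empty list means none of the three causes in this answer applies and the support ticket can focus elsewhere.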
Q. What are the steps that need to be taken to select the SAML only option and to ensure that direct login
is turned off?
A. Once you have decided to make the switch from a non-SAML-only to SAML-only login, you will have
to communicate this requirement to your Luna account team, TPM, or SA/SE.