
Single Sign-On with SAML

Integration Guide

Overview
  Single Sign-On with SAML
  Luna Control Center and SAML
  Luna Control Center as a Service Provider
Provisioning SSO with Luna Control Center
  Initial Setup
  Provision SSO with Luna Control Center
    STEP ONE
      Entity IDs
      Service Provider Endpoints
      Status Messages
    STEP TWO
    STEP THREE
Working with the Configuration
  Downloading Configuration Data
  Activating Configurations
  Deactivating Configurations
  Troubleshooting
  Testing
Frequently Asked Questions

Overview
SAML (Security Assertion Markup Language) is an XML-based framework for exchanging user authentication and authorization information between security domains. The user attempts to access a resource within a secure domain. The security domains are the identity provider (IDP), which makes assertions about the user, and the service provider (SP), which consumes assertions about the user. The SAML standard is extensible, flexible, and platform-independent, and it provides a way to securely exchange information between business entities. For more information about SAML see the following:
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
http://www.oasis-open.org/committees/security/faq.php

Single Sign-On with SAML

Implementing a single sign-on (SSO) infrastructure enables users to sign in once and have access to all authorized resources. There are many benefits:
• Increased adoption - SSO makes it easier to access applications and reduces the barriers to using resources.
• Uniform security layer - SAML is platform agnostic, allowing enterprise architects to implement a uniform security layer between existing assets.
• Improved productivity - Centralized password management saves time and makes users more productive.
• Reduced frustration - By establishing one password for all of their resources, SSO greatly reduces the user frustration associated with maintaining and remembering multiple passwords and eliminates the need for multiple login events.

Luna Control Center and SAML

Luna Control Center supports SAML 2.0 integration for fully federated control of users, single sign-on, and multifactor authentication. This solution, for customers using their own identity provider, validates the user's identity before allowing access to Luna Control Center.

Luna Control Center as a Service Provider

Luna Control Center can act as a SAML service provider for single sign-on. Customers can use their own SAML identity provider to authenticate users before they enter Luna Control Center.
Only SAML version 2.0 is supported in Luna. It is assumed that any customer IDP will be using SAML 2.0 for single sign-on.
When customers enable an identity provider, all users are directed to that IDP for authentication, and single sign-on is enabled for all users.

To act as a service provider, Luna Control Center requires the attribute userid in the SAML assertion sent by the identity provider. Luna uses this attribute to assign a user profile to the client.

Provisioning SSO with Luna Control Center

Before creating an identity provider SSO configuration, you need to determine a hostname for the service provider endpoint. This hostname is provisioned by Luna Control Center.
Additionally, you will need to set up your own identity provider. There are various open source and proprietary packages available for providing federated identity solutions. Luna Control Center uses the SimpleSAMLphp package, available at http://simplesamlphp.org/.
Additional information required to configure your identity provider can be found in the metadata file, which is generated after completing the provisioning in Luna (see the figure, ahead, captioned Sample Metadata File).

Initial Setup
Configuring your identity provider requires the following information:
• Entity ID or issuer name (a URL or name that uniquely identifies your identity provider)
• Authentication/public key certificate
• SAML single sign-on URL
• SAML logout URL (if you have one and want to use it)
• Email address where new Luna certificates and metadata, system alerts, and other communications from Luna Control Center should be sent
• Domain name used in the identity provider discovery mechanism, taking the following form: <customer>.luna-sp.com

You also need the following information about Luna Control Center as a service provider. This information, contained in the SAML metadata file that can be downloaded from the link provided in Luna once the identity provider configuration is saved, is the following:
• Entity ID (luna-sp.com)
• x509c Certificate key
• SAML ACS URL (https://<SP end point>.luna-sp.com/sso/endpoint/postResponse)
• SAML SLO URL (https://<SP end point>.luna-sp.com/sso/endpoint/logout)
• SAML attribute sent by IDP (must be userid, containing the user's Luna Control Center username/email address)

Provision SSO with Luna Control Center

STEP ONE
The Manage Single Sign-On with SAML application's main configuration panel can be reached from Luna Control Center as follows:
1. From the top-level menu, open the path Configure > Organization > Manage SSO with SAML. The application's main panel appears.

The main panel conveniently lists the identity provider configurations that have been created. It lets you easily edit, activate, and deactivate/reactivate configurations by selecting them in the list, clicking the gear icon in the same row, and then choosing the appropriate action from the menu. It also lets you delete inactive configurations by selecting them and choosing Delete from their gear menu. (Note that this action removes the inactive configuration from the main panel's list.)

The main panel displays the entity ID, the service provider endpoint, and the status for each configuration. A filter is provided for your convenience in dealing with long lists of configurations.

Entity IDs
This column shows the Entity ID for each configuration. This is the entity ID or issuer name that uniquely identifies your identity provider.

Service Provider Endpoints

This column shows the hostname through which the single sign-on URLs are available. It is assigned by Luna Control Center at the time when you first sign up for service, and it is the hostname through which you are then able to access all of Luna's services.

You can set the first part of the hostname; the second part (.luna-sp.com) is pre-specified by Luna Control Center. Once it is provisioned, it cannot be edited or changed.

Status Messages
The Status column shows a range of information, such as whether the configuration is Active or Inactive, as well as more specific variations, such as "Pending activation" where the action is still pending completion. (Note that configuration processes can take up to 48 hours, depending on the work queue.) Status messages also include "Failed" and "Failed verification". "Failed" means that an error occurred while trying to deploy the configuration. "Failed verification" means that the configuration could not be verified, typically because the certificate had already expired or because it had an expiration date that was too far into the future.
2. Click Create Identity Provider Configuration.

STEP TWO
Enter all of the information pertaining to your identity provider in the SSO provisioning application. The asterisks indicate required fields, where you must enter information in order to successfully create and save a configuration.

The strings in some fields, such as the local user attribute name (userid) and the last part of the service provider endpoint address (.luna-sp.com), are pre-specified by Luna Control Center.

1. Using the information about your identity provider (IDP), fill in the first three fields:
• Service Provider End-point
• Entity ID
• Single Sign-On URL

2. The next field, Single Logout URL, is optional. If your SAML metadata includes this information and you wish to configure Single Logout, you may enter it here.

3. Enter an email address that should receive notifications from Luna Control Center.
4. Enter the x509c Certificate key.
5. The next field, Alternate x509c Certificate Key, is optional. If you have an alternate x509c Certificate key, you may enter it here. Having a second key can be convenient if your current key is nearing expiration and your IDP supports key rotation.

6. When the required information has been entered, click Save or click Save & Activate.
Click Save if you want to keep a draft of your configuration without activating it yet. In the Manage Single Sign-On with SAML application's main panel, "Inactive" then appears in the Status column of the new configuration. This means it has been saved but is not yet activated.
• You may repeat all steps to this point to create as many additional inactive SSO configurations as desired. They'll all be listed and accessible from the main panel. (A filter is provided for convenience when dealing with long lists.)
• When you want to activate one of your saved but inactive configurations, simply select Activate from its gear icon. This action results in a progression of status messages, which may take up to 48 hours, starting with "Pending activation", then "Pending activation (DNS)", and finally "Active".

Click Save & Activate if you want to immediately request activation of the new configuration. In the Manage Single Sign-On with SAML application's main panel, "Pending activation" then appears in the Status column of the new configuration, indicating that it has been saved and is awaiting activation.
• This action results in a progression of status messages, starting with "Pending activation (DNS)" and ending with "Active".
• You may repeat all steps to this point to create as many additional active configurations as desired.

STEP THREE
Once the configuration is complete and saved, a CNAME request is generated automatically to create a DNS entry for the <customer>.luna-sp.com hostname. The actual CNAME creation process, which is not automated, can take 1-2 business days.
After you've saved a configuration, it displays "Inactive" in the Status column. This means the configuration has been saved but is not yet activated.
Lastly, you need to configure your Identity Provider, a two-step process.

1. Click the gear icon and select Download. This action downloads the Luna SAML metadata that you need to configure your IDP.

2. To activate the new configuration, click the gear icon and select Activate. This will result in a progression of status messages, starting with "Pending activation" and ending with "Active".

Sample Metadata File. The metadata file that is generated has information about Luna Control Center as service provider and can be used to configure your identity provider. As shown, this metadata file has information about the entity ID, the Assertion Consumer Service (ACS) URL, and the X509 certificate.
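The figure itself is not reproduced here. As an added example (not part of the original guide and not Akamai's tooling), the following Python script parses a SAML 2.0 service-provider metadata document of the kind the caption describes and extracts the values the guide says an identity provider administrator needs from it: entity ID, ACS URL, SLO URL and the X.509 certificate. The metadata embedded in the script is constructed for illustration; the entity ID luna-sp.com, the endpoint paths and the hostname examplesso.luna-sp.com are the guide's own values, and the certificate body is a placeholder, not a real key.

```python
"""Extract identity-provider configuration values from SAML 2.0
service-provider metadata (entity ID, ACS URL, SLO URL, X.509 certificate).

Added example, not code from the guide. The metadata below is constructed:
entity ID and URL paths follow the guide, the certificate is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder certificate body (real metadata carries base64-encoded DER here).
PLACEHOLDER_CERT_B64 = base64.b64encode(b"PLACEHOLDER_CERTIFICATE_BODY").decode()

# Constructed sample SP metadata, laid out like the guide's "Sample Metadata File".
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="luna-sp.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {PLACEHOLDER_CERT_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://examplesso.luna-sp.com/sso/endpoint/logout"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://examplesso.luna-sp.com/sso/endpoint/postResponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _pick_acs(spsso):
    """Return the default AssertionConsumerService (isDefault, else the lowest index)."""
    services = spsso.findall("md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("metadata has no AssertionConsumerService")
    for svc in services:
        if svc.get("isDefault", "").lower() == "true":
            return svc
    return min(services, key=lambda s: int(s.get("index", "0")))


def parse_sp_metadata(xml_text):
    """Return the values an IdP administrator needs from SP metadata.

    Raises ValueError if the document is not SP metadata or the certificate
    is not valid base64 (a common copy-and-paste failure).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs = _pick_acs(spsso)
    slo = spsso.find("md:SingleLogoutService", NS)  # optional, as the guide notes

    # Prefer the signing key; a KeyDescriptor without a 'use' attribute also qualifies.
    cert_el = None
    for kd in spsso.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert_el is not None:
                break
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate found in a signing KeyDescriptor")

    # Metadata wraps the base64 body across lines; strip all whitespace before decoding.
    cert_der = base64.b64decode("".join(cert_el.text.split()), validate=True)

    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "cert_der": cert_der,
        # Fingerprint to compare against what the IdP console shows after import.
        "cert_sha256": hashlib.sha256(cert_der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value!r}")
```

Run it against the downloaded metadata file instead of the embedded sample to confirm that the entity ID reads luna-sp.com and that the ACS and SLO URLs carry your own service provider endpoint hostname before you paste them into the IdP.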

Working with the Configuration

Various actions can be performed with respect to each created configuration in the main panel. Options include Download, Activate, and Deactivate. These actions are selected from drop-down menus that appear after clicking one of the gear icons.

Downloading Configuration Data

Choose the Download option to download Luna Control Center's SAML metadata for your configurations. You will need the data to set up your IDP, which must be done before any testing begins.

Activating Configurations
You can activate an inactive configuration by selecting the Activate option from the configuration's gear menu. A message then appears, asking you to confirm that you wish to activate the configuration. Click Yes.

Deactivating Configurations
The Manage SSO with SAML application lets you easily deactivate any of your active configurations by selecting Deactivate from its gear icon menu. A message then appears, asking you to confirm that you wish to deactivate the configuration, which causes all those who may be using this IDP configuration to lose access to Luna. Click Yes. A second message then confirms that the configuration has been disabled.
In the application's main panel, the Status for the configuration updates to "Pending deactivation". Hovering over the label displays this message: "The configuration is awaiting deactivation." These changes take effect within 24 hours.

Troubleshooting
If you see a "Failed" status message while provisioning the metadata, or experience any other issues during testing, file a support ticket through Luna Control Center.

Testing
Testing can begin only after:
• The Status for a configuration reads "Active".
• You have downloaded the Luna SAML metadata and have provisioned it on your Identity Provider.

For SP-initiated single sign-on, a URL of the following form can be used:
<your Service Provider endpoint>/sso/genSSOCookie?IdP=<your Entity Id>

Example:
https://customersso.luna-sp.com/sso/genSSOCookie?IdP=Customer_EntityID
An IDP-initiated single sign-on URL can also be used.
To test the setup, create two configurations: one for testing and another for the production environment. Once you are satisfied with the settings in the test configuration, you can deploy the production configuration.

Frequently Asked Questions

Q. How can I decide upon the hostname used for creating the Service Provider Endpoint?
A. The hostname used for creation of the Service Provider Endpoint needs to be unique across all the Luna SAML identity provider configurations. This hostname needs to be in a format accepted as a valid hostname by RFC 1123. Additionally, it is highly recommended to have a hostname of a form that can act as an identifier for your account.
For example, if the sample account is Example, Inc., you can use the hostname "examplesso". In this case, the service provider endpoint that will be provisioned would be examplesso.luna-sp.com.
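Because the endpoint hostname cannot be changed once provisioned, it is worth checking the chosen label against the RFC 1123 rules before submitting it. As an added example (not code from the guide or from Akamai), the following Python script validates the customer-chosen first part of the hostname, appends the pre-specified .luna-sp.com suffix, and builds the SP-initiated single sign-on URL from the Testing section above. The .luna-sp.com suffix and the /sso/genSSOCookie?IdP= URL form are taken from the guide; percent-encoding the entity ID is an assumption made here because identity provider entity IDs are often themselves URLs, which the guide's own example (Customer_EntityID) does not illustrate.

```python
"""Validate a service-provider endpoint label (RFC 1123) and build the
SP-initiated single sign-on test URL described in the guide.

Added example, not code from the guide. The .luna-sp.com suffix and the
/sso/genSSOCookie?IdP= form come from the guide; percent-encoding of the
entity ID is this example's assumption.
"""
import re
from urllib.parse import quote

SP_DOMAIN = "luna-sp.com"  # second part of the hostname, pre-specified by Luna Control Center
MAX_HOSTNAME_LEN = 253      # RFC 1123 overall hostname limit, in characters

# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_endpoint_label(label):
    """Return the full SP endpoint hostname for `label`, or raise ValueError.

    Only the first part of the hostname is chosen by the customer, and the guide
    says it cannot be edited once provisioned, so it is checked up front.
    Hostnames are case-insensitive, so the result is normalised to lower case.
    """
    if not isinstance(label, str) or not LABEL_RE.match(label):
        raise ValueError(
            f"{label!r} is not a valid RFC 1123 hostname label "
            "(1-63 letters/digits/hyphens, no leading or trailing hyphen, no dots)"
        )
    hostname = f"{label}.{SP_DOMAIN}".lower()
    if len(hostname) > MAX_HOSTNAME_LEN:
        raise ValueError(f"hostname exceeds {MAX_HOSTNAME_LEN} characters")
    return hostname


def sp_initiated_sso_url(label, idp_entity_id):
    """Build the SP-initiated SSO URL from the guide's Testing section.

    The identity provider entity ID is percent-encoded (safe='' so that ':' and
    '/' are escaped too) so that entity IDs which are URLs, such as
    http://sso.example.com/adfs/services/trust, survive as one query value.
    """
    if not idp_entity_id:
        raise ValueError("identity provider entity ID is required")
    hostname = validate_endpoint_label(label)
    return f"https://{hostname}/sso/genSSOCookie?IdP={quote(idp_entity_id, safe='')}"


if __name__ == "__main__":
    print(sp_initiated_sso_url("customersso", "Customer_EntityID"))
    print(sp_initiated_sso_url("examplesso", "http://sso.example.com/adfs/services/trust"))
    for bad in ("-examplesso", "example_sso", "example.sso", "a" * 64):
        try:
            validate_endpoint_label(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The first call reproduces the guide's own example URL exactly; the second shows why encoding matters when the entity ID contains a scheme and path.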

Q. How is it communicated that a CNAME has been created? Can you provision before creating a CNAME?

A. Once a configuration is saved, the CNAME request is triggered automatically on Luna to create a DNS entry for the <customer>.luna-sp.com hostname. When a configuration is activated, the status messages progress from "Pending activation" to "Pending activation (DNS)" to "Active". The "Pending activation (DNS)" status indicates that the CNAME has not been created yet.

Q. What do the various status messages in the Provisioning column imply?

A. Here are the various status messages and their meanings.
• Inactive. The configuration has been saved but is not yet active, or the configuration has been deactivated.
• Active. The configuration has been created on the server.
• Pending activation. The configuration is awaiting activation.
• Pending activation (DNS). The configuration is awaiting DNS record creation.
• Pending deactivation. The configuration has been disabled.
• Failed. An error occurred during activation or during deactivation.
• Failed Verification. An error occurred during certificate verification.

Q. What should be entered in the entity-id field in the configuration menu?

A. The entity ID of a SAML IDP (or SP) exists in the SAML metadata within a tag. For example:
<EntityDescriptor entityID='<entity id>' ... >
It is also contained in the Issuer tag in the SAML response:
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.example.com/adfs/services/trust</Issuer>
If the value in the entity ID field is wrong, you will see a 400 response.

Q. Are there any specifications for the x509c Certificate key?

A. As of now the public key must be in the X.509 format, with a key length of 2048 bits recommended.

Q. Why do I see an option for a second x509c Certificate in the provisioning page?

A. This can be used to enter a second key when the first one is about to expire.

Q. What happens to direct login once SAML has been integrated? Will users be able to continue using their Luna credentials to access Luna Control Center? Is it possible to designate users as SAML only?

A. Users' Luna credentials will work for a direct login. You can choose to require SAML only, and can request Akamai to turn off direct login. Until this change is made, however, users will be able to access Luna both ways.

Q. I am seeing a 400 Bad Request response after getting authenticated by my identity provider. Why?
A. There are several possible reasons for this type of response:
• Your identity provider may be using an RSA SHA 256 signing algorithm. Luna Control Center doesn't currently support this algorithm. Ask your IDP to use an RSA SHA 1 signing algorithm instead.
• Your identity provider may be encrypting the payload or response. Luna doesn't support encryption. Luna expects digitally signed responses.
• The entity ID of a SAML IDP (or SP) exists in the SAML metadata within a tag like this:
  <EntityDescriptor entityID='<entity id>' ... >
  It is also contained in the Issuer tag in the SAML response:
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://sso.example.com/adfs/services/trust</Issuer>
  In extreme cases, the identity provider may be sending a different entity ID for Luna. The correct value is luna-sp.com. Look for an Audience tag in the SAML response. It should have the value luna-sp.com.

Q. I am getting a 403 response after being authenticated by my identity provider. Why?

A. This would happen if the user doesn't have a user profile on Luna Control Center. Check for the email ID in the userid attribute of the SAML response. There should be a user profile with that email ID on Luna.
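As an added example (not code from the guide or from Akamai), the following Python script applies the checks behind the 400 and 403 answers above, and the entity ID answer earlier in this FAQ, to a SAML Response captured from your identity provider during testing: every Issuer equal to the entity ID entered in the Luna configuration, an assertion that is signed rather than encrypted, a signature algorithm matching the one the guide says is accepted, an Audience of luna-sp.com, and a populated userid attribute. The sample response it builds is constructed; the issuer value is the example entity ID shown in this FAQ. The script inspects structure only and does not verify the XML signature cryptographically, so a clean run means the FAQ's listed causes are absent, not that the service provider will accept the response.

```python
"""Pre-flight checks on a SAML Response for the 400/403 causes in the FAQ:
wrong Issuer, encrypted assertion, missing or unsupported signature
algorithm, wrong Audience, missing userid attribute.

Added example, not code from the guide. Structural checks only; the XML
signature is not verified. The sample response is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXPECTED_AUDIENCE = "luna-sp.com"   # SP entity ID, from the guide
REQUIRED_ATTRIBUTE = "userid"       # attribute the SP requires, from the guide
# The guide states the SP accepts RSA-SHA1 signatures and rejects RSA-SHA256.
ACCEPTED_SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EXAMPLE_IDP = "http://sso.example.com/adfs/services/trust"  # entity ID shown in the FAQ


def build_sample_response(issuer=EXAMPLE_IDP, audience=EXPECTED_AUDIENCE,
                          sig_alg=ACCEPTED_SIG_ALG, attr_name=REQUIRED_ATTRIBUTE,
                          userid="alice@example.com", encrypted=False):
    """Constructed SAML Response for testing; the signature value is a placeholder."""
    if encrypted:
        assertion = ('<saml:EncryptedAssertion><xenc:EncryptedData '
                     'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>')
    else:
        assertion = f"""<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>{userid}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
      <saml:AttributeValue>{userid}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>"""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://examplesso.luna-sp.com/sso/endpoint/postResponse">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  {assertion}
</samlp:Response>"""


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def preflight(response_xml, configured_idp_entity_id):
    """Return a list of findings; an empty list means none of the FAQ's causes apply."""
    findings = []
    root = ET.fromstring(response_xml)
    if root.tag != _tag("samlp", "Response"):
        return ["root element is not samlp:Response"]

    # FAQ: the Issuer must equal the entity ID entered in the Luna configuration (400).
    for issuer in root.iter(_tag("saml", "Issuer")):
        value = (issuer.text or "").strip()
        if value != configured_idp_entity_id:
            findings.append(f"Issuer {value!r} differs from configured entity ID {configured_idp_entity_id!r} (400)")
            break

    # FAQ: Luna does not support encrypted responses or assertions (400).
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted; the service provider expects a signed, unencrypted assertion (400)")
        return findings  # nothing inside the assertion can be inspected

    # FAQ: responses must be digitally signed, with the algorithm the SP accepts (400).
    algs = {m.get("Algorithm") for m in root.iter(_tag("ds", "SignatureMethod"))}
    if not algs:
        findings.append("no ds:Signature present; the service provider expects digitally signed responses (400)")
    for alg in algs - {ACCEPTED_SIG_ALG}:
        findings.append(f"signature algorithm {alg} is not the one the guide lists as accepted (400)")

    # FAQ: the Audience must be the SP entity ID luna-sp.com (400).
    audiences = [(a.text or "").strip() for a in root.iter(_tag("saml", "Audience"))]
    if EXPECTED_AUDIENCE not in audiences:
        findings.append(f"Audience {audiences} does not contain {EXPECTED_AUDIENCE!r} (400)")

    # FAQ: without a userid value there is no Luna profile to match the user to (403).
    values = [(v.text or "").strip()
              for attr in root.iter(_tag("saml", "Attribute"))
              if attr.get("Name") == REQUIRED_ATTRIBUTE
              for v in attr.findall("saml:AttributeValue", NS)]
    if not any(values):
        findings.append(f"no {REQUIRED_ATTRIBUTE} attribute value in the assertion; expect a 403 (no profile to match)")
    return findings


if __name__ == "__main__":
    print("clean response:", preflight(build_sample_response(), EXAMPLE_IDP))
    bad = build_sample_response(sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", attr_name="mail")
    for finding in preflight(bad, EXAMPLE_IDP):
        print("finding:", finding)
```

To use it on a real test, base64-decode the SAMLResponse form field your browser posted to the ACS URL and pass the resulting XML to preflight together with the entity ID you entered in the Luna configuration.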

Q. What are the steps that need to be taken to select the SAML only option and to ensure that direct login is turned off?

A. Once you have decided to make the switch from a non-SAML-only to a SAML-only login, you will have to communicate this requirement to your Luna account team, TPM, or SA/SE.