Configure Secure Proxy to Use External Logon Portal

About this task

You can configure Secure Proxy to use an external logon portal. Secure Proxy can accept SAML 2.0 tokens from an external identity provider (IdP) and authenticate users based on those tokens.

Before you configure an external logon portal, gather the following information:

  • Provide a value for each Secure Proxy feature listed. Fields listed in the worksheet are required.
  • Accept default values for fields not listed.
  • Note the Configuration Manager field where you will specify the value.

| Configuration Manager Field | Feature | Value |
|---|---|---|
| SSO Token Cookie Name | Name to assign to the Secure Proxy configuration. | |
| External Portal | Enables use of an external logon portal. | |
| External Application Login URL | URL of the external login portal. | |
| SAML 2.0 | Select this check box to enable SAML 2.0 (SSO) support on an external portal. For more information on related field definitions, see the Logon Portal tab. | |
| Service Provider ID | ID that represents the Secure Proxy Service Provider (SP), for example https://<host>:<port>/myfilegateway. | |
| Assertion Consumer Service Index | Index of the Service Provider (SP) known to the Identity Provider (IdP). For more information on related field definitions, see the Logon Portal tab. | |
| External Portal Logout URL | URL of the page to which the trading partner is redirected after logging out. For more information on related field definitions, see the Logon Portal tab. | |
| Authn Response POST path (Relative to Login Directory Name) | Endpoint path to which the authentication response is sent. If you specify saml2SsoPost here, SSP expects the IdP to HTTP POST the AuthnResponse to the URL Signon/saml2SsoPost after a successful authentication. The same URL must be configured in the IdP. For more information on related field definitions, see the Logon Portal tab. | |
| Identity Provider Id | ID that represents the IdP. | |
| KeyStore | From the drop-down list, select the keystore that contains the key certificate Secure Proxy uses to sign requests sent to the IdP. To see the available keystores, go to CM GUI Credentials > System Certificate Stores. | |
| Signing Key Certificate | From the drop-down list, select the key certificate used to sign requests that Secure Proxy sends to the IdP. | |
| Trust Store | From the drop-down list, select the trusted certificate store that contains the certificates used to validate signed messages from the IdP. To see the available trust stores, go to CM GUI Credentials > Trusted Certificate Store. | |
| IdP Trusted Certificates | From the drop-down list, select the trusted certificates used to validate signed messages from the IdP. | |

To configure Secure Proxy to use the external logon portal:

Procedure

  1. Click Advanced from the menu bar.
  2. To create a new SSO configuration:
    1. Click Actions > New SSO Configuration.
    2. Type an SSO configuration name in the Name field.
  3. To edit an existing SSO configuration:
    1. From the navigation menu, click SSO Configurations.
    2. Click the configuration to modify.
  4. On the Logon Portal tab, select External Portal.
  5. Type the URL of the external login portal in the External Application Login URL field.

    You can customize the web pages used during SAML External IdP authentication and define how you want the page to look and what information to include on the page. Web pages used by Secure Proxy are available under <SP Engine Install dir>/Signon/extportal/director.

  6. Select the SAML 2.0 check box to enable SAML 2.0-based authentication and enter values for the following:
    1. Service Provider ID
    2. Assertion Consumer Service Index
    3. External Portal Logout URL
    4. AuthnResponse POST Path
    5. Identity Provider Id
    6. KeyStore
    7. Signing Key Certificate
    8. Trust Store
    9. IdP Trusted Certificates
      Note: For more information on related field definitions, see the Logon Portal tab.
  7. Define the following properties related to External Portal logon during a single sign-on session:
    1. redirect.to.idp.logout
    2. userid.attribute.name.in.authnresponse
    3. userid.from.attribute.name.in.authnresponse
      Note: For more information on related field definitions, see SSO Configuration - Properties.
  8. Click Save.
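As an added illustration, and not Secure Proxy's own code, the following Python sketches the checks a SAML 2.0 Service Provider applies to the AuthnResponse that the IdP HTTP-POSTs to the Authn Response POST path (Signon/saml2SsoPost), and how the user ID is taken either from a named assertion attribute (the role of the userid.attribute.name.in.authnresponse property in step 7) or from the NameID. The host names, SP ID, IdP ID, attribute name and the unsigned sample response are constructed for the example; verifying the IdP's XML signature against the Trust Store / IdP Trusted Certificates is assumed to happen before these checks and is not implemented here.

```python
"""Illustrative SP-side checks on a SAML 2.0 AuthnResponse (HTTP-POST binding).

Added example, not Secure Proxy code. All endpoint values below are constructed
stand-ins for the worksheet fields. Signature verification is out of scope here
and must run before these checks in a real SP.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SP_ID = "https://ssp.example.test:8443/myfilegateway"           # Service Provider ID (assumed)
ACS_URL = "https://ssp.example.test:8443/Signon/saml2SsoPost"   # Authn Response POST path (assumed)
IDP_ID = "https://idp.example.test/saml2"                       # Identity Provider Id (assumed)
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # clock for the constructed sample


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601 ending in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_user_id(response_b64, userid_attribute_name=None, now=None, expected_in_response_to=None):
    """Return (user_id, errors); user_id is None when any check fails.

    userid_attribute_name plays the role of userid.attribute.name.in.authnresponse:
    when set, the user id is read from that <saml:Attribute>, otherwise from <saml:NameID>.
    """
    errors = []
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(response_b64))
    except (ValueError, ET.ParseError) as exc:
        return None, [f"undecodable SAMLResponse: {exc}"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return None, ["root element is not samlp:Response"]
    # Destination must be this SP's ACS endpoint; a response meant for another SP is refused.
    if root.get("Destination") != ACS_URL:
        errors.append("Destination does not match the ACS URL")
    # Only a Success status carries an authentication.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        errors.append("status is not Success")
    # Issuer must be the configured IdP.
    if root.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ID:
        errors.append("Issuer is not the configured Identity Provider Id")
    # InResponseTo ties the response to an AuthnRequest this SP actually sent.
    if expected_in_response_to is not None and root.get("InResponseTo") != expected_in_response_to:
        errors.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, errors + ["no Assertion"]
    # Conditions: validity window and audience (the Service Provider ID).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_time(nb):
            errors.append("assertion not yet valid")
        if noa and now >= _parse_time(noa):
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ID not in audiences:
            errors.append("Audience does not include the Service Provider ID")
    # Locate the user id: named attribute if configured, else the subject NameID.
    if userid_attribute_name:
        user_id = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == userid_attribute_name:
                user_id = attr.findtext("saml:AttributeValue", namespaces=NS)
                break
        if not user_id:
            errors.append(f"attribute {userid_attribute_name!r} missing from AuthnResponse")
    else:
        user_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not user_id:
            errors.append("NameID missing")
    return (user_id if not errors else None), errors


# Constructed, unsigned sample response; real ones carry an XML signature from the IdP.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req42" Destination="{acs}">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject><saml:NameID>partner01@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{sp}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>tp-user-01</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(destination=ACS_URL):
    """Encode the constructed response the way the SAMLResponse form field carries it."""
    xml = SAMPLE_RESPONSE_XML.format(acs=destination, idp=IDP_ID, sp=SP_ID)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(extract_user_id(sample_response(), "uid", now=FIXED_NOW, expected_in_response_to="_req42"))
    print(extract_user_id(sample_response(destination="https://other.example.test/acs"), "uid", now=FIXED_NOW))
```

The Destination, Audience and InResponseTo checks are what make the POST path and Service Provider ID worth configuring identically on both sides: a response that names another SP's endpoint or audience is rejected even when its signature is valid.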