Revision History ... 24
-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. Page |
ActivID Appliance and Zscaler Web Security | SAML 2.0 Channel Integration Handbook
The Zscaler® Web Security solution enables organizations to embrace new cloud applications and social media
technologies, while gaining advanced protection from accidental data loss, malicious attacks, and emerging
threats. Zscaler Web Security enables organizations to securely enable business beyond the corporate network,
including such capabilities as:
• Advanced Threat Protection
• Cloud Application and Social Media Control
• Anti-Virus and Anti-Spyware
• Dynamic URL Filtering
Providing secure "one prompt" access via a web proxy over existing Internet connections requires strong, two-factor authentication to protect and identify users.
The HID® Global Identity Assurance™ ActivID® Appliance works with the Zscaler solution to provide versatile, strong
authentication that is flexible, scalable, and simple to manage.
The ActivID Appliance offers support for multiple authentication methods that are useful for diverse audiences
across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC
soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document explains how to configure ActivID Appliance and Zscaler using Security Assertion Markup
Language (SAML). SAML 2.0 enables Web-based authentication and authorization and can be used by
Zscaler to delegate user authentication to the ActivID Appliance.
Integrating ActivID Appliance capabilities with Zscaler provides multiple choices for user authentication.
This option is simple and allows users to authenticate to the ActivID Appliance IDP portal, which has many
authentication mechanisms working out of the box, including one-time password (OTP), Web soft token
OTP, and Public Key Infrastructure (PKI) methods.
1.2 Prerequisites
• ActivID Appliance 7.2 (or greater) installed and configured.
• Zscaler Web Security.
1. In the Configure User Authentication section of the Zscaler Administrator Console, click View SAML
Single Sign-On Parameters.
2. Enter the following parameters.
• URL of the ActivID Appliance to which users are sent for authentication. For example, change the
following URL to your ActivID Appliance Identity Provider.
• For Attribute containing Login Name, enter NameID.
3. To upload the SSL public Certificate of the ActivID Appliance, click Service Provider’s Public Certificate
(see the following section for steps to export your IDP certificate).
4. Click Done.
2.4 Procedure 4: Import ActivID Appliance IDP certificate
1. Before you can import the 4TRESS_IDP_SIGN.cer file, you must convert it to a .pem file using the Openssl
tool. Run the following:
openssl x509 -outform der -in 4TRESS_IDP_SIGN.cer -out 4TRESS_IDP_SIGN.der
openssl x509 -inform der -in 4TRESS_IDP_SIGN.der -out 4TRESS_IDP_SIGN.pem
2. After you convert the file, you can import the 4TRESS_IDP_SIGN.pem file by clicking Upload SSL
Public Certificate in the Identity Provider (IDP) Options section of the Zscaler Administrator Console, as
illustrated next:
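The two openssl commands above round-trip the exported signing certificate through DER to obtain a clean PEM file; the first command treats its input as PEM unless -inform der is given (newer OpenSSL releases may auto-detect), so it helps to know which encoding the exported .cer actually carries before running them. The following Python is an added example, not part of the handbook and not HID or Zscaler code: it detects PEM versus DER, normalizes to PEM the same way the commands do, checks that the DER is not truncated, and prints the SHA-256 fingerprint to compare against what the console shows after the upload. SAMPLE_DER is a constructed ASN.1 placeholder (SEQUENCE containing INTEGER 5), not a real certificate; with a real export, read the 4TRESS_IDP_SIGN.cer bytes from disk and pass them to the same functions.

```python
import base64
import hashlib
import re

# Matches the first PEM certificate block; the body is base64 with arbitrary line breaks.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed placeholder DER: ASN.1 SEQUENCE { INTEGER 5 }. It is NOT a certificate;
# it only stands in for the exported 4TRESS_IDP_SIGN.cer bytes so the block runs offline.
SAMPLE_DER = bytes.fromhex("3003020105")


def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes: 'pem' (text with BEGIN/END armor), 'der' (binary
    starting with the ASN.1 SEQUENCE tag 0x30), or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def to_der(data: bytes) -> bytes:
    """Return the raw DER bytes regardless of which encoding the file used."""
    encoding = detect_encoding(data)
    if encoding == "der":
        return data
    if encoding == "pem":
        body = PEM_BLOCK.search(data).group(1)
        return base64.b64decode(b"".join(body.split()))
    raise ValueError("input is neither a PEM nor a DER certificate")


def to_pem(data: bytes) -> bytes:
    """Produce a PEM file (64-character base64 lines) from PEM or DER input."""
    b64 = base64.b64encode(to_der(data)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")


def der_is_complete(der: bytes) -> bool:
    """Check that the outer SEQUENCE length field accounts for every byte, which
    catches a truncated or padded copy before it is uploaded."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER form, the value to compare with
    what the console displays after the upload."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem), der_is_complete(SAMPLE_DER))
    print(pem.decode())
    print(sha256_fingerprint(SAMPLE_DER))
```

The fingerprint is computed over the DER bytes, so it is identical whether you hash the .cer, the .der or the .pem form; a mismatch between the file you hold and the fingerprint the console reports means the wrong certificate (or a damaged copy) was uploaded.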
Note: The ActivID Appliance IDP only returns the configured attribute values within the assertion if it is
2.6 Procedure 6: Modify Zscaler Metadata
Zscaler must receive attribute values within the response to an authentication request before it can authorize
access via the Internet. You can configure these attributes for the ActivID Appliance.
The Zscaler SAML authentication request contains a reference to the index. That is why it is
necessary to add this attribute (isDefault="true") to the Zscaler metadata.
The following snippets are examples for the attributes mail, group, and name:
3.0 ActivID Appliance Configuration
This chapter describes how to configure the ActivID Appliance.
Important: You will use the ActivID Appliance Management Console and the ActivID Appliance
Configurer to perform these procedures. This chapter only provides a summary of steps. For complete
details, please have the following technical documents on hand for easy reference:
• ActivID Appliance IDP Solution Guide
• ActivID Appliance Administrator Guide: Management Console
2. Under the SAML Assertion Configuration section, deselect the option, Enable OneTimeUse condition.
3. Click File import and then type the federation metadata file path of the Zscaler metadata (the zscaler-metadata-base.xml file).
4. Click Add to add the values that will be available to be returned in the SAML assertion (the values you edited
during Procedure 6: Modify Zscaler Metadata on page 10). The following dialog is displayed.
5. From the Select an assertion attribute drop-down list, select an option.
6. To map the attribute to specific values, from the Select the value type drop-down list, select either Static
value, User attribute, or a Predefined attribute, and then click OK.
You will see the following message when you are finished.
You can check the list of values to be returned in SAML assertion. The following illustration is based on the values
listed in section 2.6 which covers how to modify Zscaler metadata.
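Section 2.6 says the Zscaler metadata must mark its attribute service with isDefault="true" because the authentication request refers to it by index, and the steps above map the values the ActivID Appliance returns in the assertion. The following Python is an added example, not part of the handbook and not HID or Zscaler code: it reads the requested attributes from the default AttributeConsumingService of an SP metadata file and compares them with the AttributeStatement of an assertion, reporting any requested attribute the IdP did not return. Both XML documents are constructed samples (example.invalid hosts, a "jdoe" subject), not the real zscaler-metadata-base.xml or an ActivID response; the element and attribute names follow the SAML 2.0 metadata and assertion schemas.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata (not the Zscaler file). The AttributeConsumingService is
# marked isDefault="true" and lists the attributes mail, group and name.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="mail" isRequired="true"/>
      <md:RequestedAttribute Name="group" isRequired="true"/>
      <md:RequestedAttribute Name="name"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Same metadata with the isDefault flag left off, the omission section 2.6 warns about.
SP_METADATA_NO_DEFAULT = SP_METADATA.replace(
    '<md:AttributeConsumingService index="0" isDefault="true">',
    '<md:AttributeConsumingService index="0">',
)

# Constructed IdP assertion: the mapping returned "mail" and "group" but not "name".
IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def default_requested_attributes(metadata_xml):
    """Return (index, {attribute name: isRequired}) for the one AttributeConsumingService
    marked isDefault="true", or None if no single service is marked default. The
    AuthnRequest refers to the service by index, so the IdP needs one default to pick."""
    root = ET.fromstring(metadata_xml)
    services = root.findall(".//md:AttributeConsumingService", NS)
    defaults = [s for s in services if s.get("isDefault", "false").lower() == "true"]
    if len(defaults) != 1:
        return None
    service = defaults[0]
    requested = {
        ra.get("Name"): ra.get("isRequired", "false").lower() == "true"
        for ra in service.findall("md:RequestedAttribute", NS)
    }
    return int(service.get("index")), requested


def assertion_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        result[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return result


def missing_attributes(metadata_xml, assertion_xml, required_only=False):
    """Names the SP asked for in its default service that the assertion did not carry.
    With required_only=True, optional attributes are ignored."""
    found = default_requested_attributes(metadata_xml)
    if found is None:
        raise ValueError('metadata has no AttributeConsumingService with isDefault="true"')
    _, requested = found
    present = assertion_attributes(assertion_xml)
    return sorted(
        name for name, required in requested.items()
        if name not in present and (required or not required_only)
    )


if __name__ == "__main__":
    print(default_requested_attributes(SP_METADATA))
    print(assertion_attributes(IDP_ASSERTION))
    print("missing:", missing_attributes(SP_METADATA, IDP_ASSERTION))
```

Run against a real metadata file and a decoded SAMLResponse (the example does not verify the XML signature; do that before trusting any assertion content), the missing list tells you which assertion attribute mappings from step 4 above still need to be added, and a None from default_requested_attributes means the isDefault="true" edit from section 2.6 was not applied.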
5. In the Available Channels box, select and move Zscaler SAML to the Selected Channels box, and then
click Update.
6. When returned to the Authentication Policies page, select the AT_EMPEPWD policy, and then click Edit.
7. In the Available Channels box, select and move Zscaler SAML to the Selected Channels box, and then
click Update.
8. Return to the Management Console and edit the previously saved channel. You can view the permitted
(allowed) Authentication Policies by expanding the Allowed authentication Policies section, as illustrated
next.
2. In the pane to the left under Policies, expand SAML, and then click ActivID Identity Provider.
3. Deselect the option, Require signed authenticate requests.
The next step is to add the corresponding authentication policies and GUI template ID. Continue with section 3.5
Procedure 5: Adding a New Authentication Policies Mapping on page 18.
If the authentication is accepted, then the user is redirected to a default browser Web page and can browse the
Internet – according to the security policy imposed by Zscaler.
HID, the HID logo, ActivID, 4TRESS and/or other HID Global products or marks referenced herein are registered
trademarks or trademarks of HID Global Corporation in the United States and/or other countries.
The absence of a mark, product, service name or logo from this list does not constitute a waiver of the HID Global
trademark or other intellectual property rights concerning that name or logo. The names of actual companies,
trademarks, trade names, service marks, images and/or products mentioned herein are the trademarks of their
respective owners. An y rights not express l y granted h er ein are reserved.
Revision His tory
Date Author Description
Version
hidglobal.com
Americas: +1 510.574.0100
US Federal: +1 571.522.1000
Europe: +33 (0) 1.42.04.84.00
Asia Pacific: +61 (0) 3.9809.2892
Web: http://www.hidglobal.com/identity-assurance
Corporate Headquarters
15370 Barranca Parkway
Irvine, CA 92618
www.hidglobal.com
+1 949.732.2000