Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Set Up Single Sign-on with SAML 2.0 Identity Provider

Single sign-on (SSO) is an authentication method that allows you to securely log in to multiple applications and websites with a single set of login credentials.

Security Assertion Markup Language (SAML) is a framework for authentication and authorization between a service provider (SP) and an identity provider (IdP). Here, authentication is exchanged using digitally signed XML documents. The service provider agrees to trust the IdP to authenticate users. In return, the IdP generates an authentication assertion indicating that a user is authenticated.

Benefits

  • With SAML authentication, you can easily integrate Juniper ATP Cloud with your corporate identity provider (IdP) to provide single sign-on. If you are authenticated to your IdP, you are automatically authenticated to Juniper ATP Cloud. You need not remember separate passwords or type in credentials every time you access the Juniper ATP Cloud portal.

  • We support SAML protocol only for service provider-initiated SSO. Juniper ATP Cloud is compatible with SAML 2.0 web SSO profile as a service provider.

Step1: Configure SSO Settings in IdP

Example: Configure SSO with Okta as IdP

This section provides step-by-step instructions to configure SSO with Okta as Identity Provider (IdP):

Note:
  • The information provided in this section is based on the current SSO with SAML implementation by Okta and is subject to change. For more detailed information, see Okta Documentation.

  • You must already have an account with Okta.
  • You must log in as administrator to perform the following operations.
  1. Log in to Okta portal.
  2. Navigate to Applications and click Applications > Create App Integration.
  3. In the Sign in method section, select SAML 2.0 and click Next.
  4. Enter the General settings for your application, such application name, application logo, and application visibility. Click Next.
  5. Configure the SAML Setting. For guidelines, see Table 1.
  6. Click Next.
  7. Choose whether you are a customer or a partner. Click Finish.

    Your application is now added to Okta. Click the Sign on tab. The Okta IdP metadata file is available for download. You can use this metadata file to dynamically import Okta IdP SSO settings to Juniper ATP Cloud.

  8. Navigate to Directory > Groups > Add Group and add groups. Create separate groups for each roles. For example, role_administrator, role_operator, role_observer.

    The group names are important. Note down the group names as it will be used for user role mapping in Juniper ATP Cloud Portal. See Table 4

    .
  9. Click on a group name and add users and applications to the group.
  10. Click Manage People and select the users from the list. The user is now added from Not Members list to the Members list.
  11. Click Save. The user is now assigned to the group.
Table 1: SSO SAML Settings for Okta

Field

Description

General Settings

Single sign on URL

The location where the SAML assertion is sent with a HTTP POST. This is often referred to as the SAML Assertion Consumer Service (ACS) URL for your application.

Example: https://canada.sky.junipersecurity.net/portal/sso/acs

Audience URI (SP Entity ID)

The application-defined unique identifier that is the intended audience of the SAML assertion. This is Juniper ATP Cloud's SP Entity ID (a globally unique identifier).

Example: https://canada.sky.junipersecurity.net

Default Relay State

(Optional) Identifies a specific application resource in an IdP-initiated Single Sign-On scenario. In most instances this is blank.

Juniper ATP Cloud does not support IdP-initiated SSO. We recommend you leave this field blank.

Name ID format

Identifies the SAML processing rules and constraints for the assertion's subject statement. Select the name ID format from the list. Use the default value of 'Unspecified' unless the application explicitly requires a specific format.

This field is not used in the Juniper ATP Cloud Web portal, hence retain the default value.

Application username

Determines the default value for a user's application username. The application username is used for the assertion's subject statement. Select the application username from the list.

This field is not used in the Juniper ATP Cloud, hence retain the default value.

Advanced Settings

Response

Determines whether the SAML authentication response message is digitally signed by IDP or not. A digital signature is required to ensure absolute privacy of the information exchanged by your IdP.

You must set this field to Signed.

Assertion Signature

Determines whether the SAML assertion is digitally signed or not. A digital signature is required to ensure that only your IDP generated the assertion.

You must set this field to Signed.

Signature Algorithm

Determines the signing algorithm used to digitally sign the SAML assertion and response.

Okta provides RSA-SHA256 and RSA-SHA1 signature algorithm. You can set any of the algorithm.

Note:

RSA-SHA1 will be deprecated soon, hence we recommend that you set algoritm RSA-SHA256.

Digest Algorithm

Determines the digest algorithm used to digitally sign the SAML assertion and response.

Okta provides SHA256 and SHA1 digest algorithm. You can set any of the algorithm.

Assertion Encryption

Determines whether the SAML assertion is encrypted or not. Encryption ensures that nobody but the sender and receiver can understand the assertion.

You must set this field to encrypted only if you plan to enable Encrypt SAML response on the Juniper ATP Cloud ATP SSO settings.

Enable Single Logout

Enable SAML Single Logout.

This field is not used in the Juniper ATP Cloud, hence retain the default value.

Assertion Inline Hook

This field is disabled.

This field is not used in the Juniper ATP Cloud, hence retain the default value.

Authentication context class

Identifies the SAML authentication context class for the assertion's authentication statement

This field is not used in the Juniper ATP Cloud, hence retain the default value.

Honor Force Authentication

Prompt user to re-authenticate, if requested by SP.

This field is not used in the Juniper ATP Cloud, hence retain the default value.

SAML Issuer ID

SAML IdP Issuer ID.

This field is not used in the Juniper ATP Cloud, hence retain the default value.

Attribute Statements

When you create a new SAML integration, or modify an existing one, you can define custom attribute statements. These statements are inserted into the SAML assertions shared with Juniper ATP Cloud.

  1. Name — the reference name of the attribute. The maximum length is 512 characters. The Name attribute must be unique across all user and group attribute statements. It is where you specify the mapping for Juniper ATP Cloud. Example,
    • firstname (optional)
    • lastname (optional)
    • username (mandatory)
    Note:

    The username attribute is mandatory for Juniper ATP Cloud. It is used for logging in to Juniper ATP Cloud portal.

  2. Name Format — the format of the name attribute. The supported formats are:
    1. Unspecified —can be any format defined by the Okta profile and must be interpreted by your application.
    2. URI Reference —the name is provided as a Uniform Resource Identifier string.
    3. Basic —a simple string; the default if no other format is specified.
  3. Value — the value for the attribute defined by the Name element. Admins can create custom expressions (using Okta Expression Language) to reference values in the Okta user profile. The maximum length for this field is 1024 characters.

Sample attribute statement is provided in Table 2.

Group Attribute Statements (optional)

If your Okta org uses groups to categorize users, you can add group attribute statements to the SAML assertion shared with your application.

User's groups is mapped to the attribute statement in the SAML Response. The group attribute helps in identifying which user belongs to which group.

  1. Enter the name of the group attribute in your SAML app. example: role
  2. Select a Name Format.
  3. Choose a Filtering option for your expression: Starts with, Equals, Contains, or Matches regex
  4. Type in the expression that will be used to match against the Okta GroupName values and added to the SAML assertion.

You can create group attribute for role_administrtor, role_observer, and role_operator and add users to the group.

Sample group attribute statement is provided in Table 3.

Preview the SAML assertion

Click to view the XML file that will be used in the assertion.

Table 2: Sample Attribute Statements for Okta
Name Name Format Value
firstname Unspecified user.firstName
lastname Unspecified user.lastName
email Unspecified user.email
Note:

The firstname and lastname attributes are optional. In Juniper ATP Cloud SSO SAML Provider Settings, you must set a mandatory field named Username Attribute, Whatever attribute value you have planned to set in Juniper ATP Cloud, you must set the same attribute value in Okta IdP, else SSO will fail.

For example, if you plan to set the Username Attribute value in the Juniper ATP Cloud SSO SAML Provider Settings to user.email, then you must set the same attribute in Okta IdP with the attribute value as user.email.

Table 3: Sample Group Attribute Statements for Okta

Name

Name Format

Filter

 

role

Unspecified

contains

role

Table 4: Sample Role Mapping in Okta
Role Mapping in Okta Role Mapping in Juniper ATP Cloud Portal

role_administrator

Set Administrator field to role_administrator when you configure SSO settings in Juniper ATP Cloud Portal.

role_operator

Set Operator field to role_operator when you configure SSO settings in Juniper ATP Cloud Portal.

role_observer

Set Observer field to role_observer when you configure SSO settings in Juniper ATP Cloud Portal.

Example: Configure SSO with Microsoft Azure as IdP

This section provides step-by-step instructions to configure SSO with Microsoft Azure as Identity Provider (IdP):

Note:
  • The information provided in this section is based on the current SSO with SAML implementation by Microsoft Azure and is subject to change. For more detailed information, see Microsoft Azure Documentation.

  • You must already have an account with Microsoft Azure.
  • You must log in as an administrator to perform the following operations.
  1. Log in to Azure portal.
  2. Click Azure Active Directory > Enterprise Applications.
  3. Click + New application > +Create your own application.
  4. Enter the application name and click Create.

    The new application is listed in the All applications page.

  5. Click on the application name.
  6. Click Assign users and groups > Add user/group.

    The Add assignment page appears.

  7. Click None selected. Choose the users and groups from the Users and groups list and click Select.
    Note:

    When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.

  8. Click Assign. For sample users and groups, see Table 5
  9. Navigate to Manage > Single Sign-on > SAML. Configure the settings as per the guidelines provided in Table 6.
  10. Click Test to check if SSO is working.
    Note:

    You must add users to Users and groups before you can sign in.

  11. Navigate to Security > Token encryption > Import Certificate and upload the encryption certificate. IdP administrator must generate and upload the certificate to enable token encryption
Table 5: Sample Users and Group Settings for Microsoft Azure
Display Name Object Type Role Assigned

role_administrator

Group

User

role_observer

Group

User

role_operator

Group

User

Table 6: SSO Settings for Microsoft Azure

Field

Description

Basic SAML Configuration

Identifier (Entity ID)

(Mandatory) The default identifier will be the audience of the SAML response for IDP-initiated SSO. This value must be unique across all applications in your Azure Active Directory tenant

Example: https://amer.sky.junipersecurity.net

Reply URL (Assertion Consumer Service URL)

(Mandatory) The default reply URL will be the destination in the SAML response for IDP-initiated SSO. The reply URL is where the application expects to receive the authentication token. This is also referred to as the “Assertion Consumer Service” (ACS) in SAML.

Example: https://amer.sky.junipersecurity.net/portal/sso/acs

Sign on URL

(Optional) This URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on. Leave it blank if you want to perform identity provider initiated SSO.

Relay State

(Optional) The relay state instructs the application where to redirect users after authentication is complete, and the value is typically a URL or URL path that takes users to a specific location within the application. The value in this form only takes effect in an IdP-initiated SSO flow.

Juniper ATP Cloud does not support IdP-initiated SSO. We recommend you leave this field blank.

User Attributes & Claims

Parameters that define which access control groups to associate with ATP. The access control groups are mapped to Juniper ATP roles.

Unique User Identifier

(Optional) Provide the Name ID.

Example: user.userprincipalname [nameid-format:emailAddress]

+Add new claim

Define the claims used by Azure AD to populate SAML tokens issued to Juniper ATP Cloud.

To add a new claim:

  1. Click + Add new claim.

    The Manage claim page appears.

  2. Enter the claim name and namespace.
  3. Select the source.
  4. Select the source attribute from the drop-down list.
  5. (Optional) Specify the claim condition.
  6. Click Save.

See Table 7.

Note:

The givenname and surname attributes are optional. In Juniper ATP Cloud SSO SAML Provider Settings, you must set a mandatory field named Username Attribute. Whatever attribute value you have planned to set in Juniper ATP Cloud, you must set the same attribute value in Azure IdP, else SSO will fail.

For example, if you plan to set the Username Attribute value in the Juniper ATP Cloud SSO SAML Provider Settings to emailaddress, then you must set the same attribute name in Azure IdP with the attribute value as user.mail.

+ Add a group claim

Define the group claims used by Azure AD to populate SAML tokens issued to Juniper ATP Cloud.

To add a new group claim:

  1. Click + Add a group claim.

    The Group Claims page appears.

  2. For groups associated with users, choose All groups.
  3. Select the source attribute.
    • If the source attribute is sAMAccountName, then you must specify the role name as the attribute for role mapping in Juniper ATP Cloud portal. For example, role: role_administrator
    • If the source attribute is Group ID, then you must specify the reference ID as the attribute for role mapping in Juniper ATP Cloud portal. For example, role: abcdef
    Note:
    • The source attribute only works for groups synchronized from an on-premises Active Directory using AAD Connect Sync 1.2.70.0 or above.
    • If you do not have the Azure Active Directory to pull the users and groups, then choose Group ID as the source attribute in the Azure IdP and provide the respective group ID in Juniper ATP Cloud SSO setting group attributes.
  4. Select the Customize the name of the group checkbox.
  5. Specify the name and namespace. For example, if the group name is role, then in the SAML response to Juniper ATP Cloud, the group name "role" will be the key and the value of the key will be the role name, where the users are added.
  6. Click Save.

    Group claim role is created with value as user.groups.

SAML Signing Certificate

Status

Displays the status of the SAML certificate used by Azure AD to sign SAML tokens issued to your application.

Thumbprint

Displays the thumbprint of the SAML certificate.

Expiration

Displays the expiration date of the SAML certificate.

Notification Email

Displays the notification e-mail address.

App Federation Metadata Url

Displays the Azure IdP metadata URL for SAML.

Example: https://login.microsoftonline.com/ff08d407-69c4-4850-9af0-29034d31ab36/federationmetadata/2007-06/federationmetadata.xml?appid=6915f8ab-640a-4e1c-bb67-5e81a14f7898

Certificate (Base64)

(Optional) Click to download the Base64 certificate.

Certificate (Raw)

(Optional) Click to download the Raw certificate.

Federation Metadata XML

(Optional) Click to download the federation metadata document.

Signature Algoritham

Determines the signing algorithm used to digitally sign the SAML assertion and response.

Azure provides RSA-SHA256 and RSA-SHA1 signature algorithm. You can set any of the algorithm.

Note:

RSA-SHA1 will be deprecated soon, hence we recommend that you set algoritm RSA-SHA256.

Set up Application (Juniper ATP Cloud)

Login URL

Displays the login URL for Microsoft Azure. You will be redirected to login URL for authentication.

Example: https://login.microsoftonline.com/ff08d407-69c4-4850-9af0-29034d31ab36/saml2

Azure AD Identifier

Displays the intended audience of the SAML assertion. It is the Entity ID (a globally unique identifier) of Azure IdP.

Example: https://sts.windows.net/ff08d407-69c4-4850-9af0-29034d31ab36/

Logout URL

Displays the logout URL for Microsoft Azure.

This field is not yet supported in Juniper ATP Cloud.

Table 7: Add New Claim for Azure AD
Attribute Name Source Attribute Value Description
givenname user.givenname The givenname attribute will be used to map last name of the user in ATP Cloud.
surname user.surname The surname attribute will be used to map last name of the user in ATP Cloud.
emailaddress user.mail  
    The emailaddress attribute will be used to map email address of the user in ATP Cloud.

Step 2: Configure SSO Settings in Juniper ATP Cloud Web Portal

See Configure SSO Settings.

Step 3: Activate SSO Configuration

To activate SSO configuration, log in to Juniper ATP Cloud portal, navigate to Administration > Single Sign-on Setting and click Activate.

Step 4: Test SSO Configuration

  • SSO initiated by Service Provider (Juniper ATP Cloud)—Log in to Juniper ATP Cloud Web portal with SSO. If you log into the Juniper ATP Cloud Web Portal before authenticating with IdP SSO, then based on the ATP Cloud realm, you will be redirected to the IdP portal for authentication. After authentication with IdP you are logged in to Juniper ATP Cloud Web portal.

  • Identity Provider—When you log in to the IdP SSO account, it provides a list of applications that are integrated with IdP and you can access any of the applications. For example, if you click on the Juniper ATP Cloud application, you are directed to Juniper ATP Cloud Web portal.

Troubleshoot SSO Configuration

Use the following information to troubleshoot errors and issues when using SAML 2.0 with Juniper ATP Cloud.

  • Realm
    • The SSO setting is configured per realm. Both local and SAML users can co-exist in a realm. By default, the realm creator (administrator) is the local user.

    • If SSO fails due to incorrect configuration and SSO user is unable to login, then contact the realm creator (administrator), who has local login access to the realm. Administrator can login with theATP Cloud customer portal URL and fix the SSO configuration for the realm.

  • Role mapping
    • Juniper ATP Cloud has the 'admin', 'operator', 'observer' roles set as part of the user profiles creation use case.

    • To authenticate ATP users with IdP, you need to have at least one group in IdP that defines ATP users, which will eventually be mapped to ATP roles.

    • Users can create an IdP group for each ATP role type: 'admin', 'operator', 'observer' and map the roles appropriately during IdP configuration.

    • If the user group doesn’t match with the mapping on IdP, an error message is displayed to the user.

  • Multifactor authentication
    • If IdP provides its own step-up authentication capability, SSO user will be redirected to the SSO site for the step-up authentication. Multifactor Authentication on Juniper ATP Cloud is disabled if single-sign-on is enabled.

    • Local users on the same realm can continue to use ATP’s multifactor authentication.

  • Password
    • SSO users who have forgotten the password must log in to the IdP site to reset the password. When a user tries to SSO by providing the realm name, ATP Cloud portal will redirect the user to IdP site for the authentication. If user authentication fails in the IdP site. then the user must reset the password from the IdP site.

    • The Forgot password option in Juniper ATP Cloud portal is for the realms that are not configured with SSO.