
About the End User Authentication Page

To access this page, select Secure Edge > Identity > User Authentication.

Configure authentication profiles to authenticate end users.

Tasks You Can Perform

You can perform the following tasks from this page:

Create a SAML Profile

To create a SAML profile:

  1. Select Secure Edge > Identity > User Authentication.

     The End User Authentication page appears with the SAML Profile tab.

  2. Complete the configuration according to the guidelines in Table 1.

     Note: Fields marked with an asterisk (*) are mandatory.

     Figure 1: SAML Profile
     Figure 2: IdP Attributes
     Figure 3: IdP Metadata URL

  3. Click OK.
Table 1: Fields on the SAML profile tab (Field, Description)

Section: SAML Profile

SAML Profile
    Enable or disable SAML authentication.

ACS URLs
    View the Assertion Consumer Service (ACS) URLs. The ACS URL tells your IdP where to send its SAML response after authenticating a user.

Directory Synchronization
    Enable this to use the user groups from your IdP directories in Secure Edge policy. Supported IdPs are Okta and Entra ID (Azure AD).

Section: Identity Provider (IdP) Configuration

Identity Provider
    Select an IdP. The IdPs available for directory synchronization are Okta and Entra ID (Azure AD).

Section: Okta Configurations

Security API Token
    Enter the Okta API token created from the API > Token > Create token menu in the Okta admin console for Juniper Secure Edge. The API token is valid for 30 days.
    If the SAML profile or directory synchronization is inactive or disabled for more than 30 days, the token is revoked and cannot be used again. To reconfigure, create a new token.

Tenant Domain
    Enter the domain configured in Okta. To locate the Okta domain, click your username in the top-right corner of the Okta admin console; the domain appears in the drop-down menu.

Validate
    Click Validate to test the validity of the configuration.

Section: Entra ID Configurations

Application ID
    Enter the Application (client) ID assigned to you after completing App registrations in the Microsoft Entra admin center for Juniper Secure Edge.

Directory (tenant) ID
    Enter the Directory (tenant) ID assigned to you after completing App registrations in the Microsoft Entra admin center for Juniper Secure Edge.

Client Secret
    Enter the client secret generated from the Certificates & secrets > Client secrets menu in the Microsoft Entra admin center for Juniper Secure Edge. Microsoft Entra generates the client secret with an expiry date, so update the client secret before it expires.

Validate
    Click Validate to test the validity of the configuration.

IdP Settings
    • Select Import Settings to import the IdP metadata in one go. The metadata file must be in XML format.
    • To configure the IdP settings manually, select Enter settings manually.
    • To copy the settings from a URL, select Enter metadata URL.

Metadata URL
    Enter the IdP metadata URL. The Service Provider (SP) uses the metadata URL to validate that the SAML assertions are issued by the correct IdP.

Section: Service Provider (SP)

Entity ID
    Displays the unique identifier for the SAML profile.

Username attribute
    Enter the SAML attribute that carries the username.
    The username attribute is mandatory and must be in e-mail address format. It is mapped to the user data that the IdP provides in the SAML assertion response.

Sign auth requests
    Enable the toggle button to sign the SAML authentication requests that Juniper Secure Edge sends to the IdP. If you enable signing of authentication requests, you must provide both the private key and the public key certificate.

Private key
    Enter the private key that you generated locally. Juniper Secure Edge uses the private key to sign SAML authentication requests. The private key is not shared with the IdP.

Public key
    Enter the public key certificate that you generated locally. You must upload the same public key certificate in the IdP portal; the IdP uses it to validate the SAML authentication requests sent by Juniper Secure Edge.

Group attribute
    Enter the attribute that carries the groups the end user belongs to. Its values are filtered and sent to the IdP.

First name attribute
    Enter the first name attribute of the SAML user. The first name attribute is used to create the user profile.

Last name attribute
    Enter the last name attribute of the SAML user. The last name attribute is used to create the user profile.

Note:
  • For SAML, the number of retries and the locking period are configured on the SAML server.

  • By default, directory synchronization runs at regular intervals.
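The SP side of the profile above comes down to two operations: reading the IdP's metadata (entityID, single sign-on URL, signing certificate) and mapping the attributes in an assertion to the configured username, first name, last name and group attribute names, rejecting a username that is not an e-mail address. The following is an added example and not Juniper's code; the metadata and assertion documents are constructed samples, the attribute names in SP_CONFIG are assumptions, and the XML signature check that a real SP performs against the signing certificate (for example with xmlsec) is deliberately left out so the block runs with the standard library only.

```python
"""Added example (not Juniper's code): parse IdP metadata and map a SAML
assertion's attributes to the SP-side attribute names configured on the
End User Authentication page. The XML below is constructed sample data."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata, the kind of XML file that "Import Settings" expects.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion (Signature element omitted; a real SP verifies it first).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SP-side attribute names as typed into the SAML profile tab (assumed values).
SP_CONFIG = {"username": "mail", "first_name": "givenName",
             "last_name": "sn", "groups": "memberOf"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_idp_metadata(xml_text):
    """Return entityID, SSO URL and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                     "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_cert": cert.text.strip() if cert is not None and cert.text else None,
    }


def map_assertion(xml_text, idp, config):
    """Check the Issuer against the metadata entityID, then build the user profile."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp["entity_id"]:
        raise ValueError(f"assertion issuer {issuer!r} does not match IdP entityID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    username = (attrs.get(config["username"]) or [""])[0]
    if not EMAIL_RE.match(username):
        raise ValueError("username attribute must be in e-mail address format")
    return {
        "username": username,
        "first_name": (attrs.get(config["first_name"]) or [""])[0],
        "last_name": (attrs.get(config["last_name"]) or [""])[0],
        "groups": attrs.get(config["groups"], []),
    }


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    print(idp)
    print(map_assertion(ASSERTION, idp, SP_CONFIG))
```

The issuer comparison is the cheap part of "validate that the SAML assertions are issued from the correct IdP"; the part that actually carries the trust is verifying the assertion's XML signature with the certificate extracted from the metadata, which must happen before any attribute is read.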

Create an LDAPS Profile

LDAPS profile configuration supports high availability (HA). You must configure both primary and secondary LDAPS servers. If you enable SSL encryption, the default SSL LDAP port number is 636. If you are not using SSL, the default port number is 389.

To create an LDAPS profile:

  1. Select Secure Edge > Identity > User Authentication.

     The End User Authentication page appears.

  2. Click the LDAPS tab.

  3. Complete the configuration according to the guidelines in Table 2.

     Note: Fields marked with an asterisk (*) are mandatory.

     Figure 4: LDAPS Profile

  4. Click OK.
Table 2: Fields on the LDAPS profile tab (Field, Description)

Section: Primary Server

Server address
    Enter the IP address of the LDAP authentication server. The server address is the unique IPv4 or IPv6 address assigned to a particular LDAP server and used to route traffic to it.

SSL certificate
    The certificate the LDAP client uses to establish an LDAP over SSL connection. If you plan to use SSL encryption with your LDAP server, you must import the SSL certificate from the LDAP server: click Browse, select the SSL certificate, and click Open.

Port number
    Specify the port on the LDAP server to which the LDAP client connects.

Section: Secondary Server (Optional)
    Click the toggle button to enable the secondary server.

Server address
    Enter the IP address of the secondary LDAP authentication server. The server address is the unique IPv4 or IPv6 address assigned to a particular LDAP server and used to route traffic to it.

SSL certificate
    The certificate the LDAP client uses to establish an LDAP over SSL connection. If you plan to use SSL encryption with your secondary LDAP server, you must import the SSL certificate from the LDAP server: click Browse, select the SSL certificate, and click Open.

Port number
    Specify the port on the secondary LDAP server to which the LDAP client connects.

Test LDAP Servers Connection
    Click Test LDAP Servers Connection to check whether the connection can be established.

Section: LDAP Authentication

Base domain name
    Enter the distinguished name (DN) of the search base, that is, the LDAP base that specifies the root of the user directory. Every entry in the directory has a DN, the name that uniquely identifies that entry.

Bind domain name
    Enter the DN of the proxy account that the LDAP client uses to bind to the LDAP server.

Bind password
    Enter the credentials of the LDAP client to bind with the LDAP server. Configure the public key password. Click Test Authentication to check whether the credentials bind successfully.

Section: User Options

User attribute
    Enter the username attribute used to compare user entries. The username attribute has permission to access the LDAP server.

User filter
    Enter the value to use as the search filter in LDAP.
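The server address, port, base DN, user attribute and user filter fields above are the inputs an LDAP client combines into its connection and its user lookup. The block below is an added example, not Juniper's code, showing how those inputs fit together: the address must be a literal IPv4 or IPv6 address, the port defaults to 636 with SSL and 389 without, and the login name that the end user types is escaped per RFC 4515 before it is placed into the filter, so that characters such as `*` or `)` cannot widen the search. How Juniper Secure Edge itself combines the User filter with the User attribute is not documented on this page, so the `(&...)` composition, the DNs and the attribute names are assumptions.

```python
"""Added example (not Juniper's code): assemble the LDAPS profile fields
into a server list and a safe user search. All DNs, addresses and
attribute names are constructed sample values."""
import ipaddress

LDAPS_PORT = 636   # default port when SSL encryption is enabled
LDAP_PORT = 389    # default port without SSL

# RFC 4515 escapes for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def validate_server_address(address):
    """Accept only a literal IPv4 or IPv6 address, as the Server address field requires."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        raise ValueError(f"not an IPv4/IPv6 address: {address!r}") from None


def default_port(use_ssl):
    """Port the LDAPS tab defaults to for the chosen transport."""
    return LDAPS_PORT if use_ssl else LDAP_PORT


def escape_filter_value(value):
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(base_dn, user_attribute, user_filter, login_name):
    """Combine Base DN, User attribute and User filter into one search request.

    Hypothetical composition: the admin-supplied User filter is AND-ed with
    an equality match on the User attribute, and the end user's login name
    is escaped so it cannot alter the filter structure."""
    user_match = f"({user_attribute}={escape_filter_value(login_name)})"
    search_filter = f"(&{user_filter}{user_match})" if user_filter else user_match
    return {"base": base_dn, "scope": "subtree", "filter": search_filter}


def ldaps_profile(primary, secondary=None, use_ssl=True, ca_cert_path=None):
    """Server list in failover order (primary first) with the default port.

    With SSL enabled the imported server certificate is required, which is
    what lets the client reject a server presenting some other certificate."""
    servers = [(validate_server_address(primary), default_port(use_ssl))]
    if secondary:
        servers.append((validate_server_address(secondary), default_port(use_ssl)))
    if use_ssl and not ca_cert_path:
        raise ValueError("SSL encryption enabled but no server certificate imported")
    return {"servers": servers, "ssl": use_ssl, "ca_cert": ca_cert_path}


if __name__ == "__main__":
    print(ldaps_profile("192.0.2.10", "192.0.2.11", True, "/path/to/ldap-server.pem"))
    print(build_user_search("dc=example,dc=test", "sAMAccountName",
                            "(objectClass=person)", "alice"))
    # A login name containing filter metacharacters is neutralised, not interpreted.
    print(build_user_search("dc=example,dc=test", "uid", "", "*)(uid=*"))
```

The bind DN and bind password from the LDAP Authentication section are used only for the proxy account's bind, not in the filter; the end user's own password is checked afterwards by binding as the DN the search returned, so the search must return exactly one entry before that second bind is attempted.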

Manage the Hosted Database

End users can be authenticated against a hosted database consisting of users' usernames (email addresses) and passwords. Administrators use the Juniper Secure Edge portal to configure and activate users in the hosted database. Once a user is configured in the Juniper Secure Edge portal, the user receives an e-mail containing their credentials (username and password), and can then authenticate with that email address and password.

Use the Hosted Database tab to add, modify, and delete end user profiles or group profiles.

You can perform the following tasks from this page:

Note:

The hosted database allows a maximum of five retry attempts, after which the user is locked. The number of retries is not configurable. Once a user is locked, only an administrator can unlock them.
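The note above fixes three properties of the hosted database: a lockout after five failed attempts, a limit that administrators cannot change, and unlocking that only an administrator can perform. The following is an added example, not Juniper's code, modelling exactly that policy over an in-memory store with salted PBKDF2 password hashes; the user record layout, the result strings and the sample account are assumptions. It also returns the same result for an unknown user as for a wrong password so that the login response does not reveal which email addresses exist.

```python
"""Added example (not Juniper's code): the hosted-database lockout rule
applied to an in-memory user store. Sample users are constructed data."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5   # fixed by the product; not an administrator setting
PBKDF2_ITERATIONS = 100_000


class HostedUserStore:
    """Email address is the username; passwords are stored only as salted hashes."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, email, password):
        """Administrator action: create (or reset) the user with a fresh salt."""
        salt = os.urandom(16)
        self._users[email.lower()] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked": False,
        }

    def authenticate(self, email, password):
        """Return "ok", "bad-password" or "locked"; lock after the fifth failure."""
        rec = self._users.get(email.lower())
        if rec is None:
            # Same outcome as a wrong password so the response does not enumerate users.
            return "bad-password"
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            rec["failures"] = 0          # a success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True
            return "locked"
        return "bad-password"

    def admin_unlock(self, email):
        """Administrator action: the only way a locked account becomes usable again."""
        rec = self._users[email.lower()]
        rec["locked"] = False
        rec["failures"] = 0

    def is_locked(self, email):
        return self._users[email.lower()]["locked"]

    def failed_attempts(self, email):
        return self._users[email.lower()]["failures"]


if __name__ == "__main__":
    store = HostedUserStore()
    store.add_user("alice@example.test", "correct horse battery staple")
    for _ in range(5):
        print(store.authenticate("alice@example.test", "wrong"))
    print(store.is_locked("alice@example.test"))   # locked after the fifth failure
    store.admin_unlock("alice@example.test")
    print(store.authenticate("alice@example.test", "correct horse battery staple"))
```

Because a correct password never unlocks the account, a detection-minded administrator should treat every lockout as a signal worth reviewing before unlocking: five failures in a short window against one mailbox is what a password-guessing attempt against this tab looks like from the inside.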

Table 3: Fields on the Hosted Database tab (Field, Description)

Section: End users

Name
    Displays the name of the user who is part of the tenant.

Email
    Displays the email address of the user. The email address is the username the user authenticates with.

Groups
    Displays the groups the user belongs to. Group names are displayed in domain:groupname format.

Section: Groups

Name
    Displays the name of the group.

Username
    Click Show users to view the list of users in the group. A user's username is their email address.

Domain
    Displays the domain the group belongs to.

Description
    Displays the description of the group.