Feb 05

Advanced Certificate to User Attributes Mapping in SSO

SSL VPN, Tech dives

The time has come for a new tech dive on StoneGate SSL VPN, and today I'd like to share a tip about advanced techniques for managing the Single Sign On process with our splendid ;) solution.

The idea is to authenticate users with a certificate and then, if a certificate attribute matches an attribute in the user's profile, pass that user's attribute on to the Single Sign On operation.

Consider the following schema:

[schema: certificate-auth-sslvpn]

The user needs to present a valid certificate to log in to the system, optionally protecting the certificate with a passphrase. Once the user is logged in, the system matches the presented certificate against the user profile and identifies the user accordingly.

The interesting feature offered by StoneGate SSL VPN is the ability to match, as part of the certificate authentication process, an attribute of the digital certificate to a user attribute in the directory service where the user profile is stored… and this directory service can be internal to StoneGate SSL VPN or defined as an external User Storage.

Support for backend user storage is broad, ranging from Microsoft Active Directory to LDAP-based systems, Novell eDirectory, IBM RACF and others.

In this article I detail the main configuration steps for setting up this mapping.

First, we need to import the Certificate Authority public certificate which will be used to validate the certificates that users will present.

Open the Administrator's Interface, click Manage System and then Certificates in the menu on your left. Then click Add Certificate Authority.

Define a name for the CA, browse for the CA certificate and choose whether Revocation Control should be performed, as shown in the window below:

Click on Finish Wizard to confirm your settings.

Second, we need to define a Certificate Authentication method in StoneGate SSL VPN.

Click Authentication Methods in the left-hand menu.

Click Add Authentication Method… and select User Certificate. Choose a name that will identify the service in the authentication menu presented to the user when they browse to the SSL VPN URL. We will call this service “Certificate Authentication Test”.

Also select the Certificate Authority we'll use to validate the certificates, as shown below:

[screenshot]

Click Next> to open the Extended Properties page.

Before continuing, let me show you the content of the user certificate I will use:

[screenshot]

As you can see, the common name is set to www.connectingusers.it.

In the Active Directory server I'm using as Directory Service, I have set the attribute physicalDeliveryOfficeName for the user Marco Rottigni to www.connectingusers.it.

Here we'll configure the magic: click Add Extended Property…

Select Certificate Attribute and type CN in the Value field. Confirm with Add.

Select User Attribute and type physicalDeliveryOfficeName in the Value field. Confirm with Add.

Click Save to confirm changes.

Now we will create the SSO Domain to complete the magic.
Click Manage Resource Access, then click SSO Domains in the left menu.
Click Add SSO Domain…
Type in the domain name and select Text Domain type from the drop-down menu. Click Next>.

Click Add domain attribute… and select User name as Attribute name, Locked as Attribute Restriction, Referenced by User attribute, and finally type samaccountname in the Attribute Value field. Click Add…

Click Add domain attribute… and select Password as Attribute name, Editable as Attribute Restriction, Referenced by User input, and finally type samaccountname in the Attribute Value field. Click Add… to obtain the result shown below:

[screenshot]

As for Access Rules, you can set up the most appropriate ones or accept the default Any Authentication.

With this configuration we have told the system to use the match between the physicalDeliveryOfficeName User Attribute in the Directory Service and the CN Certificate Attribute to authorize a valid digital certificate; then, on successful authentication, it populates the Web Test SSO Domain with the samaccountname user attribute of the authenticated user.
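As an added illustration (not StoneGate code), the following Python models the decision the appliance makes at this point: take the CN from the already-validated certificate subject, find the directory entry whose physicalDeliveryOfficeName equals it, and hand that entry's samaccountname to the SSO domain. The directory entries, subject DNs and the account name mrottigni are constructed sample data; the model also fails closed when the mapped attribute value is shared by more than one account, a condition worth checking in your own directory, since a non-unique mapping attribute would resolve one certificate to the wrong user.

```python
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style subject (CN=...,O=...,C=...) into (type, value)
    pairs, honouring backslash escapes so 'O=Acme\\, Inc' stays one value."""
    pairs, buf, escaped = [], "", False
    for ch in dn + ",":            # trailing comma flushes the last pair
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            if buf.strip():
                key, _, value = buf.partition("=")
                pairs.append((key.strip().upper(), value.strip()))
            buf = ""
        else:
            buf += ch
    return pairs


def resolve_sso_user(subject_dn: str, cert_attr: str, user_attr: str,
                     directory: List[Dict[str, str]]) -> Optional[str]:
    """Return the samaccountname to hand to the SSO domain, or None.

    Assumes the certificate already chained to the configured CA. The mapped
    directory attribute is compared case-insensitively (AD treats
    physicalDeliveryOfficeName that way). Exactly one entry must match:
    zero or several matches fail closed rather than guess an identity.
    """
    values = [v for k, v in parse_dn(subject_dn) if k == cert_attr.upper()]
    if len(values) != 1:          # CN missing or present twice: refuse
        return None
    wanted = values[0].lower()
    hits = [e for e in directory if e.get(user_attr, "").lower() == wanted]
    return hits[0]["samaccountname"] if len(hits) == 1 else None


# Constructed directory extract mirroring the article's AD setup
DIRECTORY = [
    {"cn": "Marco Rottigni", "samaccountname": "mrottigni",
     "physicalDeliveryOfficeName": "www.connectingusers.it"},
    {"cn": "Other User", "samaccountname": "ouser",
     "physicalDeliveryOfficeName": "branch-office"},
]
```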

Now we need to complete the configuration by associating the SSO Domain with the web resource for which we want to enable Single Sign On.

Edit the web resource you have defined, select Adaptive SSO from the Single Sign On type drop-down menu and Web Test from the SSO Domain drop-down menu. Click Save to confirm the changes, as shown below:

[screenshot]

Let's now look at the SSO settings for the user profile, to see how our configuration has been received.

Prepare a form in PHP on the web resource you have configured as protected, using the sample code below:

```php
<?php
// Sample form for the protected web resource. The SSO domain pre-fills the
// username (samaccountname) and password fields, so submitting the form
// shows which attributes the SSL VPN injected.
$username = isset($_POST["username"]) ? $_POST["username"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : ""; // read, not displayed
?>
<html>
<head>
<title>The Form Page</title>
</head>
<body>
<?php if (!isset($_POST['submit'])) { // page not yet submitted to itself: echo the form ?>
<h1>Welcome to the Form Page</h1>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
Insert your Name:<input type="text" size="12" maxlength="12"
name="username"><br />

Insert your Password:<input type="password" size="12" maxlength="12"
name="password"><br />

<input type="submit" value="submit" name="submit">
</form>
<?php } else { // form submitted: greet the user, escaping the value before echoing it ?>
Hello, <?php echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?>.<br />
Welcome!<br />
<?php } ?>
</body>
</html>
```

Test your setup and observe how beautifully it works.

Single Sign-On. Empowered. Simplified!

written by RoarinPenguin