Configuring SAML authentication

You can configure HTTP access services such as HCL Nomad to use Security Assertion Markup Language (SAML) authentication rather than LDAP authentication or local authentication.

Before you begin

Configure the HTTP access service you will enable for SAML. For HCL Nomad instructions, see Nomad server in the Nomad administration documentation.

About this task

SAML authentication delegates user authentication to a SAML identity provider (IdP) such as Active Directory Federation Services (ADFS). When SAML is configured, users log on to an HTTP access service with their SAML IdP identities.

To configure SAML authentication for an HTTP access service, complete the following steps.

Procedure

  1. (Linux only) Install SAML Service Provider support for SafeLinx. On Linux, you can choose to install SafeLinx SAML support by selecting "y" (yes) at the prompt Install SAML Service Provider support? To install support for SAML after SafeLinx installation from the installer archive, run the following command:
    sudo rpm -ivh HCLSafeLinx-saml-<safelinxversion>.rpm
    For example: sudo rpm -ivh HCLSafeLinx-saml-1.2.1.0.rpm
    Note: SAML Service Provider support is installed automatically on Windows.
  2. To enable SAML, complete the following steps to start a local SAML service provider on the SafeLinx server.
    1. From the SafeLinx Administrator, right-click the access service resource and select Properties.
    2. Select the Mode tab.
    3. For Credential challenge type, select SAML IDP.
    4. For URL of SAML service provider, specify http://127.0.0.1:<port>/SL_saml/login.
      By default, <port> is 8080. But if another SafeLinx service is using 8080, specify a different port, for example, 8888.
  3. Modify the LDAP-bind Authentication profile:
    1. Open the SafeLinx Administrator and connect to the SafeLinx server.
    2. Select Resources > Authentication Profile.
    3. Open the SafeLinx Authentication Profile used for the service you are enabling for SAML, for example HCL Nomad.
    4. On the LDAP page, select Disable password verification. When SAML is used, no password is provided to SafeLinx so you must disable password verification.
  4. Configure SAML authentication:
    1. Copy the config.example.yml file and rename it config.yml.
      • On Linux, the file is at /opt/hcl/Safelinx/saml/config.example.yml
      • On Windows, the file is at C:\Program Files\HCL\Safelinx\saml\config.example.yml
      Note: Keep config.yml in the \saml directory.
    2. Open config.yml and update the following entries.
      • issuer: The HTTP access service endpoint URL. For example, https://safeLinx-nomad.<mydomain>.
      • entryPoint: The SAML SSO service URL. For example, https://adfsipd1.mydomain/adfs/ls/

        If you use ADFS, this is the value of the Location attribute of the SingleSignOnService element in the FederationMetadata.xml file.

      • logoutUrl: The SAML SSO service logout URL, often the same as the entryPoint value.
      • cert: The X.509 certification information for the IDP.

        If you use ADFS, this is the value of the X509Certificate element in the X509Data tag in FederationMetadata.xml.

      • secret: Any random string of at least 30 characters.
      • port: If you did not specify the default port (8080) for URL of SAML service provider in Step 2, specify the port value.
      Note: If you use ADFS, also set identifierFormat to null.
  5. To make the config.yml changes take effect, restart the SAML service. To do so, stop and then restart the SafeLinx server using the following commands:
    • Windows:
      wgstop
      wgstart
    • Linux:
      sudo systemctl stop safelinx
      sudo systemctl start safelinx
  6. Create a corresponding Relying Party Trust on your IdP. The following steps provide an example of creating a trust using ADFS 5.0:
    1. Open the ADFS console.
    2. Select Relying Party Trusts.
    3. Select Add Relying Party Trust and set values for the following properties:
      • Relying party identifiers: Specify the value of the issuer parameter in config.yml.
      • Endpoints > SAML Assertion Consumer Endpoints: Specify the value of the issuer parameter in config.yml.
      • Endpoints > SAML Logout Endpoints: Specify the logout endpoint for your IdP. For ADFS, specify https://<fqdn_of_the_adfs_service>/adfs/ls/slo. For example: https://adfs.mycompany.com/adfs/ls/slo.
      • Secure hash algorithm: Select SHA-256 or another option shown.
      • Claim Issuance Policy: Create an Issuance Transform Rule and specify the following values:
        • Claim Rule Name: Any descriptive name
        • Attribute store: Active Directory
        • LDAP Attribute: E-Mail-Addresses
        • Outgoing Claim Type: Name ID
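
The following Python script is an added example and is not part of the HCL documentation or of SafeLinx itself. It ties Step 4 and Step 6 together: it reads the SingleSignOnService location, SingleLogoutService location and token-signing X509Certificate out of a FederationMetadata.xml (a constructed stand-in with a placeholder certificate is embedded so it runs offline), generates a secret of the required length, renders the config.yml entries named in Step 4, and derives the values you must enter on the ADFS Relying Party Trust in Step 6. It assumes config.yml is a flat file of the top-level keys listed in Step 4 (compare the output against config.example.yml before using it) and that the HTTP-Redirect SingleSignOnService location is the one to use as entryPoint; the host names, the function names and the sample metadata are all assumptions.

```python
"""Build SafeLinx SAML config.yml entries from IdP federation metadata.

Added example; not HCL's tooling. Assumes a flat config.yml with the keys
issuer, entryPoint, logoutUrl, cert, secret, port and identifierFormat.
"""
import json
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
MIN_SECRET_LEN = 30  # minimum length stated for the secret entry

# Constructed, minimal stand-in for an ADFS FederationMetadata.xml.
# The certificate value is a placeholder, not real key material.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          PLACEHOLDER-TOKEN-SIGNING-CERT
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def idp_settings(metadata_xml):
    """Return entryPoint, logoutUrl and cert taken from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = [e for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == HTTP_REDIRECT]
    if not sso:
        raise ValueError("metadata has no HTTP-Redirect SingleSignOnService")
    # Use the token-signing certificate, not the encryption one.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing X509Certificate")
    slo = idp.find("md:SingleLogoutService", NS)
    entry_point = sso[0].get("Location")
    return {
        "entryPoint": entry_point,
        # Page: logoutUrl is often the same as entryPoint; fall back to it.
        "logoutUrl": slo.get("Location") if slo is not None else entry_point,
        # Base64 in metadata may be wrapped; config.yml wants one string.
        "cert": "".join(cert.text.split()),
    }


def build_config(issuer, idp, port=8080, secret=None, adfs=True):
    """Assemble the Step 4 config.yml entries; enforce the secret length."""
    secret = secret if secret is not None else secrets.token_urlsafe(32)
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"secret must be at least {MIN_SECRET_LEN} characters")
    cfg = {"issuer": issuer, "entryPoint": idp["entryPoint"],
           "logoutUrl": idp["logoutUrl"], "cert": idp["cert"],
           "secret": secret, "port": port}
    if adfs:
        cfg["identifierFormat"] = None  # page: set to null for ADFS
    return cfg


def to_yaml(cfg):
    """Render flat key/value pairs as YAML (JSON strings are valid YAML scalars)."""
    out = []
    for key, value in cfg.items():
        if value is None:
            out.append(f"{key}: null")
        elif isinstance(value, int):
            out.append(f"{key}: {value}")
        else:
            out.append(f"{key}: {json.dumps(value)}")
    return "\n".join(out) + "\n"


def relying_party_values(cfg):
    """Values to enter on the ADFS Relying Party Trust (Step 6)."""
    adfs_host = urlsplit(cfg["entryPoint"]).netloc
    return {
        "identifier": cfg["issuer"],
        "assertion_consumer_endpoint": cfg["issuer"],
        "logout_endpoint": f"https://{adfs_host}/adfs/ls/slo",
    }


if __name__ == "__main__":
    settings = idp_settings(SAMPLE_METADATA)
    config = build_config("https://safelinx-nomad.example.test", settings, port=8888)
    print(to_yaml(config))
    print(relying_party_values(config))
```

Run it against a real FederationMetadata.xml by replacing SAMPLE_METADATA with the file contents; if the script raises because no signing certificate or HTTP-Redirect endpoint is found, the metadata is not an IdP descriptor and the values should not be copied into config.yml.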

Results

If the SAML configuration is working correctly, when a user goes to the SafeLinx service URL (the issuer value), they are challenged for their IdP credentials.

What to do next

If you are configuring Nomad federated login so that Nomad for web browser users will not be prompted for Notes IDs, complete the steps in the procedure Nomad federated login in the Domino documentation.