Online Help

SafeNet Trusted Access for Evidian Web Access Manager

Overview

Configuring SafeNet Trusted Access for Evidian Web Access Manager is a three-step process:

1.Evidian Web Access Manager setup

2.SafeNet Trusted Access setup

3.Verify authentication

Evidian Web Access Manager Setup

As a prerequisite, download the identity provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Configuring SafeNet Trusted Access as your Identity Provider in Evidian Web Access Manager requires:

Configuring the host as IdP

Creating an injection database

Generating key and certificate objects

Creating an authentication policy object

Declaring an authentication server

Creating a portal

Configuring the Host as IdP

Perform the following steps to configure the Host as IdP:

1.Log in to Evidian Web Access Manager as an administrator at http://<<WAM_Server_Name>>:9119 (for example, http://portal.evidian.com:9119/) and launch the console.

2.On the Evidian Web Access Manager (WAM) console, click the Authentication tab.

3.In the left pane, right-click on SAML Domain and select Declare a SAML Domain with Metadata(s).

4.In the right pane, click the General tab, and perform the following steps:

a.In the Name field, enter a name for the domain (for example, sfnt-inde).

b.In the Name (as seen by end user) field, click Add to add a domain name as it is displayed for end-users on the SAML inter-domains authentication window, and click Ok.

5.Click the Remote IDP tab and perform following steps:

a.In a text editor, open the IdP Metadata that you downloaded earlier from the SafeNet Trusted Access console and copy the entire text of the metadata.

b.In the Metadata of remote Identity provider field, paste the metadata that you copied in the previous step.

c.In the Name of the Identity provider field, the IDP Issuer/Entity ID will be displayed automatically.

d.Select the Require Signed Authentication Requests (AuthnRequest) checkbox.

e.In the NameID attribute format sent in Authentication Request (AuthnRequest) field, select Unspecified.

f.Under Local Service provider configuration, in the Type of use field, select Identity Federation.

g.In the User Identity field, ensure that Subject (NameID) is selected.

h.In the LDAP attribute for SAML federation field, enter mail.

i.Click Ok.

Creating an Injection Database

Perform the following steps to create an injection database:

1.On the WAM console, click the SSO & Injections tab.

2.In the left pane, right-click on Data Injection, and select Create Injection Data Base.

3.On the Injection Data Base creation window, perform the following steps:

a.In the Name field, enter a name for the injection database.

b.In the Type of Injection Data Base field, select Authentication.

c.Click OK.

4.In the left pane, right-click on the injection database that you created in the previous step, and select Create Injection Data.

5. In the right pane, perform the following steps:

a.In the Name field, enter a name for identification, (for example, NameID-1).

b.In the Source of data field, select User Primary Account.

c.In the User Attribute Name field, enter mail.

d.Ensure the following:

User Attribute Type is selected as not binary.

Decoding to be done is selected as none.

Injection Target is selected as SAML Assertion tag.

SAML NameID format is selected as Unspecified.

Injection for SAML Domain is selected as For all SAML domains which are Service Providers.

e.Clear the Injection for “Login Modules” check box.

f.Click Ok.

Generating Key and Certificate Objects

Generate a Server Certificate

Perform the following steps to generate a server certificate:

1.On the WAM console, click the Keys and Certificates tab.

2.In the left pane, right-click on Keys and Certificates, and select Generate a Key pair.

3.On the Key pair generation window, perform the following steps:

a. In the Name field, enter a name for identification (for example: Key_for_interdomain_1).

b.In the Private Key length field, select 2048.

c.Click OK. The key pair (in disabled state) will be displayed in the left pane under Keys and Certificates.

4.To enable the key pair, right-click on the key pair that you created in the previous step, and select Generate a Test Certificate.

5.On the Generate a Test certificate for “<Key name>” Key and Certificates window, perform the following steps:

a.In the Key Usage field, select Server Certificate.

b.In the Common Name field, click the icon to select a common name.

c.On the Common Name selection window, select a name, and click Ok.

d.In the Organization field, enter a name for the organization (for example, BULL).

e.In the Locality field, enter a name for the locality (for example, Les Clayes).

f.In the State or Province field, enter a name for the state or province.

g.In the Country field, click the icon to select a country code.

h.Click Next.

i.Click OK.

Generate a Code Signing Certificate

Perform the following steps to generate a code signing certificate:

1.On the WAM console, on the Keys and Certificates tab, in the left-pane, right-click on Keys and Certificates and select Generate a Key pair.

2.On the Key pair generation window, in the Name field, enter a name for identification (for example, Wildcard_evidian_portal.com).

3.In the Private Key length field, select 2048.

4.Click OK. The key pair (in disabled state) will be displayed in the left pane under Keys and Certificates.

5.To enable the key pair, right-click on the key pair that you created in the previous step, and select Generate a Test Certificate.

6.On the Generate a Test certificate for “<Key name>” Key and Certificate window, perform the following steps:

a.In the Key Usage field, select Object Signing Certificate.

b.In the Common Name field, click the icon to select a common name.

c.On the Common Name selection window, select a name, and click Ok. This is the name provided by Evidian while installing the product.

d.In the Organization field, enter a name for the organization (for example, BULL).

e.In the Locality field, enter a name for the locality (for example, Les Clayes).

f.In the State or Province field, enter a name for the state or province.

g.In the Country field, click the icon to select a country code.

h.Click Next.

i.Click OK.

Declare a Certificate Authority

Perform the following steps to declare a certificate authority:

1.In the left pane, right-click on Certificate Authorities, and select Declare Certificate Authority.

2.In the right pane, on the General tab, enter a name for identification (for example, SFnt_cert).

3.Select the following check boxes:

Accept client certificates from this authority

Accepts HTTPS server certificates from this authority

Accept signature certificates from this authority

Use the default mapping

4. Click Ok.

Creating an Authentication Policy Object

Perform the following steps to create an authentication policy object:

1.On the WAM console, click the Authentication tab.

2.In the left pane, right-click Authentication Policies, and select Create Authentication Policy.

3.In the right pane, on the General tab, perform the following steps:

a.In the Name field, enter a name for identification (for example, Authentication for interdomain).

b.In the End User Authentication field, select Form Authentication.

c.In the Multi User Directory field, click the icon to select multi user directory, and click OK.

d.In the Injection Data Base field, click the icon to select the injection data base that you created earlier in the Creating an Injection Database section.

e.Click OK.

4.Click the SAML Domains tab.

5.Click Add.

6.On the SAML Domain Identity Provider selection window, select the SAML domain that you created earlier in the Configuring the Host as IdP section.

7.Click OK.

8.Click OK.

Declaring an Authentication Server

Perform the following steps to declare an authentication server:

1.In the left pane, under Authentication Servers, right-click on WAM Authentication Server and select Declare WAM Authentication Server.

2.In the right pane, click the General tab, and perform the following steps:

a.In the Name field, enter a name for identification (for example, Interdomain Authentication Server).

b. In the Protocol field, select HTTPS.

c.In the Host name field, enter a host name (for example, authentication.portal.evidian.com).

Note:  Map this host name to the IP address provided by the Evidian support team in the hosts file of the machine where the Evidian portal is running.

d.In the SSL Port field, enter 443.

e.In the Key and Certificates field, click the icon.

f.On the Key and Certificate selection window, select the certificate that you created earlier in the Generate a Server Certificate section.

g.Click OK.

3. On the WAM Authentication Server Declaration window, click the SAML tab and perform the following steps:

a.In the Key and Certificates field, click the icon.

b.On the Key and Certificate selection window, select the certificate that you created in the Generate a Code Signing Certificate section.

c.Click OK.

d.In the SAML Identity field, enter WAMIDP.

e.Select the Dedicated to InterDomain checkbox.

f.Click OK.

Creating a Portal

Perform the following steps to create a portal:

1.On the WAM console, click the Portals and Web Agents tab.

2.In the left pane, right-click on Portals, and select Create Portal.

3. In the right pane, perform the following steps:

a.In the Name field, enter a name required for identification (for example, WAMSp-idp).

b.In the Welcome service of Portal field, click the icon and select End User Access Portal Service Lists.

c.In the Authentication Policy field, click the icon, select the authentication policy that you created earlier in the Creating an Authentication Policy Object section, and click OK.

d.Select the Authentication delegated to Authentication Server check box.

e.In the WAM Authentication Server field, click the icon to select the authentication server that you declared earlier in the Declaring an Authentication Server section.

f.Next to the Name (as seen by end user) field, click Add to provide a name to be used for the identification purpose.

g.Click Ok.

4. Click the Address tab and perform the following steps:

a.In the Protocol field, select HTTPS.

b.In the Host name field, enter a name to access the Evidian portal to access resources.

Note:  Map this host name to the IP address provided by the Evidian support team in the hosts file of the machine from which you access the Evidian portal.

c.In the SSL Port field, enter 443.

d.In the Keys and Certificates field, select the server certificate that you created earlier in the Generate a Server Certificate section.

e.Click Ok.

5. Click OK.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Evidian Web Access Manager, the second step is to activate the Evidian Web Access Manager application in SafeNet Trusted Access by performing the following steps:

1.In the Applications pane, the Evidian Web Access Manager application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Evidian Web Access Manager) and proceed to the next step.

2.Under STA Setup, perform the following steps:

a.Click Upload Evidian Web Access Manager Metadata.

b.On the Metadata Upload window, click Browse to search and select the Evidian Web Access Manager metadata provided by the Evidian support team.

c.Under Advanced Settings, in the IDP INITIATED SSO RELAY STATE field, enter the relay state value if your application requires a unique relay state. For the rest of the fields, modify the default values as per your preferred configuration.

d.Click Save Configuration to save the details and activate the Evidian Web Access Manager application in SafeNet Trusted Access.
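Two metadata files change hands in this integration: the SafeNet Trusted Access IdP metadata pasted into the Metadata of remote Identity provider field (Configuring the Host as IdP, step 5), and the Evidian Web Access Manager metadata uploaded here in step 2(b). The following script is an added example, not Evidian or Thales code, that summarizes either file before you paste or upload it and flags what would break the federation: a missing signing certificate (WAM could not verify assertion signatures), a non-HTTPS endpoint, or a file that is not IdP metadata at all. The entity IDs, URLs and certificate bytes in the constructed samples are placeholders, not real tenant values; the IdP entityID it prints is the value WAM fills into the Name of the Identity provider field.

```python
# Added example (not Evidian or Thales code): summarize a SAML metadata file
# before pasting it into WAM (IdP metadata from the STA console) or uploading
# it to STA (the WAM SP metadata), and flag what would break the federation.
# The entity IDs, URLs and certificate bytes in the samples are constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def summarize_metadata(xml_text: str) -> dict:
    """Pull out entityID, role, endpoints, NameID formats and signing-certificate count."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": {}, "signing_certs": 0, "signed_requests": None}
    role = root.find("md:IDPSSODescriptor", NS)
    if role is not None:
        info["role"] = "IdP"
        # IdP states whether it requires signed AuthnRequests (WAM signs them, step 5d)
        info["signed_requests"] = role.get("WantAuthnRequestsSigned")
        endpoints = role.findall("md:SingleSignOnService", NS)
    else:
        role = root.find("md:SPSSODescriptor", NS)
        if role is None:
            raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
        info["role"] = "SP"
        info["signed_requests"] = role.get("AuthnRequestsSigned")
        endpoints = role.findall("md:AssertionConsumerService", NS)
    for ep in endpoints:
        binding = ep.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        info["endpoints"][binding] = ep.get("Location")
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                               default="", namespaces=NS)
            if cert.strip():
                base64.b64decode("".join(cert.split()), validate=True)  # rejects a garbled paste
                info["signing_certs"] += 1
    info["name_id_formats"] = [e.text.strip() for e in role.findall("md:NameIDFormat", NS) if e.text]
    return info


def check_idp_for_wam(info: dict) -> list:
    """Problems an operator would hit pasting this as 'Metadata of remote Identity provider'."""
    problems = []
    if info["role"] != "IdP":
        problems.append("not IdP metadata (no IDPSSODescriptor)")
    if not (set(info["endpoints"]) & {"HTTP-POST", "HTTP-Redirect"}):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for loc in info["endpoints"].values():
        if not (loc or "").startswith("https://"):
            problems.append(f"endpoint is not HTTPS: {loc}")
    if info["signing_certs"] == 0:
        problems.append("no signing certificate: WAM cannot verify assertion signatures")
    return problems


# Constructed IdP metadata in the shape an IdP's metadata download has
# (placeholder base64, not a real certificate).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata in the shape uploaded to STA; entityID and ACS URL are assumed.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://wam-sp.evidian.com/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://wam-sp.evidian.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    idp = summarize_metadata(IDP_METADATA)
    print("IdP entityID:", idp["entity_id"], "problems:", check_idp_for_wam(idp) or "none")
    print("SP summary:", summarize_metadata(SP_METADATA))
```

Run it against the real files (read them in place of the constructed strings) before the paste in step 5(b) and the upload in step 2(b); if the entityID it prints for the IdP file differs from what WAM displays in the Name of the Identity provider field, the wrong file was pasted.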

Verify Authentication

Using STA Console

Navigate to the Evidian Web Access Manager login URL, that is, the host name you entered in step 4(b) of Creating a Portal (for example, https://wam-sp.evidian.com), and log in to your Evidian Web Access Manager account. Select Go to My Personal Welcome Page, select the SAML domain created in Evidian WAM, by the name as seen by end users (for example, Gemalto-Inde), and click Ok.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory credentials, complete the second-factor authentication, and you should be redirected to the Evidian Web Access Manager application after authentication.
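If the redirect back from SafeNet Trusted Access does not log the user in, the quickest diagnosis is to look at what STA actually sent. The following script is an added example, not Evidian or Thales code: it decodes a SAMLResponse (the SAMLResponse form field of the browser's POST back to WAM, visible in the developer tools Network tab) and checks the fields that the configuration above depends on: a Success status, an Issuer equal to the STA entity ID shown in the Name of the Identity provider field, a NameID in the Unspecified format whose value is a mail address (WAM maps it to the LDAP attribute mail), the expected Audience, an unexpired assertion, and the presence of an XML signature. Signature presence is only reported, not verified; verification is WAM's job using the certificate from the IdP metadata. The sample response, the issuer and the audience values are constructed for illustration.

```python
# Added example (not Evidian or Thales code): decode a SAMLResponse captured
# from the browser and check the fields this integration relies on. The
# expected issuer and audience values are assumptions for illustration.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _utc(ts: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def inspect_response(b64_response: str, expected_issuer: str,
                     expected_audience: str, now: str = None) -> dict:
    """Decode the response and list mismatches against what WAM was configured for.
    Signature presence is reported, not verified (WAM verifies it with the IdP
    metadata certificate). 'now' is a SAML timestamp string; defaults to current time."""
    now_dt = _utc(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    out = {"problems": []}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    out["status"] = code.get("Value", "").rsplit(":", 1)[-1] if code is not None else None
    if out["status"] != "Success":
        out["problems"].append(f"status is {out['status']}, not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        out["problems"].append("no plaintext Assertion (encrypted or missing)")
        return out
    # Issuer must be the IdP entity ID shown in WAM's "Name of the Identity provider"
    out["issuer"] = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if out["issuer"] != expected_issuer:
        out["problems"].append(f"issuer {out['issuer']!r} != expected {expected_issuer!r}")
    # WAM expects NameID format Unspecified carrying the user's mail (LDAP attribute 'mail')
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    out["name_id"] = name_id.text.strip() if name_id is not None and name_id.text else None
    out["name_id_format"] = name_id.get("Format") if name_id is not None else None
    if out["name_id_format"] != UNSPECIFIED:
        out["problems"].append(f"NameID format {out['name_id_format']!r} is not Unspecified")
    if not out["name_id"] or "@" not in out["name_id"]:
        out["problems"].append("NameID is empty or not a mail address")
    cond = assertion.find("saml:Conditions", NS)
    out["audience"] = (cond.findtext("saml:AudienceRestriction/saml:Audience",
                                     default="", namespaces=NS).strip() if cond is not None else "")
    if out["audience"] != expected_audience:
        out["problems"].append(f"audience {out['audience']!r} != expected {expected_audience!r}")
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after and _utc(not_after) <= now_dt:
        out["problems"].append("assertion expired (NotOnOrAfter in the past); check clock skew between STA and WAM")
    out["signed"] = (assertion.find("ds:Signature", NS) is not None
                     or root.find("ds:Signature", NS) is not None)
    if not out["signed"]:
        out["problems"].append("no XML Signature on the response or the assertion")
    return out


# Constructed sample response (not captured from a real tenant). The Signature
# element is a placeholder that only shows where WAM looks for it.
_SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_resp1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z" Destination="https://wam-sp.evidian.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://wam-sp.evidian.com/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE_B64, "https://idp.example.com/saml/idp",
                              "https://wam-sp.evidian.com/saml/sp", now="2025-01-01T12:01:00Z")
    print(report)
```

For a real capture, pass the SAMLResponse field value as b64_response and leave now unset; a report whose only problem is an expired assertion usually points at clock skew between STA and the WAM host rather than at the SAML configuration.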

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Evidian Web Access Manager application icon. You should be redirected to the Evidian Web Access Manager application after authentication.


© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.