Online Help

SafeNet Trusted Access for Safe-T ZoneZero®

Overview

The application template provides the ability to enable single sign-on for users accessing the Safe-T ZoneZero® application through SafeNet Trusted Access. OIDC settings are configured in Safe-T ZoneZero® to access the Safe-T ZoneZero® console.

The SP-initiated SSO use case can be configured for Safe-T ZoneZero®.

Configuring SafeNet Trusted Access for Safe-T ZoneZero® is a three-step process:

1. Safe-T ZoneZero® setup

2. SafeNet Trusted Access setup

3. Verify authentication

Safe-T ZoneZero® Setup

Before you begin, ensure that you meet the following prerequisites:

You must have a Safe-T ZoneZero® SDP 4.4 environment that is up and running.

You must have the Fully Qualified Domain Name (FQDN) of your Authentication Gateway; it is referred to as FQDN_OF_AUTH_GATEWAY in the steps below.

You must have the FQDN of your Access Gateway; it is referred to as Access_Gateway_FQDN in the steps below.

You must have the IP address of your access controller; it is referred to as Access_Controller_IP_address in the steps below.

Configuring Safe-T ZoneZero® SDP Authentication Gateway End User Portal

Perform the following steps to configure Safe-T ZoneZero® authentication gateway end user portal:

1. Log in to the Safe-T ZoneZero® server management console as an administrator using the URL https://<Access_Controller_IP_address>:3000.

2. On the Server Management console, in the left pane, click Reverse Access Rules.

3. In the right pane, click Add Rule.

4. On the Add Rule window, perform the following steps to add the first rule:

a. In the Rule Type field, ensure that SDP Auth is selected.

Note:  For the first rule you create, the default rule type is SDP Auth.

b. In the Domain Name field, enter <FQDN_OF_AUTH_GATEWAY> (for example, thalesauth.com).

c. In the Application URL field, select <External port> (for example, https://thalesauth.com:443/api/login).

Note:  The port number can be 443 or 80.

WARNING!  In a production environment, you must use HTTPS.

d. Click Save.

Note:  You need to create one reverse access rule for each backend service that you want to publish through the access gateway.

For example, if you have four backend services, you must configure five reverse access rules: one for the authentication gateway and one for each of the four backend services.

5. On the console, click Add Rule to add another rule.

6. On the Add Rule window, perform the following steps:

a. In the Rule Type field, select SDP.

Note:  You cannot verify end user access to the Authentication Gateway unless you create at least one reverse access rule for connecting to a backend service.

b. In the Application Name field, enter a name (for example, Thales RDP) to identify the resource.

c. In the Application URL field, enter a URL in the format defined for the selected backend service:

Service protocol://<Access_Gateway_FQDN>:WAN_Facing_port

where <Access_Gateway_FQDN> must resolve to the WAN-facing IP address of the Access Gateway.

Examples of backend service URLs are given in the table below.

Service Protocol   Application Name       URL
RDP                Active_Directory_RDP   rdp://<Access_Gateway_FQDN>.com:3390
SMB                FileSharing            smb://<Access_Gateway_FQDN>.com:445
SFTP               ClientSFTP             sftp://<Access_Gateway_FQDN>.com:2424

d. In the Service Address field, enter the internal private IP address of the published backend service.

e. In the Service Port field, enter the listening port of the backend service.

f. Ensure that the External IP Address field contains its default value, 0.0.0.0.

g. In the External Port field, enter the WAN-facing port number of the access gateway.

Note:  Any free port number can be entered, provided that the same port number is used in the application URL.

h. Ensure that the Callback IP Address field contains its default value, 0.0.0.0.

i. In the Callback Port field, enter the port number used by the access controller to access the access gateway.

Note:  The access controller uses this port to pull incoming requests from the access gateway.

7. Click Save.

8. Click Save & Apply.
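The following script is an added example, not code from the Safe-T ZoneZero® or SafeNet Trusted Access documentation. It checks a set of reverse access rules against the constraints the steps above state: the SDP Auth rule is published on the authentication gateway FQDN over HTTPS on port 443 or 80, each backend rule uses the service protocol, the access gateway FQDN and a port equal to the External Port field, the Service Address is a private IP, and the listener and callback addresses keep the default 0.0.0.0. The rule records are constructed dictionaries that mirror the Add Rule fields; the product documents no export format here, so the key names, the gateway FQDNs and the sample ports are assumptions.

```python
# Added example; not code from the Safe-T ZoneZero® or SafeNet Trusted Access
# documentation. It checks reverse access rules against the constraints stated
# in the configuration steps. The rule records are constructed dictionaries that
# mirror the Add Rule fields; the key names are assumptions.
import ipaddress
from urllib.parse import urlsplit

AUTH_GATEWAY_FQDN = "thalesauth.com"        # constructed, from the page's example
ACCESS_GATEWAY_FQDN = "access.example.com"  # constructed placeholder

# URL scheme that each backend service type uses in its application URL.
SERVICE_SCHEMES = {"RDP": "rdp", "SMB": "smb", "SFTP": "sftp"}


def check_rule(rule, production=True):
    """Return the problems found in one reverse access rule (empty list = OK)."""
    problems = []
    url = urlsplit(rule["application_url"])
    if rule["rule_type"] == "SDP Auth":
        # Step 4: the authentication gateway rule is published on the auth
        # gateway FQDN, on port 443 or 80, and must use HTTPS in production.
        if url.hostname != AUTH_GATEWAY_FQDN:
            problems.append("SDP Auth rule must use the authentication gateway FQDN")
        if url.port not in (443, 80):
            problems.append("SDP Auth rule port must be 443 or 80")
        if production and url.scheme != "https":
            problems.append("production SDP Auth rule must use HTTPS")
        return problems
    # Step 6: a backend rule is <protocol>://<Access_Gateway_FQDN>:<WAN-facing port>.
    expected_scheme = SERVICE_SCHEMES.get(rule["service"])
    if expected_scheme is None:
        problems.append(f"unknown service type {rule['service']!r}")
    elif url.scheme != expected_scheme:
        problems.append(f"application URL scheme should be {expected_scheme}://")
    if url.hostname != ACCESS_GATEWAY_FQDN:
        problems.append("application URL host must be the access gateway FQDN")
    # The port in the application URL must equal the External Port field (step 6 g).
    if url.port != rule["external_port"]:
        problems.append("application URL port does not match External Port")
    # Service Address is the backend's private IP (step 6 d); the listener and
    # callback addresses keep their wildcard default 0.0.0.0 (steps 6 f and 6 h).
    try:
        if not ipaddress.ip_address(rule["service_address"]).is_private:
            problems.append("Service Address should be the backend's private IP")
    except ValueError:
        problems.append("Service Address is not an IP address")
    for field in ("external_ip", "callback_ip"):
        if rule[field] != "0.0.0.0":
            problems.append(f"{field} is expected to keep the default 0.0.0.0")
    return problems


def check_rules(rules, production=True):
    """Map each rule's application name (or rule type) to its problem list."""
    return {rule.get("application_name", rule["rule_type"]): check_rule(rule, production)
            for rule in rules}


# Constructed sample: the auth gateway rule plus two backend rules. The SMB rule
# deliberately carries the port mismatch that the Note under step 6 g warns about.
SAMPLE_RULES = [
    {"rule_type": "SDP Auth", "application_url": "https://thalesauth.com:443/api/login"},
    {"rule_type": "SDP", "service": "RDP", "application_name": "Active_Directory_RDP",
     "application_url": "rdp://access.example.com:3390", "service_address": "10.0.0.5",
     "service_port": 3389, "external_ip": "0.0.0.0", "external_port": 3390,
     "callback_ip": "0.0.0.0", "callback_port": 9001},
    {"rule_type": "SDP", "service": "SMB", "application_name": "FileSharing",
     "application_url": "smb://access.example.com:445", "service_address": "10.0.0.6",
     "service_port": 445, "external_ip": "0.0.0.0", "external_port": 4450,
     "callback_ip": "0.0.0.0", "callback_port": 9002},
]

if __name__ == "__main__":
    for name, problems in check_rules(SAMPLE_RULES).items():
        print(name, "OK" if not problems else problems)
```

Running the script reports the SMB rule, whose application URL says port 445 while its External Port is 4450; that is exactly the mismatch that leaves a published service unreachable through the access gateway.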

Configuring STA in Safe-T ZoneZero®

Perform the following steps to configure STA as your identity provider in Safe-T ZoneZero®:

1. On the Safe-T ZoneZero® Admin console, in the left pane, click Authentication Workflow.

2. In the right pane, click the Workflow Policies tab and perform the following steps:

a. In the Policies field, select Identity Provider Policy.

b. Under Workflow Steps, from Available Authentication Options, move Generic OAuth2.0 to Selected Options.

c. Click Save.

3. Click the Workflow Connectors tab and perform the following steps:

a. In the Connector field, select Authentication - OAuth 2.0.

b. In the Authentication Protocol field, enter openidconnect.

c. In the Authentication Http URL field, enter the authorization endpoint URL of STA.

From the STA console, you can copy the URL by clicking the Copy to Clipboard icon next to the AUTHORIZATION END POINT URL field.

d. In the Token Http URL field, enter the token endpoint URL of STA.

From the STA console, you can copy the URL by clicking the Copy to Clipboard icon next to the TOKEN END-POINT URL field.

e. In the Client Identifier field, enter the client ID of STA.

From the STA console, you can copy the client ID by clicking the Copy to Clipboard icon next to the CLIENT ID field.

f. In the Scope field, enter openid.

g. In the Redirect URL field, enter https://<FQDN_OF_AUTH_GATEWAY>.com/api/callback?service=1&name=Apps_GenericOAuth&AccessToken=<WebServiceAccessToken>

where <WebServiceAccessToken> is provided by the Safe-T ZoneZero® support team.

h. In the OpenID Metadata Server field, enter the well-known configuration URL of STA.

From the STA console, you can copy the URL by clicking the Copy to Clipboard icon next to the WELL KNOWN CONFIGURATION URL field.

i. In the OpenID Issuer field, enter the issuer URL of STA. You need to extract the issuer URL from the well-known configuration URL: the issuer URL is the entire string that precedes .well-known/openid-configuration.

For example, if your STA well-known configuration URL is https://example.STA.com/auth/realms/TENANT/.well-known/openid-configuration, your issuer URL is https://example.STA.com/auth/realms/TENANT/

j. In the Groups Selector field, enter groups.

k. Click Save.

4. Click the Trusted Services tab and perform the following steps:

a. Under Trusted Service, click the plus icon.

b. In the SERVICE NAME column, enter the name of the backend service that enables group access. The service name must be the same as the application name that you configured earlier while adding the reverse access rule in step 6 (b) of Configuring Safe-T ZoneZero® SDP Authentication Gateway End User Portal.

c. In the GROUP NAME column, enter the name of the AD / identity provider group (for example, Security, Testers) whose members should be able to access the backend service.

Note:  Enter an asterisk (*) to grant access to all services or all groups. To enter more than one group or service name, separate the names with a semicolon.

d. In the Actions column, click the icon to save the trusted service rule you created.

5. Click the Authentication Workflow URL tab. This tab lets you connect URL login variants to the policies that you created.

6. Under Authentication Workflow URL, click the plus icon.

7. On the Workflow Url window, perform the following steps:

a. In the Route field, enter api/.

b. In the Description field, enter a description of the workflow URL.

c. In the Default Policy field, select Identity Provider Policy.

d. Click Save.

Note:  
- The URLs are differentiated by adding suffixes in the Route field after api/.
- For each workflow URL you create, select an appropriate Policy according to your organization’s security rules.

8. Click the plus icon.

9. On the New Workflow URL window, perform the following steps:

a. In the Route field, enter api/test.

b. In the Description field, enter a description of the workflow URL.

c. In the Default Policy field, select Username and Password Two-step Policy.

d. Click Save.

10. Click Apply Changes.

11. On the Apply Changes To Authentication Workflow? window, click Confirm.
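Before applying the changes, it is worth confirming that the connector values entered in step 3 agree with what STA actually publishes. The script below is an added example, not Thales or Safe-T code: it derives the OpenID Issuer from the well-known configuration URL the way step 3 (i) describes and then compares the issuer, the authorization and token endpoint URLs, the protocol, the scope and the signing algorithm with the provider's OpenID discovery document. The discovery document is constructed for the example (in practice it is fetched from the well-known URL); the connector key names, the endpoint paths and the <CLIENT_ID> placeholder are assumptions.

```python
# Added example; not Thales or Safe-T code. It derives the OpenID Issuer from the
# well-known configuration URL as step 3 (i) describes, then checks the other
# connector values from step 3 against the provider's OpenID discovery document.
# The discovery document is constructed; the connector key names are assumptions.
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = ".well-known/openid-configuration"


def issuer_from_well_known_url(url):
    """The issuer URL is everything before .well-known/openid-configuration."""
    if not url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an OpenID Connect discovery URL")
    return url[: -len(WELL_KNOWN_SUFFIX)]


def check_connector(connector, discovery):
    """Compare the OAuth 2.0 connector fields with the discovery document.
    Returns a list of mismatches; an empty list means the two agree."""
    problems = []
    derived = issuer_from_well_known_url(connector["well_known_url"])
    # The page derives the issuer with a trailing slash, while discovery
    # documents commonly publish it without one, so compare without the slash.
    if connector["issuer"].rstrip("/") != derived.rstrip("/"):
        problems.append("OpenID Issuer does not match the well-known configuration URL")
    if discovery["issuer"].rstrip("/") != derived.rstrip("/"):
        problems.append("discovery document issuer differs from the configured issuer")
    for field, key in (("authentication_http_url", "authorization_endpoint"),
                       ("token_http_url", "token_endpoint")):
        if connector[field] != discovery[key]:
            problems.append(f"{field} does not match {key} in the discovery document")
    if connector["authentication_protocol"] != "openidconnect":
        problems.append("Authentication Protocol must be openidconnect")
    if "openid" not in connector["scope"].split():
        problems.append("Scope must include openid")
    # RSA-SHA256 in the STA console is the JOSE algorithm RS256; the provider
    # should advertise it for ID token signatures.
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 ID token signing")
    # Authorization codes and tokens transit these URLs, so all must be HTTPS.
    for field in ("authentication_http_url", "token_http_url", "well_known_url", "redirect_url"):
        if urlsplit(connector[field]).scheme != "https":
            problems.append(f"{field} must use https")
    return problems


# Constructed discovery document using the issuer from the page's example.
# The endpoint paths are placeholders, not STA's real paths.
DISCOVERY_JSON = """{
  "issuer": "https://example.STA.com/auth/realms/TENANT",
  "authorization_endpoint": "https://example.STA.com/auth/realms/TENANT/authorize",
  "token_endpoint": "https://example.STA.com/auth/realms/TENANT/token",
  "jwks_uri": "https://example.STA.com/auth/realms/TENANT/certs",
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# Constructed connector values as entered in step 3; <CLIENT_ID> and
# <WebServiceAccessToken> stand for the values copied from STA and from support.
CONNECTOR = {
    "authentication_protocol": "openidconnect",
    "authentication_http_url": "https://example.STA.com/auth/realms/TENANT/authorize",
    "token_http_url": "https://example.STA.com/auth/realms/TENANT/token",
    "client_identifier": "<CLIENT_ID>",
    "scope": "openid",
    "redirect_url": "https://thalesauth.com/api/callback?service=1&name=Apps_GenericOAuth&AccessToken=<WebServiceAccessToken>",
    "well_known_url": "https://example.STA.com/auth/realms/TENANT/.well-known/openid-configuration",
    "issuer": "https://example.STA.com/auth/realms/TENANT/",
    "groups_selector": "groups",
}

if __name__ == "__main__":
    print(check_connector(CONNECTOR, json.loads(DISCOVERY_JSON)) or "connector consistent")
```

A wrong issuer is the mismatch most likely to survive a copy-and-paste setup, and it matters: the issuer is what the connector compares with the iss claim of every ID token it accepts, so a value that does not match the provider's rejects all logins or, if the check is lax, accepts tokens from the wrong realm.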
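The Trusted Services table from step 4 decides which identity provider groups reach which published services, so it pays to evaluate a draft table before applying it. The script below is an added example, not the product's own authorization engine: it applies the semantics the Note under step 4 gives (an asterisk grants all services or all groups, a semicolon separates several names), reports which services a user with a given set of group claims would reach, and flags rows that grant every group every service. The rows, the service list and the group claims are constructed, and exact comparison of group names is an assumption about the product.

```python
# Added example; not the product's authorization engine. It evaluates Trusted
# Services rows with the semantics the Note under step 4 gives: an asterisk
# grants all services or all groups, a semicolon separates several names.
# Rows, services and group claims are constructed; exact name comparison is
# an assumption about the product.

def parse_names(cell):
    """Split a SERVICE NAME or GROUP NAME cell into a set of names."""
    return {name.strip() for name in cell.split(";") if name.strip()}


def cell_matches(cell, value):
    """True when the cell names `value` or contains the wildcard *."""
    names = parse_names(cell)
    return "*" in names or value in names


def allowed_services(rows, user_groups, services):
    """Return the services that a user carrying `user_groups` may reach.
    `user_groups` is what the Groups Selector (groups) extracts from the ID token."""
    granted = set()
    for service in services:
        for row in rows:
            if cell_matches(row["service"], service) and any(
                cell_matches(row["groups"], group) for group in user_groups
            ):
                granted.add(service)
                break
    return granted


def overly_broad_rows(rows):
    """Rows that grant every group access to every service (* in both columns)."""
    return [row for row in rows
            if "*" in parse_names(row["service"]) and "*" in parse_names(row["groups"])]


# Constructed rows; service names match the Application Name of each reverse access rule.
TRUSTED_SERVICES = [
    {"service": "Thales RDP", "groups": "Security;Testers"},
    {"service": "FileSharing;ClientSFTP", "groups": "Testers"},
]
SERVICES = ["Thales RDP", "FileSharing", "ClientSFTP"]

if __name__ == "__main__":
    print("Testers  ->", sorted(allowed_services(TRUSTED_SERVICES, ["Testers"], SERVICES)))
    print("Security ->", sorted(allowed_services(TRUSTED_SERVICES, ["Security"], SERVICES)))
    print("broad rows:", overly_broad_rows(TRUSTED_SERVICES))
```

A row with an asterisk in both columns is convenient during setup but removes the group check entirely; running the evaluator over the final table before step 10 shows whether any such row is still present.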

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Safe-T ZoneZero®, the second step is to activate the Safe-T ZoneZero® application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Safe-T ZoneZero® application you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, Safe-T ZoneZero®) and proceed to the next step.

2. Under STA Setup, under Account Details, perform the following steps:

a. In the SERVICE LOGIN URL field, enter the service login URL of the Safe-T ZoneZero® application, https://<FQDN_OF_AUTH_GATEWAY>:443/api/login

where <FQDN_OF_AUTH_GATEWAY> is the fully qualified domain name of the authentication gateway that is already registered in the Safe-T ZoneZero® application.

For example, https://thalesauth.com:443/api/login

b. In the VALID REDIRECT URL field, enter the redirect URL of the Safe-T ZoneZero® application, https://<FQDN_OF_AUTH_GATEWAY>/api/callback?service=1&name=Apps_GenericOAuth&AccessToken=<WebServiceAccessToken>

c. In the USERINFO SIGNATURE ALGORITHM field, ensure that RSA-SHA256 is selected.

d. In the REQUEST SIGNATURE ALGORITHM field, ensure that RSA-SHA256 is selected.

e. For the rest of the fields, modify the default values according to your preferred configuration.

3. Click Save Configuration to save the details and activate the Safe-T ZoneZero® application in SafeNet Trusted Access.
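The VALID REDIRECT URL entered in step 2 (b) must be the same string as the Redirect URL entered in the Safe-T ZoneZero® connector (step 3 (g) of Configuring STA in Safe-T ZoneZero®), because an OpenID Connect provider compares the redirect_uri it receives in the authorization request with the registered value. The script below is an added example, not Thales or Safe-T code: it reports component by component where two redirect URLs differ, and checks the SERVICE LOGIN URL from step 2 (a) for HTTPS, the authentication gateway FQDN and the /api/login path. The URLs are constructed from the page's placeholders and example FQDN; <WebServiceAccessToken> stands for the token the support team provides.

```python
# Added example; not Thales or Safe-T code. It compares the ZoneZero Redirect URL
# with the STA VALID REDIRECT URL, which must be identical strings, and checks the
# SERVICE LOGIN URL. The URLs are constructed from the page's placeholders.
from urllib.parse import parse_qs, urlsplit

AUTH_GATEWAY_FQDN = "thalesauth.com"  # the page's example FQDN
ZONEZERO_REDIRECT_URL = ("https://thalesauth.com/api/callback"
                         "?service=1&name=Apps_GenericOAuth&AccessToken=<WebServiceAccessToken>")
STA_VALID_REDIRECT_URL = ZONEZERO_REDIRECT_URL  # the value that belongs in STA


def redirect_url_differences(zonezero_url, sta_url):
    """Describe where the two redirect URLs differ; [] means they are identical."""
    if zonezero_url == sta_url:
        return []
    a, b = urlsplit(zonezero_url), urlsplit(sta_url)
    diffs = []
    # Compare component by component so the report says what to fix. Note that
    # https://host:443/ and https://host/ name the same resource but are different
    # strings, and a string comparison is what the provider performs.
    for part in ("scheme", "netloc", "path"):
        if getattr(a, part) != getattr(b, part):
            diffs.append(f"{part}: {getattr(a, part)!r} vs {getattr(b, part)!r}")
    qa = parse_qs(a.query, keep_blank_values=True)
    qb = parse_qs(b.query, keep_blank_values=True)
    for key in sorted(set(qa) | set(qb)):
        if qa.get(key) != qb.get(key):
            diffs.append(f"query {key}: {qa.get(key)} vs {qb.get(key)}")
    return diffs or ["URLs differ only in parameter order or encoding"]


def check_service_login_url(url, auth_gateway_fqdn):
    """Check the SERVICE LOGIN URL: HTTPS, the auth gateway FQDN and the /api/login path."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("service login URL must use https")
    if parts.hostname != auth_gateway_fqdn:
        problems.append("service login URL host must be the authentication gateway FQDN")
    if parts.path != "/api/login":
        problems.append("service login URL path must be /api/login")
    return problems


if __name__ == "__main__":
    print(redirect_url_differences(ZONEZERO_REDIRECT_URL, STA_VALID_REDIRECT_URL)
          or "redirect URLs match")
    print(check_service_login_url("https://thalesauth.com:443/api/login", AUTH_GATEWAY_FQDN)
          or "service login URL OK")
```

A mismatch shows up at login as the provider refusing the authorization request rather than as a ZoneZero error, which is why comparing the two strings before step 3 saves a round of troubleshooting; the AccessToken query parameter in particular has to be identical on both sides.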

Verify Authentication

Using STA Console

Navigate to the Safe-T ZoneZero® login URL, https://<FQDN_OF_AUTH_GATEWAY>/api/login, and click Log In.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Safe-T ZoneZero® console after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Safe-T ZoneZero® application icon. You should be successfully logged in to the Safe-T ZoneZero® application after authentication.

 

© 2020 SafeNet Trusted Access. Various trademarks are held by their respective owners.