Skip to content

SAML Integration

Excalibur SAML Integration manual consists of 2 parts:

  • Dashboard - Manual for managing Service providers on Identity Provider (Excalibur) side
  • Configurations - Guide for configuring specific services like (O365, Cisco ASA, ...). List of supported services can be found here.

Dashboard

To manage SAML you need to be logged into Excalibur Dashboard as Administrator. Excalibur Dashboard SAML user interface:

!Description

Get Excalibur IDP Metadata

  • Download metadata file:

    You can download Excalibur SAML IDP metadata by clicking on SAML IDP Metadata:

!Description

  • Show metadata in browser:

    Go to https://xclbr.com/saml/metadata, where xclbr.com is Excalibur server domain name

    Example:

    <EntityDescriptor entityID="xclbr.com">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate> MIIFWzCCA0OgAwIBAgIUBxMfRNk3gvc1AAEFHQ1d8beC2+gwDQYJKoZIhvcNAQELBQAwPTELMAkGA1UEBhMCQVUxCzAJBgNVBAgMAlNLMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAwNzA4MTAwNzExWhcNMzAwNzA2MTAwNzExWjA9MQswCQYDVQQGEwJBVTELMAkGA1UECAwCU0sxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALTRhAnTQ1Kc4BSIt2KyEwUXaYV4mUtJqBf6xQOIz6DNV1onZKrMfJIx/1geNK+DaNc3qu/KRi9JShzX9W9aD7bTqb0o6kgr8H9vFjgca4oW5Q35P2m8Af1AeSHCLpx7jzIovyyazkQdNOOBpZBl+n0qarQtN65J5EdKd9/t6WU/OTcu5IMM9ekdhSh1srEoxBdXRFY+VI38Yn/z2ZIRFKuVEAyGYdQGx6jUvzwqevUa6L+KoQ7MMdQbDl6c24iIwdhPWs58xibk42AUrUNhzncU6R6kVlDTpz4nNTpGSPKqLuGZXmufgI7YjSRJ+h1uYMeIE8xqym2s7VUGO5wDg6nHcG/IWiKjRzYMJkIgV3qZZnd4XPWatgckHK8T4ikW/URFGlFAoAutvP9tC5pzbHeShEW1WLHmla4I+7j9rLVDTO7FeH93pLYrzu8XvqmwhpsOoiMC2l9uQ96gdKqwLMo1byZt5zWdvx5iOi5wGXOIdBwRf5V66CE+cjMurVgRhc+s1HoiYAaehadsRNzr3EU8q/T5JRInimDYVadXZ9cxSlfQtC/94l5lGbTwa18lELt2YZKCjktXYw2rE7d6RtZ097EbuRs9fne6KBp9l61vJP05y8wCokRgB35tlnBrh8rsLNqHjgLrukfUyOq/26oPhojEthjBmXzdnfJCVBJDAgMBAAGjUzBRMB0GA1UdDgQWBBTDaLh/T/fF2Y9ts9oQRwpP9crMkDAfBgNVHSMEGDAWgBTDaLh/T/fF2Y9ts9oQRwpP9crMkDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAtnEffqsJyYJ3oLFH5JIFFRkBNIFW3loEJR64bcU7NEBJi4kpwJYS7w/ANHMJhv46pAE1gfdGL4CrxiFQfvregVvXF0b74aI/Dr5OD2lnpmS1q/odp2QOz1HI7kyfj/q/DruBa9/WfvStD4aUmI+pYKAWVeBGSiGJQnUi9ePNMAT9XoSb59262ZSWNPWF52o32MwouKZpz0fYtof1iYQJau4/yYGdGJnaDKLZKilOBvgD4uVfeNyF/YZFag4H+xcdD26bStkFNZ8kAaI/5cp4YKnZiSDadcr/fxNlp+PK9U21NihcHFkguce67EtAlN8KSz/d9V/8LhoUT3QcN6x6uWXxjTb9KUAZoEhMBr32HlLYI8MDMxhe7r/SbE+MgeZ+/cl+bhrBWoA51wrCXKXlnI3qYzxOf97QoqlA3JwVZQ8qtQjOSHXn6PYPbjP+AUKJ+284w+B/2bN8akpY4kR1/VQEl58+bSe+2IGqmKfASKHD69G/BcjZy2zv5HI3y3o61bY2exMN926xIFhqIEQnbsirsOyMpZ+8fSAQ/euWEbJ09AwJxrS/rGqNbP4azwCY+XOKqXTxjKEk6MwsgewQD7AUT4GiUM0DqjnaP+Qyl7XzjCdRK1/L/NLUcgtgOK0yKiVvpEqXP3huDfZg5rgWP8cgf9GJhwBnJlAJ4KdyUoQ==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </NameIDFormat>
        <NameIDFormat>
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        </NameIDFormat>
        <NameIDFormat>
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xclbr.com/saml/login"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://xclbr.com/saml/login-post"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xclbr.com/saml/logout"/>
    </IDPSSODescriptor>
</EntityDescriptor>

Get Excalibur IDP Certificates

  • Download Signing Certificate: Used for signing SAML messages / assertions if Service Provider is configured that way.


    !Description

  • Download Encryption Certificate: If Excalibur IDP is configured to encrypt messages/assertion encryption certificate should be located in Excalibur Dashboard in the same place as signing certificate.

Managing Service providers (SPs)

Add Service provider (SP)

Service providers are managed using SAML SP Metadata.

!Description

Edit Service provider (SP)

Editing is done the same way as adding new Service provider but with edited metadata. When editing SP confirmation dialog will be displayed:

!Description

Remove Service Provider (SP)

Just click the cross button next to SP you want to delete. You will be prompted to confirm your action:

!Description

Configurations

You can find here manuals for configuring Excalibur SAML IDP with a few SPs. Excalibur IDP should work with any standard SAML Service Providers, but we cannot actively test and maintain all SAML Service Providers implementations. Supported services have configuration manual here. If something is not right, outdated, or you need our help, you can contact us at xclbr@xclbr.com

Supported services:

Fortigate configuration

Resources:
- Fortigate as SP - SSL VPN (6.2.3) - SAML SSO with AZURE as IDP (6.2.0) - SAML SSO with AZURE as IDP

Example configurations

For SSL VPN: 

config user saml
    edit "XCLBR-SAML"
        set cert "Fortinet_Factory"
        set entity-id "https://10.67.56.24/remote/saml/metadata"
        set single-sign-on-url "https://10.67.56.24/remote/saml/login"
        set single-logout-url "https://10.67.56.24/remote/saml/logout"
        set idp-entity-id "https://staging.xclbr.com"
        set idp-single-sign-on-url "https://staging.xclbr.com/saml/login"
        set idp-single-logout-url "https://staging.xclbr.com/saml/logout"
        set idp-cert "REMOTE_Cert_1"
    next
end

config user group
    edit "SAML-SSLVPN"
        set member "XCLBR-SAML"
    next
end

config firewall policy
    edit 8
        set name "SSLVPN"
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "SAML-SSLVPN"
    next
end
Just for Admin login: 
config system saml
    set status enable
    set role service-provider
    set default-login-page normal
    set default-profile "super_admin"
    set cert ''
    set idp-entity-id "https://excaliburmfa.intertech.com.tr"
    set idp-single-sign-on-url "https://excaliburmfa.intertech.com.tr/saml/login"
    set idp-single-logout-url "https://excaliburmfa.intertech.com.tr/saml/logout"
    set idp-cert "REMOTE_Cert_2"
    set server-address "10.140.140.76"
end

Pulse configuration

Configuring SAML

  • create new Metadata Provider in System -> Configuration -> SAML -> New Metadata Provider
  • create new Authentication Server in Authentication -> Auth. Servers -> New Server
  • change auth. server in User Realms -> your user group -> Authentication drop down

Metadata

Service Provider Metadata can be downloaded from Auth Servers -> SAML Server -> Settings -> Download Metadata

Cisco ASA Configuration

Resources:

Configuration steps with example values:

  1. Set time synchronization between the IdP and the ASA(SP):
    ciscoasa(config)# ntp server 209.244.0.4
  2. Import the IdP's signing certificate into a trustpoint:
    ciscoasa(config)# crypto ca trustpoint exc-tp
ciscoasa(config-ca-trustpoint)# enrollment terminal
ciscoasa(config-ca-trustpoint)# no ca-check
ciscoasa(config-ca-trustpoint)# crypto ca authenticate exc-tp
Enter the base 64 encoded CA certificate.
End with the word "quit" on a line by itself
quit
INFO: Certificate has the following attributes:
Fingerprint:     85de3781 07388f5b d92d9d14 1e22a549
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
  3. Add a SAML IdP:
    ciscoasa(config-webvpn)# saml idp xclbr

    where xclbr is entityID of Excalibur IDP from metadata.

  4. Configure attributes under saml-idp sub-mode:

    ciscoasa(config-webvpn-saml-idp)# url sign-in https://xclbr.com/saml/login
ciscoasa(config-webvpn-saml-idp)# url sign-out https://xclbr.com/saml/logout
ciscoasa(config-webvpn-saml-idp)# trustpoint idp exc-tp
ciscoasa(config-webvpn-saml-idp)# trustpoint sp asa_saml_sp
ciscoasa(config-webvpn-saml-idp)# base-url https://vpn.asa.com      
ciscoasa(config-webvpn-saml-idp)# signature rsa-sha256
ciscoasa(config-webvpn-saml-idp)# timeout assertion 7200
    where:

    • xclbr.com is Excalibur server domain name (FQDN)
    • exp-tp is truspoint with imported Excalibur signing cert from step 2.
    • asa_saml_sp is ASA trustpoint with certificates imported
    • vpn.asa.com is ASA domain name (FQDN)
  5. Configure an IdP for a tunnel group and enable SAML authentication:
    ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# tunnel-group-list enable
ciscoasa(config)# tunnel-group idp_exc type remote-access
ciscoasa(config)# tunnel-group idp_exc webvpn-attributes
ciscoasa(config-tunnel-webvpn)# authentication saml
ciscoasa(config-tunnel-webvpn)# group-alias Excalibur enable
ciscoasa(config-tunnel-webvpn)# saml identity-provider xclbr.com

    where xclbr is saml idp name from step 4.

  6. Add Cisco ASA SP Metadata to Excalibur IDP:
    1. You can get the ASA's SAML SP metadata from https://vpn.asa.com/saml/sp/metadata/idp_exc, where:
      • vpn.asa.com is ASA domain name (FQDN)
      • idp_exc is tunnel-group configured in step 6
    2. Adding SP metadata to Excalibur IDP

Notes:

  • Certificate CN does not have to be the same as entityID of IDP
  • SAML idp name needs to be same as entityID of IDP
  • Running Cisco ASA in esx could lead to incorrect system time, check with show clock, restart should resolve this issue (don`t forget to write configuration)
  • SAML responses have limited time validity
  • Self signed signing certificate should be enough for SAML
  • If you see just blank page instead of Excalibur SAML Login page (with QR Code), check browser compatibility mode.
  • Excalibur works with IE 8 and everything more modern.

Alliance Web Platform (SWIFT)

For configuring SAML in Alliance Web Platform you will need 2 admin accounts. This guide will use keywords admin1 and admin2 as placeholders.

Administrator needs to create each user, that should have access to Alliance Web Platform via SAML login. If the user is not created in Alliance Web Platform, authentication will fail.

Steps:

  1. Get Excalibur Identity Server Metadata
  2. Generate Metadata for Identity Providers (admin1):

    In User Management tab choose Identity Provider Servers and click Generate Metadata button. Save this metadata.

  3. Add an Identity Provider Server (admin1)
    1. On the Identity Provider Servers page, the first user clicks Add.
    2. In the Server Name field, type a name for the identity provider server.
    3. In the Description field, type a description for the identity provider server.
    4. In the Identity Provider Metadata field, click Browse to select the metadata file to use. Use metadata downloaded in step 1
    5. Click Save.

    The new identity provider server is created with a status of Disabled.

  4. Enable Identity Provider Server (admin2)

    This must be done by an administrator other than the one who added the Identity Provider Server. So if admin1 added Identity Provider Server, admin2 needs to enable it.

    • From the Identity Provider Servers page, select the check box next to the identity server that you want to modify and click Enable.
    • Alternatively, from the Identity Provider Servers page, click the identity server that you want to modify. The Identity Provider Server Details window opens. Then click Enable.
  5. Add users (admin1)

    For each user you want to add:

    1. On the Users page, admin1 clicks Add to create a new Alliance Web Platform Server-Embedded user.
    2. In the Name field, type the name of the user.
    3. In the Role field, select the role of the user from the drop-down menu.
    4. In the Authentication Type field, select Identity Provider.
    5. In the E-mail Address field, type the e-mail address associated with the user.
    6. In the External Identifier field, type the e-mail address associated with the Excalibur user. Excalibur uses email addresses as identifiers.
    7. Click Save.

    The new user is created with a status of Disabled.

  6. Enable users (admin2)
    • Either on the Users page or the Users Details page, the Administrator selects the user and clicks Enable.
  7. Add Service Provider to Excalibur

Notes:

  • SWIFT Online Help is quite useful.
  • All users need to be manually created.
  • If the user is not created in the Alliance Web Platform, authentication will fail, even if it will succeed on the Excalibur side.
  • SWIFT hostname in metadata is generated from current url.
  • Metadata are generated in Identity Providers page on demand so unless someone generates metadata manually, metadata should not change, not even when another hostname is used.

RSA SAML Test Service Provider configuration

https://sptest.iamshowcase.com/

  1. Go to https://sptest.iamshowcase.com/instructions and download SP metadata
  2. Add SP metadata to Excalibur IDP
  3. Download IDP metadata
  4. Upload IDP metadata to https://sptest.iamshowcase.com/instructions
  5. Try login using Excalibur from generated url

Office 365

Office configuration needs to be done in Windows Powershell

  1. Add Office Metadata to the Excalibur.

    Link to the Office metadata found in Azure AD docs

  2. Import-Module AzureAD

    Note:

    If a module is not installed, install it with: Install-Module -Name "AzureAD"

  3. $cred=get-credential

    Note:

    User credentials usually ends with .onmicrosoft.com

  4. Connect-MSOLService –Credential $cred

    Note:

    This command is part of another module, which needs to be installed: Install-Module MSOnline

  5. (Optional) Add users: 

    New-MsolUser -UserPrincipalName john@domain.com -ImmutableId john -DisplayName "John Doe" -FirstName John -LastName Doe

  6. Excalibur attributes: 

    $dom = "xclbr.com"
$uri = "<Excalibur url>"
$LogOnUrl = "<Excalibur url>/saml/login-post"
$LogOffUrl ="<Excalibur url>/saml/logout"
$MetadataUrl = "<Excalibur url>/saml/metadata"
$Protocol = "SAMLP"
$cert="<MII..>"

    Notes:

  7. Set Domain Authentication: 

    Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName Excalibur -Authentication Federated -PassiveLogOnUri $LogOnUrl -SigningCertificate $cert -IssuerUri $uri -LogOffUri $LogOffUrl -MetadataExchangeUri $MetadataUrl -PreferredAuthenticationProtocol $Protocol

Other helpful commands:

Notes:

  • Office is sending username, which user entered, in initial request (SAMLRequest), but Excalibur is not responding with actual user that logged in.
  • Once Domain Authentication is set it needs to be changed to Managed prior to any changes.

Citrix Storefront

StoreFront 3.9 and newer have native support for SAML Authentication without Citrix ADC. Notes: - SAML overrides Explicit and Pass-through authentication. - SAML in StoreFront without Citrix ADC seems to work in Workspace app and Receiver Self-Service for Windows.

Before adding a SAML as authentication method to the Citrix StoreFront you have to download Excalibur SAML signing certificate.

Adding a new Authentication Method to the Citrix StoreFront:

  1. In StoreFront 3.9 or newer console, right-click a Store, and click Manage Authentication Methods

  2. Check the box next to SAML Authentication. If you don’t see this option (because you upgraded from an older version), click the Advanced button on the bottom of the window, and install the authentication method.

  3. On the right, click the gear icon for SAML, and click Identity Provider.

  4. Change the SAML Binding to the Post

  5. Enter ID of your Excalibur deployment, it can be found in the Excalibur IDP Metadata

  6. Click import.

  7. Import Excalibur certificate exported in the first step.

  8. Download Citrix StoreFront metadata. There is a little snippet for the powerShell to get information about Citrix StoreFront SAML Service Provider.

Last step is to import Citrix SAML SP Metadata to the Excalibur.

Citrix StoreFront SAML Service Provider information

asnp citrix*

$StoreVirtualPath = "/Citrix/Store"

$store = Get-STFStoreService -VirtualPath $StoreVirtualPath

$auth = Get-STFAuthenticationService -StoreService $store

$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/AssertionConsumerService")

$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlForms/ServiceProvider/Metadata")

$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + "/SamlTest")

Write-Host "SAML Service Provider information:
Service Provider ID: $spId
Assertion Consumer Service: $acs
Metadata: $md
Test Page: $samlTest "

Resources:

Google

TODO: To be added.

Further Materials

Excalibur Administrator Dashboard Manual

Excalibur FAQ