To configure Zentera zCenter Identity Services to authenticate external admins or users against ADFS with SAML2.0, you will need to perform several steps to establish a trust relationship and configure the appropriate settings. Users and admins require separate configurations, and may be authenticated against completely independent user directories.
Any authentication security considerations, such as MFA, device trust, etc., that are configured within the ADFS service are out of scope for this document.
Identity Services Configuration
Zentera CoIP Access Platform supports multiple user authentication mechanisms:
SAML2.0 Identity Providers
LDAP-based Directory Services
zCenter locally configured users
There are independent configuration options available for the different types of users and locations for authentication.
Admin Portal - Service Admins
Admin Portal - Customer Admins
CoIP Launcher Users - End users within the scope of individual Customers
Please note, the external Identity Providers are used by the CoIP Access Platform for authentication only, and not for resource authorization. Roles and permissions are managed on the zCenter portal.
This article discusses the SAML2.0 Identity Services configuration, specifically with the ADFS service. First described is the CoIP Launcher Users' Identity Service configuration, then the configuration for Admin Portal admins. These are very similar, differing mostly in where in zCenter they are configured.
ADFS Configuration
The configuration of the ADFS server is out of the scope of this article. For reference, we used the below resources to configure the ADFS server in our testing:
ADFS/SAML2.0 Identity Service Configuration for CoIP Users
Login to your zCenter account and select the drop down for the Customer you would like to create the ADFS trust in.
Select “Settings / Manage Identity Services”
In the “Authentication method for external CoIP User accounts” drop down select “Customized SAML 2.0” and select Yes in the “Change Authentication method” pop-up
Click the button for “New Identity Provider” and provide the following information from your ADFS server (the settings displayed are default configurations for a newly created ADFS)
Display Name (Any descriptive name)
Entity ID
SSO Service URL
Logout Service URL (need more information)
For “Signing Option” select “Sign SAML Assertion”
X509 Certificate (the ADFS token-signing certificate; in a default install this is the self-signed certificate ADFS generates for itself)
Click “Save”
Click the button for “View Service Provider Info” and record the information for your ADFS server configuration.
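The four ADFS-side values entered in the "New Identity Provider" form above can be read straight off the ADFS server instead of the management console. The following PowerShell is an added example for this article, not Zentera's or Microsoft's code; it assumes a default ADFS install with its PowerShell module, that the Logout Service URL is the same /adfs/ls/ endpoint as the SSO Service URL (ADFS serves both SAML bindings there), and the file name adfs-token-signing.pem is an arbitrary choice.

```powershell
# Added example, not part of the Zentera article: collect on the ADFS server the values the
# "New Identity Provider" form in zCenter asks for. Assumes a default ADFS install (Windows
# Server ADFS role with its PowerShell module); the farm FQDN is taken from HostName.
Import-Module ADFS

$props = Get-AdfsProperties

# Entity ID: the federation service identifier (default http://<fqdn>/adfs/services/trust).
$entityId = $props.Identifier.AbsoluteUri

# SSO Service URL and Logout Service URL: a default ADFS uses the single /adfs/ls/ endpoint for
# both the SAML sign-on and the SAML logout bindings (assumption: no custom endpoint layout).
$ssoUrl    = "https://$($props.HostName)/adfs/ls/"
$logoutUrl = $ssoUrl

# X509 Certificate: the primary token-signing certificate, which signs the SAML assertions
# zCenter will verify. Export it as PEM so it can be pasted into the zCenter form.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
Set-Content -Path .\adfs-token-signing.pem -Value $pem

# Caveat: with AutoCertificateRollover (the default) ADFS generates a new token-signing
# certificate before this one expires, and assertions signed with the new key will fail
# verification in zCenter until the pasted certificate is replaced. Record the expiry.
[pscustomobject]@{
    EntityID                = $entityId
    SSOServiceURL           = $ssoUrl
    LogoutServiceURL        = $logoutUrl
    SigningCertThumbprint   = $signing.Thumbprint
    SigningCertNotAfter     = $signing.Certificate.NotAfter
    AutoCertificateRollover = $props.AutoCertificateRollover
} | Format-List
```

Run it in an elevated PowerShell session on the ADFS server; the PEM file contents go into the "X509 Certificate" field and the printed URLs into the matching fields. Keep the SigningCertNotAfter date somewhere visible, because a rolled-over token-signing certificate is the most common reason an ADFS trust that worked at setup stops working a year later.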
Configure ADFS server with zCenter information
Create new Relying Party Trust
In your ADFS control panel add a new Relying Party Trust
Configure Signature
On your ADFS server save the X509 Certificate from zCenter as zcenter.cert
In the “Signature” tab, click the “Add” button and select the certificate saved in the previous step
Configure the SAML Assertion Consumer endpoint
In the Endpoints tab click the “Add SAML” button.
In the Add Endpoint box, leave “Endpoint type” at its default of “SAML Assertion Consumer”
Change the “Binding” drop down to “POST”
In the “Trusted URL” field enter the “Assertion Consumer URL” from zCenter
Click “OK”
The below diagram shows the final look of the Endpoints tab
Configure “Identifiers”
In the “Identifiers” tab insert the following
Display Name (any descriptive name)
Input the “Issuer (Entity ID)” from zCenter in the “Relying party identifier”
Click the “Add” button
Click the “OK” button to save the Relying Party Trust
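The whole Relying Party Trust from the steps above (signature certificate, POST assertion consumer endpoint, identifier) can be created in one PowerShell pass, which also makes it reviewable and repeatable across a farm. This is an added example for this article, not Zentera's or Microsoft's code. The identifier, ACS URL, certificate path and group SID are placeholders to be replaced with the values from "View Service Provider Info"; the claim rule that issues the AD sAMAccountName as the SAML Name ID (with the "unspecified" name-id format) is an assumption that follows from the onboarding requirement that the zCenter UserID must match an AD username, and the group-restricted issuance authorization rule is an optional tightening of the wizard's "Permit everyone" default.

```powershell
# Added example, not part of the Zentera article: create the zCenter Relying Party Trust from
# PowerShell on the ADFS server (equivalent to the wizard steps above).
# All values below are placeholders; replace them with the "View Service Provider Info" values.
Import-Module ADFS

$rpName          = "Zentera zCenter - CoIP Users"               # Display Name (Identifiers tab)
$rpIssuer        = "https://zcenter.example.com/saml/metadata"  # "Issuer (Entity ID)" from zCenter (assumed)
$acsUrl          = "https://zcenter.example.com/saml/acs"       # "Assertion Consumer URL" from zCenter (assumed)
$zcCertPath      = "C:\certs\zcenter.cert"                      # X509 Certificate saved from zCenter
$zcUsersGroupSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"  # AD group allowed to log in (assumed)

# Signature tab: zCenter signs its AuthnRequests with this certificate. Loading it and
# requiring signed requests makes ADFS reject requests that were not produced by zCenter.
$zcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $zcCertPath

# Endpoints tab: SAML Assertion Consumer endpoint, POST binding, Trusted URL = ACS URL.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# Claim rules. zCenter matches the SAML Name ID against the onboarded UserID, which must equal
# the AD username, so issue sAMAccountName as the Name ID. The name-id format is an assumption.
$transformRules = @'
@RuleName = "Look up sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://zcenter.example.com/claims/samaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Issue sAMAccountName as Name ID"
c:[Type == "http://zcenter.example.com/claims/samaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Issuance authorization: only members of one AD group get a token for zCenter (least privilege;
# the wizard default is "Permit everyone"). Roles and permissions are still decided in zCenter.
$authzRules = @"
@RuleName = "Permit zCenter users group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$zcUsersGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# -SamlResponseSignature AssertionOnly matches the "Sign SAML Assertion" signing option in zCenter.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpIssuer `
    -SamlEndpoint $acs `
    -RequestSigningCertificate $zcCert `
    -SignedSamlRequestsRequired $true `
    -SamlResponseSignature "AssertionOnly" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check: confirm what was actually stored before testing a login from the CoIP Launcher.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignedSamlRequestsRequired, SamlResponseSignature,
        @{ n = "AssertionConsumer"; e = { ($_.SamlEndpoints | Where-Object Protocol -eq "SAMLAssertionConsumer").Location } }
```

If zCenter does not send signed AuthnRequests in your deployment, drop -SignedSamlRequestsRequired (ADFS would otherwise reject every login); leave -RequestSigningCertificate in place so the certificate is still used for signed logout messages. The Get-AdfsRelyingPartyTrust check at the end is worth keeping in any change script: a trust that exists but has the wrong Identifier or a missing ACS endpoint fails only at login time, with an ADFS event rather than a zCenter error.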
Create Users for External Login
In OBF select “Onboarding and Management / Users”
Click the “Onboard User+” button
In the Add User screen enter the following information
UserID (this must match an AD username with ADFS access)
In the “Authentication Type” drop down select “External”
Email
Fill in any additional information needed
Test ADFS login with zCenter Launcher login
When logging into the CoIP Launcher with the username configured for External Authentication, you will be redirected to your ADFS server/proxy to enter the password information. After successful authentication on the ADFS page, the user will be redirected to the CoIP Launcher dashboard.
ADFS/SAML2.0 Identity Service Configuration for CoIP Admins
To configure ADFS for Admins, the same procedure described above applies; only the starting point within zCenter differs, as listed below:
Global Service Admins
Advanced Management menu → Service Management → Identity Services → Admin Account
Per-Customer Admins
Advanced Management menu → Portal Management → Customers → Manage Identity Services for a specific Customer
Please note, the “Service Provider Info” obtained from the zCenter will vary slightly depending on whether it is for Portal Admins or for CoIP Launcher Users.