Integrating MetaAccess and SafeConnect NAC Using SAML Authentication

If end-user devices are being assessed by MetaAccess, and the network is being managed by SafeConnect NAC, you may want to restrict the internet access for devices that MetaAccess indicates are not compliant with all policies. One way to accomplish this is via the use of a SAML authentication policy in SafeConnect linked to MetaAccess. When end-user devices are seen by SafeConnect they are blocked until they authenticate. When MetaAccess indicates that these devices are not yet compliant, the SafeConnect captive portal shows the MetaAccess remediation instructions.

To Integrate MetaAccess and SafeConnect using SAML authentication:

Step 1. Preliminaries

  1. Before beginning, contact OPSWAT support at (813)-607-2771, or via email at support@impulse.com, and request that the SAML authentication feature be enabled on your appliance. Also tell them what Identity Provider you intend to use so they can make the necessary remediation resources available to quarantined users.

  2. Complete the MetaAccess setup by referring to 3.1.1. How to set it up?

  3. Only continue once you receive confirmation from OPSWAT support that SAML integration has been enabled on the SafeConnect appliance.

Step 2. Get SAML Information from SafeConnect NAC

SafeConnect NAC is operating as the Service Provider in a SAML authentication system. Some information needs to be retrieved from the SafeConnect appliance before continuing.

  1. Log in to the appliance, use the hamburger menu in the upper left to navigate to the "Configuration" page, and click "SAML" on the left-hand panel.

  2. Click on the "Service Provider Configuration" tab and note the "Entity ID" at the top of the page. This should be "urn:impulse:saml:auth". You will also need to know your Single Sign-On URL. If you are using the default hostname for your SafeConnect appliance, this will be "https://portal.myweblogon.com:8443/saml/SSO". If you are using a custom hostname, replace "portal.myweblogon.com" with your custom hostname and replace "8443" with "9443". Many Identity Providers support more-or-less hands-off configuration through the upload of a metadata XML file. If your Identity Provider supports this, you can download this file from SafeConnect by scrolling to the bottom of the "Service Provider Configuration" page and clicking "Download Metadata". If your Identity Provider requires that you enter Service Provider information manually, click "Download Certificate" to download the certificate SafeConnect uses, so that it can be uploaded to the Identity Provider.

Step 3. Identity Provider Configuration

Note: The exact steps for adding a Service Provider will vary by Identity Provider. The steps below use Okta.com, but your Identity Provider may have different steps.

  1. Navigate to your Okta organization dashboard as a user with admin privileges. Then click "Admin" in the upper right.

  2. Click "Add App".

  3. On the next page, click "Create New App", select "Web" and "SAML 2.0" on the dialog this brings up, then click "Create".

  4. On the "General Settings" page set "App Name" to "SafeConnect" and upload a custom logo if you would like. Then click "Next".

  5. On the "SAML Settings" page, set "Single sign on URL" and "Audience URI (SP Entity ID)" to the values you got from the SafeConnect "Service Provider Configuration" tab. Then scroll to the bottom and click "Next", then "Finish" on the next page.

  6. You should now be on a page with a panel containing a "View Setup Instructions" link. Click "View Setup Instructions" to be taken to the page where we'll get the last piece of information we need to finish setting up SafeConnect's SAML configuration.

  7. Scroll to the bottom of the page to find a text box containing an XML document. This is referred to as the IDP "metadata", and SafeConnect will use it to configure itself for this particular Identity Provider. Copy all of the text from the text box and save it to a .xml file.

Step 4. SafeConnect NAC Configuration

  1. Back in the SafeConnect UI, under "Configuration" > "SAML" > "Identity Provider Configuration", click on the "New IDP" button.

  2. Give the new Identity Provider a name, check the "Default IDP" box, select the .xml file with the metadata you got from your Identity Provider, and click "Upload".

  3. (Optional) Click "Delete" on the "testSaml" IDP panel.

  4. Verify that SAML authentication is working by setting up a group to use the "SAML Single Sign On Service" authentication policy, and having a member of that group authenticate with SafeConnect using SAML credentials. For best results we recommend making sure that this authentication policy requires users to authenticate every session. This ensures that compliance changes on the MetaAccess side are reflected in SafeConnect network access as often as possible.

Step 5. MetaAccess Integration

  1. From your MetaAccess dashboard, navigate to "Access Control" > "Configurations".

  2. Check "Enable access control" if it's not already checked, then click "Add New Identity Provider".

  3. Before we can fill out the new fields that have just appeared, we'll need to get some more information from the Identity Provider. For the case of Okta, navigate back to the "View Setup Instructions" page from earlier in a new tab. Download Okta's certificate and locate the IDP Login URL in the metadata text. It is the "Location" attribute of the "<md:SingleSignOnService/>" tag.

  4. Back in the MetaAccess UI,

    • fill in the "IdP Name" field with the name of your IDP

    • upload the certificate you downloaded in the previous step

    • name the application "SafeConnect"

    • set "IDP Login URL" to the URL you just got from the metadata your IDP provided

    • set "Application ACS URL" to the "Single sign on URL" from earlier (e.g. https://portal.myweblogon.com:8843/saml/SSO)

    • set access mode to "Enforce"

    • click "ADD IDP"

  5. Once the application is saved, the "Setup Instruction" button will show you the login URL that the IDP should be using. Keep track of that URL.

  6. Take this URL to your IDP and use it to replace the URL that the IDP forwards successful authentication attempts to. For example, Okta calls this the "Single sign on URL".

  7. We need to replace the certificate included in the IDP metadata we provided to SafeConnect with a certificate OPSWAT generates for us. To get this certificate, click the "Download OPSWAT Certificate" button.

  8. Open up this file in a text editor and copy the certificate into your clipboard, excluding the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines and any newline characters.

  9. Make a duplicate of the metadata file from your IDP, and rename it to something like "idp_metadata_opswat_cert.xml". Then open it in a text editor, select the certificate text as you did before, selecting no extra characters, and press Ctrl-V to overwrite it with the OPSWAT-provided certificate. Save the file.

  10. Back in the SafeConnect UI under "Configuration" > "SAML" > "Identity Provider Configuration", choose the new metadata file and click "Upload" again.
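The metadata handling in Step 2 (reading the Entity ID and Single Sign-On URL from the SafeConnect SP metadata), Step 5.3 (finding the IDP Login URL in the IdP metadata) and Steps 5.7 to 5.9 (swapping the OPSWAT certificate into a copy of the IdP metadata) can be done with a short script instead of a text editor, which also catches the stray characters or newlines that Step 5.9 warns about. The following is an added example and not code from OPSWAT, SafeConnect or Okta; it assumes both metadata files follow the SAML 2.0 metadata schema with the usual md:/ds: namespaces and that the OPSWAT certificate download is PEM. The sample metadata, the hostname idp.example.com and the certificate bodies are constructed placeholders.

```python
"""SAML metadata helpers for the SafeConnect/MetaAccess integration steps.

Added example (not OPSWAT, SafeConnect or Okta code). Assumes SAML 2.0 metadata
with the md:/ds: namespaces and a PEM OPSWAT certificate. All sample data is constructed.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep md:/ds: prefixes when re-serialising

# Constructed SP metadata in the shape of SafeConnect's "Download Metadata" file.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:impulse:saml:auth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.myweblogon.com:8443/saml/SSO" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape shown on Okta's "View Setup Instructions" page.
# idp.example.com and the certificate body "MAMCAQI=" are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MAMCAQI=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed placeholder standing in for the downloaded OPSWAT certificate (PEM).
SAMPLE_OPSWAT_CERT_PEM = """-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
"""


def sp_entity_and_acs(sp_metadata_xml):
    """Step 2: the Entity ID and Single Sign-On (ACS) URL from the SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        raise ValueError("SP metadata has no AssertionConsumerService")
    return root.get("entityID"), acs.get("Location")


def idp_login_url(idp_metadata_xml, binding="HTTP-POST"):
    """Step 5.3: the Location of the md:SingleSignOnService element for a binding."""
    root = ET.fromstring(idp_metadata_xml)
    wanted = "urn:oasis:names:tc:SAML:2.0:bindings:" + binding
    for sso in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == wanted:
            return sso.get("Location")
    raise ValueError("no SingleSignOnService with binding " + binding)


def pem_body(pem_text):
    """Step 5.8: strip BEGIN/END lines and newlines, keep only the base64 body,
    and check that it really decodes to a DER object (an ASN.1 SEQUENCE)."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # raises ValueError on stray characters
    if not der or der[0] != 0x30:
        raise ValueError("certificate body does not decode to a DER SEQUENCE")
    return body


def replace_idp_certificate(idp_metadata_xml, new_cert_b64):
    """Step 5.9: overwrite the signing ds:X509Certificate value(s) in the IdP
    metadata and return the modified XML, ready to save and upload to SafeConnect."""
    root = ET.fromstring(idp_metadata_xml)
    replaced = 0
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # leave encryption-only keys alone
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            cert.text = new_cert_b64
            replaced += 1
    if replaced == 0:
        raise ValueError("IdP metadata has no signing X509Certificate to replace")
    return ET.tostring(root, encoding="unicode")


def build_opswat_metadata(idp_metadata_xml, opswat_cert_pem):
    """Steps 5.7 to 5.9 in one call: IdP metadata with the OPSWAT certificate swapped in."""
    return replace_idp_certificate(idp_metadata_xml, pem_body(opswat_cert_pem))


if __name__ == "__main__":
    print("SP Entity ID / ACS URL:", sp_entity_and_acs(SAMPLE_SP_METADATA))
    print("IDP Login URL:", idp_login_url(SAMPLE_IDP_METADATA))
    with open("idp_metadata_opswat_cert.xml", "w") as fh:
        fh.write(build_opswat_metadata(SAMPLE_IDP_METADATA, SAMPLE_OPSWAT_CERT_PEM))
```

Run it with the real files in place of the sample strings; the file it writes is the one to choose in Step 5.10. Only KeyDescriptor elements marked for signing (or with no "use" attribute) are rewritten, since SafeConnect validates the IdP's signed responses against that key, and the base64 check fails loudly if a header line, space or line break was copied along with the certificate body.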

Step 6. Test The Integration

You should have a policy group in SafeConnect NAC that requires users to authenticate against SAML. When a device is online and is put in that group, it should be presented with a captive portal that requires the user to authenticate against the SAML IDP.

When that login is successful, traffic should then be forwarded to MetaAccess for compliance checking. A compliant device should be presented with the SafeConnect redirect URL (by default a placeholder indicating that network access is now permitted). If the device is not compliant, it should be presented with a MetaAccess remediation page.