9.31 Web Authentication Method

The Web Authentication method lets Advanced Authentication authenticate users against external Identity Providers that use OAuth 2.0, OpenID Connect, or SAML 2.0. The method relies on browser-based and HTTP-based authentication protocols and can be used in web environments or in hybrid applications.

Before you configure the Web Authentication method, ensure that the Public external URLs (load balancer addresses) through which users reach Advanced Authentication are set correctly.

NOTE: Ensure that you use a valid certificate for the Advanced Authentication server. If the certificate is not valid, users may face enrollment issues in Internet Explorer and Microsoft Edge.

To configure the Web Authentication method for Advanced Authentication, perform the following steps:

  1. Click Methods > Web Authentication.

  2. Click Add in Identity providers.

  3. Select the Authentication type.

  4. Click the arrow icon.

You can configure the Web Authentication method to use the following types of Identity Provider: SAML 2.0, OpenID Connect, and OAuth 2.0.

9.31.1 SAML for Advanced Authentication

To add the SAML Identity Provider, perform the following steps:

  1. Specify the identity provider name in Identity Provider.

  2. Select a preset from Available presets for Name ID Format.

    The Name ID Format field is populated automatically.

    or

    Specify the format manually in Name ID Format.

  3. Click Browse to upload the Identity Provider Metadata file.

    WARNING: Ensure that you choose the Identity Provider Metadata file exported from the Identity Provider that you actually use. Do not use the metadata file exported from Administrative Portal > Policies > Web Authentication.

    NOTE: The Web Authentication method supports only HTTP-POST for the Single Sign-On (SSO) Service Binding parameter in the metadata file. HTTP-Redirect is not supported.

  4. Click the save icon.

  5. In the Upload SAML Service Provider signature certificate section, upload a certificate file in the PEM format that also contains the private key. The Web Authentication method uses this certificate and key to sign the SAML AuthnRequest.

    If the private key is protected by a password, specify the password in Private key password.

  6. Click Save.
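The two notes above (the wrong metadata file, and the HTTP-POST-only binding) can be checked before the upload. The following Python is an added example, not part of this documentation or of the product: it reads an IdP metadata file and reports whether it is really Identity Provider metadata rather than Service Provider metadata, whether it offers a SingleSignOnService with the HTTP-POST binding, and whether it advertises the Name ID Format you configured. The sample metadata, host names and function names are constructed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
WINDOWS_DQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"

# Constructed sample of IdP metadata; entityID and locations are placeholders, not a real ADFS server.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, wanted_nameid_format):
    """Return findings for a metadata file; an empty 'problems' list means it is usable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return {"problems": ["root element is not md:EntityDescriptor"]}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # The mistake the WARNING describes: the Service Provider metadata was exported instead.
        if root.find("md:SPSSODescriptor", NS) is not None:
            problems.append("this is Service Provider metadata, not Identity Provider metadata")
        else:
            problems.append("no md:IDPSSODescriptor element")
        return {"entity_id": root.get("entityID"), "problems": problems}
    # Only the HTTP-POST SSO binding is supported; an IdP that offers only HTTP-Redirect will not work.
    post_sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding") == HTTP_POST]
    if not post_sso:
        problems.append("no SingleSignOnService with HTTP-POST binding (HTTP-Redirect is not supported)")
    # Compare the configured Name ID Format with what the IdP advertises, when it advertises any.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if formats and wanted_nameid_format not in formats:
        problems.append("IdP does not advertise Name ID Format %s" % wanted_nameid_format)
    return {"entity_id": root.get("entityID"), "sso_post_url": post_sso[0] if post_sso else None,
            "nameid_formats": formats, "problems": problems}


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_IDP_METADATA, WINDOWS_DQN))
```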

An Example Configuration with ADFS

Perform the following steps to add ADFS as an Identity Provider for the Web Authentication method.

  1. Specify myexample-adfs as the Identity Provider name.

  2. Select urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName from Available presets for Name ID Format.

    The value in the selected Name ID Format is extracted from the SAML AuthnResponse token and saved as the authentication data (a unique value that is associated with the user).

  3. Click Browse to upload the IdP Metadata file from the ADFS server.

  4. Click the save icon.

  5. In the Upload SAML Service Provider signature certificate section, upload a certificate file in the PEM format with a private key.

    If the private key is protected by a password, specify the password in Private key password.

  6. Click Save.

Configuring the ADFS Identity Provider

  1. Save the Service Provider metadata from Advanced Authentication to a file. Use the URL mentioned below to obtain the Service Provider metadata:

    https://AAF_SERVER/webauth/TENANT/metadata

    NOTE: The default TENANT is TOP. Use TOP as TENANT if you are not using multi-tenancy.

    A sample Service Provider metadata file is shown below:

    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_7a8608ad1cfbc149" entityID="https://www.d18r14.tk/webauth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>https://www.d18r14.tk/webauth</ds:KeyName>
    <ds:X509Data>
    <ds:X509Certificate>
    MIIEOzCCAyOgAwIBAgIJAJcsrIQZzcT0MA0GCSqGSIb3DQEBCwUAMIGyMQswCQYD
    VQQGEwJDSDEcMBoGA1UECAwTR3JlYXRlciBadXJpY2ggQXJlYTEPMA0GA1UEBwwG
    WnVyaWNoMRcwFQYDVQQKDA5NaWNybyBGb2N1cyBBRzERMA8GA1UECwwIQXV0aGFz
    YXMxFzAVBgNVBAMMDm1pY3JvZm9jdXMuY29tMS8wLQYJKoZIhvcNAQkBFiBhbGV4
    YW5kZXIuZ2FsaWxvdkBtaWNyb2ZvY3VzLmNvbTAgFw0xNjA1MjAwOTMyMzlaGA8y
    MTE2MDQyNjA5MzIzOVowgbIxCzAJBgNVBAYTAkNIMRwwGgYDVQQIDBNHcmVhdGVy
    IFp1cmljaCBBcmVhMQ8wDQYDVQQHDAZadXJpY2gxFzAVBgNVBAoMDk1pY3JvIEZv
    Y3VzIEFHMREwDwYDVQQLDAhBdXRoYXNhczEXMBUGA1UEAwwObWljcm9mb2N1cy5j
    b20xLzAtBgkqhkiG9w0BCQEWIGFsZXhhbmRlci5nYWxpbG92QG1pY3JvZm9jdXMu
    Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5ZjKCY2x2ruYkW8e
    /IgOa5y9xqSx4bUogYuZnAwLgZH2EIEx54T1YzKKc6a58t9tFU0Xb1Z47ay57g/B
    A1oOOV4HOsl6SRG4lJojiOKSpLb1zZMqj3s1dd9hLE9KuScchApcJ5F8GxPf6YHO
    VpY4d6e6Z+fS071lK3UHpjbLQ71yoDV+s+wJ+pmgsLxiyV/7A+CurxixibyXKx2x
    jHvynZBPWf1P/goi54gbCZ1PjQnRPKfxUzRvWipH8T2xvfT0UAZL3HO8C6JJGZxQ
    t82lw/za9tADH0CxPolL/JJyHeEGJAj07uw1wks6mEv8wZY5KkhuDpVv6BUl146+
    tL5LSQIDAQABo1AwTjAdBgNVHQ4EFgQUoeHvvSDZn/GIul8Q6T0yleN9q48wHwYD
    VR0jBBgwFoAUoeHvvSDZn/GIul8Q6T0yleN9q48wDAYDVR0TBAUwAwEB/zANBgkq
    hkiG9w0BAQsFAAOCAQEAQ+T4XForCi/FFSpNLVxb7x/yO1eBi7JujH7CfNTKXUC3
    STlTZiJaTLVXzNd9dvxSjzAoDy4NVV/T4KiA4ss7JCTPwGrD3S8k/a+GpogRzRcE
    R1i/Z/bx2I4PmQk1g1z4lpuqnic0aIg/OVAE0+kwDBK3E0/pgpoSixAAvxEqM5tw
    X9vdt3W/QCoAO3rFABRDboaLkslGbk80Q37tEASKFYm4/0fyB3PEv2uL0S6rP/+E
    Fp1Xhlk/5MVRHNb0hLqpZmJxne96dnXpo+ZDeCCn87B3257eRFI1eUeAnxuw79vv
    uterPobGSjjPm+y7sY2U3hLKsoVymRvqAohrd9kXSQ==
    </ds:X509Certificate>
    </ds:X509Data>
    </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.d18r14.tk/webauth/callback" index="0"/>
    </md:SPSSODescriptor>
    </md:EntityDescriptor>

  2. In the ADFS Management console, click Relying Party Trusts > Add relying party trust.

  3. In the Add Relying Party Trust wizard, click Start.

  4. Select Import data about the relying party from a file.

  5. Click Browse to upload the Advanced Authentication’s metadata file that you created in Step 1.

  6. Click Next.

  7. Specify the Display name.

  8. Click Next.

  9. Ensure that Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected.

  10. Click Close.

    The Edit Claim Rules wizard is displayed.

  11. Click Add Rule.

  12. Select Transform an Incoming Claim from Claim rule template.

  13. Click Next.

  14. Specify the Claim rule name.

  15. Set Incoming claim type to Windows account name.

  16. Set Outgoing claim type to Name ID and Outgoing name ID format to Windows Qualified Domain Name.

  17. Ensure that Pass through all claim values is selected.

  18. Click Finish.

  19. Click OK.

  20. In the ADFS Management console, click Relying Party Trusts and select the relying party trust you added.

  21. Right-click on the relying party trust and select Properties from the menu.

  22. In Properties, click the Encryption tab and remove the certificate by clicking Remove.

  23. Click OK.

    NOTE: The Web Authentication method does not support encrypted tokens.
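To show what the claim rule above yields on the Advanced Authentication side, the following Python (an added example, not code from Advanced Authentication) parses a constructed SAML Response, rejects an encrypted assertion as the note above requires, checks the Name ID Format against the one configured, and returns the Windows Qualified Domain Name value that becomes the authentication data. Issuer, IDs and the user name are constructed, and signature verification is left out of this example.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
WINDOWS_DQN = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"

# Constructed, unsigned SAML Response carrying the NameID the transform rule above would produce.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">EXAMPLE\\jdoe</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_authentication_data(xml_text, expected_format):
    """Return the NameID value that becomes the user's authentication data, or raise ValueError.

    Signature verification is deliberately out of scope here: a real Service Provider
    validates the XML signature against the IdP certificate from the metadata first.
    """
    root = ET.fromstring(xml_text)
    # Encrypted tokens are not supported, which is why the ADFS steps remove the encryption certificate.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("encrypted assertion: remove the encryption certificate on the relying party trust")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID in the assertion")
    # Rejecting a mismatched format is this example's choice; it keeps the wrong identifier from being stored.
    if name_id.get("Format") != expected_format:
        raise ValueError("unexpected NameID Format %r" % name_id.get("Format"))
    return name_id.text


if __name__ == "__main__":
    print(extract_authentication_data(SAMPLE_RESPONSE, WINDOWS_DQN))
```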

9.31.2 OpenID Connect for Advanced Authentication

To add the OpenID Connect Identity Provider, perform the following steps:

  1. Specify the name of the provider in Provider name.

  2. Select the Available presets.

    The Issuer, Scope, and Key fields are populated automatically.

  3. Specify the Client ID and Client secret.

    You obtain the Client ID and Client secret by registering with the Identity Provider that you select. For more information, see Integrating Third Party Applications with Advanced Authentication Using OpenID Connect.

    NOTE: Set the Callback URL at the respective Identity Provider. For example, https://<aahostname>/webauth/callback.

  4. Turn Send Client secret as an URL parameter to ON to send the Client secret as a URL parameter. By default, the option is OFF.

  5. Click the save icon.

  6. Click Save to save the method configuration.

Integrating Third Party Applications with Advanced Authentication Using OpenID Connect

The following sample configurations explain how to configure third party applications with Advanced Authentication using OpenID Connect.

Integrating Advanced Authentication with Facebook

Perform the following steps to integrate Advanced Authentication with Facebook using OpenID Connect:

  1. Log in to Facebook for Developers.

  2. Click My Apps.

  3. In the left pane, click Settings > Basic.

  4. Make a note of App ID and App Secret. These are the Client ID and Client Secret for Advanced Authentication.

  5. In Display Name, specify Advanced Authentication. This is the name for this OpenID Connect configuration.

  6. In App Domains, specify the domain name of the Advanced Authentication Server. For example, aafapp.demo.live.

  7. In Privacy Policy URL, specify the URL of the Advanced Authentication Server. For example, aafapp.demo.live.

  8. Scroll through the page until you find the Website section. If you cannot find the Website section, click Add Platform > Website.

  9. In the Website section, specify the web address of the Advanced Authentication Server. For example, aafapp.demo.live.

  10. Click Save Changes.

  11. In the left pane, click Settings > Advanced.

  12. Scroll through the page until you find the Domain Manager tab.

  13. Click Add a Domain.

  14. In the Add a Domain window, specify the URL of the Advanced Authentication Server in Site URL. For example, aafapp.demo.live.

  15. Click Apply.

  16. Click Save Changes.

  17. In the left pane, click App Review.

  18. Make your application public by clicking the toggle switch in the Make Advanced Authentication public? section.

  19. In the left pane, below the Products tab, click Settings.

  20. In Valid OAuth Redirect URIs, specify https://<Advanced Authentication Server>/webauth/callback.

  21. Click Save Changes.

  22. Specify the Client ID and Client Secret generated in Step 4 in the Client ID and Client Secret fields of Advanced Authentication Administrative Portal.

Integrating Advanced Authentication with Google

Perform the following steps to integrate Advanced Authentication with Google using OpenID Connect:

  1. Log in to Google APIs.

  2. Click Credentials > Create.

  3. Specify a Project Name and a Location.

  4. Click Create.

  5. Click Create credentials > OAuth client ID.

  6. Click Configure a consent screen.

  7. Specify a name in the Application name field. For example, Advanced Authentication.

  8. In Authorised domains, specify the domain name of the Advanced Authentication Server. For example, aafapp.demo.live.

  9. In Application Homepage link, specify the web address of the Advanced Authentication Server. For example, https://aafapp.demo.live.

  10. In Application Privacy Policy link, specify the web address of the Advanced Authentication Server. For example, https://aafapp.demo.live.

  11. In Application type, select Web application.

  12. In Application Terms of Service link, specify the web address of the Advanced Authentication Server. For example, https://aafapp.demo.live.

  13. In Name, specify a name for the OpenID Connect configuration.

  14. In Authorized JavaScript origins, specify the Advanced Authentication server address. Ensure that you specify the complete server address, including the https scheme. For example, https://aafapp.demo.live.

  15. In Authorized redirect URIs, specify https://<Advanced Authentication Server>/webauth/callback. Ensure that you replace the value inside <> with the valid Advanced Authentication server name.

  16. Click Save.

  17. Make a note of the client ID and client secret specified in the OAuth client window. Click OK.

  18. Specify the Client ID and Client Secret generated in Step 17 in the Client ID and Client Secret fields of Advanced Authentication Administrative Portal.

Integrating Advanced Authentication with Yahoo

Perform the following steps to integrate Advanced Authentication with Yahoo using OpenID Connect:

  1. Log in to Yahoo Developer Network.

  2. Click Create an app.

  3. In Application Name, specify a name for the OpenID Connect configuration.

  4. In Application Type, select Web Application.

  5. In Callback Domain, specify the domain name of the Advanced Authentication Server. For example, aafapp.demo.live.

  6. Click Create.

  7. Make a note of the client ID and client secret. Click Update.

  8. Specify the Client ID and Client Secret generated in Step 7 in the Client ID and Client Secret fields of Advanced Authentication Administrative Portal.

Integrating Advanced Authentication with Microsoft Azure

Perform the following steps to integrate Advanced Authentication with Microsoft Azure using OpenID Connect:

  1. Log in to Microsoft Azure.

  2. In the left pane, click Azure Active Directory.

  3. In the Manage section, click App registrations.

  4. Click New application registration.

  5. In Name, specify a name for the OpenID Connect configuration.

  6. In Application Type, select Web app / API.

  7. In Sign-on URL, specify https://<Advanced Authentication Server>/webauth/callback. Ensure that you replace the value inside <> with the correct Advanced Authentication server address.

  8. Click Create.

  9. Make a note of Application ID. It is the Client ID for Advanced Authentication.

  10. Click Settings > Keys.

  11. In the Passwords section, specify key description and key duration.

  12. Click Save.

  13. Make a note of the text generated in the VALUE field. It is the Client Secret for Advanced Authentication.

  14. In the left pane, click Azure Active Directory.

  15. Click Properties.

  16. Make a note of the text specified in the Directory ID field.

  17. Specify the Directory ID noted in Step 16 in the Issuer field of the Advanced Authentication Administrative Portal.

  18. Specify the Client ID generated in Step 9 and Client Secret generated in Step 13 in the Client ID and Client Secret fields of Advanced Authentication Administrative Portal.

9.31.3 OAuth 2.0 for Advanced Authentication

To add the OAuth 2.0 Identity Provider, perform the following steps:

  1. Specify the name of the provider in Provider name.

  2. Select the Available presets.

    The Authorization endpoint, Token endpoint, Attributes endpoint, Scope, and Key fields are populated automatically.

  3. Specify the Client ID and Client secret.

    You obtain the Client ID and Client secret by registering with the Identity Provider that you select.

    NOTE: Set the Callback URL at the respective Identity Provider. For example, https://<aahostname>/webauth/callback.

  4. Turn Send Client secret as an URL parameter to ON to send the Client secret as a URL parameter. By default, the option is OFF.

  5. Select the format of the access token from Access token is returned in body encoded as.

  6. Set Send access token in "Authorization: Bearer" header to ON to send the access token in the Authorization header. By default, the option is OFF.

  7. Click the save icon.

  8. Click Save to save the method configuration.
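The toggles in steps 4 to 6 above, and the matching Send Client secret as an URL parameter option in the OpenID Connect procedure, decide where the client secret and the access token travel on the wire. The following Python is an added example, not code from Advanced Authentication: it models one plausible reading of those settings for an authorization-code exchange, so that the weaker setting (secret or token in the URL, where proxies and access logs record it) can be seen beside the default. Endpoint URLs, client values and the assumption that the OFF case puts the secret in the POST body are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode


def build_token_request(token_endpoint, client_id, client_secret, code, callback_url,
                        secret_as_url_parameter=False):
    """Return (url, headers, body) for exchanging an authorization code at the Token endpoint."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": callback_url, "client_id": client_id}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if secret_as_url_parameter:
        # Option ON: the secret rides in the query string, where proxies and access logs record it.
        url = token_endpoint + "?" + urlencode({"client_secret": client_secret})
    else:
        # Option OFF (the default): the secret stays in the POST body (assumed here), off URL logs.
        url = token_endpoint
        body["client_secret"] = client_secret
    return url, headers, urlencode(body)


def parse_access_token(response_body, encoding):
    """Read the token from a Token endpoint response in the configured body encoding."""
    if encoding == "json":
        return json.loads(response_body)["access_token"]
    if encoding == "form":
        return parse_qs(response_body, strict_parsing=True)["access_token"][0]
    raise ValueError("unsupported body encoding %r" % encoding)


def build_attributes_request(attributes_endpoint, access_token, bearer_header=False):
    """Return (url, headers) for fetching user attributes with the access token."""
    if bearer_header:
        # Option ON: token in the Authorization header, so it never appears in a URL.
        return attributes_endpoint, {"Authorization": "Bearer " + access_token}
    # Option OFF: token as a query parameter, which the Attributes endpoint must accept.
    return attributes_endpoint + "?" + urlencode({"access_token": access_token}), {}


if __name__ == "__main__":
    # Constructed values; nothing is sent over the network.
    url, hdrs, body = build_token_request("https://idp.example.test/token", "client-id", "client-secret",
                                          "code-123", "https://aa.example.test/webauth/callback")
    token = parse_access_token('{"access_token": "tok-abc", "token_type": "Bearer"}', "json")
    print(url, body, build_attributes_request("https://idp.example.test/me", token, bearer_header=True))
```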