This article is a step-by-step guide to configuring SSO authentication using the Security Assertion Markup Language (SAML) authentication mechanism. SAML is an XML-based authentication mechanism that provides single sign-on (SSO) between different organizations by allowing user authentication without sharing the local identity database. As part of the SAML SSO process, the new Parallels RAS Enrollment Server communicates with the Microsoft Certificate Authority (CA) to request, enroll and manage digital certificates on behalf of the user, completing authentication without requiring users to enter their Active Directory credentials.
Service providers and enterprises with multiple subsidiaries (acquisitions) do not have to maintain their own internal identity management solutions or complex domain or forest trusts. Integrating with third-party Identity Providers gives customers' and partners' end users a true SSO experience.
As an example, we will review the process of configuring Okta as the Identity Provider.
Prerequisites
- Local Active Directory:
  - A local AD user account for use as the enrollment agent (CA terminology).
  - A local AD limited user account for NLA authentication.
- Microsoft Certification Authority (CA) in Enterprise mode (for a more detailed walkthrough, see Microsoft TechNet; search for the standalone root CA article):
  - Enrollment Agent certificate template
  - Smartcard Logon certificate template
- Third-party Identity Provider (Azure, SafeNet, Gemalto, Okta, etc.):
  - This is where the user accounts should reside and be synchronized into the third-party SAML identity provider.
  - The local AD is typically synchronized to the third-party provider using an Active Directory connector. Consult the provider on how to properly synchronize users.
- Domain Controllers must have Domain Controller certificates, and these certificates must support smart card authentication. Certificates created using the Microsoft CA certificate template named Domain Controller Authentication support smart cards. Manually created Domain Controller certificates might not work.
- Since SAML is web-based authentication, it requires a browser (used to log in to the HTML5 portal and get the application listing). The native Parallels Client for Windows is used to launch RDP sessions.
- For security reasons, the Enrollment Server (ES) must be a separate server and must not be installed on a Publishing Agent server. It should be installed on a secure, standalone server with no other components or roles installed.
Setting up the Windows Server side to comply with the RAS SAML prerequisites
Per the prerequisites above, configure the Microsoft Certification Authority and certificate templates, and add the required user accounts. Detailed instructions are available here: https://kb.parallels.com/124813
Adding RAS Enrollment Server Agent
Install the RAS Enrollment Server Agent either manually or from the RAS Console:
- In RAS Console > Enrollment Servers, click the “+” icon to add a new agent.
- For a manual ES setup (RASInstaller.msi > Custom), the ES host registration key must be placed in the folder "%installation_path%\Parallels\ApplicationServer\x64". To export the registration key, open RAS Console > ES > Tasks > Export registration key and save registration.crt (pushing the agent remotely from the console does this automatically).
In RAS Console > Enrollment Servers > AD Integration tab, specify the CA and the Enrollment Agent and NLA user accounts you configured, then apply the changes.
Make sure the Enrollment Server agent status is OK.
Switch to the AD Integration tab, click Validate AD Integration settings and make sure that all checks pass.
Adding Identity Provider to Parallels RAS
1. Open Parallels RAS Console > Connection > SAML tab > click Add.
2. In the opened Add Identity Provider wizard, give it a name (e.g. Okta), choose “Manually enter the IdP information” and click Next.
3. On the next page, enter placeholder values so that no required field is left blank (the Okta settings will be imported from the metadata file later) and click Finish.
4. Apply the configuration by clicking the Apply button.
Export SP settings (metafile)
1. Open the properties of the just-created Okta IdP and switch to the SP tab.
2. Specify the external FQDN or IP address in the “Host” field.
3. Copy and save the values of “SP entity ID”, e.g. https://IPADDRESS/RASHTML5Gateway/sso/idp_6/metadata.xml, and “Reply URL”, e.g. https://IPADDRESS/RASHTML5Gateway/sso/idp_6/assert.
4. Now you are ready to proceed with configuring Okta.
Okta Side Configuration
1. Sign in to the Okta Admin Management console and switch to the Classic UI.
2. Click Applications > Add Application > Create New App.
3. Create an app with the following parameters:
- Platform: Web
- Sign on method: SAML 2.0
4. In the App name field, enter the name for the configuration and click Next. In this example we will be using Parallels RAS as the application name.
Configure SAML Settings
Note: In this example we are configuring the integration for testing purposes, thus using the simplest method.
1. General Settings:
- Single sign on URL – paste the “Reply URL” taken from RAS Server, e.g. https://IPADDRESS/RASHTML5Gateway/sso/idp_6/assert
- Use this for Recipient URL and Destination URL - Enabled
- Audience URI (SP entity ID) - paste SP Entity ID taken from RAS Server, e.g. https://IPADDRESS/RASHTML5Gateway/sso/idp_6/metadata.xml
- Default RelayState – leave blank
- Name ID format – leave “Unspecified”
- Application username – leave “Okta username”
2. Expand Advanced Settings and set the following options:
- Response – leave “Signed”
- Assertion Signature – leave “Signed”
- Signature Algorithm – leave “RSA-SHA256”
- Digest Algorithm – leave “SHA256”
- Assertion Encryption – leave “Unencrypted”
- Enable Single Logout – leave unselected
- Authentication context class – leave “PasswordProtectedTransport”
- Honor Force Authentication – leave “Yes”
- SAML Issuer ID – leave default
3. Attribute Statements:
Add the following attribute mapping:
- Email – user.email
Note: The main goal is to configure attributes so that IdP users can be matched with AD users.
4. Group Attribute Statements: Leave blank
5. Download the Okta certificate and continue
Click the button on the right side of the SAML configuration to download the Okta certificate (this will be required during the IdP configuration in the RAS Console) and click the Next button at the bottom.
6. Select the type of Okta relationship you have and click Finish.
7. Export the Identity Provider metadata by clicking the Identity Provider metadata link and save the XML file in a known location, e.g. “My Documents”.
8. After the application is created, switch to the Assignments tab and assign the required users.
Import Identity Provider metadata
1. In RAS Console > Connection > SAML tab > open IdP Okta and switch to IdP tab.
2. Click Import IdP Information and confirm the settings replacement.
3. Switch to the Attributes tab and select the attribute mapping appropriate for your environment. In our example this is Custom, SAML = email, AD = Mail.
4. Switch to General and associate the required theme with this IdP. Click Apply to complete the configuration.
Go to the RAS HTML5 Theme URL. The user will be redirected to the IdP for authentication. Once authentication completes, the application listing will be displayed.
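To make the attribute mapping from the Attributes tab concrete (SAML = email, AD = Mail), the following Python example shows how the email attribute carried in an assertion is matched to a local AD account, and why the match must fail when the attribute is missing or empty, when no account matches, or when several accounts share the same mail value. It is an added example and not Parallels code; the AD_USERS table and the assertion snippet are constructed stand-ins, and the SAML attribute name "email" is assumed from the mapping above.

```python
"""Map the e-mail attribute from a SAML assertion to a local AD account.

Added example, not Parallels code: it shows the matching semantics behind the
Attributes tab setting (SAML = email, AD = Mail) and the cases that must fail
closed: attribute missing or empty, no AD match, or more than one AD account
sharing the same mail value.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2 = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for an AD lookup: sAMAccountName -> mail attribute.
AD_USERS = {
    "jsmith": "J.Smith@example.com",
    "asmith": "a.smith@example.com",
    "svc-shared1": "shared@example.com",   # two accounts share one mailbox
    "svc-shared2": "shared@example.com",
}


def attribute_statement(email: str) -> str:
    """Build a constructed AttributeStatement in the shape the Okta mapping
    'Email - user.email' produces (attribute Name "email" is assumed)."""
    return f"""<saml2:AttributeStatement xmlns:saml2="{SAML2['saml2']}">
  <saml2:Attribute Name="email"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>{escape(email)}</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def extract_attribute(statement_xml: str, name: str) -> list:
    """Return every value of the named attribute (empty list if absent)."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.findall("saml2:Attribute", SAML2):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.findall("saml2:AttributeValue", SAML2))
    return values


def resolve_ad_user(statement_xml: str, saml_attr: str = "email",
                    directory: dict = AD_USERS):
    """Return (sAMAccountName, None) on a unique match, else (None, reason)."""
    values = extract_attribute(statement_xml, saml_attr)
    if len(values) != 1 or not values[0]:
        return None, f"expected exactly one non-empty '{saml_attr}' value, got {values}"
    wanted = values[0].casefold()   # mail addresses compare case-insensitively
    matches = [acct for acct, mail in directory.items() if mail.casefold() == wanted]
    if len(matches) == 1:
        return matches[0], None
    if not matches:
        return None, "no AD account with a matching mail attribute"
    return None, f"ambiguous: {len(matches)} AD accounts share this mail value"


if __name__ == "__main__":
    for sample in ("j.smith@EXAMPLE.com", "nobody@example.com", "shared@example.com", ""):
        print(repr(sample), "->", resolve_ad_user(attribute_statement(sample)))
```

The comparison is an exact, case-folded match on the whole mail value; a substring or prefix match would let one IdP user land in another user's AD account, and an ambiguous match is refused rather than resolved to the first hit, which is why the mail attribute must be unique across the AD accounts that will use SSO.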