SAML Authentication

Updated 4/12/13, 10:28 AM by Dan_IBM

The enrollment server and SSP support the ability to authenticate users using a SAML identity provider (idP), rather than directly against LDAP using the TSP. In this authentication scheme, the user's credentials are never entered into the application. Instead, authentication is delegated to the identity provider, which the Management Extender, Enrollment Server, or SSP trusts.



At present there is no BigFix content that configures SAML authentication for you, so this article explains how to configure your enrollment server and/or SSP manually. This configuration is completed using a pair of command-line utilities located in “<program files>\BigFix Enterprise\Management Extender\MDM Provider\utils\”. Open a command prompt with administrator privileges in the “MDM Provider\utils” folder to perform any of the following configuration steps.



Note: Any text in monospace font indicates a command to run on this command line. The iOS extender should not have to be restarted before or after these commands.

 

Multitenancy

The following configuration assumes you are installing in a single-tenant environment, where any config command used during SAML authentication setup applies, by default, to the entire enrollment server. This may not be the desired behavior in a multitenancy environment.



When configuring SAML authentication in a multitenancy environment change any config commands into tag_config commands so they apply to specific enrollment tags only and do not apply to the entire enrollment server. The Tag ID must be included after the tag_config command, for example:

mdmios.bat config auth_type SAML

would become:

mdmios.bat tag_config foo auth_type SAML

where foo is the Tag ID.

 

SSP Configuration

The following configuration commands use mdmios.bat to configure the Enrollment and Apple iOS Management Extender. The same commands must be run using ssp.bat to configure the Self Service Portal. If you do not re-run all of the commands with "mdmios.bat" replaced by "ssp.bat", the SSP will not be configured for SAML authentication. If your deployment does not utilize an SSP, this is not required. If your deployment utilizes both the Enrollment and Apple iOS Management Extender and an SSP, you will effectively run each command twice, substituting the appropriate .bat file.

For example:

mdmios.bat config auth_type SAML

would become:

ssp.bat config auth_type SAML

 

Required configuration

auth_type: Configures the enrollment server to use "SAML" mode of authentication instead of the more standard "LDAP" mode (which depends on the TSP).

mdmios.bat config auth_type SAML

 

enrollment_mode: "pin" enrollment mode is required for SAML, because it must be performed in the browser.

mdmios.bat config enrollment_mode "pin"



saml_metadata_url: This URL is retrieved by the enrollment server and is expected to provide basic SAML metadata so that the enrollment server knows which URLs to use and how to communicate with this identity provider.

mdmios.bat config saml_metadata_url "http://saml.company.com/idp/metadata.xml"

 

auth_email_attribute: Specifies the attribute that the SAML idP will include in its response that contains the authenticated user's email address. Since MDM no longer receives the user's credentials, it needs a way to retrieve users’ email addresses. This attribute must be passed back and will be assigned to the device's "email" property. (This defaults to "mail" if not set.) If this property is not returned, then the enrollment server will report that authentication failed.

mdmios.bat config auth_email_attribute "mail"

 

saml_idp_sha1_fingerprint: Requires responses not only to be signed, but to be signed with the certificate matching this SHA1 fingerprint. If not set, any response carrying a valid signature is accepted, whichever certificate produced it.

mdmios.bat config saml_idp_sha1_fingerprint "<saml fingerprint>"

The fingerprint can be found using the openssl tool:

openssl x509 -in your-cert.pem -fingerprint -sha1

 

Configure the SAML cert fingerprint. In Multitenant environments you will need to do this for each Enrollment Tag.

tsp.bat saml_cert set "<enrollment tag or empty quotes if not multitenant>" "<saml certificate file or fingerprint>"

The fingerprint can be found using the openssl tool:

openssl x509 -in your-cert.pem -fingerprint -sha1

 

NOTE: When in a multitenant environment, the fingerprint you enter here must exactly match the fingerprint you entered for each Enrollment Tag you configured on the TSP when the TSP was set up for multitenancy (see Multitenancy Setup for the Self Service Portal, SSP).
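A pre-flight check for the fingerprint steps above, written as an added example (not part of the original page or the MDM product): it reads the signing certificate the idP publishes at saml_metadata_url, derives its SHA1 fingerprint in the same AA:BB:... form openssl prints, and compares it with the value you intend to pin in saml_idp_sha1_fingerprint or tsp.bat saml_cert. The metadata document and certificate bytes are constructed stand-ins; point it at the real metadata.xml to use it.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the idP's DER-encoded signing certificate; a real
# metadata.xml carries the base64 of the actual X.509 DER at this position.
_FAKE_DER = b"constructed-der-placeholder-not-a-real-certificate"

# Constructed metadata shaped like the document served at saml_metadata_url.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://saml.company.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(_FAKE_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def idp_signing_fingerprints(metadata_xml: str) -> list[str]:
    """SHA1 fingerprints (openssl AA:BB:... form) of every signing cert in the metadata."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may be used for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            digest = hashlib.sha1(der).hexdigest().upper()
            fps.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return fps

def normalize(fp: str) -> str:
    """Accept 'SHA1 Fingerprint=AB:CD..', 'ab:cd..' or bare hex alike."""
    return fp.split("=")[-1].replace(":", "").strip().upper()

def fingerprint_matches(metadata_xml: str, configured: str) -> bool:
    """True if the value you plan to pin equals a signing cert the idP actually publishes."""
    want = normalize(configured)
    return any(hmac.compare_digest(normalize(fp), want)
               for fp in idp_signing_fingerprints(metadata_xml))
```

If this returns False for the value you are about to pin, every response from the idP will be rejected once saml_idp_sha1_fingerprint is set, so fix the pinned value before enabling it.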

 

 

Optional configuration options

auth_header_text: This text appears at the top of the login page, to let the user know what is about to happen.

mdmios.bat config auth_header_text "Authenticate with your organization's Single Sign-On Service"

 

saml_sign_requests: Specifies whether all outgoing authentication requests from the enrollment server to the idP should be signed: (default false)

mdmios.bat config saml_sign_requests [true|false]

 

saml_require_signed_responses: Requires all responses from the identity provider to be signed: (default true)

mdmios.bat config saml_require_signed_responses [true|false]

 

saml_force_authn: Requires the identity provider to initiate a new session and force the user to authenticate again, rather than reusing an existing session that might exist: (default false)

mdmios.bat config saml_force_authn [true|false]

 

auth_enrollment_tag_attribute: This setting was intended for multi-tenant mode. It specifies the attribute that the SAML idP will include in its response that contains the authenticated user's enrollment tag. If this is specified, then the enrollment server will verify that the enrollment tag the user is enrolling with is indeed the proper one.

mdmios.bat config auth_enrollment_tag_attribute "o"
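The two attribute checks described on this page, auth_email_attribute (required) and auth_enrollment_tag_attribute (multi-tenant), worked as an added example that is not the enrollment server's own code: given the attribute statement from an idP assertion, it fails authentication when the email attribute is absent and, when a tag attribute is configured, when the tag the device is enrolling under is not among the user's asserted tags. The assertion is a constructed sample with the signature omitted; signature validation is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion body (signature omitted) shaped like what the idP
# returns after login: "mail" and "o" attributes plus a persistent NameID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">uid-constructed-7f3a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="o"><saml:AttributeValue>foo</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

class AuthFailed(Exception):
    """The assertion lacks something the enrollment server requires."""

def attribute_values(assertion_xml: str, name: str) -> list[str]:
    root = ET.fromstring(assertion_xml)
    return [v.text.strip()
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS) if v.text]

def resolve_enrollment(assertion_xml: str, enrolling_tag: str,
                       email_attr: str = "mail", tag_attr=None):
    """Email attribute is mandatory (it becomes the device's "email" property); if a
    tag attribute is configured, the enrolling tag must be among the asserted ones.
    Returns (email, NameID) or raises AuthFailed."""
    emails = attribute_values(assertion_xml, email_attr)
    if not emails:
        raise AuthFailed(f"response carries no '{email_attr}' attribute")
    if tag_attr is not None and enrolling_tag not in attribute_values(assertion_xml, tag_attr):
        raise AuthFailed(f"tag {enrolling_tag!r} not in the user's '{tag_attr}' attribute")
    name_id = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    # The NameID is what stays bound to the enrolled device, so it must be present.
    if name_id is None or not name_id.text:
        raise AuthFailed("assertion has no NameID")
    return emails[0], name_id.text.strip()

def enrollment_allowed(assertion_xml: str, enrolling_tag: str, **kw) -> bool:
    """Allow/deny wrapper around resolve_enrollment."""
    try:
        resolve_enrollment(assertion_xml, enrolling_tag, **kw)
        return True
    except AuthFailed:
        return False
```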

 

SAML idP Configuration

You will need to configure the SAML identity provider to accept authentication requests from your enrollment server and/or SSP as a known "service provider".

The entity ID / metadata URL of your enrollment server will be (replacing the information in brackets < >):

https://<mdm.company.com>/saml/meta

The entity ID / metadata URL of your SSP will be:

https://<mdm.company.com>/ssp/saml/meta

You should also configure your SAML identity provider to return a persistent NameID, since this ID stays tied to the enrolled device for its lifetime and is exposed as the value of the inspector "authenticated id of current user".