Skyhigh Security - SAML integration

The following document refers to a SAML integration between Skyhigh Security and TrustBuilder (InWebo).

Introduction

Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standard for authentication and authorizing between multiple parties.

The SAML workflow implies the following actors:

User → the actual human trying to authenticate and having metadata (identity information) attached to them.
Identity Provider (IdP) → the service that serves as a source of identity and that confirms user identity. Here, TrustBuilder (InWebo) has the IdP role. TrustBuilder (InWebo) authenticates users and returns identity information to the Service Provider.
Service Provider (SP) → the application that a user tries to access. The SP is the service that requests authentication and identity information about the user. Here, Skyhigh Security has the SP role. The SP takes authentication responses from the IdP and uses the information to create sessions for the user.

Here is what a basic authentication flow may look like, with TrustBuilder (InWebo) SAML connector set:

The user is prompted with an authentication page.
The user provides his email address.
Skyhigh Security requests authentication from TrustBuilder (InWebo).
The user is redirected to TrustBuilder (InWebo) to authenticate.
The user enters their PIN and validates. In back-end an OTP is generated by the user device (token web, desktop and mobile ) and sent to TrustBuilder (InWebo).
TrustBuilder (InWebo) validates the OTP and authenticates the user.
TrustBuilder (InWebo) sends a SAML assertion to the Skyhigh Security. It contains user information such as logins, identifiers, and other relevant attributes.
The Skyhigh Security grants the user access.

Prerequisites

A Skyhigh Security SSE console with administrator rights
An TrustBuilder (InWebo) service with administrator rights

Configuration

The configuration consists of an exchange of metadata between the SP (Skyhigh Security) and the IdP (TrustBuilder): each provides its metadata to the other. Then, it is necessary to make sure that TrustBuilder provides attributes that match with the attributes of the Skyhigh Security so that the authentication works.

TrustBuilder part:

Step 1: Create TrustBuilder (InWebo) SAML connector

Login to your TrustBuilder (InWebo) administration console.
Go to the Secure Sites tab.
In the "connectors” section, click on Add a connector of type… and select SAML 2.0.

Name your connector.
Click on Add to create the connector.

Step 2: Provide the TrustBuilder metadata to Skyhigh Security

You should provide the TrustBuilder IdP metadata to allow your SAML instance to communicate with the connector. You can download TrustBuilder metadata from the platform, in the connector’s settings. We will download directly the metadata in XML format.

Step 3: Generate Skyhigh Security Metadata

To the correct communication between TrustBuilder and Syhigh Security, we need to generate Skyhigh Security (SP) authentication metadata that we’ll use to include in TrustBuilder connector to communicate.

You can download and modify the following XML file example to match your environment. → Download the SP metadata sample file

Make sure to configure:

entityID: use the Entity ID URL “https://saml.wgcs.mcafee-cloud.com/saml”
Location (2 times): use Entity ID URL “https://saml.wgcs.mcafee-cloud.com/saml”
X509Certificate: paste the Skyhigh Security certificate get from Step 4 on Skyhigh Security Part.

Here is an example:

Step 4: Provide the Skyhigh Security metadata to TrustBuilder

Skyhigh Security SAML authentication instance need to push his metadata to TrustBuilder (InWebo) SAML 2.0 connector to communicate with it.

In your TrustBuilder (InWebo) administration console, go to the Secure Sites tab.
Edit the SAML 2.0 connector previously created.
Paste the Skyhigh Security (SP) metadata generated previously.

Click on Update to save the configuration.

Step 5: Update the TrustBuilder (InWebo) SAML connector

Now that the exchange of metadata between the SP and TrustBuilder (InWebo) is done, you should configure the connector to make sure that TrustBuilder (InWebo) provides attributes that match with the attributes of Skyhigh Security.

In our example, we request from TrustBuilder the email address and group membership of the user:

Step 6: Create a secure site

In your TrustBuilder (InWebo) administration console, go to the Secure Sites tab.
Click on Add a secure site of type… and select the SAML connector name you previously configured.
Set the Called URL to point to your SP Internet address.

The Called URL setting is only used to set a bookmark for the user on their MyTrustBuilder portal, it has no impact on the security.

Click on Add to create the secure site.

Skyhigh Security Part:

Step 1: Create a new SAML Configuration profile.

Skyhigh Security can be configured to use one or multiple IdP provides, the domain provided by the user on the authentication page, will be user to choose the correct IdP attached to that domain.

Under configuration / Infrastructure / Web Gateway Setup

Select “New SAML”. A new frame will appear.

Une image contenant texte, logiciel, Page web, Site web Description générée automatiquement

Step 2: Configure SAML Configuration

In this step, we will configure Skyhigh Security profile to use TrustBuilder as an IdP.

Skyhigh Security give the opportunity to import the IdP metadata directly to it.

We will use the TrustBuilder metadata exported in xml format on Step 2 from TrustBuilder part.

Provide a name to the profile and import the metadata xml file.

Step 3: Provide SAML arguments.

In the communication between TrustBuilder and Skyhigh Security, some attribute will be stored on the session cookies by TrustBuilder (IdP), that Skyhigh Security need to consume. Is this step, we will highlight to Skyhigh Security what attribute it needs to take to identify the user ID and group ID. (it need to match step 5 of TrustBuilder Part)

Also, we will provide the domain that this profile will be attached to.

Here is a screenshot of our example :

Step 4: Export the X509Certificate

In this step, we will export the Skyhigh Security certificate that it used for our communication with the IdP (TrustBuilder) that need to generate Skyhigh Security (SP) authentication metadata.

Une image contenant texte, Police, ligne, reçu Description générée automatiquement

Testing the authentication

To test your SAML authentication, go to the test user machine that is configured to use SAML.

Note : add on the proxy bypass list inWebo URLs to avoid a SAML loop. “http://inwebo.com , http://myinwebo.com , ult-inwebo.com”

Once the user tried to access internet, Skyhigh Security SSE display the user with a login page, user need to provide his email address.

Once the email address is filled, Skyhigh Security SSE redirect the user to the TrustBuilder (InWebo) to authenticate.

If the browser is enrolled, user can enter his PIN code directly on the TrustBuilder authentication page. Otherwise, the user will have the option to use his mobile or desktop token instead for authentication".

TROUBLESHOOTING

There are tools that can help you to debug. For example, “SAML-Tracer” is a web browser plugin for viewing SAML and WS-Federation messages sent through the browser during single sign-on and single logout.