External SAML Authentication

Overview

This topic explains how to configure TOS for SAML authentication using Okta or Azure. SAML is an open standard that enables users to log into an external authentication system, the Identity Provider (IDP). The IDP then automatically logs the user into TOS, the Service Provider (SP). TOS supports SAML 2.0.

Internally, TOS authenticates with the OpenID Connect protocol, using the bundled Keycloak authentication service as the OpenID Connect IDP. For OpenID Connect, TOS is a Relying Party (RP) that accepts identity information from a third-party authentication service.

To let TOS authenticate users against an external SAML IDP, you configure Keycloak as a SAML SP (an identity broker) in front of that IDP.

External SAML authentication only applies to SecureTrack, unless you also use internal SSO authentication to make it apply to all TOS modules - SecureTrack, SecureChange and SecureApp. For TOS R22-1 and later, internal SSO authentication is enabled by default. When upgrading from earlier releases, this feature needs to be manually activated.

SAML Authentication Flow

TOS authenticates login requests via SAML as follows:

  1. SecureTrack is the RP for OpenID Connect. It redirects authentication requests to Keycloak, the internal IDP for OpenID Connect.

  2. Keycloak is also the SAML SP. It redirects requests to an external SAML IDP.

  3. The SAML IDP completes the authentication and redirects the authentication approval back to Keycloak.

  4. Keycloak then redirects the authentication approval back to SecureTrack.
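The approval that comes back in step 3 is a SAMLResponse that Keycloak, as the SAML SP, must validate before it issues anything to SecureTrack. The following Python is an added example, not Tufin or Keycloak code: it shows the checks an SP makes on that response (status, Destination, InResponseTo, Issuer, validity window, AudienceRestriction, presence of a signature). The sample response is constructed inline; the entity IDs and URLs are hypothetical placeholders, and real signature verification needs an XML-DSig library (xmlsec or similar), which the example only stands in for by checking that a signature element exists.

```python
"""The SP-side checks behind step 3 of the flow: what Keycloak, as the SAML
SP, must verify on the IDP's SAMLResponse before trusting it. The response
below is constructed for this example; every URL and entity ID is a
hypothetical placeholder, not a Tufin or Okta default."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP identity: the Keycloak SAML entity ID and the broker
# endpoint (Assertion Consumer Service URL) registered with the external IDP.
SP_ENTITY_ID = "https://securetrack.example.com/auth/realms/tufin"
SP_ACS_URL = SP_ENTITY_ID + "/broker/okta/endpoint"
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLE"  # hypothetical IDP issuer


def saml_time(s):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(b64_response, expected_request_id, now, skew=timedelta(minutes=3)):
    """Return (ok, problems) for a base64 SAMLResponse form value.
    Signature verification needs an XML-DSig implementation (xmlsec or
    similar); here it is reduced to checking that a signature is present."""
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["not a samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    # Redirect and replay protection: the response must be addressed to our
    # ACS URL and must answer the AuthnRequest we actually issued.
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, problems + ["no Assertion"]
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a signature")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Issuer is not the configured external IDP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        # Validity window, with a small allowance for clock skew.
        if now + skew < saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now - skew >= saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("our entity ID is not in AudienceRestriction")
    return not problems, problems


RESPONSE_TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="id-resp-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
  Destination="{dest}" InResponseTo="id-req-1">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id-assert-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{idp}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sample_response(dest=SP_ACS_URL, aud=SP_ENTITY_ID, idp=IDP_ENTITY_ID):
    """Constructed sample response (signature value is a placeholder),
    base64-encoded as it arrives in the SAMLResponse POST parameter."""
    xml = RESPONSE_TEMPLATE.format(dest=dest, aud=aud, idp=idp)
    return base64.b64encode(xml.encode()).decode()


NOW = saml_time("2024-05-01T10:00:30Z")

if __name__ == "__main__":
    print(validate_response(sample_response(), "id-req-1", NOW))
    # An assertion minted for a different SP is rejected even though
    # everything else is in order.
    print(validate_response(sample_response(aud="https://other-sp.example.com"), "id-req-1", NOW))
```

The audience and InResponseTo checks are the ones that stop a valid assertion obtained for another SP, or captured from an earlier login, from being replayed against SecureTrack; they are why the SP entity ID you register with Okta or Azure must match what Keycloak expects.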

Prerequisites

To configure SecureTrack for SAML authentication, you need the following:

  • Browser access to the SAML provider (the external IDP)

    • For Microsoft Edge, a CA-signed certificate for the Apache HTTPD web server. The self-signed certificate provided by SecureTrack is not accepted by Microsoft Edge for SAML SPs.

  • Outgoing HTTPS connection from the SecureTrack server to the SAML IDP.

    • SecureTrack must be able to resolve the domain name of the SAML provider.

  • String to be used as the label on the SAML login button. Maximum length is 10 characters, including spaces.

Before You Begin

  • Backup your SecureTrack configuration using the following command:

    [<ADMIN> ~]$ sudo tos backup create

    See tos backup create.

  • Make sure your SAML provider administrator is available during the configuration process.

Which Server Needs to be Configured?

    Environment                 Server
    Standard                    SecureTrack server
    High Availability           Active SecureTrack server
    Distributed Architecture    Central Server

SAML Configuration Procedure

  1. Okta (to configure Microsoft Azure as the external IDP, go to step 2)

    1. Create Mappers in the Keycloak IDP
    2. You can now log in to SecureTrack via Okta.

  2. Microsoft Azure (to configure Okta as the external IDP, go to step 1)

    1. Create Mappers in the Keycloak IDP

  3. Delete the Keycloak Administrator user.
    • In Keycloak, go to the Users page and delete the user you created in step 1, so that no standing Keycloak administrator account remains after configuration.
  4. If you are using TOS SSO, the SecureTrack Administrator must manually add every SAML-authenticated user to SecureTrack and assign that user roles before the user logs in for the first time.
  5. Do not delete integration_user. SecureTrack integration depends on this user.
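Both the Okta and the Azure procedures include a "Create Mappers in the Keycloak IDP" step. The following Python is an added example, not Tufin's procedure or Keycloak project code: it builds the Keycloak Admin REST API representations for a SAML identity provider and for attribute mappers that copy assertion attributes onto the brokered user, and it flags the settings that would let a forged or replayed assertion through. The realm name, base URL, alias, attribute names and certificate value are assumptions; the TOS documentation does not specify them.

```python
"""Added example: defining the external SAML IDP and its attribute mappers
in Keycloak through the Admin REST API, with a check for weak settings.
Realm name, base URL, alias and attribute names are assumptions, not
values from the TOS documentation."""
import json
import urllib.request

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def saml_idp_payload(alias, idp_entity_id, sso_url, signing_cert_pem_body):
    """IdentityProviderRepresentation for a SAML broker. Signature
    validation is on and pinned to the IDP's certificate, so an assertion
    signed by anyone else is rejected by Keycloak (the SP)."""
    return {
        "alias": alias,
        "providerId": "saml",
        "enabled": True,
        "trustEmail": False,  # do not accept an IDP-asserted email as verified
        "config": {
            "idpEntityId": idp_entity_id,
            "singleSignOnServiceUrl": sso_url,
            "nameIDPolicyFormat": EMAIL_FORMAT,
            "principalType": "SUBJECT",
            "validateSignature": "true",
            "wantAssertionsSigned": "true",
            "signingCertificate": signing_cert_pem_body,
            "wantAuthnRequestsSigned": "true",
            "syncMode": "IMPORT",
        },
    }


def attribute_mapper(alias, saml_attribute, user_attribute):
    """Copy one SAML assertion attribute onto the brokered Keycloak user
    (IdentityProviderMapperRepresentation)."""
    return {
        "name": "%s-to-%s" % (saml_attribute, user_attribute),
        "identityProviderAlias": alias,
        "identityProviderMapper": "saml-user-attribute-idp-mapper",
        "config": {
            "attribute.name": saml_attribute,
            "user.attribute": user_attribute,
            "syncMode": "INHERIT",
        },
    }


def weak_settings(idp_payload):
    """Return the settings in an IDP definition that would let an attacker
    forge, tamper with or replay assertions."""
    cfg = idp_payload.get("config", {})
    findings = []
    if cfg.get("validateSignature") != "true":
        findings.append("validateSignature is off: unsigned assertions are accepted")
    elif not cfg.get("signingCertificate"):
        findings.append("validateSignature is on but no IDP certificate is pinned")
    if cfg.get("singleSignOnServiceUrl", "").startswith("http://"):
        findings.append("SSO URL is plain HTTP")
    if idp_payload.get("trustEmail"):
        findings.append("trustEmail: IDP-asserted email is trusted without verification")
    return findings


def build_broker(alias, idp_entity_id, sso_url, cert_body, attributes):
    """Return (idp, mappers) for one external IDP and a list of
    (saml_attribute, user_attribute) pairs."""
    idp = saml_idp_payload(alias, idp_entity_id, sso_url, cert_body)
    return idp, [attribute_mapper(alias, s, u) for s, u in attributes]


def admin_post(base_url, realm, token, path, payload):
    """POST one representation to the Keycloak Admin REST API. Needs a live
    Keycloak and an admin bearer token; not called at import time."""
    req = urllib.request.Request(
        "%s/admin/realms/%s/%s" % (base_url, realm, path),
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Hypothetical Okta values; the certificate body is the base64 block of
    # the IDP signing certificate downloaded from the IDP metadata.
    idp, mappers = build_broker(
        "okta", "http://www.okta.com/exkEXAMPLE",
        "https://example.okta.com/app/example/exkEXAMPLE/sso/saml", "MIIC...",
        [("email", "email"), ("firstName", "firstName"), ("lastName", "lastName")],
    )
    print("weak settings:", weak_settings(idp))
    print(json.dumps(mappers[0], indent=2))
    # With a token from the admin-cli client (assumed realm and base URL):
    # admin_post("https://securetrack.example.com/auth", "tufin", token,
    #            "identity-provider/instances", idp)
    # admin_post("https://securetrack.example.com/auth", "tufin", token,
    #            "identity-provider/instances/okta/mappers", mappers[0])
```

Run weak_settings against the IDP definition before you post it: the same IDP entry with validateSignature set to "false" accepts any assertion that names the right audience, which defeats the point of the external IDP.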

Known Issues

Troubleshooting

Notes

The Keycloak Server Log is /opt/tufin/logs/services/keycloak-service/server.log