Balancing Security and Flexibility with Hybrid IAM
You can integrate SafeNet Trusted Access (STA) with SafeNet Authentication Service Private Cloud Edition (SAS PCE) by configuring SAS PCE as the external identity provider (IDP) in STA. This hybrid deployment model enables you to protect cloud applications with STA in the cloud, and to provide secure authentication through SAS PCE on premises. Any existing on-premises or cloud-based applications continue to work as before with SAS PCE and STA, and users can use the same authenticator for all applications.
When SAS PCE operates as the external IDP, it uses SafeNet Agent for Keycloak to connect to a separate Keycloak instance, which redirects traffic from STA to SAS PCE. STA remains the primary IDP and orchestrates the use of SAS PCE as a secondary, external IDP that provides additional authentication where needed. As the external IDP, SAS PCE can be either the only authentication method or the second factor of authentication. It cannot be the first method of authentication in the order of authentication.
STA for cloud and SAS PCE for on-premises applications
You can keep user data in the cloud to a minimum, and reserve access to cloud applications for groups that need it. Users are synchronized independently to SAS PCE and STA. Users who don't need to access cloud applications don't need to be synchronized to STA.
This solution provides control, enabling you to protect your on-premises resources and shield them from the risk of internet disruptions. When authentication is redirected to SAS PCE, your multi-factor authentication (MFA) token secrets can remain on premises.
You can use SAS PCE as the external IDP for STA to facilitate the gradual migration from SAS PCE to STA, because users can authenticate with the same on-premises OTP token for both SAS PCE- and STA-protected resources. You have the option to migrate users to STA with self-provisioning or with token migration through professional services.
Login interface and language
The external IDP is entirely responsible for the login interface that it presents. This responsibility also includes any language selection logic that you must manage independently of STA on the external IDP.
When SAS PCE is the external IDP with Keycloak, you can configure the Keycloak IDP to use the language that the user selects on the STA IDP login page. This means that the language selected on the STA login page is also selected on the login screen shown by Keycloak. This gives the user a unified login experience. For information about how to configure the Keycloak IDP to use the custom language, see the SafeNet Agent for Keycloak Administration Guide, Chapter 5: Customization > Language Selection.
External IDPs and subscription plans
IDP orchestration is available in the STA and STA Premium subscription plans. It is not available in the STA Basic plan.
If you configure an external IDP and then later downgrade to the STA Basic plan, the external IDP becomes unavailable:
- When you remove the external IDP from a policy or scenario, you cannot select it again until you upgrade the virtual server to the STA or STA Premium plan.
- When you disable the external IDP, you cannot enable it again until you upgrade the virtual server to the STA or STA Premium plan.
External IDP in policies or scenarios
The configured external IDP becomes an authentication method that you can select in STA policies and scenarios. STA redirects authentication to SAS PCE through policies or scenarios, based on group membership, application, or context. STA can redirect access requests that come from any of the following types of applications that are integrated on the Applications tab:
- Agent applications that are configured on the Applications tab, such as SafeNet Agent for Microsoft Outlook Web App.
Components in the implementation with Keycloak
SAS PCE and STA have separate management consoles. In SAS PCE, you manage tokens. In STA, you manage cloud applications and access policies.
The redirection from STA to the external IDP is executed internally through the OIDC protocol. SAS PCE handles OIDC through the Keycloak IDP and SafeNet Agent for Keycloak.
This implementation requires you to configure several components:
- SAS PCE: Your virtual server includes the users who will authenticate with STA and the external IDP.
- STA Hybrid Service Pack, by Professional Services: This service pack provides the bridge between STA and SAS PCE. The package contains the following:
  - SafeNet Agent for Keycloak: Install the agent as an extension on Keycloak. It performs the handshake between SAS PCE and Keycloak. With the agent, you create a realm in Keycloak and configure SAS PCE user federation.
  - Keycloak IDP: You must deploy and manage the Keycloak IDP. It has a separate management interface. To configure Keycloak as the external IDP, in Keycloak, configure a client and a client mapper for STA.
  To purchase this service pack (SKU: Pro Services, Service Pack for STA Hybrid), contact Customer Support.
- STA: You can configure one external IDP for each virtual server, and then use that external IDP in your policies and scenarios. IDP redirect requires connectivity between STA and the external IDP.
Configure the STA Hybrid Access Management Add-On
You can configure one external IDP in each virtual server. You need to set up the two-way communication between STA and SAS PCE:
- Configure SafeNet Agent for Keycloak for SAS PCE: Create a Keycloak realm and configure STA user federation.
- Configure communication between STA and Keycloak: In Keycloak, create a client and a mapper for STA.
- Configure the external IDP in STA: Configure STA using information from Keycloak.
After you configure the STA Hybrid Access Management Add-On, add the external IDP that you create as an authentication method in a policy or scenario.
Configure SafeNet Agent for Keycloak for SAS PCE
SafeNet Agent for Keycloak performs the handshake between SAS PCE and Keycloak. With the agent, you create a realm in Keycloak and configure SAS user federation.
A realm manages a set of users, credentials, roles, and groups. Each realm is isolated from other realms and can manage and authenticate only the users under its control.
When you use SAS user federation, Keycloak can retrieve all the user information that it needs from SafeNet Agent for Keycloak, and therefore indirectly from SAS PCE. There is no need to configure synchronization or federation between Keycloak and your user repository. Users can authenticate with their SAS PCE user ID or with any of the aliases configured in SAS PCE.
If you don't use SAS user federation, then you need to add the users in Keycloak with the same details that are in SAS PCE.
- Download the SafeNet Agent for Keycloak package.
- Follow the steps described in the SafeNet Agent for Keycloak Administration Guide to use either the Keycloak Admin Console or the realm JSON file (SafeNetOTPRealm.json), which is included in the agent package. Configure the following:
  - Keycloak realm
  - STA user federation
Configure communication between STA and Keycloak
After you configure SafeNet Agent for Keycloak with a realm in Keycloak and STA user federation, you need to configure the two-way communication between STA and the Keycloak realm where your SAS PCE users are federated.
In STA, after you configure the external IDP, you must enable it before you can select it as an authentication method in policies or scenarios. You cannot disable the external IDP when no enabled policies or scenarios refer to it. You can only enable a disabled policy or scenario that refers to the external IDP when the external IDP is enabled.
You need to configure settings in both STA and Keycloak. In STA, you configure the external IDP settings, and in Keycloak you create a client and a mapper. You can configure one external IDP in each virtual server.
When you configure STA and Keycloak, you go back and forth between the STA Access Management console and the Keycloak Admin Console to copy and paste some information.
Complete these steps to configure the two-way communication between STA and Keycloak:
Copy the Redirect URI from STA
- On the STA Access Management console, select Settings > External Identity Provider. If no external IDPs have been added, select Setup.
  ![alt_text]({static}/images/operator/external-idp-setup.png){style="border: solid 1px #c0c0c0;"}
- On the External Identity Provider page, select Set up new IDP.
- Under Redirect URI, click Copy. You need to use this URI when you configure the client in Keycloak.
Keep this page open in STA while you configure Keycloak, so that the Redirect URI doesn't change. If you leave the External Identity Provider page without saving the settings, a new Redirect URI is generated.
Create a client in Keycloak
- Log in to the Keycloak Admin Console. You can go directly to the console URL:
  - If you log in from the same machine, the console URL is: http://localhost:8080/auth/admin/
  - If you log in from a different machine, the console URL is:
    https://
    /auth/admin
- Select the realm that you created when you configured SafeNet Agent for Keycloak.
- In the Configure menu on the left, select Clients.
- Click Create on the right.
- Enter the Client ID. This ID is an alphanumeric string that identifies the client in OIDC requests.
- In the Client Protocol list, select openid-connect.
- Click Save. This creates the client and opens the client Settings tab.
- In the Access Type list, select confidential.
- In the Valid Redirect URIs field, paste the value that you copied from the STA Access Management console > Settings > External Identity Provider > Redirect URI field. Click the plus (+) sign to add the URI.
- Click Save.
Create a mapper for the client in Keycloak
- Click the Mappers tab.
- Click Create on the right.
- On the Create Protocol Mapper screen, enter a Name, and in the Mapper Type list select User Attribute.
- Enter the User Attribute, such as Email address.
- Enter the Token Claim Name, such as email.
- Select the corresponding Claim JSON Type, such as String.
- Click Save.
Configure the external IDP in STA
- Go back to the External Identity Provider page in STA.
- Under Display Names, in the Identity Provider Name field, enter a friendly name for the IDP.
  The identity provider name is used in the access logs, policies, and scenarios, but is not visible to your users.
- In the Credentials Name field, enter the authentication method that the external IDP uses.
  For example, the authentication method might be FIDO, OTP, push, bio, password, context, and so on.
  In policies, the display name is used to identify the external IDP in the format [Identity Provider Name] ([Credentials Name]), such as SafeNet Keycloak Agent (password).
- Under Server Details, enter the Client ID and the Client Secret from Keycloak.
  - For the Client ID, use the Keycloak value in Clients > Settings > Client ID.
    The client ID is the OIDC application (client) ID that is used to identify Keycloak as the external IDP.
  - For the Client Secret, use the Keycloak value in Clients > Credentials > Secret.
    STA sends the OIDC shared secret to authenticate the redirection request with Keycloak.
- Enter the Well-Known Configuration Endpoint URL from Keycloak.
  - In Keycloak, go to Realm Settings > General > Endpoints, and then right-click and copy the OpenID Endpoint Configuration URL.
- Click Load to populate the endpoint URLs and the Issuer:
  - Authorization Endpoint: This is the URL to which the user is redirected to authenticate.
  - Token Endpoint: When authentication is successful, the authorization code is sent to this URL to obtain an ID token and an access token.
  - Token Keys Endpoint: This is the URL that is used to retrieve the key that is needed to validate the ID token signature.
  - Issuer: This is the issuer string that is used to validate the keys for the ID token signature.
- Under User Mapping, select the user attributes to represent the user ID in the redirection to the external IDP:
  - Request User Identifier: This is the STA user attribute that is sent in the authentication request to the external IDP.
  - Verification User Identifier: This identifier is usually identical to the request user identifier. It is the STA user attribute to match with the content of the specified ID token claim.
  - Verification Claim Name: This is the name of the mapper that you created in Keycloak.
- Click Save and turn on the toggle at the top-right of the page to enable the external identity provider.
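The Load and User Mapping steps describe what STA does with the Keycloak discovery document and the ID token it receives after the redirect. The following Go program is an added illustration of that relying-party side; it is not part of this documentation, of STA, or of Keycloak. It models the Token Keys Endpoint as an in-memory JWKS built from a freshly generated RSA key, mints an ID token in place of the Keycloak token endpoint, then verifies the signature against the key named by the token's kid, checks the Issuer, the audience (the Client ID) and the expiry, and finally matches the Verification Claim Name (email, as in the mapper above) against the user's Verification User Identifier. The host, realm, client ID, key ID and user are constructed values, and the audience check assumes a single-valued aud claim.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Discovery holds what the Load step reads from the Well-Known Configuration Endpoint.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"` // the Token Keys Endpoint
}
// JWK and JWKS are the parts of the Token Keys Endpoint document needed for RS256.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicKeyJWKS publishes an RSA public key the way a Keycloak realm does.
func PublicKeyJWKS(kid string, pub *rsa.PublicKey) JWKS {
	e := big.NewInt(int64(pub.E)).Bytes()
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: b64(pub.N.Bytes()), E: b64(e)}}}
}

// SignIDToken mints an RS256 ID token; it stands in for the Keycloak token endpoint.
func SignIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// VerifyIDToken makes the relying-party checks: signature via the kid's JWKS key, then iss, aud, exp.
func VerifyIDToken(token string, keys JWKS, disc Discovery, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, e1 := dec(parts[0])
	payload, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("token is not base64url-encoded JSON")
	}
	var pub *rsa.PublicKey
	for _, j := range keys.Keys { // select the signing key that the header names
		if j.Kid == hdr.Kid && j.Kty == "RSA" {
			n, _ := dec(j.N)
			e, _ := dec(j.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if hdr.Alg != "RS256" || pub == nil { // reject algorithm downgrade and unknown signing keys
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("ID token signature invalid")
	}
	exp, _ := claims["exp"].(float64)
	switch { // claim checks run only after the signature is trusted
	case claims["iss"] != disc.Issuer:
		return nil, fmt.Errorf("issuer mismatch")
	case claims["aud"] != clientID: // assumes a single-valued aud, i.e. one STA client
		return nil, fmt.Errorf("audience mismatch")
	case !now.Before(time.Unix(int64(exp), 0)):
		return nil, fmt.Errorf("ID token expired")
	}
	return claims, nil
}

// MatchUser applies User Mapping: the Verification Claim Name value must equal the Verification User Identifier.
func MatchUser(claims map[string]any, claimName, staUserAttr string) bool {
	v, ok := claims[claimName].(string)
	return ok && strings.EqualFold(v, staUserAttr)
}

func main() {
	// Constructed values: host, realm, client ID, key ID and user are not from any real deployment.
	disc := Discovery{Issuer: "https://keycloak.example.test/auth/realms/SafeNetOTPRealm"}
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := PublicKeyJWKS("key-1", &priv.PublicKey)
	tok, _ := SignIDToken("key-1", priv, map[string]any{"iss": disc.Issuer, "aud": "sta-client",
		"exp": float64(time.Now().Add(time.Minute).Unix()), "email": "alice@example.test"})
	claims, err := VerifyIDToken(tok, keys, disc, "sta-client", time.Now())
	fmt.Println("verify error:", err, "| user matched:", MatchUser(claims, "email", "alice@example.test"))
}
```

The order of checks is the point: the kid lookup and RS256 check come first so that a token cannot choose its own algorithm, the signature is verified before any claim is read, and only then are issuer, audience and expiry compared. The e-mail comparison is case-insensitive because the mapper above emits the user's e-mail address; a different User Attribute may need an exact match.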
Add the external IDP in a policy
The configured external IDP becomes an authentication method that you can select in STA policies and scenarios. The redirection to the external IDP becomes part of the decision about whether to grant access, based on group membership, application, or context.
- On the STA Access Management console, select Policies.
- Select the policy or scenario and then select Edit.
- Under Decision, in the Authentication Methods section, select External IDP, and then Select an IDP from the list.
  The external IDP is identified using the IDP name and credentials name that are configured in Settings > External Identity Provider and use the format [IDP Name] ([Credentials Name]), such as SAS PCE (OTP).
- Select how often users must authenticate:
  - Once per session: Prompt the user to authenticate once per STA SSO session within a browser.
  - If not verified in the last [number of minutes or hours]: Prompt the user to authenticate at least every N minutes or hours. Select the value that meets your organization's requirements. The values supported by STA are 5, 10, 15, 30, 45, or 60 minutes, or 2, 3, 4, 5, 6, 7, or 8 hours.
    Use this option to provide a presence check for sensitive applications by requiring users to re-authenticate if the specified number of minutes or hours have elapsed since they last accessed the application.
    Between this setting and the single sign-on session timeout, the shortest setting takes precedence.
  - Every access attempt: Prompt the user to authenticate regardless of whether they previously authenticated in the current STA SSO session.
    If you use certificate-based authentication (CBA), some certificates and their drivers might have their own session, apart from the STA SSO session, and might not prompt a user for authentication. For example, the user might not be prompted to authenticate as long as a smart card is inserted in a computer.
- Select Save.
IDP orchestration in the logs
IDP orchestration is logged in the authentication logs and the access logs.
IDP orchestration in the authentication logs
On the STA Token Management console, the authentication logs are available in Snapshot > Authentication activity.
The logs use the Identity Provider Name and Credentials Name that are specified in Settings > External Identity Provider.
Each type of activity includes different log entries:
- Initiation of the redirection: The initiation of the redirection by STA includes the following information in the logs:
  - Timestamp: The time when the redirection was initiated.
  - Result: Redirection
  - Credential Type: [Credentials Name]
  - Message: Redirection to [Identity Provider Name] for [Credentials Name] authentication.
- Success: The successful response from the external IDP is logged:
  - Timestamp: The time when the response was returned, or the timeout time if no response was received.
  - Result: Success
  - Credential Type: [Credentials Name]
  - Message: Redirection to [Identity Provider Name] for [Credentials Name] authentication.
- Failure: The failure in redirection to the external IDP is logged:
  - Timestamp: The time when the response was returned, or the timeout time if no response was received.
  - Result: Failure
  - Credential Type: [Credentials Name]
  - Message: Timing out without response from [Identity Provider Name].
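Because every redirection produces an initiation entry and then either a Success or a Failure entry, the authentication log can be read to measure how the external IDP is behaving. The following Go program is an added example, not part of this documentation or of STA: it parses constructed log rows carrying the fields listed above (Timestamp, user, Result, Credential Type, Message), pairs each Redirection with its outcome, counts timeouts and redirections still awaiting a response, and raises an alert when the timeout share reaches a threshold, which is the cue to check connectivity between STA and the Keycloak side. The pipe-separated row layout, the user names, the identity provider name SAS PCE and the 50% threshold are assumptions made for the example; STA's own export format is not reproduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthLogEntry is one row of the authentication log, reduced to the fields the
// IDP orchestration entries carry. The pipe-separated row layout is constructed
// for this example and is not an STA export format.
type AuthLogEntry struct {
	Timestamp, User, Result, CredentialType, Message string
}

// ParseAuthLog splits constructed rows of the form
// timestamp|user|result|credential type|message and rejects anything else.
func ParseAuthLog(lines []string) ([]AuthLogEntry, error) {
	var out []AuthLogEntry
	for i, l := range lines {
		f := strings.Split(l, "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		out = append(out, AuthLogEntry{f[0], f[1], f[2], f[3], f[4]})
	}
	return out, nil
}

// OrchestrationSummary counts the three entry types and the redirections that
// have not yet received a Success or Failure entry.
type OrchestrationSummary struct {
	Redirections, Successes, Timeouts, Pending int
}

// Summarize pairs each user's Redirection entries with the outcome entries that follow.
func Summarize(entries []AuthLogEntry) OrchestrationSummary {
	var s OrchestrationSummary
	open := map[string]int{} // user -> redirections awaiting a response
	for _, e := range entries {
		switch e.Result {
		case "Redirection":
			s.Redirections++
			open[e.User]++
		case "Success":
			s.Successes++
			if open[e.User] > 0 {
				open[e.User]--
			}
		case "Failure":
			if strings.HasPrefix(e.Message, "Timing out without response from") {
				s.Timeouts++
			}
			if open[e.User] > 0 {
				open[e.User]--
			}
		}
	}
	for _, n := range open {
		s.Pending += n
	}
	return s
}

// TimeoutAlert reports whether the share of redirections that timed out reached
// the threshold; a sustained rate like this points at the STA-to-Keycloak link.
func TimeoutAlert(s OrchestrationSummary, threshold float64) bool {
	if s.Redirections == 0 {
		return false
	}
	return float64(s.Timeouts)/float64(s.Redirections) >= threshold
}

// SampleLog is constructed data shaped like the log entries described above.
var SampleLog = []string{
	"2024-05-01T10:00:00Z|alice|Redirection|OTP|Redirection to SAS PCE for OTP authentication.",
	"2024-05-01T10:00:07Z|alice|Success|OTP|Redirection to SAS PCE for OTP authentication.",
	"2024-05-01T10:01:00Z|bob|Redirection|OTP|Redirection to SAS PCE for OTP authentication.",
	"2024-05-01T10:02:00Z|bob|Failure|OTP|Timing out without response from SAS PCE.",
	"2024-05-01T10:03:00Z|carol|Redirection|OTP|Redirection to SAS PCE for OTP authentication.",
	"2024-05-01T10:04:00Z|carol|Failure|OTP|Timing out without response from SAS PCE.",
	"2024-05-01T10:05:00Z|dave|Redirection|OTP|Redirection to SAS PCE for OTP authentication.",
}

func main() {
	entries, err := ParseAuthLog(SampleLog)
	if err != nil {
		panic(err)
	}
	s := Summarize(entries)
	fmt.Printf("%+v timeout alert: %v\n", s, TimeoutAlert(s, 0.5))
}
```

On the sample rows the summary is 4 redirections, 1 success, 2 timeouts and 1 still pending (dave), so a 50% threshold fires. The same pairing logic also identifies users whose redirection never came back, which is what the access-log Reason value Redirection timeout records per request.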
IDP orchestration in the access logs
The redirection to the external IDP is recorded in the access logs:
- The Credentials field includes the Credentials Name that is configured in Settings > External Identity Provider.
- When there is a failure due to timing out without a response from the external IDP, the Reason is Redirection timeout.