Description
As described in Using SAML for Single-Sign-On, Lumen Cloud supports the use of Security Assertion Markup Language (SAML) for exchanging user authentication data as XML between trusted parties. This industry standard protocol empowers customers to use their own SAML-supported identity management system for authenticating users of the Lumen Control Portal.
Now, with the addition of the Require SAML for Login option provided by Control Portal, customers can force users to authenticate through their identity providers to enable additional identity management features like multi-factor authentication (MFA) and user provisioning. This way, the Lumen Cloud platform can provide flexible, standards-based capabilities while allowing an organization to keep the nuts-and-bolts of their IdM configurations in their pre-existing systems.
For more details and how SAML works in general and how to specifically setup an ADFS IdP for use with Control Portal, refer to Using SAML for Single-Sign-On.
In the example below, however, we will use a separate software-as-a-service vendor as the identity provider in order to also enforce multi-factor authentication. The following steps will walk through the process of configuring the IdP to add users, enabling MFA and SAML, and configuring Lumen Control Portal's SAML settings to enforce the use of the IdP.
Steps
In this example, we will use the cloud-based identity and access management solution OneLogin as our identity provider since it is free to use as a demo, easy to setup, and supports both SAML and MFA.
Though we are using OneLogin in our example here, of course the principles will apply for any IdP with support for SAML and MFA. The steps below assume you have already signed up for a OneLogin account and are able to login to its administrator interface.
Configure IdP for SAML
- In the Lumen Cloud Control Portal, from the Account Settings page, navigate to the "Users" tab and the "Authentication" sub-menu.
- Click the "SAML 2.0 Authentication" checkbox to show all the available settings. For now, just take note of the "Relying Party Assertion Consumer Service URL" listed there. It should be in the format of
https://{account-alias}.cloudportal.io/SAMLAuth/Post
. (Highlighted in the screenshot below.)
- Now login to the OneLogin end-user dashboard.
- From the "Apps" menu, select "Add Apps".
- In the search field, type "onelogin saml" and select the first app that shows up. It should be called "OneLogin SAML Test (IdP)".
- Rename this app to "Lumen Cloud Control Portal" and click the "Save" button.
- Now, on the "Configuration" tab, enter the URL you copied from Step 2 in the section above into the "SAML Consumer URL" field. Optionally, you may provide other values in the additional fields if you know them. (You will find the Single Logout URL also available on the Control Portal page from Step 2 above.)
- Click the "Save" button in the upper right hand corner to save the OneLogin configuration.
There are a number of other settings that OneLogin supports or that may be supported by other IdPs, but this is the minimal configuration required on the OneLogin side for SAML authentication to work.
Configure Control Portal SAML Settings
- While still in the OneLogin administrator interface, click on the "SSO" tab to view SAML configuration information required to plug in to the Control Portal settings. You should see a SAML 2.0 Endpoint and a X.509 Certificate. Both of these values are required to configure SAML in Lumen Cloud Control Portal.
- Back in the Control Portal Authentication settings page, check the "Require SAML for Login" option and the "Apply to all Sub Accounts" options. This will require SAML login only for this account and all sub accounts. Next, enter the SAML 2.0 Endpoint URL provided in the previous step into the "SSO IdP URL (required)" field and copy and paste the certificate value from OneLogin page into the "Signing Certificate Key" field in Control Portal. Optionally, you can configure the "SLO IdP URL" as well. Click "Save" to apply the SAML settings to control.
At this point, SAML is configured on both ends. All that's left is to enable MFA and begin provisioning users.
Configure IdP for MFA
- From the OneLogin interface, select the "Settings" menu and go to "Authentication Factors". From this screen you will be presented with a number of available multi-factor authentication providers that can be enabled. Clicking the provider name and clicking the "Save" button activates it as an additional authentication factor. In this example we will use "Google Authenticator" since it's ubiquitous and easy to setup. (You could choose RSA SecurID or another provider of your choice.)
- To complete the setup, we need to define and apply a policy that requires users to authenticate with MFA. Select "Policies" from the "Settings" menu and click on the "Default policy" to edit. (We could create a new policy to apply only to our set of Control Portal users if we are using OneLogin with multiple applications. Here, we will keep things simple and apply a single policy for all users and apps.)
- On the MFA tab, click the "OTP Auth Required" and "Google Authenticator" checkboxes. To keep things simple, we'll keep the setting to require OTP for all users at every login, but this can be adjusted as desired. Click "Save".
All that's left is to provision users in the IdP and associate them with users in Control Portal.
Provision User(s)
There are a few different options for provisioning users to Lumen Cloud and no doubt the IdP you choose to use has a number of options as well. OneLogin supports both bulk user import from a flat file as well as an API for creating users. Lumen Cloud's API also provides the capability to programmatically create users. In this example, we will assume we already have a user in the Control Portal that we want to provision to OneLogin.
You may have the opposite situation where you need to create users in Control that already exist in your IdP. Or you may not have users in either location. No matter how you choose to provision users, as you will see, the important thing is that the SAML username in Control matches the SAML username in the IdP.
- In the Control Portal, from the "Users" page in Account Settings, click the user you will be provisioning to OneLogin. (If you need to create a new user in Control, you can follow the instructions in Creating Users
- On the User Profile page, take note of the e-mail address, first and last name. Most importantly, click on the "saml username (single sign on)" field and enter the e-mail address for this user. The OneLogin SAML configuration uses e-mail as the default username. To keep this example simple, we will stick with this rather than set it to a custom value. Here, it is also the same as the user name, which is a good practice for uniqueness.
- Back in the OneLogin configuration, navigate to "Users -> All Users" from the menu and click the "New User" button to create a new user. Enter the first name, last name, and e-mail address you took note of in Step 3. All of these fields are required and as noted above, the e-mail address must match the value entered into the SAML username field in Control. You may also fill in other fields as desired. Click "Save User".
- Now we have to give the user access to the Control Portal SAML application. On the "Applications" tab for the user, click the "+" sign to add a new app. Select "Lumen Cloud Control Portal" and click "continue" then enter the user's e-mail address and click "save".
- Select "Send Invitation" from the "More Actions" menu. This sends an e-mail to the user, initiating provisioning.
- The user receives an e-mail with a link to set their password. When they follow the link, they will set their password and then, in this case since we are using Google Authenticator, will be presented with a QR code to scan using the Google Authenticator app to setup a token and be given a security code to enter. Once this is done, the user enters the security code and clicks "log in". This will activate the user's MFA token for use.
Putting It All Together
Now that all the configuration is complete, users must login to Control Portal using their OneLogin credentials.
- From a browser, go to your SAML Login page. This is the root of the highlighted URL from the very second step above, in the format
https://{account-alias}.cloudportal.io
. (In this example, it's https://bry2.cloudportal.io.) If you have the "Require SAML for Login" setting turned on as described above, this should ultimately result in you being redirected to the OneLogin login screen. - Login using the username, password, and Google Authenticator security code. You should be directed back to the Control Portal and logged in as that user. You can use the logout link as well if you have set the logout URLs appropriately.
Note that the "Require SAML for Login" setting will force this user to login this way whether they access the SAML-specific login page as described in Step 1 or the primary control URL (https://control.ctl.io). If the primary URL is used, when logging in using the regular login screen, after entering the username (and any value for password), the user will be redirected to the SAML login page as described above.
Updated Signing Certificate (February 2024)
Customers with an existing SAML configuration as of Tuesday, February 13, 2023 will need to update their signing certificate for use with their IdP with the following text:
-----BEGIN CERTIFICATE-----
MIIG8jCCBdqgAwIBAgIQAxibq8xTL3VdXQWhnwPPyDANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypE
aWdpQ2VydCBHbG9iYWwgRzIgVExTIFJTQSBTSEEyNTYgMjAyMCBDQTEwHhcNMjQw
MTMwMDAwMDAwWhcNMjUwMjEyMjM1OTU5WjBwMQswCQYDVQQGEwJVUzESMBAGA1UE
CBMJTG91aXNpYW5hMQ8wDQYDVQQHEwZNb25yb2UxITAfBgNVBAoTGEx1bWVuIFRl
Y2hub2xvZ2llcywgSW5jLjEZMBcGA1UEAwwQKi5jbG91ZHBvcnRhbC5pbzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN51fi0cc8FNuuaom3GeXzDi9RIS
O0uGzI0ZQ+G5NPx8xNU78Vkag/SOYESYvuctpfa+y5YeCvvTDh8DIHdSvfkOv83Q
fdxa1qR/6z8Wms4Zvxkzuj6LNtQFK7qtxxXr2mtGwL2CRHy3qGyn4tJVPppP8PGu
bHoMqlKipto/Guohlq9aHk7r1hltuTCegTrQ91XnRsiXwJn1B0tvhgjZsngwffnZ
5ewYoqz+j+WRzGXsBHb9W8H8nWZNgOBIa4paKkHjEXqHbiLy1lIFO4NuwsCKek64
iJzht0nv0dp7wRwiNsNDDYWNwi0LQdv+v8V4jruI7hWoyfacAas2NDA7ai0CAwEA
AaOCA50wggOZMB8GA1UdIwQYMBaAFHSFgMBmx9833s+9KTeqAx2+7c0XMB0GA1Ud
DgQWBBRqDWxVGIboHH41ChSZJQ9e8/wAazArBgNVHREEJDAighAqLmNsb3VkcG9y
dGFsLmlvgg5jbG91ZHBvcnRhbC5pbzA+BgNVHSAENzA1MDMGBmeBDAECAjApMCcG
CCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/
BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBnwYDVR0fBIGX
MIGUMEigRqBEhkJodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i
YWxHMlRMU1JTQVNIQTI1NjIwMjBDQTEtMS5jcmwwSKBGoESGQmh0dHA6Ly9jcmw0
LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbEcyVExTUlNBU0hBMjU2MjAyMENB
MS0xLmNybDCBhwYIKwYBBQUHAQEEezB5MCQGCCsGAQUFBzABhhhodHRwOi8vb2Nz
cC5kaWdpY2VydC5jb20wUQYIKwYBBQUHMAKGRWh0dHA6Ly9jYWNlcnRzLmRpZ2lj
ZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbEcyVExTUlNBU0hBMjU2MjAyMENBMS0xLmNy
dDAMBgNVHRMBAf8EAjAAMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdwBOdaMn
XJoQwzhbbNTfP1LrHfDgjhuNacCx+mSxYpo53wAAAY1cUAfSAAAEAwBIMEYCIQDC
wOgdiH8c0IPjnvEeLLFMOv9mLgkdNZH3iORQ5USBoAIhAMoVSrk6wJWbHP8Nu+z0
NYXD8pSfqpdsCuAvVf8UvsmgAHYAfVkeEuF4KnscYWd8Xv340IdcFKBOlZ65Ay/Z
DowuebgAAAGNXFAH8gAABAMARzBFAiEAmfcU4ScgK/+rD/4vb94TvthKQJ9NIrNh
XQHIwZODCtUCIFWuwBuRalwQbjRB15tQYxWI/Suh1G2XaLywGcCrthCCAHYA5tIx
Y0B3jMEQQQbXcbnOwdJA9paEhvu6hzId/R43jlAAAAGNXFAIHgAABAMARzBFAiEA
/Zz0A9OtlviikQ8cTDP9+ZUUcLdWCFyE1l8UV78zKFECIE22AmOfH16JQGxhtm4a
OwJ6SzfwUWLU7AsQDf717W0tMA0GCSqGSIb3DQEBCwUAA4IBAQB1fUYVeeniAryw
TemtDuVcmRzQ286rWJGsBeawomdy3TUmn4cb7Rngaq0BSrNbmNckLSIm+Gxg37yp
JYHRi8NpswD9A7a31bjSJMEMYHoRignyXGFLWt4WBwjWWFflDYEalkHYbiJz/I9b
Ll2X3RhTNzH8Q4OdDkT7xyCKZRm8+3psXylq1wk3CSsSHh4YTiQDgILDsjiyEafh
wD2EJdKH+Is8egVM7X+m4/ksTnVvoPZ83VrrwdM0MxpdTyStC9GrDqyQasn1Pi1Y
fhB6Je/axYvLhxjzUJmeUVHvkS3ZTc5PXER2bh9oCnvHhYRvhD+D17OSjm0DYom9
iibC5Eli
-----END CERTIFICATE-----