ESET Online Help


Configure Identity Provider Connector (IdP Connector) in ESA Web Console

The configuration involves details of both the original Identity Provider (IdP) and the Service Provider (SP): ESA IdP Connector sits between them, acting as a service provider towards the original IdP and as an identity provider towards the SP, and adds the second factor in between.

1.In ESA Web Console, navigate to Components > Identity Provider Connector.

2.Click Create New Identity Provider Configuration.

3.In Basic settings:

oType a desired Configuration Name. It will be used in the list of IdP Connector configurations.

oType a desired Path Name. It becomes part of the Configuration URL that you will need in the later configuration steps.

4.In 2FA settings:

oLeave 2FA enabled selected to require a second authentication factor from users who have any 2FA method configured.

oTo allow users who have no 2FA method configured to log in through this IdP Connector configuration, leave Allow non-2FA selected. Such users are authenticated by the original IdP only, so clear this option if every user of the SP must present a second factor.

5.In Original Identity Provider:

oConfiguration from the Original Identity Provider

Use metadata—use this option if the configuration metadata of the IdP is available over a secure connection (HTTPS) or as a local file. Type that URL (starting with https:// or file://) into the Metadata URL field. Only these two sources are accepted: the metadata carries the IdP signing certificate that ESA will trust, so it must not be fetched over an unprotected channel.

Configure manually—if you use this option, you have to retrieve the following details of the IdP and type them in manually:

oSingle Sign-on Destination—the IdP endpoint to which users are redirected to log in. Some identity providers refer to it as Login URL.

oSingle Logout Destination—the IdP endpoint to which users are redirected to log out. Some identity providers refer to it as Logout URL.

oSignature Validation Certificate—the signing certificate of the IdP, used to validate the signatures on its responses.

oConfiguration to the Original Identity provider

This section provides all essential information and data to configure the original identity provider to work with ESA IdP Connector.

i.If the identity provider can read configuration from metadata, provide it with the URL displayed in Metadata URL. Otherwise, use the information from the other fields (Identifier, Sign-on response URL, Logout response URL, Logout URL), and export the Signing Certificate and Decryption Certificate if your identity provider requires them.

ii.Configure the identity provider to issue the Name ID claim in the format <username>@<domain> (email address or UPN are the common choices). ESA IdP Connector then registers the user identified by <username> with the ESA Authentication Server in the <domain> realm.

6.Adjust Advanced Security Settings to meet your preferences, or if your IdP requires it.

oSign Requests to the original Identity Provider—if selected, the Signing Certificate of ESA has to be configured as trusted on the machine hosting the IdP.

oValidate original Identity Provider certificate—if selected, the signing certificate of the IdP must be configured as trusted on the machine hosting ESA.

oCheck original Identity Provider certificate revocation—if selected, ESA checks that the signing certificate of the IdP has not been revoked. In practice the machine hosting ESA must then be able to reach the CRL or OCSP endpoints named in that certificate.
 

7.Click Add Service Provider, and type a desired Display Name. It will be used in the list of service providers configured within the IdP Connector configuration you are creating.

oConfiguration from the Service Provider

i.Use metadata—use this option if the configuration metadata of the service provider is available over a secure connection (HTTPS). Type that URL (starting with https://) into the Service Provider Metadata URL field.

ii.Configure manually—if you use this option, you have to retrieve the following details of the service provider and type them in manually:

oIssuer. Some SPs refer to it as Audience URL or Entity ID.

oSingle Sign-on Destination—the SP endpoint to which the authenticated user is redirected together with the SAML response. Some SPs refer to it as Assertion Consumer Service URL.

oSingle Logout Destination where the user is redirected after logout.

oSignature Validation Certificate—signing certificate of the SP.

oConfiguration to the Service Provider

This section provides all essential information and data to configure the service provider to work with ESA IdP Connector.

i.If the SP can read configuration from metadata, provide it with the URL displayed in Metadata URL. Otherwise, use the information from the other fields (Identifier, Sign-on URL, Logout URL), and export the Signing Certificate and Decryption Certificate if your SP requires them.

ii.To remove, add or update collected identity information (claim) before forwarding it to the SP, create desired rules in the Claims Translation section. See claim translation examples below.

8.Adjust Advanced Security Settings to meet your preferences, or if your SP requires it.

oCheck signature of requests from the Service Provider—if selected, the signing certificate of the SP has to be configured in ESA, and requests whose signature does not validate against it are rejected.

oValidate Service Provider certificate—if selected, the certificate of the SP must be configured as trusted on the machine hosting ESA.

oCheck Service Provider certificate revocation—if selected, ESA checks that the certificate of the SP has not been revoked.

9.Click Save.

 

Claim translation examples

In the examples below we assume that we logged in through an IdP and the following claims were received by ESA IdP Connector:

http://original_identity_provider/claim/nameid: sample@user.com

http://original_identity_provider/claim/displayname: SU

http://original_identity_provider/claim/name: Sample User


http://original_identity_provider/claim/saml2nameid: sample@user.com

http://original_identity_provider/claim/saml2nameidformat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Remove a certain claim

To remove "http://original_identity_provider/claim/displayname: SU" from the set of claims above, configure the following rule in ESA IdP Connector:

1.Click Add.

2.Select Remove from the list-box.

3.For Type, type "http://original_identity_provider/claim/displayname" without quotation marks.

4.Click Save.

To create a new claim with a custom value or update an existing claim (replace its value)

To replace "SU" with "sampleuser" in "http://original_identity_provider/claim/displayname: SU", configure the following rule in ESA IdP Connector:

1.Click Add.

2.Select Add from the list-box.

3.For Type, type "http://original_identity_provider/claim/displayname" without quotation marks.

4.For Constant value, type "sampleuser".

5.Click Save.

If "http://original_identity_provider/claim/displayname" did not exist in the received set of claims, it would be created with the value defined in Constant value:

"http://original_identity_provider/claim/displayname: sampleuser"

To create a new claim with the value of an existing claim

To create "http://original_identity_provider/claim/profilename" claim with the value of "http://original_identity_provider/claim/displayname" claim, configure the following rule in ESA IdP Connector:

1.Click Add.

2.Select Copy from the list-box.

3.For From type, type "http://original_identity_provider/claim/displayname" without quotation marks.

4.For To type, type "http://original_identity_provider/claim/profilename" without quotation marks.

5.Click Save.
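The three rule types shown above (Remove, Add with a Constant value, Copy) can be modelled in a few lines, which makes it easy to predict what the SP will receive before saving a rule set. The following Python script is an added example, not ESA code and not part of this help page: it applies rules to the claim set listed at the top of this section and then performs the <username>@<domain> split that step 5 requires for the Name ID claim. The claim set is constructed from the example values above, and the rule dictionary keys (type, constant_value, from_type, to_type) are assumed names that mirror the console fields.

```python
"""Model of the ESA IdP Connector Claims Translation rules: Remove, Add, Copy.

Added example. RECEIVED_CLAIMS is constructed from the values listed in the
help text; the rule field names are assumptions that mirror the console fields.
"""

CLAIM = "http://original_identity_provider/claim/"  # claim type prefix used in the examples

# Constructed: the claim set the examples say ESA IdP Connector received from the IdP.
RECEIVED_CLAIMS = {
    CLAIM + "nameid": "sample@user.com",
    CLAIM + "displayname": "SU",
    CLAIM + "name": "Sample User",
    CLAIM + "saml2nameid": "sample@user.com",
    CLAIM + "saml2nameidformat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


def apply_rule(claims, rule):
    """Apply one rule to a copy of the claim set and return the new set."""
    out = dict(claims)
    op = rule["op"]
    if op == "Remove":
        out.pop(rule["type"], None)          # removing a claim that is absent is a no-op
    elif op == "Add":
        out[rule["type"]] = rule["constant_value"]   # creates the claim or replaces its value
    elif op == "Copy":
        if rule["from_type"] not in out:     # nothing to copy: fail loudly rather than forward an empty claim
            raise KeyError("cannot copy from missing claim %r" % rule["from_type"])
        out[rule["to_type"]] = out[rule["from_type"]]
    else:
        raise ValueError("unknown rule op %r" % op)
    return out


def translate(claims, rules):
    """Apply the rules in order, as the console lists them, and return the claims to forward."""
    for rule in rules:
        claims = apply_rule(claims, rule)
    return claims


def split_nameid(nameid):
    """Step 5: Name ID must be <username>@<domain>; ESA registers <username> in realm <domain>."""
    if nameid.count("@") != 1:
        raise ValueError("Name ID %r is not in <username>@<domain> form" % nameid)
    username, domain = nameid.split("@")
    if not username or not domain:
        raise ValueError("Name ID %r has an empty username or domain" % nameid)
    return username, domain


# The three rules from the examples above, in console order.
EXAMPLE_RULES = [
    {"op": "Remove", "type": CLAIM + "displayname"},
    {"op": "Add", "type": CLAIM + "displayname", "constant_value": "sampleuser"},
    {"op": "Copy", "from_type": CLAIM + "displayname", "to_type": CLAIM + "profilename"},
]


def forward_to_sp(received=RECEIVED_CLAIMS, rules=EXAMPLE_RULES):
    """Translated claim set plus the (username, realm) ESA derives from the Name ID claim."""
    claims = translate(received, rules)
    username, realm = split_nameid(claims[CLAIM + "nameid"])
    return claims, username, realm


if __name__ == "__main__":
    claims, username, realm = forward_to_sp()
    for claim_type, value in claims.items():
        print(claim_type + ":", value)
    print("registered as user", username, "in realm", realm)
```

Running the three example rules in sequence shows why order matters: the Remove rule drops displayname, the Add rule recreates it with the constant value, and the Copy rule then propagates that constant (not the original "SU") into profilename.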