ESET Online Help


Configure Identity Provider Connector (IdP Connector) in ESA Web Console

The configuration involves details of both Identity Provider (IdP) and Service Provider (SP).

  1. In ESA Web Console, navigate to Components > Identity Provider Connector.
  2. Click Create New Identity Provider Configuration.
  3. In Basic settings:
    1. Type a desired Configuration Name. It will be shown in the list of IdP Connector configurations.
    2. Type a desired Path Name. It becomes part of the Configuration URL used later in the configuration.
  4. In 2FA settings:
    1. Leave 2FA enabled selected to require a second authentication factor from users who have any 2FA method configured.
    2. To allow users not configured for any 2FA to log in through this IdP Connector configuration, leave Allow non-2FA selected.
  5. In Original Identity Provider:
    1. Configuration from the Original Identity Provider
        • Use metadata—use this option if the configuration metadata of the IdP is available through a secure connection (HTTPS) or as a local file. Enter that secure URL (starting with https:// or file://) into the Metadata URL field.
        • Configure manually—if you use this option, you have to retrieve and enter manually the following details of the IdP:
          • Single Sign-on Destination where the authenticated user is redirected to log in. Some identity providers refer to it as Login URL.
          • Single Logout Destination where the user is redirected to log out. Some identity providers refer to it as Logout URL.
          • Signature Validation Certificate—signing certificate of the IdP.
    2. Configuration to the Original Identity Provider

This section provides all essential information and data to configure the original identity provider to work with ESA IdP Connector.

      1. If the identity provider can read configuration from metadata, provide it the URL displayed in Metadata URL. Otherwise, use the information from the other fields (Identifier, Sign-on response URL, Logout response URL, Logout URL), and export the Signing Certificate and Decryption Certificate if your identity provider requires them.
      2. Configure the identity provider to issue Name ID claim in the format <username>@<domain> (the common options are e-mail address or UPN). ESA IdP Connector will then register the user identified by <username> at the ESA Authentication Server in the <domain> realm.
  6. Adjust Advanced Security Settings to meet your preferences, or if your IdP requires it.
    • Sign Requests to the original Identity Provider—if selected, the Signing Certificate of ESA has to be configured as trusted on the machine hosting the IdP.
    • Validate original Identity Provider certificate—if selected, the signing certificate of the IdP must be configured as trusted on the machine hosting ESA.
    • Check original Identity Provider certificate revocation—if selected, ESA checks whether the signing certificate of the IdP has been revoked.
  7. Click Add Service Provider, and type a desired Display Name. It will be shown in the list of service providers configured within the IdP Connector configuration being edited.
    1. Configuration from the Service Provider
      1. Use metadata—use this option if the configuration metadata of the service provider is available through a secure connection (HTTPS). Enter that secure URL (starting with https://) into the Service Provider Metadata URL field.
      2. Configure manually—if you use this option, you have to retrieve and enter manually the following details of the service provider:
        • Issuer. Some SPs refer to it as Audience URL or Entity ID.
        • Single Sign-on Destination where the authenticated user is redirected. Some SPs refer to it as Assertion Consumer Service URL.
        • Single Logout Destination where the user is redirected after logout.
        • Signature Validation Certificate—signing certificate of the SP.
    2. Configuration to the Service Provider:

This section provides all essential information and data to configure the service provider to work with ESA IdP Connector.

        1. If the SP can read configuration from metadata, provide it the URL displayed in Metadata URL. Otherwise, use the information from the other fields (Identifier, Sign-on URL, Logout URL), and export the Signing Certificate and Decryption Certificate if your SP requires them.
        2. To remove, add or update collected identity information (claim) prior to forwarding it to the SP, create desired rules in the Claims Translation section. See claim translation examples below.
  8. Adjust Advanced Security Settings to meet your preferences, or if your SP requires it.
    1. Check signature of requests from the Service Provider—if selected, the certificate of the SP has to be configured in ESA.
    2. Validate Service Provider certificate—if selected, the certificate of the SP must be configured as trusted on the machine hosting ESA.
    3. Check Service Provider certificate revocation—if selected, ESA checks whether the certificate of the SP has been revoked.
  9. Click Save.


Claim translation examples

In the examples below, assume that a user logged in through an IdP and ESA IdP Connector received the following claims:

Remove a certain claim

To remove "http://original_identity_provider/claim/displayname: SU" from the set of claims above, configure the following rule in ESA IdP Connector:

  1. Click Add.
  2. Select Remove from the list-box.
  3. For Type, enter "http://original_identity_provider/claim/displayname" without quotation marks.
  4. Click Save.

To create a new claim with a custom value or update an existing claim (replace its value)

To replace "SU" with "sampleuser" in "http://original_identity_provider/claim/displayname: SU", configure the following rule in ESA IdP Connector:

  1. Click Add.
  2. Select Add from the list-box.
  3. For Type, enter "http://original_identity_provider/claim/displayname" without quotation marks.
  4. For Constant value, enter "sampleuser".
  5. Click Save.

If "http://original_identity_provider/claim/displayname" did not exist in the received set of claims, it would be created with the value defined in Constant value:

"http://original_identity_provider/claim/displayname: sampleuser"

To create a new claim with the value of an existing claim

To create "http://original_identity_provider/claim/profilename" claim with the value of "http://original_identity_provider/claim/displayname" claim, configure the following rule in ESA IdP Connector:

  1. Click Add.
  2. Select Copy from the list-box.
  3. For From type, enter "http://original_identity_provider/claim/displayname" without quotation marks.
  4. For To type, enter "http://original_identity_provider/claim/profilename" without quotation marks.
  5. Click Save.
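The following is an added illustration, not ESET's code: it models the Name ID handling from step 5 (splitting <username>@<domain> into the user and the ESA realm) and the three claim-translation rule types from the examples above (Remove, Add, Copy) over a constructed claim set. The starting claims, the rule representation and the behaviour of Copy when the source claim is absent are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

DISPLAYNAME = "http://original_identity_provider/claim/displayname"
PROFILENAME = "http://original_identity_provider/claim/profilename"

# Constructed sample claim set, as it might arrive from the original IdP.
RECEIVED_CLAIMS = {
    "nameid": "sampleuser@example.com",
    DISPLAYNAME: "SU",
}


def split_name_id(name_id: str) -> tuple[str, str]:
    """Split a <username>@<domain> Name ID (e-mail address or UPN) into the
    username registered at the ESA Authentication Server and its realm.
    A Name ID without a domain part is rejected rather than guessed."""
    username, sep, domain = name_id.rpartition("@")
    if not sep or not username or not domain:
        raise ValueError(f"Name ID is not in <username>@<domain> form: {name_id!r}")
    return username, domain


@dataclass(frozen=True)
class Rule:
    action: str                  # "Remove", "Add" or "Copy" (the list-box values)
    claim_type: str              # Type (Remove, Add) or From type (Copy)
    value: Optional[str] = None  # Constant value (Add) or To type (Copy)


def translate_claims(claims: dict[str, str], rules: list[Rule]) -> dict[str, str]:
    """Apply the rules in order and return the claim set forwarded to the SP."""
    out = dict(claims)  # never mutate the received claims
    for rule in rules:
        if rule.action == "Remove":
            out.pop(rule.claim_type, None)
        elif rule.action == "Add":  # creates the claim, or replaces its value
            out[rule.claim_type] = rule.value or ""
        elif rule.action == "Copy":  # assumption: no-op if the source claim is absent
            if rule.claim_type in out and rule.value:
                out[rule.value] = out[rule.claim_type]
        else:
            raise ValueError(f"unknown rule action {rule.action!r}")
    return out
```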