This article describes how to enable two-factor authentication for the Nexus PRIME clients PRIME Explorer and PRIME Self-Service.
This is done by setting up a SAML 2.0 federation with PRIME as the Service Provider and a separate Identity Provider, such as Nexus Hybrid Access Gateway.
Prerequisites
The following must be in place before you start:
- PRIME must be installed and set up.
- The identity provider must be set up. If Hybrid Access Gateway is used, see its setup instructions.
- The required certificates must be created, for example a certificate for signing and encryption for PRIME.
If you need instructions to create demo certificates or extract certificates to the required formats, see Create or extract certificates for SSL and SAML.
Set up PRIME as service provider
To integrate PRIME with SAML SSO, the SAML authentication profile must be used.
The defined keystore file must contain the certificates and the private key used for signing and decryption. Configuring a keystore is mandatory: trying to save a configuration without a keystore triggers an error message.
Each SAML federation can have multiple service providers, for example PRIME Explorer, PRIME Self-Service and any other application to be included in the federation. Each service provider must have its own metadata file. For each service provider, do the following to create a metadata file:
This table describes some elements and attributes of the Service Provider metadata XML file:
After the metadata files have been created they must be uploaded to the authentication profile in PRIME Designer. Multiple service providers can be configured, for example for the different PRIME applications and any other applications to be included in the federation.
PRIME Self-Service needs the following additional configurations:
Set up identity provider, for example Hybrid Access Gateway
To secure the communication between the identity provider and PRIME, each server must provide its own server certificate. Example - Add server certificate in Hybrid Access Gateway:
Private keys are used to digitally sign SAML messages and to encrypt their content. Both parties need their own key pair, which can be self-signed (for testing purposes) or issued by a public key infrastructure (for production systems). Example - Enable Hybrid Access Gateway to use the SAML certificate for signing:
As identity provider, you can use any SAML 2.0 compliant system. Follow the instructions of that software to configure it as a SAML IdP. If you use Hybrid Access Gateway as identity provider, follow the steps here to create a DNS name. Example - Create a DNS name for the Hybrid Access Gateway access point:
The identity provider must be configured to define the SAML federation with the service provider, using the metadata created in PRIME. Example - Add service provider in Hybrid Access Gateway:
After the service provider has been configured successfully in the identity provider, the identity provider's SAML metadata must be downloaded and then uploaded to PRIME. Example - Download the metadata from Hybrid Access Gateway:
Upload identity provider metadata to PRIME
After the identity provider metadata files have been downloaded, they must be uploaded to the authentication profile in PRIME Designer. This section describes how to upload the identity provider metadata files.
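The service provider metadata described earlier (entityID, SPSSODescriptor, KeyDescriptor elements with `use="signing"` and `use="encryption"`, AssertionConsumerService) and the identity provider metadata uploaded in this step have a small, checkable structure. The following is an added example, not Nexus or PRIME product code: it builds a minimal SP metadata document from the keystore's certificate and runs a structural sanity check over IdP metadata before it is uploaded, so that an expired file or one without a signing certificate or HTTPS single sign-on endpoint is caught early. All entity IDs, URLs and the certificate text are constructed placeholders.

```python
"""Added example for this article (not Nexus/PRIME product code): build a
minimal SAML 2.0 Service Provider metadata document with separate signing and
encryption KeyDescriptors, and sanity-check Identity Provider metadata before
it is uploaded to PRIME. Entity IDs, URLs and the certificate text are
constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

# Constructed placeholder; a real deployment embeds the base64 DER of the
# certificate whose private key is stored in the PRIME keystore.
DEMO_CERT_B64 = "MIIBPLACEHOLDERCERTIFICATE"


def _md(tag):
    return f"{{{NS_MD}}}{tag}"


def _ds(tag):
    return f"{{{NS_DS}}}{tag}"


def build_sp_metadata(entity_id, acs_url, cert_b64):
    """Return SP metadata (bytes). The same key pair is advertised for
    signing (outgoing AuthnRequests) and encryption (assertions sent to
    the SP), matching what the keystore holds."""
    root = ET.Element(_md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    for use in ("signing", "encryption"):
        kd = ET.SubElement(sp, _md("KeyDescriptor"), {"use": use})
        x509 = ET.SubElement(ET.SubElement(kd, _ds("KeyInfo")), _ds("X509Data"))
        ET.SubElement(x509, _ds("X509Certificate")).text = cert_b64
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url, "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _parse_utc(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_idp_metadata(xml_bytes, now_utc=None):
    """Return a list of problems; an empty list means the IdP metadata has
    what the SP needs (entity ID, HTTPS SSO endpoint, signing certificate,
    unexpired validity). This is a structural check, not signature
    verification."""
    now = _parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != _md("EntityDescriptor"):
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    valid_until = root.get("validUntil")
    if valid_until and _parse_utc(valid_until) <= now:
        problems.append(f"metadata expired at {valid_until}")
    idp = root.find(_md("IDPSSODescriptor"))
    if idp is None:
        problems.append("missing IDPSSODescriptor")
        return problems
    sso = idp.findall(_md("SingleSignOnService"))
    if not any(s.get("Location", "").startswith("https://") for s in sso):
        problems.append("no HTTPS SingleSignOnService endpoint")
    # A KeyDescriptor without a "use" attribute is valid for both purposes.
    certs = [k.findtext(f".//{_ds('X509Certificate')}", default="").strip()
             for k in idp.findall(_md("KeyDescriptor"))
             if k.get("use", "signing") == "signing"]
    if not any(certs):
        problems.append("no signing certificate to verify IdP signatures")
    return problems


# Constructed sample of what an IdP such as Hybrid Access Gateway exports.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
    entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{DEMO_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode("utf-8")

if __name__ == "__main__":
    print(build_sp_metadata("https://prime.example.test/explorer",
                            "https://prime.example.test/explorer/saml/acs",
                            DEMO_CERT_B64).decode())
    print("IdP metadata problems:", check_idp_metadata(SAMPLE_IDP_METADATA))
```

The check deliberately stops at structure: it confirms that a signing certificate and an HTTPS endpoint are present and that `validUntil` has not passed, which are the conditions under which PRIME can verify the identity provider's signed responses at all. Whether the embedded certificate is the one the identity provider actually signs with is established by the federation test login, not by this script.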
This article is valid from PRIME 3.12