How do I integrate Ianum with a SonicWall SMA?
Description
Ianum is a cloud platform for passwordless authentication and user data management. The strength relies in the use of smartphones and blockchain-inspired encryption, so that only those who have the keys can authenticate and see their data. This guarantees a secure system where Ianum acts as a guarantee layer, but has but has no access to unencrypted users' data.
Ianum Platform is made of a series of services, each one with its specific task. Microservices can be Personal Data Management when you need to ask for users’ personal data, Consensus Management, when during a login you would like to ask for consensus, as well as Passwordless Authentication, to let users login using their smartphone. Full list is available at www.ianum.com.
All these microservices can be used both internally within companies (they are SAML compatible) or towards end users (e-commerce login, etc.), as well as for GDPR compliant data management and data consent.
To connect Ianum services you need to create a Gate, that is a virtual connection between your services and Ianum Platform. Each gate has a unique identifier (unique URL) and it’s where users needs to go through to be identified.
Gates can be of 3 types:
- public: when you need to authenticate any users that try to access that gate. Example: e-commerce
- private: when you want only a specific list of users to be able to access that gate. ex.: backend application
- Identity Provider: same as private, but compatible with SAML 2.0 protocol, so to be used in any SAML 2.0 compatible business tool
In this article we will focus on the integration between SMA 12.3 Tunnel Access and a Ianum Identity Provider using the SAML 2.0 protocol.
Resolution
To complete the connection you need first to configure the connection with Ianum , configuring it as an Identity Provider. Next step, you need to configure connection with SonicWall, so that users allowed by Identity Provider are accepted by SonicWall system.
- Ianum setup
Navigate to the Ianum Developer area (https://id.ianum.com/ianum). If you need this for a personal account, go ahead. If you need for a company, create a company profile clicking on the top-right menu and selecting “Add new profile”.
- Create the Gate
- Create a gate by selecting the type “Identity Provider”
- Configure IdP
In the Identity Provider tab you can find the parameters needed to configure the IdP on SonicWall side.
- Start creating groups for your users (from Group section) and Attributes you want to set for your users (from Attributes section).
- Add users to your IdP
Go back in the Passwordless Auth service to add your users. To add a user you need to specify the email of that user so that he can receive the invitation into the Identity Provider. Then you can set his attributes and the groups he’s part of.
- Create SonicWall App
You are now ready to create the Application to connect SonicWall. Go in the Identity Provider section and add a new App.
- Create a gate by selecting the type “Identity Provider”
- You can put the information of the SonicWall Service Provider, as well as decide which groups are allowed to enter and mapping the attributes of the users for that Service Provider. Here you can also download the Certificate for your app.
Mappers are needed cause if you have created an attribute of type ID, and the Service Provider has the same parameter called identificator you need to create a mapper to say that Identity Provider has to return the value ID but calling it identificator just for this App.
Remember to tell your users to control their emails and accept the invitation. To do that, they have to download Ianum App from Play Store or App Store, and do the first login by clicking the link in the email received.
- Create the Gate
- SonicWall Setup
- Define the SAML workplace Portal
Login to the SMA device and click Workplace
- Add Ianum CA
Ianum CA was saved before from Ianum Developer Area.
Make sure it can be used to check signed SAML requests:
- Setup an IDP Authentication server
Most of the fields come from Ianum Developer Area SSO page.
The fields in Red come from Ianum Developer Area SSO page while the ones in green are related toyour specific setup.
Name : logical name for the authentication server, any name meaningful to you
Appliance ID : this is the FQDN used by Ianum to talk back to the SMA and transmit the SAML assertion, it must exist as a Workplace portal which is also selected below in green. MAKE SURE to use HTTPS and a / at the end of the URl
- Setup Tunnel Access
Make sure an IP pool is assigned:
An access rule must allow access to “Connect Tunnel” resource.
- Test the configuration
Now it’s time to test the configuration. You can go to your service provider and click on Ianum-SAML login.
You’ll be redirected to Ianum Identity Provider and you’ll see a page with a QR Code.
Now you need to download the Ianum App from the App Store or the Google Play Store. Then you need to activate it inserting your phone number and insert the verification code received through an SMS. You’re ready to Scan the QR Code!
After you scanned it, the first time you’ll be asked to enter a code (the code received through email) and it’s a code to match your Ianum Identity with the user allowed to access the Identity Provider.
If the user has clicked the link in the invitation email sent when the user has been added to Identity Provider, the code won’t be asked.
After you entered the code, you’ll complete the login procedure and you’ll be redirected to your Service Provider page. You’re successfully logged in.
- Define the SAML workplace Portal