Configuring SAML Authentication with ADFS for DLP

Article ID: 391675

Products

Data Loss Prevention Enterprise Suite

Issue/Introduction

Configuring SAML Authentication with ADFS for DLP

Environment

DLP 15.8 and later

Cause

NA

Resolution

 
  1. Set up and configure the authentication method:
    1. Delete (or rename) the springSecurityContext.xml file in [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/.
    2. Go to the [your install directory]/Protect/tomcat/webapps/ProtectManager/security/template folder and select the SpringSecurityContext-SAML.xml template file.
    3. Copy SpringSecurityContext-SAML.xml into the [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/ folder.
    4. Rename the copy to springSecurityContext.xml.
  2. Set up the SAML authentication configuration:
    1. Open [your install directory]/Protect/tomcat/webapps/ProtectManager/WEB-INF/springSecurityContext.xml and set the entityBaseURL property to your Enforce URL: https://<host name or IP>/ProtectManager. Use the exact scheme and host name that users type to reach Enforce; this value is written into the endpoint URLs of the Enforce metadata you download in step 5, so a mismatch shows up later as AD FS rejecting the request or Enforce rejecting the response.
    2. Set the value of the property named "nameID" in the Spring file to 'unspecified' or another NameID format that your IdP supports.
    3. For example: <property name="nameID" value="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
  3. Add the following element to springSecurityContext.xml under the <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> section. AD FS is known to reject AuthnRequests that carry the <Scoping> element Spring Security SAML adds by default, so it must be switched off:
    <property name="includeScoping" value="false"/>
  4. Update the contextProvider bean in springSecurityContext.xml so that it reads as follows (the storageFactory property is the change):
    <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl">
        <property name="storageFactory">
            <bean class="org.springframework.security.saml.storage.EmptyStorageFactory"/>
        </property>
    </bean>
    Note: EmptyStorageFactory disables the SAML message store, so Enforce no longer correlates the InResponseTo of a Response with an AuthnRequest it sent. This is what allows IdP-initiated sign-on from AD FS, but it also means unsolicited responses are accepted; the signature check against the IdP certificate imported in step 8 is then the control that protects the logon.
  5. Download the Enforce SAML metadata:
    1. Restart the Enforce Server.
    2. Log on as Administrator using the bypass URL (https://<host name or IP>/ProtectManager/admin/Logon).
    3. Go to System > Settings > General and navigate to the DLP User Authentication section.
    4. Click the link to the right of "The SAML config file for your IdP" to download the metadata.
  6. Share the downloaded metadata file with the IdP (AD FS) administrator; it is used to create the relying party trust for Enforce.
  7. Copy the IdP metadata to DLP:
    1. Download the IdP metadata XML file.
    2. Place it in \Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\webapps\ProtectManager\security\
    3. Rename it to idp-metadata.xml, or replace the content of the existing idp-metadata.xml with it.
  8. Import the IdP signing certificate into the DLP samlkeystore.jks. Use the certificate listed under <KeyDescriptor use="signing"> in the IdP metadata (the AD FS token-signing certificate), not the token-encryption certificate:
    • Command to import the certificate: keytool -importcert -file /path/to/signing/cert -keystore /path/to/dlp/samlkeystore.jks -alias signing_cert
    • Keystore paths:
      Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\[VERSION]\Protect\tomcat\webapps\ProtectManager\security\samlkeystore.jks
      Linux (directory): /opt/Symantec/DataLossPrevention/EnforceServer/[VERSION]/Protect/tomcat/webapps/ProtectManager/security/
  9. Update each user with a valid SAML mapping:
    1. Go to System > Login Management > DLP Users and edit the SAML Name mapping section.
    2. Enter the value you expect your IdP to return in the SAML Response for that user (for example the user's email address or another user attribute). The comparison is case sensitive, so the mapping must match the NameID in the response exactly.
  10. In AD FS Management, change the relying party trust's 'Secure hash algorithm' setting from SHA256 to SHA1. SHA256 is currently not supported for AD FS; see article 237330. Treat this as a known limitation rather than a recommended setting, since SHA-1 signatures are deprecated.
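The following pre-flight script is an added example and is not Symantec/Broadcom code. It covers the checks a practitioner wants before restarting Enforce: which NameID formats the IdP metadata advertises (for the nameID property), which certificate in the IdP metadata is the signing certificate to import into samlkeystore.jks (and the keytool command for it), and, given a captured SAML Response, the NameID that must match the DLP SAML Name mapping case-sensitively, whether the response is unsolicited (no InResponseTo, which the EmptyStorageFactory setting permits), and whether it is signed with rsa-sha1 as the AD FS hash setting requires. The metadata, the response, the host names and the 3-byte certificate placeholders are constructed samples; the expected audience value is the entityID from the downloaded Enforce metadata.

```python
"""Pre-flight checks for a DLP Enforce <-> AD FS SAML setup.

Added example; not Symantec/Broadcom code. Uses only the standard library, so it
runs offline. The metadata, response, host names and alias are constructed samples.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed IdP metadata. The X509Certificate values are 3-byte placeholders,
# not real certificates; real AD FS metadata carries DER certificates here.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAEC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>AwQF</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response as AD FS would post it after IdP-initiated sign-on
# (no InResponseTo), signed with rsa-sha1, NameID in the unspecified format.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://enforce.example.com/ProtectManager</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def idp_nameid_formats(metadata_xml):
    """NameID formats the IdP advertises; choose the 'nameID' property from these."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip() for e in root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS)]


def idp_signing_certs(metadata_xml):
    """Certificates to import into samlkeystore.jks: every KeyDescriptor that is not
    use="encryption" (a KeyDescriptor with no 'use' attribute is valid for signing)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append({"der": der, "sha256": hashlib.sha256(der).hexdigest()})
    return certs


def to_pem(der):
    """PEM wrapper that keytool -importcert accepts."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def keytool_import(pem_path, keystore, alias="signing_cert"):
    """argv for the import step on the Enforce host (run it with subprocess.run)."""
    return ["keytool", "-importcert", "-file", pem_path, "-keystore", keystore, "-alias", alias]


def response_checks(response_xml, expected_audience):
    """What Enforce will see: NameID and format (must equal the DLP SAML Name mapping),
    audience, InResponseTo (None means unsolicited), and the signature algorithm."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    algs = [s.get("Algorithm") for s in root.iterfind(".//ds:SignatureMethod", NS)]
    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "audience_ok": expected_audience in audiences,
        "in_response_to": root.get("InResponseTo"),
        "sha1_only": bool(algs) and all(a == RSA_SHA1 for a in algs),
    }


def mapping_matches(name_id, dlp_saml_name_mapping):
    """Mirror DLP's case-sensitive comparison of the mapping with the NameID."""
    return name_id == dlp_saml_name_mapping


if __name__ == "__main__":
    print("IdP NameID formats:", idp_nameid_formats(SAMPLE_IDP_METADATA))
    for n, cert in enumerate(idp_signing_certs(SAMPLE_IDP_METADATA)):
        pem_path = f"adfs-signing-{n}.pem"   # write to_pem(cert["der"]) here on the Enforce host
        print("SHA-256", cert["sha256"], "->", " ".join(keytool_import(pem_path, "samlkeystore.jks")))
    checks = response_checks(SAMPLE_RESPONSE, "https://enforce.example.com/ProtectManager")
    print(checks)
    print("mapping matches:", mapping_matches(checks["name_id"], "jdoe@example.com"))
```

Run it against the real idp-metadata.xml and a Response captured from the browser (base64-decode the SAMLResponse form field first): an empty list from idp_signing_certs means the metadata has no signing certificate to import, a mapping_matches result of False for a user who is known to the IdP almost always means a case difference between the NameID and the DLP SAML Name mapping, and sha1_only being False means the AD FS relying party trust is still set to SHA256.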

Additional Information