Using VIP Access Manager as an IdP for the VIP Self Service Portal/My VIP

Article ID: 150874

Products

VIP Access Manager

Issue/Introduction

 

Resolution

In environments that use VIP Access Manager (SAM) with only a local authentication service and no VIP Enterprise Gateway, or simply to consolidate the SSO applications visible to end users in the SSO Portal, the VIP Self-Service Portal (or the next-generation My VIP Portal) can be published through SAM so that users manage and register their own VIP credentials without contacting their organization's help desk or a VIP administrator.

Instructions:

  1. Generate and export a VIP certificate in both PEM and PKCS#12 formats in VIP Manager. This process is detailed in TECH238134.
  2. Import the PKCS#12 certificate to the SAM Admin Console under Platform > Certificates by clicking on Import Certificate.
  3. From the Admin Console in SAM, create a new application connector by going to Applications > Application Connectors in the top navigation bar and selecting the generic template under Symantec Applications.
    1. Give the connector a name and select the appropriate Access Policy.
    2. Use SAML 2.0 for the Connector Mode.
    3. Click Next.
    4. Fill in a Site Display Name that will be used to identify the application to users in the SSO Portal.
    5. Click Next.
    6. Use IDP-initiated mode.
      1. My VIP: https://login.vip.symantec.com/viplogin/saml2/SSO
    7. Set the SP Entity ID as https://ssp.vip.symantec.com/vipssp
      1. My VIP: https://login.vip.symantec.com/viplogin/saml2/SSO
    8. Click Next.
    9. Under the SAML Identifier Information section:
      1. For the Identifier Type select Subject from the drop-down.
      2. The Identifier Attribute should match the desired VIP username format (e.g. sAMAccountName, UserPrincipalName, email address). The current normalized attribute mappings can be reviewed under Users > Virtual ID Mapping.
    10. Click Next.
    11. Check and fill out the Override IdP Entity ID section using a unique value such as the connector ID string from the end of the IdP URL. For example, if the IdP URL is https://sso.corp.lab/ssg-saml/saml/userData?id=180f94a6-b3b5-465a-0000-92b463f40da8, the entity ID could be set to 180f94a6-b3b5-465a-0000-92b463f40da8. The IdP URL is unique to each application connector.
    12. Check Include SSG-IDP Certificate in Response and select the VIP certificate that was previously imported into SAM. Use SHA-1 for the signature algorithm.
    13. Click Next.
    14. Check Enable Application Connector Instance at next publish.
    15. Click Next.
    16. Click Save.
    17. Publish the changes to make them active.
  4. In VIP Manager, complete the third-party IdP section under Account > Single Sign-on.
    1. Click Edit next to IDP Service Settings.
    2. Set the Entity ID as the IdP Entity ID configured in the Override IdP Entity ID section of the application connector settings in SAM.
    3. Upload the VIP certificate that was previously downloaded in PEM format.
    4. Click Submit.
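When the login to the Self-Service Portal fails after this setup, the quickest check is to decode the SAMLResponse the browser POSTs and compare it with the values configured above. The following script is an added example (not from this article or from Symantec) that does that against a constructed sample response; the Issuer and Audience values are the ones from the steps above, while the username jdoe@corp.lab and the certificate text are placeholders. It checks structure only; cryptographic verification of the XML signature needs an XML-DSig library and is not shown.

```python
# Added example: decode a SAMLResponse from the SAM connector and check it
# against the SAM / VIP Manager settings described in the steps above.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # algorithm chosen in step 12

def check_response(saml_response_b64, expected_issuer, expected_audience):
    """Return findings on whether the response matches the configured values."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return {"assertion_present": False}
    f = {"assertion_present": True}
    # Issuer must equal the Override IdP Entity ID also entered in VIP Manager (step 4.2).
    f["issuer_ok"] = a.findtext("saml:Issuer", "", NS).strip() == expected_issuer
    # Audience must equal the SP Entity ID from step 7.
    audiences = [x.text.strip() for x in a.iterfind(".//saml:Audience", NS) if x.text]
    f["audience_ok"] = expected_audience in audiences
    # Identifier Type "Subject" (step 9) places the VIP username in the NameID.
    f["name_id"] = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    sig = a.find("ds:Signature", NS)
    f["signed"] = sig is not None
    # Step 12: signing certificate embedded in the response, RSA-SHA1 signature.
    f["cert_embedded"] = sig is not None and sig.find(".//ds:X509Certificate", NS) is not None
    sm = sig.find("ds:SignedInfo/ds:SignatureMethod", NS) if sig is not None else None
    f["sig_alg"] = sm.get("Algorithm") if sm is not None else None
    f["sig_alg_ok"] = f["sig_alg"] == RSA_SHA1
    return f

# Constructed sample shaped like the response the connector above would emit
# (placeholder signature value, certificate and username).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="https://ssp.vip.symantec.com/vipssp">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>180f94a6-b3b5-465a-0000-92b463f40da8</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA1}"/></ds:SignedInfo>
      <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@corp.lab</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://ssp.vip.symantec.com/vipssp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_response(SAMPLE_B64, "180f94a6-b3b5-465a-0000-92b463f40da8",
                         "https://ssp.vip.symantec.com/vipssp"))
```

To use it on a real login, paste the SAMLResponse form value captured from the browser's developer tools in place of SAMPLE_B64; a false issuer_ok or audience_ok points at a mismatch between the SAM connector and the VIP Manager IDP Service Settings.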