Configuring Single Sign-On

NetGovern Archive and NetGovern Search both support Single Sign On (SSO).

With SSO, once you log in through your Identity Provider, you do not have to sign in separately to NetGovern Archive, and users do not have to sign in separately to NetGovern Search. Logins to NetGovern occur automatically and invisibly.

How SSO Works in NetGovern

NetGovern Archive and NetGovern Search both use Security Assertion Markup Language (SAML) to achieve Single Sign On. SAML is an open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. Authentication is performed through Active Directory (AD) by recognizing a user's domain, which often corresponds to their email address.

For many organizations, Active Directory Federation Services (ADFS) acts as the Identity Provider.

NetGovern Archive, NetGovern Search, and Proxy access are each considered a separate Service Provider. Enabling SSO on Proxy access is optional but recommended.

NOTE
NetGovern Search does not use Multi-Factor Authentication (MFA). However, ADFS may use MFA, prompting your users to provide different types of personal information in order to authenticate.
NOTE
What is called a Service Provider in SAML terminology is called a Relying Part in ADFS terminology.

Once SSO is configured in NetGovern, a typical workflow will proceed as follows:

  • User logs in to ADFS.
  • User attempts to access the NetGovern login screen.
  • Invisibly, ADFS is prompted for a SAML (or signed) assertion to authenticate the user and authorize login.
  • NetGovern APID verifies the signed assertion.
  • The user is automatically logged in to NetGovern.

If the user attempt to sign in to NetGovern before they sign in to ADFS, they are redirected to the ADFS sign-in page, where they are prompted to enter credentials.

In all cases, once SSO is configured, the login screens for both NetGovern Archive and NetGovern Search are disabled and invisible.

NOTE
If SSO is enabled, Admin users should not be synced.
NOTE
Once SAML is enabled, users cannot change their NetGovern password, since the welcome screen where this option appears is no longer visible. Since authentication occurs through Active Directory, the NetGovern password is irrelevant when SSO is enabled.

Timeouts

NetGovern Search has various timeouts designed to boost system security regarding user authentication. When SSO is enabled in NetGovern Search and a timeout occurs, the Search session will refresh automatically after a timeout alert.

The NetGovern Archive permanently auto-refreshes.

In both cases, SSO overrides timeouts in NetGovern.

Assertion Validity

Assertions are permanent in NetGovern by default. The Administrator may choose to revoke assertions for specific users.

Certificates

You need a separate valid certificate for both the Identity Provider and for the Service Providers. You can have one certificate for all Service Providers (NetGovern Archive, NetGovern Search, and Proxy access) as long as they are on the same server. If the Service Providers are on different servers, each will need its own certificate.

The certificate cannot be self-signed unless you are using it as a test. AD FS will not accept a self-signed certificate.

IMPORTANT
If the certificate host name does not match the host name that users access, SSO might not work. During configuration, an auto-detect function will assist you in detecting anomalies.

Bypassing SSO for Admins

Admins can use the URL ending in /saml/ to bypass SSO when doing admin tasks.

NOTE
In most cases, Admin synchronization is required for SSO bypass to work as expected.
NOTE
Closing a browser will not log the user out of SSO in all cases.

For group users to bypass Search or the Admin UI, you need to set the Bypass Route.

  • On the SSO tab, under SSO Type, select SAML.
  • Under SSO Bypass Users, click Add Route.
  • Set the Bypass Route
  • NOTE
    You are not able to set the Bypass Route unless you have already set the Admin Route on the Admin Users tab.

Bypassing SSO for End Users (NOSSO)

After SSO is set up, any local, manually created end user can bypass SSO by using the Admin UI URL ending in /nosso/.

Example:

https://10.201.2.230/nosso

The user must belong to a designated "nosso" group in AD in order to access this function.

The URL ending in /nosso/ will also work for admins.

Similar to SSO, a NetGovern Search session in /nosso/ will refresh automatically after a timeout alert.

NOTE
Closing a browser will not log the user out o fSSO in all cases.

Outlook Add-In

Since there is no connection between Outlook Add-in and ADFS, enabling Single Sign On (SSO) through SAML on Outlook Add-In is not possible. Instead, authentication is performed through NetGovern Search. During Outlook Add-In setup, you have the option to authorize Outlook Add-In to use NetGovern Search credentials. Upon first successful login to the Outlook Add-In, each user sees the following grant rights page:

If the user selects Allow, Outlook Add-In will have authorization to use NetGovern Search credentials indefinitely, unless assertions are revoked.

Going forward, log into Outlook Add-In will occur automatically whether or not the user is logged into NetGovern Search, and whether or not SAML is enabled in the Admin UI.

Maintaining Administrator Access

Once SAML is enabled, you no longer log in to the Admin UI using Administrator credentials. Instead, you log in using credentials associated to your personal email address. Therefore, before you enable SAML, you must ensure that you assign Administrator access to yourself—see Configuring an Administrator.

WARNING
If you do not do this, you will lock yourself out as an Administrator once SAML is enabled.

Configuring SSO

There are two ways to configure SSO in NetGovern: either by using ADFS, or another Identity Provider. Steps for both are provided further below.

Maintaining Administrator Access

Once SAML is enabled, you no longer log in to the Admin UI using Administrator credentials. Instead, you log in using credentials associated to your personal email address. Therefore, before you enable SAML, you must ensure that you assign Administrator access to yourself—see Configuring an Administrator.

WARNING
If you do not do this, you will lock yourself out as an Administrator once SAML is enabled.

When a computer is domain-joined, configuration is required if you would like to skip formed-based login. Use the following instructions to modify ADFS to enable Windows Integrated Authentication (WIA). When WIA is enabled, the user does not have to re-authenticate using ADFS.

Performed on the desktop:

  • Internet Explorer (IE) and Google Chrome: On the desktop, add your company URL in the Intranet field in IE settings.
  • Example: *.CompanyXyz.com
  • Mozilla Firefox:
  • Go to about:config
  • Go to network.automatic-ntlm-auth.trusted-uris property
  • Add the target FQDN (i.e., search.netgovern.com)

Performed on the ADFS server:

    • Google Chrome and Mozilla Firefox: Use the following commands:
    • Set-ADFSProperties –ExtendedProtectionTokenCheck None
    • Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")

    • The following steps must be taken in the Admin UI and ADFS must be in place.

    NOTE
    In the event that you would like to perform a test setup before proceeding with actual configuration, you can select a built-in mock Identity Provider called Test. This can be used for test or demo environments. However, for security reasons, you should not use a mock Identity Provider for production environments.
    • Log into the Admin UI. In Services, and open the SSO tab.
    • Under SSO Type, select SAML.
    • Enter the metadata URL for your Identity Provider on this page. Alternately, you can enter the host name of the ADFS system and the URL will populate automatically.
    • Click Test, then click Save.
    • Configure your Identity Provider to use NetGovern services as the Service Provider. Enter the following metadata URLs:
    • NetGovern Administration: https://<hostname>/sso/metadata.xml
    • NetGovern Search: https://<search box hostname>:8443/saml/metadata.xml
    • Add a new Relying Party Trust in the ADFS control panel for NetGovern Administration/Quarantine. Enter the following information:
    • Federation metadata address: https://<hostname>/sso/metadata.xml
    • Display Name: NetGovern
    • Right-click on the Relying Party Trust you just created and select Edit Claim Rules.
    • Add a new rule using Send LDAP Attributes as Claims as the Claim rule template.
    • Set the Attribute Store to Active Directory.
    • Map LDAP Attribute to Outgoing Claim Type as follows:
    • Save your new claim rule.
    • Add another rule using Send Group Membership as a Claim as the claim rule template. Enter the following details:
    • Save your new claim rule.
    • Add a new Relying Party Trust in the ADFS control panel for NetGovern Search. Enter the following information.
    • The default Federation metadata address: https://<search hostname>:8443/saml/metadata.xml
    • Display Name: NetGovern Search.
    • Right-click the newly-created Relying Party Trust and select Edit Claim Rules.
    • Add a new rule using Send LDAP Attributes as Claims as the Claim rule template.
    • Set the Attribute Store to Active Directory.
    • Map LDAP Attribute to Outgoing Claim Type as follows:

    You should now be able to log in to NetGovern Archive and NetGovern Search using SSO.

    The following steps are available in the Admin UI and require you to have an Identity Provider in place.

    NOTE
    In the event that you would like to perform a test setup before proceeding with actual configuration, you can select a built-in mock Identity Provider called Test. This can be used for test or demo environments. However, for security reasons, you should not use a mock Identity Provider for production environments.
    • Log into the Admin UI. In Services, open the SSO tab.
    • Under SSO Type, select SAML.
    • Enter the metadata URL for your Identity Provider on this page.
    • Click Test, then click Save.
    • Configure your Identity Provider to use NetGovern services as the Service Provider. Enter the following metadata URLs:
    • NetGovern Administration: https://<hostname>/sso/metadata.xml
    • NetGovern Search: https://<search box hostname>:8443/saml/metadata.xml
    • Map the attributes in your Identity Provider from LDAP (or elsewhere). Enter the following values:
    • NOTE
      Attributes may appear slightly different, depending on your Identity Provider.
    • Map the attributes for group membership for administrators. Enter the following values:
    • NOTE
      Attributes may appear slightly different, depending on your Identity Provider.

    You should now be able to log in to NetGovern Archive and NetGovern Search using SSO.

    You can configure Single Sign-On (SSO) for the NetGovern Admin UI or NetGovern Search using SAML with the Azure AD Identity Provider.

    IMPORTANT
    You can only use the Identity Provider to configure SSO integration for the NetGovern Admin UI or NetGovern Search.
    • Log in to the Azure portal as an Administrator with enterprise application creation rights.
    • In the Browse Azure AD Gallery overview, select Create your own application.
    • Enter the name of your application in the relevant field. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.
    • The application's overview page will open.
    • From the left-hand pane of the overview page, select Single sign-on. Click on SAML to get started.
    • In the Basic SAML Configuration section, enter the values displayed below. Click Edit to begin.
    • Enter the Identifier (Entity ID). This is the URL of the application that you are configuring. Choose one of the following:
      • For the NetGovern Admin UI: 
      • https://admin.netmail.com/sso/metadata.xml
      • For NetGovern Search: 
      • https://search.netmail.com/saml/metadata.xml
    • Enter the Reply URL (Assertion Customer Service URL). Choose one of the following:
      • For the NetGovern Admin UI: 
      • https://admin.netmail.com
      • For NetGovern Search:
      • https://search.netmail.com
    • Enter the Sign On URL. This is the same value entered as the Reply URL.
    • Do not enter the Relay State URL.
    • Enter the Logout URL only if you are configuring NetGovern Search. For NetGovern Search, enter the following Logout URL: 
    • https://search.netmail.com/logged_out.html

    • In the next section, Attributes & Claims, leave the default parameters.

      NOTE
      Your IPRO Support Representative might advise you to adjust the default parameters. To begin, click Edit.

      For the NetGovern Admin UI, enter the following:

      For NetGovern Search, enter the following:

    • In the next section, SAML Signing Certificate, copy the value entered in the App Federation MetaData URL field. You will be entering this in the NetGovern Admin UI.

    • Log in to the NetGovern Admin UI and navigate to Services > SSO.

    • In the Identity Provider Configuration section, paste the App Federation MetaData URL. Click Save.

    • Return to the Azure portal. Review the application configuration details.

    • (Optional) Click Test to verify Single Sign-On.

    • NOTE
      This option is only available when you have at least one available user with archived and/or indexed data.

    • Enable Users and Groups to use Single Sign-On by granting access to the configured application. From the left-hand pane of the application's overview page, select Users and Groups.

      You can manually search for Users and/or Groups by using the Search Bar or you can click on Add user/group. The Users and Groups selected will be able to access the NetGovern Admin UI or NetGovern Search using Single Sign-On (SSO).

    Using SSO requires a valid certificate. A self-signed certificate will not be sufficient for NetIQ Access Manager 4.5. Please ensure that your NetGovern system is using a valid, properly-signed certificate before continuing.

    • Log into the Admin UI. In Services, open the SAML tab.
    • For Identity Provider, enter the hostname of the NetIQ Access Manager system, and the rest of the URL will populate automatically.
    • Example: https://netiq_fqdn/nidp/saml2/metadata
    • Click Test, then click Save.
    • Configure your Identity Provider to use your NetGovern services as the Service Provider. Enter the following metadata URLs:
    • NetGovern Administration: https://<hostname>/sso/metadata.xml
    • NetGovern Search: https://<search hostname>:8443/saml/metadata.xml
    • Log into NetIQ Access Manager.
    • In the Identity Servers tab, click Edit Configuration.
    • Go to IDPCluster > Roles > Manage Policies.
    • In Policies, select New and provide a name (i.e., “Admin”). This rule ensures that if the authenticated user is a member of the Admin group in eDirectory, access to the NetGovern Admin UI will be granted. Click OK.
    • Create conditions for Admins and actions as shown. Click OK on this page, and on the following page.
    • Now do the same for Non-Admins. In Policies, select New and provide a name (i.e., “Non-Admin”). This rule ensures that if the authenticated user is a member of the Non-Admin group in eDirectory, access to the NetGovern Admin UI will be granted. Click OK.
    • Create conditions for Non-Admins and actions as shown. Click OK on this page, and on the following page.
    • Apply the changes and click Close.
    • Make sure the new rules you just created are enabled. Select them and click Enable. Click Apply and OK.
    • You must update the configuration every time you make changes. On the Identity Servers page, click Update All, then click OK. Click Refresh. On this page, selection options may vary.
    • You must update the devices in Access Gateway. Go to Devices > Access Gateways > AG-Cluster, and click Servers to update.
    • In Identity Servers, go to the Shared Settings tab.
    • Click New to create Attribute Mapping for “nameidentifier”. The syntax must be exact. Click OK.
    • Click New to create Attribute Mapping for “emailaddress”. The syntax must be exact. Click OK.
    • Click New to create Attribute Mapping for “role”. The syntax must be exact. Click OK.
    • You must update the configuration. On the Identity Servers page, click Update All, then click OK. Click Refresh. On this page, selection options may vary.
    • On the Identity Servers page, click Edit. On the IDPCluster page, go to the SAML2.0 tab to add a Trusted Provider. Click New and select Identity Provider.
    • Name the Trusted Provider “Admin” and enter the following URL:
    • https://<hostname>/sso/metadata.xml
    • Return to the SAML2.0 tab to add another Trusted Provider. Click New and select Identity Provider.
    • Name the Trusted Provider “Search” and enter the following URL:
    • https://<search hostname>:8443/saml/metadata.xml
    • Click Next to gather the metadata.
    • Go to Identity Servers > IDPCluster > Search > Configuration > Trust. Check Encrypt assertions and Encrypt name identifiers for the Search service.
    • Next, do the same for the Admin service. Go to Identity Servers > IDPCluster > UUI > Configuration > Trust. Check Encrypt assertions and Encrypt name identifiers.
    • Go to Identity Servers > IDPCluster > Search > Configuration > Attributes. Ensure that under Send with authentication, both “cn” and “mail” attributes and All Roles are selected for the Search service. Click Apply, then click OK.
    • Next, do the same for the Admin service. Go to Identity Servers > IDPCluster > UUI > Configuration > Attributes. Ensure that under Send with authentication, both “cn” and “mail” attributes and All Roles are selected. Click Apply, then click OK.
    • Go to Identity Servers > IDPCluster > Search > Configuration > Authentication Response. Set Binding to Post. Set Unspecified to <Not Specified>.
    • Next, do the same for the Admin service. Go to Identity Servers > IDPCluster > UUI > Configuration > Authentication Response. Set Binding to Post. Set Unspecified to <Not Specified>.
    • You must update the configuration. On the Identity Servers page, click Update All, then click OK. Click Refresh. On this page, selection options may vary.
    • Go to Dashboard > Applications > Access and Roles, and select the Admin and Non-Admin roles you previously created. click the Configuration Panel link to update the configuration. SSO configuration in NetIQ Access Manager 4.5 is now complete.

    In order for the Live EDA feature in NetGovern Search to be integrated with Live EDA in Ipro for Enterprise, Single Sign-On must be configured accordingly.

    • Go to Services > SSO.
    • Under SSO Type, select OpenID Connect.
    • Select Ipro IDP.
    • Enter the Identity Provider URL.
    • Click Save.
    • Log into the Admin UI. In Services, go to the SSO tab.
    • Clear the Identity Provider URL box.
    • Click Save.

    SSO should now be disabled.

    In most cases, if SSO is configured incorrectly, the ADFS event log can specify the error.

    In the event that you have set up SAML incorrectly, you have to redo configuration in the admin URL ending in /saml/.

    Example:

    https://10.201.2.230/saml

    Enter your credentials and repeat the configuration steps above.

    You can also enter the URL ending in /sso/metadata.xml in order to view and validate authentication details.

    Example:

    https://10.201.2.230/sso/metadata.xml