Introduction
Authentication management is the first line of defense and one of the critical building blocks of an organization's security, because it is the basis for user accountability: it grants access to valuable data only to those the organization approves. This whitepaper describes one of the authentication configurations of the TCPWave IPAM application, SAML.
About SAML Authentication
The Security Assertion Markup Language (SAML) is an XML-based open standard, first released by OASIS in 2002, for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). It is widely used for Single Sign-On (SSO). The current version is SAML 2.0.
SAML specifies three roles:
-
Principal: The user who initiates the request or tries to access a resource at the SP, typically through a web browser.
-
Identity Provider: The party that authenticates the principal and maintains the users' identities.
-
Service Provider: The service the user tries to log in to, such as a website or an application.
Workflow
The general SAML authentication workflow is as follows:
-
The principal requests a resource from the SP.
-
The SP redirects the principal's browser to the IdP's single sign-on URL with an authentication request.
-
The IdP authenticates the principal and returns a signed assertion to the SP's Assertion Consumer Service (ACS) URL; the SP verifies the assertion and grants access.
Configurations
TCPWave IPAM supports integration with SAML 2.0 compliant Identity and Access Management providers such as Okta. TCPWave IPAM acts as the SP, whereas Okta acts as the SAML IdP and authenticates the users through SSO. You must configure TCPWave IPAM as a Service Provider in Okta and configure the IdP (SAML) in TCPWave IPAM through the global options.
Service Provider Configuration in Okta
To configure TCPWave IPAM as SP in Okta:
-
Log in to the Okta Admin Console. The system displays the dashboard page.
-
Click Applications from the left menu bar.
-
Click Create App Integration. The system displays the Create a new app integration dialog.
-
Select SAML 2.0.
-
Click Next. The system displays the Create SAML Integration page.
-
Under General Settings, complete the following:
-
Enter the App name and, optionally, an App logo.
-
Click Next. The system navigates you to Configure SAML.
-
In Configure SAML >> SAML Settings, complete the following fields:
-
Single sign on URL = https://<host>:<port>/tims/acs
-
Audience URI (SP Entity ID) = https://<host>:<port>/tims/metadata
-
Name ID format = EmailAddress
-
Complete the following attributes in the Attribute Statements section:
-
FirstName = user.firstName
-
LastName = user.lastName
-
Email = user.email
-
Once the application is created, select the Sign On tab and click View Setup Instructions. The system displays the following values, which are needed for the TCPWave IPAM global options:
-
Identity Provider Single Sign-On URL
-
Identity Provider Issuer
-
X.509 Certificate
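The values typed into the Okta SAML settings describe the SP side of the trust. For orientation, here is an illustrative SAML 2.0 SP metadata document (an added example, not the actual output of the TIMS /tims/metadata endpoint) for an assumed host ipam.example.com on port 7443; its entityID, AssertionConsumerService Location and NameIDFormat are the three Okta fields above:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative SP metadata; host and port are assumed values -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ipam.example.com:7443/tims/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Name ID format = EmailAddress in the Okta app -->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <!-- Single sign on URL in the Okta app: where the IdP posts the assertion -->
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ipam.example.com:7443/tims/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

WantAssertionsSigned="true" is the SP-side statement that matters for security: it says the SP will only accept assertions it can verify with the IdP's signing certificate, which is the value entered later as the SAML IDP Certificate global option.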
SAML Configuration in the TCPWave IPAM
To enable SAML:
-
Navigate to Administration >> Security Management >> Authentication Configuration. The system displays the Authentication Configuration page with the grid of authentication types.
-
Select the authentication type SAML.
-
Click the switch button. The system displays the confirmation message "Are you sure to switch to SAML-based authentication? Click Yes to proceed."
-
Click Yes.
If all the global options required for the SAML IdP (listed below) are set, TIMS (the TCPWave IPAM server) switches the authentication mechanism to SAML.
The following global options facilitate the IdP integration:
-
SAML Organization Name: Name of the organization as configured in the SAML IdP.
-
SAML Organization Display Name: Organization name to display.
-
SAML Support Name: Name of the administrator who configured the SAML IdP, for support contact.
-
SAML Support Email: Email address of the administrator who configured the SAML IdP, for support contact.
-
SAML IDP Entity ID: Entity ID (Issuer) of the SAML IdP, shown as Identity Provider Issuer in the Okta setup instructions. TIMS compares the Issuer of incoming assertions against this value, which is how it tells assertions meant for it apart from those of other applications configured in the same IdP (in Okta, each app integration has its own issuer). This attribute is mandatory.
-
SAML IDP SSO URL: URL of the SAML IdP single sign-on endpoint, shown as Identity Provider Single Sign-On URL in the Okta setup instructions. The user's browser is redirected to this URL for authentication. This attribute is mandatory.
-
SAML IDP SLO URL: URL of the SAML IdP single logout endpoint. Control is passed to this URL when a TIMS user logs out. Not all IdPs support this flow, as the preferred method is to sign out from the IdP's dashboard. This attribute is mandatory.
-
SAML IDP Certificate: Signing certificate of the SAML IdP, shown as X.509 Certificate in the Okta setup instructions. TIMS (the SP) uses it to verify the signature on the responses and assertions the IdP sends; it does not encrypt the messages, whose transport protection comes from HTTPS on the SSO and ACS URLs. Enter the X.509 certificate exactly as the IdP displays it. This attribute is mandatory.
-
Okta's setup instructions do not list an SLO URL by default, so for the SAML IDP SLO URL global option take the SSO URL and replace sso with slo in its path.
-
Create users in Okta, or select existing ones, and assign the newly created application to them.
-
The system then displays the SAML login page instead of the TIMS login dialog.
The organization name, application name, and similar values shown on that page come from the IdP configuration and the global options above. Once the user enters the credentials of the account created in the IdP, the TIMS UI appears.
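To make the workflow described earlier and the role of each mandatory global option concrete, the following Python is an added example (not TCPWave code) of what the SP side does: build_authn_request() produces the request the browser carries to the SAML IDP SSO URL, and validate_response() applies the checks an SP must make on the response posted to its ACS URL. The host, port, Okta issuer and SSO URL are assumed values; the sample response is constructed and unsigned. Verifying the XML signature against the SAML IDP Certificate with an XML-DSig library is a precondition that the example does not reproduce.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Assumed values; they mirror the Okta app fields and the TIMS global options.
SP_ACS_URL = "https://ipam.example.com:7443/tims/acs"         # Single sign on URL
SP_ENTITY_ID = "https://ipam.example.com:7443/tims/metadata"  # Audience URI (SP Entity ID)
IDP_ENTITY_ID = "http://www.okta.com/exkEXAMPLE"              # SAML IDP Entity ID (assumed)
IDP_SSO_URL = "https://example.okta.com/app/tims/exkEXAMPLE/sso/saml"  # SAML IDP SSO URL (assumed)
CLOCK_SKEW = timedelta(minutes=3)  # tolerated drift between IdP and SP clocks


class SamlValidationError(Exception):
    pass


def _ts_attr(elem, attr):
    # Parse a mandatory xsd:dateTime attribute (UTC, whole seconds); reject if absent.
    if elem.get(attr) is None:
        raise SamlValidationError(f"missing {attr}")
    return datetime.strptime(elem.get(attr), TS).replace(tzinfo=timezone.utc)


def build_authn_request(request_id, issue_instant):
    """The SP's half of the workflow: the request the browser carries to the IdP SSO URL."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def validate_response(xml_text, pending_request_id, now):
    """Checks the SP applies to a Response posted to the ACS URL.

    Precondition: the XML signature over the Response/Assertion has already been verified
    against the SAML IDP Certificate (e.g. with xmlsec); without it nothing below is trustworthy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise SamlValidationError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    if root.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("Destination is not our ACS URL")
    if root.get("InResponseTo") != pending_request_id:
        raise SamlValidationError("Response does not answer a pending AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    # Issuer must be the configured IdP: this is what SAML IDP Entity ID is compared to.
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("Assertion issued by an unexpected IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    if now + CLOCK_SKEW < _ts_attr(cond, "NotBefore"):
        raise SamlValidationError("Assertion not yet valid")
    if now - CLOCK_SKEW >= _ts_attr(cond, "NotOnOrAfter"):
        raise SamlValidationError("Assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # an assertion minted for another SP must not log in here
        raise SamlValidationError("Audience does not include this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise SamlValidationError("SubjectConfirmationData Recipient is not our ACS URL")
    if now - CLOCK_SKEW >= _ts_attr(scd, "NotOnOrAfter"):
        raise SamlValidationError("Subject confirmation expired")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", default="", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
            "attributes": attrs}


# Constructed, unsigned sample Response (a real one carries a ds:Signature); fixed clock.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
REQ_ID = "_req-0001"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-0001" Version="2.0" IssueInstant="2024-01-15T12:00:00Z"
  Destination="{SP_ACS_URL}" InResponseTo="{REQ_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-0001" Version="2.0" IssueInstant="2024-01-15T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-01-15T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T11:59:00Z" NotOnOrAfter="2024-01-15T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The Issuer comparison is the check that the SAML IDP Entity ID option feeds; the Destination and Recipient comparisons are why the Okta Single sign on URL must be exactly the /tims/acs URL; the Audience comparison is why the Audience URI must be the SP entity ID. Skipping any of them lets an assertion issued for another application, or one replayed after its window, log a user in.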
Benefits – SAML Authentication
-
A single user identity for all resources, web and cloud services alike
-
Streamlined Access
-
No separate application password to set or renew
-
Lowered risk of a data breach through compromised application passwords
-
Single pane management of applications and identities
-
Improved sign-in experience for users
Conclusion
TCPWave leverages standard authentication protocols that give organizations controlled access to more IT resources, which in turn supports their business objectives. For information on how TCPWave and its extensive security features can meet your needs, contact the TCPWave Sales Team.