Authenticating using SAML

Introduction

This article outlines the information and steps you need in order to configure a Hypersocket VPN to authenticate against a Hypersocket SAML Identity Provider running on a Hypersocket SSO server.

Once configured, your users will be redirected to your Hypersocket SSO server to authenticate.


Step 1 - Create the Resource on the SSO server

Log into your Hypersocket SSO server as admin, navigate to Single Sign On -> SAML and click Create.

Give the resource a meaningful name, such as Hypersocket VPN.

In the Metadata tab, enter the Consumer URL, which is the URL of your VPN server, e.g. 'https://hypervpn.5ocket.net/hypersocket/ui'.


Select the Assertion tab, click the plus icon and add an attribute called api with a value of Hypersocket.

On the Roles tab, set which roles will be able to use this resource.

Step 2 - Export metadata and certificate

Next to the newly created resource, click the options icon and select Download Metadata. Save this file for the next step.


Navigate to Configuration -> Certificates, click the options icon next to SAML RSA and select Download Certificate.


Before proceeding to the next step, open the XML file containing the metadata and locate the logon and logoff service URLs. These are located towards the end of the document and will look like:

https://hypersso.5ocket.net/hypersocket/api/sso/logon/98304

https://hypersso.5ocket.net/hypersocket/api/sso/logoff/98304

Copy each URL in full, as these will be entered into the authentication settings on the VPN server.

Also take a copy of your entityId, which is located at the top of the file and looks something like:

https://hypersso.5ocket.net/hypersocket/api/sso/metadata/98304
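As an added example (not part of the original article or of the Hypersocket product), the script below parses a constructed IdP metadata document and pulls out the three values and the signing certificate that the VPN's SAML tab needs, refusing anything that is not IdP metadata or that points at a non-https endpoint. It assumes the Hypersocket export follows the standard SAML 2.0 metadata schema; the sample values mirror the URLs above and the certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample of SAML 2.0 IdP metadata (not a real export): the host
# and the 98304 id mirror the article's URLs, the certificate is a placeholder,
# and the Hypersocket export is assumed to follow the standard metadata schema.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://hypersso.5ocket.net/hypersocket/api/sso/metadata/98304">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE-BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://hypersso.5ocket.net/hypersocket/api/sso/logoff/98304"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://hypersso.5ocket.net/hypersocket/api/sso/logon/98304"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return the four values the VPN's SAML tab asks for, from IdP metadata.
    Rejects (ValueError) non-IdP metadata and non-https endpoints, so a
    truncated or SP file, or a plaintext URL, is never copied into the VPN."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an Identity Provider")

    def https_location(tag: str) -> str:
        el = idp.find(f"md:{tag}", NS)
        loc = el.get("Location", "") if el is not None else ""
        if not loc.startswith("https://"):
            raise ValueError(f"{tag} is missing or not an https URL")
        return loc

    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    return {
        "entity_id": root.get("entityID"),                      # Entity ID
        "sign_in_url": https_location("SingleSignOnService"),   # Sign-in URL
        "sign_out_url": https_location("SingleLogoutService"),  # Sign-out URL
        "signing_cert": "".join(cert.text.split()),  # base64 body, no whitespace
    }
```

Run it against the real metadata download to compare the extracted values with what you typed into the VPN before saving.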


Step 3 - Configure VPN SAML settings

Log on to your VPN server as admin. First, install the SAML Authentication module if it is not already installed.

Navigate to Extensions -> Extensions, then select the Available tab. Download the extension and restart the server.


Now navigate to Authentication -> Settings and select the SAML tab. Enter the values for Entity ID, Sign-in URL and Sign-out URL that you copied from the metadata.

Next to Certificate, click the choose file icon and select the certificate file downloaded earlier, then click the upload icon.


Step 4 - Configure VPN authentication

Navigate to Authentication -> Schemes and delete the Username + Password scheme from the browser scheme. Select the SAML scheme from the right-hand side by clicking the plus icon.

Click Save to update the authentication scheme.


Step 4 - Final Checks

You must ensure you know the password for the admin account on the SSO server, as you could otherwise lock yourself out of the VPN server.

During the first test it is a good idea to stay logged in to the VPN in one browser while you test SAML in another, in case you need to revert or alter any configuration that is stopping SAML from working.


Step 5 - Example login

When a user navigates to the Hypersocket VPN login page, the VPN no longer prompts for a username and password. Instead the user selects Logon.

The web browser then redirects to the SSO server URL, which prompts for authentication. The user enters their credentials there.

Once successfully authenticated, the browser redirects back to the VPN server and the user is logged on.
