For each IdP type there are a number of specific settings that must be configured.
LDAP & LDAP certificate Provider
The following fields apply to both LDAP and LDAP certificate providers. See the following subsections for fields specific to LDAP and LDAP certificate providers.
Complete the following fields to configure an LDAP or LDAP certificate provider:
Hostnames or IP Addresses. You can enter more than one host. AppGate ZTNA will choose one at random and use that each time. This provides load balancing and fail-over capability. It is assumed that all the remaining settings will be common across the LDAP hosts.
Port. Typically 389 for LDAP, 636 for LDAP over SSL, or 1812 for RADIUS.
Enable SSL. Use of SSL (LDAPS) is strongly recommended. To use SSL, an X.509 public key certificate should be uploaded to Trusted Certificates.
Service Account DN. We recommend that the Service account should have the minimum rights required to read the tree below base DN. Example "CN=Administrator, OU=Admins, OU=Users, DC=corp, DC=yourdomain, DC=com"
Service Account Password. This is the password for the service account user. It is important to configure the IdP to minimize LDAP lookup times. Please refer to authentication services for advice on using some of the following fields to best effect.
Base DN. Distinguished Name of user search base. Limits the scope of the user search in order to improve performance (avoids search covering the whole directory).
User Filter. An LDAP filter can be used to include/exclude specific groups of user accounts. The User Filter provides a powerful way to write expressions that include or exclude specific groups of users; for instance, 'All disabled user objects' or 'All users with "Password Never Expires" set'. There are some good examples here: https://social.technet.microsoft.com
Object Class (deprecated). Use the User Filter field instead.
NOTE
Do not use User Filter and Object Class together or the results will be concatenated together.
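As an added example (not from the AppGate documentation), the two User Filter cases named above written as Active Directory filter expressions, plus a filter that restricts sign-in to the enabled members of one group; the group DN and the helper names are constructed for illustration. The matching-rule OID is AD's bitwise-AND rule for userAccountControl:

```python
# Added example (not from the AppGate documentation): build Active Directory
# User Filter expressions. 1.2.840.113556.1.4.803 is AD's LDAP_MATCHING_RULE_BIT_AND.
UAC_ACCOUNTDISABLE = 0x0002        # account is disabled
UAC_DONT_EXPIRE_PASSWD = 0x10000   # "Password Never Expires" is set
BIT_AND = "1.2.840.113556.1.4.803"

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch)
    return "".join(out)

def uac_filter(flag: int, is_set: bool = True) -> str:
    """Match users where the given userAccountControl bit is set (or clear)."""
    clause = f"(userAccountControl:{BIT_AND}:={flag})"
    return clause if is_set else f"(!{clause})"

def user_filter(*clauses: str) -> str:
    """AND the clauses together with the usual person/user object restriction."""
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"

# 'All disabled user objects'
DISABLED_USERS = user_filter(uac_filter(UAC_ACCOUNTDISABLE))
# 'All users with "Password Never Expires" set'
PASSWORD_NEVER_EXPIRES = user_filter(uac_filter(UAC_DONT_EXPIRE_PASSWD))

def enabled_members_of(group_dn: str) -> str:
    """Only enabled accounts that are members of the given group (constructed use case)."""
    return user_filter(uac_filter(UAC_ACCOUNTDISABLE, is_set=False),
                       f"(memberOf={escape_filter_value(group_dn)})")
```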
Username Attribute. Attribute name of username field. Defaults to sAMAccountName in ActiveDirectory.
Membership Filter. The filter to use while retrieving nested groups of the user in Active Directory. Defaults to (objectCategory=group).
Membership Base DN. Distinguished Name of group search base in Active Directory. Limits the scope of the membership query in order to improve performance. Defaults to the Base DN setting.
LDAP Provider
The following fields appear only for LDAP providers:
Enable Password Warning. When configuring Active Directory, enabling this will warn users when their passwords are about to expire.
Threshold (days). Number of days prior to expiration that the warning will be displayed to the user.
Message. The given message will be displayed to the user. Use this field to guide the users on how to change their passwords. The expiration time will be displayed on the client in a separate section.
The Password Warning Message supports HTML so your message might be:
Your Company Domain password is about to expire <br><a href="https://iam-passwd.corp.company.com">Click here to update it.</a>
A system user-claim is provided (ag.passwordWarning); this can be used in a condition to allow extra network access while the warning is active. This in turn would allow remote (from the network) users sufficient access rights to be able to reset their passwords without having to come into the office. Below are two possible methods for password renewal:
The WebAccess expired password reset option available on Windows Server 2012R2 or Server 2016; see https://social.technet.microsoft.com/wiki/contents/articles/10755.windows-server-2012-rds-enabling-the-rd-webaccess-expired-password-reset-option.aspx
On Windows, if sufficient network access rights are allowed (see Allowing full 'network like' access), then the reset password option should work when a user does CTRL ALT DEL.
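The Threshold (days) setting depends on when Active Directory will expire the password. The following is an added example (not AppGate's implementation) of the standard AD arithmetic behind such a warning, working from the raw directory values; the sample timestamps are constructed, and whether AppGate evaluates the claim exactly this way is an assumption:

```python
# Added example (not AppGate's implementation): Active Directory password-expiry
# arithmetic. Inputs are the raw AD values: pwdLastSet (FILETIME, 100-ns ticks
# since 1601-01-01 UTC), the domain's maxPwdAge (a negative tick count) and
# userAccountControl. AD also exposes the constructed attribute
# msDS-UserPasswordExpiryTimeComputed, which yields the same instant.
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_DONT_EXPIRE_PASSWD = 0x10000          # "Password Never Expires" on the account
MAXPWDAGE_NEVER = -0x8000000000000000     # domain policy: passwords never expire

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int) -> Optional[datetime]:
    """Expiry instant, or None when the password never expires (0 maxPwdAge treated as unset)."""
    if uac & UAC_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    if pwd_last_set == 0:
        # "User must change password at next logon": treat as already expired
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set - max_pwd_age)   # maxPwdAge is negative

def password_warning(pwd_last_set: int, max_pwd_age: int, uac: int,
                     threshold_days: int, now: datetime) -> Tuple[bool, Optional[int]]:
    """(warning_active, whole_days_remaining) for a given Threshold (days) setting."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if expiry is None:
        return False, None
    remaining = expiry - now
    return remaining <= timedelta(days=threshold_days), remaining.days

if __name__ == "__main__":
    # Constructed sample: password set 2024-01-01, 42-day policy, checked 2024-02-05 12:00 UTC
    print(password_warning(133485408000000000, -36288000000000, 0x200, 7,
                           filetime_to_datetime(133516080000000000)))
```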
LDAP Certificate Provider
The following fields appear only for LDAP certificate providers:
User Certificate Priorities. An exact match on the Template and/or the Issuer field can be used to set the order the Certificates are shown in the client. Certain CAs issue Certificates that include an Issuer and a Certificate Template Information field. Enter one or more exact values (as found in these certificate fields) and then order the list. You can mix the two types of field. Valid to date will be used afterwards, with the furthest away being prioritized.
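An added example (not AppGate's code) of the ordering the User Certificate Priorities setting describes: entries are exact Issuer or Template values in the configured order, and the furthest "valid to" date decides between certificates with the same rank. The sample certificates are constructed, and placing unmatched certificates after matched ones is an assumption:

```python
# Added example (not AppGate's code): order a user's client certificates by the
# User Certificate Priorities list, then by the furthest "valid to" date.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    template: Optional[str]   # None when the CA did not include the template field
    not_after: date

def priority_rank(cert: ClientCert, priorities: List[str]) -> int:
    """Index of the first entry matching Issuer or Template exactly; len() if none match."""
    for idx, value in enumerate(priorities):
        if value == cert.issuer or (cert.template is not None and value == cert.template):
            return idx
    return len(priorities)

def order_certificates(certs: List[ClientCert], priorities: List[str]) -> List[ClientCert]:
    # key: rank ascending, then not_after descending (negated ordinal)
    return sorted(certs, key=lambda c: (priority_rank(c, priorities), -c.not_after.toordinal()))

# Constructed sample certificates for one user
SAMPLE = [
    ClientCert("alice (old smartcard)", "CN=Corp Issuing CA 1", "SmartcardLogon", date(2025, 6, 1)),
    ClientCert("alice (new smartcard)", "CN=Corp Issuing CA 1", "SmartcardLogon", date(2027, 6, 1)),
    ClientCert("alice (vpn)", "CN=Corp VPN CA", None, date(2028, 1, 1)),
    ClientCert("alice (test)", "CN=Lab CA", "TestUser", date(2029, 1, 1)),
]
PRIORITIES = ["SmartcardLogon", "CN=Corp VPN CA"]   # a Template entry and an Issuer entry, mixed

def ordered_subjects(certs=SAMPLE, priorities=PRIORITIES) -> List[str]:
    return [c.subject for c in order_certificates(certs, priorities)]
```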
CA Certificates. The CA certificates used to verify client certificates. If the client certificate is signed by an intermediate CA, the whole chain must be uploaded. If the client certificate includes a valid AIA extension, the root certificate suffices.
NOTE
When any certificates are approaching their expiration, then the Controller will issue a warning in the dashboard 30 days prior.
Skip X.509 external checks. When enabled the Controller WILL NOT contact the endpoints on the certificate extensions in order to verify revocation status and pull the intermediate CA certificates. NOT RECOMMENDED.
Certificate User Attribute. The Subject Alternative Name field is required to verify the username. Enter the LDAP attribute which maps to this name so the Appgate system can harvest all the user's LDAP attributes.
Verify Certificate on LDAP. Upon successful authentication, the Controller gets the public certificate from the client. This can be compared to the certificate on LDAP. If they are not the same, the authentication will fail. This optional check fetches the user's certificate from LDAP and then performs an additional binary comparison of the two certificates.
Attribute. Enter the LDAP Attribute that points to the users' certificates on LDAP. In Active Directory this is normally 'userCertificate'.
OIDC Provider
See System Configuration for more information about how OIDC has been implemented in AppGate ZTNA. OIDC works differently from SAML, so you can use the same IdP configuration for the client, Portal, and the admin UI. Look in https://myidp/.well-known/openid-configuration if you are having trouble finding these fields in the IdP configuration screens.
Complete the following fields to configure an OIDC provider:
Issuer. The base URL provided by the IdP; used when authorizing with the OIDC IdP.
Audience/Client ID. Enter the unique client ID from the configuration in your OIDC IdP.
Scope. Each scope added here returns a set of user attributes. By default, three are included.
Google OIDC Configuration. Google's implementation of OIDC requires some specific settings for it to work correctly.
Client Secret. Enter the client secret that must be used for PKCE.
Enable Refresh Token. Make the refresh token part of the OIDC request (instead of being part of the OIDC scope).
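An added example (not from the AppGate documentation) of checking the Issuer and Scope values you are about to enter against the IdP's discovery document at <Issuer>/.well-known/openid-configuration. The discovery document, issuer and scope names below are constructed; the three default scopes are not named on this page, so openid/profile/email is an assumption:

```python
# Added example (not from the AppGate documentation): cross-check OIDC form
# values against a (constructed) OpenID Connect discovery document.
import json
from typing import Dict, List

DISCOVERY_JSON = """{
  "issuer": "https://myidp.example.com",
  "authorization_endpoint": "https://myidp.example.com/oauth2/authorize",
  "token_endpoint": "https://myidp.example.com/oauth2/token",
  "jwks_uri": "https://myidp.example.com/oauth2/keys",
  "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
  "response_types_supported": ["code"],
  "code_challenge_methods_supported": ["S256"]
}"""

def discovery_url(issuer: str) -> str:
    """Where the discovery document must live for this issuer (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc_settings(doc: Dict, configured_issuer: str, scopes: List[str]) -> List[str]:
    """Return problems found; an empty list means the form values match the IdP."""
    problems = []
    # Relying parties compare the issuer exactly: a trailing slash or an
    # http/https difference makes every ID token fail validation.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"Issuer mismatch: form has {configured_issuer!r}, IdP says {doc.get('issuer')!r}")
    if not configured_issuer.startswith("https://"):
        problems.append("Issuer must be an https URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "openid" not in scopes:
        problems.append("Scope must include 'openid' for an OIDC flow")
    unsupported = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if unsupported and "scopes_supported" in doc:
        problems.append(f"Scopes not advertised by the IdP: {unsupported}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("IdP does not advertise PKCE with S256")
    return problems

def check_sample(issuer="https://myidp.example.com", scopes=("openid", "profile", "email")):
    return check_oidc_settings(json.loads(DISCOVERY_JSON), issuer, list(scopes))
```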
RADIUS Provider
Complete the following fields to configure a RADIUS provider:
Hostnames or IP Addresses. You can enter more than one host. AppGate ZTNA will choose one at random and use that each time. This provides load balancing and fail-over capability. It is assumed that all the remaining settings will be common across the RADIUS hosts.
Port. Typically 1812 for RADIUS (389 and 636 are the LDAP and LDAPS ports).
Shared Secret. The shared secret for the specific RADIUS server.
Authentication Protocol. The authentication protocol used to log in to the RADIUS server, such as CHAP or PAP. Use CHAP if you have a choice.
SAML Provider
See System Configuration for more information about how SAML has been implemented in AppGate ZTNA. SAML has been implemented differently for the client, Portal, and admin UI, so you will have to configure SAML once for each.
Complete the following fields to configure a SAML provider:
Use XML Metadata file. You may upload the Metadata XML file from the SAML provider to configure this provider. It will fill in the Single Sign-On URL, Issuer, and Public Certificate fields.
This is the recommended way to populate these fields as it avoids needing to match fields between the SAML provider and AppGate ZTNA. Most SAML providers provide a facility for downloading the metadata in their UI (or there may be a special URL you need to use for getting the metadata).
The only field left to complete is Audience (and the optional Decryption Key field).
Manually complete the following fields:
Audience. The Audience URI - this attribute must match exactly the value entered in your SAML identity provider settings.
ForceAuthn. Enables the ForceAuthn flag in the SAML request. If the SAML provider supports this flag, it will require the user to enter their credentials every time the client requires SAML authentication.
Public Certificate. The X.509 public key certificate that you downloaded from your identity provider. It is used to verify that the SAML assertion is signed by the provider. Copy and paste the contents of the certificate into the dialog box or click "Choose a file" and browse to the file.
NOTE
When any certificates are approaching their expiration, then the Controller will issue a warning in the dashboard 30 days prior.
Decryption Key. Optional. Private PEM key used to decrypt encrypted assertions.