KB40079 - Configuring PCS as a Service Provider (SP) with Centrify IdP
Information

Last Modified Date: 12/10/2015 7:59 PM

Synopsis
When configuring SAML authentication with the PCS device as the SP and Centrify as the IdP, special considerations are needed when configuring the WS-Fed Advanced script for the Centrify IdP.
Problem or Goal
The Centrify IdP has been configured and is working for SAML-based authentication with other SPs. However, when it is configured with a PCS device as the SP, authentication fails with one or more of the following error messages:
  • Invalid/Missing sign-in URL
  • No valid assertion found in SAML response
Cause
For WS-Fed applications, you must edit the advanced script to specify which user attribute and other settings should go inside the security token response (RSTR).

Note: Before editing the script, be sure to locate the claims information that you need to specify in the script, as described under gathering existing information in your WS-Fed application.
Solution
The following parameters must be configured in the advanced script so that the SAML assertion produced by Centrify can be used with the PCS device as the SP.

On the advanced configuration page, there is an option to adjust the default script. This must be done (and the script can be reset for testing, if needed).
For the PCS / PPS devices, four items need to be adjusted. The default values refer to a placeholder site known as login.myapp.com.
  • setAudience();
  • setRecipient();
  • setServiceUrl();
  • setHttpDestination();

The value for setAudience is the sign-in URL being used for SAML authentication. For example:
setAudience('https://vpn.pulsesecure.net/'); or setAudience('https://vpn.pulsesecure.net/SAML');

The value for setRecipient is the Connect Secure Instance ID of the SAML server that was created. The same value can be used by multiple sign-in URLs. For example:
setRecipient('https://vpn.pulsesecure.net/dana-na/auth/saml-endpoint.cgi?p=sp1');

The value for setServiceUrl is the same as setAudience. It can be set with or without a path. For example:
setServiceUrl('https://vpn.pulsesecure.net/'); or setServiceUrl('https://vpn.pulsesecure.net/SAML');

The value for setHttpDestination is the SAML Consumer Agent on the IVE. This URL is the same whenever the IVE is used for validation against an IdP. For example:
setHttpDestination('https://vpn.pulsesecure.net/dana-na/auth/saml-consumer.cgi');
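As an added sanity check (example code, not part of this article and not Centrify's or Pulse Secure's software), the following Node.js snippet pulls the four calls out of a saved copy of the advanced script and flags values that still point at login.myapp.com, do not share the sign-in URL's host, or do not use the PCS endpoint paths shown above. The script text it checks is constructed from the article's example values.

```javascript
// Added example (not Centrify's or Pulse Secure's code): check the four values of a
// Centrify WS-Fed advanced script for consistency with a PCS service provider.
// Assumption: the script text is available as a string and uses single-quoted literals.
const DEFAULT_HOST = 'login.myapp.com';                      // host in Centrify's default script
const SP_ENDPOINT_PATH = '/dana-na/auth/saml-endpoint.cgi';  // Connect Secure Instance ID path
const SP_CONSUMER_PATH = '/dana-na/auth/saml-consumer.cgi';  // SAML consumer agent on the IVE
const NAMES = ['Audience', 'Recipient', 'ServiceUrl', 'HttpDestination'];

// Pull setX('...') values out of the script. Matching is case-sensitive, as in JavaScript,
// so a misspelling such as setServiceURL shows up as a missing setServiceUrl.
function extractSettings(script) {
  const re = /\bset(Audience|Recipient|ServiceUrl|HttpDestination)\(\s*'([^']*)'\s*\)/g;
  const found = {};
  for (let m; (m = re.exec(script)) !== null; ) found[m[1]] = m[2];
  return found;
}

// Returns a list of problems; an empty list means the four values agree with each other.
function checkPcsScript(script) {
  const s = extractSettings(script);
  const problems = [];
  const urls = {};
  for (const name of NAMES) {
    if (s[name] === undefined) { problems.push(`set${name} is missing`); continue; }
    let u = null;
    try { u = new URL(s[name]); } catch (e) { /* reported on the next line */ }
    if (!u || u.protocol !== 'https:') { problems.push(`set${name} is not an https URL`); continue; }
    if (u.hostname === DEFAULT_HOST) problems.push(`set${name} still points at the default ${DEFAULT_HOST}`);
    urls[name] = u;
  }
  if (problems.length) return problems;   // the cross-checks below need all four values
  const host = urls.Audience.hostname;    // the sign-in URL's host anchors everything else
  for (const name of NAMES) {
    if (urls[name].hostname !== host) problems.push(`set${name} host differs from setAudience host ${host}`);
  }
  // Recipient carries the instance id in the p= query parameter, as in the article's example.
  if (urls.Recipient.pathname !== SP_ENDPOINT_PATH || !urls.Recipient.searchParams.has('p'))
    problems.push(`setRecipient should be ${SP_ENDPOINT_PATH}?p=<instance id>`);
  if (urls.HttpDestination.pathname !== SP_CONSUMER_PATH)
    problems.push(`setHttpDestination should be ${SP_CONSUMER_PATH}`);
  return problems;
}

// Constructed sample built from the article's example values.
const SAMPLE_SCRIPT = `
setAudience('https://vpn.pulsesecure.net/SAML');
setRecipient('https://vpn.pulsesecure.net/dana-na/auth/saml-endpoint.cgi?p=sp1');
setServiceUrl('https://vpn.pulsesecure.net/');
setHttpDestination('https://vpn.pulsesecure.net/dana-na/auth/saml-consumer.cgi');
`;
```

Run it with `node` after pasting the saved script into SAMPLE_SCRIPT; `checkPcsScript(SAMPLE_SCRIPT)` returns an empty array for a consistent script.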
Created By: Nick Christen