KB22101 [AAA] SAML support on FIPS SA devices

This article provides information on the support extended by FIPS devices for SAML.

 

Pulse Connect Secure supports SAML for SSO functionality to itself and backend servers. On FIPS devices, not all SAML functionalities are supported. This article defines what is supported on FIPS devices.

The SAML functionality is not integrated with how the private key is managed on FIPS devices. This causes any SAML functionality that requires access to the private key to fail.

SAML features on FIPS devices will work in the following scenarios:

When configuring the PCS as a Consumer/ServiceProvider:

To do this, configure a SAML Auth server on the PCS:
 

• All SAML1.1 configurations will work.

 

• The SAML2.0 configuration will work only if the signing and encryption of assertions is disabled (to do this, set the Select Device Certificate for Signing and Select Device Certificate for Encryption options to Not Applicable).
   

  

When configuring PCS as an IdentityProvider/Producer:

To do this, configure a SAML SSO policy on the PCS under Resource Policies > Web > SAML SSO.
 

• SAML 1.1 will work only in Artifact Profile. POST profile is currently not supported.

 

• SAML 2.0 will work only in Artifact Profile. POST profile is currently not supported.