Configuring Single Sign-On Authentication

Tripwire Log Center supports the Security Assertion Markup Language (SAML) 2.0 protocol for single sign-on (SSO) authentication. SAML is an XML-based protocol that uses security tokens to pass authentication credentials between a SAML authority (Identity Provider or IdP) and a SAML consumer, such as the TLC Manager.

Once SSO authentication has been successfully configured (as described below), TLC will authenticate with the IdP when a TLC user attempts to log in from a TLC Console. If the IdP recognizes the login credentials, it sends a response to the TLC Manager, which is known as a SAML assertion. Each SAML assertion consists of the following tags:

X509Certificate contains the encoded certificate used by the IdP.

SubjectConfirmationData contains the Address attribute, which is the IP Address of the TLC Console host machine from which the user is attempting to log in.

NameID contains the ID of the user account.

To enable single sign-on authentication, complete the following steps:

Create at least one TLC user account with administrator privileges and an authentication method of Single sign-on (see Creating and Deleting User Accounts).

Acquire the IdP metadata file from your IdP server.

On each of your TLC Managers, copy this file to the following directory:

<TLC_Manager_install_dir>\Data\SSOMetadata\

Where <TLC_Manager_install_dir> is the installation directory for TLC Manager.

If needed, re-name these files to idp-metadata.xml.

Open the Authentication tab of your Primary Manager's properties dialog (see Working with Managers).

In the Authentication tab, click Create TLC Metadata to create the tlc-metadata-<ip_address>.xml file (see Table 41).

On the IdP:

Add each of your TLC Managers to the Service Providers list.

Copy the tlc-metadata-<ip_address>.xml file to the IdP's metadata folder.

To expose the IDs of TLC user accounts, enter "uid" as the value for the NameID tag.

If needed, expose the X509Certificate and SubjectConfirmationData tags.

Restart the IdP.

Tip	For further details about configuring your IdP, see your IdP's user documentation.

In the Authentication tab of your Primary Manager's properties dialog, complete the Single sign-on section (see Table 41) and click OK.

Tip	In some cases, Windows might block the IdP's certificate when a user attempts to log in. If this occurs, authentication will fail and the TLC Console will present an error. To avoid this issue, Tripwire recommends either: Using an IdP certificate with a key length that meets the Windows requirement, or Lowering the Windows requirement in order to match the certificate's key length. For more information about the Windows requirement for key lengths, click here.

Tip

In some cases, Windows might block the IdP's certificate when a user attempts to log in. If this occurs, authentication will fail and the TLC Console will present an error.

To avoid this issue, Tripwire recommends either:

Using an IdP certificate with a key length that meets the Windows requirement, or

Lowering the Windows requirement in order to match the certificate's key length.

For more information about the Windows requirement for key lengths, click here.

Table 41. Fields in the Single sign-on section of the Authentication tab
Field/Button	Description
Enable	Enables authentication with your IdP using SSO. If enabled, all other authentication types will be disabled (i.e., Internal, LDAP/AD, and RADIUS). Caution: When you enable or disable SSO authentication, TLC terminates all active user sessions.
Identity Provider login URL	The URL of your IdP. For example: https://<idp>/idp/profile/SAML2/Redirect/SSO Where <idp> is the IP address or host name of the IdP. To authorize the idp-metadata.xml file for use with your IdP, click Authorize.
Identity Provider metadata	Indicates the status of the idp-metadata.xml file. To enable SSO authentication, the status must be Authorized. - Authorized indicates the idp-metadata.xml file is in the SSOMetadata directory and has been authorized to connect with the IdP. - Unauthorized indicates the idp-metadata.xml file is in the SSOMetadata directory but has not been authorized to connect with the IdP. - Modified indicates the idp-metadata.xml file was authorized to connect with the IdP but has subsequently been altered. - Not Found indicates the SSOMetadata folder does not contain the idp-metadata.xml file.
Certificate store	The certificate store containing the certificate used for communications with other TLC systems (see Configuring your Manager's SSL Certificate).
Certificate name	The name of the certificate. By default, TLC selects the certificate used to install TLC Manager. To select a different certificate on the TLC Console host system, click Find Certificate.
Create TLC Metadata	Generates the following metadata file: <TLC_Manager_install_dir>\Data\SSOMetadata\tlc-metadata-<ip_address>.xml Where <TLC_Manager_install_dir> is the installation directory for TLC Manager, and <ip_address> is the TLC Manager's IP address. The IdP uses this metadata file to authenticate the Manager. Note: In this directory (SSOMetadata), this process also creates a text file containing a checksum value for the metadata file.