Order Number: 326986-002US McAfee ® Cloud Identity Manager Google-LDAP Quick Start Guide For McAfee ® Cloud Identity Manager v3.1 August 2012


COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, and WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Document Revision History

Revision Number   Description                                                          Release Date
001US             McAfee® Cloud Identity Manager Google-LDAP Quick Start Guide v2.1    March 2012
002US             McAfee® Cloud Identity Manager Google-LDAP Quick Start Guide v3.1    August 2012


Contents

1.0 Introduction to McAfee® Cloud Identity Manager
    1.1 Supported Environments
    1.2 Supported Browsers
    1.3 Available Documentation
    1.4 Technical Support

2.0 Configuring SSO for a Google User
    2.1 Audience
    2.2 Prerequisites
    2.3 How to Configure and Test a Google Cloud Connector
    2.4 Create an LDAP Identity Store
    2.5 Create an LDAP Identity Connector
    2.6 Configuring a Google Cloud Connector
        2.6.1 Select Google as the Cloud Application Type
        2.6.2 Select the Identity Connector
        2.6.3 Configure SAML Credential Mapping
        2.6.4 Configure the SAML Assertion
        2.6.5 Configure User Provisioning
        2.6.6 Apply an Authorization Policy
        2.6.7 Review the Google Cloud Connector Configuration
    2.7 Certificate Management
    2.8 Enable SSO and SLO in Google
    2.9 Test the Google SSO Connection


1.0 Introduction to McAfee® Cloud Identity Manager

McAfee® Cloud Identity Manager (McAfee® CIM) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use McAfee® CIM to simplify and improve the authentication process for their customers.

McAfee® CIM provides support for the following features:
• Extensible Framework
• Web Single Sign On (SSO)
• Multiple Authentication Methods
• Credential Mapping and User Provisioning
• Authorization Policies and Access Control Enforcement
• Event Auditing and Monitoring
• Connectors for Popular Cloud Services and Applications
• Web-based Management Console

McAfee® CIM runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing McAfee® CIM as a stand-alone server or as a cluster of servers, see the McAfee® Cloud Identity Manager Installation Guide. For information about configuring McAfee® CIM in the Management Console, see the McAfee® Cloud Identity Manager Administrator’s Guide.

McAfee® CIM provides connectors for many popular cloud services and applications, including Google Apps* and Salesforce.com*. These connectors are built in to McAfee® CIM and simplify the deployment of the cloud service or application in an organization. Web SSO requires configuration in the Management Console and in the cloud application’s user interface. Instructions for configuring SSO on the cloud application side are included in the documentation set.

For customers who have Java*-based or .NET* web applications that do not support SAML2 authentication, McAfee® CIM provides a custom connector. For information on integrating Java-based and .NET web applications with McAfee® CIM, see the McAfee® Cloud Identity Manager Integration Guide.

For software developers who want to write their own cloud service connectors or authentication modules, McAfee® CIM provides an SDK. For more information about the SDK, see the McAfee® Cloud Identity Manager Developer’s Guide.


1.1 Supported Environments
McAfee® CIM supports the following environments:

Version                                                          Architecture
                                                                 IA-32   Intel® 64
Linux* OS
  Red Hat* Enterprise Linux* Server and Advanced Platform 5.0    yes     yes
Windows* OS
  Windows Server 2003 Standard Edition*                          yes     yes
  Windows Server 2003 DataCenter Edition*                        yes     yes
  Windows Server 2003 Enterprise Edition*                        yes     yes
  Windows Server 2008*                                           yes     yes

1.2 Supported Browsers
McAfee® CIM provides two types of browser support:

• Application Portal — For end users who seek access to SaaS and web applications through a portal using McAfee® CIM identity services, McAfee® CIM supports the following desktop and mobile web browsers. Note that McAfee® CIM services are running in the background and are not visible to the end user:
  Desktop browsers
    Chrome* 16
    Firefox* 9
    Internet Explorer* 7, 8 and 9
    Safari* 5.1.2
  Mobile browsers
    Android* 2.0 devices and WebKit* browser
    iOS* devices and Safari browser

• Management Console — The McAfee® CIM Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, McAfee® CIM supports the following desktop and mobile web browsers:
  Desktop browsers
    Firefox 9
    Internet Explorer 7, 8 and 9
  Mobile browsers
    None are currently supported.


1.3 Available Documentation
The McAfee® CIM documentation set includes the following guides:

• McAfee® Cloud Identity Manager Administrator’s Guide — The Administrator’s Guide is a complete guide to the Management Console and covers the configuration tasks needed to administer McAfee® CIM.

• McAfee® Cloud Identity Manager Developer’s Guide — The Developer’s Guide provides information for software developers who want to write custom Java code that extends McAfee® CIM functionality.

• McAfee® Cloud Identity Manager Installation Guide — The Installation Guide includes the tasks and procedures that you need to install and uninstall McAfee® CIM as a stand-alone server on Microsoft Windows and Linux operating system platforms. The guide also includes how to start and stop the McAfee® CIM service after it is installed.

• McAfee® Cloud Identity Manager Integration Guide — The Integration Guide provides instructions on how to integrate Java-based and .NET* web applications that do not support SAML2 authentication with McAfee® CIM.

Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee® Cloud Identity Manager Administrator’s Guide.

1.4 Technical Support
For technical assistance, contact McAfee® Technical Support by one of the following options:

Phone number: 1-800-937-2237

Support portal: https://mysupport.mcafee.com


2.0 Configuring SSO for a Google User

In the Software as a Service (SaaS) model, the Service Provider hosts the application and data in the cloud, and end users access the hosted service over the Internet through a web browser on a local computer. Google is an example of a Service Provider that offers Software as a Service, including these Google Apps: Google Mail (Gmail), Google Calendar, Google Docs, and Google Contacts.

McAfee® CIM offers a built-in Google Cloud Connector that simplifies the integration of Google Apps with McAfee® CIM identity and SSO services. A Cloud Connector is the configuration that allows McAfee® CIM to connect to and provide services for a cloud application. When a Google Cloud Connector is configured, McAfee® CIM can provide identity and SSO services for Google users who want access to Google Apps in the cloud.

Each Cloud Connector instance is paired with an Identity Connector during configuration. An Identity Connector is the configuration that allows McAfee® CIM to connect to and communicate with an identity store. Each Identity Connector can be paired with multiple Cloud Connectors.

2.1 Audience
This Quick Start Guide is intended for experienced administrators who do not need a lot of background information and want to get started quickly. When needed, you can find more complete information in the McAfee® Cloud Identity Manager Administrator’s Guide.

2.2 Prerequisites
Before you configure a Google Cloud Connector, verify that you have the following prerequisites:

• An instance of McAfee® CIM installed on Windows or Linux — See the McAfee® Cloud Identity Manager Installation Guide.

• A Google administrator account, the administrator’s email address and password, and the name of the Google Apps domain — If you do not have an administrator account, you can visit the following link to obtain one: http://www.google.com/apps.


2.3 How to Configure and Test a Google Cloud Connector
This guide shows you how to configure and test a Google Cloud Connector paired with an LDAP Identity Connector. Configuring and testing a Google Cloud Connector with an LDAP Identity Connector involves the following steps. For more information, see the corresponding sections:
1. Create an identity store and an Identity Connector in the Management Console — See sections 2.4 Create an LDAP Identity Store and 2.5 Create an LDAP Identity Connector.
2. Configure a Google Cloud Connector in the Management Console — See section 2.6 Configuring a Google Cloud Connector.
3. Certificate Management — See section 2.7 Certificate Management.
4. Configure your Google administrator account for integration with McAfee® CIM — See section 2.8 Enable SSO and SLO in Google.
5. Test the Google Cloud Connector — See section 2.9 Test the Google SSO Connection.

Note: Although the Google Cloud Connector is configured with an LDAP Identity Connector in these procedures, you can use any supported Identity Connector.


2.4 Create an LDAP Identity Store
In this procedure, you create and configure an LDAP identity store in the Management Console.

To create an LDAP identity store
1. Open the Management Console, click Identity Connectors on the Cloud Connectors drop-down menu, and select the Identity Store option.
2. Click +New Identity Store.
   The New Identity Store dialog opens.
3. Select LDAP for the identity store Type.
4. To configure an SSL connection to the LDAP identity store, select the Enable SSL check box.
5. Specify the following fields for the LDAP identity store:
   Server Host
     Specifies the host name or IP address of the server on which the LDAP identity store is installed.
   Server Port
     Specifies the port number of the server on which the LDAP identity store is installed.
   Username
     Specifies the user name required for access to the LDAP identity store.
   Password
     Specifies the password required for access to the LDAP identity store.
6. (Optional) Click Test to test the connection to the LDAP identity store and verify the settings.
7. Click Save Identity Store.
   The LDAP configuration is saved and added to the Identity Store view.


2.5 Create an LDAP Identity Connector
In this procedure, you create and configure an LDAP Identity Connector using the LDAP identity store that you created in section 2.4 Create an LDAP Identity Store.

To create an LDAP Identity Connector
1. Open the Management Console, and click Identity Connectors on the Cloud Connectors drop-down menu.
2. Click +New Identity Connector.
   The New Identity Connector dialog opens.
3. Type a name in the Identity Connector field.
4. Select “LDAP” from the Identity Connector Type drop-down menu.
   The New Identity Connector dialog expands to show configuration options and output attributes for an LDAP Identity Connector.


5. Select the LDAP identity store that you created from the Identity Store drop-down menu.
   The fields in the configuration options and output attributes areas are populated with values for the specified LDAP identity store.
6. Click Save Identity Connector.
   The Identity Connector configuration is saved and added to the Identity Connector view.


2.6 Configuring a Google Cloud Connector
Google cloud applications support SAML authentication. To configure a Google Cloud Connector, you select the cloud application type and the Identity Connector, you configure SAML credential mapping, a SAML assertion, and user provisioning, and you review the configuration. For more information, see the corresponding sections:
1. Cloud Application Type — See section 2.6.1 Select Google as the Cloud Application Type.
2. Identity Connector — See section 2.6.2 Select the Identity Connector.
3. SAML Credential Mapping — See section 2.6.3 Configure SAML Credential Mapping.
4. SAML Assertion — See section 2.6.4 Configure the SAML Assertion.
5. User Provisioning — See section 2.6.5 Configure User Provisioning.
6. Authorization Enforcement — See section 2.6.6 Apply an Authorization Policy.
   Note: The Authorization Enforcement step is optional.
7. Review — See section 2.6.7 Review the Google Cloud Connector Configuration.

Note: Although the Google Cloud Connector is configured with an LDAP Identity Connector in this example, you can use any supported Identity Connector.


2.6.1 Select Google as the Cloud Application Type

Select Google as the cloud application type.

To select Google as the cloud application type
1. On the Cloud Connectors tab of the Management Console, click +New Cloud Connector.
   The Cloud Connector wizard opens on the Cloud Application Type step.
2. Click the Google icon.
3. Type a name for the Google Cloud Connector in the Cloud Connector Name field.
   Note: The name can contain only letters, numbers, and the following characters: “.”, “_” and “-”. The name cannot contain spaces or exceed 64 characters in length and is not case-sensitive. Specify a meaningful name. For example, a name that identifies the Cloud Connector-Identity Connector combination is more useful than a URL which can change.
4. Type the name of your Google Apps domain in the Google Apps domain field.
5. Click Next.
   The Identity Connector step opens.


2.6.2 Select the Identity Connector

Select the LDAP or other supported Identity Connector that you created, and click Next.

The SAML Credential Mapping step opens.


2.6.3 Configure SAML Credential Mapping

In the SAML Credential Mapping step, you map identity information from McAfee® CIM to the target application. The Credential Mapping source is the user attribute name in the McAfee® CIM system. The target is the attribute name that you specify in your Google administrator’s account.

A SAML subject is the user whose identity is authenticated. The SAML subject type is the type of identity information. The SAML subject source is the value that corresponds to the specified subject type. For example, if the subject type is an authentication result, then the subject source is an attribute value output by the Identity Connector.

The following screen shot shows that “username” is the attribute name that you specify in your Google account. For more information, see section 2.8 Enable SSO and SLO in Google.

To configure SAML credential mapping
1. Select AUTHN_RESULT_FIELD from the Subject Type drop-down menu.
2. Select “mail” from the Subject Source drop-down menu.
3. Verify that the Source and Target attribute names are correct on the credential mapping table.
4. Click Next.
   The SAML Assertion step opens.


2.6.4 Configure the SAML Assertion

Configuring SAML2 authentication in the Google Cloud Connector wizard includes configuring the SAML assertion. In general, the SAML assertion is a message sent from an Identity Provider to a Service Provider asserting the authenticity of the message contents. The SAML assertion contains information about the user’s identity and attributes.

In this procedure, you configure Service Provider (SP)-initiated and Identity Provider (IdP)-initiated SSO:

• SP-initiated SSO — The Google application initiates the sign-on process and requires the McAfee® CIM sign-in and sign-out URLs.

• IdP-initiated SSO — McAfee® CIM initiates the sign-on process and requires the name of the Google service. McAfee® CIM supports Google Mail, Google Calendar, and Google Docs.

Note: This procedure omits the Advanced Configuration steps. For more information about Advanced Configuration, see the McAfee® Cloud Identity Manager Administrator’s Guide.


To configure the SAML Assertion
1. Select a key pair from the Signature Keys drop-down menu.
   Note: For testing the Google Cloud Connector, you can use the default key pair (named “intel cloud expressway”) that comes preconfigured with McAfee® CIM. For deploying the Google Cloud Connector, you need to provide your own key pair. For more information, see section 2.7 Certificate Management.
2. To configure SP-initiated SSO, copy the Sign-in page URL and Sign-out page URL from the SAML Assertion dialog to the corresponding fields in your Google Apps administrator account.
   Sign-in page URL example:
   https://localhost:8443/identityservice/package/idpLDAP-connect/saml2/SSO/Google-connect
   Sign-out page URL example:
   https://localhost:8443/identityservice/package/idpLDAP-connect/saml2/SLO/Google-connect
3. To configure IdP-initiated SSO, select the IDP Initiated SSO check box, and select one of the supported Google services from the Target service drop-down menu.
4. Click Next.
   The User Provisioning step opens.
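
The check below is an added example, not part of the original guide or of McAfee® CIM: it validates a Sign-in/Sign-out page URL pair against the path layout of the guide's example URLs before the values are pasted into Google. Reading the last path segment as the Cloud Connector name and the host name sso.example.com are assumptions; the guide's localhost example is reachable only from a browser on the McAfee® CIM server itself, so the check flags it.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Path layout copied from the guide's example URLs. Reading the last segment
# as the Cloud Connector name is an assumption of this example.
PATH_RE = re.compile(
    r"^/identityservice/package/idp(?P<idc>[^/]+)/saml2/(?P<svc>SSO|SLO)/(?P<cc>[^/]+)$"
)
# Cloud Connector naming rule from section 2.6.1: letters, numbers, ".", "_",
# "-", no spaces, at most 64 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# The guide's own example URLs.
GUIDE_SIGN_IN = "https://localhost:8443/identityservice/package/idpLDAP-connect/saml2/SSO/Google-connect"
GUIDE_SIGN_OUT = "https://localhost:8443/identityservice/package/idpLDAP-connect/saml2/SLO/Google-connect"
# Constructed sample: the same connectors behind a hypothetical routable host.
SAMPLE_SIGN_IN = GUIDE_SIGN_IN.replace("localhost", "sso.example.com")
SAMPLE_SIGN_OUT = GUIDE_SIGN_OUT.replace("localhost", "sso.example.com")


def is_loopback(host):
    """True for localhost names and loopback IP literals (127.0.0.0/8, ::1)."""
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary DNS name


def parse_endpoint(url):
    """Split a URL into scheme, host, port, connector names and service."""
    parts = urlsplit(url.strip())
    match = PATH_RE.match(parts.path)
    if match is None:
        raise ValueError("unexpected path: %r" % parts.path)
    return {
        "scheme": parts.scheme,          # urlsplit lowercases the scheme
        "host": parts.hostname or "",    # lowercased, brackets stripped
        "port": parts.port,              # raises ValueError if malformed
        "idc": match.group("idc"),       # Identity Connector name
        "svc": match.group("svc"),       # SSO or SLO
        "cc": match.group("cc"),         # Cloud Connector name (assumed)
    }


def check_sso_urls(sign_in, sign_out):
    """Return a list of findings; an empty list means the pair is consistent."""
    try:
        si, so = parse_endpoint(sign_in), parse_endpoint(sign_out)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if si["svc"] != "SSO":
        findings.append("sign-in URL does not point at the SSO service")
    if so["svc"] != "SLO":
        findings.append("sign-out URL does not point at the SLO service")
    for label, ep in (("sign-in", si), ("sign-out", so)):
        if ep["scheme"] != "https":
            findings.append(label + " URL is not https")
        if is_loopback(ep["host"]):
            findings.append(label + " URL uses a loopback host")
        if not NAME_RE.match(ep["cc"]):
            findings.append(label + " URL has an invalid Cloud Connector name")
    same = ("host", "port", "idc", "cc")
    if [si[k] for k in same] != [so[k] for k in same]:
        findings.append("sign-in and sign-out URLs name different servers or connectors")
    return findings


if __name__ == "__main__":
    for pair in ((GUIDE_SIGN_IN, GUIDE_SIGN_OUT), (SAMPLE_SIGN_IN, SAMPLE_SIGN_OUT)):
        print(pair[0], "->", check_sso_urls(*pair) or "ok")
```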


2.6.5 Configure User Provisioning

When user account mapping is enabled, McAfee® CIM automatically provisions user accounts in the Google application as users sign on. When provisioning a user, McAfee® CIM creates a new or updates an existing user account in Google using identity mapping rules that you configure on the User Provisioning dialog. The rules map user attributes from McAfee® CIM, the source, to Google, the target.

When configuring user provisioning, the source is the name of the user attribute in the McAfee® CIM system. The target is the name of the attribute in the Google user account.

To configure user provisioning
1. Select the Enable user account mapping check box.
   The User Provisioning dialog expands to include the Google email and password settings and the User Account Mapping table.
2. Type the email address and password of your Google administrator account in the Admin Email and Admin Password fields, respectively.
3. (Optional) Click Test to test the connection to the Google application and verify the settings.
4. Verify that the Source and Target attribute names are correct on the User Account Mapping table.
5. Click Next.
   The Authorization Enforcement step opens.


2.6.6 Apply an Authorization Policy

On the Authorization Enforcement step, you can configure an on-connection authorization policy. An on-connection policy is applied just once, when the user seeks access to the Google application for the first time. Group membership is an example of an authorization policy that can be applied once, when the user first connects to the application.

Note: For more information about the Authorization Enforcement step, see the McAfee® Cloud Identity Manager Administrator’s Guide.

You can skip this optional step. Click Next. The Review step opens.

2.6.7 Review the Google Cloud Connector Configuration

On the Review step, you can view the application type, application name, and the Identity Connector. You can also use the SSO test URL to test the connection to McAfee® CIM identity and SSO services and to access the Google cloud application. The Alias is a short name that you can use in place of the longer test URL. For more information, see section 2.9 Test the Google SSO Connection.

To accept and save the configuration, click Finish. The Google Cloud Connector configuration is saved and added to the Cloud Connectors page in the Management Console.


2.7 Certificate Management
On the SAML Assertion step of the Cloud Connector wizard, you need an X.509 certificate key pair. For testing the Google Cloud Connector, you can use the default key pair (named “intel cloud expressway”) that comes preconfigured with McAfee® CIM. However, when you deploy the Google Cloud Connector, you need a key pair provided by Google. These options are summarized as follows:

• Testing the Google Cloud Connector — To use the default key pair that comes preconfigured with McAfee® CIM, export it in the Management Console, and upload it in your Google administrator account.

• Deploying the Google Cloud Connector — To use a key pair provided by Google, download it in your Google administrator account, and import it in the Management Console.

Note: You can access the Certificate Management page in the Management Console by clicking Certificate Management on the Admin tab drop-down menu. For more information, see the McAfee® Cloud Identity Manager Administrator’s Guide.
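
An added example, not from the guide or the product: a pre-upload check of the Verification certificate file that rejects a file containing a private key and, when deploying, a certificate whose fingerprint matches the exported certificate of the preconfigured test key pair. It assumes PEM-encoded exports; the PEM samples are constructed placeholder bytes rather than real certificates, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def make_pem(label, raw):
    """Wrap raw bytes in a PEM envelope (used only to build the samples)."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed placeholders standing in for the exported default test
# certificate and for the certificate chosen for deployment.
DEFAULT_TEST_CERT = make_pem("CERTIFICATE", b"constructed-default-test-cert" * 4)
OWN_CERT = make_pem("CERTIFICATE", b"constructed-deployment-cert" * 4)


def pem_blocks(text):
    """Return (label, decoded_bytes) for every PEM block in text."""
    blocks = []
    for match in PEM_BLOCK_RE.finditer(text):
        body = "".join(match.group("body").split())  # drop line breaks, CRLF
        blocks.append((match.group("label"), base64.b64decode(body, validate=True)))
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint of the decoded certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def check_verification_cert(upload_pem, default_test_pem, deploying):
    """Return findings for the file about to be uploaded to Google."""
    findings = []
    blocks = pem_blocks(upload_pem)
    # Only the public certificate belongs in the upload, never the private key.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        findings.append("file contains a private key; upload only the certificate")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        findings.append("expected exactly one certificate, found %d" % len(certs))
        return findings
    defaults = {
        fingerprint(der)
        for label, der in pem_blocks(default_test_pem)
        if label == "CERTIFICATE"
    }
    # The default key pair is acceptable for testing only.
    if deploying and fingerprint(certs[0]) in defaults:
        findings.append("certificate belongs to the preconfigured test key pair")
    return findings


if __name__ == "__main__":
    print(check_verification_cert(DEFAULT_TEST_CERT, DEFAULT_TEST_CERT, deploying=True))
    print(check_verification_cert(OWN_CERT, DEFAULT_TEST_CERT, deploying=True))
```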

2.8 Enable SSO and SLO in Google
After you create the Google Cloud Connector in the McAfee® CIM Management Console, you enable SSO and SLO in your Google administrator account. To do so, you need the values you configured for the following fields on the SAML Assertion step of the Cloud Connector wizard:

• Sign-in page URL
• Sign-out page URL

Note: If you do not have a Google administrator account, you can visit the following link to obtain one: http://www.google.com/apps.

To enable SSO and SLO in Google
1. Log in to your Google administrator account.
2. On the dashboard, click Domain Settings.
3. Click the User settings tab on the Domain settings page.
4. Select the Enable provisioning API check box.
5. Click Set up single sign-on (SSO).
6. Complete the following fields and settings:
   a. Select the Enable Single Sign-on check box.
   b. Copy the following values from the SAML Assertion step of the Cloud Connector wizard in the Management Console and paste them in your Google account:
      Sign-in page URL
        Specifies the URL of the McAfee® CIM SSO service used by Google when initiating SSO.
      Sign-out page URL
        Specifies the URL of the McAfee® CIM SLO service used by Google when initiating SLO.
   c. Specify the URL of the page on which end users can change their passwords in the Change password URL field.
   d. Browse for the Verification certificate file, and upload it in your Google account.
      Note: Download this file in the Management Console.
   e. Select the Use a domain specific issuer check box.
   f. Click Save Changes.

2.9 Test the Google SSO Connection
To test the Google SSO connection, enter the Google SSO test URL in your browser. You can find the test URL in the following locations in the McAfee® CIM Management Console:

• On the Review dialog in the Cloud Connector wizard — To navigate to the Review dialog, click the Edit icon corresponding to the Google Cloud Connector on the Cloud Connectors page, and then select the Review step in the open Cloud Connector wizard.

• On the General Info tab — To open the General Info tab, click the troubleshooting icon corresponding to the Google Cloud Connector on the Cloud Connectors page. The SSO test URL is located in the SSO Demo Service area.

To test the Google SSO connection
1. Enter the following URL in your browser:
   https://<eca360sso-server>/identityservice/package/idp<id-connect>/portal

   <eca360sso-server>
     Specifies the host name or IP address of the server on which McAfee® CIM is installed and the port number of the McAfee® CIM service.
     Format: hostname:portnumber
   <id-connect>
     Specifies the name of the Identity Connector selected when the Google Cloud Connector was configured.

   McAfee® CIM presents a login page.
2. Type your McAfee® CIM user name and password in the fields on the login page.
   You are authenticated, and a demonstration portal page is displayed.
3. To test the Google SSO connection, click the Google icons.
   You are logged in without authenticating again.
