PhenixID

Step by Step – Pulse Secure MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and Single-Sign On for Pulse Secure (https://www.pulsesecure.net/) using SAML2.

One advantage of connecting through SAML2 is that it gives a nicer user experience for password-less authentication than, for example, RADIUS.

System Requirements

  • PhenixID Authentication Server 3.1 (or 3.0 with a patch; contact PhenixID support for the patch) or higher
  • Pulse Secure administration rights
  • The users to be federated must be present in Pulse Secure (Manually added or automatically provisioned)

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and Single-Sign on for Pulse Connect Secure.

PhenixID Server acting as SAML IdP

  1. Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticator here)
  2. Depending on your setup, fetch the Pulse Secure Connect userID value from the appropriate attribute on the user object (typically sAMAccountName, or uid if using another LDAP directory).
  3. Use sAMAccountName/uid as Name ID attribute.
  4. Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect “Require signed requests”. Save.
  5. Then export your SAML IdP metadata by going to the URL:
    https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
    and download the metadata to a xml file.
  6. Save the IDP Signing Certificate as a file (follow this instruction)
  7. Fetch the IdP entityID value (see below).
  8. Fetch the IdP Post SSO value (see below).
  9. Fetch the IdP Post SLO value (see below).
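Steps 5 to 9 all come from the same IdP metadata file: the entityID (7), the HTTP-POST SingleSignOnService URL (8), the HTTP-POST SingleLogoutService URL (9) and the signing certificate (6) are attributes and elements of the EntityDescriptor. The following Python script is an added example, not PhenixID code, that pulls those four values out of a metadata file so they can be pasted into Pulse Secure and writes the certificate as PEM. The embedded metadata is a constructed sample with example.com URLs and a placeholder certificate body; point `extract_idp_values` at the XML you downloaded from the getIDPMeta URL instead.

```python
"""Extract the IdP values (entityID, POST SSO URL, POST SLO URL, signing
certificate) that the Pulse Secure SP configuration asks for.

Added example; the metadata below is constructed, not real PhenixID output.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata. The X509Certificate body is a placeholder
# (base64 of the word PLACEHOLDER), not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo/redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/slo/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(desc, tag, binding):
    """Return the Location of the first <md:tag> element using the given binding."""
    for el in desc.findall(f"md:{tag}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    raise ValueError(f"no {tag} with binding {binding}")


def extract_idp_values(metadata_xml: str) -> dict:
    """Parse IdP metadata and return the values needed for the SP configuration."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    desc = root.find("md:IDPSSODescriptor", NS)
    if desc is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    # The signing certificate is the KeyDescriptor with use="signing"
    # (or with no use attribute, which means signing and encryption).
    cert_b64 = None
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                cert_b64 = "".join(cert.text.split())
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    base64.b64decode(cert_b64, validate=True)  # reject a corrupted certificate early

    # Pulse Secure wants the certificate as a file; PEM is 64-char base64 lines.
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + "\n".join(textwrap.wrap(cert_b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": _endpoint(desc, "SingleSignOnService", POST_BINDING),
        "slo_post_url": _endpoint(desc, "SingleLogoutService", POST_BINDING),
        "signing_cert_pem": pem,
    }


if __name__ == "__main__":
    values = extract_idp_values(SAMPLE_IDP_METADATA)
    for key, value in values.items():
        print(f"{key}: {value}")
```

The HTTP-POST binding is selected explicitly because the metadata also lists HTTP-Redirect endpoints, and the SP is configured with SSO Method = POST; picking the wrong binding is a common cause of a failed first test.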

Configure Pulse Secure Connect

  1. Follow this guide on how to add Pulse Secure Connect as SAML Service Provider. Set these values:
    1. Configuration Mode = Manual
    2. Identity Provider Entity ID = <Set to value fetched in previous step (7)>
    3. Identity Provider Single Sign On Service URL = <Set to value fetched in previous step (8)>
    4. User Name Template = <Leave blank>
    5. Support Single Logout = <Enable>. Set SLO URL to <Set to value fetched in previous step (9)>
    6. SSO Method = POST
    7. Response Signing Certificate = <Upload certificate from previous step (6)>
    8. Enable Signing Certificate status checking = <Disable>
    9. Authentication Context Classes = <Leave empty>
    10. Save
    11. Click “Download metadata” below Service Provider Metadata Settings.
    12. Save the file

Add trust to Pulse Secure Connect on PhenixID Authentication Services

  1. Login to configuration manager
  2. Open Scenarios->Federation->SAML Metadata upload
  3. Click the plus sign
  4. Add Pulse Secure SAML SP Metadata by uploading the file downloaded in previous step.

Test

  1. Browse to your Pulse Secure Connect site
  2. This should result in a redirect to PhenixID Authentication Server
  3. Authenticate
  4. If authentication was successful, a redirect to Pulse Secure Connect should occur (with SAML assertion)
  5. The user should now be logged in.
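When step 4 redirects back to Pulse Secure but the user is not logged in, the quickest diagnosis is to look at the SAMLResponse form field in the browser's network trace and compare it with the configuration made above. The Python script below is an added example, not PhenixID or Pulse Secure code, that decodes a captured response and lists mismatches: status, assertion issuer versus the IdP entityID, presence of a Signature (required because Pulse Secure was given a Response Signing Certificate), a non-empty NameID (the sAMAccountName/uid mapping), the Audience versus the SP entityID, and the validity window. The embedded response is a constructed sample with example.com identifiers and a placeholder signature; it only checks that a signature is present and does not verify it cryptographically.

```python
"""Sanity-check a captured SAMLResponse against the expected IdP and SP values.

Added example; the response below is constructed and its Signature is a
placeholder, so signature presence is checked but not verified.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what the IdP POSTs back to the SP after step 3.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://vpn.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/idp</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://vpn.example.com/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""
# The browser carries the response as base64 in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value: str) -> dt.datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_saml_response(b64_response: str, expected_idp: str, expected_sp: str,
                        now: dt.datetime) -> list:
    """Return a list of problems; an empty list means the response matches the
    configuration. Signature presence is checked, not its validity."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion (encrypted or missing)")
        return problems

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_idp:
        problems.append(f"assertion issuer {issuer!r} != IdP entityID")

    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a Signature")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("empty NameID (check the Name ID attribute mapping)")

    audiences = [a.text.strip()
                 for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if audiences and expected_sp not in audiences:
        problems.append(f"audience {audiences} does not include SP entityID")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (clock skew between IdP and SP?)")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired (clock skew between IdP and SP?)")
    return problems


if __name__ == "__main__":
    when = dt.datetime(2024, 1, 1, 12, 1, 0, tzinfo=dt.timezone.utc)
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://idp.example.com/saml/idp",
                              "https://vpn.example.com/saml/sp", when) or "response looks consistent")
```

Clock skew is singled out because the validity window in a SAML assertion is only a few minutes; if the Pulse Secure appliance and the PhenixID server disagree on the time, the assertion is rejected even though every URL and certificate is correct.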

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se