When you use Duo as an authentication method, you need to set the following parameters:
· Service Identifier
· Service Certificate File
· Service Certificate Password
· Identification ID
· Sign Authentication Request
· Single Sign-On Service URL
· Sign-Out URL
· Partner Certificate File
In the following topic we'll cover how to properly configure SAML with Okta as an authentication method using Thinfinity VirtualUI:
****
In this quick tutorial, we will show how to properly configure Okta SAML for Thinfinity Remote Desktop Server.
1) Navigate to your Okta space, go to the Applications tab, and create a new application using the “Create New App” button:
2) Choose “SAML 2.0” as the Authentication Method.
3) Assign a name to the application.
4) Configure the “Single sign-on URL” and “Audience URI”.
The “Single sign-on URL” address should be the following: https://[MyThinfinityWebSite]/SAMLAssertionConsumerService
The Audience URI should be the URI used to connect to Thinfinity: https://[MyThinfinityWebSite]/
5) Choose the Feedback options that apply to your application:
6) Now that the application is created, it should redirect you to the “Settings” window. Click on “View Setup Instructions” for further information :
In here you will get the “Identity Provider Single Sign-on URL”, the Identity Provider Issuer, and the Certificate provided by Okta.
7) Now, open the Thinfinity Remote Desktop Server Manager or the Thinfinity VirtualUI Server Manager, navigate to the “Authentication” tab, press the “Add” option and click on “SAML”:
8) In here, you will have to add the different values provided by Okta in order to enable SAML:
Service Identifier = Audience URI (SP Entity ID)
Service Certificate File = Your certificate’s file.
Service Certificate Password = Your certificate’s password.
Identification Entity ID = Identity Provider Issuer
Single Sign-On Service URL = Identity Provider Single Sign-On URL
Sign-Out URL = This value is optional.
Partner Certificate File = X.509 Certificate provided by Okta.
Below you’ll find an example of how it should look:
After you finish adding all those values, press “Ok”.
10) Click on the “Mappings” tab and then press “Add” under the Authentication ID Mask.
Add the email address of the Okta user you want to validate and press “Ok”.
Then, under the “Associated Permissions” field, press the “Add” button and search for the Active Directory user.
After you add the appropriate mappings, click on the “Apply” button.
11) Navigate to the Thinfinity landing page, and you should see the “Login With SAML” option listed as an Authentication Method.
****
On the Centrify Admin Portal:
1) Click on “Apps” -> “Web Apps”:
2) Click on “Custom” and, next to SAML, press “Add”.
3) Give your application a name, and click on the “Trust” tab.
Click on “Manual Configuration”, copy the IdP Entity ID, and download the certificate provided by Centrify.
4) Then copy the “Single Sign on URL” and the “Single Logout URL”:
5) Now, under “Service Provider Configuration”, click on “Manual Configuration” and configure the following:
After doing these changes, click on the “Save” button.
6) Now we need to configure Thinfinity with all this information.
Open the Server Manager and navigate to the “Authentication” tab, press “Add”, and then SAML:
7) Now we must configure the connection itself :
· Service Identifier = https://YourThinfinitySite:[Port]
· Service Cert File = [Path_To_Your_Certificate]
· Service Cert Pass = [Certificate_Password]
· Identification Entity = [IdP Entity ID / Issuer]
· Single Sign-On Service URL = [Single Sign on URL]
· Sign-out URL = [Single Logout URL]
· Partner Cert File = [Certificate Provided by Centrify]
Once you have configured it properly, click “Ok” and then “Apply”.
8) Now go to the Thinfinity landing page and you should see the “Login with SAML” option available to use.
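Both the Okta mapping (step 8 above) and the Centrify mapping (step 7 above) come down to copying the IdP issuer, the single sign-on URL, the optional logout URL and the IdP signing certificate into the Thinfinity SAML dialog. As an added example that is not part of this page or of Thinfinity, the Python helper below reads the identity provider's SAML 2.0 metadata XML (the document Okta and Centrify publish for an application) and returns those values under the Thinfinity field labels used above; the metadata sample is constructed, and taking the first listed SingleSignOnService endpoint is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of IdP metadata published by Okta/Centrify; not real data.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.invalid/issuer123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBsampleCert00</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.invalid/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.invalid/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64: str) -> str:
    """Wrap the metadata's bare base64 certificate as PEM for the Partner Certificate File."""
    b64 = "".join(b64.split())
    base64.b64decode(b64, validate=True)  # reject a truncated or garbled copy of the cert
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def thinfinity_saml_fields(metadata_xml: str, site_url: str) -> dict:
    """Map IdP metadata onto the fields of the Thinfinity SAML dialog."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 identity provider metadata")
    sso = idp.find("md:SingleSignOnService", NS)   # first listed endpoint (assumption)
    slo = idp.find("md:SingleLogoutService", NS)   # optional, as the page notes
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:
        key = idp.find("md:KeyDescriptor", NS)     # a key with no "use" serves both purposes
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    if sso is None or cert is None:
        raise ValueError("metadata lacks an SSO endpoint or a signing certificate")
    base = site_url.rstrip("/") + "/"              # the Thinfinity site root (Audience URI)
    return {
        "Service Identifier": base,                          # Audience URI / SP Entity ID
        "Assertion Consumer Service URL": base + "SAMLAssertionConsumerService",  # IdP side
        "Identification Entity ID": root.get("entityID"),    # Identity Provider Issuer
        "Single Sign-On Service URL": sso.get("Location"),
        "Sign-Out URL": slo.get("Location") if slo is not None else "",
        "Partner Certificate File": to_pem(cert.text),       # save to a file, then select it
    }
```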