Fortanix Self-Defending KMS accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account can log in with their SSO credentials. Currently, the following SSO mechanisms are available: SAML and OpenID Connect / OAuth. To set up SSO for your account, log in as an account administrator, go to the Authentication tab on the Account Settings page, select Single Sign-On, then add the desired SSO mechanism and provide the required configuration values.
Configuring a SAML Provider
To enable SAML for your account, first obtain the Identity Provider (IdP) metadata XML file, then upload or paste the SAML IdP metadata in the Fortanix Self-Defending KMS settings. The IdP must meet the requirements set forth below. The SSO configuration page will inform you if the provided IdP metadata is compatible.
SAML Identity Provider Registration
When configuring Fortanix Self-Defending KMS as a Service Provider with your IdP, provide the following information:
- Entity ID:
https://sdkms.fortanix.com/saml/metadata.xml
- POST binding URL:
https://sdkms.fortanix.com/saml
SAML Identity Provider Requirements
In order to use a SAML IdP with Fortanix Self-Defending KMS, the IdP must:
- Adhere to SAML 2.0, Web Browser SSO profile
- Use one or more signing keys specified as an X.509 certificate
- Use the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress name format
- Accept the POST binding for requests
- Not require signed requests
- Use the POST binding for response
- Sign responses, assertions, or both
Configuring an OpenID Connect / OAuth provider
To enable SSO using OpenID Connect / OAuth for your account, first obtain the following information from your Identity Provider (IdP):
- Client ID
- Client Secret
You need to register Fortanix Self-Defending KMS with your IdP to obtain these credentials. Provide the following values to your IdP:
- Application type: web application
- Redirect URL:
https://sdkms.fortanix.com/oauth
The IdP must meet the requirements set forth below. You need to configure the IdP parameters in Fortanix Self-Defending KMS. The following information is needed:
- Provider name
- Logo URL (optional)
- Authorization endpoint URL
- Token endpoint URL
- Token endpoint authentication method (client_secret_basic or client_secret_form)
- UserInfo endpoint URL (optional)
- TLS configuration: use Global Root CAs or provide a custom CA certificate
Most of these parameters are published in a well-known location by identity providers. For example:
OpenID Connect / OAuth Identity Provider Requirements
In order to use an OpenID Connect / OAuth IdP with Fortanix Self-Defending KMS, the IdP must:
- Support Authorization Code Flow described in OpenID Connect Core specification
- Support the email scope
- Provide the user's email address to Fortanix Self-Defending KMS in the Token or UserInfo response
- Provide non-encrypted ID token during Token response
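The following is an added example, not Fortanix code. It reads an OpenID Connect discovery document (the well-known location is <issuer>/.well-known/openid-configuration), derives the provider fields listed above, checks the requirements that discovery can reveal, and then builds the Authorization Code token request for the selected token endpoint authentication method. It assumes that Fortanix's client_secret_form corresponds to the form-body method that OpenID Connect calls client_secret_post. The discovery document, client id and client secret are constructed; whether the IdP encrypts ID tokens is a per-client registration setting that discovery does not show, so it is not checked.

```python
# Added example (not Fortanix code): derive the OpenID Connect settings the
# page asks for from an IdP's discovery document, check the requirements
# above, and build the token request for the chosen authentication method.
# The discovery document, client id and secret below are constructed.
import base64
import json
from urllib.parse import quote, urlencode, urlparse

SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Assumed values from registering Fortanix SDKMS as a web application with the IdP.
CLIENT_ID = "app"
CLIENT_SECRET = "p@ss"
REDIRECT_URI = "https://sdkms.fortanix.com/oauth"


def derive_settings(discovery_json: str) -> dict:
    """Map a discovery document to the SDKMS provider fields and collect
    requirement violations under the 'problems' key."""
    doc = json.loads(discovery_json)
    problems = []

    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code Flow (response_type=code) not supported")

    scopes = doc.get("scopes_supported")  # RECOMMENDED in Discovery, may be absent
    if scopes is not None and "email" not in scopes:
        problems.append("email scope not advertised")

    # Discovery's default when the field is omitted is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" in methods:
        method = "client_secret_basic"
    elif "client_secret_post" in methods:
        # Assumption: SDKMS's client_secret_form is the form-body method that
        # OpenID Connect calls client_secret_post.
        method = "client_secret_form"
    else:
        method = None
        problems.append("token endpoint supports neither client_secret_basic nor client_secret_post")

    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = doc.get(key)
        if url is None:
            if key != "userinfo_endpoint":  # UserInfo is optional for SDKMS
                problems.append(key + " missing")
        elif urlparse(url).scheme != "https":
            problems.append(key + " is not https")

    # ID token encryption is a per-client registration setting, not visible in
    # discovery: leave it disabled for the SDKMS client registration.
    return {
        "authorization_endpoint": doc.get("authorization_endpoint"),
        "token_endpoint": doc.get("token_endpoint"),
        "token_endpoint_auth_method": method,
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "problems": problems,
    }


def token_request(settings: dict, code: str) -> dict:
    """Build the Authorization Code exchange (no network I/O). With
    client_secret_basic the credentials go in an HTTP Basic header, each
    form-urlencoded first (RFC 6749 section 2.3.1); with client_secret_form
    they go in the form body instead."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if settings["token_endpoint_auth_method"] == "client_secret_basic":
        cred = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    return {"url": settings["token_endpoint"], "headers": headers, "body": urlencode(body)}


if __name__ == "__main__":
    settings = derive_settings(SAMPLE_DISCOVERY)
    print(settings)
    print(token_request(settings, "AUTHCODE"))
```

Note the percent-encoding of the client id and secret before Base64 in the client_secret_basic case: a secret containing characters such as @ or / that is Base64-encoded raw is a common cause of token endpoint failures that only appear with some providers.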
LDAP Authentication
Fortanix Self-Defending KMS can be configured to authenticate users through an LDAP-compliant directory. Fortanix Self-Defending KMS supports the ldaps scheme as well as the ldap scheme, and in both cases the communication with the directory server is encrypted with TLS. When using the ldap scheme, the StartTLS operation is initiated immediately after connecting to the server, before any bind or search is sent.
LDAP authentication is performed in two steps:
- Resolve user’s email address to a Distinguished Name (DN)
- Authenticate to the directory using the DN and user-supplied password
DN Resolution Methods
To resolve the user’s email address to a DN, Fortanix Self-Defending KMS can be configured to use one of the following methods.
Search the Directory
Fortanix Self-Defending KMS can search the directory to find the user object matching the user's email address. The search is performed in a subtree using the following filter: (&(objectClass={0})(mail={1})) where {0} is the configured object class (e.g. User or inetOrgPerson) and {1} is the user's email address. Some directories do not allow anonymous search, in which case a service account for Fortanix Self-Defending KMS should be created in the directory. When configured this way, the mail attribute must be set for user objects in the directory.
Construct the DN from an Email Address
Given an email address of the form name@domain, Fortanix Self-Defending KMS can be configured to look up a format string based on the domain part and insert the name part in the format string to construct the DN. For example, if example.com is configured with the format string uid={},ou=users,dc=example,dc=com, then the email address test@example.com will be mapped to the following DN: uid=test,ou=users,dc=example,dc=com. The format string must include the placeholder {}, which is replaced by the name part.
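The following is an added example, not Fortanix code: the two DN resolution methods above (Search the Directory and Construct the DN from an Email Address) modelled as pure functions. The point a practitioner should take from it is that the email address is user input: before it is placed in the search filter it must be escaped per RFC 4515, and before the name part is placed in a DN it must be escaped per RFC 4514, otherwise an address such as *)(uid=admin or test,ou=admins@example.com changes the query rather than being looked up. The format strings and object class in the usage section are constructed.

```python
# Added example (not Fortanix code): the two DN resolution methods described
# above, modelled as pure functions. Because the email address is user input,
# it is escaped before being placed in a search filter (RFC 4515) or in a DN
# (RFC 4514), so a crafted address cannot alter either.
from typing import Dict, Optional

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def search_filter(object_class: str, email: str) -> str:
    """The subtree search filter (&(objectClass={0})(mail={1})) with both
    placeholders filled in and escaped."""
    return "(&(objectClass=%s)(mail=%s))" % (
        escape_filter_value(object_class),
        escape_filter_value(email),
    )


_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a DN: special
    characters, a leading '#' or space, and a trailing space get a backslash;
    NUL becomes \\00."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\x00":
            out.append(r"\00")
        elif c in _DN_SPECIAL or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def construct_dn(format_strings: Dict[str, str], email: str) -> Optional[str]:
    """Look up the format string for the domain part of the address and
    substitute the escaped name part for the {} placeholder. Returns None when
    the address is malformed or its domain has no format string configured."""
    name, at, domain = email.rpartition("@")
    if not at or not name or not domain:
        return None
    fmt = format_strings.get(domain.lower())
    if fmt is None:
        return None
    if "{}" not in fmt:
        raise ValueError("format string must contain the {} placeholder")
    return fmt.replace("{}", escape_dn_value(name))


if __name__ == "__main__":
    # Constructed configuration: one domain with a format string.
    formats = {"example.com": "uid={},ou=users,dc=example,dc=com"}
    print(search_filter("inetOrgPerson", "test@example.com"))
    print(construct_dn(formats, "test@example.com"))
    # Crafted input is neutralised instead of rewriting the filter or DN:
    print(search_filter("inetOrgPerson", "*)(uid=admin"))
    print(construct_dn(formats, "test,ou=admins@example.com"))
```

The domain lookup is case-insensitive while the name part is substituted as typed; whether the directory treats uid values case-insensitively is a matter of the attribute's matching rule, not of this code. With the UPN Login method no DN is constructed at all: the email address itself is passed to the bind.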
UPN Login
With Active Directory, Fortanix Self-Defending KMS can use the email address in place of the DN. When an email address is supplied in place of the DN, Active Directory checks the value against the userPrincipalName attribute and, if that attribute is not set, accepts values that match sAMAccountName@domain, where sAMAccountName is the legacy user identifier attribute and domain is the fully qualified DNS name of the Active Directory domain. We recommend setting the userPrincipalName attribute for all users in the directory when configuring Fortanix Self-Defending KMS with the UPN login method.
LDAP Authorization
In addition to authentication, Fortanix Self-Defending KMS can leverage group membership in an LDAP-compliant directory to assign users to groups dynamically. This requires mapping LDAP groups to Fortanix Self-Defending KMS groups, which is achieved by defining external roles in Fortanix Self-Defending KMS and mapping these external roles to Fortanix Self-Defending KMS groups. After a user authenticates to Fortanix Self-Defending KMS using LDAP, Fortanix Self-Defending KMS retrieves the list of directory groups that the user belongs to, and if those groups are mapped to Fortanix Self-Defending KMS groups, the user is added to the mapped Fortanix Self-Defending KMS groups for the current session.
Defining External Roles
Account administrators can create external roles for the account. To do that, they must have added one or more LDAP integrations in account authentication settings. Using the LDAP search functionality, account administrators can look for group objects in an LDAP directory and import those as external roles into Fortanix Self-Defending KMS. After importing the LDAP groups to Fortanix Self-Defending KMS, group administrators can map the external roles to their group by specifying the desired access level.
For example, if an Active Directory group identified by the distinguished name CN=My Group,CN=Users,DC=example,DC=com is added as an external role, an administrator of a group Example can map that external role to Example with access level Group Auditor. When a user that belongs to this Active Directory group authenticates to Fortanix Self-Defending KMS through LDAP, their session will have auditor access to the Example group. Note that this mapping only matters for users with the account member role, since account administrators and auditors already have default access to all groups. Also note that the user need not be added to the Example group directly: the user has access to the Example group based on their Active Directory group membership, and if the user is removed from that Active Directory group, they lose access to the Fortanix Self-Defending KMS group as well.
Authorization Settings
When enabling LDAP authorization, the account administrator can specify how long each authorization is valid. Until the authorization expires, the group memberships retrieved at login (or at the last refresh) remain in effect. When an authorization expires, Fortanix Self-Defending KMS asks the LDAP directory for the user's current group memberships and updates the user's session accordingly.
It is also possible to specify a required role for all users and apps of the account authenticating through LDAP. The supported required roles are account administrator, account auditor, account member, regular apps, and administrative apps. If a user or app authenticating through LDAP is not a member of the directory group mapped to the required role, Fortanix Self-Defending KMS will prevent that user or app from selecting the account.
When authorization is enabled for an LDAP integration, the following settings are required:
- Base DN
- User Object Class
The Service Account setting is also needed if the directory does not allow an anonymous search. Note that these settings also apply when DN resolution is set to Search by Mail.
Additional Requirements
In order to use the LDAP authorization mechanism, the LDAP directory must support identifying objects with unique ids using one of the following attributes:
- entryUUID, defined in RFC 4530 and supported by OpenLDAP and others
- objectGUID, used by Active Directory
When comparing an external role against a user's LDAP groups, Fortanix Self-Defending KMS uses the group's unique id instead of its distinguished name. Unique ids are more stable than DNs: changing an object's attributes does not affect its unique id but may change its DN, since the group name is usually part of its DN.
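The following is an added example, not Fortanix code: a model of the LDAP authorization behaviour described in the sections above (external roles, authorization validity, the required role, and matching by unique id). It normalises entryUUID and objectGUID into one canonical form (objectGUID is 16 raw bytes in Microsoft GUID byte order), maps a user's directory groups to Fortanix Self-Defending KMS groups by that id, and caches the result until the authorization expires. The directory, group, user and GUID are constructed, and the access-level ordering used when two external roles map the same group is an assumption that the page does not specify.

```python
# Added example (not Fortanix code): a model of LDAP authorization as
# described above. External roles are keyed by the group's unique id
# (entryUUID or objectGUID) rather than its DN, so a renamed group still
# maps; cached memberships are refreshed when the authorization expires.
# The directory, group, user and access-level ordering are constructed or
# assumed for illustration.
import uuid
from typing import Callable, Dict, List, Optional, Tuple

UserGroups = List[Tuple[str, str]]              # (group DN, canonical unique id)
RoleMapping = Dict[str, List[Tuple[str, str]]]  # unique id -> [(KMS group, access level)]

# Assumed ordering used when two external roles map one KMS group differently.
ACCESS_ORDER = {"Group Auditor": 0, "Group Member": 1, "Group Administrator": 2}


def normalize_unique_id(attr: str, raw) -> str:
    """Canonical text form of a group's unique id. objectGUID is 16 raw bytes
    in Microsoft GUID byte order (bytes_le); entryUUID is already a string."""
    if attr == "objectGUID":
        return str(uuid.UUID(bytes_le=bytes(raw)))
    if attr == "entryUUID":
        return str(uuid.UUID(str(raw)))
    raise ValueError("unsupported unique id attribute: %s" % attr)


def session_group_access(groups: UserGroups, mapping: RoleMapping) -> Dict[str, str]:
    """KMS group -> access level for this session, matched by unique id only."""
    access: Dict[str, str] = {}
    for _dn, uid in groups:
        for kms_group, level in mapping.get(uid, []):
            if kms_group not in access or ACCESS_ORDER[level] > ACCESS_ORDER[access[kms_group]]:
                access[kms_group] = level
    return access


def has_required_role(groups: UserGroups, required_uid: Optional[str]) -> bool:
    """Required-role check: the user must belong to the mapped directory group."""
    return required_uid is None or any(uid == required_uid for _dn, uid in groups)


class LdapAuthorization:
    """Per-session authorization state with a validity period in seconds."""

    def __init__(self, user_dn: str, mapping: RoleMapping,
                 fetch_groups: Callable[[str], UserGroups], validity_seconds: int):
        self.user_dn, self.mapping = user_dn, mapping
        self.fetch_groups, self.validity = fetch_groups, validity_seconds
        self.expires_at: Optional[float] = None
        self.access: Dict[str, str] = {}

    def group_access(self, now: float) -> Dict[str, str]:
        """Return cached access, refreshing from the directory once expired."""
        if self.expires_at is None or now >= self.expires_at:
            self.access = session_group_access(self.fetch_groups(self.user_dn), self.mapping)
            self.expires_at = now + self.validity
        return self.access


# Constructed stand-in for Active Directory: group DN -> attributes.
MY_GROUP_GUID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
ALICE = "CN=alice,CN=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=My Group,CN=Users,DC=example,DC=com": {
        "objectGUID": uuid.UUID(MY_GROUP_GUID).bytes_le,
        "member": [ALICE],
    },
}
MAPPING: RoleMapping = {MY_GROUP_GUID: [("Example", "Group Auditor")]}


def fetch_groups(user_dn: str) -> UserGroups:
    """Stand-in for the membership query run after LDAP authentication."""
    return [(dn, normalize_unique_id("objectGUID", g["objectGUID"]))
            for dn, g in DIRECTORY.items() if user_dn in g["member"]]


def rename_group(old_dn: str, new_dn: str) -> None:
    """Simulate an administrator renaming a group: new DN, same objectGUID."""
    DIRECTORY[new_dn] = DIRECTORY.pop(old_dn)


if __name__ == "__main__":
    authz = LdapAuthorization(ALICE, MAPPING, fetch_groups, validity_seconds=300)
    print(authz.group_access(now=0))      # {'Example': 'Group Auditor'}
    rename_group("CN=My Group,CN=Users,DC=example,DC=com",
                 "CN=Renamed,CN=Users,DC=example,DC=com")
    print(authz.group_access(now=301))    # unchanged: matched by unique id
    DIRECTORY["CN=Renamed,CN=Users,DC=example,DC=com"]["member"].remove(ALICE)
    print(authz.group_access(now=400))    # still cached until 601
    print(authz.group_access(now=601))    # {}
```

The last two lines of the demonstration show the trade-off behind the authorization validity setting: a removal from the directory group is only noticed at the next refresh, so a shorter validity shortens the window in which a removed user retains access, at the cost of more frequent directory queries.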
LDAP Identity Provider Requirements
The identity provider must:
- Conform to LDAPv3 protocol specified in RFC 4511 and other related RFCs
- Either support the ldaps scheme or, if using the ldap scheme, support the StartTLS extended operation
Multiple accounts
Different accounts might have different SSO providers. As such, a user can be in multiple accounts with different SSO providers. Such a user will need to select which SSO provider to use during the login process. When switching accounts, a user might need to re-authenticate to satisfy the new account’s authentication requirements.