IIJ ID SAML Configuration

This article explains how to integrate IIJ ID with the Safous ZTNA service as the external Identity Provider (IdP) for authentication. Before continuing with the steps in this article, please ensure that you:

  • Know the basics of Safous ZTNA SAML configuration, described here.
  • Have an IIJ ID account with the ID Administrator Management privilege

IIJ ID Application Configuration:

  1. Log in to your IIJ IDaaS portal
  2. Once logged in, go to Application > Application Management
  3. In Application Management, click "Add Application" > "Add Custom Application"
  4. In the type selection, select the SAML Application option and click "Next"
  5. On the next page, fill in the form provided. Once filled in, click "Add Application"
    • Application name: a required field, used to distinguish one application from another
    • Application description: lets you describe the purpose or function of this app
    • Application logo: lets you add a custom logo for your application
    • Select an ID provider: make sure to choose "Use application-specific entity ID"

  6. Your newly created application now appears in Application Management; click "edit" on it
  7. You are redirected to the application's settings page, where you need to select the Federation tab
  8. Under SAML Basic Information, fill in and select the following:
    • Choose "Enter SAML Information"
    • Single sign-on URL: the callback URL provided by the User Portal of your tenant (e.g. https://login.<tenant>.ztna.safous.com/v1/auth/saml/1/callback)
    • Entity ID: required, because this value must later be entered in your Safous ZTNA configuration as the Entity Issuer
    • NameID Format: choose the bottom option (SAML 2.0)
    • Assertion signing algorithm: choose "RSA-SHA1"

  9. Next, under Specifying User Identifier (NameID), choose "ID" from the dropdown, and under Attribute Mapping (User Attribute) click "Add Mapping". The result should look like the screenshot; then click "Update"

  10. Go to the Application User tab, then click "Add Application user"
  11. On the Add Application User page, you can add users individually or by group
  12. Once you have added the necessary users and/or groups, choose "Display the icon" under the Display on my Application option. Then click "Add Application user"
  13. Every user you added is shown in the Application User details
  14. Go to the ID Provider tab and note all of the following values, which you will need in your Safous ZTNA IdP settings later on
    • SSO Endpoint URL (POST binding), which is the SSO URL
    • Entity ID, which is the SSO Issuer
    • PEM, which is the CA TrustedCertificate
  15. That is everything you need to configure and note in your IIJ ID environment.

Safous ZTNA Tenant Configuration

  1. Log in to https://portal.safous.com
  2. Go to the Settings tab > ZTNA
  3. In Configurations, choose Identity Provider
  4. This opens the list of identity providers that have been integrated; by default it contains only local
  5. Click New IDP, which expands the IDP form
  6. Enter the name and ensure the status is enabled (green)
  7. Ensure SAML is selected for the identity provider setting
  8. In the Entity Issuer field, enter the Entity ID you noted from IIJ ID SAML Basic Information
  9. In the SSO Issuer field, enter the Entity ID you noted from the IIJ ID ID Provider tab
  10. In the SSO URL field, enter the SSO Endpoint URL (POST binding) you noted from the IIJ ID ID Provider tab
  11. Input your email in the Username Attribute field
  12. Input your email in the Email Attribute field
  13. In the CA TrustedCertificate field, paste the PEM from the IIJ ID ID Provider tab
  14. For the rest of the Safous ZTNA SAML configuration, please refer to here.
  15. Once you are done with the configuration, click "Save"
  16. Check whether your "Redirect URI" is still the same as the one you configured in IIJ ID by clicking the plus (+) sign of the IDP you've integrated
  17. If the "Redirect URI" is still the same, you can leave it as is; if it is not, you need to change the one in IIJ ID
  18. If everything is configured correctly, you can log in to the user portal https://users.<xxxx>.ztna.safous.com and select "With IdP", where you will see your SAML configuration
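If the login in step 18 fails, the quickest way to find the mismatch is to compare what IIJ ID actually sends with what was typed into the Safous IdP form. The script below is an added troubleshooting example, not IIJ ID or Safous code: it decodes a SAMLResponse (the base64 form field the browser posts to the callback URL, visible in the browser's developer tools) and cross-checks it against the values noted in step 14 of the IIJ ID section and entered in steps 8 to 13 above: Destination against the callback URL, Issuer against the SSO Issuer, the NameID format family, the presence of the attribute named in the Username/Email Attribute fields, the assertion's signature algorithm, and whether the PEM pasted into CA TrustedCertificate decodes at all. The tenant name, IdP Entity ID, the attribute name "email", the PEM body and the response XML are constructed placeholders; replace them with your own values.

```python
"""Cross-check an IIJ ID SAMLResponse against the Safous ZTNA IdP form values.

Added example, not IIJ ID or Safous code. Standard library only.
All values in IDP_VALUES and SAMPLE_RESPONSE_XML are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_NAMEID_PREFIX = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # the algorithm step 8 selects

TENANT = "example"  # placeholder tenant name
IDP_VALUES = {
    "sso_callback_url": f"https://login.{TENANT}.ztna.safous.com/v1/auth/saml/1/callback",
    "sso_issuer": "https://idp.example.test/saml/metadata",  # placeholder IdP Entity ID
    "username_attribute": "email",  # assumed name of the attribute mapped in step 9
    "email_attribute": "email",
    "expected_signature_algorithm": RSA_SHA1,
    # Placeholder PEM body: a 5-byte DER SEQUENCE, not a real certificate
    "pem": "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode it; raises ValueError on a mangled paste."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("PEM is missing its BEGIN/END CERTIFICATE lines")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE (tag 0x30)
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return der


def check_response(saml_response_b64: str, idp: dict) -> dict:
    """Return {check name: (passed, observed value)} for one posted SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    results = {}

    # IIJ ID step 8: Single sign-on URL must be the tenant callback URL
    destination = root.get("Destination")
    results["destination_matches_callback"] = (destination == idp["sso_callback_url"], destination)

    # Safous step 9: SSO Issuer must equal the IdP Entity ID carried in the response
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    results["issuer_matches_sso_issuer"] = (issuer == idp["sso_issuer"], issuer)

    # IIJ ID step 8: NameID Format should come from the SAML 2.0 family
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format", "") if nameid is not None else ""
    results["nameid_is_saml2_format"] = (fmt.startswith(SAML2_NAMEID_PREFIX), fmt)

    # Safous steps 11-12: the attribute names entered there must appear in the assertion
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    for field in ("username_attribute", "email_attribute"):
        name = idp[field]
        results[f"{field}_present"] = (name in attrs, attrs.get(name))

    # IIJ ID step 8: confirm the signing algorithm setting took effect. RSA-SHA1 is what
    # the article selects; SHA-1 is deprecated for new signatures, so prefer RSA-SHA256
    # once both IdP and SP accept it.
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    results["signature_algorithm_as_configured"] = (alg == idp["expected_signature_algorithm"], alg)

    # Safous step 13: the PEM pasted into CA TrustedCertificate must decode cleanly
    try:
        results["pem_decodes"] = (True, f"{len(pem_to_der(idp['pem']))} DER bytes")
    except ValueError as exc:
        results["pem_decodes"] = (False, str(exc))
    return results


def all_ok(results: dict) -> bool:
    return all(ok for ok, _ in results.values())


# Constructed SAMLResponse shaped like what the IdP posts to the callback URL.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{IDP_VALUES['sso_callback_url']}">
  <saml:Issuer>{IDP_VALUES['sso_issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_VALUES['sso_issuer']}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA1}"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-0001</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    for check, (ok, observed) in check_response(SAMPLE_RESPONSE_B64, IDP_VALUES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}: {observed}")
```

Paste the real SAMLResponse value in place of SAMPLE_RESPONSE_B64 and fill IDP_VALUES from the Safous form; a FAIL on destination_matches_callback is the Redirect URI mismatch that steps 16 and 17 describe, and a FAIL on issuer_matches_sso_issuer means the Entity Issuer and SSO Issuer fields were swapped.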