Configure MFA for an Application or Service
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
SAML is a method used to exchange information between a service provider and an identity provider. A service provider is the provider of a third-party service that users connect to, such as Salesforce or Microsoft. An identity provider, such as AuthPoint, authenticates users when they log in to a service or application.
In AuthPoint, SAML resources connect AuthPoint with a service provider. Add SAML resources and define authentication policies for the resources to require that users authenticate before they can connect to those services and applications.
When you add SAML resources, we recommend that you also add an IdP portal resource. The IdP portal is a portal page that shows users a list of SAML resources available to them. For more information, see Configure the IdP Portal.
See the AuthPoint Integration Guides for steps to configure AuthPoint MFA for specific applications and services.
SAML Authentication Data Flow
This diagram shows the data flow of an MFA transaction for a SAML resource with the push authentication method.
When the user tries to log in to an application that requires authentication, the AuthPoint authentication page appears. To log in, the user types their AuthPoint password (if required) and chooses an authentication method. In this example, the user chooses to authenticate with a push notification. AuthPoint sends a push notification to the user's mobile device that the user approves to authenticate and log in.
When a user authenticates to a SAML resource, the user receives a prompt to share their location. This prompt appears even if your AuthPoint account does not use geofence and geokinetics policy objects.
Configure Authentication for a Third-Party Application
Before you add a SAML resource, you must configure SAML authentication for your third-party service provider. To do this, you must get the AuthPoint metadata from the Certificate Management page in the AuthPoint management UI.
The AuthPoint metadata provides your resource with information that is necessary to identify AuthPoint and establish a trusted relationship between the third-party service provider and the identity provider (AuthPoint).
Some service providers require the metadata file to configure authentication, while others only require the metadata URL. Which one you need depends on the third-party service provider.
- From the AuthPoint navigation menu, select Resources.
- Click Certificate.
- On the Certificate Management page, next to AuthPoint certificate you will associate with your resource, click and select an option to download the metadata, copy the metadata URL, download the certificate, or copy the fingerprint based on what the service provider for your resources requires.
The AuthPoint metadata provides your resource with information necessary to identify AuthPoint as a trusted identity provider. This is necessary for SAML authentication.
- Import the AuthPoint metadata file to the service provider and get the Service Provider Entity ID and Assertion Consumer Service from the service provider. These values are necessary to configure the SAML resource in AuthPoint. Refer to the AuthPoint Integration Guides for the steps to configure specific SAML resources.
Add a SAML Resource in AuthPoint
To add a SAML resource, in the AuthPoint management UI:
- From the AuthPoint navigation menu, select Resources.
- Click Add Resource.
The Add Resource page opens.
- From the Type drop-down list, select SAML.
- In the Name text box, type a name for the resource.
- From the Application Type drop-down list, select the relevant application or select Others if the application is not listed. For the Others application type, you can specify the relay state, custom attributes, and a custom image to appear for this application in the IdP portal.
You can click the Integration Guide link to open a help topic with the steps to set up your application. This link is context sensitive.
- (Optional) If you selected the Others application type, you can specify a Relay State parameter for this SAML resource.
- In the Service Provider Entity ID and Assertion Consumer Service text boxes, type the values from the service provider of the application.
- From the User ID drop-down list, select which user ID attribute to send to the service provider. The service provider compares the user ID attribute for the AuthPoint user with the user name in your application. These values must match.
For example, Salesforce requires a user name in an email format that includes a domain. Because the AuthPoint user name does not include a domain, your user ID must be email to match the Salesforce user name.
- (Optional) Click Choose File to upload a certificate from the service provider. When you upload a certificate, you can select the Encryption enabled toggle to enable or disable encryption for the SAML communication.
- From the AuthPoint Certificate drop-down list, select the AuthPoint certificate to associate with your resource. This must be the same certificate that you downloaded the metadata for in the Configure Authentication for a Third-Party Application section.
- If applicable, complete any additional fields required for the application.
- (Optional) If you selected the Others application type, you can specify one or more custom attributes for this SAML resource. This is necessary for some applications. To add a custom attribute:
- Click Add Attribute.
The Add Attribute window opens. - Enter the Attribute Name. This value is case-sensitive.
- From the Get Value From drop-down list, select what value is used for this custom attribute. If the value is static, select Fixed value and specify the fixed value to use.
- Click Save.
- Click Add Attribute.
- (Optional) If you selected the Others application type, you can upload a custom image to appear for this application in the IdP portal. To upload an image, drag an image file from your computer, or click Select a file to import and select an image file.
- Click Save.
- Add the SAML resource to your existing authentication policies, or add new authentications policies for the SAML resource. Authentication policies specify which resources users can authenticate to and which authentication methods they can use. For more information, see About AuthPoint Authentication Policies.