Pre-Requisites for PortalGuard Single Sign-On
You want to configure your PortalGuard Instance for use as a Single Sign-On Identity Provider.
Follow the steps below to create a Signing Certificate and configure the Identity Provider Configuration Editor for Single Sign-On to the standard industry protocols (SAML, CAS, Shibboleth, WS-Federation, etc.).
Signing Certificate Creation
- Navigate to the PortalGuard Server and locate the installation kit used when first installing PortalGuard.
- If you no longer have the installation kit, the latest version can be downloaded from this link.
- Within the installation kit, navigate to the '_Optional' folder.
- For newer versions of PortalGuard, this folder has been renamed to 'ADDINS'
- Locate the following files:
- Copy both files to your clipboard and paste them in the 'Program Files\PistolStar\PortalGuard' folder.
- Copy the path to that location to your clipboard and open an Administrative Command Prompt (CMD.exe).
- Use the CD command and paste in the path to change to that directory i.e.:
- cd C:\Program Files\PistolStar\PortalGuard\
- Run the following command to use OpenSSL to create a Self-Signed Certificate for PortalGuard to use for SSO:
- openssl req -sha256 -x509 -days 3650 -newkey rsa:2048 -keyout PGIdP.pem -out PGIdP.pem -config ./openssl.cnf
- IMPORTANT:You will be asked to create a 'PEM Pass Phrase'. While you will not see the keystrokes in the prompt, it is recording what you type. When you hit 'Enter', you will be asked to verify the pass phrase by re-entering it. BE SURE TO REMEMBER/RECORD THIS PASSWORD as you will need it again to complete the SSO prerequisites.
- A series of prompts will appear, asking you to fill out some basic information about your environment. You MUST enter at least an "Organization Name" and "Common Name" for the certificate. Accurate information will help identify this cert to others in your environment, however, any other field can be left blank by simply hitting 'Enter'.
- After you complete the required entries for the first command, you will be returned to a standard terminal prompt. From there, run the following command:
- openssl x509 -outform PEM -in PGIdP.pem -out PGIdP.cer
- This command will not require any additional input from your end.
- After running both commands, you should find two new files in your 'Program Files\PistolStar\PortalGuard' directory:
- This is the public/private keypair for your PortalGuard Identity Provider. This file should NEVER be shared with another person or service.
- This is the public key that will be added to your Identity Provider metadata, and can be provided to service providers as needed for integration.
General IdP Settings Configuration
- With the Signing Certificate created, open the Identity Provider Configuration Editor and click on the 'General IdP Settings' button:
- Navigate to the Signing tab:
- Signing Cert File:
- Use the 'Browse' button to locate and select the 'PGIdP.pem' file created above.
- Signing Cert Password:
- Input the password for the 'PGIdP.pem' file here. This was created in step #7 of the 'Signing Certificate Creation' section above.
- Navigate to the Response tab:
- This should be a unique identifier for your specific PortalGuard IdP
- For simplicity, we recommend keeping a URL format, complete with https:// (i.e. https://portalguard.your-domain.com)
- This URL does NOT need to exist, but it can match your existing URL for PortalGuard.
- Save these Settings
Configure the Attribute Store
- In the Identity Provider Configuration Editor, navigate to the Attribute Stores tab:
- Highlight 'default' and click the 'Edit' button.
- IMPORTANT NOTE: You should have an 'Attribute Store' to match each 'User Repository' configured in the PortalGuard Configuration Editor. The fields in both configurations should match.
- The 'Attribute Store' configuration is used by PortalGuard to determine where and how to pull attributes to utilize as Claims throughout the Single Sign-On process.
- Once you have matched the 'Attribute Store' configuration to the 'User Repository', save the configuration.
- Click on the 'Apply to Identity Provider' button and then 'Sync' to commit these changes.
REV. 10/2018 | PortalGuard