Single Sign-On Pre-Requisites - PortalGuard Identity Provider (IdP) -
You want to configure the PortalGuard Identity Provider (IdP) in order to utilize Single Sign-On.
Follow the steps below to prepare your PortalGuard IdP.
Create the Signing Certificate
- Navigate to the PortalGuard server and locate the installation kit.
- This is the folder containing the original MSI installer for PortalGuard. If you have recently upgraded, reference that folder.
- Navigate to the 'ADDINS' folder and locate the following two files:
- Copy those folders and paste them in your 'Program Files\PistolStar\PortalGuard' directory.
- Open an elevated CMD and CD to this directory.
- Run the following command and follow the prompts that appear to generate a self-signed certificate:
- openssl req -sha256 -x509 -days 3650 -newkey rsa:2048 -keyout PGIdP.pem -out PGIdP.pem -config ./openssl.cnf
- The resulting output should resemble the following:
- IMPORTANT NOTE: You will be asked to enter a pass phrase for the file. Please note that while your keystrokes will not appear to register in the DOS prompt, they are being recorded. Simply hit enter when you are ready and you will then be asked to re-enter the pass phrase for validation.
- Verify that a new file named 'PGIdP.pem' exists in the 'Program Files\PistolStar\PortalGuard' directory.
- Run the following command to extract the public portion of the certificate to its own file:
- openssl x509 -outform PEM -in PGIdP.pem -out PGIdP.cer
- This command requires no additional input.
- Verify that a new file named 'PGIdP.cer' exists in the 'Program Files\PistolStar\PortalGuard' directory.
Configure the Identity Provider Configuration Editor
- From the PortalGuard server, open the Identity Provider Configuration Editor.
- Click on the 'General IdP Settings' button.
- Navigate to the Signing tab.
- Click on the 'Browse' button and then 'Browse' within the popup that appears to locate the 'PGIdP.pem' file that you created in the previous steps.
- This file should be located in the 'Program Files\PistolStar\PortalGuard' folder.
- Enter the pass phrase that you established when creating the pass phrase.
- Your final result should resemble the following:
- Navigate to the Response tab.
- Set a value for the 'Issuer' field.
- Important Note: This value should be unique and cannot be used by any other IdP in your environment or otherwise. In light of that, the simplest format is to utilize a URL structure as seen in the example above. The URL that you use here does NOT have to be a legitimate URL in DNS.
- Click on the 'Save' button.
- From the main screen of the Identity Provider Configuration Editor, navigate to the Attribute Stores tab.
- Ensure your Attribute Stores tab contains an entry for each 'User Repository' configured within the PortalGuard Configuration Editor.
- The LDAP Basic, LDAP Advanced, and Resolution tabs should all match between the two configurations.
- These 'Attribute Stores' are utilized to look up the user and populate claims to be sent to a Service Provider during SSO.
- After making the necessary changes, click on the 'Apply to Identity Provider' button.
- Click on the 'Sync' button to finalize the settings.
REV. 03/2019 | PortalGuard