The document provides configuration instructions for setting up single sign-on between the Juniper Networks NetScreen-SA 3000 VPN appliance and RSA ClearTrust using SAML 1.1 and RSA Federated Identity Manager. The appliance can act as an asserting party for FIM by passing SAML assertions. This allows users to automatically get a ClearTrust SSO session cookie via FIM without additional authentication. The instructions describe configuring a SAML SSO artifact profile on the appliance to define the SAML details, user identity mapping, and authentication method for the assertion consumer service URL.

Uploaded by

wewe
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
41 views

RSA Secured Implementation Guide For VPN Products: 1. Partner Information

The document provides configuration instructions for setting up single sign-on between the Juniper Networks NetScreen-SA 3000 VPN appliance and RSA ClearTrust using SAML 1.1 and RSA Federated Identity Manager. The appliance can act as an asserting party for FIM by passing SAML assertions. This allows users to automatically get a ClearTrust SSO session cookie via FIM without additional authentication. The instructions describe configuring a SAML SSO artifact profile on the appliance to define the SAML details, user identity mapping, and authentication method for the assertion consumer service URL.

Uploaded by

wewe
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

RSA Secured Implementation Guide for VPN Products

Last Modified August 27, 2004

1. Partner Information

Partner Name: Juniper Networks
Web Site: http://www.juniper.com/
Product Name: Juniper Networks NetScreen-SA 3000
Version & Platform: 4.1
Product Description: The NetScreen Instant Virtual Extranet (IVE) enables you to give employees, partners, and customers secure and controlled access to your corporate file servers, Web servers, native messaging and email clients, hosted servers and more from any Web browser, anywhere. The IVE eliminates the need to deploy extranet toolkits in a traditional DMZ or provision a remote access VPN for employees. The appliance intermediates data between external connections, from which it receives secure requests, and internal resources, to which it makes requests, on behalf of authenticated users.
Product Category: Perimeter Defense (Firewalls, VPNs & Intrusion Detection)

2. Contact Information

Sales Contact (Juniper Networks): Phone (866) 298-6428, Web https://www.juniper.net/solutions/
Support Contact (Juniper Networks): Phone (800) 638-8296, Web http://www.juniper.net/support/
Support Contact (RSA Security): Phone (800) 995-5095, Web http://knowledge.rsasecurity.com

Page: 1
3. Solution Summary

Feature / Details

VPN product acts as SAML Asserting Party (AP) for RSA FIM: Yes
VPN product provides Web Single Sign-On (SSO) to ClearTrust-protected resources via SAML: Yes
Common SAML version(s) supported: 1.1
Web SSO Profile(s) supported: BAP, BPP

Integration Overview

Juniper Networks NetScreen-SA IVE version 4.1 can provide Single Sign-On (SSO) to RSA ClearTrust
via the RSA Federated Identity Manager (FIM) version 2.5. The Juniper IVE can act as a SAML Asserting
Party (AP) for the RSA FIM by passing SAML authentication assertions to the RSA FIM for processing.
Users are then automatically provided with a ClearTrust Single Sign-On session cookie via the FIM's
RSA ClearTrust ticket plug-in. This removes the need to perform additional authentication(s) to
ClearTrust-protected resources once a user has successfully authenticated to the SSL VPN.
Juniper Networks NetScreen-SA 3000 version 4.1 supports SAML 1.1 and the BAP and BPP Web SSO
profiles.

4. Product Requirements

Hardware and Software Requirements

Component Name: Juniper Networks NetScreen-SA 3000
Operating System: Juniper Networks NetScreen-SA 3000
Version (Patch-level): 4.1 (build 6641)

5. Product Configuration

Configuring SAML Support on the Juniper Networks NetScreen-SA 3000

To write a SAML SSO artifact profile resource policy:

1. In the Web console, choose Resource Policies > Web > SAML > SSO.

2. On the Web Policies page, click New Policy.

3. On the SAML SSO Policy page, enter:
   A name to label this policy.
   A description of the policy (optional).

4. In the Resources section, specify the resources to which this policy applies. See the IVE
Administration Guide for more information.

5. In the Roles section, specify:
   Policy applies to ALL roles
   To apply this policy to all users.
   Policy applies to SELECTED roles
   To apply this policy only to users who are mapped to roles in the Selected roles
   list. Make sure to add roles to this list from the Available roles list.
   Policy applies to all roles OTHER THAN those selected below
   To apply this policy to all users except for those who map to the roles in the
   Selected roles list. Make sure to add roles to this list from the Available roles list.
6. In the Action section, specify:
   Use the SAML SSO defined below
   The IVE performs a single sign-on (SSO) request to the specified URL using the
   data specified in the SAML SSO Details section. The IVE makes the SSO request
   when a user tries to access a SAML resource specified in the Resources list.
   Do NOT use SAML
   The IVE does not perform an SSO request.
   Use Detailed Rules
   To specify one or more detailed rules for this policy. See the IVE Administration Guide
   for more information.

7. In the SAML SSO Details section, specify:
   SAML Assertion Consumer Service URL
   Enter the URL that the IVE should use to contact the assertion consumer service
   (that is, the access management server). For example: https://hostname/acs.
   (Note that the IVE also uses this field to determine the SAML recipient for its
   assertions.)

   Important: If you enter a URL that begins with HTTPS, you must install the
   assertion consumer service's root CA on the IVE (as explained in the
   Certificates section of the IVE Administration Guide).

   Profile
   Select POST to indicate that the IVE should push information to the assertion
   consumer service during SSO transactions. You must also select the certificate
   you will be using to sign assertions, as this is required in the Browser POST
   Profile.
   Select Artifact to indicate that the assertion consumer service should pull
   information from the IVE during SSO transactions.

   Source ID
   Enter the Source ID for the IVE. If you enter a:
   Plain text string: The IVE converts, pads, or truncates it to a 20-byte string.
   Base-64 encoded string: The IVE decodes it and ensures that it is 20 bytes.
   If your access management system requires base-64 encoded source IDs, you can
   create a 20-byte string and then use a tool such as OpenSSL to base-64 encode it.

   Important: The IVE identifier (that is, the source ID) must map to the following
   URL on the assertion consumer service (as explained in Trusted application
   URLs on page 3):
   https://<IVEhostname>/dana-ws/saml.ws

   Issuer
   Enter a unique string that the IVE can use to identify itself when it generates
   assertions (typically its hostname).

   Important: You must configure the assertion consumer service to recognize
   the IVE's unique string.

8. In the User Identity section, specify how the IVE and the assertion consumer service
should identify the user:
   Subject Name Type
   DN: Send the username in the format of a DN (distinguished name) attribute.
   Email Address: Send the username in the format of an email address.
   Windows: Send the username in the format of a Windows domain-qualified
   username.
   Other: Send the username in another format agreed upon by the IVE and the
   assertion consumer service.
   Subject Name
   Use the variables described in the IVE Administration Guide to specify the
   username that the IVE should pass to the assertion consumer service. Or, enter
   static text.

   Important: You must send a username or attribute that the assertion consumer
   service will recognize (as explained in User Identity in the IVE Administration
   Guide). For a default ClearTrust installation, the name format would be
   uid=<USER>. If you are using a different Name Format for ClearTrust/FIM
   mapping, you must enter the appropriate value.

9. In the Web Service Authentication section, specify the authentication method that the IVE
should use to authenticate the assertion consumer service:
   None
   Do not authenticate the assertion consumer service.
   Username
   Authenticate the assertion consumer service using a username and password.
   Enter the username and password that the assertion consumer service must send
   the IVE.
   Certificate Attribute
   Authenticate the assertion consumer service using certificate attributes. Enter the
   attributes that the assertion consumer service must send the IVE (one attribute per
   line). For example, cn=sales. You must use values that match the values contained
   in the assertion consumer service's certificate.

   Important: If you select this option, you must install the assertion consumer
   service's root CA on the IVE (as explained in Certificates in the IVE
   Administration Guide).

10. Cookie Domain: Enter a comma-separated list of domains to which the IVE sends the SSO
cookie.

11. Click Save Changes.

12. On the SAML SSO Policies page, order the policies according to how you want the IVE to
evaluate them. Keep in mind that once the IVE matches the resource requested by the
user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified
action and stops processing policies.
For an example Web resource policy, see the figures in the IVE Administration Guide.

Note: The session timeouts on the IVE and your access management system may not
coordinate with one another. If a user's RSA ClearTrust session cookie times out before his
IVE cookie (DSID cookie) times out, then single sign-on between the two systems is lost.
The user is forced to sign in again when he times out of the access management system.
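The Source ID and Profile settings above decide how the assertion consumer service ties an artifact back to the IVE's SOAP endpoint (https://<IVEhostname>/dana-ws/saml.ws). The following is an added example, not code from the guide or from Juniper or RSA: it applies the 20-byte Source ID rule stated in step 7, then builds and parses a SAML 1.1 type 0x0001 artifact (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) and resolves it against a trust table. The hostnames, the NUL padding byte and the SHA-1 derivation of a Source ID are assumptions for illustration.

```python
import base64
import hashlib
import os
from typing import Dict, Optional, Tuple

SOURCE_ID_LEN = 20          # SAML 1.1 SourceID is a 20-byte value
TYPE_CODE = b"\x00\x01"     # SAML 1.1 artifact type 0x0001


def normalize_source_id(value: str, encoded: bool = False) -> bytes:
    """Apply the rule the guide states: a plain-text string is padded or
    truncated to 20 bytes; a base64 string is decoded and must be 20 bytes.
    (Padding with NUL bytes is an assumption; the guide does not say how.)"""
    if encoded:
        raw = base64.b64decode(value, validate=True)
        if len(raw) != SOURCE_ID_LEN:
            raise ValueError(f"decoded source ID is {len(raw)} bytes, need {SOURCE_ID_LEN}")
        return raw
    return value.encode("utf-8")[:SOURCE_ID_LEN].ljust(SOURCE_ID_LEN, b"\x00")


def derive_source_id(issuer: str) -> str:
    """Build a base64 20-byte source ID from the issuer string (SHA-1 output
    is 20 bytes). This is a common convention, not a rule from the guide;
    the guide only says to create a 20-byte string and base64 encode it."""
    return base64.b64encode(hashlib.sha1(issuer.encode("utf-8")).digest()).decode()


def build_artifact(source_id: bytes, handle: Optional[bytes] = None) -> str:
    """Asserting-party side: TypeCode || SourceID || AssertionHandle, base64."""
    handle = handle if handle is not None else os.urandom(SOURCE_ID_LEN)
    return base64.b64encode(TYPE_CODE + source_id + handle).decode()


def parse_artifact(artifact: str) -> Tuple[bytes, bytes]:
    """Split an artifact into (source_id, assertion_handle); reject other types."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 2 + 2 * SOURCE_ID_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 1.1 type 0x0001 artifact")
    return raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]


def resolve_endpoint(artifact: str, trusted: Dict[bytes, str]) -> str:
    """Relying-party side: look the SourceID up in the trusted asserting-party
    table to find the SOAP binding URL; an unknown SourceID is rejected."""
    source_id, _handle = parse_artifact(artifact)
    if source_id not in trusted:
        raise LookupError("artifact carries an unknown or untrusted source ID")
    return trusted[source_id]
```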

Configuring RSA FIM Asserting Party Settings for Juniper IVE


Note: The example screenshots provided below are for demonstration purposes only. Your
environment may vary from this example. All parameters are determined by your
deployment environment unless specified otherwise.

To set up the Juniper IVE as a Trusted Asserting Party for the RSA FIM, perform the following
steps:

1. Configure the Asserting Party Settings.
   Note the SOAP Binding Service URL and SourceID obtained from the IVE.

2. Configure settings for Web SSO.
   The example here is configured for Browser Post Profile (BPP).

   Important: You must select MUST NOT contain a subject namespace in
   this section. Then select the RSA_ClearTrust_X.509_Subject_Plug-in from the drop-down
   box.
   The IVE will also send the IP address and DNS address if available, so set these two
   parameters to MAY.

3. Configure settings for Digital Signatures.
   Note that for BPP the IVE only signs SAML responses, not the assertions themselves, so if
   signatures are required, set the responses to MUST be signed and the assertions to MUST
   NOT be signed.
   Note also that for BAP, the IVE does not sign responses. Signing of responses is only
   supported with BPP.
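The signing rules in step 3 are easy to get backwards on the FIM side (requiring a signed assertion would reject every BPP response the IVE sends). The following is an added example, not from the guide or from RSA FIM: it checks where the ds:Signature sits in a constructed SAML 1.1 Response and compares that placement with the rules above. It checks placement only; it does not verify the XML signature cryptographically. The sample XML, issuer and subject are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# FIM-side expectations per profile as the guide states them: under BPP the IVE
# signs the Response, never the Assertion; under BAP it signs nothing (MAY = no check).
SIGNING_RULES = {
    "BPP": {"response": "MUST", "assertion": "MUST NOT"},
    "BAP": {"response": "MAY", "assertion": "MAY"},
}

# Constructed sample, not a real IVE capture: Response-level signature only,
# one unsigned Assertion, which is the shape the IVE produces under BPP.
SAMPLE_BPP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ResponseID="_r1"
    MajorVersion="1" MinorVersion="1" Recipient="https://hostname/acs">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <saml:Assertion AssertionID="_a1" Issuer="ive.example.com" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>uid=jsmith</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def signature_placement(xml_text: str) -> dict:
    """Report whether a ds:Signature is a direct child of the Response and of any Assertion."""
    root = ET.fromstring(xml_text)
    return {
        "response": root.find("ds:Signature", NS) is not None,
        "assertion": any(a.find("ds:Signature", NS) is not None
                         for a in root.findall("saml:Assertion", NS)),
    }


def check_signing_policy(xml_text: str, profile: str) -> list:
    """Return the violations of the profile's signing rules; an empty list means OK."""
    found = signature_placement(xml_text)
    problems = []
    for part, rule in SIGNING_RULES[profile].items():
        if rule == "MUST" and not found[part]:
            problems.append(f"{part} must be signed under {profile}")
        elif rule == "MUST NOT" and found[part]:
            problems.append(f"{part} must not be signed under {profile}")
    return problems
```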

6. Certification Checklist for VPN Products

Date Tested: 05/18/04

Product Tested / Version
RSA Federated Identity Manager (FIM): 2.5
RSA ClearTrust: 5.5.2
Juniper Networks NetScreen-SA 3000: 4.1 (build 6641)

Test Case / Result

Note: All VPN test cases assume that Partner Product is configured as the
Asserting Party (AP) and the RSA Federated Identity Manager (FIM) is
configured as the Relying Party (RP).

SAML Asserting Party (AP) (result columns in the original: SAML 1.0, SAML 1.1; one result is recorded per row)
Partner Product produces valid authentication assertion in response to valid authentication query from FIM: P
RSA FIM consumes valid authentication assertion, requested in valid authentication query to Partner Product: P
Partner Product produces valid attribute assertion in valid response to attribute query from FIM: N/A
RSA FIM consumes valid attribute assertion, requested in valid attribute query to Partner Product: N/A
Partner Product produces valid assertions in valid response to AssertionIDReference request from FIM: N/A
RSA FIM consumes valid assertions, requested in valid AssertionIDReference request to Partner Product: N/A

Web Browser SSO Profiles

Browser/Artifact Profile (BAP)
Valid assertions produced in response to AssertionArtifact request: P
Valid assertions request corresponding to artifacts sent in HTTP message:
   HTTP BASIC Authentication: P
   Anonymous SSL: P
   Mutual Auth SSL: P
Valid signed response sent to and validated by FIM (RP): N/A
Valid signed assertion sent to and validated by FIM (RP): N/A
Successful validation of signed requests from FIM (RP): N/A
Valid RSA ClearTrust token generated via RSA ClearTrust ticket plug-in: P

Browser/POST Profile (BPP)
Valid Assertions Received in Valid HTTP POST: P
Valid Assertions Sent in Valid HTTP POST: P
Valid RSA ClearTrust token generated via RSA ClearTrust ticket plug-in: P
Valid signed assertion sent to and validated by FIM (RP): P
Successful validation of signed requests from FIM (RP): P

*P=Pass or Yes, F=Fail, N/A=Non-available function

7. Notes

The session timeouts on the IVE and your access management system may not
coordinate with one another. If a user's RSA ClearTrust session cookie times out before his
IVE cookie (DSID cookie) times out, then single sign-on between the two systems is lost.
The user is forced to sign in again when he times out of the access management system.

The IVE does not support attribute statements, which declare specific details about the
user (such as "John Smith is a member of the gold group").

The IVE can consume and enforce an authorization decision statement; however, these
types of SAML statements are not currently supported by RSA FIM.

8. Known Issues

Important: The IVE has been tested and does not work with FIM 2.0.
