Gunther Kochmann

Integrating authentication to your Luna account with your own Single-sign-on (SSO) service

Blog Post created by Gunther Kochmann Employee on Jun 18, 2015

How many passwords are you able to remember and how many are you actually expected to memorize for your day-to-day job?

Well, those could be many. Everyone has a ton of different services to work with every day, and each requires a password to remember for access to the service, application or database. Of course this pain is not new, and many organizations have now implemented single sign-on solutions to reduce the number of different passwords required within the organization - ideally this means only one password is required now.

Now Akamai LUNA Control Center comes around the corner, and with it a new password which is of course different from your well-memorized SSO password for your organization! On top of that this password requires rotation every three months and has certain minimum criteria to meet on characters and length, which probably applies to your organization's password equally.

Akamai has thought about this and supports SAML 2.0 integration with an organization's single sign-on (SSO) solution:

Luna Control Center supports SAML 2.0 Integration for fully federated control of users, single sign-on, and multifactor authentication, according to an organization's security policy. This solution is for customers using their own identity provider. Prior to allowing access to Luna Control Center resources, the customer validates the user's identity.

Doesn't this sound great?

Here is an overview of how this looks at a high level (the IdP would be your organization's, the SP Akamai's):

[Figure: SSO-overview.JPG - high-level SAML flow between your identity provider (IdP) and the Akamai service provider (SP)]

Details on the integration can be found in LUNA -> Support -> User and Developer Guides -> LUNA Control Center -> Single Sign-On with SAML Integration Guide.

The main steps are:

  1. Prerequisites
    • customer IdP must support SAML 2.0
    • attribute 'userid' is required in the SAML assertion sent by the identity provider
    • determine a hostname for the service provider endpoint (done in LUNA Control Center)
    • of course, have your own identity provider set up
    • have the authentication/public key from your identity provider at hand
    • for more details on the information required for the identity provider and service provider setup, refer to the guide mentioned above
  2. Provisioning STEP ONE & TWO
    • in LUNA go to CONFIGURE -> Organization -> Manage SSO with SAML
    • for a new configuration click 'Create Identity Provider Configuration'
    • complete the fields as follows:
      • service provider endpoint - the hostname through which you will access LUNA's services; you may set the first part of the hostname/domain, e.g. xyz.luna-sp.com
      • entity ID - the entity ID or issuer name that uniquely identifies your identity provider
      • single sign-on URL - find this information with your identity provider
      • email address - for notifications from LUNA Control Center
      • public key - from your identity provider
    • save the details
  3. Provisioning STEP THREE
    • once the above steps have been completed, the DNS entry for your service provider endpoint xyz.luna-sp.com will be set up
    • the required CNAME will be ready within 1-2 business days (it's a manual process currently)
    • for the moment the 'Current Status' column will show 'Saved', which means it is not yet activated/ready for service
    • now click the gear icon and select 'Download' to fetch the LUNA SAML metadata, which you will need for configuring your identity provider
    • in order to activate the new configuration, go to the gear icon and select 'Provision' ('Current Status' will show the progress)
  4. Testing
    • testing may begin only after 'Current Status' shows 'Provisioned' and 'End-Point Status' shows 'End-point provisioned'
    • in addition, you must have imported the LUNA SAML metadata into your identity provider
    • ideal for testing purposes would be to have two configurations created, one for testing and the other for the production environment
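The provisioning fields above (entity ID, the SP endpoint hostname, the IdP public key and the mandatory 'userid' attribute) are exactly the values a service provider needs to decide whether an incoming SAML assertion may be trusted. The following is an added example, not Akamai's code and not taken from the integration guide: it parses a constructed sample assertion and applies the SP-side checks that depend on those fields. The IdP entity ID "https://idp.example.org/saml", the user "jdoe" and the timestamps are placeholders I made up; the XML-Signature verification against the IdP public key, which a real SAML library performs before anything else, is represented here by a boolean parameter rather than implemented.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed SP-side configuration mirroring the Luna form fields from the post.
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.org/saml",  # 'entity ID' (issuer) field, placeholder value
    "sp_endpoint": "https://xyz.luna-sp.com",        # service provider endpoint from the post
    "required_attribute": "userid",                  # attribute the IdP must send
}

# Constructed sample assertion. A real one also carries an XML-Signature
# element, which is deliberately omitted here (see validate_assertion).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2015-06-18T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-06-18T09:59:00Z" NotOnOrAfter="2015-06-18T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://xyz.luna-sp.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="userid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2015-06-18T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def validate_assertion(xml_bytes, config, now, signature_verified):
    """Return (True, userid) if the assertion is acceptable, else (False, reason).

    signature_verified stands in for the XML-Signature check that a SAML
    library performs against the IdP public key uploaded in the Luna form;
    none of the checks below mean anything unless that check passed first.
    """
    if not signature_verified:
        return False, "signature not verified against the IdP public key"
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "document is not a SAML 2.0 Assertion"

    # Issuer must be exactly the entity ID configured for this IdP.
    issuer = _text(root, "saml:Issuer")
    if issuer != config["idp_entity_id"]:
        return False, f"unexpected issuer {issuer!r}"

    # Conditions: validity window and audience (this SP endpoint).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "Conditions lack a validity window"
    if now < parse_saml_time(not_before) or now >= parse_saml_time(not_on_or_after):
        return False, "assertion outside its validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if config["sp_endpoint"] not in audiences:
        return False, f"assertion not addressed to {config['sp_endpoint']}"

    # The required 'userid' attribute must be present exactly once and be non-empty.
    values = [
        v.text.strip()
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == config["required_attribute"]
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text and v.text.strip()
    ]
    if len(values) != 1:
        return False, f"expected exactly one {config['required_attribute']} value, got {len(values)}"
    return True, values[0]


if __name__ == "__main__":
    now = parse_saml_time("2015-06-18T10:00:00Z")
    print(validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, signature_verified=True))
    print(validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, now, signature_verified=False))
```

The order of the checks matters: the issuer, audience and attribute values are only meaningful after the signature has been verified with the public key you entered during provisioning, which is why the function refuses everything when that flag is false. The audience check is what ties the assertion to your own xyz.luna-sp.com endpoint, so an assertion your IdP issued for a different service provider is rejected even though it is validly signed.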

The most important FAQ:

Q. What happens to direct login once SAML has been integrated? Will users be able to continue using their Luna credentials to access Luna Control Center? Is it possible to designate users as SAML only?

A. Users' Luna credentials will continue to work for a direct login. However, you can choose to require SAML only, and can request that direct login be turned off. Until this switch is made, users will be able to access Luna both ways.
