WALLIX Access Manager

SAML - Access Manager configuration

  • Go to your Access Manager admin page

  • Click on: Configuration → SAML Identity Providers → + Add

  • Select your organization

  • Write Trustelem for the identity provider's Name

  • In the tab Service Provider:

    • In the field WALLIX-AM Entity ID, enter the value WALLIX-AM
    • Turn OFF Sign Messages, Encrypt Messages
    • Turn ON Signed Response, Signed Assertion
  • In the tab Identity Provider:

    • Import the Trustelem metadata file
    • Copy the Redirect Binding Uri and paste it in Redirect Logout Uri, replacing « sso » with « on_logout »
  • In the tab Domain:

    • In the field Domain Name, enter the domain for federated users
      WALLIX Access Manager builds the user's identifier with the combination: login ID + @ + domain
    • Click on the pen, and enter the following attributes:
      Login → uid
      Display Name Attribute → displayname
      Email Attribute → email
      Language Attribute → lang
    • Choose a Default Profile for new users

SAML - Trustelem configuration

  • Enter the root URL of your Access Manager (e.g. https://wam.com/wabam)

  • Enter your organization identifier (you can find it in: Access Manager → Configuration → Organizations)

  • Enter the domain defined in Access Manager, tab Domain of your SAML Identity Provider

SAML - Notes

  • The date/time on the machine running Access Manager has to be exact, or SAML will not work.

  • WALLIX Access Manager auto-provisions unknown users.

  • In WALLIX Access Manager, you can activate the DEBUG mode and download the logs: Settings → Application Settings → Logs

  • If the users authenticate using email on the Bastion, you need a custom script on the Trustelem app:

msg.setAttr("uid",user.email);

If you need a different AM profile:

  • on the Access Manager, in the SAML setup in the Domain tab:
    • in the "Default Profile" section: select "No Default Profile",
    • in the "Attributes" section: click on the edit button (pen) and set the "Profile Attribute" to "profile"
  • on Trustelem, in the app settings, add a custom script:
// Define a default profile attribute which matches the NAME of the Access Manager profile
msg.setAttr("profile","User")
// Change it depending on the email address
if(user.email=="rose.keler@trustelem.demo"){msg.setAttr("profile","Auditor")}
// Change it depending on the groups
for (let group in groups) {
  if(group=="Trustelem group name"){msg.setAttr("profile","Auditor")}
}
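The two custom scripts above (uid taken from the email address, and the profile chosen from email or group membership) can be combined into one script. The following is an added example, not Trustelem's code: `msg`, `user` and `groups` are stand-ins constructed here so the logic runs offline, and the group-to-profile table plus the "highest profile wins" precedence rule are assumptions, not Trustelem or WALLIX defaults.

```javascript
// Added example (not Trustelem's own code). In a real Trustelem custom script
// `msg`, `user` and `groups` are provided by the platform; here they are
// constructed stand-ins so the mapping logic can be run and checked offline.
const PROFILE_BY_GROUP = {   // Trustelem group name -> Access Manager profile NAME (assumed)
  "WAM Auditors": "Auditor",
  "WAM Admins": "Administrator",
};
// Precedence when a user belongs to several mapped groups (assumed rule).
const PROFILE_RANK = { User: 0, Auditor: 1, Administrator: 2 };
const DEFAULT_PROFILE = "User"; // must match the NAME of an Access Manager profile

function makeMsg() {          // minimal stand-in for Trustelem's `msg` object
  const attrs = {};
  return { setAttr: (k, v) => { attrs[k] = v; }, attrs };
}

// Builds the attributes Access Manager is configured to read in the Domain tab
// (uid, displayname, email, lang, profile). `useEmailAsLogin` mirrors the case
// "users authenticate using email on the Bastion" from the notes above.
function buildAmAttributes(user, groupNames, useEmailAsLogin) {
  const msg = makeMsg();
  msg.setAttr("uid", useEmailAsLogin ? user.email : user.login);
  msg.setAttr("displayname", user.displayName);
  msg.setAttr("email", user.email);
  msg.setAttr("lang", user.lang || "en"); // fall back when the user has no language

  // Start from the default profile, then let the highest-ranked mapped group
  // win, so a user in several groups always gets a deterministic profile.
  let profile = DEFAULT_PROFILE;
  for (const g of groupNames) {
    const candidate = PROFILE_BY_GROUP[g];
    if (candidate && PROFILE_RANK[candidate] > PROFILE_RANK[profile]) {
      profile = candidate;
    }
  }
  msg.setAttr("profile", profile);
  return msg.attrs;
}

// Access Manager builds the user's identifier as login ID + "@" + domain;
// this reproduces it so the value auto-provisioning will create can be checked.
function amIdentifier(attrs, domain) {
  return `${attrs.uid}@${domain}`;
}
```

Before enabling the identity provider, run the function on a few representative users and confirm that each resulting `profile` value is the exact name of an existing Access Manager profile, since auto-provisioning will use it.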

Radius - Access Manager and Trustelem configuration

In some specific cases, Radius is a better choice than SAML:

  • The users come from an Active Directory --> SAML
  • The users come from an Active Directory but you use mainly "account mapping" --> Radius
  • You have some users on the Bastion/Access Manager who are not created yet --> SAML
  • You have only a few local users that already exist --> SAML
    • the users will have to change their password because they will be managed on Trustelem
  • You have a lot of existing users and you don't want them to change their password --> Radius

Radius can be used in all of these cases, but SAML is the better option, so Radius is not recommended unless you need it:

  • SAML does not need the LDAP/Radius proxy to work
  • SAML is easy and fast to set up
  • SAML is more secure
  • SAML only requires users to have access rights to the AM and Trustelem; no additional workflows are needed
  • SAML is compatible with any kind of 2nd factor
    • push notifications do not work well over Radius
    • FIDO keys (USB tokens) are not compatible with Radius

Knowing that, if you still need to use Radius, the steps are:

  • Setup Active Directory if needed: Active Directory synchronization
  • Setup the LDAP/Radius proxy: LDAP-Radius
  • Add an Access Manager application on Trustelem
  • Add a Radius Server on Access Manager: Configuration/RADIUS Servers
    • Name: whatever you want
    • Host: the IP/FQDN of the machine running the LDAP/Radius proxy
    • Protocol: PAP
    • Authentication Port: can be found on the Services tab in the Trustelem admin page
    • Connection Timeout: 30 to 60 s recommended
    • Shared Secret: can be found on the Services tab in the Trustelem admin page, by clicking on the eye icon
    • NAS Identifier: empty
  • Edit the Access Manager domain used for the authentication. In Associated Authenticators, for Login type select Email address or Simple login (depending on the login attribute on the Bastion and on the "Strip Domain" option in the Access Manager Bastion setup), and set Factor to 2.
  • Define the access rules on Trustelem: Access rules
  • Setup the 2nd factors on Trustelem: Multi factors authentication