WALLIX Access Manager
Contents
- Trustelem Radius on Access Manager for AD users
- Trustelem Radius on Access Manager for AM users
- Trustelem SAML on Access Manager for AD users
- Trustelem SAML on Access Manager for Trustelem users
- Debug
Trustelem Radius on Access Manager for AD users
Install Trustelem Connect
Start by installing Trustelem Connect.
This will give Trustelem the ability to process Radius authentications.
The documentation is the following:
https://trustelem-doc.wallix.com/books/trustelem-administration/page/ldap-radius-trustelem-connect
You don't need to read the chapter Setup an application to use Trustelem Connect, the specific instructions for an Access Manager application will be detailed in this chapter.
The common mistakes will be also detailed, but if the authentication is not working you should start by reading the Debug chapter in this LDAP-Radius - Trustelem Connect documentation.
On Trustelem admin page
- Go on the tab Apps and create an Access Manager application
- Let the root url / organization identifier / domain fields empty
- Enable the Radius protocol
- Go on the Service setup in the Install Trustelem Connect chapter
- Click on Add an application + and select the Access Manager
- Enable Radius protocol by clicking on the Radius button
- the listen address can be localhost, all existing IP address on the machine = *, or a specific IP = ...
- this will open the defined udp (Radius) or tcp (LDAP) port on the machine running Trustelem Connect on the IP 127.0.0.1 (localhost) OR on all local IPs (*) OR on a specific local IP (...)
- if you have a dedicated VM for the connector, choose *
- If you don't already have a Bastion using it, you can let the default port 1812. Otherwise, you can use 2812, 3812...
- Click Save
On Access Manager admin page
- Add a Radius Server on Access Manager: Configuration/RADIUS Servers
- Organization: select the organization where your AD users are
- Name: choose what you want
- Host: the IP/fqdn of the machine running Trustelem Connect
- Protocol: PAP
- Authentication Port: the port is defined on the Trustelem Service previously setup (should be 1812 or 2812)
- Connection Timeout: let de default value, unless you have latency on your network
- Login type: simple login
- Shared Secret: this secret can be found in the Trustelem Access Manager app model.
-
NAS Identifier: empty
- Click on Test Connection then Save
- Edit the Access Manager domain used for the authentication of your AD users --> Configuration > Domains > should be the Active Directory domain
- In the field Associated Authenticators: Active Directory Authenticator Factor 1 - Radius Authenticator Factor 2
You can't test the authentication yet, first you need to define the access rules on Trustelem.
The documentation is provided in the page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a Radius access rule set to 2nd factor only.
Note: for the user authentication, first provide the AD login and password then provide the Trustelem TOTP code, even if the name of the input is Password again.
Trustelem Radius on Access Manager for AM users
Install Trustelem Connect
Start by installing Trustelem Connect.
This will give Trustelem the ability to process Radius authentications.
The documentation is the following:
https://trustelem-doc.wallix.com/books/trustelem-administration/page/ldap-radius-trustelem-connect
You don't need to read the chapter Setup an application to use Trustelem Connect, the specific instructions for an Access Manager application will be detailed in this chapter.
The common mistakes will be also detailed, but if the authentication is not working you should start by reading the Debug chapter in this LDAP-Radius - Trustelem Connect documentation.
On Trustelem admin page
- Go on the tab Apps and create an Access Manager application
- Let the root url / organization identifier / domain fields empty
- Enable the Radius protocol
- Go on the Service setup in the Install Trustelem Connect chapter
- Click on Add an application + and select the Access Manager
- Enable Radius protocol by clicking on the Radius button
- the listen address can be localhost, all existing IP address on the machine = *, or a specific IP = ...
- this will open the defined udp (Radius) or tcp (LDAP) port on the machine running Trustelem Connect on the IP 127.0.0.1 (localhost) OR on all local IPs (*) OR on a specific local IP (...)
- if you have a dedicated VM for the connector, choose *
- If you don't already have a Bastion using it, you can let the default port 1812. Otherwise, you can use 2812, 3812...
- Click Save
On Access Manager admin page
- Add a Radius Server on Access Manager: Configuration/RADIUS Servers
- Organization: select the organization where your AM users are
- Name: whatever you want
- Host: the IP/fqdn of the machine running Trustelem Connect
- Protocol: PAP
- Authentication Port: the port is defined on the Trustelem Service previously setup (should be 1812 or 2812)
- Connection Timeout: let de default value, unless you have latency on your network
- Login type: simple login
- Shared Secret: this secret can be found in the Trustelem Access Manager app model.
-
NAS Identifier: empty
- Click on Test Connection then Save
- Edit the Access Manager domain used for the authentication of your AM users --> Configuration > Domains > should be the local domain
- In the field Associated Authenticators:
- if you want to keep AM user password: Local database Factor 1 - Radius Authenticator Factor 2
- if you want to use Trustelem password: Local database Factor Unused - Radius Authenticator Factor 1
You can't test the authentication yet, first you need to define the access rules on Trustelem.
The documentation is provided in the page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need a:
-
Radius access rule set to 2nd factor only if you want to keep AM user password
--> first provide the local login and password then provide the Trustelem TOTP code, even if the name of the input is Password again - Radius access rule set to 2 factors if you want to use Trustelem password
Trustelem SAML on Access Manager for AD users
On Trustelem admin page
-
Go on the tab Apps and create an Access Manager application
-
Enter the root URL of your Access Manager (ex:
https://wam.com/wabam) -
Enter your organization identifier (you can find it in: Access Manager → Configuration → Organizations)
- The organization must have a Bastion configured
- The organization must not already have the needed domain used (see next point)--> a domain is unique in an organization.
-
Enter the correct domain value. This domain has to match the Authentication domain name of your Active Directory Authentication domain
. -
If on Access Manager you need different profiles for Users, click on the + at the end of the line Custom scripting
-
The point is to send the name of an Access Manager profile in a SAML attribute named profile :
//Define a default profile attribute which matches the name of the Access Manager profile
msg.setAttr("profile","User")
//Change the default profile depending on the email address
if(user.email=="rose.keler@trustelem.demo"){msg.setAttr("profile","Auditor")}
//Change the default profile depending on Trustelem groups
for (let group in groups) {
if(group=="Trustelem admin group name"){msg.setAttr("profile","Administrator")}
}
- Save the modifications
- Download the metadata file
On Access Manager admin page
-
Click on: Configuration → SAML Identity Providers → +Add
-
Select your organization (the one with the identifier used on Trustelem setup)
-
Choose a name, for the identity provider setup
-
In the tab Service Provider:
- In the field WALLIX-AM Entity ID, enter the value WALLIX-AM
- Turn OFF Sign Messages, Encrypt Messages
- Turn ON Signed Response, Signed Assertion
-
In the tab Identity Provider:
- Import the Trustelem metadata file
- Copy the Redirect Binding Uri and paste it in Redirect Logout Uri, replacing « sso » by « on_logout »
-
In the tab Domain:
- In the field Domain Name, enter the domain for federated users : still the same value used on the Bastion and on Trustelem setup
- Choose a Default Profile for new users.
- Usually it is User
- You can let No Default Profile if Trustelem is in charge of the profile.
- Click on the pen on the line Attributes, and enter the following attributes:
Login → uid
Display Name Attribute → displayname
Email Attribute → email
Language Attribute → lang Profile Attribute → let this field empty, or enter profile depending on if Trustelem provides this attribute or not
You can't test the authentication yet, first you need to define the access rules on Trustelem.
The documentation is provided in the page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need internal and external set to 2 factors
Trustelem SAML on Access Manager for Trustelem users
On Trustelem admin page
-
Go on the tab Apps and create an Access Manager application
-
Enter the root URL of your Access Manager (ex:
https://wam.com/wabam) -
Enter your organization identifier (you can find it in: Access Manager → Configuration → Organizations)
- The organization must have a Bastion configured
- The organization must not already have the needed domain used (see next point)--> a domain is unique in an organization.
-
Enter the correct domain value. This domain has to match the Authentication domain name of your Trustelem Active Directory Authentication domain
. -
If on Access Manager you need different profiles for Users, click on the + at the end of the line Custom scripting
-
The point is to send the name of an Access Manager profile in a SAML attribute named profile :
//Define a default profile attribute which matches the name of the Access Manager profile
msg.setAttr("profile","User")
//Change the default profile depending on the email address
if(user.email=="rose.keler@trustelem.demo"){msg.setAttr("profile","Auditor")}
//Change the default profile depending on Trustelem groups
for (let group in groups) {
if(group=="Trustelem admin group name"){msg.setAttr("profile","Administrator")}
}
- Save the modifications
- Download the metadata file
On Access Manager admin page
-
Click on: Configuration → SAML Identity Providers → +Add
-
Select your organization (the one with the identifier used on Trustelem setup)
-
Choose a name, for the identity provider setup
-
In the tab Service Provider:
- In the field WALLIX-AM Entity ID, enter the value WALLIX-AM
- Turn OFF Sign Messages, Encrypt Messages
- Turn ON Signed Response, Signed Assertion
-
In the tab Identity Provider:
- Import the Trustelem metadata file
- Copy the Redirect Binding Uri and paste it in Redirect Logout Uri, replacing « sso » by « on_logout »
-
In the tab Domain:
- In the field Domain Name, enter the domain for federated users : still the same value used on the Bastion and on Trustelem setup
- Choose a Default Profile for new users.
- Usually it is User
- You can let No Default Profile if Trustelem is in charge of the profile.
- Click on the pen on the line Attributes, and enter the following attributes:
Login → email
Display Name Attribute → displayname
Email Attribute → email
Language Attribute → lang Profile Attribute → let this field empty, or enter profile depending on if Trustelem provides this attribute or not
You can't test the authentication yet, first you need to define the access rules on Trustelem.
The documentation is provided in the page: https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules
For this kind of authentication, you need internal and external set to 2 factors
Debug
If the Radius authentication is not working:
- Read the debug chapter of LDAP-Radius Trustelem Connect
- Verify if the protocol is set to PAP
- Reminder: if the password is not handle by Trustelem, the authentication is login + password (AD, local...) then Trustelem TOTP even if the input name is Password again.
If the SAML authentication is not working:
- Verify if the setup is correct: there is a lot of information to copy and paste, and an error can quickly happen.
- Verify the time on Access Manager: SAML assertion are valid for a short period.
- Verify if the user doesn't already exist. For instance if the SAML domain was used before for LDAP authentication, the users may already exist. In these case the authentication will not work and it has to be deleted first.
- Verify the attributes mapped in Access Manager
--> reminder: a local Trustelem user must have an uid set to email - Verify if the domain used in the SAML setup is the same used on the Bastion for the Authentication domain name
If after that you still you don't have a working SAML authentication, you can try 2 things:
- Download the browser plugin SAML tracer. This plugin will show you the certificate and the attributes send by Trustelem to the Access Manager.
- Activate Access Manager logs: Settings > Application Settings > Configuration > SAML enabled at DEBUG level
Try to authenticate again, then download the logs on the Access Manager logs setting page.
The files can help you to understand the issue, but they are not easy to read.
