Difference between revisions of "MobileIron Integration"

From Swivel Knowledgebase

Revision as of 20:18, 25 October 2017


AuthControl Sentry/Cloud to MobileIron

Integration Notes


Overview

Swivel Secure can provide strong and two-factor authentication for MobileIron. AuthControl Sentry is a Linux-based IdP for SAML federations. It is available on-premises or as Cloud SaaS and provides adaptive multifactor authentication, governed by a points system that depends on the factor used and the target application being accessed. This document outlines the details required to carry this out.


Prerequisites

  • Working MobileIron (MobileIron Sentry appliance)
  • MobileIron Core 9.X and Connector 9.X
  • Swivel 4.x


How does it work

At the application level, conditional access is applied to Cloud SaaS applications federated with SAMLv2. The federated identity works as a three-way trust between the Identity Provider (IdP), the Service Provider (SP) and MobileIron Access, provided by the MobileIron AdminPortal/Access Gateway.

SwivelSecure Configuration

Enabling Standard Federation - Sales Force

The standard federation involves just these 3 fields:

  • Portal URL: this endpoint URL can be found on the Setup -> Security Controls -> Single Sign-On Settings page in Salesforce.com, listed as ‘Salesforce Login URL’ under the Endpoints section. It is unique to your Salesforce.com instance and domain.
  • Entity ID: reflected in the Salesforce SSO configuration for My Domain.
  • Federated ID: must match the attribute defined on Salesforce.com and Swivel.


SAML std.PNG


Once there is a working federation between AuthControl and the SP (Salesforce in this example), this is just a standard Salesforce and Custom IdP federation on the MI Access console, because the MFA part from Swivel is triggered once MI Access has approved the connection. AuthControl Sentry provides a metadata URL to quickly get the XML from the IdP. It uses the POST method for federation.


SAML std IDPMetadata.PNG


SAML Customization of Mobile Iron settings, Portal URL, Entity ID and Federated ID:


SAML std MI Access.PNG


SAML customization on the Salesforce side, with the settings for MobileIron:


SAML std SSO MI.PNG


After the application settings have been applied, the applications are available in the AuthControl Sentry web portal.


SAML std AuthControl Portal SalesForceNO365.PNG


User login in AuthControl for Salesforce using the MI account:


SAML std AuthControl SalesForce login.PNG


SSO for Salesforce using MobileIron and the Turing image from Swivel Secure. The user logs in to Salesforce with Swivel Secure credentials and the selected method (in this case the Turing image), without needing Salesforce credentials.


SAML std SSO SalesForce MI Turing.PNG


Successful login to Salesforce.


SalesForce Buid App.PNG


Enabling Standard Federation - Office 365

For Office365, AuthControl requires the main federation to be performed with ADFS. On a working federation, a plugin has to be installed on the ADFS 3.0 server.


O365 Adfs SwivelSecure settings.PNG


There are a couple of choices, depending on whether the customer uses ADFS Proxy servers.

This plugin installs Swivel as an MFA to be applied via ADFS Authentication Policy Settings.

Set SwivelSecure as Authentication Provider

O365 Adfs SwivelSecure EditGlobalAuthPol.PNG


On the Swivel AuthControl Sentry side, create an application configuration with the MI Access, IdP and Office365 endpoints:


O365 Adfs AuthControl SSO.PNG


This way, ADFS will require PINPAD or the Turing image to validate access to Office365, in addition to the ADFS primary authentication policy.


O365 Adfs AuthControl SSO OK.PNG


Related Articles

  • ADFS configuration

https://kb.swivelsecure.com/w/index.php/Microsoft_ADFS_3_Authentication

Additional Information

For assistance with the Swivel Secure installation and configuration, please first contact your reseller and then email Swivel Secure support at supportdesk@swivelsecure.com