Pulse Secure Connect and Trusona Integration Guide

This guide details the steps required to configure Trusona for your Pulse Secure Connect installation.

By Tom Piscitell
Updated May 12, 2021

• 1. Overview
• 2. Prerequisites
• 3. Verify your domain
• 4. Creating a SAML integration in Trusona
  • 4.1. Create a Trusona SAML integration
  • 4.2. Retrieve the Metadata URL
• 5. Configure Pulse Secure
  • 5.1. System SAML Configuration
  • 5.2. Add a SAML Metadata Provider
  • 5.3. Add a SAML Auth Server
  • 5.4. Configure the Pulse Secure SAML integration in the Trusona Dashboard
  • 5.5. Add an LDAP Auth Server for Authorization
  • 5.6. Configure a User Realm to use Trusona
  • 5.7. Configure your Sign-in policy
• 6. Verify the Configuration

1. Overview

Pulse Secure Connect integrates with Trusona using SAML 2.0 providing primary authentication without passwords. The Trusona user’s verified email address will be returned in the SAML Response.

Further authorization is performed by Pulse Secure by making an LDAP query based on the verified email address in the SAML assertion from Trusona.

2. Prerequisites

This document assumes you a have Pulse Connect Secure 9.0R1 or later and an LDAP store such as Microsoft Active Directory.

Before proceeding, ensure that you have the following steps completed:

1. Have admin access to the Trusona Dashboard
2. Have admin access to the Pulse Secure Admin Console
3. Have access to your Domain’s DNS records to verify your domain

3. Verify your domain

1. Navigate to the Trusona Dashboard and log into your account
2. From your Trusona account dashboard, select ‘Domains’ on the left-hand navigation
3. Enter in the domain you would like to verify and select ‘Verify’

4. Add the generated TXT Record to your domain’s DNS records. Once the TXT record has been created, it can take a couple of minutes for us to verify your domain due to propagation
5. Refresh the page after a couple of minutes in order to see if your domain has been verified

4. Creating a SAML integration in Trusona

4.1. Create a Trusona SAML integration

1. From the Trusona Dashboard, select ‘Generic SAML’ on the left-hand navigation
2. On the Generic SAML Integrations page, select Create SAML integration
3. Enter the following information:

• Name: Provide a name for your integration

4. Select ‘Save’

4.2. Retrieve the Metadata URL

1. On the Generic SAML Integrations page, find your newly created Pulse Secure SAML integration
2. Click on ‘Actions’
3. Select ‘View Metadata URL’
4. Take note of the URL as this will be needed in a later step. This is your Download URL

5. Configure Pulse Secure

Once you have created a SAML integration within the Trusona Dashboard, you can begin configuring a SAML IdP on your Pulse Secure.

5.1. System SAML Configuration

1. In the Pulse Secure Admin Console, go to System -> Configuration -> SAML
2. Select ‘Settings’

3. Validate or populate the ‘Host FQDN for SAML’ field with the FQDN of your Pulse Secure Appliance.
4. Select ‘Save Changes’

5.2. Add a SAML Metadata Provider

1. Go to System -> Configuration -> SAML
2. Select ‘New Metadata Provider’

3. Name: Provide a name, such as Trusona
4. Location: Remote
5. Download URL: Enter the Download URL. This is the URL of your Trusona SAML Metadata file found in section 4.2.
6. Roles: Identity Provider
7. Select ‘Save Changes’

5.3. Add a SAML Auth Server

1. Go to Authentication > Auth. Servers
2. Choose ‘New: SAML Server’ and select ‘New Server’
3. Server Name: Provide a name, such as Trusona
4. SAML Version: 2.0
5. Configuration Mode: Metadata
6. Identity Provider Entity Id: Select the Entity Id from your Trusona SAML Metadata XML file. You can find this in the Metadata XML generated in section 4.2.

7. Identity Provider Single Sign On Service URL: Verify the correct Single Sign On Service URL is populated. You can find this in the Metadata XML generated in section 4.2.

8. SSO Method: POST
9. Select Certificate: Select the Trusona SSO Gateway Certificate
10. Select Device Certificate for Signing: Choose a valid certificate that will be used for signing the requests
11. Metadata Validity: 365 days
12. Select ‘Save Changes’

13. Edit the Authentication Server you just created and click ‘Download Metadata’.
14. Open the downloaded Metadata file and extract the following:
    • AssertionConsumerService URL
    • The Cert Data and save it as a .crt file. Be sure to add —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– to the file. See example screenshot below

5.4. Configure the Pulse Secure SAML integration in the Trusona Dashboard

1. Navigate to the Trusona Dashboard and log into your account.
2. Select ‘Generic SAML’ on the left-hand navigation
3. Locate the Pulse Secure Integration you previously created
4. Select ‘Actions’ > Edit

5. Email Domains: Select one or multiple verified domains
6. Assertion Consumer Service URL: Enter in the Pulse Secure AssertionConsumerService URL from the metadata file downloaded in section 5.3
7. Certificate: Upload the certificate file you created when extracting the Cert Data from the Pulse Secure Metadata file in section 5.3
8. Starting URL: Enter in the URL that your users navigate to in order to log into the Pulse Secure VPN
9. Select ‘Save’.

5.5. Add an LDAP Auth Server for Authorization

Trusona requires looking up the user by their mail attribute. This may be incompatible with other uses of the LDAP Auth Server. Therefore, Trusona recommends creating a new LDAP Auth Server specifically for Trusona. General configuration of the LDAP Auth Server Settings is out of scope for this document. Please refer to the Pulse Secure Connect Administration Guide for more information.

To configure the LDAP Auth Server to lookup users by their mail attribute do the following in the Pulse Secure Admin Console:

1. Go to Authentication > Auth. Servers
2. Select the LDAP Auth Server you wish to edit.

3. Under Finding user entries, set “Filter” to mail=
4. Select ‘Save Changes’

5.6. Configure a User Realm to use Trusona

1. Go to Users -> User Realms and create a new realm or edit an existing one.

2. Under Servers, set Authentication to the Trusona SAML Auth Server configured in section 5.3
3. Under Servers, set User Directory/Attribute to the LDAP Auth Server configured in section 5.5
4. Select ‘Save Changes’

Note: Ensure Role mapping is configured for the User Realm. If not configured, users may not be able to sign into the VPN with Trusona.

5.7. Configure your Sign-in policy

In order for your users to be prompted for Trusona, you need to edit an existing sign-in policy or create a new one.

1. Go to Authentication > Signing In > Sign-In Policies
2. Edit an existing User URL or create a new one
3. User Type: Users
4. Sign-in Page: Default Sign-In Page
5. Under Authentication Realm, select ‘User picks from a list of Authentication Realms’ and add the user realm you configured with Trusona.
6. Select ‘Save Changes’

6. Verify the Configuration

1. Create a user in your LDAP directory with the mail attribute set.
2. Install the Trusona app and register a user using the same email address as specified in the mail attribute for the user that was created in LDAP.
3. Visit the public URL for your Pulse instance.
4. You will be directed to a Trusona login page with a QR code.
5. Scan the QR code using the Trusona app.
6. You will receive a Security Challenge in the Trusona app that allows you to accept or reject the login attempt.
7. Accept the Security Challenge.
8. You will be directed to the Pulse dashboard page.

---