Pulse Secure Connect Integration Guide

This guide details the steps required to configure Trusona for your Pulse Secure Connect installation.

Overview

Pulse Secure Connect integrates with Trusona using SAML 2.0, providing primary authentication without passwords. The Trusona user’s verified email address is returned in the SAML Response.

Further authorization is performed by Pulse Secure by making an LDAP query based on the verified email address in the SAML assertion from Trusona.

Prerequisites

This document assumes you have a Pulse Connect Secure 9.0R1 or later installation and an LDAP store such as Microsoft Active Directory.

Tested Configuration

  • Pulse Secure Connect 9.0R1
  • Windows Server 2016 AD
  • SAML Integration w/ Trusona Gateway

SAML Authentication w/ LDAP Authorization

Complete the following steps to configure a User Realm to use Trusona for authentication and an LDAP server for authorization.

System SAML Configuration

Ensure your global SAML configuration is correct.

  1. Under System -> Configuration -> SAML choose Settings
  2. Validate or populate Host FQDN for SAML with the FQDN of your Pulse Secure Appliance
  3. Save Changes

Add a SAML Metadata Provider

  1. Under System -> Configuration -> SAML choose New Metadata Provider
  2. Provide a Name, such as Trusona
  3. Select Remote for location
  4. Enter the Download URL provided by Trusona
  5. Check Identity Provider for roles
  6. Save Changes. It may take a few moments for the values to populate from the Metadata Service.

Add a SAML Auth Server

  1. Under Authentication -> Auth. Servers choose SAML Server from the server type list and click New Server
  2. Provide a name, such as Trusona
  3. Select 2.0 for SAML Version
  4. Choose Metadata for Configuration Mode
  5. Choose the Identity Provider Entity Id from your Trusona SAML Metadata Provider
  6. Choose POST for SSO Method
  7. Select the Trusona SSO Certificate
  8. Select a valid Device Certificate for Signing
  9. Save Changes
  10. Edit the Authentication Server you just created and click Download Metadata.
  11. Provide the metadata file to Trusona to complete your integration.

Add an LDAP Auth Server for Authorization

Trusona requires looking up the user by their mail attribute. This may be incompatible with other uses of the LDAP Auth Server. Therefore, Trusona recommends creating a new LDAP Auth Server specifically for Trusona. General configuration of the LDAP Auth Server Settings is out of scope for this document. Please refer to the Pulse Secure Connect Administration Guide for more information.

To configure the LDAP Auth Server to look up users by their mail attribute, do the following:

  1. Edit the LDAP Auth Server.
  2. Under “Finding user entries”, set “Filter” to mail=
  3. Save Changes
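The lookup described in the Overview and configured in the step above, as an added example (not code from Trusona or Pulse Secure): the verified email address is taken from the Subject NameID of a constructed SAML assertion, checked for the emailAddress NameID format, and turned into the mail= LDAP search filter with RFC 4515 escaping, so the value supplied by the identity provider can only match literally and cannot change the filter. The sample assertion, function names and the escaping helper are assumptions; signature and Conditions checks on the assertion are out of scope here and must happen before any of this runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the Assertion element of a SAML Response carrying the
# verified email address as the Subject NameID (Signature and Conditions
# omitted; the SP must verify those before trusting anything below).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_email(assertion_xml: str) -> str:
    """Return the Subject NameID, requiring the emailAddress format."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject NameID")
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID is not in emailAddress format")
    email = name_id.text.strip()
    local, sep, domain = email.partition("@")
    if not (local and sep and domain) or "@" in domain or any(c.isspace() for c in email):
        raise ValueError("NameID is not a plausible email address")
    return email


def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters as \\XX hex so the value can
    only ever match literally and cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def mail_filter(assertion_xml: str) -> str:
    """Build the (mail=<address>) search filter used for the authorization lookup."""
    return "(mail=%s)" % ldap_escape(extract_email(assertion_xml))


if __name__ == "__main__":
    print(mail_filter(SAMPLE_ASSERTION))  # (mail=alice@example.com)
```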

Configure a User Realm to use Trusona

  1. Under Users -> User Realms create a new realm or edit an existing one.
  2. Under Servers, set Authentication to the Trusona SAML Auth Server configured above.
  3. Under Servers, set User Directory/Attribute to the LDAP Auth Server configured above.
  4. Save Changes

Verify the Configuration

  1. Create a user in your LDAP directory with the mail attribute set.
  2. Install the Trusona app and register a user using the same email address as specified in the mail attribute for the user that was created in LDAP.
  3. Visit the public URL for your Pulse instance.
  4. You should be directed to a Trusona login page with a QR code.
  5. Scan the QR code using the Trusona app.
  6. You should receive a prompt in the Trusona app that allows you to accept or reject the login attempt.
  7. Accept the login attempt.
  8. You should be directed to the Pulse dashboard page.