USSRELAB - Vision One SSO with ADFS Idp and ZTSA Testing

image-20240204220718541

Setting Up LAB

Install AD and DNS

Install ADCS (Root CA authority) on ADFS VM

Step 1: Install ADCS Role

  1. Open Server Manager: Click on the Start button, then click on Server Manager.
  2. Add Roles and Features: In the Server Manager dashboard, click on Manage and select Add Roles and Features.
  3. Before You Begin: Click Next on the “Before you begin” page, if displayed.
  4. Installation Type: Choose Role-based or feature-based installation and click Next.
  5. Server Selection: Ensure the correct server is selected and click Next.
  6. Server Roles: Scroll down and check Active Directory Certificate Services. When prompted to add features that are required for Active Directory Certificate Services, click Add Features, then click Next.
  7. Features: No additional features are needed unless you have specific requirements. Click Next.
  8. AD CS: You will see an information screen about AD CS. Click Next.
  9. Role Services: Choose the services you need. For a basic CA, check Certification Authority. You might also want to select Certification Authority Web Enrollment for web-based certificate requests, Online Responder for OCSP, etc., depending on your needs. Click Next after selection.
  10. Confirmation: Review your selections. Optionally, you can select Restart the destination server automatically if required. Click Install.
  11. Results: Wait for the installation to complete and click Close.

Step 2: Configure ADCS

After installing ADCS, you need to configure the role services, starting with the Certification Authority.

  1. Post-Installation Configuration: In Server Manager, you will see a notification flag with a warning symbol. Click on it and choose Configure Active Directory Certificate Services on the destination server.
  2. Credentials: The AD CS Configuration wizard opens. If prompted, provide credentials that have enterprise admin permissions.
  3. Role Services: Select Certification Authority and any other role services you installed that need configuration. Click Next.
  4. Setup Type: Choose Enterprise CA if your organization uses Active Directory. Choose Standalone CA if not. Most scenarios require an Enterprise CA. Click Next.
  5. CA Type: Select the type of CA. Options include Root CA or Subordinate CA. Choose Root CA if this is the first or only CA in your network. Click Next.
  6. Private Key: Choose to Create a new private key. If configuring a Subordinate CA and you’ve received a certificate from an external CA, you would choose the other option. Click Next.
  7. Cryptographic Options: Choose the cryptographic service provider (CSP), hash algorithm, and key length. The defaults are generally acceptable, but ensure they meet your organization’s security policies. Click Next.
  8. CA Name: Specify the name of your CA. This name will appear on issued certificates. Click Next.
  9. Validity Period: Set the validity period for the CA’s certificate. This depends on your organization’s policy and the role of this CA. Click Next.
  10. Certificate Database: Specify locations for the certificate database and the certificate database log. The default locations are usually fine unless you have specific storage requirements. Click Next.
  11. Confirmation: Review your selections and click Configure.
  12. Results: After configuration completes, click Close.

Step 3: Verify Installation

  • Open Certification Authority Console: Open Server Manager, click on Tools, and select Certification Authority. This opens the Certification Authority MMC snap-in.
  • Check the CA Status: In the Certification Authority console, your new CA should be listed and running.

Create the certificate for ADFS server

Step 1: Create a Certificate Signing Request (CSR)

  1. Create an INF File: First, create an INF file (e.g., csr.inf) that specifies the properties of the certificate you wish to request. Open Notepad, paste the following content, and adjust it as needed for your situation:

    ```ini
    [NewRequest]
    ; Subject must match the federation service name you will configure in AD FS
    Subject = "CN=adfs.ussrelab.com"
    KeySpec = 1
    KeyLength = 2048
    ; Exportable so the key can later be packaged into a PFX
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    ; 0xa0 = Digital Signature + Key Encipherment
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
    ```
  2. Generate the CSR: Open Command Prompt as Administrator and run the following command to generate the CSR:

    ```
    certreq -new csr.inf adfs.csr
    ```

Step 2: Submit the CSR to Your CA

Submit the CSR: Use the certreq command to submit the CSR to your CA. Run as written, the command prompts you to pick a CA from the list of available CAs; to target one directly, add -config "<CAHost>\<CAName>" with the host and name of your CA. Adjust the template name (WebServer) if your CA uses a different one:

```
certreq -submit -attrib "CertificateTemplate:WebServer" adfs.csr adfs.cer
```

Step 3: Convert the Issued Certificate to PFX

After your CA issues the certificate, you will have a certificate file (adfs.cer from the command above). To combine this certificate with its private key into a PFX file, first accept it with certreq on the same machine where the CSR was generated, since that is where the private key lives.

  1. Import the Certificate: First, import the issued certificate back to the machine where you generated the CSR. This step associates the certificate with the private key:

    ```
    certreq -accept adfs.cer
    ```
  2. Export to PFX: Use the MMC (Microsoft Management Console) to export the certificate together with its private key to a PFX file; the export wizard lets you include the private key and set a password on the PFX. If you prefer command-line tools and have OpenSSL installed, you can export with OpenSSL instead, provided you have access to the private key file separately. For most Windows server environments, especially with AD CS, the MMC method is the more straightforward choice when the CSR was generated on the same server.

Using MMC to Export the Certificate

  1. Open MMC, add the Certificates snap-in for the Local Computer account.
  2. Navigate to Personal > Certificates.
  3. Find your imported certificate, right-click on it, select All Tasks > Export…
  4. Follow the wizard to export the certificate and private key, ensuring you select the option to include the private key. Choose the PFX format and set a password when prompted.
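The same request, submit, accept and export flow can be driven from PowerShell instead of Notepad and MMC. This is an added example, not code from the original post; it assumes csr.inf sits in the current directory and uses a placeholder "<host>\<CA name>" for the CA.

```powershell
# Added example (not from the original post). Assumes csr.inf is in the current
# directory; $caConfig is a placeholder and must be replaced with "<host>\<CA name>".
$ErrorActionPreference = 'Stop'
$subjectCN = 'adfs.ussrelab.com'
$caConfig  = 'CAHOST\USSRELAB-ROOT-CA'        # placeholder CA config string
$pfxPath   = Join-Path $PWD 'adfs.pfx'

# 1. Build the CSR; the key lands in the machine store because MachineKeySet = TRUE.
certreq -new csr.inf adfs.csr

# 2. Submit with the WebServer template; -config avoids the interactive CA picker.
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' adfs.csr adfs.cer

# 3. Accept the issued certificate so it is bound to the pending private key.
certreq -accept adfs.cer

# 4. Find the certificate in LocalMachine\My and check it is usable for AD FS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectCN" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$subjectCN" }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the INF requested.
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')) {
    throw 'Certificate lacks the Server Authentication EKU'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires soon: $($cert.NotAfter)"
}

# 5. Export certificate + private key (Exportable = TRUE in the INF makes this possible)
#    to a password-protected PFX for the AD FS configuration wizard.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $pfxPath"
```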

Install ADFS as SSO IdP

Configure and Setting up ADFS Server

Step 1: Add the ADFS Role

  1. Open Server Manager: Click on the Start button, and then click on Server Manager.
  2. Add Roles and Features: In Server Manager, click on Manage and then select Add Roles and Features.
  3. Before You Begin Page: Click Next if you’re presented with a “Before you begin” page.
  4. Installation Type: On the Installation Type screen, select Role-based or feature-based installation and click Next.
  5. Server Selection: Ensure the current server is highlighted under Server Pool. Click Next.
  6. Server Roles: Scroll down and check Active Directory Federation Services. When prompted to add features that are required for Active Directory Federation Services, click Add Features, then click Next.
  7. Features: No additional features are needed unless you have specific requirements. Click Next.
  8. AD FS: The wizard presents an introduction to AD FS. Read the information if desired and click Next.
  9. Confirmation: Review your selections. You can choose to Restart the destination server automatically if required. Click Install.
  10. Results: Wait for the installation process to complete. Click Close when done.

Step 2: Configure the ADFS Service

After installing the ADFS role, you need to configure the ADFS service.

  1. Post-Deployment Configuration: Once the role installation completes, you’ll see a notification flag at the top of the Server Manager. Click on it and select Configure the federation service on this server.
  2. AD FS Configuration Wizard: The AD FS Configuration Wizard starts.
    • Welcome: If this is your first ADFS server, choose Create the first federation server in a federation server farm and click Next.
    • Connect to AD DS: Provide an account with Administrator privileges on the local computer and click Next.
    • Specify Farm: Specify the SSL certificate for the federation service. You should have already installed an SSL certificate that matches the federation service name you plan to use. Select the certificate from the list.
    • Specify Service Properties: Enter the Federation Service Name and Federation Service Display Name. The federation service name should match the common name (CN) of the SSL certificate.
    • Specify Service Account: Create or specify a service account that the ADFS service will use. You can use an existing domain user account or a group Managed Service Account (gMSA) if your environment supports it.
    • Specify Configuration Database: Choose whether to use a Windows Internal Database (WID) or SQL Server. For most deployments, WID is sufficient.
    • Review Options: Review your selections and click Next.
    • Pre-requisite Checks: The wizard will perform pre-requisite checks. If everything is okay, click Configure.
    • Results: After the configuration is complete, review the results and click Close.

Test ADFS login

  1. Once the configuration is complete, open the ADFS Management Console from the Server Manager Tools menu.

  2. Check the ADFS service status to ensure it’s running.

  3. Navigate to https://adfs.ussrelab.com/adfs/ls/idpinitiatedsignon.htm from a web browser to test the sign-on page. You might need to enable this page via PowerShell if it’s not already enabled.

    Note: If the IdP-initiated sign-on page is not enabled, you can enable it by running the following PowerShell command on the ADFS server:

    ```
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    ```

image-20240204224848224

image-20240205162005715


Vision One SASE/ZTSA Testing

Setting up 3rd Party Integration with On-premise AD

image-20240205111831551

Setting up Vision One IAM SSO with ADFS

Step 1: Export ADFS Federation Metadata XML

  1. Locate the ADFS Federation Metadata URL: By default, ADFS publishes its federation metadata at a URL following this pattern: https://<Your_ADFS_Server_FQDN>/FederationMetadata/2007-06/FederationMetadata.xml. Replace <Your_ADFS_Server_FQDN> with the Fully Qualified Domain Name of your ADFS server.

  2. Download the Federation Metadata:

    • Open a web browser and navigate to the ADFS federation metadata URL.
    • The federation metadata XML should be displayed in the browser. Right-click the page and choose the option to save the page as an XML file on your computer.
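Before uploading the file, it is worth checking that the metadata carries the entityID, SSO endpoints and a non-expired token-signing certificate, since Vision One will validate assertion signatures against exactly what is in this file. The script below is an added example, not part of the original post; it assumes the lab FQDN adfs.ussrelab.com and a client that trusts the lab root CA.

```powershell
# Added example (not from the original post). Assumes the lab FQDN and that this
# machine trusts the lab root CA (otherwise Invoke-WebRequest fails on the TLS check).
$ErrorActionPreference = 'Stop'
$adfsFqdn    = 'adfs.ussrelab.com'
$metadataUrl = "https://$adfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$outFile     = Join-Path $PWD 'FederationMetadata.xml'

Invoke-WebRequest -Uri $metadataUrl -OutFile $outFile -UseBasicParsing
[xml]$md = Get-Content -Path $outFile -Raw

# Namespaces used by SAML 2.0 metadata and XML-DSig.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID is the IdP identifier Vision One stores; AD FS defaults it to
# http://<fqdn>/adfs/services/trust.
$entityId = $md.DocumentElement.GetAttribute('entityID')
Write-Host "entityID : $entityId"
if ($entityId -notlike "http*://$adfsFqdn/*") {
    Write-Warning 'entityID does not match the federation service name'
}

# SAML 2.0 SSO endpoints; Vision One redirects users to one of these.
$md.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns) |
    ForEach-Object { Write-Host "SSO      : $($_.Binding) -> $($_.Location)" }

# Token-signing certificates: an expired or rolled-over one breaks login at the SP.
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate'
foreach ($node in $md.SelectNodes($xpath, $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    Write-Host "Signing  : $($cert.Subject) until $($cert.NotAfter) ($($cert.Thumbprint))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning 'Token-signing certificate expires within 30 days; re-export metadata after rollover'
    }
}
```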

Step 2: Provide the Metadata XML to Your Application

  1. Upload the Federation Metadata XML: Create an identity provider in the Vision One console, as shown below, by uploading the XML file you saved from your ADFS server.

    image-20240205111630206

Step 3: Create a Relying Party Trust in ADFS

For ADFS to trust and send assertions to your application, you must create a relying party trust for the application in ADFS:

  1. Open the ADFS Management Console: On your ADFS server, open the ADFS Management snap-in.

  2. Add Relying Party Trust:

    • Navigate to Trust Relationships > Relying Party Trusts.
    • Click on Add Relying Party Trust in the right pane to start the wizard.
    • If you have a federation metadata URL for your application, choose to import data from a URL. If you only have the metadata XML file, choose to import data from a file and provide the path to your application’s metadata XML.
    • Follow the prompts to configure the trust according to your security requirements and the information provided by your application.
  3. Configure Claim Rules: After creating the trust, you’ll need to configure claim rules that determine what user information (claims) ADFS sends to your application. This typically involves mapping attributes from Active Directory to claim types that your application understands.

    Refer to: https://docs.trendmicro.com/en-us/documentation/article/trend-vision-one-configuring-active-d

    [!WARNING]

    It does not work for my ADFS SSO login after I followed the help center article of V1; the workaround is to use UPN instead of E-Mail Address as the incoming claim type.

    image-20240205113258875

  4. Review and Apply Configuration: Ensure all configurations are correct and apply them. Your application should now be integrated with ADFS, and users should be able to authenticate using their Active Directory credentials.
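The relying party trust and the UPN-based claim rules from the warning above can also be set from PowerShell, which makes the rules reviewable as text. This is an added example, not the post's or Trend Micro's code; the metadata path is a placeholder, and the email-formatted NameID is an assumption to verify against the Vision One IdP settings.

```powershell
# Added example (not from the original post). $spMetadata is a placeholder path;
# the NameID format below is an assumption, check it against Vision One's settings.
$ErrorActionPreference = 'Stop'
$rpName     = 'Trend Vision One'
$spMetadata = 'C:\lab\visionone-sp-metadata.xml'   # placeholder

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # On AD FS 2016+ the default "Permit everyone" access control policy applies;
    # on 2012 R2 add -IssuanceAuthorizationRules with a permit rule as well.
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata
}

$upnClaim    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: read userPrincipalName from AD and issue it as the UPN claim.
# Rule 2: transform the incoming UPN claim (not E-Mail Address) into the SAML NameID.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Issue UPN from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnClaim"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "UPN to NameID"
c:[Type == "$upnClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Print the rules AD FS will apply, for comparison with the Vision One IdP settings.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```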

Step 4: Test the Integration

  • Access the Application: Attempt to log in through the application using an account from your Active Directory.

  • Verify SSO: If the integration is successful, you should be redirected to the ADFS login page (if not already authenticated) and then back to the application after authentication, without needing to provide application-specific credentials.

    image-20240205113545043

    image-20240205113646124

    [!NOTE]

    SAML authentication failed for Vision One because the SSO SAML account was not configured and verified, as I have not configured the email MTA and account yet; however, the ADFS SSO login authentication actually completed without any problem, as you can see on the page above.

Enable ZTSA Internet Access

Set up on-premise Zero Trust Internet Access Gateway and your test endpoint

image-20240205114411368

[!NOTE]

Two important things:

  1. Enable the “Zero Trust Secure Access On-Premises Gateway service” on the service gateway

  2. Create your PAC file and configure your web browser to use the PAC file

    image-20240205120125707

    image-20240205120313293

    image-20240205120217988

Option-1: ZTSA SSO Authentication with ADFS IdP

  1. The authentication flow is shown below (“3rd party IdP” refers to the ADFS server in our lab)

    image-20240205114817897

  2. When you browse web sites from the test endpoint for the first time, you are redirected to the SSO login page. After authentication, you can continue to the destination web site you wanted to access.

    image-20240205115329917

    image-20240205115418648

    [!NOTE]

    As I have configured a rule “USSRELAB-TEST-ALLOW” that blocks all search engines, my access to “www.baidu.com“ is blocked by ZTSA after my SSO authentication; this is expected and also verifies that ZTSA is functioning.

    Below is my ZTSA rule configuration

    image-20240205115854740

    image-20240205115759167

    image-20240205115820278

Option-2: ZTSA SSO Authentication with Active Directory (on-premise)

image-20240205114632768

Redirect to your local AD for SSO: because ZTSA is configured to use your local AD for SSO, the endpoint is redirected to the on-premises gateway at “https://sg.ussrelab.com:8089/v1/sso“ instead of the ADFS IdP.

image-20240205120705070

image-20240205120736731

image-20240205120809525

image-20240205120837956


https://blog.excelsre.com/2024/02/04/ussrelab-v1/
Author: Felix Yang
Published: February 5, 2024