
MFA for Generic SAML Service Providers

Multi-Factor Authentication for any application that supports SAML 2.0

June 30, 2022 By Rublon Authors

Last updated on October 16, 2024

Overview

Rublon adds Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) along with Single Sign-On (SSO) to any SAML application. All generic SAML service providers that support Security Assertion Markup Language (SAML) 2.0 can be integrated with Rublon Multi-Factor Authentication using the Rublon Access Gateway. Further, users can access integrated SAML applications via the Rublon SSO Portal. The SSO Portal enables Single Sign-On logins for all applications integrated using the Access Gateway.

The Rublon Access Gateway works as an identity provider (IdP). However, it does not store user information in a database. Instead, the Access Gateway connects to an external Identity Provider (IdP) during primary authentication and asks the IdP to verify user credentials. Rublon supports multiple external Identity Providers (IdP), including but not limited to on-premises Active Directory, OpenLDAP, and FreeRADIUS.

Before You Start

  1. Check the list of described Rublon Access Gateway integrations. Chances are, your application is already there. In that case, follow the instructions for that particular integration instead of this generic documentation for more detailed steps and screenshots.
  2. Install and configure the Rublon Access Gateway.
  3. Install and configure the Rublon SSO Portal. This step is optional but highly recommended because the Rublon SSO Portal is required for Single Sign-On (SSO) user logins.

Configuration

Follow these steps to enable Rublon 2FA for your generic SAML service provider.

SAML Service Provider

The following are general steps for configuring MFA and SSO on a generic SAML service provider. While the names of tabs, options, and values may slightly differ from one application to another, the general idea behind the configuration is the same.

NOTE

Some service providers include instructions in their documentation that describe how to configure SAML / SSO with an identity provider. You can use these instructions to facilitate the integration process and to learn the names of options and values on the service provider side.

1. Log in to the administrator panel of the SAML service provider and look for a tab or option such as SAML, SAML 2.0, SSO, or Single Sign-On.

2. You need to provide your Rublon Access Gateway instance information to the SAML service provider and save the changes. Find the required information in Applications → Information for configuring applications with Rublon Access Gateway.

You will need some or all of the following information from the Rublon Access Gateway:

  • SSO URL – often called Single Sign-On URL or Single Sign-On endpoint on the service provider side
  • Logout URL – note that some service providers do not support Single Log-Out (SLO). If this is the case with your service provider, you will not need the Logout URL value.
  • Entity ID – sometimes called IdP Issuer
  • Certificate – click the DOWNLOAD CERTIFICATE button to download the certificate to your computer and then upload the certificate to the service provider or copy the entire contents of the certificate and paste it into a text field on the service provider side
  • Certificate Fingerprint – some service providers only require a certificate fingerprint
  • Metadata File – some service providers require a metadata file; click the DOWNLOAD XML METADATA button and then upload the metadata file on the service provider side

3. While still in the SAML / SSO section of the administrator panel of your SAML service provider, look for and copy the following values (the names may be slightly different):

  • Assertion Consumer Service (ACS) URL
  • Service Provider (SP) Entity ID
  • Single Logout Service – note that some service providers do not support Single Log-Out (SLO). If this is the case with your service provider, you will not find this value

You will need these values later when adding an application to the Rublon Access Gateway.

4. See if you can export a Service Provider (SP) metadata file. You can use such a file to quickly and automatically add a new application to the Rublon Access Gateway. However, not all SAML service providers allow exporting a metadata file.
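The values exchanged in steps 2 to 4 all live in SAML 2.0 metadata, so a short script can read them out of a downloaded file and compute the certificate fingerprint to compare against what the other side displays. This is an added example, not Rublon code; the host names, the `FAKE_DER` bytes and the function names are constructed for illustration, and the same function reads an SP metadata export.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder host names, and the "certificate" is arbitrary
# bytes rather than a real X.509 certificate. Binding attributes omitted for brevity.
FAKE_DER = b"constructed-not-a-real-certificate"
SAMPLE_IDP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://gateway.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://gateway.example.test/idp/slo"/>
    <md:SingleSignOnService Location="https://gateway.example.test/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER bytes; check which digest the SP expects."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def summarize_metadata(xml_text: str) -> dict:
    """Pull the values exchanged in steps 2-4 out of IdP or SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    def locations(path: str) -> list:
        return [el.get("Location") for el in root.findall(path, NS)]
    certs = root.findall(".//md:KeyDescriptor//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": locations("md:IDPSSODescriptor/md:SingleSignOnService"),
        "acs_urls": locations("md:SPSSODescriptor/md:AssertionConsumerService"),
        "slo_urls": locations(".//md:SingleLogoutService"),
        # Base64 text may be wrapped across lines; strip whitespace before decoding.
        "cert_fingerprints": [fingerprint(base64.b64decode("".join((c.text or "").split())))
                              for c in certs],
    }

if __name__ == "__main__":
    for key, value in summarize_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Comparing the computed fingerprint with the one shown on the other side confirms that the certificate the service provider will trust for assertion signatures is the one you downloaded.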

Rublon Access Gateway

1. In Rublon Access Gateway, go to Applications.

2. If you have a metadata file from the Service Provider (SP), you can import it. Otherwise, select the Add Application tab, fill in the form manually, and click SAVE to add a new application. Refer to Manually adding application for more information on every field.

While most integrations do not require you to map any attributes, some integrations require Attribute Mapping. Look up the documentation of your SAML service provider for information on attribute mapping. If you cannot find any information and yet you suspect your integration needs attribute mappings, you can try some of the following mappings:

IdP Attribute    SAML Response Attribute
mail             Email
givenName        FirstName
sn               LastName

3. Your configuration is now complete. You can log in to the SAML Service Provider with Rublon 2FA.

Log in to your Generic SAML Service Provider with Rublon 2FA

If you have configured the Rublon SSO Portal, access your application via the Portal. If not, initiate the sign-in process like you always did before enabling Rublon. The example below portrays logging into a generic SAML Service Provider outside the SSO Portal.

1. Initiate login to your application.

2. You will be redirected to the Rublon Access Gateway login page.

3. Provide your username and password. Click SIGN IN. A window will appear with a selection of various 2FA options from Rublon. Let’s choose Mobile Push.

4. You will be sent a push notification. Tap APPROVE.

5. You will be successfully logged in to your SAML Service Provider.

Troubleshooting

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Access Gateway – List of Documented Integrations

Rublon Access Gateway – Documentation

Rublon SSO Portal – Documentation

MFA for Generic RADIUS Applications

MFA for Generic LDAP Applications
