For more than a decade, Pulse Connect Secure© (PCS) Secure Socket Layer (SSL) Virtual Private Network (VPN) (formerly Juniper SSL VPN) has been a trusted partner for government agencies in providing secure access to web portals. As more and more accounts are hacked and web sites compromised, single-factor authentication with a username and password has become insufficient to adequately protect authenticated web portals. Multi-factor authentication (MFA), granting user access only when two or more independent pieces of information are presented, has now become a necessary tool in the prevention of security breaches.
Oak Ridge National Laboratory (ORNL) Data System Sciences and Engineering (DSSE) researcher Brad Nance examined three MFA solutions that utilize the features of PCS. The first solution utilizes a certificate authentication server to implement authentication using a client-side certificate presented by a Personal Identity Verification (PIV) card. The second solution uses Security Assertion Markup Language (SAML)–based authentication wherein PCS acts as a Service Provider (SP) that reaches out to an Identity Provider (IdP) to implement authentication. The third solution uses SAML–based authentication wherein PCS acts as the IdP that forwards the user to the SP once the user has successfully authenticated using a PIV card.
Significance and Impact
PCS provides multiple configuration options for supplying MFA to secure web portals. PCS can act as both an SP and an IdP in a SAML–based configuration. It also can be configured to accept client-side certificates (including certificates presented on PIV cards) from a trusted client Certificate Authority (CA). With the capability to provide solutions for client-side authentication and SAML–based authentication, the PCS SSL VPN appliance should continue as a primary player when building authentication solutions in government environments.
PULSE CONNECT SECURE© ARCHITECTURE
The PCS SSL VPN appliance has several multi-level components that work together to provide a customizable user interface and an authentication framework for securely accessing protected resources. The PCS architectural components are Sign-in Policies, Sign-in Pages, Authentication Realm, Authentication Server, Authorization Server, Authentication Policy, Role Mapping, User Roles, and Trusted Client CAs.
SAML is an open standard defining interaction between the user, the SP, and the IdP. The interaction between the SP and the IdP includes a one-time exchange of SAML metadata that is used to establish a trust relationship between the SP and the IdP. The exchange includes an entity ID that acts as a unique identifier for the metadata. The interaction between the user and SP/IdP occurs in the form of SAML requests and responses that take place throughout the authentication and authorization process. At the end of a successful authentication process, the SAML response includes an assertion that includes any user account attributes that need to be shared between entities.
PCS supports the SAML standard and can act as either an SP or an IdP, depending upon the configuration. When acting as the SP, PCS interacts with SAML–based IdPs that validate the identity of the end user. Examples of IdPs include Active Directory Federation Services (ADFS) and access management appliances/services. When acting as the IdP, PCS interacts with SAML–based SPs such as the Amazon Web Services (AWS) Management Console (MC). AWS MC can be configured as a SAML provider under their Identity and Access Management (IAM) category of services.
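The checks an SP must apply to the assertion described above (issuer matches the IdP's entity ID, audience matches the SP's entity ID, validity window, then extraction of the shared attributes) are shown here as an added example; it is not code from the report or from Pulse Secure, and the assertion text, entity IDs and attribute names are constructed for illustration. It assumes the XML signature has already been verified against the IdP certificate obtained from the metadata exchange.

```python
# Added example: SP-side validation of a SAML 2.0 assertion (constructed sample).
# Signature verification against the IdP metadata certificate is assumed done first.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what an IdP returns after a successful login (assumed values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.gov</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pcs.example.gov/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.gov</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_issuer, sp_entity_id, now_iso):
    """Return (ok, reason, attributes) for an assertion presented to the SP."""
    root = ET.fromstring(xml_text)
    # Issuer must be the entity ID the SP learned from the IdP metadata.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    now = _ts(now_iso)
    # NotBefore is inclusive, NotOnOrAfter is exclusive per the SAML spec.
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", {}
    # Audience must name this SP, so an assertion minted for another SP is rejected.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", {}
    # Only now read the account attributes the IdP shared with the SP.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs
```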
The following three MFA solutions utilizing the features of PCS were examined:
1. Solution 1: PIV Card Authentication. This solution demonstrates a configuration that is integrated within PCS. In this case, integration means that neither an IdP nor an SP is used for the implementation and that the solution utilizes the core features of PCS. With this solution, the end user authenticates using a client-side certificate presented from a PIV card.
2. Solution 2: SP–Initiated SAML–based Authentication. This solution is described as SP–initiated SAML–based authentication because the end user initiates the authentication process by first accessing the PCS, which is acting as the SP.
3. Solution 3: IdP–Initiated SAML–based Authentication (with PIV Card Authentication to IdP). This solution is described as IdP–initiated SAML–based authentication because the user initiates the authentication process by first accessing the PCS, which is acting as the IdP, and is then directed to the SP once a successful authentication process is completed. A practical application of this solution would be PIV authentication to the AWS MC. Once the user successfully authenticates with a PIV card, they are redirected to the AWS MC, which is acting as the SP.