Integrating Entrust

This documentation is a detailed guide for setting up single sign-on (SSO) through Entrust, leveraging SAML 2.0 or OIDC.

The following procedures require copying and pasting information between Entrust and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.

You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.

Prerequisites

On the Delinea Platform, you need to be an Admin with federation privileges.

In Entrust, you need admin access to create SAML and OIDC applications.

Build an Entrust SAML Application

  1. Log in to Entrust.

  2. Navigate to Dashboard > Applications > Applications List.

  3. Click the (+) button to create a new application.

  4. To narrow the list of SAML Cloud Integrations, search for SAML, then select Generic SAML Application.

  5. Provide a unique Application Name.

    • Optionally, provide a description and a logo for the application.

  6. Click Next.

  7. In the General section, apply the following settings (Entrust setting, followed by the Delinea Platform value to use):

    • Default Assertion Consumer Service URL: the Platform callback URL, https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer

    • Service Provider Entity ID (Issuer): the value shown by Customize certificate issuer sent to IDP. Select this option in the Platform, then copy and paste the value into the Service Provider Entity ID field of the Entrust SAML application.

    • Single Logout Service URL: the Platform logout URL, https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer

  8. Continue updating the following application settings by selecting the value from the drop-down menu (Entrust setting: value):

    • SAML NameID Attribute: Email

    • SAML Signing Certificate: `Default SAML Certificate`, or specify another one

    • SAML NameID Encoding Format: EMAIL

    • SAML Signature Algorithm: SHA256


  9. Add SAML Attribute(s) with the following name/value pairs, and click Submit:

    • DisplayName: <First Name> <Last Name>

    • EmailAddress: <Email>

    • NameIdentifier: <Unique User ID>

    • UserPrincipalName: <User Principal Name>


  10. Configure or update Resource Rules to specify the conditions users must meet to access the newly created application.

  11. Click Submit when you're finished configuring your Resource Rules.

  12. Next, navigate to the Applications List, find the SAML application, and download SAML IDP Metadata. This will be used when creating a SAML provider in the Delinea Platform.

Add the Provider to the Platform

  1. Log in to the Delinea Platform.

  2. Click Settings from the left navigation, then click Federation Providers.

  3. Click Add Provider.

  4. Select SAML from the drop-down menu. The Add Provider page opens.

Settings

In the Settings section, the first fields are automatically populated when you select the SAML provider configuration file and click Apply.

  1. SAML provider configuration: Click Select file.

  2. Navigate to and select the federation metadata XML file you downloaded. Apply appears above the right end of the SAML provider configuration field.

  3. Click Apply. The words Uploaded successfully will appear next to SAML provider configuration, and the empty fields below will be auto-populated:

    • Name: Auto-generated from metadata

    • Protocol: SAML (auto-filled)

    • Status: Disabled

    • Entity ID [example: https://sts.windows.net/808444af-4011-40d5-9b0a-a9a5c95f88e9/]

    • IDP Certificate: Click Select File, then navigate to and select the Signing Certificate file you downloaded, to populate the following fields:

      • Signature

      • Algorithm

      • Thumbprint

      • Not valid before

      • Not valid after

      • Issuer

  4. IDP Login URL: Paste in the Login URL copied from your new Entrust SAML application.

  5. IDP Logout URL: Paste in the Logout URL copied from your new Entrust SAML application.

  6. Platform Callback URL: https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer
    Copy the Platform Callback URL and paste it into the appropriate field (Default Assertion Consumer Service URL) in your new Entrust SAML application.

  7. Platform Logout URL: https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer

  8. Status: Select the box next to Enabled.

Advanced Settings

  1. Under Advanced Settings, select Customize certificate issuer sent to IdP.

  2. Copy the value provided and paste it into the Service Provider Entity ID field in the Entrust SAML application.

Also see Advanced Settings (SAML only) under Federation Management.

Attribute Mappings

  1. Update the Attribute Mappings as follows (Source → Destination):

    • EmailAddress → email

    • DisplayName → displayname

    • NameIdentifier → sub

    • UserPrincipalName → upn

Also see Attribute Mappings under Federation Management.

Group Mappings

See Mapping Federated Groups under Federation Management.

User Mappings

See Mapping Federated Users under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

  2. Optionally enable the Status of the provider.

  3. When all required fields are populated, click Add Provider.

Build an Entrust OIDC Application

  1. Log in to Entrust.

  2. Navigate to Dashboard > Applications > Applications List.

  3. Click the (+) button to create a new application.

  4. Search for and select Generic Web Application.

  5. Provide a unique Application Name.

    • Optionally, provide a logo for the application, and a description.

  6. Click Next.

  7. In the General section, apply the following settings (Entrust setting: value):

    • Client ID: Set automatically. Copy the Client ID into the Delinea Platform federation provider you will create later.

    • Client Secret: Set automatically. Copy the Client Secret into the Delinea Platform federation provider you will create later.

    • Token/Revocation Endpoint Client Authentication Method: Client Secret Post

    • Subject ID Attribute: Email

    • OIDC Signing Certificate: `Default OIDC Certificate`, or specify another one

    • Initiate Login URI: (Optional) can be set to https://example.delinea.app

    • Login Redirect URI: the Platform Callback URL (from the Delinea Platform). Follow steps 1-5 in the Add a Delinea Platform OIDC Provider section.

    • Grant Types Supported: Authorization Code

    • Authorization Code PKCE Code Challenge Method: S256


  8. Ensure that you select the following supported scopes for the application:

    • Your unique identifier

    • Email address

    • Telephone number (optional)

    • Profile information

  9. Next, add or update the supported claims and, for each one, set Always Return with ID Token to Yes (Claim: Attribute Value):

    • name: <First Name> <Last Name>

    • email: <Email>

    • nameidentifier: <Unique User ID>

    • upn: <User Principal Name>


  10. Click Submit.

  11. Configure or update Resource Rules to specify the conditions users must meet to access the newly created application.

  12. Click Submit when you are finished configuring your Resource Rules.

Add the Provider to the Platform

  1. Click Settings from the left navigation, then click Federation Providers.

  2. Click Add Provider.

  3. Select OIDC from the drop-down menu. The Add Provider page opens.

Settings

Fill in the Delinea Platform fields from the Entrust application as follows (Delinea Platform field: Entrust value):

  • Endpoint URL: the Issuer URL (e.g. https://example.us.trustedauth.com/api/oidc). This URL can typically be retrieved from the Issuer setting in the OIDC Configuration in Entrust.

  • Client ID: Client ID

  • Client Secret: Client Secret

  1. Name: Enter a unique name.

  2. Status: Select the box next to Enabled.

  3. Endpoint URL: This URL is based on your IdP application’s tenant ID.

  4. Client ID: Paste in the Client ID from your new IdP OIDC application page.

  5. Client Secret: Paste in the Client Secret from your new IdP OIDC application page.

  6. Prompt: See Prompt for Re-authentication (OIDC only) under Federation Management.

  7. Platform Callback URL: Copy the platform callback URL and paste it into the Redirect URIs field in your new IdP application.

Attribute Mappings

Update the Attribute Mappings as follows (Source → Destination):

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress → email

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn → upn

  • name → displayname

  • nameidentifier → sub
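Three of the OIDC settings above describe what happens on the wire once the provider is enabled: Authorization Code with PKCE method S256 (the Platform sends a SHA-256 challenge on the authorize request and the matching verifier on the token request), Client Secret Post (the client ID and secret travel in the token request body rather than an Authorization header), and the claim mapping just listed (claims the IdP returns in the ID token become the Platform's email, upn, displayname and sub). The following added Python example, not Delinea or Entrust code, shows each piece in working form, standard library only. The claim names are copied from the mapping table above; the issuer, client ID, redirect URI and the sample ID token are constructed placeholders, and the token is unsigned because the point is to see which claims came back while debugging, not to validate one.

```python
"""Added example (not Delinea or Entrust code): PKCE S256, a client_secret_post
token request, and the claim mapping from the table above, as working code."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE values and JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_code_verifier() -> str:
    """43-character high-entropy verifier the relying party keeps for the session."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))), sent on the authorize request."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_request_body(code, redirect_uri, client_id, client_secret, code_verifier) -> dict:
    """Form fields for the token endpoint under Client Secret Post authentication:
    the client credentials are POSTed in the body, not in an Authorization header."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


# Source -> Destination, exactly as in the OIDC Attribute Mappings table.
CLAIM_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "upn",
    "name": "displayname",
    "nameidentifier": "sub",
}


def id_token_payload(id_token: str) -> dict:
    """Read the claims of a compact JWT for inspection only. The Platform checks the
    signature against the issuer's keys; this helper deliberately does not."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def map_id_token_claims(claims: dict):
    """Apply CLAIM_MAPPING; report source claims the IdP did not return."""
    mapped, missing = {}, []
    for source, destination in CLAIM_MAPPING.items():
        value = claims.get(source)
        if value in (None, ""):
            missing.append(source)  # 'Always Return with ID Token' not honoured
        else:
            mapped[destination] = value
    return mapped, missing


# Constructed sample ID token with a placeholder signature (not a real Entrust token).
SAMPLE_CLAIMS = {
    "iss": "https://example.us.trustedauth.com/api/oidc",
    "aud": "client-id-placeholder",
    "name": "Ada Lovelace",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "ada@example.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "ada@example.com",
    "nameidentifier": "user-0001",
}
SAMPLE_ID_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"placeholder-signature"),
])

if __name__ == "__main__":
    verifier = new_code_verifier()
    print("code_challenge=", code_challenge_s256(verifier))
    body = token_request_body("auth-code-placeholder", "https://example.delinea.app/callback",
                              "client-id-placeholder", "client-secret-placeholder", verifier)
    print("token request:", urlencode(body))
    print(map_id_token_claims(id_token_payload(SAMPLE_ID_TOKEN)))
```

When a login fails at the attribute-mapping stage, paste the ID token captured with provider debugging enabled into `id_token_payload` and look at the `missing` list: any source claim named there was not returned with the ID token, which points back to step 9 of the Entrust application.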

Group Mappings

See Mapping Federated Groups under Federation Management.

User Mappings

See Mapping Federated Users under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

  2. Optionally enable the Status of the provider.

  3. When all required fields are populated, click Add Provider.

Test Configuration

Before testing, make sure you address the following:

  • Be sure that you have an Entrust user that you can use for testing.

  • Make sure the Entrust user has access to the application you created.

  • Navigate to your provider in the Platform and enable debugging.

  • Launch an incognito window, navigate to the Delinea Platform, and log in with your Entrust user.

Known limitation(s)

  • Entrust does not appear to recognize the login_hint provided by the Delinea Platform for SAML.

  • With OIDC, users can be directed from the Entrust application portal to the Platform’s login page, enabling an SP-initiated authorization flow.