Juniper SSL VPN SAML Single Sign-On (SSO)

Juniper SSL VPN offers SP-initiated SAML SSO (for SSO access directly through the Juniper SSL VPN web application). The following is an overview of the steps required to configure the Juniper SSL VPN web application for single sign-on (SSO) via SAML.

  1. Prepare Juniper SSL VPN for single sign-on (see Juniper SSL VPN requirements for SSO).

  2. In the Admin Portal, add the application and configure application settings.

    Once the application settings are configured, complete the user account mapping and assign the application to one or more roles.

  3. Configure the Juniper SSL VPN application for single sign-on.

    To configure Juniper SSL VPN for SSO, copy settings from the Application Settings page in the Admin Portal and paste them into the Juniper SSL VPN (Junos Pulse Secure Access Service) website. For details, see Configure Juniper SSL VPN on its web site.

After you are done configuring the application settings in the Admin Portal and the Juniper SSL VPN application, users are ready to authenticate using the CyberArk Cloud Directory.

Juniper SSL VPN requirements for SSO

Before you configure the Juniper SSL VPN web application for SSO, make sure you have a signed certificate. You can either download one from the Admin Portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Admin Portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Admin Portal. You also upload the public key certificate in a .cer or .pem file to the web application.
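
The fingerprint check below is an added example, not part of the original documentation or of any CyberArk or Juniper tooling: it confirms that the certificate inside the .pfx/.p12 uploaded to the Admin Portal is the same one as the .cer/.pem uploaded to the web application. It assumes the openssl command-line tool is installed; the file names, the P12_PASS environment variable, and the throwaway self-signed certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare the signing certificate in a .pfx/.p12 (Admin Portal
# side) with the .cer/.pem given to the web application (SP side).

# Print the SHA-256 fingerprint of a PEM or DER certificate file.
cert_fp() {
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
      openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256; } | cut -d= -f2
}

# Print the SHA-256 fingerprint of the leaf certificate in a PKCS#12 file.
# The password comes from the P12_PASS environment variable (an assumption of
# this example) so it never appears on a command line.
p12_fp() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return 0 only if both files carry the same certificate.
same_signing_cert() {
    a=$(p12_fp "$1"); b=$(cert_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1 (throwaway self-signed certs).
make_sample() {
    for n in idp other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$n" \
            -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null
    done
    openssl pkcs12 -export -inkey "$1/idp.key" -in "$1/idp.pem" \
        -passout env:P12_PASS -out "$1/idp.p12"
    openssl x509 -in "$1/idp.pem" -outform DER -out "$1/idp.cer"
}

export P12_PASS="constructed-password"
dir=$(mktemp -d)
make_sample "$dir"
# idp.pem and idp.cer are the same certificate; other.pem is unrelated.
for f in idp.pem idp.cer other.pem; do
    if same_signing_cert "$dir/idp.p12" "$dir/$f"; then echo "$f: match"
    else echo "$f: MISMATCH"; fi
done
rm -rf "$dir"
```

A mismatch here means the web application would be validating SAML responses against a different certificate than the one used to sign them.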

What you need to know about Juniper SSL VPN

Each SAML application is different. The following table lists features and functionality specific to Juniper SSL VPN.

| Capability | Supported? | Support details |
| --- | --- | --- |
| Web browser client | Yes | |
| Mobile client | No | |
| SAML 2.0 | Yes | |
| SP-initiated SSO | Yes | Users may go directly to a supplied Juniper SSL VPN URL and then use the CyberArk Identity SSO to authenticate. |
| IdP-initiated SSO | No | |
| Force user login via SSO only | No | Administrators and users can still log in with a user name and password after SSO is enabled. |
| Separate administrator login after SSO is enabled | No | |
| User or Administrator account lockout risk | No | User name and password login is always available. |
| Automatic user provisioning | No | |
| Self-service password | N/A | |
| Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Admin Portal Policy page to restrict access to the application. |

Configure Juniper SSL VPN in the Admin Portal

It is helpful to open the web application and the Admin Portal simultaneously to copy and paste settings between the two browser windows. See Configure Juniper SSL VPN on its web site.

Configure Juniper SSL VPN on its web site

For more information about Juniper SSL VPN

For more information about configuring Juniper SSL VPN for SSO, contact Juniper SSL VPN support.