Kemp Loadmaster, inWebo SAML integration

inWebo MFA can be enabled as an authentication layer combined with Kemp to verify users' identities before they access the protected application server.

The purpose of this guide is to explain how to use inWebo as a SAML 2.0 Identity Provider for your Kemp Loadmaster account.

inWebo SAML connector initial configuration

Create a new SAML connector in the inWebo Administration console

  1. go to the "Secure Sites" tab,

  2. select "Add a connector of type" SAML 2.0.

In your SAML connector properties:

  1. click on “Download inWebo IdP SAML 2.0 metadata in XML format”

  2. click on “Download inWebo IdP SAML 2.0 certificate”

Kemp Loadmaster initial configuration

Import the inWebo IdP certificate in Kemp Loadmaster

  1. Navigate to Certificates & Security

  2. Select “Intermediate Certs”

  3. Click Choose File to select the inWebo IdP certificate exported previously.

  4. Choose a convenient name and click on Add Certificate.

Create an SSO Domain with SAML authentication

  • Go to Virtual Services>Manage SSO,

  • in section Client Side Single Sign On Configurations, provide the SSO configuration name

  • click the Add button

Configure the SSO

  1. Choose SAML as the Authentication Protocol.

  2. Select metadata File as IdP Provisioning.

  3. Click the Choose File button to select the metadata file exported from the inWebo administration console and click on Import IdP metadata File.

  4. Select the IdP Certificate you imported previously.

  5. Configure the SP Entity ID and click on Set SP Entity ID.

  6. Download the SP Signing Certificate by clicking the Download button.

The final configuration looks like the following.

Configure inWebo SAML connector with SP information

Prior to configuring the inWebo connector, you must convert the certificate downloaded from Kemp and build the metadata to match your environment. The inWebo connector will be updated with this information. The last step will be to create a Secure Site linked to the inWebo SAML connector.

Convert the original Kemp certificate

Use the following command to convert the previously downloaded certificate.

openssl x509 -inform DER -in KEMP_SAML_Signing.cer -out KEMP_SAML_Signing.crt

Build and upload the SP Metadata

You need to create your own XML file with the SP information provided by Kemp. To do so, modify the EntityID, the location and the certificate in the XML file example below to match your environment.

Make sure to configure

Edit the SAML connector in the inWebo administration console and paste the XML into section 2.

Leave sections 3 and 4 with their default values. You can also change the NameID format/value and attributes to match the requirements of the application protected by the Kemp Loadmaster.

Click on Update to save your modifications.
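A generic SAML 2.0 SP metadata skeleton built from the three values this step asks for (EntityID, location, certificate), as an added example that is not inWebo's or Kemp's own template. The entity ID, the AssertionConsumerService location, the HTTP-POST binding and the function names are assumptions, and the sample certificate is a constructed placeholder; replace them with the values from your Kemp SSO configuration and the converted KEMP_SAML_Signing.crt.

```python
import base64
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding

def pem_body(pem_text):
    """Return the base64 body of one PEM certificate, without the armor lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found (was the DER file converted?)")
    body = "".join(m.group(1).split())
    base64.b64decode(body, validate=True)  # reject a damaged or truncated paste
    return body

def build_sp_metadata(entity_id, acs_url, pem_text):
    """Build a minimal SAML 2.0 SP metadata document and return it as a string."""
    ET.register_namespace("md", MD)
    ET.register_namespace("ds", DS)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    info = ET.SubElement(key, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(info, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(pem_text)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST_BINDING, "Location": acs_url, "index": "0"})
    return ET.tostring(root, encoding="unicode")

# Constructed placeholder, NOT a real certificate: stands in for KEMP_SAML_Signing.crt.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real certificate " * 3).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(build_sp_metadata("kemp-sp-example",               # hypothetical SP Entity ID
                            "http://kempportal.mylab.com/",  # assumed ACS location
                            SAMPLE_PEM))
```

The entityID in the generated XML must be identical to the SP Entity ID set in the Kemp SSO configuration. Passing the unconverted DER file raises an error instead of producing metadata with an unusable certificate.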

Add a secure site for your SP

  1. in the Secure Site column of the Secure Sites tab of the inWebo Administration console

  2. click on Add a Secure Site of type…

  3. select the SAML connector name you configured. Configure the Secure site to point to the application protected by the Kemp virtual service (http://kempportal.mylab.com/ in this example).

Activate the user authentication in Kemp Loadmaster

inWebo authentication must be enabled at the Virtual Service level using the ESP feature.

  1. create or modify a Virtual Service by navigating to Virtual Services>View/Modify Services.

  2. in the ESP section, enable ESP if not already enabled.

  3. select SAML as Client Authentication Mode

  4. select the SSO Domain you just created.

  5. make sure the Allowed Virtual Hosts and Allowed Virtual Directories match your environment.

Test authentication

Once the previous steps are done, users will be redirected to inWebo to authenticate before being able to access the application protected by Kemp.

Here is an example with an inWebo browser token