Parallels RAS SAML Configuration


Introduction

This article outlines the information and steps needed to configure the Parallels Remote Access Server's HTML5 Gateway to use LogonBox as a SAML Identity Provider.

Once configured, your users will be redirected to your LogonBox server to authenticate.

This requires an Enterprise license to be installed.

Step 1 - Create the Resource from the Template

Log in to your server as your admin account and navigate to Identity Services->SAML. Select Search Templates, find the Parallels RAS SAML template, select it and click Next.

You will be asked for 3 items of information:

RAS Gateway URL: The main URL of your Parallels RAS HTML5 Gateway, e.g. https://parallels.mydomain.com

Entity ID: The gateway URL above followed by /RASHTML5Gateway/sso/idp_1/metadata.xml, e.g. https://parallels.mydomain.com/RASHTML5Gateway/sso/idp_1/metadata.xml

Reply URL: The gateway URL above followed by /RASHTML5Gateway/sso/idp_1/assert, e.g. https://parallels.mydomain.com/RASHTML5Gateway/sso/idp_1/assert

Note: the idp_1 index may differ if SAML has already been configured on this gateway before, so these values are checked for accuracy against the Parallels RAS Console in Step 3. Click Next.

You should be presented with this article. At this point you can click the Goto Article link to open this article in a separate browser window, or click the X on the window to return to the list of SAML resources, where your Parallels RAS SAML resource should now be present.


Edit the resource just created and click on the Assignment tab.

Add the users, groups or roles that should be allowed to authenticate to this resource. If you wish to add all LogonBox users, start typing Everyone into Roles, select it when it appears and press Enter to add it to the list.

Click Update to save the configuration.


Step 2 - Download SAML metadata and certificate

You will need a couple of things from your LogonBox server to configure Parallels RAS. First, download the SAML metadata.

In the table of SAML resources, locate the Parallels RAS SAML resource and click the options icon to open the dropdown. Select Download Metadata; this is an XML file that contains information about the Identity Provider and its access points.


Now expand the resource with the + on the left and make a note of the Logon and Logoff URLs. These will be needed later.

Next, navigate to the Certificates menu and locate the SAML RSA certificate. Again using the options icon to open the dropdown, select Download Certificate.

Before proceeding to the next step, open the XML file containing the metadata just downloaded and locate the entityID value, which should be on the second line.

Make a note of this; it should look something like:

https://10.1.2.1/app/api/sso/metadata/432462


Step 3 - Configure Parallels RAS

Once you have set up the SAML resource on your server, launch the Parallels RAS Console application on your RAS server so that you can configure RAS to use LogonBox as a third-party Identity Provider.


Log on to the console and navigate to the Connection section, then select the SAML tab.

Click the + to add a new Identity Provider.

Give the provider a name, such as LogonBox, and select the Theme you will use it with (e.g. <Default>).

Select Manually enter the IdP information and click Next.


For the IdP entity ID, paste the Entity ID obtained above from the XML file.

For the IdP certificate, open the certificate downloaded from LogonBox in a text editor and copy/paste into this field.

For Logon URL, paste the Logon URL noted earlier.

For Logoff URL, paste the Logoff URL noted earlier.

Tick the Allow unencrypted assertion checkbox and click Finish.


Double click the SAML configuration just created to edit it and click the SP tab.

For the Host, enter the fully qualified hostname of your Parallels RAS server.

Check that the SP entity ID and Reply URL match the values set when creating the LogonBox SAML resource (the Entity ID and Reply URL entered in Step 1).

If they do not match, edit the Parallels RAS SAML resource on LogonBox and correct the Audience URI (Entity ID) and Consumer URL (Reply URL) values so that they agree with what the RAS Console shows.
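The values copied between the two sides in Steps 1 to 3 are easy to get subtly wrong (a different idp_N index, a certificate pasted with stray whitespace, a Logoff URL mixed up with the Logon URL), and a mismatch usually surfaces only as a failed login. As an added example that is not part of this article and not LogonBox's or Parallels' own code, the Python script below parses a LogonBox IdP metadata file as downloaded in Step 2, derives the SP Entity ID and Reply URL that the template builds from the gateway URL in Step 1, and reports every disagreement with the values read off the RAS Console's IdP and SP tabs. It assumes standard SAML 2.0 metadata elements (EntityDescriptor, IDPSSODescriptor, SingleSignOnService, SingleLogoutService, KeyDescriptor) and takes the LogonBox Audience URI and Consumer URL to be the SP Entity ID and Reply URL respectively, as the check above implies. The metadata sample, the login/logout paths, the certificate body and the console values are constructed placeholders; only the entityID matches the article's sample.

```python
"""Added example (not LogonBox's or Parallels' own code): parse the IdP metadata
downloaded in Step 2 and check the values copied into the Parallels RAS Console,
including the idp_N index caveat from Step 1."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the metadata XML downloaded from LogonBox. The entityID
# matches the article's sample; login/logout paths and the certificate body are
# placeholders, not real LogonBox values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://10.1.2.1/app/api/sso/metadata/432462">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-CERT-BODY...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.1.2.1/app/api/sso/logout/432462"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.1.2.1/app/api/sso/login/432462"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert(text):
    """Reduce a PEM file or bare base64 blob to its base64 body without whitespace,
    so a certificate pasted from a text editor compares equal to the metadata's."""
    body = [ln for ln in text.splitlines() if not ln.strip().startswith("-----")]
    return "".join("".join(body).split())


def parse_idp_metadata(xml_text):
    """Extract the four IdP values that Step 3 asks you to type into the RAS Console."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),  # the value on line 2 of the file
            "logon_url": sso.get("Location"),
            "logoff_url": slo.get("Location") if slo is not None else None,
            "signing_cert": normalize_cert(cert.text)}


def expected_sp_values(gateway_url, idp_index=1):
    """SP Entity ID and Reply URL as the template derives them from the gateway
    URL in Step 1 (Audience URI and Consumer URL on the LogonBox side)."""
    prefix = f"{gateway_url.rstrip('/')}/RASHTML5Gateway/sso/idp_{idp_index}"
    return {"entity_id": f"{prefix}/metadata.xml", "reply_url": f"{prefix}/assert"}


def idp_index_of(sp_url):
    """Return N from .../sso/idp_N/... in a RAS SP URL, or None if absent."""
    m = re.search(r"/sso/idp_(\d+)/", sp_url)
    return int(m.group(1)) if m else None


def mismatches(expected, actual, side):
    return [f"{side} {k}: expected {v!r}, got {actual.get(k)!r}"
            for k, v in expected.items() if actual.get(k) != v]


def check_ras_config(gateway_url, metadata_xml, ras_idp, ras_sp, idp_index=1):
    """Compare the RAS Console's IdP and SP tabs (given as dicts) with the LogonBox
    metadata and the template-derived SP values. Empty list means they agree."""
    problems = []
    ras_idp = dict(ras_idp, signing_cert=normalize_cert(ras_idp.get("signing_cert", "")))
    problems += mismatches(parse_idp_metadata(metadata_xml), ras_idp, "IdP")
    # Step 1 caveat: RAS numbers providers idp_1, idp_2, ... so a gateway that has
    # used SAML before may show a different index than the template assumed.
    ras_index = idp_index_of(ras_sp.get("entity_id", ""))
    if ras_index is not None and ras_index != idp_index:
        problems.append(f"RAS uses idp_{ras_index} but the LogonBox resource was created "
                        f"with idp_{idp_index}: fix its Audience URI and Consumer URL")
    problems += mismatches(expected_sp_values(gateway_url, idp_index), ras_sp, "SP")
    host = urlparse(gateway_url).hostname
    if ras_sp.get("host") != host:
        problems.append(f"SP host {ras_sp.get('host')!r} is not the gateway hostname {host!r}")
    return problems


# Constructed values as they would be read off the RAS Console tabs.
GATEWAY_URL = "https://parallels.mydomain.com"
RAS_IDP_TAB = {"entity_id": "https://10.1.2.1/app/api/sso/metadata/432462",
               "logon_url": "https://10.1.2.1/app/api/sso/login/432462",
               "logoff_url": "https://10.1.2.1/app/api/sso/logout/432462",
               "signing_cert": "-----BEGIN CERTIFICATE-----\nMIIC...PLACEHOLDER-CERT-BODY...\n"
                               "-----END CERTIFICATE-----\n"}
RAS_SP_TAB = {"host": "parallels.mydomain.com",
              "entity_id": "https://parallels.mydomain.com/RASHTML5Gateway/sso/idp_1/metadata.xml",
              "reply_url": "https://parallels.mydomain.com/RASHTML5Gateway/sso/idp_1/assert"}

if __name__ == "__main__":
    report = check_ras_config(GATEWAY_URL, SAMPLE_METADATA, RAS_IDP_TAB, RAS_SP_TAB)
    for line in report or ["OK: LogonBox and RAS values agree"]:
        print(line)
```

To use it against a real deployment, replace SAMPLE_METADATA with the contents of the downloaded metadata file and fill the two dicts from the RAS Console's IdP and SP tabs; an idp_2 index on the RAS side, for example, produces one line naming the index problem plus one line per SP URL that therefore differs, which is exactly the case where the LogonBox resource's Audience URI and Consumer URL must be corrected.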

Click the Attributes tab. Untick UserPrincipalName and tick sAMAccountName.

Click OK to save the settings.


Go back to the General tab and check that Use with theme is set to the correct RAS Theme (e.g. <Default>).

Finally, click Apply to commit the new settings.


Step 4 - Testing

There are two ways of connecting to the resource.


Launching from LogonBox

If a user is logged on to My Account in LogonBox, they should see the Parallels RAS resource in Browser Resources.

The user can click the rocket (launch) icon to go directly to Parallels RAS with no further authentication required.


Starting on the Parallels RAS HTML5 URL

In your browser, go directly to your Parallels RAS HTML5 Gateway URL; you should immediately be redirected to the LogonBox UI.

Log on with your AD credentials and click Next.


The user is then redirected back to Parallels RAS and is logged in successfully.