Home
Administering
Learn how to administer the product.
SAML Single Sign-On in AppScan Enterprise
Identity Provider in AppScan Enterprise
Configuring Microsoft ADFS for SAML-SSO in AppScan Enterprise
You can configure the Active Directory Federation Service (ADFS) for user authentication through SAML-SSO login method. ADFS allows users across organizational boundaries to access applications on Windows Server Operating Systems using a single set of login credentials. ADFS uses a claims-based access control authorization model to maintain application security and implement federated identity.
ASE-side configuration
Complete the additional SAML properties setup for the AppScan Enterprise application you have integrated in the Microsoft ADFS in the Attribute Mappings page.

Administering
Learn how to administer the product.
- Managing users, groups, and access permissions
  Learn how to manage user groups and access permission.
- SAML Single Sign-On in AppScan Enterprise
  - Enabling SAML Service Provider
    You must configure the SAML in the Service Provider, that is AppScan Enterprise application, to allow user assertion by an Identity Provider (IdP) through Single Sign-On authentication service.
  - Identity Provider in AppScan Enterprise
    - Configuring Okta for SAML-SSO in AppScan Enterprise
      You can configure Okta as an Identity Provider (IdP) for user authentication service that supports the SAML-SSO login method for both cloud-based and on-premise AppScan Enterprise application login. The Okta seamlessly integrates with the AppScan Enterprise user database directories such as Active Directory or LDAP.
    - Configuring PingFederate for SAML-SSO in AppScan Enterprise
      You can configure the PingFederate an enterprise federated server that serves as an Identity Provider (IdP) for user authentication service through SAML-SSO login method. It supports users login to applications that are accessed shared between multiple inter-organizational units under a larger organization. This IdP also offers cloud-based SSO capabilities.
    - Configuring Microsoft ADFS for SAML-SSO in AppScan Enterprise
      You can configure the Active Directory Federation Service (ADFS) for user authentication through SAML-SSO login method. ADFS allows users across organizational boundaries to access applications on Windows Server Operating Systems using a single set of login credentials. ADFS uses a claims-based access control authorization model to maintain application security and implement federated identity.
      - ASE-side configuration
        Complete the additional SAML properties setup for the AppScan Enterprise application you have integrated in the Microsoft ADFS in the Attribute Mappings page.
  - Enabling encryption for SAML based SSO in AppScan Enterprise
    When a user login to SP, in this case AppScan Enterprise, a request is sent to IdP for authenticating the user. You can encrypt this process of authentication and approval requests that occur between the SP and IdP by installing a self-signed certificate in the AppScan Enterprise Server.
- Configuring and downloading log files for Enterprise Console and AppScan Server
  Administrators can configure the settings for log files for the Enterprise Console and AppScan Server and download them when they need to troubleshoot issues. This function eliminates the need to search the file system of the computer where the Enterprise Console or AppScan Server is installed.
- Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
  The AdminUtil tool helps users to avoid rerun the configuration wizard on the AppScan Enterprise Server and the DAST Scanner(s) to reset the password. You can run the utility in two modes - Interactive mode and Silent mode. For more information about resetting service account password through interactive mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
- Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool in silent mode
  The AppScan Enterprise (ASE) AdminUtil tool helps users to avoid rerun the configuration wizard on the AppScan Enterprise Server, IAST Communication service, DAST scanner(s), Database service, and Alert services to reset the password of service account. You can achieve this by running the utility in two modes - Interactive mode and Silent mode. For more information about resetting service account password through interactive mode, see Resetting Service Account Password in AppScan Enterprise through the ASE AdminUtil tool
- Monitoring AppScan Enterprise usage
  Create an Activity Log report to determine who is using AppScan Enterprise and what they are doing with it. The report lists the users that made changes and when the changes were made. Because the log is always recording activity, all you must do is create the report. Only Administrators can create the Activity Log report; however, any user can be given access to it as part of a report pack's properties. If you do not want other users to see the Activity Log report, change `All Other Users' to No Access on the Users and Groups page for the report pack.
- Activity Log
  Activity Log helps determine who is using AppScan Enterprise and what they are doing with it. It lists the users that made changes and when the changes were made. This is useful for security auditing to detect possible unauthorized or unusual activities performed by users. Only Administrators can view the Activity log. By default, the activity log data is retained for one year.
- Managing a server
  Product Administrators are responsible for managing each server to its optimal performance.
- Managing the scan queue
  See the status of scan jobs currently running or waiting to run so that you can prioritize the order in which your key scan jobs run. For example, you might have scan jobs that are part of a time-sensitive deliverable, like a holiday shopping special. You can move them to the top of the queue to make sure that they are prioritized first in the schedule.
- Updating security rules
  The security rules are updated as a part of your AppScan® Enterprise releases. You can verify the version and release date of the security rules by looking in the About link in the AppScan Enterprise main menu.
- Importing user-defined tests from AppScan Standard
  AppScan® Standard provides a database of thousands of tests. However, if your web application has issues that are specific to it, or if you want to write your own advisories for fixing issues, you can create your own tests. These tests are saved and included in your AppScan database of tests. You can also export them as a *.udt file to import into AppScan Enterprise.
- Maintaining your SQL Server database
  SQL Server database maintenance includes upgrading SQL servers, SQL database backup, log file configuration, and database usage.
- Preparing for Security Testing
  Learn how to prepare for security testing in AppScan Enterprise.
- Creating scan templates
  Learn how to create scan templates in AppScan Enterprise.

ASE-side configuration

Complete the additional SAML properties setup for the AppScan Enterprise application you have integrated in the Microsoft ADFS in the Attribute Mappings page.

Procedure

Install ASE and run the configuration wizard:
1. For the Authentication Mechanism, select LDAP Authentication.
2. For LDAP Server Type, select Microsoft Active Directory.
3. Complete the wizard.
Navigate to the configuration files folder in the directory where your ASE software package is installed. For example:
```
<installation directory>\AppScan Enterprise\Liberty\usr\servers\ase\config
```
Locate the file named onelogin.saml.properties.template, rename it onelogin.saml.properties and open it in a text editor.
Update the file with the following custom properties:
- onelogin.saml2.sp.entityid -
```
https://<host_name>:<port_number>/<ase_instance_name>/metadata.jsp
```
- onelogin.saml2.sp.assertion_consumer_service.url -
```
https://<host_name>:<port_number>/<ase_instance_name>/api/saml
```
- onelogin.saml2.idp.single_sign_on_service.url -
```
https://<<adfs_domain_name>>/adfs/ls
```
- onelogin.saml2.idp.x509cert - Base-64 encoded X.509 (.CER) in single line string format. To obtain this do the following:
  1. Go to ADFS Management > Services > Certificates > Token Signing > View Certificate > Detail > Copy file to > Select the Export option as Base-64 encoded X.509 (.CER)
  2. Convert the certificate data into the single line string format.
    Tip: You can use the https://www.samltool.com/format_x509cert.php tool to do this.

What to do next

To add users in AppScan using Microsoft ADFS, see Users and groups