About the End User Authentication Page
To access this page, select Secure Edge > Identity > User Authentication.
Configure authentication profiles to authenticate the end users.
Tasks You Can Perform
You can perform the following tasks from this page:
Create a SAML Profile
To create a SAML profile:
- Select Secure Edge > Identity > User Authentication.
  The End User Authentication page appears with the SAML profile tab.
- Complete the configurations according to the guidelines in Table 1.
  Note: Fields marked with an asterisk (*) are mandatory.
  Figure 1: SAML Profile
  Figure 2: IdP Attributes
  Figure 3: IdP Metadata URL
- Click OK.
| Field | Description |
|---|---|
| SAML Profile | |
| SAML Profile | Enable or disable SAML authentication. |
| ACS URLs | View the Assertion Consumer Service (ACS) URLs. The ACS URL tells your IdP where to send its SAML response after authenticating a user. |
| Directory Synchronization | Enable to use the user groups from your IdP directories in Secure Edge policy. Supported IdPs are Okta and Entra ID (Azure AD). |
| Identity Provider (IdP) Configuration | |
| Identity Provider | Select an IdP. Available IdPs for directory synchronization are Okta and Entra ID (Azure AD). |
| Okta Configurations | |
| Security API Token | Enter the Okta API token created using the API > Token > Create token menu on the Okta admin console for Juniper Secure Edge. The API token is valid for 30 days. If the SAML profile or directory synchronization is inactive or disabled for more than 30 days, the token is revoked and cannot be used again; to reconfigure, create a new token. |
| Tenant Domain | Enter the domain configured in Okta. Locate the Okta domain by clicking your username in the top-right corner of the Okta admin console; the domain appears in the dropdown menu. |
| Validate | Click Validate to test the validity of the configuration. |
| Entra ID Configurations | |
| Application ID | Enter the Application (client) ID assigned to you after completing App registrations on the Microsoft Entra admin center for Juniper Secure Edge. |
| Directory (tenant) ID | Enter the Directory (tenant) ID assigned to you after completing App registrations on the Microsoft Entra admin center for Juniper Secure Edge. |
| Client Secret | Enter the client secret generated using the Certificates & secrets > Client secrets menu on the Microsoft Entra admin center for Juniper Secure Edge. Microsoft Entra generates the client secret with an expiry date, so update the client secret before it expires. |
| Validate | Click Validate to test the validity of the configuration. |
| IdP Settings | |
| Metadata URL | Enter the IdP metadata URL. The Service Provider (SP) uses the metadata URL to validate that the SAML assertions are issued by the correct IdP. |
| Service Provider (SP) | |
| Entity ID | Displays the unique identifier for the SAML profile. |
| Username attribute | Enter the username attribute for SAML. The username attribute is mandatory and must be in e-mail address format. It is mapped to the user data that the IdP provides in the SAML assertion response. |
| Sign auth requests | Enable the toggle button to sign the SAML authentication requests sent from Juniper Secure Edge to the IdP. If you enable signing, you must provide both the private key and the public key certificate. |
| Private key | Enter the private key that you generated locally. Juniper Secure Edge uses the private key to sign SAML authentication requests. The private key is not shared with the IdP. |
| Public key | Enter the public key certificate that you generated locally. You must upload the same public key certificate in the IdP portal, where it is used to validate the SAML authentication requests sent by Juniper Secure Edge. |
| Group attribute | Enter the attribute that carries the groups the end user belongs to. The group values are filtered and sent to the IdP. |
| First name attribute | Enter the first name attribute of the SAML user. The first name attribute is used to create a user profile. |
| Last name attribute | Enter the last name attribute of the SAML user. The last name attribute is used to create a user profile. |
- For SAML, the retries and the locking period are configured on the SAML server.
- By default, directory synchronization runs at regular intervals.
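As an added illustration (not code from Juniper Secure Edge or from this page), the following Python applies the SP attribute settings from Table 1 to a constructed SAML assertion: it checks the Issuer against the IdP you expect from the metadata, requires the username attribute to be an e-mail address, and pulls the first name, last name and group attributes into a user profile. The attribute names and the issuer URL are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion for illustration; not a real IdP response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed SP settings: which assertion attribute feeds each profile field (Table 1).
SP_PROFILE = {"username": "email", "first_name": "firstName",
              "last_name": "lastName", "group": "groups"}


def map_assertion(xml_text, expected_issuer, profile=SP_PROFILE):
    """Validate the issuer, read the configured attributes, and build a user profile."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    # The metadata URL identifies the IdP; reject assertions from any other issuer.
    if issuer != expected_issuer:
        raise ValueError(f"assertion issued by {issuer!r}, expected {expected_issuer!r}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    username = attrs.get(profile["username"], [""])[0]
    # Username attribute is mandatory and must be in e-mail address format.
    if not EMAIL_RE.match(username):
        raise ValueError("username attribute is mandatory and must be an e-mail address")
    return {
        "username": username,
        "first_name": attrs.get(profile["first_name"], [""])[0],
        "last_name": attrs.get(profile["last_name"], [""])[0],
        "groups": attrs.get(profile["group"], []),
    }


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata"))
```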
Create an LDAPS Profile
LDAPS profile configuration supports high availability (HA). You must configure both primary and secondary LDAPS servers. If you enable SSL encryption, the default SSL LDAP port number is 636. If you are not using SSL, the default port number is 389.
To create an LDAPS profile:
- Select Secure Edge > Identity > User Authentication.
  The End User Authentication page appears.
- Click the LDAPS tab.
- Complete the configurations according to the guidelines in Table 2.
  Note: Fields marked with an asterisk (*) are mandatory.
  Figure 4: LDAPS Profile
- Click OK.
| Field | Description |
|---|---|
| Primary Server | |
| Server address | Enter the IP address of the LDAP authentication server. The server address is a unique IPv4 or IPv6 address assigned to a particular LDAP server and used to route information to it. |
| SSL certificate | The certificate the LDAP client uses to establish an LDAP over SSL connection. If you plan to use SSL encryption with your LDAP server, you must import the SSL certificate from the LDAP server. Click Browse, select the SSL certificate, and click Open. |
| Port number | Specify the port on the LDAP server to which the LDAP client connects. |
| Secondary Server (Optional) | Click the toggle button to enable the secondary server. |
| Server address | Enter the IP address of the secondary LDAP authentication server. The server address is a unique IPv4 or IPv6 address assigned to a particular LDAP server and used to route information to it. |
| SSL certificate | The certificate the LDAP client uses to establish an LDAP over SSL connection. If you plan to use SSL encryption with your secondary LDAP server, you must import the SSL certificate from the LDAP server. Click Browse, select the SSL certificate, and click Open. |
| Port number | Specify the port on the secondary LDAP server to which the LDAP client connects. |
| Test LDAP Servers Connection | Click Test LDAP Servers Connection to check whether the connection is established. |
| LDAP Authentication | |
| Base domain name | Enter the distinguished name (DN) of the search base (LDAP base), which specifies the base of the user directory. Every entry in the directory has a DN, the name that uniquely identifies that entry. |
| Bind domain name | Enter the distinguished name of the proxy account that the LDAP client uses to bind to the LDAP server. |
| Bind password | Enter the credentials the LDAP client uses to bind to the LDAP server. Configure the public key password. Click Test Authentication to check that the credentials bind successfully for authentication. |
| User Options | |
| User attribute | Enter the username attribute used for comparing user entries. The username attribute has permissions to access the LDAP server. |
| User filter | Enter a value to use as the search filter parameter in LDAP. |
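As an added example (not Juniper Secure Edge code, and not on the original page), the following Python checks an LDAPS profile against the rules in this section (both servers addressed, a certificate imported wherever SSL is enabled, 636 or 389 filled in when no port is given, the bind and base DNs present) and then builds the user search filter from the User attribute and User filter fields, escaping the username per RFC 4515 so that a login name cannot alter the filter. The profile dictionary and its values are constructed.

```python
# RFC 4515 escapes for values substituted into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample profile; addresses, DNs and password are placeholders.
SAMPLE_PROFILE = {
    "primary": {"address": "192.0.2.10", "ssl": True, "certificate": "ldap-server.pem"},
    "secondary": {"address": "192.0.2.11", "ssl": False},
    "base_dn": "dc=example,dc=com",
    "bind_dn": "cn=proxy,ou=service,dc=example,dc=com",
    "bind_password": "placeholder-bind-password",
    "user_attribute": "mail",
    "user_filter": "objectClass=person",
}


def ldap_escape(value):
    """Escape a value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def default_port(use_ssl):
    """Defaults stated in the LDAPS section: 636 with SSL, 389 without."""
    return 636 if use_ssl else 389


def validate_ldaps_profile(profile):
    """Return a list of problems (empty when the profile meets the stated rules)."""
    problems = []
    for name in ("primary", "secondary"):
        srv = profile.get(name)
        if srv is None:
            if name == "primary":
                problems.append("primary server is required")
            continue  # the secondary server is optional
        if not srv.get("address"):
            problems.append(f"{name} server address is required")
        if srv.get("ssl") and not srv.get("certificate"):
            problems.append(f"{name}: SSL enabled but no SSL certificate imported")
        srv.setdefault("port", default_port(bool(srv.get("ssl"))))
    for key in ("base_dn", "bind_dn", "bind_password", "user_attribute"):
        if not profile.get(key):
            problems.append(f"{key} is required")
    return problems


def build_user_search(base_dn, user_attribute, user_filter, username):
    """Combine user attribute and user filter into one search; returns (base_dn, filter)."""
    match = f"({user_attribute}={ldap_escape(username)})"
    if user_filter:
        extra = user_filter if user_filter.startswith("(") else f"({user_filter})"
        match = f"(&{match}{extra})"
    return base_dn, match
```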
Manage the Hosted Database
End users can be authenticated against a hosted database consisting of users' usernames (e-mail addresses) and passwords. Administrators use the Juniper Secure Edge portal to configure and activate the users in the hosted database. Once a user is configured in the Juniper Secure Edge portal, the user receives an e-mail containing their credentials (username and password) and can then authenticate with their e-mail address and password.
Use the Hosted Database tab to add, modify, and delete an end user profile or group profiles.
You can perform the following tasks from this page:
- Add an end user profile. See Add an End User Profile.
- Edit or delete end user profile. See Edit and Delete an End User Profile.
- Add a group.
- Edit or delete groups.
- View details about end user profiles. See Table 3.
The hosted database allows a maximum of five retry attempts, after which the user is locked. The number of retries is not configurable. Once a user is locked, only the administrator can unlock them.
| Field | Description |
|---|---|
| End users | |
| Name | Displays the name of the user who is part of the tenant. |
| E-mail address | Displays the e-mail address of the user. The e-mail address is the username that the user uses for authentication. |
| Groups | Displays the groups to which the user belongs. Group names are displayed in domain:groupname format. |
| Groups | |
| Name | Displays the name of the group. |
| Username | Click Show users to view the list of users in the group. A user's username is their e-mail address. |
| Domain | Displays the domain to which the group belongs. |
| Description | Displays the description of the group. |