.. _sso-pentasecurity-isign:

Penta Security ISign+
=================================================

This guide describes how to configure integration between Penta Security ISign+, an integrated authentication security platform (SSO), and Genian NAC, a network access control system.

Overview
-------------------------------------------------

Before Genian NAC and ISign+ are integrated, users have the inconvenience of authenticating separately to each product. After integration, SSO is in place between the two products: when a user authenticates to ISign+, user authentication is processed automatically in Genian NAC.

The Genian NAC agent is configured to apply authentication replacement for ISign+. For user authentication, the Genian NAC agent checks the user's authentication status with the ISign+ server via the ISign+ agent and allows network use when the user is in a normal authenticated state.

Through this process, authentication is performed without storing the user's authentication information on the user's PC, which protects the user account while providing the convenience of logging in to both products with a single login.

**Recommended Versions**

.. csv-table::
   :header: "Product Name (Component)", "Version", "Notes"
   :widths: 30 30 40

   "Genian NAC (Policy Server)", "V5.0 or higher", "Release version after 2019.03"
   "Genian NAC (Agent)", "V5.0.32 or higher", "Release version after 2020.06"
   "ISign+", "3.0 or higher", "Release version after 2020.06"

Purpose of Integration
-------------------------------------------------

The integration of Genian NAC and Penta Security ISign+ provides the following effects.

**SSO Environment Provision**

- The Genian NAC agent is configured to use ISign+'s authentication information. It checks the user's authentication status with the ISign+ server so that authenticated users can use the network without additional Genian NAC authentication.

**Automatic Connection to Network Blocking Reason and Guide Page for Unauthenticated ISign+ Users**

- Genian NAC informs unauthenticated ISign+ users of the reason for network blocking and provides a guide page on the actions required for normal network usage.

Prerequisites
-------------------------------------------------

**Prepare Genian NAC Agent Plugin for Integration**

Genian NAC uses a specially developed Genian NAC agent plugin to implement the user authentication integration that achieves SSO with ISign+. The plugin information is as follows:

.. csv-table::
   :header: "Genian NAC Agent Plugin File Name", "Notes"
   :widths: 50 50

   "NAC-C_Penta2SSO-B-89852-2.1.8.gpf (detailed version may vary)", "Genian NAC Agent V5.0 or higher (Release version after 2020.08)"

**Prepare SSO Module Path and Server Connection Information to Confirm ISign+ Authentication Information**

Confirm the following information, which is needed to verify ISign+ authentication information and status.

1) SSO Module Path: Confirm the SSO module path of ISign+ on the user's PC.
2) Check Server URL: ISign+ server's domain address or IP information.
3) Validate Server URL: ISign+ server's domain address or IP information.
4) Server Port: Default port 9080
5) Agent ID: Each integrated product has an ID (e.g., PSI_nac_CS_Prod / Genian NAC's ISign+ integration ID).

Genian NAC Configuration for Integration
-------------------------------------------------

This section covers only the minimum Genian NAC settings necessary for integration with ISign+. Perform this operation only once; it will be automatically applied thereafter.

**Step 1: Upload Agent Plugin for Integration**

1) In Genian NAC Web Console, go to the **System > Update > Genian Software > Agent Plugin** menu.
2) Click the **Tasks > Upload Plugins > Select File** button and select the **NAC-C_Penta2SSO-B-89852-2.1.8.gpf** plugin to upload.
3) Click the **Upload** button.

**Step 2: Agent Plugin Configuration**

1) In Genian NAC Web Console, go to the **Policy > Node Policy > Agent Action** menu.
2) Click the **Penta SSO Alternative Authentication 2** plugin.
3) In **Action Execution Settings**, enter setting values as follows:

.. csv-table::
   :header: "Configuration Item", "Setting Value", "Notes"
   :widths: 15 35 50

   "SSO Module Path", "*ISign* installation path + */SA_CSI.dll*", "ISign+ agent path"
   "Check Server URL", "*http://'ISign+ server'/api/v1/sso/checkserver*", "Confirm communication with authentication server"
   "Validate Server URL", "*http://'ISign+ server'/api/v1/sso/_validate*", "Confirm authentication status"
   "Server Port", "*9080*", "Default value"
   "Agent ID", "*PSI_nac_CS_Prod*", "Genian NAC's ISign+ integration ID"
   "Retry Cycle", "*10* seconds", "Retry cycle on integration failure"
   "Retry Count", "*3* times", "Authentication failure if exceeded"
   "Execution Account", "Select ``Agent Default Execution Account``", "Select account to execute the plugin. Selection based on SSO module installation path, execution permissions"

**Step 3: Configure Node Policy for Integration Function Application**

The following steps create a policy that uses the Genian NAC agent plugin to confirm normal authentication communication between the user PC and the server, verify the user's authentication status, and then allow network access.

1) In Genian NAC Web Console, go to the **Policy > Node Policy** menu.
2) Click the **Node Policy** containing the **node group** (e.g., all nodes) to which user authentication integration will be applied (if applying to a specific group only, create and use a separate node group).
3) Go to **Advanced > Authentication Policy > Single Sign-On Method** and select **External API** from the select box.
4) Go to **Agent Action** at the bottom and click the **Assign** button.
5) Move the **Penta DRM Alternative Authentication 2** node action to the right and click the **Add** button.
6) Click the **Update** button at the bottom.
7) Click the **Apply Change Policy** button at the top right to apply the policy.
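
A pre-flight check for the Step 2 setting values, run on a user PC before the node policy is applied. This is an added example, not part of the Genian NAC or ISign+ products or their documentation; the installation directory and server name are placeholders, and it checks only file presence, signature status, URL form and TCP reachability, not the ISign+ API itself.

```powershell
# Added example. Placeholders (not from the guide): $IsignInstallDir, $IsignServer.
$IsignInstallDir = 'C:\PLACEHOLDER\ISign'       # replace with the ISign installation path
$IsignServer     = 'isign.placeholder.example'  # replace with the ISign+ server domain or IP
$ServerPort      = 9080                         # "Server Port" default from the guide
$RetryCycleSec   = 10                           # "Retry Cycle" from the guide
$RetryCount      = 3                            # "Retry Count" from the guide

$SsoModulePath = Join-Path $IsignInstallDir 'SA_CSI.dll'
$Urls = "http://$IsignServer/api/v1/sso/checkserver",
        "http://$IsignServer/api/v1/sso/_validate"
$findings = [System.Collections.Generic.List[string]]::new()

# 1) SSO Module Path: the DLL must exist. Its Authenticode status is reported
#    because the agent loads it under the configured execution account;
#    compare the result against a known-good installation.
if (Test-Path -LiteralPath $SsoModulePath -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -FilePath $SsoModulePath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("NOTE: signature status '$($sig.Status)' on $SsoModulePath")
    }
} else {
    $findings.Add("FAIL: SSO module not found: $SsoModulePath")
}

# 2) Check/Validate Server URL: must be absolute URLs. A non-HTTPS scheme is
#    noted because authentication-status checks then cross the network unencrypted.
foreach ($u in $Urls) {
    $uri = $null
    if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$uri)) {
        $findings.Add("FAIL: not a valid absolute URL: $u")
    } elseif ($uri.Scheme -ne 'https') {
        $findings.Add("NOTE: cleartext scheme '$($uri.Scheme)' in $u")
    }
}

# 3) Server Port: TCP reachability, using the same retry cycle and count as the plugin settings.
$reachable = $false
for ($i = 1; $i -le $RetryCount -and -not $reachable; $i++) {
    $probe = Test-NetConnection -ComputerName $IsignServer -Port $ServerPort -WarningAction SilentlyContinue
    $reachable = $probe.TcpTestSucceeded
    if (-not $reachable -and $i -lt $RetryCount) { Start-Sleep -Seconds $RetryCycleSec }
}
if (-not $reachable) {
    $findings.Add("FAIL: no TCP connection to ${IsignServer}:$ServerPort after $RetryCount attempts")
}

if ($findings.Count -eq 0) { 'All pre-flight checks passed.' } else { $findings }
```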