Step B: IdP Realms configuration, v20.06

Ensure that the SecureAuth IdP API can connect to User properties. In the API realm in "API Permissions," ensure the following:

2. In the Primary IdP Host field, localhost appears by default.

If the realm is hosted on a different SecureAuth IdP than the one hosting this RADIUS server, enter the IdP host name or the IP address of the SecureAuth IdP realm to be used with this RADIUS server.

Examples: hostname.secureauth.com or XXX.XXX.XXX.XXX (where "X" represents a number in the IP address).

3. OPTIONAL: In the Backup IdP Host field, enter the host name or IP address of each SecureAuth IdP appliance to use for failover functionality, with each entry separated by a comma ( , ).

Failover to a backup server can occur in these scenarios:

During failover, end-users can log on the VPN without disruption.

NOTE: For more information see View sample logs for RADIUS failover scenarios, v20.06.

4. Enter the IdP Realm name and number. Examples: secureauth53 or SecureAuth84

5. From the SecureAuth IdP server, copy the Application ID generated for the realm and paste that content in the API Application ID field.

NOTE: See the Authentication API guide for steps on generating the Application ID in the API Key section of the API tab.

6. From the SecureAuth IdP server, copy the Application Key generated for the realm and paste that content in the API Application Key field.

NOTE: See the Authentication API guide for steps on generating the Application Key in the API Key section of the API tab.

7. Click Add IdP to enable the realm for use with the RADIUS server, or click Cancel to return to the IdP Realms page without adding the realm.

To edit a realm's information or remove a realm from the list...

1. Find the IdP Realm to be edited and click its "edit" icon at the far right.

Edit IdP Realm

2. Do one of the following:

a. Click Cancel if no changes will be made, and the IdP Realm URL list is displayed.

b. Update any information that has changed on the realm and click Save Changes. Note that encrypted values appear for the saved API Application ID and API Application Key; or

c. Click Disable Realm if the realm will no longer be used with the RADIUS server. This action moves the realm to the Disabled IdP Realms list. See an example of a disabled IdP realm in the sample screen above.

3. If Disable Realm was clicked, the Remove Realm option becomes available. Do one of the following:

a. Click Cancel if no changes will be made and the IdP Realm URL list is displayed.

b. Click Remove Realm to remove the realm from the Disabled IdP Realms list and from the RADIUS server; or

c. Click Enable Realm to enable the realm for use with the RADIUS server. This action removes the realm from the Disabled IdP Realms list and includes it in the IdP Realm URL list.

Edit the IdP Web Config file

A default setting in the SecureAuth IdP v9.3 or earlier Web Config file causes RADIUS client end-user logins to fail for certain 2FA methods. To ensure end-users can log in using any 2FA method, remove the Property in the SecureAuth IdP Web Admin configuration by completing the following steps.

1. In the SecureAuth IdP realm you added in Step B, step 1 above, click the System Info tab.

2. On the System Info tab, in the Links section, select Click to edit Web Config file.

3. In the Web Config Editor section, under <appSettings>, remove the following line because SA RADIUS does not use /api/v1/otp/validate to validate OTP codes:

    <add key="OTPFieldMapping"value="<SecureAuth IdP Profile Property>"/>

4. Click Save.