- SecureAuth IdP 9.2
- API Documents
- Admin API Guide
- Workflow Realm Settings Endpoint
Workflow Realm Settings Endpoint
Introduction
Use the /workflow PATCH endpoint to dictate the end-user login process, configure Device Recognition, enable redirects, customize token settings.
Prerequisites
1. Complete the Enablement and Header Steps in the Admin API Guide
2. Have access to the application code that calls to the API endpoint(s)
3. Integrate a membership and profile directory(s) with SecureAuth IdP (Data Realm Settings Endpoint)
/workflow Endpoint
Note
The following endpoints are prepended with the URL, https://<SecureAuth IdP Domain>/api/v2/realms/<realm ID>
Workflow Settings /workflow PATCH Endpoint
Notice
Use this endpoint to configure the realm's workflow settings, including client-side login process, device recognition, token preferences, and user redirects.
HTTP Method | Endpoint | Example | SecureAuth IdP version |
---|---|---|---|
PATCH | /workflow | https://secureauth.company.com/api/v1/realms/26/workflow | v9.1 |
PATCH | /workflow | https://secureauth.company.com/api/v2/realms/26/workflow | v9.2 or later |
Tip
Defaulted values in bold
Field | Description | Accepted Values | Note |
---|---|---|---|
deviceRecognitionMethod | Settings for persistent token | N / A | |
integrationMethod | Device limitation and functionality of client | CertificationEnrollmentAndValidation | Only one option supported |
clientSideControl | Credential (persistent token) used in the workflow | DeviceBrowserFingerprinting | Only one option supported |
browserProfileSetting | Settings for Device Recognition browser profiles | N / A | |
fpMode | Deliver cookie to browser to compare with browser profile |
| For browser profile |
Deliver cookie to mobile device or use Device Recognition mobile app to compare with mobile profile |
| For mobile profile | |
cookieNamePrefix | Name prepended to cookie name | any | Full cookie name: cookieNamePrefix + company name + hashed value of user ID For browser and mobile profiles |
cookieExpireLength | Number of hours during which cookie is valid | any, numerical | For browser and mobile profiles |
matchFpIdInCookie | Require match between profile ID in directory and profile ID of current login |
| For browser and mobile profiles |
authenticationThreshold | Percentage of current profile score matched against stored profile score required to bypass additional authentication | any, defaulted to 90 | For browser and mobile profiles |
updateThreshold | Percentage of current profile score matched against stored profile score required to update stored profile after successful additional authentication | any, defaulted to 89 | For browser and mobile profiles |
mobileProfileSetting | Settings for Device Recognition mobile profiles | N / A | |
skipIpMatch | Skip IP address matching between device and stored profile |
| |
profileSetting | Settings for Device Recognition profiles | N / A | |
fpExpirationLength | Number of days during which profile is valid | any, defaulted to 0 | 0 or negative: no expiration |
fpExpirationSinceLastAccess | Number of days profile is valid since last access | any, defaulted to 0 | 0 or negative: no expiration |
allowOnlyOneFpCookiePerBrowser | One cookie allowed per browser |
| |
totalFpMaxCount | Number of Device Recognition profiles allowed per user account at single time | number, defaulted to -1 | -1 : no maximum amount |
whenExceedingMaxCount | Action to take when exceeding max profile amount |
| If totalFpMaxCount sets limit |
replaceInOrderBy | Method to replace existing profiles with new ones when exceeding max amount |
| If totalFpMax Count sets limit and " whenExceedingMaxCount": "Allow" |
fpAccessRecordsMaxCount | Number of access history records stored per profile | number, defaulted to 5 | |
loginScreen | Settings for client-side login pages | N / A | |
defaultWorkflow | Workflow for end-user login |
| |
publicPrivateMode | Designated mode for end-user login |
| |
publicPrivateModeDefault | Default selection on client-side login page |
| If " publicPrivateMode": "PublicPrivate" |
rememberPublicPrivateUserSelection | Automatically select end-user's last selected publicPrivateMode option |
| |
showInlinePasswordChange | Allow end-users to update expired passwords during login |
| Requires Web Admin UI configuration |
passwordThrottle | Settings for password throttling | N / A | Refer to Password Throttling Configuration Guide for more information |
enabled | Enable password throttling in realm |
| |
maxFailedAttempts | Number of failed attempts allowed before action takes place | number, defaulted to 5 | |
interval | Number of timeUnit during which failed attempts are counted | number, defaulted to 5 | |
timeUnit | Unit of time for interval |
| |
action | Action to take when maxFailedAttempts is reached during interval:timeUnit |
| |
storageLocation | Property that contains the timestamps and count of failed password attempts |
| |
sessionTimeout | Settings for browser session during workflow | N / A | |
sessionStateName | Name of session state | any, defaulted to ASP.NET_SessionId<realm ID> | |
idleTimeoutLength | Number of minutes during which end-user must interact with browser before session expires and re-authentication is required | number, defaulted to 10 | |
displayTimeoutMessage | Display message when session times out |
| |
tokenPersistence | Settings for persistent token (Device Recognition profiles) | N / A | |
validatePersistentToken | Check validity of token |
| |
renewPersistentToken | Generate new token once previous one is validated |
| |
redirect | Settings for workflow redirects | N / A | |
invalidPersistentTokenRedirect | URL to which end-users are redirected if persistent token is invalid | URL path, /<SecureAuth IdP Realm Name> | /<realm name> supported if realms on same appliance |
tokenMissingRedirect | URL to which end-users are redirected if persistent token is missing | URL path, /<SecureAuth IdP Realm Name> | |
profileMissingRedirect | URL to which end-users are redirected if profile is missing | URL path, /<SecureAuth IdP Realm Name>, defaulted to profilemissing.aspx | |
mobileRedirect | SecureAuth IdP realm to which end-users are redirected if on mobile device | realmName, e.g. SecureAuth14 | |
mobileIdentifiers | Identifiers of mobile devices to enable mobileRedirect | any, defaulted to ios,iphone,ipad,android,wp7 | |
terminationPoint | Settings for load balancer integration | N / A | |
clientFqdn | Fully Qualified Domain Name (FQDN) set as client point of termination for SecureAuth IdP validation | FQDN | |
sslTerminationCertificate | Trusted SSL certificate for bi-lateral authentication with SecureAuth IdP not acting as termination point | certificate BLOB | Not required if providing sslCertificateAddress |
sslCertificateAddress | Load balancer FQDN where SSL connection is terminated | FQDN | Not required if providing sslTerminationCertificate |
sslTerminationPoint | FQDN of where sslTerminationCert is terminated to allow SecureAuth IdP to validate information | FQDN | |
customIdentityConsumer | Settings for pre-authentication workflow | N / A | |
receiveToken | Type of token received by SecureAuth IdP from other site |
| |
requireBeginSite | Enable pre-authentication page for workflow |
| |
beginSite | Type of pre-authentication begin site |
| Begin sites may require Web Admin UI configuration |
windowsSsoUserImpersonation | Run SecureAuth IdP as user or service name when using IWA (Kerberos) |
| |
windowsSsoWindowsAuthentication | Enable Windows Desktop SSO (Kerberos) |
| |
yubiKeyProvisionPage | URL of end-user YubiKey provisioning page | URL path | |
customBeginSiteUrl | URL of pre-authentication begin site | URL path | If "beginSite": "Custom", otherwise null |
receiveTokenDataType | Location of user ID in token received by SecureAuth IdP |
| |
sendTokenDataType | Location of user ID in token sent by SecureAuth IdP |
| |
userIdCheck | Check for "Cisco-specific" user ID |
| For Cisco ASA integrations only |
allowTransparentSso | Enable transparent SSO between associated realms / applications |
| |
delimiter | XOR delimiter used with shared secret to encrypt user ID | any | |
getSharedSecret | Shared secret sent to SecureAuth IdP, provided by SP | number, 1 - 223 | |
setSharedSecret | Shared secret sent by SecureAuth IdP | number, 1 - 223 | |
fbaWebService | Settings for FBA Web Service | N / A | |
enabled | Enable FBA Web Service |
| |
username | Username for FBA Web Service communication | any | |
password | Password associated to username | any |
Parameters | Success Response |
---|---|
{ "deviceRecognitionMethod": { "integrationMethod": "CertificationEnrollmentAndValidation", "clientSideControl": null }, "browserProfileSetting": { "fpMode": "NoCookie", "cookieNamePrefix": "SecureAuthDFP_", "cookieExpireLength": 168, "matchFpIdInCookie": false, "authenticationThreshold": 90, "updateThreshold": 89 }, "mobileProfileSetting": { "fpMode": "Cookie", "cookieNamePrefix": "SecureAuthDFP_", "cookieExpireLength": 72, "matchFpIdInCookie": true, "skipIpMatch": true, "authenticationThreshold": 100, "updateThreshold": 90 }, "profileSetting": { "fpExpirationLength": 0, "fpExpirationSinceLastAccess": 0, "allowOnlyOneFpCookiePerBrowser": false, "totalFpMaxCount": -1, "whenExceedingMaxCount": "Allow", "replaceInOrderBy": "CreateTime", "fpAccessRecordsMaxCount": 5 }, "loginScreen": { "defaultWorkflow": "Username_SecondFactor_Password", "publicPrivateMode": "PublicPrivate", "publicPrivateDefault": "Private", "rememberPublicPrivateUserSelection": true, "showUserIdTextbox": false, "showInlinePasswordChange": false "passwordThrottle": { "enabled": true, "maxFailedAttempts": 5, "interval": 14, "timeUnit": "Minutes", "action": "LockUserAfterExceedingAttempts", "storageLocation": "AuxID3" } }, "sessionTimeout": { "sessionStateName": "ASP.NET_SessionId220", "idleTimeoutLength": 10, "displayTimeoutMessage": "Disabled" }, "tokenPersistence": { "validatePersistentToken": true, "renewPersistentToken": false }, "redirect": { "invalidatePersistentTokenRedirect": "", "tokenMissingRedirect": "", "profileMissingRedirect": "profilemissing.aspx", "mobileRedirect": "", "mobileIdentifiers": "ios,iphone,ipad,android,wp7" }, "terminationPoint": { "clientFqdn": "", "sslTerminationCertificate": "", "sslCertificateAddress": "", "sslTerminationPoint": "" }, "customIdentityConsumer": { "receiveToken": "SendTokenOnly", "requireBeginSite": false, "beginSite": "Custom", "windowsSsoUserImpersonation": false, "windowsSsoWindowsAuthentication": false, "yubiKeyProvisionPage": "", "customBeginSiteUrl": "", "receiveTokenDataType": "Name", "sendTokenDataType": "UserId", "userIdCheck": true, "allowTransparentSso": false, "delimiter": "", "getSharedSecret": 111, "setSharedSecret": 111 }, "fbaWebService": { "enabled": false, "username": "", "password": "" } } | { "status": "Success", "message": [] } |