Workflow Tab Configuration

Introduction

Use this guide to configure the Workflow tab in the Web Admin for each SecureAuth IdP realm.

This includes Device Recognition (token and certificate properties), Workflow options (authentication modes, realm redirects, etc.), and consumption options (custom tokens, social identities, etc.).

Prerequisites

1. Create a New Realm for the target resource to which the configuration settings apply, or open an existing realm for which configurations have already been started

2. Configure the Overview and the Data tabs in the Web Admin before configuring the Workflow tab

Device Recognition

Device Recognition Method

1. Select the Integration Method from the dropdown

The selection made here alters the options for Client Side Control and IE / PFX / Java Cert Type

  • Select Certification Enrollment and Validation for web-based authentication (the most frequently used option, covering the majority of application integrations)

  • Select Certificate Enrollment Only for X.509 VPN authentication

  • Select Mobile Enrollment and Validation for mobile browser authentication or enrollment (e.g. native mobile apps, OATH enrollment)

2. Select the Client Side Control option from the dropdown

The selection made here alters the options for IE / PFX / Java Cert Type, and may require additional configuration steps

3. Select the IE / PFX / Java Cert Type from the dropdown

This selection depends on the organization's security preference

Note

Step 3 is not required if Device / Browser Fingerprinting is selected in step 2

Certificate / Token Properties

4. Select Password Expiration Date from the Certificate Expiration dropdown if the certificate is to expire when the password expires

Select Private Mode Cert Length if the certificate is to expire after a designated number of days

5. Select Cert Expiration Date from the Certificate Valid Until if the certificate is to remain valid up until the expiration

Select Private Mode Cert Length if the certificate is to remain valid during a designated number of days

6. Set the number of days during which a certificate does not expire and remains valid in the Private Mode Cert Length field if Private Mode Cert Length was selected in step 4 or 5

7. Set the number of hours during which the Public Mode Certificate is valid in the Public Mode Cert Length field

This applies only to realms in which Certificate Enrollment is selected from the Integration Method dropdown in the Device Recognition Method section

8. Set the number of hours during which the cookie delivered to a mobile device is valid in the Mobile Credential Length field (browser credential)

9. Provide the maximum number of certificates that a user can have at a time in the Global Cert Limit field (optional)

10. Provide the maximum number of mobile cookies that a user can have at a time in the Global Mobile Limit field (optional)

11. Select Fall Back to 2nd Factor or Display Error Message from the Check CRL dropdown for SecureAuth IdP to check the Certificate Revocation List

Select Disabled to opt out of checking the CRL as it is not necessary with SecureAuth IdP

12. Click Configure Email Notification to enable and set up Expired Certificate Warning emails (optional)

Warning

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Expired Certificate Warning

Warning

Click Save once the configurations have been completed and before leaving the Expired Certificate Warning page to avoid losing changes

Browser / Mobile Profiles

Notice

The following configuration steps are only required if Device / Browser Fingerprinting is selected in step 2 as the Client Side Control option

13. Configure the Device Recognition settings for the realm

Refer to Device Recognition for full configuration steps

Workflow

Login Screen Options

14. Select the Default Workflow, which is the workflow through which users go to obtain access to the realm's resource

15. Select Private and Public Mode from the Public/Private Mode dropdown to enable both modes during the login process

If the end-user selects Private Mode on the login page, SecureAuth IdP checks for a certificate / token / device profile, or delivers a certificate / token to the browser, or pulls information to create a device / browser profile for subsequent access attempts

16. Select which option is selected by default (if Private and Public Mode is enabled) on the end-user login page from the Default Public / Private dropdown

17. Select True from the Remember User Selection dropdown if the user's last Private / Public Mode selection is defaulted for subsequent access attempts

18. Select False (default) from the Skip UserID View dropdown, which provides a username input field on the login pages

19. Select False (default) from the Show UserID Textbox dropdown, which provides a username input field on the login pages for Certificate Enrollment and / or Cisco ASA integrations when the user ID is not provided by Cisco

20. Select Enabled from the Inline Password Change dropdown to allow users to change their password during the workflow process

21. Configure the realm for Password Throttling (optional)

Session Timeout

Notice

These configuration steps are only required if session timeout occurs automatically after a set period of time

22. Set the Session State Name or leave it as the default value

23. Set the number of minutes after which the session is expired in the Idle Timeout Length field

24. Select the action to take after the session has been expired from the Display Timeout Message dropdown

Token Persistence

25. Select True from the Validate Persistent Token dropdown if SecureAuth IdP is to check the validity of the persistent token during the authentication process

Select False for this realm to only deliver certificates or create a profile, but not validate or renew the token

26. Select True from the Renew Persistent Token (After Validation) dropdown if the persistent token is to be renewed after SecureAuth IdP checks its validity (applicable only if True is selected in step 25)

Notice

Steps 25 - 26 apply to the Client Side Control option selected in step 2, i.e. the Device / Browser Profile, Native Cert, Java Cert, or UBC is the persistent token that can be validated and / or renewed through the workflow

Redirects

Notice

Redirects are optional and may not be relevant for every realm configuration

27. Set the Invalid Persistent Token Redirect field to where users are directed to acquire a new / valid persistent token, e.g. another SecureAuth IdP realm

This is especially useful in realms using (Valid Persistent Token) workflows, as a valid token is required to access the resource

28. Set the Token Missing Redirect field to where users are directed to acquire a new token, e.g. enrollment or provisioning realm

This is used for Near Field Communications (NFC) tokens only

29. Set the Profile Missing Redirect field (or leave as default) to where users are directed to retrieve a missing profile, e.g. profilemissing.aspx

30. Set the If Mobile, Redirect To field to a SecureAuth IdP realm specifically configured for mobile access

31. Set the Mobile Identifiers to common keywords that can be used to detect mobile devices and browsers, which then triggers the mobile redirect to the realm selected in step 30
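The following is an added example (not SecureAuth code) that models how the Redirects fields in steps 27 - 31 resolve an access attempt to a redirect target. The evaluation order (mobile detection, then token checks, then profile check), the case-insensitive substring matching of Mobile Identifiers, and the example.com realm URLs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the Redirects section; names mirror the Web Admin fields.
@dataclass
class RedirectConfig:
    invalid_persistent_token_redirect: Optional[str] = None  # step 27
    token_missing_redirect: Optional[str] = None             # step 28, NFC tokens only
    profile_missing_redirect: str = "profilemissing.aspx"    # step 29 (page default)
    if_mobile_redirect_to: Optional[str] = None              # step 30
    mobile_identifiers: List[str] = field(default_factory=list)  # step 31

# Constructed state of one login attempt against the realm.
@dataclass
class AccessAttempt:
    user_agent: str
    token_present: bool = True
    token_valid: bool = True
    token_is_nfc: bool = False      # Token Missing Redirect applies to NFC tokens only
    profile_present: bool = True    # relevant to Device / Browser Fingerprinting realms

def matches_mobile_identifier(user_agent: str, identifiers: List[str]) -> bool:
    """Assumed matching rule: case-insensitive substring test of each keyword."""
    ua = user_agent.lower()
    return any(kw.strip().lower() in ua for kw in identifiers if kw.strip())

def choose_redirect(cfg: RedirectConfig, attempt: AccessAttempt) -> Optional[str]:
    """Return the redirect target, or None to continue the realm's own workflow.

    Evaluation order is an assumption for this example: the mobile realm
    redirect first, then token checks, then the device / browser profile check.
    """
    if cfg.if_mobile_redirect_to and matches_mobile_identifier(
        attempt.user_agent, cfg.mobile_identifiers
    ):
        return cfg.if_mobile_redirect_to
    # A missing NFC token goes to the enrollment / provisioning realm (step 28).
    if not attempt.token_present and attempt.token_is_nfc and cfg.token_missing_redirect:
        return cfg.token_missing_redirect
    # Any other missing or invalid persistent token goes to the realm that issues one (step 27).
    if (not attempt.token_present or not attempt.token_valid) and cfg.invalid_persistent_token_redirect:
        return cfg.invalid_persistent_token_redirect
    # A fingerprinting realm without a stored profile uses the profile-missing page (step 29).
    if not attempt.profile_present:
        return cfg.profile_missing_redirect
    return None
```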

Termination Points

Notice

Termination Points are optional and may not be relevant for every realm configuration

32. Set the Client FQDN to the Fully Qualified Domain Name (FQDN) of the client point of termination for SecureAuth IdP validation

33. Provide the SSL Termination Cert if enabling bilateral authentication and if SecureAuth IdP is not the termination point

34. If the SSL Termination Cert (step 33) cannot be provided, set the (or) SSL Cert Address field to the FQDN or IP address of the device (typically a load balancer) at which the SSL connection is terminated, so that SecureAuth IdP can retrieve the SSL certificate itself

35. Set the SSL Termination Point to the FQDN of where the SSL certificate is terminated, which is communicated to SecureAuth IdP to validate the information

Java

Notice

The following configuration steps are only required if Java Applet is selected in step 2 as the Client Side Control option

36. Select True from the Encrypt Password (Java only) dropdown to encrypt the end-user's password (provided during login) when it is sent to the SecureAuth IdP server for validation, rather than sending it in plain text

37. Set the Java Timeout to the number of X within which Java must respond

If Java does not respond within the configured time, an error is presented

38. Select the action to take if SecureAuth IdP fails to launch the Java Applet from the Java Applet Load Failure Fallback dropdown

  • True - Public Mode: The user goes through an out-of-band one-time password

  • True - UBC: The Universal Browser Credential (UBC) is used instead

  • True - Cookie: A cookie is used instead

  • False: The user is denied access and is asked to contact Help Desk

Multiple Workflow Configuration

Identity / Authentication Consumers

Custom Identity Consumer

Notice

Custom Identity Consumer configurations are optional and may not be relevant for every realm configuration

39. Select the type of token SecureAuth IdP receives in the realm from the Receive Token dropdown

40. Select True from the Require Begin Site dropdown if users are to acquire tokens / other information from a different site before logging in with SecureAuth IdP; or select False (default) if no begin site is required

41. Select the type of Begin Site from the dropdown that is used in this realm, which auto-populates the Begin Site URL field (unless Custom is selected)

Refer to the specific Begin Site Configuration Guide for full configuration steps

42. Select where the User ID is stored in the received token from the Token Data Type (Receive) dropdown

43. Select where the User ID is stored in the token sent to the SP from the Token Data Type (Send) dropdown

44. Select False from the Allow Transparent SSO dropdown

Select True if this realm utilizes SecureAuth IdP SSO, and enables SP-initiated or Secure Portal SSO

Also refer to the specific Integration Guide to view the distinct configuration steps

Open ID

Notice

Open ID configurations are only necessary if using Open ID in the realm

SAML Consumer

Notice

SAML Consumer configurations are only necessary if SecureAuth IdP is accepting a SAML assertion from one or multiple Identity Providers

Form Post

Notice

Form Post configurations are only necessary if SecureAuth IdP is accepting a Form Post

Social Identity

Notice

Social Identity configurations are only necessary if Social IDs are being consumed by SecureAuth IdP for use in multi-factor authentication

FBA WebService

Notice

FBA WebService configurations are only necessary if using SecureAuth IdP Web Service Multi-data Store, and if required by the SP

iPhone / iPad Handling (Deprecated)

Notice

iPhone / iPad Handling configurations are only necessary if users utilizing an iPhone or iPad require redirection

This functionality has been deprecated. Previous deployments of the feature continue to be supported, but no new configurations are accepted.

Consume Passcode from RADIUS 1.x Integrations

Notice

These configurations are only necessary if using SecureAuth RADIUS 1.0.x to make RADIUS web service calls to validate user information