Glossary

This glossary contains terms applicable to SecureAuth IdP and SecureAuth® Identity Platform releases.

You might find terms that apply only to certain product releases, in the Classic Experience, and in the New Experience.

A

Glossary

Access Token Lifetime

The number of hours during which an access token is valid. SecureAuth IdP generates an authorization code that is given to the client application. The application then requests an Access Token that is subsequently generated by SecureAuth IdP and given to the application. The authorization code is then discarded when the Access Token is received.

ACS / SAML Request Certificate

The Public Key of the Assertion Consumer Service (ACS) / SAML Request Certificate in Base64 format to enable SecureAuth IdP to accept a SAML assertion.

NOTE: The default page in the IIS Management Console must also be changed to SAML20idpinitACS.aspx for SecureAuth IdP to consume the SAML assertion.

Action

What happens automatically when the user does not pass the User Risk analysis. This can be one of the following:

  • Continue Adaptive Authentication: No action (analysis disabled).

  • Refuse authentication request: Immediately stop the user from continuing further in the login process.

  • Redirect to realm or URL: Redirect the user to a different site, provided in the Redirect URL field.

  • Require two-factor authentication: Require additional authentication from the user, on top of what is configured in the realm.

  • Skip two-factor authentication: Do not require authentication from the user, if configured in the realm.

  • Resume authentication workflow: Continue the user through the configured workflow.

  • Skip to post authentication: Send user straight to the post-authentication target, bypassing any additional workflow requirements.

Administrator-initiated Password Reset

Allow the help desk to reset users' passwords using SecureAuth's IdM API.

Advanced User Checks ("Advanced AD User Check" in Classic Experience)

SecureAuth IdP checks if the current account is locked or enabled, and verifies if the current password needs to be changed. If any of these checks fail, the user cannot to log in.

Allowed Groups

A list of the groups that are only allowed access to this realm.

Allowed Groups (Post Authentication - Mobile App Store)

A list of groups granted permission to view and download this application from the Mobile App Store.

Anonymous Queries ("Anonymous LookUp" in Classic Experience)

Enable the administrator to search the directory for users without supplying the username and/or password.

Appliance GUID

The appliance's Globally Unique Identifier (GUID) assigned by SecureAuth.

Appliance Host Name

The Fully Qualified Domain Name (FQDN) of the Operating System (OS) for the SecureAuth IdP appliance instance.

Application Description ("Realm Description" in Classic Experience)

The application description is for internal use only. It appears beneath the Application Name on the Summary Page in the New Experience. In the Classic Experience, it appears beneath the Page Header on the realm tile and in the realm list on the Web Admin. Administrators can write notes here to provide instructions or to briefly describe the purpose of the application / realm.

This displays in the left-side menu, under the Document Title.

Application ID

A unique ID that is required for a custom application to make calls to SecureAuth's Authentication API.

Application Key

A unique key value that is required for a custom application to make calls to SecureAuth's Authentication API.

Application Name (Data - SQL / ODBC / ASP.NET)

The name of the data store “section” in which users can be found. By default, this is "/".

Application Name ("Document Title" in Classic Experience)

The application name appears in the Application Manager list and as the title on the browser tab in the New Experience. In the Classic Experience, it appears on the admin side as well as the client side. On the admin side, this will be the header on the realm on the startup page, and will appear in the left-side menu under the Realm Name.

Application Name (Post Authentication - Mobile App Store)

The application name as it will appear in the Mobile App Store.

Application Name (Reg Methods)

The application name (target resource of the realm; for example, Salesforce) that appears on the Push-to-Accept login request.

Application Rule

A list of allowed applications or denied applications.

Application template library

Application templates are third-party application integrations that SecureAuth Identity Platform supports in cloud and hybrid deployments.

Assertion Consumer Services (ACS) ("SAML Consumer URL" in Classic Experience)

The URL provided by the Service Provider which is used to accept a SAML assertion.

Assertion Signing Certificate

Click the certificate link to download the public key certificate. This matches the company's private key certificate for appropriate assertion, and is sent to the SP to enable the integration.

Attribute Name ("Name" - Post Authentication - SAML Attributes in Classic Experience)

The specific name of the attribute. The SP requests which attributes are required and the exact names.

Audience ("SAML Audience" - Post Authentication - Classic Experience)

An optional value that is provided by the SP, and is the base domain of the application.

Audit Logs

Each audit log records all authentication events for each realm user and can be reviewed to check for any inconsistencies.

Authenticate App for iOS and Android

Provides a multi-factor authentication method for end user validation during the login process after the app is installed on a mobile device or Chromebook and then connected to the user profile.

Authenticated User Redirect ("Connection Type" in New Experience)

The target action of the realm. For example, where users are sent after they are authenticated.

Authentication Method (1.1) (Post Authentication)

The method used to authenticate the subject. This can be one of the following options:

  • urn:oasis:names:tc:SAML:1.0:am:HardwareToken: A hardware token was used to authenticate the user.

  • urn:ietf:rfc:1510: Kerberos was used to authenticate the user.

  • urn:oasis:names:tc:SAML:1.0:am:password: A password was used to authenticate the user.

  • urn:oasis:names:tc:SAML:1.0:am:PGP: PGP encryption was used to authenticate the user.

  • urn:ietf:rfc:2945: A Secure Remote Password (SRP) was used to authenticate the user.

  • urn:oasis:names:tc:SAML:1.0:am:SPKI: A Simple Public Key Infrastructure (SPKI) was used to authenticate the user.

  • urn:ietf:rfc:2246: An SSL / TLS Certificate-based Client was used to authenticate the user.

  • urn:oasis:names:tc:SAML:1.0:am:unspecified: The authentication mode is unspecified.

  • urn:oasis:names:tc:SAML:1.0:am:X509-PKI: An X.509 Public Key Infrastructure (PKI) was used to authenticate the user.

  • urn:oasis:names:tc:SAML:1.0:am:XKMS: An XML Key Management Specification (XKMA) Public Key was used to authenticate the user.

  • urn:ietf:rfc:3075: An XML Digital Signature was used to authenticate the user.

Authentication Method (Data)

The method used to the authenticate the user. This can be one of the following options:

  • Basic: The username and password are encoded in Base64 and sent in the header.

  • Cookie: SecureAuth IdP retrieves an authentication cookie from the Authentication Relative URL, and uses it in subsequent requests.

  • OAuth 2.0: The Bearer token is sent in the header.

Authentication Mode

The authentication workflow. Each mode varies in security strength and user-friction. This can be one of the following options:

  • Standard (User / 2nd Factor / Password): The typical (standard) mode utilized. The user enters username; next, completes a second factor of authentication; and then supplies the password. This order effectively mitigates attacks as the username, second factor, and password all need to be known in that order to achieve access.

  • User / Password on 1st Page (+2nd Factor): The user enters username and password on the same page, and then completes a second factor of authentication.

  • Valid Persistent Token + Registration Code: The user presents a token that was generated on a different realm, and then completes a second factor of authentication.

  • Valid Persistent Token + Reg Code + Password: The user presents a token that was generated on a different realm; next, completes a second factor of authentication; and then supplies the password.

  • Valid Persistent Token + Password: The user presents a token that was generated on a different realm, and then supplies the password.

  • User / Password on 1st Page (no 2nd Factor): The user enters username and the password on the same page.

  • UserName Only: The user enters username only.

  • Validate Persistent Token Only: The user presents a token that was generated on a different realm.

Authentication Relative URL

The endpoint used to retrieve the authentication cookie that is appended (relative) to the Base URL. This is only applicable if Authentication Method is set to Cookie.

Authentication Threshold

The percentage that the user's fingerprint (FP) ID must be higher than for a successful 2-Factor Authentication. If the user's FP ID is lower than the threshold value, another form of 2-Factor Authentication is required, such as SMS OTP, Telephony OTP, PUSH Notification, or OATH Token.

This is typically set between 90 - 100%, and must be higher than the Update Threshold.

AuthnContext Class

Additional authentication proof that may be requested by the SP.

The SP asks for certain Authentication Context Classes, which are categories that carry Authentication Context declarations (requested additional authentication information) and simplify the interpretation between SecureAuth IdP and the SP.

  • AuthenticatedTelephony: User is authenticated via the phone number, a user suffix, and a password element.

  • InternetProtocol: User is authenticated through the use of a provided IP address.

  • InternetProtocolPassword: User is authenticated through the use of a provided IP address and a username / password.

  • Kerberos: User is authenticated using a password to a local authentication authority to obtain a Kerberos ticket, which is then used for subsequent network authentication.

  • MobileOneFactorContract: User is authenticated through the device without requiring a PIN or other 2-Factor Authentication method for mobile customers with contracts.

  • MobileOneFactorUnregistered: Device is authenticated, but not the user for mobile customers without contracts.

  • MobileTwoFactorContract: Device is authenticated based on the contracted customer's registration procedures as well as a second factor method.

  • NomadTelephony: A "roaming" user is authenticated via the phone number, a user suffix, and a password element.

  • Password: User is authenticated with a password over an unprotected HTTP session.

  • PasswordProtectedTransport: User is authenticated with a password over a protected HTTP session.

  • PersonalTelephony: User is authenticated through a fixed-line telephone number and a user suffix.

  • PreviousSession: User is authenticated at some point in the past using any authentication mechanism.

  • SecureRemotePassword: User is authenticated via a Secure Remote Password, which is an augmented password-authenticated key agreement.

  • SmartcardPKI: User is authenticated via a smartcard with enclosed private key and a PIN.

  • SoftwarePKI: User is authenticated with an X.509 certificate stored in software.

  • SPKI: User is authenticated via a digital signature validated by a Simple Public Key Infrastructure (SPKI).

  • Telephony: User is authenticated via a telephony protocol.

  • TimeSyncToken: User is authenticated through a time synchronization token, which generates a unique value that changes at regular intervals.

  • TLSClient: User is authenticated via a client certificate that is secured with the Transport Layer Security (TLS) transport.

  • Unspecified: User is authenticated by unspecified means.

  • X509: User is authenticated via a digital signature validated by an X.509 Public Key Infrastructure (PKI).

  • XMLDSig: User is authenticated via a digital signature according to the rules of the XML Digital Signature specification.

Authorization Code

SecureAuth IdP, as the authorization server, creates an authorization code after the user authenticates that is presented to the client application. The client application then requests an access token, which is then generated by SecureAuth IdP to grant the user access.

Authorization Code Lifetime

The number of minutes during which an Authorization Code is valid. The client uses the Authorization Code to request an Access Token. If the Authorization Code expires, then the workflow restarts to generate a new one.

Auto Accept User Consent

Whether users are prompted to grant consent to a client for a given request, or if acceptance is assumed granted and tokens are issued.

Auto Authorize

Whether the client application must request consent to access data or if it can bypass the step and automatically pull information for access. The remaining fields in the OpenID Server section are the information that the application can pull with or without consent, based on the selection made.

Auto-Submit When One Avail

Enable SecureAuth IdP to auto-submit a 2-Factor option response when a user has only one option available.

Aux ID 1 - Aux ID 10

The SecureAuth IdP Auxiliary Properties that are mapped to directory fields containing user information.

B

Glossary

Base URL

The root URL of the User Risk integration instance. For example, Sailpoint or Exabeam.

Bearer

The Bearer token value, which is like a shared secret, that is used for authentication.

This is only applicable if Authentication Method is set to OAuth 2.0.

Begin Site

If True is selected from the Require Begin Site field, then select the type of Begin Site that is required for this realm. The options are:

  • Basic Authentication: SecureAuth IdP consumes a basic authentication from an application and extracts the user ID and password from a Base64 string in an authorized header. The user is not required to enter the username or password on the subsequent SecureAuth IdP login pages.

  • Certificate Finder V1: SecureAuth IdP searches for a Java certificate and extracts the user ID from it. The user is not required to enter the username on the subsequent SecureAuth IdP login pages.

  • Certificate Finder V2: Same as Certificate Finder V1, but includes a master page that resembles the login page theme to alert users that SecureAuth IdP is checking for a certificate.

  • Cisco ISE (pxGrid): SecureAuth IdP consumes user credentials from Cisco ISE login and uses the information to further validate the user.

  • Client Side SSL: Forces the browser to request a certificate before the user provides any information to enable access.

  • Fingerprint Finder: SecureAuth IdP searches for a Fingerprint cookie and extracts the user ID from it. The user is not required to enter the username on subsequent SecureAuth IdP login pages.

  • Form Post: SecureAuth IdP receives a form post from an application and extracts the user ID, password, and shared secret. The user is not required to enter the username or password on subsequent SecureAuth IdP login pages.

  • Multi-workflow: SecureAuth IdP utilizes the directory integration(s) and workflow configuration from multiple realms to redirect users to the appropriate post-authentication target based on in which data store they are located.

  • Native Certificate Finder: SecureAuth IdP accesses the browser's certificate store (IE only) to extract the native certificate, which is then used as the user's ID. The user is not required to enter the username on subsequent SecureAuth IdP login page.

  • Check JRE: For Cisco ASA integrations, SecureAuth IdP checks to see if user has Java installed as required for the integration.

  • Windows SSO: Enable the use of Windows Desktop Single Sign-on (SSO) to immediately and securely access resources via Kerberos-based authentication.

  • Windows SSO (skip workflow): Same as Windows SSO, but skips any configured workflow, e.g. 2-Factor Authentication.

  • Custom: Any begin site not listed in the dropdown. A custom URL is required in the Begin Site URL field.

Begin Site URL

The URL on which users land before the SecureAuth IdP login pages. This is auto-populated when a pre-configured Begin Site is selected from the Begin Site field, or can be a customized URL when Custom is selected.

C

Glossary

Cache Lockout Duration

The number of minutes during which SecureAuth IdP disables the use of Time-based Passcodes tokens for a locked account.

Cert Count

The number of certificates stored in a user's profile.

Certificate Expiration

The basis on which the certificate expires. The options are:

  • Password Expiration Date: The certificate expires when the user's password expires.

  • Private Mode Cert Length: The certificate expires based on the length of time entered in the Private Mode Cert Length field.

Certificate Key Identifier

The hashing algorithm used for certificate signing requests. The options are:

  • Capi Sha1

  • Sha1

Certificate URL

The certificate URL which is auto-populated if using WSE 3.0. If using WS 2.0, this must be set with SSL.

Certificate Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to issue a certificate. Set to False if using a Proxy.

Certificate Valid Until

For how long the certificate is valid. The options are:

  • Cert Expiration Date: The certificate is valid up until before the expiration.

  • Private Mode Cert Length: The certificate expires based on the length of time entered in the Private Mode Cert Length field.

Cert Rev

Revoke the certificates stored in a user's profile.

  • Select Certificate: Select a certificate from the server's certificate store.

Cert Serial Nbr

The licensing certificate of the appliance.

Challenge Question (Post Authentication - Create User / Help Desk)

The challenge question used for the Help Desk 2-Factor Authentication method. When users employ the Help Desk mechanism, the admin asks a knowledge-based question to the user to validate the identity before providing a one-time password (OTP). See also KB Questions.

Change Password SP

The Change Password Stored Procedure (SP) name in the database.

Check CRL

The action taken if Certificate Revocation List checking is enabled. The options are:

  • Disabled: Do not check the CRL.

  • Fall Back to 2nd Factor: Check the CRL. If the certificate is invalid, then the system automatically performs 2-Factor Authentication to validate the certificate.

  • Display Error Message: Check the CRL and bring the user to a hard stop if certificate is invalid.

Claim

Additional profile data that is sent to client applications within the JSON Web Token (JWT). The listed Claims are options that would be requested by the client application. If an unlisted Claim needs to be included, you can add it in the Custom Claims section.

Clean Up Pre-Auth Cookie

Whether or not to remove the Pre-Auth Cookie after authentication.

Client Cert Serial Nbr

The certificate serial number of the SecureAuth IdP appliance to identify itself to the hosted facility when making the WSE 3.0 / WCF web service request.

Client Credentials

Enable communication between the client application and SecureAuth IdP utilizing the Client ID and the Client Secret.

Client FQDN

Enable an enterprise to set a Fully Qualified Domain Name (FQDN) as the client point of termination for SecureAuth IdP validation.

Client ID (Data - Azure AD)

The Client ID of the Native Client Application (configured on Azure AD).

Client ID (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

The Client ID is created automatically by SecureAuth IdP to be shared with the client application for authorization. This is similar to a user ID.

Client ID (Reg Methods - Facebook / Google / Windows Live / LinkedIn)

The Client ID assigned by Facebook / Google / Windows Live / LinkedIn to the user's application.

Client Secret (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

The Client Secret is created automatically by SecureAuth IdP to be shared with the client application for authorization. This is similar to a password.

Client Secret (Reg Methods - Facebook / Google / Windows Live / LinkedIn)

The shared secret assigned by Facebook / Google / Windows Live / LinkedIn to the company's application.

Client Side Control

The credential used in the realm workflow for the user. The options are:

  • Java Applet: Stores the SecureAuth IdP X.509 certificate in the JRE managed code file set.

  • Browser Plug-ins: Utilizes the native key store for certificate storage.

  • Universal Browser Credential (deprecated): Utilizes a difficult-to-remove cookie that is written to multiple locations on the client.

  • Device / Browser Fingerprinting: Rather than a cookie or certificate being placed on the device or browser, SecureAuth IdP can pull unique characteristics from the device or browser and create a fingerprint that is utilized for low-friction authentication.

Clock Skew

The number of minutes that SecureAuth IdP subtracts from the NotBefore SAML condition to account for any time difference between SecureAuth IdP and the Identity Provider.

Company GUID

The company's Globally Unique Identifier (GUID) assigned by SecureAuth present on all company's SecureAuth IdP appliances.

Connection Mode

How SecureAuth IdP and the directory connect. The options are:

  • Secure: Enable a secure LDAP connection on Port 389, using NTLMv2.

  • SSL: Enable a secure connection on Port 636, but uses Secure Socket Layer technology, which relies on certificates.

  • Standard: Enable a standard LDAP connection on Port 389 that uses basic authentication (plain text).

Connection String (Data - Membership Connection Settings - LDAP)

How SecureAuth IdP communicates with LDAP or Active Directory data stores and is built from the domain name and auto populated by clicking Generate LDAP Connection String.

Connection String (Data - Membership Connection Settings - Oracle)

The Oracle Database connection string, which is used to enable communication between the database and SecureAuth IdP. It should be in the following format with the company's own values:

Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1522)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=[DBName]))); User Id=[username];Password=[password]

Connection String (Data - Membership Connection Settings - SQL / ODBC / ASP.NET)

The SQL / ODBC / ASPNETDB connection string, which is used to enable communication between the data store and SecureAuth IdP. It is generated by clicking Generate Connection String, which utilizes the information provided in the previous fields; or check Custom Connection String to create a custom connection string.

Connection String (Data - Profile Connection Settings - Directory Server)

How SecureAuth IdP communicates with LDAP or Active Directory data stores and is built from the domain name.

Connection String (Data - Profile Connection Settings - SQL / ODBC / ASP.NET)

The SQL / ODBC / ASPNETDB connection string, which is used to enable communication between the data store and SecureAuth IdP. It is generated by clicking Generate Connection String, which utilizes the information provided in the previous fields; or check Custom Connection String to create a custom connection string

Connection String (Logs - Log Database)

How SecureAuth IdP communicates with the database logs. This field is auto-populated by clicking the Generate Connection String button.

Connection Timeout

The number of seconds permitted to query the log database and generate the results on the Reporting Page before the connection times out.

Connection Type ("Authenticated User Redirect" in Classic Experience)

Specifies how the service provider will send the authentication request to SecureAuth IdP, either SP- or IdP-initiated.

This configuration can't be modified in the Classic Experience.

Connection Type ("Type" in Classic Experience)

The company's enterprise data store. The options are:

  • Active Directory: Active Directory (AD) is a Microsoft directory service that was developed for Windows domain networks that uses either the sAMAccountName attribute or userPrincipalName (UPN) attribute for the logon name.

  • SQL Server: A SQL Server is a database server that utilizes the Structured Query Language (SQL).

Consent Storage Attribute

Client applications request to access certain information from the user's profile in the data store. The user must consent to these requests before continuing the workflow.

Determine which SecureAuth IdP Property stores the user's consent to avoid requesting it with every login. This consent can be revoked in the directory at any time.

Cookie Length

The number of hours during which the cookie is valid.

Custom Error Redirect

To where users are redirected when an error occurs if On or Remote Only is selected from the Custom Errors field.

Custom Errors

Redirect users to a different page when an error occurs rather than the defaulted error page that the webpage provides.

  • On: Redirect users to a custom error page.

  • Off: Do not redirect users to a custom error page.

  • Remote Only: Redirect only remote users to a custom error page.

Custom URL Schemes

The URL scheme of the native mobile app. For example, app1:/. Applicable for multi app and multi app groups check integrations only.

D

Glossary

Dashboard in SecureAuth® Identity Platform

Intelligence dashboard provides real time visibility to key metrics, insights into total number of logins, and a break down of logins by system, applications, data stores, and use of multi-factor method options.

Data Format

How the information is stored in a data store. The options are:

  • Plain Text: Stored as regular text, readable (default).

  • Standard Encryption: Stored and encrypted using RSA encryption.

  • Advanced Encryption: Stored and encrypted using AES encryption.

  • Standard Hash: Stored and encrypted using SHA 256 hash.

  • Plain Binary: Stored as a binary representation of the data (uses a .NET library to make it binary – may not be readable by all applications).

  • JSON: Stored in a universal format, readable by all applications (similar to Plain Text).

  • Encrypted JSON: Stored as JSON, with values inside encrypted using AES encryption.

Data Server ("Connection Type" in New Experience)

The data store from which to pull profile information.

Data Store Property ("Value" in Classic Experience)

The SecureAuth IdP Property that includes the attribute required. The options are Data Store properties which point to fields in the directory. This information is provided by the SP as it expects the attribute to be delivered a certain way.

DC Exclusions

Used to simplify the user ID for logging in. For example, set to DC=com,DC=local to make the user ID domain/username rather than the full name.

Debug Logs

Debug logs can record database operations, system processes, and errors that occur during the authentication workflow, and can be reviewed to check for any inconsistencies.

Decryption Key

The Decryption Key is stored in the web configuration file and must match the decryption key on the client application for SSO.

Delimiter (XOR)

The delimiter is used with the Shared Secret to encrypt the user ID, and is typically a symbol, such as a colon, semicolon, or quotation mark.

Denied Groups

A list of the groups that are denied access to this realm.

Denied Groups (Post Authentication - Mobile App Store)

A list of groups not granted access to view or download the application from the Mobile App Store.

Digital Fingerprints (Device / Browser Fingerprints)

SecureAuth IdP can collect client-unique information (digital fingerprints) from the end-user's device or browser and store it in the user profile in the directory. When the end-user utilizes the same device (or browser) to log in to SecureAuth IdP again, the current client-unique information (a new fingerprint) will be collected and compared with the previously registered fingerprint(s) for authentication. If one existing fingerprint matches the current fingerprint with an acceptable Authentication Threshold score, then the end-user will not be required to undergo additional 2-Factor Authentication (OTP).

Disallowed Keywords

The list of keywords that cannot be used.

Displayed Name

For some target resources, such as the Secure Portal, the user's name can be displayed on the page. Administrators then select which username will be displayed from the dropdown provided.

The following options correspond to the attributes mapped to the SecureAuth IdP Properties in the Data tab:

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

These options are created from factors other than or in addition to the SecureAuth IdP Profile mapping:

  • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.

  • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

    These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

Display Timeout Message

How to alert the user when their session has expired. The options are:

  • Display Timeout: Display a message that alerts the user that the session has timed out.

  • Auto Restart: Automatically restart the page upon session expiration to prompt user to re-authenticate session.

  • Disabled: Do nothing until user interacts with the page, and then send them to re-authenticate the session.

DN Mapping

The SecureAuth IdP Property that contains the distinguishedName (DN).

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.

Document Title ("Application Name" in New Experience)

The document title is shown on the admin side as well as the client side. On the admin side, this will be the header on the realm on the startup page, and will appear in the left-side menu under the Realm Name.

On the client side, this will be displayed on the browser's tab.

Domain (Data - Membership Connection Settings - LDAP) ("Source Domain" in New Experience)

The domain name of the directory.

Domain List

Auto-populated by the information from the Create using this realm and Workflow Options fields, and contains a list of the workflow realm domain names.

Domain (Overview - SMTP)

The domain name if the SMTP requires one for authentication purposes.

Domain (Post Authentication - Forms Authentication)

The domain name. The administrator can combine realms by entering a common domain name that generates a valid token that can work in different spaces (SSO). If this field is blank, the appliance domain becomes the default.

Domain (Post Authentication - SAML Assertion / WS Federation)

The domain of the SecureAuth IdP application. The full URL of the Public Server Address is required to download the Metadata File.

E

Glossary

Email Field 1 - Email Field 4

Select the type of authentication option(s) available for use for the email addresses mapped to the Email 1 - Email 4 Properties in the Data tab.

  • Enabled (HTML): Enable HTML emails to be used for the one-time password (OTP) delivery to the specified email for 2-Factor Authentication.

  • Enabled (TEXT): Enable TEXT emails to be used for the one-time password (OTP) delivery to the specified email for 2-Factor Authentication.

  • Disabled: The email option with this option selected is not used for any one-time password (OTP) delivery for 2-Factor Authentication.

Email Notification (Post Authentication - Create User)

Send a generic email to the user after a successful creation has been completed.

Email Notification (Workflow - Expired Certificate Warning)

Enable a Windows service email notification system that warns users of certificate expiration.

Email Password Mapping

The SecureAuth IdP Property that is mapped to the attribute that contains the Google Apps Email password.

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • PIN: The user's static Personal Identification Number (PIN).

  • KB Question: The user's Knowledge-based Questions (e.g. "In what city did you grow up?").

  • KB Answer: The user's Knowledge-based Answers (e.g. Chicago, IL).

  • Cert Serial Number: A certificate that is generated by SecureAuth IdP and stored in the directory.

  • Cert Reset Date: The certificate revocation date. Certificates that are delivered before this date are invalidated

  • Certificate Count: How many certificates the user has stored in the profile. The maximum amount of certificates allowed per user can be configured in the Workflow tab.

  • Mobile Reset Date: The Mobile cookie revocation date. Cookies that are delivered before this date are invalidated.

  • Mobile Count: How many Mobile cookies the user has stored in the profile.

  • Ext. Sync Password Date: The date on which the Google Apps and enterprise directory passwords need to synchronize.

Enable / Disable User

Enable administrators to disable active user accounts, or enable disabled user accounts from the Help Desk page.

Enable FBA WebService

Enable or disable the appliance calling the SecureAuth Web Services to gather information.

Encode to Base64

Enable Base64 encoding of the username. This is necessary if the SP requires it.

Encryption Attribute ("Search Attribute" in Classic Experience)

The ID that SecureAuth IdP uses to search the directory for the user.

Encryption Cert

The public key provided by the SP. The SP keeps and maintains the private key.

Encrypt Password (Java Only)

For Java products only. When users enter their passwords, the passwords are encrypted using the Java Applet and sent to the SecureAuth IdP server as an encrypted string rather than as plain text.

Encrypt SAML Assertion

For additional security, enable SecureAuth IdP to encrypt the SAML assertion that is sent to the SP.

Encrypt Token

Encrypt the token sent from SecureAuth IdP to the application that contains the authenticated user ID and other profile attributes. Applicable for single and multi app integrations.

Error Logs

Error logs record all warnings and errors during the authentication workflow, and can be reviewed to check for any inconsistencies.

EULA

The URL for the company's end-user license agreement.

Expired Certificate Warning

Enable email notifications that warn users that their certificates will expire.

Extended Attribute Format

The format in which the Extended Attribute is delivered to the SP.

The SP expects the Extended Attribute to be delivered a certain way to provide the appropriate response. The options are:

  • Basic: Send Extended Attribute in Basic format.

  • URI: Send Extended Attribute in URI format.

  • Unspecified: The format is unspecified.

Extended Attribute Name

The specific name of the Extended Attribute. The SP specifies which attributes are required, and the name must match the name specified by the SP.

Extreme / High / Medium / Low Risk

For IP Reputation / Threat Data analysis, select specific Failure Actions for each risk level, based on the generated risk score.

  • Hard Stop: Immediately stop the user from continuing further in the login process.

  • Redirect: Redirect the user to a different site, provided in the Redirect URL field.

  • 2-Factor: Send the user through 2-Factor Authentication, where the identity can be confirmed, or an attacker can be stopped.

  • Step Up Auth: Require additional authentication from the user, on top of what is configured in the realm.

  • Step Down Auth: Do not require authentication from the user, if configured in the realm.

  • Resume Auth: Continue the user through the configured workflow.

  • Post Auth: Send user straight to the post-authentication target, bypassing any additional workflow requirements.

F

Glossary

Failover

In case of a system failure, SecureAuth IdP can seamlessly switch to a configured backup server to prevent disruptions in service.

Failure Action

What happens automatically when the user does not pass the specific Adaptive Authentication analysis. The options are:

  • Hard Stop: Immediately stop the user from continuing further in the login process.

  • Redirect: Redirect the user to a different site, provided in the Redirect URL field.

  • 2-Factor: Send the user through 2-Factor Authentication, where the identity can be confirmed, or an attacker can be stopped.

  • Step Up Auth: Require additional authentication from the user, on top of what is configured in the realm.

  • Step Down Auth: Do not require authentication from the user, if configured in the realm.

  • Resume Auth: Continue the user through the configured workflow.

  • Post Auth: Send user straight to the post-authentication target, bypassing any additional workflow requirements.

FF JRE Download

The Firefox Java Runtime Environment (JRE) Plugin URL.

FF Plugin Download

The Firefox Plugin URL.

Field

The field from the enterprise data store where the requested properties are located. SecureAuth IdP includes some common out-of-the-box Active Directory values; however, the data may be located in different fields.

Field Count

How many of the Show Enabled fields are required to be filled out by the user on the Self-service Account Update page.

  • 0 - 10: 0 - 10 fields are required to be filled out by the user.

Force Frame Breakout

If a web page is utilizing an iFrame, then enable the SecureAuth IdP webpages to break out into its own page rather than staying within the first web page.

Forgot Password URL

A client-side link that takes users to the Forgot / Reset Password realm, which can be configured in the Post Authentication tab. Here, users can retrieve lost passwords securely.

Forgot Username URL

A client-side link that takes users to the Forgot Username realm, which can be configured in the Post Authentication tab. Here, users can retrieve lost usernames securely.

FP Expiration Length

The number of days the fingerprint is valid. For example, if the expiration length is set to 10 days, then the user's fingerprint expires in 10 days, no matter how often it is used.

FP Expiration Since Last Access

The number of days the fingerprint is valid since last usage.

For example, if this is set to 10 days, then the user's fingerprint expires if it is not used during the 10 days since it was last employed.

FP Mode (Workflow - Digital Fingerprinting - Mobile Settings)

Elect whether to deliver a cookie to the device or browser, or to pull unique IDs from the mobile devices using the SecureAuth Device Recognition App (iOS and Android mobile app) and deliver them to match the fingerprint (FP) ID in the directory.

  • Cookie: Deliver a cookie to the device.

  • Mobile App: Deliver the UDID (pre-iOS 5) or the Advertiser ID (iOS 5+) for iOS; or the Device ID and a combination of the Model Name and OS Version for Android (requires the Device Recognition App).

FP Mode (Workflow - Digital Fingerprinting - Normal Browser Settings)

Elect whether to deliver a cookie to the browser that corresponds to the fingerprint (FP) in the data store.

FP's Access Records Max Count

The number of Fingerprint (FP) entries to save to each stored fingerprint profile.

G

Glossary

Geo-velocity

Geo-velocity analyzes the user's location based on the initial and subsequent IP Addresses and computes physical speed calculated from the difference between the two IP Address locations.

For example, if a user logs in from New York and then logs in an hour later from China, SecureAuth IdP automatically responds with an appropriate Failure Action if the calculated velocity is greater than the MPH (miles per hour) Limit.

Get Profile Relative URL

The endpoint used to get user profiles that is appended (relative) to the Base URL.

Get Profile SP

The Get Profile Stored Procedure (SP) name in the database.

Get Shared Secret (1 - 223)

The Shared Secret that is sent to SecureAuth IdP, which is provided by the Service Provider (SP).

Get User SP

The Get User Stored Procedure (SP) name in the database.

Global Cert Limit

Limit the number of certificates that a user can have active in the directory. Once the user has surpassed the limit, the user needs to call Help Desk to resolve the issue.

Global Mobile Limit

Limit the number of mobile cookies that a user can have that are active in the directory. Once the user has surpassed the limit, the user needs to call Help Desk to resolve the issue. Applicable for Mobile Enrollment and Validation realms.

Group

The groups to which the user belongs.

Group Filter Expression (Post Authentication - Extended SAML Attributes)

Filter the Extended Attribute value(s) by including groups that match the specified regular expression, such as "sp-*". Instead of sending over all of the group names, this RegEx enables SecureAuth IdP to send over only those that match the pattern.

Group Filter Expression (Post Authentication - SAML Attributes)

Further filter the attribute by including groups that start a certain way, such as "sp-*". Instead of sending over all of the group names, this RegEx enables SecureAuth IdP to send over only those that are necessary.

Group List (Post Authentication - Create User)

The list of groups to which the user belongs.

Group List (Workflow - Adaptive Authentication - User / Group Restriction)

The list of user groups that are either allowed or denied based on the selection made from the dropdown.

  • Allow: Only the list of user groups provided can access the realm.

  • Deny: The list of user groups provided cannot access the realm.

Group Name(s)

The list of user groups that are allowed or denied access based on the selection from the Validation Type field. Applicable for multi app and multi app groups check integrations only.

Groups Field

The field in the directory that corresponds to a user's groups.

H

Glossary

Help Desk Page

The Help Desk (Account Management) Page enables administrators and help desk teams to modify and update user profiles.

High Risk

The risk score range that classifies as high risk.

  • To: The range is from the set amount to infinity.

  • From: Set the range threshold.

HTTP Headers

The components of HTTP Headers that factor into the device fingerprint. Set the weight values for each HTTP Header component and for the System Components to equal a total of 100%.

  • User-Agent: The user agent string (identification) of the user agent.

  • Accept: The Content-Types that are acceptable for the response.

  • Accept CharSet: The character sets that are acceptable.

  • Accept Encoding: The list of acceptable encodings.

  • Accept Language: The list of acceptable human languages for response.

Hybrid

The workflow that is a combination of the Authorization Code and Implicit workflows that allows to request a combination of identity token, access token and code via the front channel using either a fragment encoded redirect (native and JS based clients) or a form post (server-based web applications).

I

Glossary

Identity Provider Name

A friendly name that appears in the Web Admin for future reference.

Idle Timeout Length

The boundaries within which a user needs to interact with the site before the session is expired and needs to be re-authenticated.

IdP Issuer ("WSFed / SAML Issuer" in Classic Experience)

The SAML ID of the Identity Provider (IdP). This can be any value as long as it's consistent on both sides, as the Issuer must match on the IdP and SP side exactly.

IE ActiveX

The Internet Explorer (IE) ActiveX version number.

IE JRE Download

The Internet Explorer Java Runtime Environment (JRE) Plugin URL.

IE / PFX / Java Cert Type

The certificate types based on the selection from the Client Side Control field.

  • 1024-bit Public Key: A public key with a key size of 1024-bit.

  • 2048-bit Public Key: A public key with a key size of 2048-bit.

  • Personal Certificate Only (1024-bit Public Key): A user certificate only with a key size of 1024-bit.

  • Machine and Personal Certificates (1024-bit Public Key): User and device certificates with key sizes of 1024-bit.

  • Personal Certificates Only (2048-bit Public Key): A user certificate only with a key size of 2048-bit.

  • Machine and Personal Certificates Only (2048-bit Public Key): User and device certificates with key sizes of 2048-bit.

If Mobile, Redirect To

Redirect users to different realms if SecureAuth IdP detects a mobile or a web browser. Select the SecureAuth IdP Realm configured specifically for mobile browsers to where users are redirected if using mobile devices.

Implicit Workflow

The workflow that enables SecureAuth IdP to generate an access token immediately after user authentication (without an authorization code) that is given to the client application.

Inbound SCEP Request

Enable SecureAuth IdP to provide certificates that are requested by an application. For example, MobileIron VSP.

Include SAML Conditions

Enable SecureAuth IdP to include SAML conditions in the SAML assertion. The SP requests this if it is necessary.

Initial Catalog (Data - SQL / ODBC / ASP.NET)

The database name when the connection is opened.

Initial Catalog (Logs - Logs Database)

The name of the logging database.

Inline Initialization

Redirect users to the self-service page to provide missing information, and then redirect them back to the Post Authentication action once the data has been provided.

Check the options for which Inline Initialization is enabled:

  • Missing Phone: Enable Inline Initialization for Missing Phone number.

  • Missing Email: Enable Inline Initialization for Missing Email address.

  • Missing KB Answers: Enable Inline Initialization for Missing Knowledge-based Answers.

  • Missing PIN: Enable Inline Initialization for Missing PIN.

Inline Password Change

Elect whether users can change their expired passwords during the workflow.

  • Enabled: Users can change their password during login and be redirected back to the target resource after the password is changed.

  • Disabled: Users cannot log in until they change their password in the self-service password reset realm.

  • Password Settings: Customize the password reset settings for the realm.

Integrated Security (Data - SQL / ODBC / ASP.NET)

Enable the use of the IIS app pool's service account for connection to the database and is a part of the connection string.

Integrated Security (Logs - Log Database)

Enable the use of the webpage's ID for connection to the database and is a part of the Connection String.

Integration Method

The device limitation and functionality of the client. The options are:

  • Certificate Enrollment and Validation: Used for standard web-based user workflows.

  • Certificate Enrollment Only: Used for X.509 Certificate Enrollment, when a certificate must be provisioned on a user's device.

  • Mobile Enrollment and Validation: Designed for legacy browser support on all devices, e.g. IE 6 and below.

Introspection

The workflow in which a previously-issued access token (from SecureAuth IdP) is sent to the Introspection endpoint at which SecureAuth IdP states whether it is still valid, along with expiration and scope information.

Invalid Persistent Token Redirect

To where users are redirected if their persistent token is invalid. For example, another realm.

IP Addresses

List of the allowed or denied IP Addresses that is based on the IP Address Rule selected.

IP Address Rule

Create a list of allowed IP Addresses or denied IP Addresses.

IP Blocking

Block IP Addresses by country by using the Configure IP Blocking setting.

IP Blocking URL

The IP Blocking URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

IP Blocking Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to retrieve IP-to-Country data.

  • True: Use WSE 3.0 / WCF.

  • False: Use WS 2.0 with SSL.

IP / Country Restriction

Allows or denies specific IP Addresses or country codes from accessing the realm.

IP List

The list of IP Addresses that are either allowed or denied based on the selection made from the dropdown.

  • Allow: Only the list of IP Addresses provided can access the realm.

  • Deny: The list of IP Addresses provided cannot access the realm.

  • IP List can be in one of the following formats, separated by comma:

  • Specific IP, for example: 72.32.245.182

  • CIDR Notation, for example: 72.32.245.0/24

  • IP range, for example: 72.32.245.1-72.32.245.254

The final IP List can be: 72.32.245.182,72.32.245.0/24,72.32.245.1-72.32.245.254

IP Risk Factor / IP Reputation / Threat Data

Utilizes threat intelligence system to detect risk, sent in a Risk Level Score.

IPSec Profile Update

Enable IPSec Profile Update to add IPSec Profile / Host Pairs.

  • Enabled: Enable IPSec Profile Update.

  • Disabled: Do not enable IPSec Profile Update.

Issued Cert SN

The certificate serial number provided by Symantec.

IssueInstant Valid Time

The number of hours during which the SAML assertion to SecureAuth IdP is valid. Applicable if not enabling SAML Conditions.

Issuer

The name of issuer that must be unique and is commonly in a URL format. This name displays in the iss claim within the JSON Web Token (JWT).

J

Glossary

Java Applet

The Java Applet version number.

Java Applet for JRE 7

The Java Applet for Java Runtime Environment (JRE) 7 version number.

Java Applet for JRE 8

The Java Applet for Java Runtime Environment (JRE) 8 version number.

Java Applet Load Failure Fallback

Applicable when SecureAuth IdP fails to launch the Java Applet. From here, elect whether the user falls back to Public Mode, Universal Browser Credential Mode, Cookie Mode, or the user is denied access.

Java Applet Wait

How long SecureAuth IdP waits for the Java Applet to initiate.

Java Detection

Enable SecureAuth IdP to check for Java presence.

Java Security Mode

Set the security level for the certificate storage. If set to zero (0), then a certificate can be transferred from one system to another; if set to four (4), then the certificate cannot be copied at all.

Java Timeout

Add time to wait for Java to respond. If no Timeout is set, or if Java does not respond during the allowed time period, then an error is presented.

JRE 7 Version

The Java Runtime Environment (JRE) 7 version number.

JRE Install Path

The Java Runtime Environment (JRE) Installation path, where SecureAuth IdP looks to retrieve the JRE if it is not already on the client machine.

JRE Install Path

The Java Runtime Environment (JRE) version number.

JSON Web Encryption

Enable the encryption of JSON Web Tokens (JWTs). This feature requires that the client requesting the encrypted JWTs to provide the X.509 public key via a JSON Web Key URI.

JSON Web Key URI

The URL at which the JSON document that is published with the public key information can be accessed. Applicable if Enabled is selected from the JSON Web Encryption field.

K

Glossary

KB Conversion

Enable SecureAuth IdP to convert knowledge-based questions to certificate-based encryption from Base64 encoding.

KB Format

How the knowledge-based questions and answers are formatted and stored in the directory. The options are:

  • Base64: This method allows the binary data to be stored as text. This can be easily decoded back.

  • Encryption: This method allows the encrypted data to be stored as text. This setting is more secure since requires decryption to decode the data.

KBQ Count

The number of knowledge-based questions to display. The user is not required to answer all; the required field are set in the Number of Answers field.

  • 1 - 6: Display 1 - 6 knowledge-based questions.

KBQ - KBA

The user's knowledge-based questions and answers used for 2-Factor Authentication.

KB Questions

KB (knowledge-based) Questions lets a Help Desk staff member verify an end-user's identity by asking a question only that user can answer. See also Challenge Question.

Key Value

The shared secret for the encryption key that enables communication between SecureAuth IdP and the SP. The Key Value must match on both sides.

L

Glossary

Link Function / Behavior

For the Native Certificate Enrollment Page, select the action to be taken after the enrollment is finalized.

  • Custom URL: The user is redirected to a custom URL that is provided in the Link URL field.

  • Close All Browsers: The default mode that closes all browser windows after completion. This may require browser plug-ins.

Links Shown on Portal Page

Select the realms to which the Portal Page points. SecureAuth IdP then creates hyperlinks for the realms that are checked to be displayed on the Portal Page.

Link URL

The URL link for the Enrollment Complete Page if Custom URL is selected from the Link Function / Behavior field.

Live Site ID

The Live Site ID provided by Microsoft in the welcome email.

Live Site URL

Where the user lands after authentication. Possible destinations are:

  • http://home.live.com/default.aspx?wa=wsignin1.0&lc=1033

  • http://workspace.office.live.com

  • http://spaces.live.com/?lc=1033

  • http://skydrive.live.com/home.aspx?provision=1

Lock User (after max attempts)

Lock user accounts upon reaching the maximum number of failed authentication attempts.

Lock User SP

The Lock User Stored Procedure (SP) name in the database.

Login for Endpoints, Windows and Mac

Adds SecureAuth’s multi-factor authentication to the Windows and Mac desktop and remote server login experience after the application is installed.

Login Request Timeout

For how long the Push-to-Accept login request is valid for the user to accept or deny.

  • 1 Minute - 5 Minutes: Choose between 1 and 5 minutes.

Login Seconds

The number of seconds allowed between the SecureAuth IdP authentication session and the Live@Edu session. It is defaulted to 5 seconds.

Log Instance ID

Used to mark log sets that are associated with this realm. Typically, it is the same name as the realm (SecureAuth1, SecureAuth2, etc.).

Login URL

The page where the user is sent when the token has expired and a new one needs to be created. For example, another SecureAuth IdP realm.

Low Risk

The risk score range that classifies as low risk.

  • To: The range is from the set amount to the Medium Risk From amount.

  • From: Set the range threshold.

LTPA Token Name

The name of the Lightweight Third-Party Authentication (LTPA) Token, used for access into Domino and Lotus Notes. The SP provides the Token Name.

M

Glossary

Mask Password

Elect to hide the password.

Match FP ID in Cookie

Require the fingerprint ID from the cookie to be presented and then matched to a fingerprint ID in the directory, with an acceptable Authentication Threshold score.

Max Device Count

Limit the number of devices that can receive Push Notifications and Push-to-Accept login requests. For no limit, set to -1.

Max Invalid Password Attempts

The maximum number of failed password entries a user is allowed before the account is locked.

Max Length for KBA

The maximum number of characters of which the knowledge-based answers can be composed.

Max Length for OTP

The maximum number of digits of which a one-time passcode can be composed.

Max Length for Password

The maximum number of characters of which a password can be composed.

Max Length for User ID

The maximum number of characters of which a user ID / username can be composed.

Medium Risk

The risk score range that classifies as medium risk.

  • To: The range is from the set amount to the High Risk From amount.

  • From: Set the range threshold.

Metadata File

The Metadata File is essentially what makes SAML work, and enables the secure transaction between SecureAuth IdP and the SP. Download the SAML Metadata File to upload it to the SP for automated configuration.

Mobile Credential Length

The amount of hours during which the Mobile certificate is valid. Applicable for Mobile Enrollment and Validation realms.

Mobile Identifiers

Common keywords that are used to identify mobile devices and browsers. SecureAuth IdP searches for these values in headers and would then redirect the user to realm selected from the Web / Mobile Transfer Site field.

NOTE: The IIS URL rewrite located in the IIS Management Console can also be utilized to configure this function.

Mobile Rev

Revoke mobile tokens / cookies stored in a user's profile.

Multi App

The integration of multiple native mobile applications in a single realm with the same workflow, directory integration, registration methods, etc.

Multiple Certs per User

Enable the email notifications to notify users of all certificates.

Multi-workflow Realms

The multi-workflow realms created by the information provided, and is auto-populated.

Must Change Password

Require the user to change the password entered in the previous field on next login.

  • True: Require the user to change password.

  • False: Do not require the user to change password.

Must Change Password at Next Login

Select whether the user must change the password on the next attempted login. This is useful when using Administrative Password Reset to change it from the randomized password to one that the user selects.

  • True: Require the user to change password at next login.

  • False: Do not require the user to change password at next login.

Must Contain How Many of the Following

Using the remaining Password Complexity section fields, specify which character sets must be used to create passwords. For example, if 2 is set, then the password must contain at least one (depending on the requirements listed in each of the fields) digit, symbol, uppercase letter, or lowercase letter, and at least one (1) of the characters not used for the first requirement, e.g. P@SSWORD (at least one uppercase letter and one symbol); if 4 is set, then the password must contain at least one (depending on the requirements listed in each of the fields) digit, symbol, uppercase letter, and lowercase letter, e.g. P@ssW0rd (at least one uppercase letter, one symbol, one lowercase letter, and one digit).

N

Glossary

Name Attributes

Send the First Name and Last Name attributes in the token (and query string) to the application.

Name ID Format

Metadata that describes the format in which the content contained in the User ID Mapping field is being asserted by SecureAuth IdP, specified by the SP. The options are:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: The application fully handles the user ID. This is most commonly utilized.

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Tells the SP to parse the user ID as an email address.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos: Enables Windows to correctly identify the node, which can be username, first name, or something else.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Tells the SP that the user ID will be in a persistent format.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Tells the SP that the user ID will be in a transient format.

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName: Tells the SP that the user ID will be a Windows Domain Qualified Name.

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName: Tells the SP that the user ID will be in the field of X.509 Subject Name.

Name (Logs - Log Database)

An auto-populated name generated by SecureAuth IdP.

Name (Post Authentication - Forms Authentication)

The name of the token.

Name (Post Authentication - Mobile Browser Token)

The name of the Mobile Browser Token, which can be set to anything. When a user is logging in from a mobile browser, SecureAuth IdP searches for the name entered here.

Name (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

The title of the client.

Name (Post Authentication - OpenID Connect / OAuth 2.0 Scopes)

A user-friendly title for the scope that displays on the client-side consent page.

Name (Post Authentication - SAML Attributes) ("Attribute Name" in New Experience)

The specific name of the attribute. The SP requests which attributes are required and the exact names.

Namespace (1.1)

Communicate to the SP which attribute is being sent over, and is in the form of a URL. The SP should provide the exact Namespace if it is required.

No Score Returned

The user profile / risk score information is not found in the User Risk integration database.

Notification Interval

How often the email notifications are sent. the options are:

  • Hourly: An email is sent once every hour during the Warning Period.

  • Daily: An email is sent once every day during the Warning Period.

Notification Start Time

The time of day at which the notifications start.

Number of Answers

The number of knowledge-based questions the user must answer on the page. The value set here must be less than or equal to the KBQ Count selection.

  • 1 - 6: 1 - 6 knowledge-based questions must be answered.

Number of Past Passwords Remembered

How many passwords SecureAuth IdP remembers to ensure that the new password is not the same.

Number of Questions

The number of knowledge-based questions asked during the 2-Factor Authentication login process.

  • 1 - 6: 1 - 6 knowledge-based questions must be answered for 2-Factor Authentication.

O

Glossary

OATH Seed or Token

The type of App Enrollment / OATH provisioning utilized by the application(s).

  • OATH Seed (Single): Generate a single OATH seed that is utilized by all devices for all realms.

  • OATH Token (Multi): Generate an OATH Token that contains the unique OATH seed and the device ID for each individual enrollment. Using OATH Tokens, end-users can provision their devices against diverse SecureAuth IdP appliances and / or enterprise directories to create distinct tokens that ensure that the associated OATH seed can only work with that device.

Object

The unique identifier name for the account.

One Time Provisioning

Whether SecureAuth IdP generates a new seed for every provisioned device. If set to true, this disables the OATH usage on the previously provisioned device. If set to false, this enables SecureAuth IdP to reuse the same seed for each provisioned device and enables the use of multiple devices simultaneously.

One Time Use PIN

Enable a one-time use PIN that is immediately cleared from the user directory once it is used for 2-Factor Authentication. New users commonly use this for self-service 2-Factor enrollment.

Only 1 FP Cookie per Browser

Whether only one fingerprint (FP) cookie is allowed per browser.

Open PIN

Enable the user's PIN to be displayed in the directory as plain text.

OTP Format

Select what user information is validated.

  • OTP Only: Validate only the one-time passcode.

  • OTP + Password: Validate the one-time passcode, then the user's password.

  • Password + OTP: Validate the user's password, then the one-time passcode.

OTP Length

The number of digits used in one-time passwords (OTPs) for 2-Factor Authentication.

  • 4, 5, or 6: Choose from 4 to 6 digits for an OTP.

P

Glossary

p12 Password

The password that corresponds to the p12 file obtained from the Google Apps Client ID creation (provided by Google).

Page Header

The title that displays at the top of the client-side webpages, and is typically the same as the Document Title.

Passcode App for Windows and Mac

A Windows and Mac desktop application that generates one-time passcodes (OTPs) to use for validation during the login process.

Passcode Change Interval

The number of seconds during which the Time-based Passcode is valid. After the provided amount of seconds has passed, that OTP no longer works for the 2-Factor Authentication session.

Passcode Length

How many digits the Time-based Passcode is for 2-Factor Authentication.

Passcode Offset

A rolling time-frame window of minutes during which the OTP is valid, which allows for time differences between devices and servers.

Password Expired Days

The number of days from the last password change that the password is valid. Surpassing this amount, the password expires.

Password Format (Data - Membership Connection Settings - Oracle)

How the password is stored. This selection also dictates which Password Stored Procedure (SP) to use.

  • Clear: Password is stored in clear text (uses the Validate Password SP).

  • SHA1: Password is stored using the SHA1 hash algorithm (uses the Get Password SP and compared server side).

  • SHA2: Password is stored using the SHA2 hash algorithm (uses the Get Password SP and compared server side).

  • MD5: Password is stored using the MD5 hash algorithm (uses the Get Password SP and compared server side).

Password Format (Data - Membership Connection Settings - SQL)

How the SQL Database password is stored in the directory.

  • Clear: Store the password in clear text.

  • Hashed: Hash the password.

  • Encrypted: Encrypt the password.

Password Length Greater Than

The minimum length of characters passwords must be.

Password Reset Mode

The mode in which users can reset their passwords.

  • Enforce Password Change Requirements: Require users to follow all enforcements from the directory.

  • Administrative Password Reset: Bypass history check enforcements.

  • Administrative Reset with History Check: Create History Check with password reset to check the last password change date.

Password Salt

A unique string of text to append to passwords before they are hashed. Not applicable if Clear is selected in the Password Format field.

Password Syncing

The type of password being synchronized to the iOS device(s) for provisioning.

  • Random Password: A random password that is sent to the device that is unknown by the user.

  • User Password: The user's Google Apps Email password.

Password Warn Days

The amount of days before expiration during which users are warned about their password expiration. Applicable for the Inline Password Change feature.

Persistent

Set the timeout of the token.

  • True - Expires after Timeout: The token expires after the timeout regardless of the session.

  • False - Session Cookie: The token is good for the entire web session and expires as soon as the browser closes.

Persist Security Info (Data - SQL / ODBC / ASP.NET, Logs - Log Database)

Allow access to username and password information once the connection is open, and is part of the connection string.

Phone Attributes

Send the Phone 1 - Phone 4 attributes in the token (and query string) to the application.

Phone Field 1 - Phone Field 4

Select the type of authentication option(s) available for use for the phone numbers mapped to the Phone 1 - Phone 4 Properties in the Data tab.

  • Voice and SMS / Text: Enable the user to select either a phone call or a text message to receive the one-time passcode (OTP) for 2-Factor Authentication.

  • Voice Only: Enable only a phone call to the specified phone option to deliver the one-time password (OTP) for 2-Factor Authentication.

  • SMS / Text Only: Enable only a text message to the specified phone option to deliver the one-time password (OTP) for 2-Factor Authentication.

  • Disabled: The phone option with this choice selected is not used for any one-time password (OTP) delivery for 2-Factor Authentication.

Phone Mask (Regex)

Modify how much of the phone number is masked. By default, SecureAuth IdP displays phone numbers in the following way: xxx-xxx-1234.

PIN

The user's static Personal Identification Number (PIN).

PIN Field

Enable users to utilize a Personal Identification Number (PIN) for 2-Factor Authentication.

Place Groups in QueryString

Return the users' profile attributes to the application in a query string, in addition to the token sent.

Place Profile Attributes in QueryString

Return the users' groups to the application in a query string, in addition to the token sent.

Port

The SMTP's required port, and by default, it is set to Port 25.

Portal Page Authorization

Select if and how the Portal Page is accessible.

Post-Auth Cookie

The cookie that communicates to SecureAuth IdP that the user has been authenticated. This can be set to point to a specific realm so that the administrator knows where the user's identity was validated. Single Sign-on (SSO) is achieved with this cookie.

PostAuth WebService URL

A generic URL for any Post Authentication module to use if an additional web service call is required to complete the Post Authentication action.

Post Data

The Form Post information created from the URL and Create Post information.

Pre-Auth Cookie

The cookie generated from a Begin Site. SecureAuth IdP checks to see if there is a Pre-Auth Cookie present; and if there is, then SecureAuth IdP extracts the user ID from the token and proceeds with the login process. If the Pre-Auth Cookie is not present and Require Begin Site is set to True, then SecureAuth IdP sends the user back to the Begin Site to acquire the Pre-Auth Cookie.

Private Enterprise Number (PEN)

The Private Enterprise Number (PEN) of the Syslog server.

Private Key Setting

Which password is used to protect the profile for the iDevices and for Android device keys.

Private Mode Cert Length

If Private Mode is selected during the login workflow, this field determines the number of days during which the private mode certificate is valid.

Profile Field

The SecureAuth IdP Profile Property that contains that user's User Risk Score (written to by the User Risk integration).

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

Profile Missing Redirect

To where users are redirected if their profile is missing. For example, profilemissing.aspx.

Property

The properties used by SecureAuth IdP. Based on the responses provided, SecureAuth IdP pulls and sends the information that corresponds to the directory fields for authentication and assertion purposes. The administrator can dictate what data is paired with which property, but SecureAuth IdP includes some out-of-the-box AD examples based on common practices.

Provider Name

An auto-populated name generated by SecureAuth IdP.

Proxy IP List

The IP Addresses of load balancers, gateways, proxies, or other devices in between the user and SecureAuth IdP to enable the appliance to identify the device to read the header.

Proxy Password

The Password associated to the Proxy Username of the proxy account required only if the proxy requires authentication.

Proxy Server Address

The IP Address or the Fully Qualified Domain Name (FQDN) of the Proxy Server.

Proxy Server Port

The TCP Port on which the proxy server is configured to respond.

Proxy Username

The Username of the proxy account required only if the proxy requires authentication.

Public IP Address

The Public IP Address if the Network Address Translation (NAT) is used to change the SecureAuth IdP IP Address to a Public IP Address.

Public Mode Cert Length

If Public Mode is selected during the login workflow, then this field sets the number of hours during which the certificate is valid. Applicable for Certificate Enrollment Only realms.

Public / Private Mode

The options provided to users on the page when logging in.

  • Private and Public Mode: Enable users to select Private or Public Mode for login. Private is used for known devices, whereas Public is chosen on unknown or untrusted devices.

  • Public Mode Only: Public mode is automatically selected for login. This is for any device, prompts for authentication, and SecureAuth IdP does not store a credential on the browser.

  • Private Mode Only: Private mode is automatically selected for login. This is for trusted devices, and SecureAuth IdP stores a credential on the browser.

Push URL

The Push URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

Push Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to make a Push Notification request. Select False if using a Proxy.

  • True: Use WSE 3.0 / WCF.

  • False: Use WS 2.0 with SSL.

R

Glossary

Realm Description ("Application Description" in New Experience)

The realm description is for internal use only. Administrators can write notes here to provide instructions or to briefly describe the purpose of the realm.

This displays in the left-side menu, under the Document Title.

Realm Name

A realm is a distinct authentication workflow. Each realm can be configured uniquely depending on the target (application, self-service page, help desk), the user accessing it, and how they are accessing it (registration methods).

The realm name is automatically assigned to each new realm, starting with SecureAuth0, which is the Admin Realm, and increasing sequentially with each new realm creation (SecureAuth1, SecureAuth2, etc.).

Receive Token

For company's own login pages or if company is using Windows SSO. Elect the type of token received from the site.

  • None: No token will be received, so a Begin Site (below) will be required.

  • Token: SecureAuth IdP expects to receive information, which could be anything; and SecureAuth IdP does not have to send the same information.

  • Clear Text Query String: User ID will be in a Clear Text Query String.

  • XOR / Base64 Query String: User ID will be in an XOR / Base64 Query String.

  • Send Token Only: SecureAuth IdP only sends a token (Begin Site is not required).

  • Send XOR / Base64 Only: User ID is encoded.

  • Receive Token Only: SecureAuth IdP sends the same token that it received.

Recipient ("SAML Recipient" in Classic Experience)

Identifiable information of the SAML recipient, which usually maps to the SAML Consumer URL. This is an optional field; but required for some SPs, such as Salesforce.

The value is typically the same as the Assertion Consumer Service (ACS) / SAML Consumer URL.

Redirect

Redirect users to a different page after saving self-services updates.

Redirect To

The auto-populated URL that is created by authenticated user redirect choice or selection. If Use Custom Redirect is selected, then the field needs to be set to where users are redirected after authentication.

Refresh Token

The workflow that enables a refresh token to be provided during authorization that can be used to get a new access token.

Refresh Token Lifetime

When an Access Token expires, it can be refreshed for an extended period of time without requiring a new login. This Lifetime is longer than the Access Token Lifetime value.

Relay State ("WSFed Reply To / SAML Target URL in New Experience")

The absolute URL of the target resource. The user is redirected to this URL after authentication.

Remember User Selection

Enable SecureAuth IdP to automatically enable Private or Public Mode based on the previous selection on that device.

Renew Persistent Token (after validation)

Enable SecureAuth IdP to provide a new persistent token after the previous one has been validated.

Replace in Order by (Reg Methods - Mobile Login Requests)

If Push device replacement is enabled, then select how the enrolled devices are replaced.

  • Created Time: Replace the oldest enrolled device with the new one.

  • Last Access Time: Replace the least recently used enrolled device with the new one.

Replace in Order by (Workflow - Digital Fingerprinting)

If fingerprint replacement is enabled, then select how the fingerprints are replaced.

  • Created Time: Replace the oldest enrolled fingerprint with the new one.

  • Last Access Time: Replace the least recently used fingerprint with the new one.

Request Blocking Enabled

Block WS-Trust requests via a blocking engine in the WS-Trust Security Token Services (STS).

Request Type

Select which Mobile Login Requests are available for 2-Factor Authentication use in the realm.

  • Disabled: Disable the use of Mobile Login Requests for 2-Factor Authentication.

  • Passcode (OTP): Enable Push Notifications as an available 2-Factor Authentication method.

  • Accept / Deny: Enable Push-to-Accept login requests as an available 2-Factor Authentication method.

  • Passcode (OTP) + Accept / Deny: Enable Push Notifications and Push-to-Accept login requests as available 2-Factor Authentication methods.

Require Begin Site

Whether a Begin Site is required for this realm or not. A begin site is a site on which users land before the SecureAuth IdP login pages.

Require Current Password

Whether the current password is required to reset a user's password. SecureAuth IdP's self-service password reset enables password reset with 2-Factor Authentication.

Require OATH PIN

Whether to require a static PIN to unlock the app / extension to generate OATH One-Time Passwords (OTPs).

Require SSL

Whether SSL is required to view the token.

Reset Complete URL (Return to)

To where users are redirected once they reset their passwords.

Reset Password SP

The Reset Password Stored Procedure (SP) name in the database.

Resource Owner

During the request, the client application will send its credentials (Client ID and Client Secret) along with the user's credentials (which are validated against the directory) to gain access. The user is not required to authenticate and no authorization code is required.

Restart Login URL

A client-side link that takes users back to the first page of the login process of that specific realm.

Restriction Type (Workflow - Adaptive Authentication - IP / Country Restriction)

Select whether the realm restricts login attempts by IP Addresses or Country Codes.

  • IP Restriction: Restrict the realm by IP Addresses.

  • Country Restriction: Restrict the realm by Country Codes.

Restriction Type (Workflow - Adaptive Authentication - User / Group Restriction)

Select whether the realm restricts login attempts by specific users or user groups.

  • User Restriction: Restrict the realm by specific user accounts.

  • Group Restriction: Restrict the realm by user groups.

Revocation

The workflow in which a previously-issued OAuth access token (from SecureAuth IdP) is explicitly revoked.

Role-based access control (RBAC)

Enables flexible visibility into appliance configurations. Use RBAC to define roles in the appliance settings and restrict who has access and ability to change configurations. (Available in hybrid and on-prem only.)

S

Glossary

Safari Plugin

The Safari Plugin version number.

Safe

The name of the Access Control (Safe) where credentials are stored.

SAML Audience (Post Authentication) ("Audience" in New Experience)

An optional value that is provided by the SP, and is the base domain of the application.

SAML Audience (Workflow)

The base domain of the Identity Provider from which SecureAuth IdP accepts the SAML assertion.

SAML Conditions

Check to enable SecureAuth IdP to utilize the NotBefore and NotOnOrAfter SAML conditions to produce a validity period of the SAML assertion to SecureAuth IdP.

SAML Consumer URL ("Assertion Consumer Services (ACS)" in New Experience)

The URL provided by the SP used to accept a SAML assertion.

SAML Data Encryption Method

The method (algorithm) used to encrypt the SAML Assertion, if True is selected from the Encrypt SAML Assertion field.

SAML Issuer

The unique SAML ID from the third-party Identity Provider.

SAML Key Encryption Method

The method (algorithm) used to encrypt the SAML Key.

SAML Offset Minutes

The number of minutes that SecureAuth IdP subtracts from the NotBefore SAML attribute to account for any time difference between SecureAuth IdP and the SP.

SAML Recipient ("Recipient" in New Experience)

Identifiable information of the SAML recipient, which usually maps to the SAML Consumer URL. This is an optional field; but required for some SPs, such as Salesforce.

The value is typically the same as the SAML Consumer URL.

SAML Response InResponseTo

Enable SecureAuth IdP to include the SAML Response InResponseTo in the SAML Assertion. The SP requests this if it is necessary.

This response is used in SP-initiated instances, and it enables SecureAuth IdP to communicate to the SP that it has received the user ID sent by the SP.

SAML Valid Hours

The time period during which the SAML assertion is valid. Choose a value from 1 to 48 to specify the NotOnOrAfter SAML attribute.

SAN

The Subject Alternative Name properties, which can be Default or customized.

  • Default: Use default settings.

  • Custom: Customize SAN properties in certificate.

Save to All Realms

Save the logging information from this realm to all existing realms on the appliance.

SCEP / NDES URL

The exposed URL for accepting SCEP requests by SCEP / NDES server.

SCEP Web Service URL

The local web service URL to accept SCEP requests, which typically will not need to change.

Scope (Post Authentication - OpenID Connect / OAuth 2.0 Client Scope Restrictions)

The name of the scope, which is what the client application requires to access in the user profile. A user will need to consent to the client accessing their user profile data before proceeding.

Scope (Post Authentication - OpenID Connect / OAuth 2.0 Scopes)

The name that is passed to the client. The client requests this URL-safe value from SecureAuth IdP (the authorization server).

Search Attribute ("Encryption Attribute" in New Experience)

The ID that SecureAuth IdP uses to search the directory for the user.

Search Filter

Tell SecureAuth IdP what field is expected for the username. It is auto populated by clicking Generate Search Filter. The user supplies the attribute that equals %v to log into realms.

SecureAuth Authentication API

The SecureAuth Authentication API embeds the SecureAuth Identity Platform functionality into a custom application, enabling flexible workflow configurations and user interfaces.

SecureAuth cloud services

SecureAuth cloud uses IP addresses to provide services to SecureAuth® Identity Platform, end user browsers, and mobile devices registered to provide multi-factor authentication methods.

SecureAuth® Identity Platform

Newer release of the SecureAuth product (release 19.07 and later) with a new UI and available as an on-prem, hybrid, or cloud deployment solution.

SecureAuth IdP

Classic version of the SecureAuth product (release 9.3 and earlier) with a Web Admin UI available only as an on-prem solution.

SecureAuth® RADIUS Server

Configure two-factor authentication login access to VPN and remote resources through RADIUS.

SecureAuth Version

The version of the SecureAuth IdP appliance.

Select CSS File to Load and Edit the Theme

The SecureAuth IdP appliance includes multiple themes, which dictates how the client-side webpages will appear. The 2016 Light Theme is selected by default.

Sender Address

The sender's email address that displays in the From field. For example, do-not-reply@company.com.

Sender Name

The alias name for the email address that displays in the From field. For example, SecureAuth Support.

Server Address

The address of the SMTP server through which OTP SecureAuth IdP emails (2-Factor Authentication, account update, password reset, etc.) are sent. This field is required.

Service Account (Data - Membership Connection Settings - LDAP)

An LDAP account that has read or write access to user accounts that SecureAuth IdP will authenticate.

  • @: Typically the name of the Domain (above), but can be different.

Service Cert Serial Nbr

The certificate serial number of the hosted facility used to facilitate the WSE 3.0 / WCF web service.

  • Select Certificate: Select the certificate from the appliance's certificate store.

Service Email

The EMAIL ADDRESS value from the Google Apps Service Account, e.g. XXXX@developer.gserviceaccount.com.

Session State Name

The name of the session state, which is defaulted to a value by SecureAuth IdP, but can be customized to act in a particular way.

Shared Secret

The Shared Secret (password) that is provided by the SP. This must match with the SP for the communication to be successful.

Show Exception on Page

Display a page listing the reasons why a user's password fails validation checking.

Show OTP on Enrollment Page

Display the one-time passcode (OTP) on the page after a user has successfully provisioned their account for Time-based Passcodes. This is especially useful for Browser Time-based Passcode usage to enable immediate access to the OTP to authenticate into another realm.

Show Password Complexity Rules

Display the configured password complexity requirements on the password reset page.

Show PIN Screen after

The number of seconds allowed for the application to remain idle before requiring the PIN to unlock the application.

  • 30 - 300 (seconds): Choose between 30 and 300 seconds.

Show Third-party App Support

Display the necessary information to provision a third-party app that generates Time-based Passcodes (Google Authenticator).

Show UserID Textbox

For Certificate Enrollment Only and Cisco ASA integrations, elect whether to show the User ID Textbox for users to provide their user ID if Cisco ASA does not send the user ID to SecureAuth IdP.

Show When Empty

Elect to show the one-time use PIN option on the 2-Factor Authentication login screen, even though it is not available.

Signing Algorithm

The signing algorithm used for signing JSON web tokens.

  • RSA SHA256: Use the X.509 certificated selected as the Signing Cert.

  • HMAC SHA256: Use the client secret for signing.

Signing Cert

The certificate used for signing the JSON Web Token (JWT) (the private key). The public key will then need to be exported and provided to the client application.

  • Select Certificate: Select the certificate from the appliance's certificate store.

Signing Cert Serial Number

The certificate for the SAML Assertion.

  • Select Certificate: Click to select the certificate that contains the Signing Cert Serial Number. A list of certificates that are stored in the SecureAuth IdP environment are provided from which to choose the appropriate certificate.

Sign SAML Assertion

Enable SecureAuth IdP to sign the SAML Assertion that is being sent over to the SP. This is a "stamp of approval" from SecureAuth IdP in the form of a certificate stating the user is trusted, and the SP informs the administrator if the assertion needs to be signed or not.

Sign SAML Message

Enable SecureAuth IdP to sign the SAML Message, which is the entire message including the SAML assertion that is sent to the SP. This is a "stamp of approval" from SecureAuth IdP in the form of a certificate stating the user is trusted, and the SP informs the administrator if the assertion needs to be signed or not.

Single App Redirect

If only one native mobile application integration is present in a single realm, then provide the custom URL scheme to ensure that users will always be redirected from SecureAuth IdP to the application. For example, app1:/.

Skip IP Match

Elect to skip matching the IP Address of the device to the IP Address recorded in the fingerprint (FP) ID in the user's data store profile.

Skip UserID View

Whether there is a UserID view (user ID textbox / page), which usually is selected for VPN enrollments as the UserID is received from the VPN.

Sliding Expiration

Enable the token to be valid as long as the user is interacting with the page.

  • True: The cookie does not expire as long as there is user interaction.

  • False: The cookie expires once it surpasses the Timeout (set in the Timeout field in the same section).

SMS URL

The SMS URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

SMS Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to make an OTP text message request. Select False if using a Proxy.

Source

Select from which directory integration SecureAuth IdP can pull the profile information for authentication and assertion purposes.

  • Default Provider: The data store selected as the Default Profile Provider in the Profile Provider Settings section.

  • Directory Server: The directory server (AD, LDAP, Tivoli, Lotus Domino, etc.) data store configured as an additional profile provider in the Profile Connection Settings section.

  • SQL Server: The SQL Server data store configured as an additional profile provider in the Profile Connection Settings section.

  • ODBC: The ODBC data store configured as an additional profile provider in the Profile Connection Settings section.

  • ASPNETDB: The ASP.NET data store configured as an additional profile provider in the Profile Connection Settings section.

  • Web Service: The Web Service (Multi-data Store) configured as an additional profile provider in the Profile Connection Settings section.

  • Oracle: The Oracle data store configured as an additional profile provider in the Profile Connection Settings section.

  • Azure AD: The Azure AD data store configured as an additional profile provider in the Profile Connection Settings section.

Source Domain ("Source" from Data - Membership Connection Settings - LDAP in Classic Experience")

The domain name of the directory.

Spec Format

The type of format used for RFC3164.

  • None Specified: Use normal RFC3164 fomatting (typical).

  • LEEF: Use for IBM Security QRadar SIEM only.

  • CEF: Use for HP ArcSight SIEM only.

SP Start Login ("SP Start URL" in Classic Experience)

The Service Provider's (SP) Start URL, where users log into the application. For SP-initiated Post Authentication integrations, this tells SecureAuth IdP to redirect users to the SP Start URL when landing on the SecureAuth IdP realm first in order to initiate the login process. This also assists SecureAuth IdP in accurately redirecting users for SSO.

SP Start URL ("SP Start Login" in New Experience)

The Service Provider's (SP) Start URL, where users log into the application. For SP-initiated Post Authentication integrations, this tells SecureAuth IdP to redirect users to the SP Start URL when landing on the SecureAuth IdP realm first in order to initiate the login process. This also assists SecureAuth IdP in accurately redirecting users for SSO.

SSL

Secure Socket Layer that acts as an encrypted tunnel through which emails are sent.

  • True: Use Secure Socket Layer to send emails.

  • False: Do not use Secure Socket Layer to send emails.

SSL Termination Cert

Used when not using SecureAuth IdP as the termination point. For bi-lateral authentication, a certificate is required here as the trusted SSL Certificate.

SSL Termination Point

The Fully Qualified Domain Name (FQDN) of where the SSL cert is terminated. This communicates to SecureAuth IdP where the certificate has been terminated, enabling IdP to validate the information.

Static OP Server URL

The URL for the OpenID Provider.

Static Post Data

The Form Post information created from the Create Static Post information.

  • Remove: Select an item in the Static Post Data field, and click Remove to delete.

Store LinkedIn ID at

The Property in which SecureAuth IdP stores the user's LinkedIn ID for 2-Factor Authentication.

  • Aux ID 1 - Aux ID 10: Choose between the Auxiliary IDs 1 - 10.

Subject

The subject text of the emails sent by SecureAuth IdP. For example, SecureAuth One-time Registration Code.

  • Show passcode in subject line: Display the one-time passcode in the Subject line and in the message body for quick reference.

SubjectConfirmationData Not Before

Enable SecureAuth IdP to include the SubjectConfirmationData Not Before in the SAML Assertion. The SP requests this if it is necessary.

This communicates that the SubjectConfirmationData will not be valid before the timestamp.

Supported Languages

Select which languages that the SecureAuth IdP appliance supports. SecureAuth IdP alters the language selection based on the user's browser settings.

Symantec VIP Field

Enable the client-side use of Symantec VIP for 2-Factor Authentication.

Symantec VIP Integration

Permit the use of Symantec VIP tokens for 2-Factor Authentication.

Symbols (!, @, #, $, %, &, *, etc.)

The minimum number of symbols required in each password (may not be required depending on the value set for the Must contain how many of the following field).

Sync Password

Conduct a one-way synchronization of the user's AD password to Google.

Sync Password Every Time

Synchronize the passwords every time from Google Apps to iOS devices. If set to True, then only one device can be used at a time.

Syslog Port

The port on which the Syslog Server listens.

Syslog RFC Spec

The required spec, provided by Syslog.

  • (none): None specified.

  • RFC3164: Use RFC3164.

  • RFC5424: Use RFC5424.

Syslog Server

The IP Address or the Fully Qualified Domain Name (FQDN) of the Syslog Server.

System Components

The system components that factor into the fingerprint. Set the weight values for each System Component and for the HTTP Headers components to equal a total of 100%.

  • Weight for plugin list: The list of plugins on the user's browser.

  • Weight for flash font: The fonts inside of a flash application.

  • Hostaddress/IP: The Host address or IP address.

  • Require exact match: Elect to require an exact match of the address. If enabled, then the user will have to perform a different 2-Factor Authentication without an exact match, even if the Authentication Threshold percentage is met.

  • Timezone: The time zone of the user's browser.

  • Screen Resolution: The screen resolution of the device / browser.

  • HTML5 localstorage: The HTML5 local storage.

  • HTML5 sessionstorage: The HTML5 session storage.

  • IE userdata support: The Internet Explorer (IE) user data support.

  • Cookie enabled/disabled: Based on the user's settings, whether cookies are enabled or disabled.

T

Glossary

Telephony URL

The Telephony URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

Telephony Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to make an OTP telephony call. Select False if using a Proxy.

Template

Select the template to use for SecureAuth IdP emails. OTPEmailTemplate is the default.

Tenant Domain

The Domain Name of the Azure Directory.

Test

Click to test that the web services communication is working and that certificates are valid.

Test Connection (Data)

Click to test that the directory integration was successful.

Test Connection (Logs - Log Database)

Click to verify the connection and to ensure successful integration.

Theme

The SecureAuth IdP appliance includes multiple themes, which dictates how the client-side webpages will appear. The 2016 Light Theme is selected by default.

Time-based Passcodes (OATH OTPs)

A time-based temporary passcode used for 2-Factor Authentication.

Timeout

The number of minutes during which a cookie is valid.

Token Data Type (Receive)

Tell SecureAuth IdP where the user ID is in the received token.

  • Name: The user ID will be in the Name Field.

  • User Data: The user ID will be in the User Data section.

Token Data Type (Send)

Tell SP where the user ID is in the sent token.

  • User ID: The user's username.

  • Password: The user's password.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.

  • Token Settings: Customize the token settings for the realm.

Token Missing Redirect

To where users are redirected if their token is missing, e.g. enrollment / provisioning realm. This is used for Near Field Communications (NFC).

Token Name

A name for the token that is shared with the application. For example, UserID.

Total FP Max Count

The maximum amount of fingerprint (FP) IDs that can be stored in a user's profile at the same time. Set to -1 for no maximum count.

Transparent SSO

Enable transparent SSO, which is “behind the scenes” single sign-on between applications. Users will log in once via 2-Factor Authentication; and upon opening a new application, no credentials would be required.

Transport Method

How the encrypted user information is sent to the SP.

  • Query String: Send it as a Query String.

  • Cookie: Send it as a Cookie.

  • Header: Send it as a form post (dynamically posted as user types on the page).

Transport Name

The name of the value that is used to send the user information.

Trx Log Disable Code

The code provided by SecureAuth support to temporarily disable the Transaction web service calls.

Trx Log Mode Code

The code that is automatically assigned to the appliance during the build process and indicates whether it is intended for Transaction logging model or User based model.

Trx Log Service URL

The Transaction Log URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

Trx Use WSE 3.0

Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to track transactions. Select False if using a Proxy.

  • True: Use WSE 3.0 / WCF.

  • False: Use WS 2.0 with SSL.

U

Glossary

Unique Assertion ID

Generate a Unique Assertion ID (GUID) to pass to the SP, which is required by some applications.

Unlock User

Enable administrators to unlock locked user accounts from the Help Desk page.

Unlock User Account

Whether a user's account is unlocked upon password reset, or administrative action.

  • Automatically: Unlock user account when password is reset.

  • Do Not Unlock: Resetting the password will not unlock the account, and administrative action is required.

  • Show Button: Provide the option for users to unlock their accounts after password reset.

Unlock User SP

The Unlock User Stored Procedure (SP) name in the database.

Update Profile SP

The Update Profile Stored Procedure (SP) name in the database.

Update Threshold

The percentage that the user's fingerprint (FP) ID must be higher than to merge with the existing FP ID.

If the user's FP ID is lower than the Authentication Threshold, but higher than the Update Threshold, then SecureAuth IdP will merge the new FP ID with the previous one after a successful 2-Factor Authentication via another method. If the FP ID is lower than the Update Threshold, SecureAuth IdP will create an entirely new FP ID to store in the user's profile to use for subsequent authentications.

This is typically set between 80 - 90%, and must be lower than the Authentication Threshold.

Update User SP

The Update User Stored Procedure (SP) name in the database.

Upload a Page

Upload a page to change the look and feel of the target action of the realm.

  • Download Customized Pages: Select a customized page that comes out-of-the-box with SecureAuth IdP. These can be used for specific realms.

UPN Mapping

The SecureAuth IdP Property that contains the userPrincipalName (UPN).

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.

URI

The URI link of the white-listed page to where the client can be redirected to capture the SecureAuth IdP response.

URL (Post Authentication - Post Data)

The data is sent to this URL.

URL (Post Authentication - URL Redirect)

To where users are redirected once the Post Authentication processing is complete.

Use CyberArk Vault for Credentials

Check to enable CyberArk Vault to provide the password of the directory service account to SecureAuth IdP rather than providing the service account username and password in the Web Admin.

Use Proxy Server

Enable the use of a Proxy Service, which routes communication in this realm through a web proxy.

User Agent Rule

Create a list of allowed user agents or denied user agents (devices, browsers, etc.).

User Agents

A list of the allowed or denied user agents that is based on the User Agent Rule selected.

User and Group Association

Enable the tool that associates existing users and groups within the LDAP data store using SecureAuth's IdM API.

User Consent Storage

Stores the consent granted to a client as an encrypted and compressed string value in the attribute specified in the Consent Storage Attribute field.

User Group Check Type

Create a list of allowed or denied user groups.

User Groups

A list of the allowed groups or denied groups based on the selection made from the User Group Check Type dropdown.

  • Include Nested Groups: Enable SecureAuth IdP to look within main groups to find subgroups (nested groups) for easier configuration.

    For example, main group A includes nested groups 1, 2, and 3. Rather than enabling or disabling access to groups 1, 2, and 3 separately, the administrator can allow or deny the three groups by checking the box and enabling or disabling access to group A.

UserID Check

For Cisco ASA integrations to check for a "Cisco-specific" user ID.

User ID (Data - SQL / ODBC / ASPNETDB)

The user ID of the account that has read and/or write access to the SQL / ODBC / ASPNETDB database.

User ID (Logs - Log Database)

The User ID to access the database logs.

User ID Profile Field

("User ID Mapping" in Classic Experience)

The user ID that is asserted to the target resource.

User ID Mapping ("User ID Profile Field" in New Experience)

The user ID that is asserted to the target resource.

  • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user's last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.

  • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com. These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

  • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.

  • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.

  • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.

  • Transformation Engine: Click to configure on-the-fly attribute modifications / additions that will be asserted to the Service Provider (SP).

User Impersonation

Enable the SecureAuth IdP realm to run under a user or under a service name when using Integrated Windows Authentication (Kerberos).

User List

The list of user accounts that are either allowed or denied based on the selection made from the dropdown, comma separated.

User Management

Enable the tool that adds new user profiles, and retrieves and updates existing user profiles using SecureAuth's IdM API.

Username Delivery Option

How the username is delivered to the user in Forgot Username realm.

  • Display on Page: After a successful authentication, the username will display on the page.

  • Send in Email: The username is sent to the email address associated to the user.

User Risk Score

The SecureAuth User Risk Scoring Service calculates a user risk score in real-time by accessing user behavior described in the section above. The final score is a value between 0 and 100, where 0 is the least risk and 100 is the most risk.

User Self-service Password Change

Enable the end-user to change the current password with a new password using SecureAuth's IdM API.

Use SCEP

Enable SecureAuth IdP to use an existing Certificate Authority (CA) to issue certificates via SCEP. By default, it is set to false as SecureAuth IdP employs its own, hosted CA to issue the certificates.

Using iOS Provisioning with Google Apps

Whether the iOS password provisioning with Google Apps (synchronization of password changes from Google Apps to iOS devices) is being used. This setting is configured in the Post Authentication tab.

V

Glossary

Validate / Get Password SP

The Validate Password or Get Password Stored Procedure (SP) name in the database (depending on which SP is being used).

Validate Password Complexity

Enable SecureAuth IdP to check the complexity of the password based on the directory password requirements. Configure the settings in the Password Complexity section to display the requirements on the page.

Validate Persistent Token

Check whether the persistent token (Java, UBC, cookie, certificate, etc.) is still valid.

Validate User Type

How SecureAuth IdP validates the user from the directory information.

  • Search: SecureAuth IdP uses the search function to check if username and password are correct (slower search).

  • Bind: SecureAuth IdP makes a direct call to the directory to check if the username and password are correct (faster search).

Validate Yubikey

Enable or disable the use of Yubikeys for 2-Factor Authentication.

Validation

How to encrypt the cookie. The web configuration file specifies which format to use.

Validation Key

The Validation Key is stored in the web configuration file and must match the validation key on the client application for SSO.

Validation Mode

What is being sent in a form post to be validated.

  • No User Validation: No user information is posted.

  • Validate User ID: The User ID is posted.

  • Validate User ID + Shared Secret: The User ID and Shared Secret are posted.

  • Validate User ID + Password: The User ID and Password are posted.

  • Validate User ID + Password + Shared Secret: The User ID, Password, and Shared Secret are posted.

Validation Realm

Redirect users to a different realm if SecureAuth IdP detects that they are using an iPhone or iPad.

  • Select Realm: Select the SecureAuth IdP realm specifically configured for iPhone or iPads.

Validation Type

The type of restriction being placed on the native mobile application using the current Custom URL Scheme. Applicable for multi app and multi app groups check integrations only.

Value ("Data Store Property" in New Experience)

The SecureAuth IdP Property that includes the attribute required. The options are values from the Data tab, which point to fields in the directory. This information is provided by the SP as it expects the attribute to be delivered a certain way.

  • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.

  • First Name: The user's first name, e.g. givenName in Active Directory.

  • Last Name: The user’s last name, e.g. sn in Active Directory.

  • Phone 1: Typically the user's work number.

  • Phone 2: Typically the user's mobile number.

  • Phone 3 - Phone 4: Additional telephone options available to use.

  • Email 1: Typically the corporate email address.

  • Email 2 - Email 4: Additional email options available to use.

  • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

  • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.

  • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

    These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

  • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.

  • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.

  • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.

Velocity Limit

The maximum speed in Miles Per Hour users may have traveled between authentications. This speed is calculated based on the difference between the initial and subsequent IP Address locations and the recorded times when authentications occurred.

Version Number

The version number of the token, provided by the SP.

W

Glossary

Warning Period (Days)

The amount of days before expiration that a user is notified.

Web Config Backups

Select Click to view Web Config Backups to access web.config file backups to review changes made in the realms and to revert to older versions of the configurations.

Web Config Editor

Select Click to edit Web Config file to edit the source code of the realm directly.

Web / Mobile Transfer Site

Redirect users to different realms if SecureAuth IdP detects a mobile or a web browser.

  • Select Realm: Select the SecureAuth IdP Realm configured specifically for mobile browsers to where users are redirected if using mobile devices.

When Exceeding Max Count (Reg Methods - Mobile Login Requests)

The action taken when a user surpasses the Push device limit set in the Device Max Count field.

  • Not Allowed to Replace: A user cannot replace the enrolled device.

  • Allowed to Replace: A user can replace the enrolled device.

When Exceeding Max Count (Workflow - Digital Fingerprinting)

The action taken when a user surpasses the fingerprint (FP) limit set in the Total FP Max Count field.

  • Not Allowed to Replace: A user cannot replace the fingerprint.

  • Allowed to Replace: A user can replace the fingerprint.

Windows Authentication

Enable users to bypass the login process with Windows, as it uses a Kerberos ticket for the username and password (Windows Desktop SSO).

  • True: Enable Windows Authentication.

  • False: Do not enable Windows Authentication.

Windows FF2

The Windows Firefox 2 version number.

Windows FF3

The Windows Firefox 3 version number.

Windows FF4

The Windows Firefox 4 version number.

Windows FF5

The Windows Firefox 5 version number.

Wipe OATH Seed

Remove the stored OATH Seed from the user's profile upon enrolling for a new OATH Token. This option is especially useful for companies transitioning from OATH Seed use to OATH Token as they can choose to keep the provisioned OATH Seed, or start fresh.

Wipe Provisioned Data after

Lock the OTP application after 1-10 failed PIN attempts. If provisioned data is wiped, then the user needs to re-provision that device / browser for OATH tokens / Time-based Passcodes.

  • 1 - 10: Choose from 1 to 10 failed attempts before wiping the data.

Workflow Options

Enter the realm names (SecureAuth1, SecureAuth 2, etc.) that have distinct workflow options.

  • Create with Mobile Realm: Create an additional mobile-friendly realm.

  • Create without Mobile Realm: Do not create an additional mobile-friendly realm.

Writable

If this is checked, then changes can be made in the directory through SecureAuth IdP. A service account with write access is required.

For example, any self-service modifications that are enabled need to be checked "writable," otherwise the user will not be able to make the appropriate changes on the self-services page(s), and the directory will not be updated with the latest information.

WSFed Reply To / SAML Target URL ("Relay State" in New Experience)

The absolute URL of the target resource. The user is redirected to this URL after authentication.

WSFed / SAML Issuer ("IdP Issuer" in New Experience)

The SAML ID of the Identity Provider (IdP). This can be any value as long as it's consistent on both sides, as the Issuer must match on the IdP and SP side exactly.

WS-Fed Signing Algorithm

The algorithm used for the assertion signature.

  • SHA 1: Use 128 bytes in the signature, which is typically used for Office 365, Outlook Web Access, and others.

  • SHA 2: Use 256 bytes in the signature, which is typically used for modern, custom applications that support WS-Federation and SHA 2 signing algorithm.

WS-Fed Version

The WS-Federation version that is asserted from post authentication.

  • 1.2: Version 1.2, which is typically used for Office 365, Outlook Web Access, and others.

  • 1.3: Version 1.3, which is typically used for modern, custom apps that support WS-Federation.

WS-Trust Endpoints

Click View and Configure WS-Trust endpoints to configure the endpoints used in a WS-Trust integration. For example, Outlook.

Y

Glossary

YubiKey Provision Page

The page where users can provision their YubiKey devices. This should direct users to the YubiKey Provisioning realm, which is configured in the Post Authentication tab.