
Configure Identity Platform and Login for Endpoints

Use the following sections to set up your endpoint product with the cloud and hybrid model of SecureAuth Identity Platform release 21.04 or later. You will configure the Identity Platform to use Login for Endpoints.

If your team wants to use biometric identification like face (iOS only) or fingerprint recognition, you must complete the following setup. For biometric identification, you must use the 2019 theme (see Setting the default theme for new realms).

Note

The following instructions are appropriate for the three endpoint products: Login for Windows, Login for Mac, and Login for Linux. Differences will be called out according to operating system.

Prerequisites

  • Data store. Have a data store integrated in the Identity Platform.

    In the data store properties for your endpoint, set adminDescription in an unused ID field, like Aux ID 3, and set the data format to plain text. Later in this topic, you will map this field to the OTP Validation Property, which is used for end user authentication.

    To learn more, see Data store integrations.

  • Authentication Policy. Have an authentication policy set up for the endpoint.

    You can use a default policy, an existing policy, or set up a new policy specific for the endpoint login.

    For the login workflow in a policy, make sure to select a workflow that has MFA Method in it. For example, Username & Password | MFA Method works well for most organizations.

    To learn more, see Manage policies.

Set up Login for Endpoints

Use the Endpoint Details tab to set up communication between the Identity Platform and your endpoint. You will configure the endpoint authentication and access information. You will then use the Aux ID you set previously to enable communication between the Identity Platform authentication API and the endpoint.

  1. On the left side of the Identity Platform page, click Login for Endpoint, and select the Endpoint Details tab.

  2. Click Add Endpoint and on the Endpoint Details page, set the following configurations.


    Endpoint Name

    Set the name of the endpoint.

    Endpoint Description

    Optional. Provide a description about this endpoint.

    Authentication Policy

    Set the login workflow and authentication policy for the endpoint.

    Data Store

    Set the data store to authenticate and allow user access to the endpoint.

    Start typing to bring up a list of data store names. You can enter more than one data store.

    Groups

    Use one of the following options:

    • Slider in the On position (enabled): Allow users from every group in your selected data stores access to this application.

    • Slider in the Off position (disabled): Enter the specific groups who are allowed access to this application.

    Tip

    Admins typically set it to Allow every group in your selected data stores access to this application.

    Otherwise, you could add specific user groups for user testing until making the switch over to more or all groups.

    Realm Number

    Select the Realm Number to use for this application.

    OTP validation property

    Set this to the value you set in the data store AUX ID property, like Aux ID 3.

    This is the Aux ID used to communicate with the Identity Platform to validate one-time passcodes (OTPs) from emails, phone calls, SMS, Help Desk, and notification passcodes.

  3. Save your changes, but do not close the page; continue with the next step.

  4. Go to the API Configuration section at the bottom of the page.

    Copy both secret keys for the Application ID and Application key. Save them in a secure location where you can find them when needed.

    You cannot retrieve these API credentials again. If you lose them, you can get new secret keys from this page.

    Login for Endpoint API configuration

    You can ignore the Endpoint URL link for now.

  5. Close the page.

  6. On the main Login for Endpoints page, select the Installer Configuration tab and click Add Configuration.

    This is the Installer Configuration Details page where you customize the end user login experience in the installer configuration.

  7. On the General Settings tab, set up the installer configuration for your operating system.

    Login for Endpoints - general settings installer configuration

    Installer configuration Name

    Set the name of the installer configuration.

    This name is displayed in a list that could be very long, depending on how many endpoints you set up. Be sure to use a name that is easy to identify.

    Endpoint / Host Name

    Set to the name of the endpoint you created on the Endpoint Details page in Step 2.

    This connects the endpoint to communicate with the Identity Platform through the API.

    Allow self-signed certificate

    Turn on this option only in test or lab environments where the server has a self-signed certificate.

    When turned on, it turns off all certificate validation. To establish communication, the HTTP client then accepts valid certificates, self-signed certificates, expired certificates, certificates with an invalid root, certificates whose common name does not match the host, and so on.

    Do not turn on this option for production environments. In production, the option introduces critical security risks: it enables a man-in-the-middle attack, in which a party impersonating the Identity Platform can grant users access to a system without validating their credentials, and lets unauthorized users steal OATH seeds. If the option is set in production, the endpoint sends you a warning message that the option is enabled.

    After installing an endpoint with this option set, it remains effective until you uninstall the endpoint. Then, reinstall the endpoint using a configuration file with this option turned off.

    Install Login for Endpoint without connection to Identity Platform

    Turn on this option, for example, to allow a third-party organization to configure machines for your end users. If the third-party organization does not have a connection to the Identity Platform, this option allows them to complete the configuration.

    When turned on, set the Grace Period and specify the number of days for password-only login. This setting is on the Multi-Factor Methods tab.

    Alternatively, to achieve the same results for self-service password reset (SSPR) without a connection to the Identity Platform, on the Multi-Factor Methods tab, use these settings:

    • Clear the Grace Period check box

    • Select the Enable adaptive authentications check box

    • Clear the Logging in with physical access check box

    • Clear the Logging in via remote desktop protocol check box

    Endpoint Operating System

    Select the operating system of the endpoint:

    • Windows

    • Mac OS

    • Linux

    Endpoint Type

    Select the type of endpoint:

    • Single-user login (laptops, single-user desktops)

    • Multiple-user login (servers, multi-user kiosks)

  8. Click Next Step.

  9. On the Multi-Factor Methods tab, customize the login experience for your end users.

    Existing customers might recognize the following options, which were set in the config.json file in previous releases.


    Self-service password reset-only mode

    Available on Windows OS only

    Turn on this option to set up a self-service password reset (SSPR) option for end users to select on their login screen.


    When this option is on, it deactivates all other options on the page. If you want the Password Reset link plus all the Login for Windows features (MFA, adaptive engine, etc.), configure the following:

    • Turn off the Self-service password reset-only mode.

    • Select the Enable update password link on the login interface check box and set the URL to SSPR site. (This option is on the Personalization tab, in the Password Reset section).

      For the URL, specify either the SecureAuth Identity Platform realm or the web page the user can access to reset their password.

    Ask for second-factor authentication when run as Administrator

    Available on Windows OS only

    Indicate whether a user who logs in with "Run as administrator" on the same machine used to log into a regular user account must authenticate again.

    • Select this check box – Log in with "Run as administrator" must authenticate again

    • Clear this check box – Log in with "Run as administrator" is not required to authenticate again

    Enable passwordless authentication

    Available on Windows OS only

    Select this check box to allow end users to use a fingerprint reader to authenticate by using any enrolled fingerprint.

    This is not the setting for second factor biometric authentication in the SecureAuth Authenticate app.

    On Login for Windows and Login for Mac, see Use fingerprint recognition on mobile in the End user login experience topic.

    On Login for Linux, see Approve login notification for fingerprint recognition in the End user login experience topic.

    Enable offline authentications

    Indicate whether end users can authenticate when offline.

    SecureAuth uses OATH seeds to validate OATH-based methods (like TOTP or HOTP) when end users log in. Most use cases require SecureAuth to store OATH seeds on the endpoint; if they are not stored, end users cannot log in while offline. In a scenario where, for example, a server is always online, you might not want to cache the OATH seed. Not caching it prevents a leak or theft of the OATH seed from the endpoint.

    Enable adaptive authentications

    Indicate whether to allow adaptive authentication.

    This setting acts similarly to the Adaptive Authentication settings in the Identity Platform. You can restrict how admins and users log in in several ways, for example, by username, group, or IP address.

    Suggests use of an OATH-based method on first login regardless of your Adaptive Policy settings

    Set this option to display a message that suggests end users authenticate for the first login by using an OATH-based method, such as TOTP, HOTP, etc. This ensures that they can log in when offline.

    Login for Endpoints requires end users to use one OATH-based method if at least one such method is available to them. If no OATH-based method is available to end users, they can use any other available method, but offline login will not be available.

    Grace period

    Indicate whether there is a grace period (with a set number of days) in which end users can use a password-only login to a machine.

    After end users set up their second-factor methods, they can dismiss the password-only login screen.

    For a detailed description with a use case, see First login with password only section in the End user login experience topic.

    Bypass interval

    Define whether end users must authenticate again with a second factor after a set period of time.

    • Clear this check box – End users must authenticate with second factor each time they log in.

    • Select this check box – End users must use second factor for their first login, but do not need to authenticate again until after the set time has passed.

    For example, the time is set for 32400 seconds (9 hours) and the end user logs out after working for 8.5 hours. That evening, the end user decides to log in and finish a few tasks. More than 9 hours have passed so the end user will need to authenticate with a second factor.

    user_bypass

    Use the user_bypass property in the config.json file to define whether to allow end users to bypass second factor authentication. Usernames defined in the user_bypass property will not be prompted for authentication.

    The endpoint supports the following username field syntax:

    • .\\username – For local username. For example, ".\\jsmith"

    • username – For local username of the domain on which the machine is joined. For example, "jsmith". Note that usernames must match those in the Active Directory domain.

    • username@domain.local – For remote logins like remote desktop (RDP) and SSH/PAM, use the UPN format. For example, "jsmith@acme.local"

    For example:

    "user_bypass":[".\\username", "username", "username@domain.local"]

    Require multi-factor authentication when:

    Logging in with physical access

    • Login for Windows and Login for Mac – Select this check box to require MFA when users log in at the physical console (that is, not remotely), using a login workflow like Username & Password | MFA Method.

    • Login for Linux – Select this check box to allow a user to log into the same machine as a different user by using su or sudo.

    Windows: Logging in via remote desktop protocol

    Linux / Mac: Logging in via Remote Connection (SSH)

    • Windows – Select this check box to require multi-factor authentication when users log in via remote desktop protocol.

    • Linux / Mac – Select this check box to require multi-factor authentication when users log in through a remote console in a Secure Socket Shell (SSH) session.

    Bypass Multi-factor Authentication when

    Select this check box to not send an MFA prompt to users who need to log in as a local admin.

    Users must belong to a local or domain group that you specify in the text box. Add local users only to the local group. Group names are case sensitive and must match those in the Active Directory domain.

    To add more than one group in the field, press Enter after each entry.

    Login for Windows and Login for Mac – Both endpoints support the following syntax:

    • group name – For groups of the domain on which the machine is joined. For example, BypassGroup. Note that group names must match those in the Active Directory domain.

    • domain\\groupname – For groups that are part of a specific domain. For example, customerDomain\\BypassGroup

    • .\\groupname – For local machine groups. For example, .\\Administrators

    Login for Linux – This endpoint supports the following syntax:

    • group name – For groups of the domain on which the machine is joined. For example, BypassGroup. Note that group names must match those in the Active Directory domain.

    • group-name@group-domain – For remote groups, use this UPN format syntax. For example, BypassGroup@customerDomain.local

    • .\\groupname – For local machine groups. For example, .\\Administrators

  10. Click Next Step.

  11. On the Personalization tab, personalize more of the user login experience.


    Personalization

    Auto add pre-logon access providers

    Available on Windows OS only

    Select this check box to allow a pre-login access provider so that end users can connect to VPN clients before logging into Login for Windows.

    Hide retry options

    Available on Windows OS only

    Select this check box to hide the "retry the connection" button on the login screen when Login for Windows is offline.

    Customize error message

    Select this check box to personalize the error message for end users who are locked out of their accounts. For example, you could enter a message like the following:

    "For assistance, please contact Acme helpdesk at 949-555-1212, help@acmeco.com, or https://helpdesk.acmeco.com."

    Request Timeout

    Set the timeout, in seconds, that Login for Endpoint waits for HTTP requests to respond. The default is 30 seconds. Use this option to reduce network wait times: after the specified timeout value is reached, the endpoint ends the network connection for the HTTP request.

    For example, if the endpoint tries to contact the Identity Platform, and cannot for any reason, the endpoint ends the network connection after reaching the timeout value. If this timeout value is not set, the endpoint keeps trying to reach the Identity Platform.

    ldap_timeout

    Use the ldap_timeout property in the config.json file to set the timeout, in seconds, that Login for Endpoint waits for LDAP requests to respond. The default is 30 seconds. Use this option to reduce network wait times: after the specified timeout value is reached, the endpoint ends the network connection for the LDAP request.

    For example, if the endpoint tries to contact the Active Directory, and cannot for any reason, the endpoint ends the network connection after reaching the timeout value. If this timeout value is not set, the endpoint keeps trying to reach the Active Directory.

    For example:

    "ldap_timeout": 30,

    Password Reset

    Enable update password link on the login interface

    Available on Windows OS only

    Select this check box to set up a self-service password reset (SSPR) link for end users to select on their login screen.

    In the text box, specify either the SecureAuth Identity Platform realm or the web page URL the user can access for resetting a password.

    If you use this setting, you will need to clear the Self-service password reset-only mode check box on the Multi-Factor Methods tab.

    Alternate Credential Providers

    Allow default operating system provider

    Available on Windows OS only

    Select this check box to add the default credential provider on the login screen. This allows end users to log in by using a password and second factor with the SecureAuth credential provider. Or, they can use a password only with the default credential provider.

    This option helps new teams starting out with Login for Windows to have a default credential provider option for end users to authenticate as a fallback.

    Allow other credential providers

    Available on Windows OS only

    Select this check box to allow the use of non-SecureAuth credential providers and other credential providers, like card scanners. Be aware of the following, especially the first item:

    • This option is only recommended in test environments. This allows test users to bypass Login for Windows so they can access their machines.

    • Users will be able to log in without using the Login for Windows credential provider, and potentially bypass multi-factor authentication.

    • Since users will see their normal login prompt, they will have to manually select a different login option to use Login for Windows.

  12. Save your changes.

    Saving creates a configuration file, which contains all the customizations that you set.

  13. Download the configuration file, which you will need during installation. The configuration file must live in the same folder as the Login for Endpoint installer file that you will download later.

    Click the download icon in the Actions column. The downloaded file is named config.json.

    If you open the config.json file, it looks like the following code, depending on the OS you are using and the customizations you set:

    Login for Windows config.json example

    {
        "platform": "windows",
        "version": "v2",
        "conf_version": 7,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://idpinstance.secureauth.com/SecureAuth7",
                "id": "6bc7bxxxxxxxxcxxxxxxxxxxxx",
                "secret": "c817e6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            }
        ],
        "alternate_providers": [],
        "multiple_user": false,
        "hide_retry_option": false,
        "bypass_interval": 0,
        "enabled_on_uac": false,
        "idm_sspr_url": "",
        "auto_add_plaps": false,
        "passwordless_enabled": false,
        "ldap_timeout": 30,
        "access_level": 0,
        "user_bypass": []
    }

    Login for Mac config.json example

    {
        "platform": "mac",
        "version": "v2",
        "conf_version": 7,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://idpinstance.secureauth.com/SecureAuth7",
                "id": "6bc7bxxxxxxxxcxxxxxxxxxxxx",
                "secret": "c817e6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            }
        ],
        "access_level": 0,
        "user_bypass": []
    }

    Login for Linux config.json example

    {
        "platform": "linux",
        "version": "v2",
        "conf_version": 7,
        "allow_self_signed": false,
        "adaptive_enabled": true,
        "group_bypass": [],
        "store_seeds": true,
        "custom_error_message": "",
        "install_without_idp": false,
        "suggest_first_login": false,
        "request_timeout": 30,
        "apis": [
            {
                "host": "https://idpinstance.secureauth.com/SecureAuth7",
                "id": "6bc7bxxxxxxxxcxxxxxxxxxxxx",
                "secret": "c817e6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            }
        ],
        "access_level": 0,
        "user_bypass": []
    }

    Note

    If you need to change any of your customizations, you must change them on the Installer Configuration page and download the file again. Any change you make requires an updated config.json file downloaded to the endpoint installation folder.

    Do not directly edit the config.json file unless instructed by SecureAuth Support.
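    As an added example (not part of SecureAuth's product or documentation), the following Python script reads a downloaded config.json and flags the settings this topic warns about before the file goes into the installer folder: allow_self_signed, alternate_providers, install_without_idp, missing timeouts, and user_bypass or group_bypass entries that do not follow the syntax listed on the Multi-Factor Methods tab. It assumes the key names shown in the config.json examples above; the two sample configs and the lint_config function are constructed for illustration, and the API id and secret are placeholders.

```python
import json
import re

# Name syntaxes for user_bypass and group_bypass, as listed on the Multi-Factor Methods tab.
USER_BYPASS_RE = re.compile(r"^(?:\.\\[^\\@\s]+|[^\\@\s]+|[^\\@\s]+@[^\\@\s]+)$")
GROUP_BYPASS_RE = {
    "windows": re.compile(r"^(?:\.\\[^\\@]+|[^\\@]+\\[^\\@]+|[^\\@]+)$"),  # group, domain\group, .\group
    "mac": re.compile(r"^(?:\.\\[^\\@]+|[^\\@]+\\[^\\@]+|[^\\@]+)$"),
    "linux": re.compile(r"^(?:\.\\[^\\@]+|[^\\@]+@[^\\@]+|[^\\@]+)$"),  # group, group@domain, .\group
}

# Constructed sample config.json files (not real downloads); credentials are placeholders.
RISKY_CONFIG = r"""{
  "platform": "windows", "version": "v2", "conf_version": 7,
  "allow_self_signed": true, "adaptive_enabled": true,
  "group_bypass": [".\\Administrators", "customerDomain\\BypassGroup"],
  "store_seeds": true, "install_without_idp": false, "request_timeout": 30,
  "apis": [{"host": "https://idpinstance.secureauth.com/SecureAuth7",
            "id": "ID_PLACEHOLDER", "secret": "SECRET_PLACEHOLDER"}],
  "alternate_providers": ["other"], "ldap_timeout": 30,
  "user_bypass": [".\\jsmith", "jsmith@acme.local", "bad user"]
}"""

CLEAN_CONFIG = r"""{
  "platform": "linux", "version": "v2", "conf_version": 7, "allow_self_signed": false,
  "adaptive_enabled": true, "group_bypass": ["BypassGroup@customerDomain.local", ".\\wheel"],
  "store_seeds": true, "install_without_idp": false, "request_timeout": 30,
  "apis": [{"host": "https://idpinstance.secureauth.com/SecureAuth7",
            "id": "ID_PLACEHOLDER", "secret": "SECRET_PLACEHOLDER"}],
  "ldap_timeout": 30, "user_bypass": []
}"""


def lint_config(text: str) -> list:
    """Parse a config.json and return findings; an empty list means nothing was flagged."""
    cfg = json.loads(text)
    findings = []
    platform = cfg.get("platform", "")
    if cfg.get("allow_self_signed") is True:
        findings.append("allow_self_signed is true: all certificate validation is off, lab use only")
    if cfg.get("install_without_idp") is True:
        findings.append("install_without_idp is true: confirm the grace period or SSPR settings")
    if cfg.get("alternate_providers"):
        findings.append("alternate_providers is set: other credential providers can bypass MFA")
    if cfg.get("store_seeds") is False:
        findings.append("store_seeds is false: users cannot log in while offline")
    for key in ("request_timeout", "ldap_timeout"):
        if key not in cfg:
            findings.append(f"{key} is missing: the endpoint keeps retrying instead of timing out")
    for api in cfg.get("apis", []):
        if not api.get("host", "").startswith("https://"):
            findings.append(f"apis host {api.get('host')!r} is not https")
    for name in cfg.get("user_bypass", []):
        if not USER_BYPASS_RE.match(name):
            findings.append(f"user_bypass entry {name!r}: expected .\\user, user, or user@domain")
    group_re = GROUP_BYPASS_RE.get(platform)
    for name in cfg.get("group_bypass", []):
        if group_re is None or not group_re.match(name):
            findings.append(f"group_bypass entry {name!r} is not valid syntax for {platform!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_CONFIG), ("clean", CLEAN_CONFIG)):
        print(label, lint_config(text) or ["no findings"])
```

    Run it against a freshly downloaded config.json (replace the sample text with the file contents) as a read-only check; any change it flags still has to be made on the Installer Configuration page and the file downloaded again.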

  14. Your Login for Endpoint (Windows, Mac, or Linux) is set up with the Identity Platform.

    You are now ready to install the endpoint on the target workstation (laptop, desktop, server, etc).