Identity Platform and Arculix integration

Set up SecureAuth® Identity Platform as an IdP factor to enable intelligent MFA with Arculix by SecureAuth and the Arculix Mobile app. Combining the Identity Platform with Arculix extends your capabilities with a passwordless continuous authentication solution.

An end user's login to an application starts in the Identity Platform, which verifies their identity. The authentication process is then redirected to Arculix for authentication with the Arculix Mobile app. Upon successful verification, the user is redirected back to the Identity Platform for access to the application.

Prerequisites

Identity Platform
  • Available in the following Identity Platform product releases:

    • Identity Platform release 22.12 or later

    • Identity Platform release 22.02 with hotfix 22.02-2 or later

    • Identity Platform release 21.04 with hotfix 21.04-9 or later

    • Identity Platform release 20.06 with hotfix 20.06-14 or later

    • Identity Platform release 19.07.01 with hotfix 19.07.01-36 or later

  • Have an Active Directory data store integrated in the Identity Platform

  • Have MFA authentication policy set up in the Identity Platform

  • Have an application integrated in the Identity Platform

Arculix
  • Have MFA authentication policy set up in Arculix

  • User account with administrative privileges for Arculix

  • Base URL for your Arculix account

    Note

    You'll need to know the base URL to the SSO landing page for your Arculix account in this format:

    https://sso.arculix.com/<yourorganization>

Arculix theme

A new Arculix theme is available for the end user login pages. Go to the Advanced Settings > Overview tab to set the Arculix theme.

This theme is available only in Identity Platform release 22.12.

Step 1: Set up data store (Active Directory)

In the Identity Platform settings for the Active Directory data store, set the connection and mapping values.

Note

Arculix expects the username@domain format when connecting to the Identity Platform.

Instead of userPrincipalName, you can use Email if the user email has the username@domain format and the domain in the email is the same as the domain set up in the data store connection setting.

  1. In the Identity Platform, go to the Active Directory data store.

    This might be in the New Experience or the Advanced Settings (formerly Classic Experience), depending on where you initially added this data store.

  2. In the connection settings for the data store, set the Search Filter to: (&(|(samAccountName=%v)(userPrincipalName=%v)))

    The following screenshots are examples of data store settings in the New Experience and Advanced Settings.

    Data store setting in the New Experience

    Data store setting in the Advanced Settings

  3. In the data store profile property settings, map the userPrincipalName to an available Aux ID field, like Aux ID 9.

    The following screenshots are examples of data store settings in the New Experience and Advanced Settings.

    Data store properties in the New Experience

    Data store properties in the Advanced Settings

  4. Save your changes.

Step 2: Set up SAML Consumer configuration

In the Identity Platform, set up the SAML consumer configuration for the Arculix side as an IdP factor.

  1. For an application in the Identity Platform, do one of the following:

    • In the New Experience, in the application settings (Application Manager or Internal Application Manager), click the Go to Advanced Settings to configure this integration with Arculix link. 

      Note: This link is available only in the Identity Platform release 21.04 or later.

      Link in the Application Manager

      Link in the Internal Application Manager

    • In the Advanced Settings for the selected application, select the Workflow tab.

  2. Scroll down to the SAML Consumer section and set the following configurations.

    IdP Factoring

    Set to True.

    User ID Mapping

    Set it to where you mapped the userPrincipalName in the data store profile properties.

    For example, Aux ID 9.

  3. Click Add Identity Provider and set the following configurations.

    Identity Provider Name

    Provide a friendly name for this integration. You'll want to copy this name for the Arculix side of the integration.

    This name also displays in the SAML Consumer table.

    For example, IdP-Arculix

    SAML Issuer

    Enter the SAML Issuer information for your organization on the Arculix side. This is your Arculix base URL followed by /saml.

    For example, https://sso.arculix.com/<your-organization>/saml.

    SAML Audience

    Provide a name for this integration (you can use the same name as the Identity Provider Name, above).

    For example, IdP-Arculix

    IdP Login URL

    Enter the login URL for your organization on the Arculix side. This is your Arculix base URL followed by /saml/idp_factor.

    For example, https://sso.arculix.com/<your-organization>/saml/idp_factor

  4. Save your changes.

Step 3: Download SAML signing certificate

You'll need to download the SAML signing certificate for the Arculix side.

  1. In the Identity Platform Advanced Settings (formerly Classic Experience), select the Post Authentication tab.

  2. In the Post Authentication section, set Authenticated User Redirect to any SAML option like SAML 2.0 (SP Initiated) Assertion.

  3. In the SAML Assertion / WS Federation section, enter the name of the Domain and click the Metadata file Download link.

Step 4: Arculix SAML configuration as an Identity Provider (IdP)

In Arculix, you'll add an application for the Identity Platform and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations.

    Name

    Use the same Identity Provider Name that you set up in the Identity Platform in the SAML Consumer section in Step 2: Set up SAML Consumer configuration.

    This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, IdP-Arculix

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the allowed authentication methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, security key, and so on.

    Message for MFA Requests

    (Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations.

    Issuer or Entity ID

    Use the same Identity Provider Name that you set up in the Identity Platform in the SAML Consumer section in Step 2: Set up SAML Consumer configuration.

    For example, IdP-Arculix

    Log in URL

    Enter the login URL of the application provided by the Identity Platform.

    For example, https://secureauth.company.com/SecureAuth47/SAMLSP.aspx

    Username Field for Upstream IdP

    Set to userPrincipalName.

    Assertion Consumer Services (ACS) URL

    Enter the Assertion Consumer Service URL of the application provided by the Identity Platform.

    For example, https://secureauth.company.com/SecureAuth47/AssertionConsumerService.aspx

    Certificate

    Open the Identity Platform certificate file you downloaded in Step 3: Download SAML signing certificate in a text editor like Notepad.

    Copy the certificate X509 metadata between the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

    Paste the certificate X509 metadata into the Certificate field.

  5. Select the SAML IdP Settings tab and click Download Certificate.

  6. Save your changes.
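
Steps 2 and 4 repeat the same few values on both sides, and a mismatch in any of them breaks the SAML exchange. The following added example (not SecureAuth code) cross-checks the values from this page before you save them; the dictionary keys, the function name and the example-org organization are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def check_integration(base_url, idp, arculix):
    """Return mismatches between the Identity Platform and Arculix settings."""
    # Dictionary keys are hypothetical names for the fields on this page.
    problems = []
    base = base_url.rstrip("/")
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("base URL must be an absolute https:// URL")

    # Values the page derives from the Arculix base URL.
    expected = {
        "saml_issuer": base + "/saml",
        "idp_login_url": base + "/saml/idp_factor",
    }
    for field, want in expected.items():
        got = idp.get(field, "").rstrip("/")
        if got != want:
            problems.append(f"{field}: expected {want!r}, found {got!r}")

    # The Identity Provider Name is reused on the Arculix side. The comparison
    # is exact, so a stray space or a change of case is reported.
    name = idp.get("identity_provider_name", "")
    for field in ("name", "issuer_or_entity_id"):
        if arculix.get(field) != name:
            problems.append(f"arculix.{field} differs from {name!r}")

    if arculix.get("username_field") != "userPrincipalName":
        problems.append("arculix.username_field should be userPrincipalName")
    return problems

# Constructed sample values; "example-org" is a placeholder organization.
BASE = "https://sso.arculix.com/example-org"
IDP = {
    "identity_provider_name": "IdP-Arculix",
    "saml_issuer": BASE + "/saml",
    "idp_login_url": BASE + "/saml/idp_factor",
}
ARCULIX = {
    "name": "IdP-Arculix",
    "issuer_or_entity_id": "IdP-Arculix ",  # trailing space from copy and paste
    "username_field": "userPrincipalName",
}

if __name__ == "__main__":
    for problem in check_integration(BASE, IDP, ARCULIX):
        print("MISMATCH:", problem)
```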

Step 5: Upload Arculix certificate to the Identity Platform

  1. Open the certificate file you downloaded in Step 4: Arculix SAML configuration as an Identity Provider (IdP) in a text editor like Notepad.

  2. Copy the certificate information between the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

  3. In the Identity Platform, go back to the SAML Consumer section.

  4. In the SAML Consumer table, click Edit for Arculix as an IdP (for example, IdP-Arculix).

  5. In the Signing Certificate field, paste the certificate information from Arculix.

  6. Save your changes.
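
The certificate pasted in Step 4 (Certificate field) and in Step 5 (Signing Certificate field) becomes the trust anchor for signed SAML messages, so it is worth confirming that the pasted text is byte-for-byte the certificate you downloaded. The following added example (not SecureAuth code) extracts the body between the marker lines, tolerates the CRLF line endings a Notepad copy carries, and compares SHA-256 fingerprints; the function names are assumptions and the sample payload is constructed filler bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def certificate_body(pem_text):
    """Return the base64 text between the marker lines, whitespace removed."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # Zero blocks usually means damaged marker lines; more than one means
        # the file holds a chain and the wrong certificate could be pasted.
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    return "".join(blocks[0].split())  # drops CRLF, spaces and line wraps

def sha256_fingerprint(body):
    """SHA-256 of the decoded bytes as colon-separated upper-case hex."""
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_certificate(downloaded_pem, pasted_field):
    """True when the pasted field decodes to the same bytes as the download."""
    pasted = "".join(pasted_field.split())
    return sha256_fingerprint(certificate_body(downloaded_pem)) == \
        sha256_fingerprint(pasted)

# Constructed stand-in for a downloaded file: filler bytes, base64-encoded,
# wrapped at 64 columns with CRLF line endings.
DER_SAMPLE = bytes(range(256)) * 3
B64_SAMPLE = base64.b64encode(DER_SAMPLE).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(
    B64_SAMPLE[i:i + 64] for i in range(0, len(B64_SAMPLE), 64)
) + "\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    body = certificate_body(SAMPLE_PEM)
    print(sha256_fingerprint(body))
    print(same_certificate(SAMPLE_PEM, body[:-4]))  # truncated paste: False
```

Record the fingerprint when you download each certificate and compare it again after pasting; a differing value means the field holds a truncated or different certificate.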