SecureAuth IdP and Arculix integration (IdP Factoring)
Integrate SecureAuth® Identity Platform with Arculix to enable intelligent MFA. When you combine SecureAuth IdP and Arculix, you can improve your security posture with a passwordless continuous authentication solution.
As an IdP factor, SecureAuth IdP provides authentication and the flow goes through Arculix as an authentication and MFA factor.
The end user login to an application starts in SecureAuth IdP to verify their identity. Then, it redirects the authentication process to Arculix for intelligent authentication. After verifying the user, it sends them back through SecureAuth IdP to access an application.
Prerequisites
Identity Platform release 24.04
Note
For Identity Platform releases 23.07 or earlier, see the integration guide specific to an earlier Identity Platform release number like Identity Platform 23.07.
Have an integration with a supported data store in the Identity Platform
Have MFA authentication policy set up
Have at least one application integrated and attached to the authentication policy (Resources tab)
Have a configured Arculix instance and user account with administrative privileges for Arculix
Have an Identity Provider created in Arculix
Have a policy set up in Arculix
Base URL for your Arculix account
Note
You'll need to know the base URL to the SSO landing page for your Arculix account in this format:
https://sso.arculix.com/<yourorganization>
Arculix theme
A new Arculix theme is available for the end user login pages. In SecureAuth IdP, go to the Advanced Settings > Overview tab to set the Arculix theme.
Theme is available only in SecureAuth IdP release 22.12 or later.
Task A: Configure your data store
In SecureAuth IdP settings for the data store, set the connection and mapping values.
In SecureAuth IdP, go to the data store settings.
This might be in the New Experience or the Advanced Settings (formerly Classic Experience), depending on where you initially added this data store.
In the connection settings for the data store, set the appropriate Search Filter.
For example, set your search attribute to use
userPrincipalName
,mail
, or if you have Active Directory, use(&(|(samAccountName=%v)(userPrincipalName=%v)))
.Note
Arculix expects the
username@domain
email format when connecting to SecureAuth IdP.Make sure the domain in the email attribute is the same as the domain set up in the data store connection setting.
The following screenshot is an example of the data store Search Filter in the New Experience.
In the data store profile property settings, map the userPrincipalName search attribute from the data store to an available Aux ID field and clear the Writable check box.
For example, map userPrincipalName to Aux ID 9. This will be the "Request" in the SAML-based authentication to an external IdP like Arculix.
The following screenshot is an example of the data store mapping in the New Experience.
Save your changes.
Task B: Add Arculix as an external identity provider
In SecureAuth IdP, you will delegate the SAML-based authentication to an external IdP like Arculix. In this section you will add Arculix as an IdP in the authentication policy.
Open an authentication policy and select the Login Workflow tab.
In the Other settings section, click the blue Open settings link and move the slider to Enabled.
On the External Identity Provider page, set the following configurations.
Use SecureAuth IdP as the primary IdP
Select this check box as True.
True – SecureAuth IdP validates the user login.
False – Arculix validates the user login.
User ID Mapping (Request)
Set it to where you mapped the email Search Attribute like userPrincipalName, in the data store profile properties.
For example, Aux ID 9
User ID Mapping (Response)
Set it to the mapped SAML Consumer response from Arculix, like the samAccountName or Authenticated User ID.
For example, Authenticated User ID
Click Add Identity Provider and set the following configurations.
Name
Provide a descriptive name that identifies Arculix as an external identity provider.
For example, IdP-Arculix
SAML Issuer
Enter the SAML Issuer information for your organization on the Arculix side. This is your Arculix base URL followed by
/saml
.You can find this in Arculix in the Identity Provider Single Sign-on URL field.
For example,
https://sso.arculix.com/<your-organization>/saml
SAML Audience
Provide a descriptive name that identifies Arculix (you can use the same name as the Identity Provider Name, above).
For example, IdP-Arculix
IdP Login URL
Enter the login URL for your organization on the Arculix side. This is your Arculix base URL followed by
/saml/idp_factor
.For example,
https://sso.arculix.com/<your-organization>/saml/idp_factor
SAML Conditions
Select this check box. This activates the validation of time-based constraints on SAML assertions. It ensures they are only used within their valid time period of the SAML assertion. It checks:
NotBefore – Assertion is invalid if used before this time.
NotOnOrAfter – Assertion is invalid if used on or after this time.
This setting adds another layer of security. It stops the potential misuse of SAML assertions outside their intended time.
IssueInstant Valid Time
Set the number of hours during which the SAML assertion is valid.
Clock Skew
Set the number of minutes that SecureAuth IdP subtracts from the NotBefore SAML condition to account for any time differences between SecureAuth IdP and Arculix.
Signing Certificate
Paste the certificate blob from Arculix.
You can come back to this after you've completed Task D: Arculix SAML configuration as an identity provider (IdP). This is also covered in Task E: Paste Arculix certificate in SecureAuth IdP.
Save your changes.
Task C: Download SecureAuth IdP metadata
You'll need to download SecureAuth IdP SAML metadata (also known as the IdP signing certificate) for the Arculix side.
In the Application Manager, click the edit pencil icon for any SAML application.
Click the Info for service providers link.
On the Information for Service Providers page,for the IdP Signing Certificate, click the Download link.
Task D: Arculix SAML configuration as an identity provider (IdP)
In Arculix, you'll add an application for SecureAuth IdP and set the SAML configuration settings. This will be the identity provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations.
Name
Use the same Identity Provider Name that you set up in SecureAuth IdP in the SAML Consumer section in Task B: Add Arculix as an external identity provider.
This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, IdP-Arculix
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed authentication methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, security key, and so on.
Message for MFA Requests
(Optional) Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations.
Upstream IdP
Select this check box to use SecureAuth IdP for the initial authentication and only use Arculix to handle the multi-factor authentication.
IdP Initiated
Leave this check box cleared.
Issuer or Entity ID
Use the same Identity Provider Name that you set up in SecureAuth IdP in the SAML Consumer section in Task B: Add Arculix as an external identity provider.
For example, IdP-Arculix
Log in URL
Enter the login URL of your SecureAuth IdP server.
For example,
https://secureauth.company.com/SecureAuth
The authentication policy in SA IdP has multiple applications attached on the Resources tab. So, you do not need to add a realm number in the URL.
Username Field for Upstream IdP
Set to userPrincipalName.
Assertion Consumer Services (ACS) URL
Leave this field blank.
Algorithm
Set to RSA-SHA256.
Certificate
Open the SecureAuth IdP metadata file you downloaded in Task C: Download SecureAuth IdP metadata, in a text editor like Notepad.
Copy the SecureAuth IdP certificate blob, including the beginning
-----BEGIN CERTIFICATE-----
and ending-----END CERTIFICATE-----
like the following example.Then, in the Service Provider Certificate field, paste the SecureAuth IdP certificate blob like the following example.
Select the SAML IdP Settings tab. Then, copy the Identity Provider Signing Certificate.
Save your changes.
Task E: Paste Arculix certificate in SecureAuth IdP
Go back to SecureAuth IdP, in the Policy > Workflow tab and open settings for the External Identity Provider.
For the Arculix identity provider certificate file you copied in Task D: Arculix SAML configuration as an identity provider (IdP), paste it in the Signing Certificate field.
Save your changes.