Introduction

Use this guide to configure the Workflow tab in the Web Admin for each SecureAuth IdP realm.

This includes authentication modes, custom tokens, adaptive authentication (risk analysis), and certificate / token properties.

See Sample Workflow Configuration Guides for assistance.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview and the Data tabs in the Web Admin before configuring the Workflow tab

Workflow Configuration Steps

1. In the Product Configuration section, select the Integration Method from the dropdown

The selection made here will alter the options for Client Side Control and IE / PFX / Java Cert Type

  • Select Certification Enrollment and Validation for web-based authentication (used for the majority of application integrations)
  • Select Certificate Enrollment Only for X.509 VPN authentication
  • Select Mobile Enrollment and Validation for mobile browser authentication or enrollment (e.g. native mobile apps, OATH enrollment)
 If Certification Enrollment and Validation is selected
Product Configuration

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Java Applet to store the SecureAuth IdP X.509 certificate in the JRE managed code file set
  • Select Browser Plug-ins to store the certificate in the native key store
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
 If Java Applet is selected
Product Configuration


3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

4. Select Password Expiration Date from the Certificate Expiration dropdown if the certificate is to expire when the password expires

Select Private Mode Cert Length if the certificate is to expire after a designated number of days

5. Select Cert Expiration Date from the Certificate Valid Until dropdown if the certificate is to remain valid up until the expiration

Select Private Mode Cert Length if the certificate is to remain valid for a designated number of days

6. Set the number of days during which a certificate will not expire and will remain valid in the Private Mode Cert Length field if Private Mode Cert Length was selected in step 4 or 5

7. Set the number of hours during which the Public Mode Certificate is valid in the Public Mode Cert Length field

This applies only to realms in which Certificate Enrollment is selected from the Integration Method dropdown in the Product Configuration section

8. Set the number of hours during which the cookie (browser credential) delivered to a mobile device is valid in the Mobile Credential Length field

9. Set the maximum number of certificates that a user can have at one time in the Global Cert Limit field

10. Set the maximum number of mobile cookies that a user can have at one time in the Global Mobile Limit field

11. Select Fall Back to 2nd Factor or Display Error Message from the Check CRL dropdown for SecureAuth IdP to check the Certificate Revocation List

Select Disabled to opt out of checking the CRL; the CRL check is not required with SecureAuth IdP

12. Click Configure Email Notification to enable and set up Expired Certificate Warning emails (optional)

 To configure Email Notifications
Expired Certificate Warning

1. Select Enabled from the Email Notification dropdown to enable the warning notifications

2. Select True from the Multiple Certs per User dropdown to notify users of all certificate expirations, rather than just one

3. From the Email Field dropdown, select the Email Property that corresponds to the data store field containing the user's email address to which the notifications will be sent

4. Set the number of days before the expiration on which the notifications will begin in the Warning Period field

5. Select Daily from the Notification Interval dropdown if an email notification will be sent once a day

6. Set the Notification Start Time at which the email will be sent

Click Save once the configurations have been completed and before leaving the Email Notification page to avoid losing changes

 If Browser Plug-ins is selected
Product Configuration


3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Steps 4 through 12 and the Email Notification steps are identical to those listed above under If Java Applet is selected

 If Universal Browser Credential (UBC) is selected
Product Configuration


3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Steps 4 through 12 and the Email Notification steps are identical to those listed above under If Java Applet is selected

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device digital fingerprinting

3. Set the Weights of FP Components to weight the significance of specific device / browser characteristics

The HTTP Headers and the System Components weights together must equal 100%

4. In the Normal Browser Settings section, select Cookie from the FP Mode dropdown if a cookie that corresponds with the Fingerprint will be delivered to the browser

This enhances recognition of the Fingerprint during SecureAuth IdP authentication

5. Provide a Cookie name prefix, which can be anything

6. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

7. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP is to verify the Cookie Name Prefix (Fingerprint ID) in the cookie

8. Set the Authentication Threshold to the acceptable match percentage above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

9. Set the Update Threshold to the acceptable match percentage above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

10. In the Mobile Settings section, select Mobile App if, instead of delivering a Cookie to the device / browser, a unique ID that corresponds with the Fingerprint will be pulled from the device

11. Provide a Cookie name prefix, which can be anything

12. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

13. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP is to verify the Cookie Name Prefix (Fingerprint ID) in the cookie

14. Select True from the Skip IP Match dropdown if the IP Address of the device is not required to match the IP Address recorded in the Fingerprint

15. Set the Authentication Threshold to the acceptable match percentage above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

16. Set the Update Threshold to the acceptable match percentage above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

17. Set the FP expiration length to the total number of days for which the Fingerprint will be valid; set it to zero if there is no expiration

18. Set the FP expiration since last access to the number of days for which the Fingerprint will remain valid after the user's last access; set it to zero if there is no expiration

19. Select True from the Only 1 FP per browser dropdown if multiple Fingerprints per browser are not allowed

20. Set the Total FP max count to limit the number of Fingerprints that can be stored in a user's profile

Set this to -1 if there is no limit

21. Select Allow to Replace from the When exceeding max count dropdown if a Fingerprint can be replaced by a new one once the limit has been reached

Selecting Not Allow to Replace means that administrative action is required to remove the Fingerprint(s)

22. Select Created Time from the Replace in order by dropdown to replace the oldest created Fingerprint with a new one

Select Last Access Time to replace the least recently used Fingerprint with a new one

23. Set the FP's access record max count to the number of Fingerprint access history records that will be stored in the directory
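As an added illustration (not SecureAuth code), the following Python model applies the component weights, thresholds, expiration rules and max-count replacement policy from steps 3, 8, 9 and 17 through 22 to a user's stored Fingerprint profile; the same rules govern the Mobile Settings and the Mobile Enrollment and Validation fingerprinting workflow. The per-component scoring, the record layout and the at-or-above reading of "above which" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import uuid


@dataclass
class FingerprintSettings:
    """Fields mirror the fingerprinting settings in the Workflow tab; defaults are illustrative."""
    header_weight: int = 40       # Weights of FP Components: HTTP Headers (%)
    system_weight: int = 60       # Weights of FP Components: System Components (%)
    auth_threshold: int = 95      # Authentication Threshold (%)
    update_threshold: int = 85    # Update Threshold (%), must be below auth_threshold
    fp_expiration_days: int = 0   # FP expiration length in days; 0 = no expiration
    fp_idle_days: int = 0         # FP expiration since last access in days; 0 = no expiration
    total_fp_max: int = -1        # Total FP max count; -1 = no limit
    allow_replace: bool = True    # When exceeding max count: Allow to Replace
    replace_by: str = "created"   # Replace in order by: "created" or "last_access"

    def validate(self) -> None:
        """Enforce the constraints the guide states for these fields."""
        if self.header_weight + self.system_weight != 100:
            raise ValueError("HTTP Headers and System Components weights must total 100%")
        if not 0 <= self.update_threshold < self.auth_threshold <= 100:
            raise ValueError("Update Threshold must be below Authentication Threshold")
        if self.replace_by not in ("created", "last_access"):
            raise ValueError("Replace in order by must be Created Time or Last Access Time")


@dataclass
class StoredFingerprint:
    """Assumed shape of one Fingerprint record in the user's profile."""
    fp_id: str
    headers: dict
    system: dict
    created: datetime
    last_access: datetime


def _fraction_unchanged(stored: dict, observed: dict) -> float:
    """Assumed per-group scoring: share of stored components the client still reports unchanged."""
    if not stored:
        return 1.0
    return sum(1 for k, v in stored.items() if observed.get(k) == v) / len(stored)


def match_score(s: FingerprintSettings, fp: StoredFingerprint, headers: dict, system: dict) -> float:
    """Weighted match percentage of an observed device against a stored Fingerprint."""
    return (s.header_weight * _fraction_unchanged(fp.headers, headers)
            + s.system_weight * _fraction_unchanged(fp.system, system))


def is_expired(s: FingerprintSettings, fp: StoredFingerprint, now: datetime) -> bool:
    """Steps 17 and 18: total-age and idle-time expiration, zero meaning never."""
    if s.fp_expiration_days and now - fp.created > timedelta(days=s.fp_expiration_days):
        return True
    if s.fp_idle_days and now - fp.last_access > timedelta(days=s.fp_idle_days):
        return True
    return False


def evaluate(s: FingerprintSettings, profile: list, headers: dict, system: dict,
             now: datetime) -> tuple:
    """Apply the thresholds and storage limits to one access attempt; profile is pruned in place.

    Returns (decision, fp_id) where decision is one of:
      'authenticated' - match at/above Authentication Threshold; the FP serves as 2nd factor
      'updated'       - match at/above Update Threshold; stored FP refreshed, another 2nd factor needed
      'created'       - no close enough match; a new FP is stored
      'rejected'      - Total FP max count reached and Not Allow to Replace is set
    """
    profile[:] = [fp for fp in profile if not is_expired(s, fp, now)]
    best = max(profile, key=lambda fp: match_score(s, fp, headers, system), default=None)
    if best is not None:
        score = match_score(s, best, headers, system)
        if score >= s.auth_threshold:
            best.last_access = now
            return "authenticated", best.fp_id
        if score >= s.update_threshold:
            best.headers, best.system, best.last_access = dict(headers), dict(system), now
            return "updated", best.fp_id
    if s.total_fp_max != -1 and len(profile) >= s.total_fp_max:
        if not s.allow_replace:
            return "rejected", None
        # Step 22: evict the oldest created or the least recently used Fingerprint
        order = (lambda fp: fp.created) if s.replace_by == "created" else (lambda fp: fp.last_access)
        profile.remove(min(profile, key=order))
    new_fp = StoredFingerprint(uuid.uuid4().hex[:8], dict(headers), dict(system), now, now)
    profile.append(new_fp)
    return "created", new_fp.fp_id
```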

 If Certificate Enrollment Only is selected
Product Configuration


2. The Client Side Control will be set to Browser Plug-ins / Keygen (no other option)

3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Steps 4 through 12 and the Email Notification steps are identical to those listed above under If Java Applet is selected

 If Mobile Enrollment and Validation is selected
Product Configuration

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Browser Credential to store a cookie in the browser
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
 If Browser Credential is selected
Product Configuration


3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Steps 4 through 12 and the Email Notification steps are identical to those listed above under If Java Applet is selected

 If Universal Browser Credential (UBC) is selected
Product Configuration


3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Certificate / Token Properties

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Steps 4 through 12 and the Email Notification steps are identical to those listed above under If Java Applet is selected

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device digital fingerprinting

Steps 3 through 23 are identical to the Browser/Mobile Device digital fingerprinting steps listed above under If Device / Browser Fingerprinting is selected for the Certification Enrollment and Validation integration method

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Multi-Domain Configuration


4. Click View and Configure Multi-Store / Workflow only if this realm will enable multiple data store integrations that lead to distinct workflows (optional)

 To configure Multi-Store / Workflow
Multiple Workflow Configuration


1. Select an initial realm to copy from the Create using this realm dropdown

This is the realm on which users will start

2. Enter the realm that has the desired workflow in the Workflow options field

3. Select Create with mobile realm to generate a mobile-friendly version of the workflow

4. Click Add Realm to create the new realm that follows the desired multi-domain / multi-workflow

5. Click on a realm (e.g. SecureAuth5) in the Domain List and click Remove Realm to delete the multi-domain / multi-workflow

Click Save once the configurations have been completed and before leaving the Multi-Workflow page to avoid losing changes

Workflow

5. Select Private and Public Mode from the Public/Private Mode dropdown to enable both modes during the login process

If the end-user selects Private Mode on the login page, SecureAuth IdP checks for a certificate / token / Fingerprint, or delivers a certificate / token to the browser or pulls device information to create a Fingerprint for subsequent access attempts

6. Select which option is selected by default on the end-user login page (if Private and Public Mode is enabled) from the Default Public / Private dropdown

7. Select True from the Remember User Selection dropdown if the user's last Private / Public Mode selection is to be used as the default for subsequent access attempts

8. Select the Authentication Mode, which is the workflow through which users will go to obtain access

 Standard (User / 2nd Factor / Password)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Second Factor Only

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 User/Password on 1st Page (+2nd factor)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Registration Code

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Reg Code + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

 User/Password Only (On separate pages)

No special configuration is required for this option

 User/Password on 1st page (no 2nd factor)

No special configuration is required for this option

 UserName Only

No special configuration is required for this option

 Validate Persistent Token Only

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

9. Select Enabled from the Inline Password Change dropdown to redirect users back into the workflow after their passwords have been changed

10. Select True from the Encrypt Password (Java only) dropdown to encrypt the end-user's password (provided during login) before it is sent to the SecureAuth IdP server for validation

This applies only when Java Applet is selected from the Client Side Control dropdown

11. Set the Java Timeout

12. Select True from the Validate Persistent Token dropdown if SecureAuth IdP is to check the validity of the persistent token during the authentication process

13. Select True from the Renew Persistent Token (After Validation) dropdown if the persistent token is to be renewed after SecureAuth IdP checks its validity (step 12)

14. Select True from the User Impersonation dropdown if this realm will run under a user's account rather than the service account

15. Select False from the Windows Authentication dropdown

Select True if this realm will utilize Windows Desktop SSO

16. From the Allow Fall Back dropdown, select the action that will occur if the Java Applet fails to launch

17. Select False from the Allow Transparent SSO dropdown

Select True if this realm will utilize SecureAuth IdP SSO; this enables SP-initiated or Secure Portal SSO

No configuration is necessary for the other fields, unless required for the customer's environment

The following sections require no configuration unless this realm has specific needs for them (noted in section titles)

 Custom Front End Configuration (if using a Begin Site or if SP requires it)
Custom Front End


Refer to the specific Begin Site Configuration Guide or the specific Integration Guide to view the distinct configuration steps

 Analyze Configuration (to include adaptive authentication in the workflow)
Analyze

The Risk Factor feature is the only one of these policies that requires specific licensing. Contact SecureAuth to upgrade the appliance

1. Check Enable to enable IP Restriction analysis

2. Select Allow from the IP Criteria dropdown to permit the listed IP addresses to access the target resource; select Deny to block the listed IP addresses from accessing the target resource

3. Provide the IP List to distinguish which IP addresses will be allowed or denied access, based on the selection made in step 2

4. Select the Denied Action from the dropdown

5. Set the Redirect URL if Redirect is selected in step 4

6. Check Enable to enable IP Risk Factor analysis

7. Select the Acceptable Risk Level at or under which access is allowed

8. Select the Failure Action from the dropdown

9. Provide the Redirect URL if Redirect is selected in step 8

10. Check Enable to enable Group Restriction

11. Select Allow from the Group Criteria dropdown to permit the listed user groups to access the target resource; select Deny to block the listed user groups from accessing the target resource

12. Provide the Group List to distinguish which user groups will be allowed or denied access, based on the selection made in step 11

13. Select the Denied Action from the dropdown

14. Provide the URL Redirect if Redirect is selected in step 13

15. Check Enable to enable Geo-velocity analysis

To enable Geo-velocity, map the Access Histories profile property to a directory attribute and make it writable in the Data tab

16. Set the Miles Per Hour Limit to define the maximum speed of travel considered possible, so that login attempts from separate locations are checked for whether the travel between them could have happened in the elapsed time

17. Select the Failure Action from the dropdown

18. Provide the URL Redirect if Redirect is selected in step 17
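The Analyze policies above (IP Restriction, Group Restriction and Geo-velocity) can be modelled in a few functions. This is an added example, not SecureAuth IdP code: the Allow/Deny criteria, the Redirect action with its Redirect URL, the Access Histories input and the Miles Per Hour Limit follow the page, while the CIDR handling, the haversine distance and the handling of two logins at the same instant are assumptions of the model.

```python
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius, used for the distance between two logins

def _decide(permitted, action, redirect_url):
    """Allow passes; otherwise return the configured Denied/Failure Action.
    Redirect is the only action named on the page; it carries the Redirect URL."""
    if permitted:
        return ("Allow", None)
    return (action, redirect_url if action == "Redirect" else None)

def ip_restriction(criteria, ip_list, client_ip, denied_action, redirect_url=None):
    """IP Restriction: Allow passes listed addresses, Deny blocks them.
    ip_list entries may be single addresses or CIDR ranges (assumed)."""
    assert criteria in ("Allow", "Deny")
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(e, strict=False) for e in ip_list)
    return _decide(listed if criteria == "Allow" else not listed, denied_action, redirect_url)

def group_restriction(criteria, group_list, user_groups, denied_action, redirect_url=None):
    """Group Restriction: same Allow/Deny semantics over the user's directory groups."""
    assert criteria in ("Allow", "Deny")
    listed = any(g in group_list for g in user_groups)
    return _decide(listed if criteria == "Allow" else not listed, denied_action, redirect_url)

def _haversine_miles(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def geo_velocity(last_access, this_access, mph_limit, failure_action, redirect_url=None):
    """Geo-velocity: the previous login (from Access Histories) and this one are
    (ISO timestamp, latitude, longitude). The implied travel speed must not exceed
    the Miles Per Hour Limit; equal timestamps only pass for the same location."""
    t0, lat0, lon0 = last_access
    t1, lat1, lon1 = this_access
    hours = (datetime.fromisoformat(t1) - datetime.fromisoformat(t0)).total_seconds() / 3600
    miles = _haversine_miles(lat0, lon0, lat1, lon1)
    possible = miles == 0 if hours <= 0 else miles / hours <= mph_limit
    return _decide(possible, failure_action, redirect_url)

if __name__ == "__main__":
    # Constructed sample data: a New York login followed by a London login one hour later
    nyc = ("2024-05-01T08:00:00", 40.7128, -74.0060)
    london = ("2024-05-01T09:00:00", 51.5074, -0.1278)
    print(ip_restriction("Allow", ["10.0.0.0/8"], "203.0.113.5", "Redirect", "https://idp.example.com/r"))
    print(geo_velocity(nyc, london, 500, "Redirect", "https://idp.example.com/r"))  # Redirect: ~3460 mph
```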

(OPTIONAL) Redirect with Username Use Case Configuration Steps

Follow these optional configuration steps to redirect users to another SecureAuth IdP realm with the provided username

These steps apply to the Redirect Denied Action and allow end-users to log into the second realm without entering their username again

This use case's configuration requires settings on the initial realm (Realm A) and the realm to which end-users are redirected (Realm B)

Workflow


1. In Realm A only, in the Analyze section, select Redirect from the Denied Action dropdown

NOTE: This configuration can be completed in any of the four Analyze policies

Shown as an example is the Group Restriction policy

2. In the Redirect URL field, prepend RedirectWithToken.aspx?Target= to the realm URL, e.g. RedirectWithToken.aspx?Target=https://secureauth.company.com/secureauth2

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication

The following steps are required for both Realm A and Realm B (the realm to which end-users are redirected from Realm A)


3. In the Forms Auth / SSO Token section, click View and Configure Forms Auth Keys / SSO Token

Forms Authentication


4. Set the Name to a unique, friendly token name

Machine Key


5. Set the Validation Key and Decryption Key to the same values; if no keys have been generated, keep the default values

Authentication Cookies


6. Set the Pre-Auth Cookie and Post-Auth Cookie to the same, unique token name set in step 4

Click Save once the configurations have been completed and before leaving the Token Settings page to avoid losing changes
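Why steps 4 to 6 insist on matching keys and a matching cookie name in both realms is easiest to see in code. The block below is an added example, not SecureAuth IdP code: it models the token as a base64 payload with an HMAC-SHA256 tag computed under the Validation Key (the role the validation key plays in ASP.NET forms authentication), leaves out the payload encryption that the Decryption Key would provide, and uses constructed key and cookie-name values.

```python
import base64
import hashlib
import hmac
import json

# Simplified model of the Forms Auth / SSO Token shared between Realm A and Realm B.
# Assumption: the Validation Key authenticates the token with HMAC-SHA256; the
# Decryption Key, which would additionally encrypt the payload, is omitted here.

def issue_token(validation_key: bytes, cookie_name: str, username: str) -> dict:
    """Realm A writes its Post-Auth Cookie: a base64 payload plus a MAC that is
    bound to both the payload and the cookie name."""
    payload = base64.urlsafe_b64encode(json.dumps({"user": username}).encode()).decode()
    tag = hmac.new(validation_key, f"{cookie_name}|{payload}".encode(), hashlib.sha256).hexdigest()
    return {cookie_name: f"{payload}.{tag}"}

def read_token(validation_key: bytes, cookie_name: str, cookies: dict):
    """Realm B reads its Pre-Auth Cookie. Returns the username only when the
    cookie name matches step 6 and the Validation Key matches step 5; otherwise
    None, which means the user would be prompted for the username again."""
    value = cookies.get(cookie_name)
    if value is None or "." not in value:
        return None
    payload, tag = value.rsplit(".", 1)
    expected = hmac.new(validation_key, f"{cookie_name}|{payload}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the MAC
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))["user"]
    except (ValueError, KeyError, TypeError):
        return None

if __name__ == "__main__":
    # Constructed sample key and cookie name; real keys are generated in the Web Admin
    shared_key = b"constructed-validation-key-realm-a-and-b"
    cookies = issue_token(shared_key, "SecureAuthRedirect", "jdoe")
    print(read_token(shared_key, "SecureAuthRedirect", cookies))                   # jdoe
    print(read_token(b"different-key-in-realm-b", "SecureAuthRedirect", cookies))  # None
    print(read_token(shared_key, "OtherCookieName", cookies))                      # None
```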

 User Access Configuration (if session timeout will occur automatically after a set period of time)
User Access


1. Set the Session State Name or leave it as the default value

2. Set the number of idle minutes after which the session expires in the Idle Timeout Length field

3. Select the action to take after the session has expired from the Display Timeout Message dropdown

 Open ID Configuration (if using Open ID)
Open ID


1. Provide the Open ID Provider URL in the Static OP Server URL field

2. Select the type of identifying claim that will be used in Open ID from the Federated OpenID dropdown

 SAML 2.0 Service Provider Configuration (if SecureAuth IdP is accepting a SAML assertion)
SAML 2.0 Service Provider


1. Provide the Public key of the ACS / SAML Request Certificate to enable SecureAuth IdP to accept a SAML assertion

2. Provide the SP Start URL, which is typically a vanity URL of the Service Provider (SP), e.g. https://company.salesforce.com

 Form Post Configuration (if SecureAuth IdP is accepting a Form Post)
Form Post


Select what user information is being sent in the Form Post from the Validation Mode dropdown

 iPhone / iPad Handling Configuration (if users are to be redirected to a different realm when using an iPhone or iPad)
iPhone / iPad Handling


Select the SecureAuth IdP realm to which iPhone / iPad users will be redirected from the Validation Realm dropdown

 IP Blocking Configuration (if blocking IP addresses from specific countries)

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

IP Blocking


1. Select True from the Enable IP Blocking dropdown

2. Click Block IP Configuration to configure the restrictions

Block IPs by Country


3. Select any countries from which SecureAuth IdP will not accept IP addresses

Click Save once the configurations have been completed and before leaving the IP Blocking page to avoid losing changes

 FBA WebService Configuration (if using multi-data store web services and if required by SP)
FBA WebService


1. Select True from the Enable FBA WebService dropdown

2. Provide the FBA WebService UserName, which is the same as the Webservice Username in the Data tab

3. Provide the FBA WebService Password that corresponds to the username

The Certificate / Token Properties and the Browser / Mobile Device Digital Fingerprinting sections' configuration steps can be found in Product Configuration at the top of this page

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes