
Introduction

Use this guide to understand the SecureAuth IdP Web Admin, including how to navigate through it, view realms, and create realms.

Prerequisites
Home Page

 

Web Admin is the browser-based tool used to administer and configure the SecureAuth IdP appliance and all realms.

Access the Web Admin:

Once the SecureAuth IdP appliance has been successfully installed, administrators can log in to the server, open Internet Explorer, and click the provided bookmark, SecureAuth Admin, which directs them to this Home Page

Here, all realms can be viewed; clicking a realm title (e.g. Password Reset) takes administrators into that realm to make any modifications

On any page in the Web Admin, click the SecureAuth logo at the top left to be taken back to this Home Page

Search for specific realms in the top right Search Bar by realm name (e.g. SecureAuth5), realm title (User Creation), or realm description (undefined); or navigate through each of them by selecting specific Page Numbers below the search feature

From here, the Admin Realm, Specialized Realms, and Create Realms can be accessed

Admin Realm

 

Access the Admin Realm (SecureAuth0) from the Home Page in the top menu

This realm is for the SecureAuth IdP Web Admin, and SecureAuth recommends that it is configured first to ensure the safety of the Web Admin

Follow the Admin Realm Configuration Guide to secure the Web Admin, enable external access, and control access

It is recommended to configure the Admin Realm first to ensure secure remote access

Specialized Realms

Click Specialized Realms in the top menu, and then App Enrollment, to view and / or modify the pre-configured realm that enables users to enroll and provision devices / browsers for OATH OTPs and Mobile Login Requests (PUSH Notifications)

Refer to SecureAuth App Enrollment Configuration Guide for more information

Create Realms

 

Click Create Realms in the top menu, and Create New From Template to create and configure a new realm with the SecureAuth IdP Web Admin Wizard

 Create New Realm From Template Configuration Steps
Apps

 

1. Select an application from the provided list to establish the target resource of the new realm

For this example, Google Apps is selected

Step 1. General

 

2. Provide a Page Title/Header, e.g. Google Apps

This will appear in the Web Admin and on the end-user login pages

Step 2. Active Directory

3. Select Create New from the Data Source dropdown if the Active Directory integration to be used for Google Apps has not been configured in another realm; or select the SecureAuth IdP realm that has the required configurations from the Data Source dropdown

If a SecureAuth IdP realm is selected, the other fields will auto-populate with the appropriate values

4. Provide the Active Directory Domain

5. Provide the username of the SecureAuth IdP data store service account in the Service Account Login field

A service account with read access is required to extract information for authentication and assertion; write access is optional, and is needed only to alter or add information in the data store from SecureAuth IdP (e.g. password update, provisioned devices, knowledge-based questions)

6. Provide the password that is associated with the above username in the Service Account Password field

Step 3. SAML

7. Select At Service Provider if the end-user will initiate the login process at Google Apps; select At SecureAuth if the end-user will initiate the login process at the SecureAuth IdP realm

8. Provide the Service Provider Start URL, which would be a vanity URL, such as https://mail.google.com/a/company.com

9. Provide the RelayState if At SecureAuth was selected in step 7

This is the same as the SAML Target URL in the Web Admin realm configuration

10. Select how SecureAuth IdP will map to the directory user account from the SAML ID (NameID) Mapping dropdown

Step 4. Workflow

 

11. Select Enabled from the Two-factor Authentication dropdown to enable a 2-Factor Authentication workflow for this realm

12. Select the type of persistent token that will be accepted and / or generated in this realm from the Two Factor Persistence dropdown

13. Check the boxes to enable SecureAuth IdP Properties that map to directory Fields (configured in the Data tab) to be used for 2-Factor Authentication

For example, checking Phone 2 enables OTP delivery by Voice, SMS / Text, or both to the phone number mapped to Phone 2

14. Select Enabled from the Password Validation dropdown to require a password in addition to the username and second factor

15. Select On Separate/Last Page from the Password Location dropdown to enable a Standard Authentication Mode workflow (username + second factor + password)

Select On first page to have the username and password prompts on the first page, and then the 2-Factor Authentication process will follow

16. Click Next to review the configurations and from there, Submit the settings to create the realm

More configurations and settings may be required on top of the Wizard steps

 

Click Create Realms in the top menu, and Create New From Existing to create a new realm by copying the configurations of another realm

 Create New From Existing Configuration Steps
Create New From Existing

1. Select the SecureAuth IdP realm that contains the necessary configurations from the Select Realm to Copy dropdown

2. Click Add New Realm

3. A new realm will be created, and by clicking on the new realm on the Home Page, modifications can be made

Web Admin Tabs
Overview

 

The Overview tab is where basic information about the SecureAuth IdP realm is provided, as well as general SMTP email settings that will be used for any SecureAuth IdP email messages (2-Factor Authentication, Account Updates, etc.)

Here, administrators can also change the appearance of the end-user pages, the text shown on the end-user pages, and enabled languages

To configure the Overview tab, refer to Overview Tab Configuration

Data

 

The Data tab is for directory integration and user account mapping

SecureAuth IdP requires an on-premises data store with which it can integrate to extract information for authentication and assertion purposes, and to which it can write updated user information (e.g. passwords, phone numbers, knowledge-based questions, etc.)

In the Profile Fields section, mapping from SecureAuth IdP Properties to data store Fields is configured. This enables the exchange of user information without storing anything away from the directory

To configure the Data tab, refer to Data Tab Configuration

Workflow

 

The Workflow tab dictates how end-users will access the target resource

This includes the authentication mode (standard workflow, username / password only, persistent token only, etc.), adaptive authentication (risk analysis), token / cookie / fingerprint settings, and more

To configure the Workflow tab, refer to Workflow Tab Configuration

Registration Methods

 

The Registration Methods tab is to enable the many possible mechanisms available for 2-Factor Authentication

Here, administrators can permit the use of any registration methods per realm, and end-users can select their preferred mechanism during the login process

This tab also includes settings for Yubikey integration and Social IDs (Facebook, Google, LinkedIn, and Windows Live) for 2-Factor Authentication

To configure the Registration Methods tab, refer to Registration Methods Tab Configuration

Post Authentication

 

The Post Authentication tab is to designate the target resource of the realm

This page will alter depending on the selection made from the Authenticated User Redirect dropdown [e.g. SAML 2.0 (IdP Initiated) Assertion Page] to provide only the settings required for the target

Here, configurations can be made for out-of-the-box Identity Management (IdM) tools, like Self-service Password Reset, Account Update, User Creation, and Reporting; for applications that use SAML, WS-Federation, or OAuth 2.0; and for other post-authentication requests, like certificates or enrollment

To configure the Post Authentication tab, refer to Post Authentication Tab Configuration, which includes Integration Guides, IdM Tools Configuration Guides, Certificate Delivery, and more

Logs

 

The Logs tab is to enable and review Audit, Debug, Error, and Certificate Logs for the realm

Administrators can review all authentication events and can search error logs to fix any issues that end-users may be experiencing during the login process

To configure the Logs tab, refer to Logs Tab Configuration

System Info

 

The System Info tab is more for review than configuration; however, there are items that may require modifications (proxy, SCEP, etc.)

Here, administrators can find information about the appliance, such as licensing information, certificate settings, and web.config backup files

To configure the System Info tab, refer to System Info Tab Configuration

What's Next

SecureAuth IdP is now successfully deployed. Move on to the Admin Realm Configuration Guide to configure the Admin realm.
