Introduction

Use this guide to configure the Workflow tab in the Web Admin for each SecureAuth IdP realm.

This includes authentication modes, custom tokens, adaptive authentication (risk analysis), and certificate / token properties.

See Sample Workflow Configuration Guides for assistance.

Prerequisites

1. Create a New Realm for the target resource to which the configuration settings will apply, or open an existing realm for which configuration has already been started

2. Configure the Overview and the Data tabs in the Web Admin before configuring the Workflow tab

Workflow Configuration Steps

1. In the Product Configuration section, select the Integration Method from the dropdown

The selection made here will alter the options for Client Side Control and IE / PFX / Java Cert Type

  • Select Certificate Enrollment and Validation for web-based authentication (used most frequently, for the majority of application integrations)
  • Select Certificate Enrollment Only for X.509 VPN authentication
  • Select Mobile Enrollment and Validation for mobile browser authentication or enrollment (e.g. native mobile apps, OATH enrollment)
If Certificate Enrollment and Validation is selected

[Screenshot: Product Configuration]

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Java Applet to store the SecureAuth IdP X.509 certificate in the JRE-managed code file set
  • Select Browser Plug-ins to store the certificate in the native key store
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
If Java Applet is selected

[Screenshot: Product Configuration]

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

If Browser Plug-ins is selected

[Screenshot: Product Configuration]

3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

If Universal Browser Credential (UBC) is selected

[Screenshot: Product Configuration]

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device Digital Fingerprinting

3. Set the Weights of FP Components to emphasize the significance of specific device / browser characteristics

The HTTP Headers and the System Components weights together must equal 100%

4. In the Normal Browser Settings section, select Cookie from the FP Mode dropdown if a cookie will be delivered to the browser that will correspond with the Fingerprint

This will enhance the recognition of the Fingerprint during SecureAuth IdP authentication

5. Provide a Cookie name prefix, which can be anything

6. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

7. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

8. Set the Authentication Threshold to the percentage match above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

9. Set the Update Threshold to the percentage match above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

10. In the Mobile Settings section, select Cookie from the FP Mode dropdown

11. Provide a Cookie name prefix, which can be anything

12. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

13. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

14. Select True from the Skip IP Match dropdown if the IP Address on the device is not required to match the IP Address recorded in the Fingerprint

15. Set the Authentication Threshold to the percentage match above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

16. Set the Update Threshold to the percentage match above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

17. Set the FP expiration length to the total number of days for which the Fingerprint will be valid; set it to zero if there is no expiration

18. Set the FP expiration since last access to the number of days for which the Fingerprint will remain valid after the user's last access; set it to zero if there is no expiration

19. Select True from the Only 1 FP per browser dropdown if multiple Fingerprints for a browser are not allowed

20. Set the Total FP max count to limit the number of Fingerprints that can be stored in a user's profile

Set this to -1 if there is no limit

21. Select Allow to Replace from the When exceeding max count dropdown if a Fingerprint can be replaced by a new one once the limit has been reached

Selecting Not Allow to Replace would require administrative action to remove the Fingerprint(s)

22. Select Created Time from the Replace in order by dropdown to replace the oldest created Fingerprint with a new one

Select Last Access Time to replace the least recently used Fingerprint with a new one

23. Set the FP's access record max count to the number of Fingerprint access histories that will be stored in the directory

If Certificate Enrollment Only is selected

[Screenshot: Product Configuration]

2. The Client Side Control will be set to Browser Plug-ins / Keygen (no other option)

3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

If Mobile Enrollment and Validation is selected

[Screenshot: Product Configuration]

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Browser Credential to store a cookie in the browser
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
If Browser Credential is selected

[Screenshot: Product Configuration]

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

If Universal Browser Credential (UBC) is selected

[Screenshot: Product Configuration]

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device Digital Fingerprinting

3. Set the Weights of FP Components to emphasize the significance of specific device / browser characteristics

The HTTP Headers and the System Components weights together must equal 100%

4. In the Normal Browser Settings section, select Cookie from the FP Mode dropdown if a cookie will be delivered to the browser that will correspond with the Fingerprint

This will enhance the recognition of the Fingerprint during SecureAuth IdP authentication

5. Provide a Cookie name prefix, which can be anything

6. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

7. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

8. Set the Authentication Threshold to the percentage match above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

9. Set the Update Threshold to the percentage match above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

10. In the Mobile Settings section, select Cookie from the FP Mode dropdown

11. Provide a Cookie name prefix, which can be anything

12. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

13. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

14. Select True from the Skip IP Match dropdown if the IP Address on the device is not required to match the IP Address recorded in the Fingerprint

15. Set the Authentication Threshold to the percentage match above which the Fingerprint can serve as the second factor during authentication

This is typically between 90% and 100%

16. Set the Update Threshold to the percentage match above which the stored Fingerprint is updated with the changes rather than a new one being created

This is typically between 80% and 90%, and must be below the Authentication Threshold

17. Set the FP expiration length to the total number of days for which the Fingerprint will be valid; set it to zero if there is no expiration

18. Set the FP expiration since last access to the number of days for which the Fingerprint will remain valid after the user's last access; set it to zero if there is no expiration

19. Select True from the Only 1 FP per browser dropdown if multiple Fingerprints for a browser are not allowed

20. Set the Total FP max count to limit the number of Fingerprints that can be stored in a user's profile

Set this to -1 if there is no limit

21. Select Allow to Replace from the When exceeding max count dropdown if a Fingerprint can be replaced by a new one once the limit has been reached

Selecting Not Allow to Replace would require administrative action to remove the Fingerprint(s)

22. Select Created Time from the Replace in order by dropdown to replace the oldest created Fingerprint with a new one

Select Last Access Time to replace the least recently used Fingerprint with a new one

23. Set the FP's access record max count to the number of Fingerprint access histories that will be stored in the directory

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
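
The Browser / Mobile Device Digital Fingerprinting steps above (the same settings appear under both the Certificate Enrollment and Validation branch and the Mobile Enrollment and Validation branch) describe a decision policy: component weights that must total 100%, an Authentication Threshold above which the Fingerprint alone serves as the second factor, a lower Update Threshold below which a new Fingerprint is created instead, two expiration lengths, an IP match, and a per-user cap with a replacement order. The following Python model is an added example, not SecureAuth IdP's code: the scoring rule (the weighted share of stored components that still match), the data layout, the function names and all sample values are assumptions chosen to show how these settings interact.

```python
# Model of the Browser / Mobile Device Digital Fingerprinting settings above.
# Constructed example, not SecureAuth IdP code: the scoring rule (share of stored components
# still matching, weighted by the HTTP Headers / System Components percentages) and the data
# layout are assumptions used to show how the documented settings interact.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FingerprintSettings:
    http_headers_weight: int                   # Weights of FP Components, in percent
    system_components_weight: int              # the two weights must total 100
    authentication_threshold: float            # FP alone may be the 2nd factor at or above this
    update_threshold: float                    # must be below authentication_threshold
    fp_expiration_days: int                    # FP expiration length; 0 = no expiration
    fp_expiration_since_last_access_days: int  # FP expiration since last access; 0 = none
    total_fp_max_count: int                    # Total FP max count; -1 = no limit
    allow_replace: bool                        # Allow to Replace vs Not Allow to Replace
    replace_in_order_by: str                   # "created_time" or "last_access_time"
    skip_ip_match: bool = False                # Skip IP Match (Mobile Settings)

    def validate(self) -> None:
        """Reject combinations the Workflow steps above say are not allowed."""
        if self.http_headers_weight + self.system_components_weight != 100:
            raise ValueError("HTTP Headers and System Components weights must equal 100%")
        if self.update_threshold >= self.authentication_threshold:
            raise ValueError("Update Threshold must be below the Authentication Threshold")
        if self.replace_in_order_by not in ("created_time", "last_access_time"):
            raise ValueError("Replace in order by must be created_time or last_access_time")

@dataclass
class Fingerprint:
    http_headers: dict
    system_components: dict
    ip: str
    created: datetime
    last_access: datetime

def _match_fraction(stored: dict, observed: dict) -> float:
    """Assumed scoring: share of stored components whose observed value is unchanged."""
    if not stored:
        return 0.0
    return sum(1 for k, v in stored.items() if observed.get(k) == v) / len(stored)

def score(settings: FingerprintSettings, stored: Fingerprint, observed: Fingerprint) -> float:
    """Weighted similarity of an observed fingerprint to a stored one, in percent."""
    return (settings.http_headers_weight * _match_fraction(stored.http_headers, observed.http_headers)
            + settings.system_components_weight
            * _match_fraction(stored.system_components, observed.system_components))

def is_expired(settings: FingerprintSettings, fp: Fingerprint, now: datetime) -> bool:
    """Apply FP expiration length and FP expiration since last access (0 disables each)."""
    total, idle = settings.fp_expiration_days, settings.fp_expiration_since_last_access_days
    return bool((total and now - fp.created > timedelta(days=total))
                or (idle and now - fp.last_access > timedelta(days=idle)))

def evaluate(settings: FingerprintSettings, profile: list, observed: Fingerprint, now: datetime):
    """("authenticate", i): stored FP i reaches the Authentication Threshold and is the 2nd factor.
    ("update", i): FP i reaches the Update Threshold and is refreshed.  ("new", None): otherwise."""
    best, best_score = None, -1.0
    for i, stored in enumerate(profile):
        if is_expired(settings, stored, now):
            continue                                   # expired FPs never match
        if not settings.skip_ip_match and stored.ip != observed.ip:
            continue                                   # IP must match unless Skip IP Match is True
        s = score(settings, stored, observed)
        if s > best_score:
            best, best_score = i, s
    if best is not None and best_score >= settings.authentication_threshold:
        return "authenticate", best
    if best is not None and best_score >= settings.update_threshold:
        return "update", best
    return "new", None

def store(settings: FingerprintSettings, profile: list, new_fp: Fingerprint) -> list:
    """Add a fingerprint, honouring Total FP max count and the When exceeding max count rule."""
    profile = list(profile)
    if settings.total_fp_max_count != -1 and len(profile) >= settings.total_fp_max_count:
        if not settings.allow_replace:
            raise ValueError("FP limit reached; an administrator must remove a Fingerprint")
        by_created = settings.replace_in_order_by == "created_time"
        victim = min(profile, key=lambda fp: fp.created if by_created else fp.last_access)
        profile.remove(victim)                         # oldest created, or least recently used
    profile.append(new_fp)
    return profile

# Constructed sample data (not captured from a real deployment).
NOW = datetime(2024, 1, 15, 9, 0)
SETTINGS = FingerprintSettings(40, 60, 95, 85, 365, 30, 2, True, "created_time")
_HEADERS = {"User-Agent": "Mozilla/5.0 (example)", "Accept-Language": "en-US"}
_SYSTEM = {"platform": "Win32", "screen": "1920x1080", "color_depth": "24",
           "timezone_offset": "-300", "touch": "false"}

def sample_fingerprint(days_ago: int, ip: str = "203.0.113.10", **changes) -> Fingerprint:
    """Baseline fingerprint seen `days_ago` days ago, with system components overridden by `changes`."""
    when = NOW - timedelta(days=days_ago)
    return Fingerprint(dict(_HEADERS), {**_SYSTEM, **changes}, ip, when, when)
```

With the sample settings (40/60 weights, 95% Authentication Threshold, 85% Update Threshold), evaluate() returns "authenticate" for an unchanged browser, "update" when one of the five system components has changed (a score of 88%, above the Update Threshold but below the Authentication Threshold, so the stored Fingerprint is refreshed and another second factor is still required), and "new" when two components have changed, when the stored Fingerprint was last used outside the FP expiration since last access window, or when the IP differs while Skip IP Match is False. store() shows the Total FP max count handling: at the cap with Allow to Replace and Created Time, the oldest created Fingerprint is dropped, and with Not Allow to Replace the profile is left for an administrator to clean up. validate() enforces the two constraints the steps state, weights totalling 100% and the Update Threshold sitting below the Authentication Threshold.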

Multiple Workflow Configuration

4. Click View and Configure Multiple Workflow only if this realm will enable multiple data store integrations that lead to distinct workflows (optional)

To configure Multiple Workflow

[Screenshot: Multiple Workflow Configuration]

Refer to Multi-Workflow Begin Site Configuration Guide for the configuration steps of this feature

Click Save once the configurations have been completed and before leaving the Multiple Workflow page to avoid losing changes

Workflow

5. Select Private and Public Mode from the Public/Private Mode dropdown to enable both modes during the login process

If the end-user selects Private Mode on the login page, SecureAuth IdP will check for an existing certificate / token / Fingerprint, or else deliver a certificate / token to the browser, or collect the device information needed to create a Fingerprint, for use in subsequent access attempts

6. Select which mode is preselected on the end-user login page (when Private and Public Mode is enabled) from the Default Public / Private dropdown

7. Select True from the Remember User Selection dropdown if the user's last Private / Public Mode selection is to become the default for subsequent access attempts

8. Select the Authentication Mode, which is the workflow through which users will go to obtain access

 Standard (User / 2nd Factor / Password)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Second Factor Only

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 User/Password on 1st Page (+2nd factor)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Registration Code

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Reg Code + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

 User/Password Only (On separate pages)

No special configuration is required for this option

 User/Password on 1st page (no 2nd factor)

No special configuration is required for this option

 UserName Only

No special configuration is required for this option

 Validate Persistent Token Only

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

9. Select Enabled from the Inline Password Change dropdown to redirect users back into the workflow after their passwords have been changed

10. Select True from the Encrypt Password (Java only) dropdown to encrypt the end-user's password (provided during login) before it is sent to the SecureAuth IdP server for validation

Applicable only when Java Applet is selected from the Client Side Control dropdown

11. Set the Java Timeout

12. Select True from the Validate Persistent Token dropdown if SecureAuth IdP is to check the validity of the persistent token during the authentication process

13. Select True from the Renew Persistent Token (After Validation) dropdown if the persistent token is to be renewed after SecureAuth IdP checks its validity (step 12)

14. Select True from the User Impersonation dropdown if this realm will run under a user's account rather than the service account

15. Select False from the Windows Authentication dropdown

Select True if this realm will utilize Windows Desktop SSO

16. Select the action that will occur if the Java Applet fails to launch from the Allow Fall Back dropdown

17. Select False from the Allow Transparent SSO dropdown

Select True if this realm will utilize SecureAuth IdP SSO, and will enable SP-initiated or Secure Portal SSO

No configuration is necessary for the other fields, unless required for the customer's environment

The following sections require no configuration unless this realm has specific needs for them (noted in section titles)

Custom Front End Configuration (if using a Begin Site or if SP requires it)

[Screenshot: Custom Front End]

Refer to the specific Begin Site Configuration Guide or the specific Integration Guide to view the distinct configuration steps

Adaptive Authentication Configuration (to include analysis in the workflow)

[Screenshot: Adaptive Authentication]

Refer to Adaptive Authentication Configuration Guide (version 8.2) for more information on these features

User Access Configuration (if session timeout will occur automatically after a set period of time)

[Screenshot: User Access]

1. Set the Session State Name or leave it as the default value

2. Set the number of minutes after which the session will be expired in the Idle Timeout Length field

3. Select the action to take after the session has been expired from the Display Timeout Message dropdown

Open ID Configuration (if using Open ID)

[Screenshot: Open ID]

1. Provide the Open ID Provider URL in the Static OP Server URL field

2. Select the type of identifying claim that will be used in Open ID from the Federated OpenID dropdown

SAML Consumer Configuration (if SecureAuth IdP is accepting a SAML assertion from one or multiple Identity Providers)

[Screenshot: SAML Consumer]

Form Post Configuration (if SecureAuth IdP is accepting a Form Post)

[Screenshot: Form Post]

Select what user information is being sent in the Form Post from the Validation Mode dropdown

OATH Handler Configuration (if making RADIUS web service call to validate OTP and other information)

[Screenshot: OATH Handler]

Select what information is to be validated by SecureAuth IdP via the RADIUS web service call from the OTP Format dropdown

Note: The OATH Handler feature applies to SecureAuth RADIUS v1.0.x only – it does not apply to SecureAuth RADIUS v2.0.x

iPhone / iPad Handling Configuration (if users are to be redirected to a different realm when using an iPhone or iPad)

[Screenshot: iPhone / iPad Handling]

Select the SecureAuth IdP realm to which iPhone / iPad users will be redirected from the Validation Realm dropdown

 IP Blocking Configuration (if blocking IP addresses from specific countries)

IP Blocking

1. Select True from the Enable IP Blocking dropdown

2. Click Block IP Configuration to configure the restrictions

Block IPs by Country

3. Select any countries from which SecureAuth IdP will not accept IP addresses

Click Save once the configurations have been completed and before leaving the IP Blocking page to avoid losing changes

FBA WebService Configuration (if using multi-data store web services and if required by SP)

[Screenshot: FBA WebService]

1. Select True from the Enable FBA WebService dropdown

2. Provide the FBA WebService UserName, which would be the same as the Webservice Username in the Data tab

3. Provide the FBA WebService Password that corresponds to the username

Certificate / Token Properties

18. Select Password Expiration Date from the Certificate Expiration dropdown if the certificate is to expire when the password expires

Select Private Mode Cert Length if the certificate is to expire after a designated number of days

19. Select Cert Expiration Date from the Certificate Valid Until if the certificate is to remain valid up until the expiration

Select Private Mode Cert Length if the certificate is to remain valid during a designated number of days

20. Set the number of days during which a certificate will not expire and will remain valid in the Private Mode Cert Length field if Private Mode Cert Length was selected in step 4 or 5

21. Set the number of hours during which the Public Mode Certificate is valid in the Public Mode Cert Length field

This is only for realms in which Certificate Enrollment is selected from the Integration Mode dropdown in the Product Configuration section

22. Set the number of hours during which the cookie delivered to a mobile device is valid in the Mobile Credential Length field (browser credential)

23. Provide the maximum number of certificates that a user can have at a time in the Global Cert Limit field

24. Provide the maximum number of mobile cookies that a user can have at a time in the Global Mobile Limit field

25. Select Fall Back to 2nd Factor or Display Error Message from the Check CRL dropdown for SecureAuth IdP to check the Certificate Revocation List

Select Disabled to opt out of checking the CRL as it is not necessary with SecureAuth IdP

26. Click Configure Email Notification to enable and set up Expired Certificate Warning emails (optional)

To configure Email Notifications

[Screenshot: Expired Certificate Warning]

1. Select Enabled from the Email Notification dropdown to enable the warning notifications

2. Select True from the Multiple Certs per User dropdown to notify users of all certificate expirations, rather than just one

3. Select the Email Property that corresponds to the data store field that contains the user's email address to which the notifications will be sent from the Email Field dropdown

4. Set the number of days before the expiration on which the notifications will begin in the Warning Period field

5. Select Daily from the Notification Interval dropdown if an email notification will be sent once a day

6. Set the Notification Start Time at which the email will be sent

Click Save once the configurations have been completed and before leaving the Email Notification page to avoid losing changes

The Browser / Mobile Device Digital Fingerprinting section's configuration steps can be found in Product Configuration at the top of this page

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes