SecureAuth IdP 9.x Web Admin Glossary


  • Glossary Key

    • Term

      Definition of term.

      • Dropdown / Associated Item: Definition of Item.
  • 32-bit Linux FF2

    The 32-bit Linux Firefox 2 version number.

  • 32-bit Linux FF3

    The 32-bit Linux Firefox 3 version number.

  • 32-bit Suse FF2

    The 32-bit Suse Firefox 2 version number.

  • 64-bit Linux FF2

    The 64-bit Linux Firefox 2 version number.

  • 64-bit Linux FF3

    The 64-bit Linux Firefox 3 version number.

  • 64-bit Suse FF3

    The 64-bit Suse Firefox 3 version number.

  • Access Token Lifetime

    The number of hours during which an access token is valid.

    SecureAuth IdP generates an authorization code that is given to the client application. The application then requests an Access Token that is subsequently generated by SecureAuth IdP and given to the application. The authorization code is then discarded when the Access Token is received.

  • ACS / SAML Request Certificate

    The Public Key of the Assertion Consumer Service (ACS) / SAML Request Certificate in Base64 format to enable SecureAuth IdP to accept a SAML assertion.

    NOTE: The default page in the IIS Management Console must also be changed to SAML20idpinitACS.aspx for SecureAuth IdP to consume the SAML assertion.

  • Action

    What happens automatically when the user does not pass the User Risk analysis.

    • Disable / Continue Adaptive Authentication: No action (analysis disabled).
    • Hard Stop / Refuse authentication request: Immediately stop the user from continuing further in the login process.
    • Redirect / Redirect to realm or URL: Redirect the user to a different site, provided in the Redirect URL field.
    • Step Up Auth / Require two-factor authentication: Require additional authentication from the user, on top of what is configured in the realm.
    • Step Down Auth / Skip two-factor authentication: Do not require authentication from the user, if configured in the realm.
    • Resume Auth / Resume authentication workflow: Continue the user through the configured workflow.
    • Post Auth / Skip to post authentication: Send user straight to the post-authentication target, bypassing any additional workflow requirements.
  • Add Client

    Click to add client applications for which SecureAuth IdP will be the authorization server.

  • Add Custom Claim

    Click to add a custom claim if the claim required by the client application is not listed in the Claims section.

  • Add Extended Attribute

    Click to add an additional extended attribute that contains user information sent over in the post-authentication assertion.

  • Add Identity Provider

    Click to add an Identity Provider (IdP) integration to SecureAuth IdP for the appliance to consume a SAML assertion.

  • Add Realm

    Click to populate the Domain List and the Multi-Workflow Realms fields.

  • Add Realm from Another Server

    Click to add a realm's data store integration from a different SecureAuth IdP appliance.

    The administrator can then organize the realms in order of directories to be checked for user information.

  • Add Realm from Local Server

    Click to add a realm's data store integration from the current SecureAuth IdP appliance.

    The administrator can then organize the realms in order of directories to be checked for user information.

  • Add Redirect URI

    Click to add a white-listed page to which the client application can be redirected to capture the SecureAuth IdP responses.

  • Add Restricted Scope

    Click to implicitly restrict a client application from requesting a specific scope from users.

  • Add Scope

    Click to add a scope, which is what the client application requires to access in the user profile. A user will need to consent to the client accessing their user profile data before proceeding.

  • Address

    The domain of the service account's location (e.g. directory) to be scanned by AIM to access the password information.

  • Admin Email

    The email address of the Google Apps administrator account.

  • Administrator-initiated Password Reset

    Check to enable the help desk's ability to reset users' passwords using SecureAuth's IdM API.

  • Advanced AD User Check

    Checks whether the current account is locked or enabled, and verifies whether the current password needs to be changed. If any of these checks fail, the user cannot log in.

    • True: Enable AD User Check.
    • False: Do not enable AD User Check.
  • Allow Fall Back

    Applicable when SecureAuth IdP fails to launch the Java Applet. From here, elect whether the user falls back to Public Mode, Universal Browser Credential Mode, Cookie Mode, or the user is denied access.

    • True - Public Mode: The user goes through an out-of-band one-time password.
    • True - UBC: The Universal Browser Credential (UBC) is used instead.
    • True - Cookie: A cookie is used instead.
    • False: The user is denied access and is asked to contact Help Desk.
  • Allow Password Change

    Enable password change / reset in this realm.

    • True: Allow users to change their passwords.
    • False: Do not allow users to change their passwords.
  • Allow Transparent SSO

    Enable transparent SSO, which is “behind the scenes” single sign-on between applications. Users log in once via 2-Factor Authentication, and no credentials are required when they open a new application.

    • True: Enable transparent SSO.
    • False: Do not enable transparent SSO.
  • Allowed Groups (Membership Connection Settings - SQL / ODBC / ASP.NET / Oracle)

    A list of the groups that are only allowed access to this realm (leave empty if no restrictions).

  • Allowed Groups (Post Authentication - Mobile App Store)

    List of groups granted permission to view and download this application from the Mobile App Store, comma-delimited.

  • Allowed to Contain the User's Account Name

    Whether the user's password can include the account name.

    • True: Allow password to contain user's account name.
    • False: Do not allow password to contain user's account name.
  • Allowed User Groups (Profile Connection Settings - Directory Server)

    List of the groups allowed to access the realm.

    • Include Nested Groups: Enable SecureAuth IdP to look within main groups to find subgroups (nested groups) for easier configuration.

      For example, main group A includes nested groups 1, 2, and 3. Rather than enabling or disabling access to groups 1, 2, and 3 separately, the administrator can allow or deny the three groups by checking the box and enabling or disabling access to group A.

  • Allowed User Groups (Profile Connection Settings - Web Service)

    A list of the groups that are only allowed access to this realm (leave empty if no restrictions).

  • Android Certificate Types

    Select the types of certificates that are installed on the Android device. Applications may require specific types of certificates and will request what is necessary.

  • Anonymous LookUp

    Enable the administrator to search the directory for users without supplying the username and/or password.

    • True: Enable Anonymous LookUp.
    • False: Do not enable Anonymous LookUp.
  • Append Domain Name

    Include a domain at the end of the username if one is not already provided.

    • True: Select if the user profile does not have a domain and a domain will be supplied.
    • False: Select if the user profile already contains the full user domain value in the data store.
  • Append HTTPS to SAML Target URL

    Whether HTTPS is added to the SAML target URL or not, if it is not already included in the address.

    • True: Add "HTTPS" to SAML target URL.
    • False: Do not add “HTTPS” to SAML target URL.
  • Appliance GUID

    The appliance's Globally Unique Identifier (GUID) assigned by SecureAuth.

  • Appliance Host Name

    The Fully Qualified Domain Name (FQDN) of the Operating System (OS) for the SecureAuth IdP appliance instance.

  • Application ID

    A unique ID that is required for a custom application to make calls to SecureAuth's Authentication API.

  • Application Key

    A unique key value that is required for a custom application to make calls to SecureAuth's Authentication API.

  • Application Logo

    Upload images for applications that will be on your Secure Portal webpage.

  • Application Name (Data - SQL / ODBC / ASP.NET)

    The name of the data store “section” in which users can be found. By default, this is "/".

  • Application Name (Reg Methods)

    The application name (target resource of the realm, e.g. Salesforce) that appears on the Push-to-Accept login request (optional value).

  • Application Name (Post Authentication - Mobile App Store)

    The application name as it will appear in the Mobile App Store.

  • Application Rule

    Create a list of allowed applications or denied applications.

    • Allow: Only the applications listed in the Applications field are allowed.
    • Deny: The applications listed in the Applications field are denied.
  • Applications

    List of the allowed or denied applications that is based on the Application Rule selected.

  • Assertion Signing Certificate

    Click the certificate link to download the public key certificate. This matches the company's private key certificate for appropriate assertion, and is sent to the SP to enable the integration.

  • Attribute Value

    Select an Added Property created in the Data tab to utilize in this Extended Attribute.

  • Audit Logs

    Check the box to enable the selected audit log. Each audit log records all authentication events for each realm user and can be reviewed to check for any inconsistencies.

  • Authenticated User Redirect

    The target action of the realm, i.e. where users are sent after they are authenticated.

    The selection made here dictates the configurable sections on the Post Authentication tab. Select Use Custom Redirect to view all sections.

  • Authentication Method (Data)

    The method used to authenticate the user.

    • Basic: The username and password are encoded in Base64 and sent in the header.
    • Cookie: SecureAuth IdP retrieves an authentication cookie from the Authentication Relative URL, and uses it in subsequent requests.
    • OAuth 2.0: The Bearer token is sent in the header.
  • Authentication Method (1.1) (Post Authentication)

    The method used to authenticate the subject.

    • urn:oasis:names:tc:SAML:1.0:am:HardwareToken: A hardware token was used to authenticate the user.
    • urn:ietf:rfc:1510: Kerberos was used to authenticate the user.
    • urn:oasis:names:tc:SAML:1.0:am:password: A password was used to authenticate the user.
    • urn:oasis:names:tc:SAML:1.0:am:PGP: PGP encryption was used to authenticate the user.
    • urn:ietf:rfc:2945: A Secure Remote Password (SRP) was used to authenticate the user.
    • urn:oasis:names:tc:SAML:1.0:am:SPKI: A Simple Public Key Infrastructure (SPKI) was used to authenticate the user.
    • urn:ietf:rfc:2246: An SSL / TLS Certificate-based Client was used to authenticate the user.
    • urn:oasis:names:tc:SAML:1.0:am:unspecified: The authentication mode is unspecified.
    • urn:oasis:names:tc:SAML:1.0:am:X509-PKI: An X.509 Public Key Infrastructure (PKI) was used to authenticate the user.
    • urn:oasis:names:tc:SAML:1.0:am:XKMS: An XML Key Management Specification (XKMS) Public Key was used to authenticate the user.
    • urn:ietf:rfc:3075: An XML Digital Signature was used to authenticate the user.
  • Authentication Mode

    Dictate the authentication workflow. Each mode varies in security strength and user-friction.

    • Standard (User / 2nd Factor / Password): The typical (standard) mode utilized. The user enters username; next, completes a second factor of authentication; and then supplies the password. This order effectively mitigates attacks as the username, second factor, and password all need to be known in that order to achieve access.
    • User / Password on 1st Page (+2nd Factor): The user enters username and password on the same page, and then completes a second factor of authentication.
    • Valid Persistent Token + Registration Code: The user presents a token that was generated on a different realm, and then completes a second factor of authentication.
    • Valid Persistent Token + Reg Code + Password: The user presents a token that was generated on a different realm; next, completes a second factor of authentication; and then supplies the password.
    • Valid Persistent Token + Password: The user presents a token that was generated on a different realm, and then supplies the password.
    • User / Password on 1st Page (no 2nd Factor): The user enters username and the password on the same page.
    • UserName Only: The user enters username only.
    • Validate Persistent Token Only: The user presents a token that was generated on a different realm.
  • Authentication Relative URL

    The endpoint used to retrieve the authentication cookie that is appended (relative) to the Base URL.

    This is only applicable if Cookie is selected from the Authentication Method field.

  • Authentication Threshold

    The percentage above which the user's fingerprint (FP) ID must score for a successful 2-Factor Authentication. If the user's FP ID is lower than the threshold value, another form of 2-Factor Authentication is required, such as SMS OTP, Telephony OTP, PUSH Notification, or OATH Token.

    This is typically set between 90% and 100%, and must be higher than the Update Threshold.

  • AuthnContext Class

    Additional authentication proof that may be requested by the SP.

    The SP asks for certain Authentication Context Classes, which are categories that carry Authentication Context declarations (requested additional authentication information) and simplify the interpretation between SecureAuth IdP and the SP.

    • AuthenticatedTelephony: User is authenticated via the phone number, a user suffix, and a password element.
    • InternetProtocol: User is authenticated through the use of a provided IP address.
    • InternetProtocolPassword: User is authenticated through the use of a provided IP address and a username / password.
    • Kerberos: User is authenticated using a password to a local authentication authority to obtain a Kerberos ticket, which is then used for subsequent network authentication.
    • MobileOneFactorContract: User is authenticated through the device without requiring a PIN or other 2-Factor Authentication method, for mobile customers with contracts.
    • MobileOneFactorUnregistered: The device is authenticated, but not the user, for mobile customers without contracts.
    • MobileTwoFactorContract: Device is authenticated based on the contracted customer's registration procedures as well as a second factor method.
    • NomadTelephony: A "roaming" user is authenticated via the phone number, a user suffix, and a password element.
    • Password: User is authenticated with a password over an unprotected HTTP session.
    • PasswordProtectedTransport: User is authenticated with a password over a protected HTTP session.
    • PersonalTelephony: User is authenticated through a fixed-line telephone number and a user suffix.
    • PreviousSession: User is authenticated at some point in the past using any authentication mechanism.
    • SecureRemotePassword: User is authenticated via a Secure Remote Password, which is an augmented password-authenticated key agreement.
    • SmartcardPKI: User is authenticated via a smartcard with enclosed private key and a PIN.
    • SoftwarePKI: User is authenticated with an X.509 certificate stored in software.
    • SPKI: User is authenticated via a digital signature validated by a Simple Public Key Infrastructure (SPKI).
    • Telephony: User is authenticated via a telephony protocol.
    • TimeSyncToken: User is authenticated through a time synchronization token, which generates a unique value that changes at regular intervals.
    • TLSClient: User is authenticated via a client certificate that is secured with the Transport Layer Security (TLS) transport.
    • Unspecified: User is authenticated by unspecified means.
    • X509: User is authenticated via a digital signature validated by an X.509 Public Key Infrastructure (PKI).
    • XMLDSig: User is authenticated via a digital signature according to the rules of the XML Digital Signature specification.
  • Authorization Code

    SecureAuth IdP, as the authorization server, creates an authorization code after the user authenticates that is presented to the client application. The client application then requests an access token, which is then generated by SecureAuth IdP to grant the user access.

    • True: Allow the Authorization Code workflow.
    • False: Do not allow the Authorization Code workflow.
  • Authorization Code Lifetime

    The number of minutes during which an Authorization Code is valid. The client uses the Authorization Code to request an Access Token.

    If the Authorization Code expires, then the workflow restarts to generate a new one.

  • Auto Accept User Consent

    Whether users are prompted to grant consent to a client for a given request, or if acceptance is assumed granted and tokens are issued.

    • True: Acceptance is assumed granted and tokens are issued.
    • False: Prompt users to grant consent.
  • Auto Authorize

    Whether the client application must request consent to access data or if it can bypass the step and automatically pull information for access.

    The remaining fields in the OpenID Server section are the information that the application can pull with or without consent, based on the selection made.

    • True: Do not require user consent.
    • False: Require user consent.
  • Auto-Submit When One Avail

    Enable SecureAuth IdP to auto-submit a 2-Factor option response when a user has only one option available.

    • Enabled: Auto-submit response.
    • Disabled: Do not auto-submit response and require user to select the option and submit the response.
  • Aux ID 1 - Aux ID 10 (Post Authentication - Create User)

    The SecureAuth IdP Auxiliary Properties that are mapped to directory fields containing user information.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and it must be edited.
  • Aux ID 1 - Aux ID 10 (Post Authentication - Help Desk)

    The SecureAuth IdP Auxiliary Properties that are mapped to directory fields containing user information.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • Aux ID 1 - Aux ID 10 (Post Authentication - Self-service Account Update)

    The SecureAuth IdP Auxiliary Properties that are mapped to directory fields containing user information.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • Auxiliary Attributes

    Send the Aux ID 1 - Aux ID 10 attributes in the token (and query string) to the application.

    • True: Send the specified auxiliary attribute to the application.
    • False: Do not send the specified auxiliary attribute to the application.
  • Base URL

    The root URL of the User Risk integration instance (e.g. Sailpoint or Exabeam).

  • Bearer

    The Bearer token value, which is like a shared secret, that is used for authentication.

    This is only applicable if OAuth 2.0 is selected from the Authentication Method field.

  • Begin Site

    If True is selected from the Require Begin Site field, then select the type of Begin Site that is required for this realm.

    • Basic Authentication: SecureAuth IdP consumes a basic authentication from an application and extracts the user ID and password from the Base64 string in the Authorization header. The user is not required to enter the username or password on the subsequent SecureAuth IdP login pages.
    • Certificate Finder V1: SecureAuth IdP searches for a Java certificate and extracts the user ID from it. The user is not required to enter the username on the subsequent SecureAuth IdP login pages.
    • Certificate Finder V2: Same as Certificate Finder V1, but includes a master page that resembles the login page theme to alert users that SecureAuth IdP is checking for a certificate.
    • Cisco ISE (pxGrid): SecureAuth IdP consumes user credentials from Cisco ISE login and uses the information to further validate the user.
    • Client Side SSL: Forces the browser to request a certificate before the user provides any information to enable access.
    • Fingerprint Finder: SecureAuth IdP searches for a Fingerprint cookie and extracts the user ID from it. The user is not required to enter the username on subsequent SecureAuth IdP login pages.
    • Form Post: SecureAuth IdP receives a form post from an application and extracts the user ID, password, and shared secret. The user is not required to enter the username or password on subsequent SecureAuth IdP login pages.
    • Multi-workflow: SecureAuth IdP utilizes the directory integration(s) and workflow configuration from multiple realms to redirect users to the appropriate post-authentication target, based on the data store in which they are located.
    • Native Certificate Finder: SecureAuth IdP accesses the browser's certificate store (IE only) to extract the native certificate, which is then used as the user's ID. The user is not required to enter the username on subsequent SecureAuth IdP login pages.
    • Check JRE: For Cisco ASA integrations, SecureAuth IdP checks to see if user has Java installed as required for the integration.
    • Windows SSO: Enable the use of Windows Desktop Single Sign-on (SSO) to immediately and securely access resources via Kerberos-based authentication.
    • Windows SSO (skip workflow): Same as Windows SSO, but skips any configured workflow, e.g. 2-Factor Authentication.
    • Custom: Any begin site not listed in the dropdown. A custom URL is required in the Begin Site URL field.
  • Begin Site URL

    The URL on which users land before the SecureAuth IdP login pages. This is auto-populated when a pre-configured Begin Site is selected from the Begin Site field, or can be a customized URL when Custom is selected.

  • Birthday Attribute

    To enable the client application to access the user's birthday, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Cache Lockout Duration

    The number of minutes during which SecureAuth IdP disables the use of Time-based Passcodes tokens for a locked account.

  • Cert Count Field

    The number of certificates stored in a user's profile.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • Cert Rev Button

    The button to revoke the certificates stored in a user's profile.

    • Hide: This button will not show on the page.
    • Show: The button is shown and can be used.
  • Cert Rev Field

    Revoke the certificates stored in a user's profile.

    • Select Certificate: Select a certificate from the server's certificate store.
  • Cert Serial Nbr

    The licensing certificate of the appliance.

  • Certificate Expiration

    On which basis the certificate expires.

    • Password Expiration Date: The certificate expires when the user's password expires.
    • Private Mode Cert Length: The certificate expires based on the length of time entered in the Private Mode Cert Length field.
  • Certificate Key Identifier

    The hashing algorithm used for certificate signing requests.

    • Capi Sha1: Use Capi SHA1 for certificate signing requests.
    • Sha1: Use SHA1 for certificate signing requests.
  • Certificate URL

    The certificate URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • Certificate Use WSE 3.0

    Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to issue a certificate. Set to False if using a Proxy.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • Certificate Valid Until

    For how long the certificate is valid.

    • Cert Expiration Date: The certificate is valid until the certificate's expiration date.
    • Private Mode Cert Length: The certificate expires based on the length of time entered in the Private Mode Cert Length field.
  • Challenge Question (Post Authentication - Create User / Help Desk)

    The challenge question used for the Help Desk 2-Factor Authentication method.

    When users employ the Help Desk mechanism, the admin asks a knowledge-based question to the user to validate the identity before providing a one-time password (OTP).

    • Hide: The field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
  • Change Password SP

    The Change Password Stored Procedure (SP) name in the database.

  • Charts

    Click to review log reports in the form of charts from this realm.

  • Check CRL

    The action taken if Certificate Revocation List checking is enabled.

    • Disabled: Do not check the CRL.
    • Fall Back to 2nd Factor: Check the CRL. If the certificate is invalid, then the system automatically performs 2-Factor Authentication to validate the certificate.
    • Display Error Message: Check the CRL and bring the user to a hard stop if certificate is invalid.
  • Choose File

    Select Choose File to upload the p12 file from the Google Apps Client ID creation.

  • Claim

    Additional profile data that is sent to client applications within the JSON Web Token (JWT).

    The listed Claims are options that would be requested by the client application. If an unlisted Claim needs to be included, add it below in the Custom Claims section.

  • Clean Up Pre-Auth Cookie

    Whether or not to remove the Pre-Auth Cookie after authentication.

    • True: Removes the Pre-Auth Cookie and requires re-authentication for subsequent logins.
    • False: Does not remove the Pre-Auth Cookie thereby enabling persistent access within the Timeout period.
  • Clear KBQ - KBA Checkbox

    The checkbox to reset the user's knowledge-based questions and answers.

    • Hide: The checkbox will not show on the page.
    • Show: The checkbox is shown and can be used.
  • Client Cert Serial Nbr

    The certificate serial number of the SecureAuth IdP appliance to identify itself to the hosted facility when making the WSE 3.0 / WCF web service request.

    • Select Certificate: Select the certificate from the appliance's certificate store.
  • Client Credentials

    Enable communication between the client application and SecureAuth IdP utilizing the Client ID and the Client Secret.

    • True: Allow the Client Credentials workflow.
    • False: Do not allow the Client Credentials workflow.
  • Client FQDN

    Enable an enterprise to set a Fully Qualified Domain Name (FQDN) as the client point of termination for SecureAuth IdP validation.

  • Client ID (Data - Azure AD)

    The Client ID of the Native Client Application (configured on Azure AD).

  • Client ID (Reg Methods - Facebook / Google / Windows Live / LinkedIn)

    The client ID assigned by Facebook / Google / Windows Live / LinkedIn to the user's application.

  • Client ID (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

    The Client ID is created automatically by SecureAuth IdP to be shared with the client application for authorization (similar to a user ID).

  • Client Secret (Reg Methods - Facebook / Google / Windows Live / LinkedIn)

    The shared secret assigned by Facebook / Google / Windows Live / LinkedIn to the company's application.

  • Client Secret (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

    The Client Secret is created automatically by SecureAuth IdP to be shared with the client application for authorization (similar to Password).

  • Client Side Control

    The credential used in the realm workflow for the user.

    • Java Applet: Stores the SecureAuth IdP X.509 certificate in the JRE managed code file set.
    • Browser Plug-ins: Utilizes the native key store for certificate storage.
    • Universal Browser Credential (deprecated): Utilizes a difficult-to-remove cookie that is written to multiple locations on the client.
    • Device / Browser Fingerprinting: Rather than a cookie or certificate being placed on the device or browser, SecureAuth IdP can pull unique characteristics from the device or browser and create a fingerprint that is utilized for low-friction authentication.
  • Clock Skew

    The number of minutes that SecureAuth IdP subtracts from the NotBefore SAML condition to account for any time difference between SecureAuth IdP and the Identity Provider.

  • Company GUID

    The company's Globally Unique Identifier (GUID) assigned by SecureAuth, present on all of the company's SecureAuth IdP appliances.

  • Company Logo

    Upload the company's logo for the SecureAuth IdP user-facing webpages. If no logo is provided, then the SecureAuth logo is shown instead.

  • Company Name (Reg Methods)

    The company name that appears on the Push-to-Accept login request (optional field).

  • Company Name (System Info)

    The company name that can be modified.

  • Condition Logic

    The condition logic for the IP Address Blocking, Application Blocking, and User Agent sections.

    • AND: Must meet all requirements from each section.
    • OR: Only one requirement from any of the sections must be met.
  • Configure IP Blocking

    Click Block IP Configuration to configure the realm's IP Blocking.

  • Configure Multiple Workflow

    Enable SecureAuth IdP to check multiple data stores from distinct realms for user information, and then redirect users to the workflow associated with the realm in which the user profile is found.

  • Confirmation Method

    The method used to confirm the subject.

  • Connection Mode

    How SecureAuth IdP connects to the directory.

    • Secure: An LDAP connection on port 389 in which the bind is authenticated with NTLMv2 rather than a plain-text simple bind.
    • SSL: An LDAP over SSL/TLS (LDAPS) connection on port 636. The whole session is encrypted and the directory server presents a certificate that the appliance must trust, so certificate management is part of the setup.
    • Standard: A plain LDAP connection on port 389 using a simple bind. The service account password and all directory traffic cross the network in clear text; use it only on a trusted network segment or for testing.
  • Connection String (Data - Membership Connection Settings - SQL / ODBC / ASP.NET)

    The SQL / ODBC / ASPNETDB connection string, which is used to enable communication between the data store and SecureAuth IdP. It is generated by clicking Generate Connection String, which utilizes the information provided in the previous fields; or check Custom Connection String to create a custom connection string.

  • Connection String (Logs - Log Database)

    How SecureAuth IdP communicates with the database logs. This field is auto-populated by clicking the Generate Connection String button.

  • Connection String (Data - Membership Connection Settings - Oracle)

    The Oracle Database connection string, which is used to enable communication between the database and SecureAuth IdP. It should be in the following format with the company's own values:

    Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1522)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=[DBName]))); User Id=[username];Password=[password]
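
    Because the descriptor is a nested parenthesised format and the string carries the database password in clear text, it helps to be able to pull the host, port and service name out of it and redact it before pasting it into a ticket or log. The following parser is an added example, not SecureAuth's own code or Oracle's client library; the sample string uses placeholder values (idpdb, idp_svc, s3cret) constructed for illustration.

```python
import re

# Added example (not SecureAuth's code): a parser for the Oracle connection
# string format shown above, so the host, port and service name can be checked
# and the password redacted before the string is logged. Values are placeholders.

SAMPLE_CONNECTION_STRING = (
    "Data Source=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)"
    "(PORT=1522)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=idpdb)));"
    " User Id=idp_svc;Password=s3cret"
)


def parse_descriptor(text: str) -> dict:
    """Parse a TNS descriptor such as (DESCRIPTION=(ADDRESS=(HOST=h)(PORT=1)))
    into nested dicts. A key that repeats at one level (e.g. several ADDRESS
    entries in a failover list) becomes a list."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_node():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        eq = text.find("=", pos)
        if eq < 0:
            raise ValueError(f"missing '=' after offset {pos}")
        key = text[pos:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if pos < len(text) and text[pos] == "(":
            value = {}
            while pos < len(text) and text[pos] == "(":
                child_key, child_value = parse_node()
                if child_key in value:
                    existing = value[child_key]
                    value[child_key] = (existing if isinstance(existing, list) else [existing]) + [child_value]
                else:
                    value[child_key] = child_value
                skip_ws()
        else:
            close = text.find(")", pos)
            if close < 0:
                raise ValueError(f"unterminated value for {key}")
            value = text[pos:close].strip()
            pos = close
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' closing {key} at offset {pos}")
        pos += 1
        return key, value

    key, value = parse_node()
    skip_ws()
    if pos != len(text):
        raise ValueError(f"trailing data after descriptor at offset {pos}")
    return {key: value}


def parse_connection_string(conn: str) -> dict:
    """Split the ';'-separated key=value pairs and pull the fields an admin
    usually needs to verify out of the Data Source descriptor."""
    fields = {}
    for item in conn.split(";"):
        if item.strip():
            key, _, val = item.partition("=")
            fields[key.strip().lower()] = val.strip()
    desc = parse_descriptor(fields["data source"])["DESCRIPTION"]
    address = desc["ADDRESS_LIST"]["ADDRESS"]
    if isinstance(address, list):
        address = address[0]  # first address of a failover list
    return {
        "protocol": address["PROTOCOL"],
        "host": address["HOST"],
        "port": int(address["PORT"]),
        "service_name": desc["CONNECT_DATA"]["SERVICE_NAME"],
        "user": fields.get("user id"),
        "has_password": bool(fields.get("password")),
    }


def redact_password(conn: str) -> str:
    """Mask the Password value; the string embeds the database credential in
    clear text, so never write it to logs or tickets unredacted."""
    return re.sub(r"(?i)(password\s*=\s*)[^;]*", r"\1***", conn)
```

    The Password element is the reason this string should be treated like any other stored credential: whatever protects the realm's web.config (see Decrypt / Decryption Key below) is what protects the database account.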

  • Connection String (Data - Profile Connection Settings - Directory Server)

    How SecureAuth IdP communicates with LDAP or Active Directory data stores and is built from the domain name.

  • Connection String (Data - Profile Connection Settings - SQL / ODBC / ASP.NET)

    The SQL / ODBC / ASPNETDB connection string, which is used to enable communication between the data store and SecureAuth IdP. It is generated by clicking Generate Connection String, which utilizes the information provided in the previous fields; or check Custom Connection String to create a custom connection string.

  • Connection String (Data - Membership Connection Settings - LDAP)

    How SecureAuth IdP communicates with LDAP or Active Directory data stores. It is built from the domain name and auto-populated by clicking Generate LDAP Connection String.

  • Connection Timeout

    The number of seconds permitted to query the log database and generate the results on the Reporting Page before the connection times out.

  • Consent Storage Attribute

    Client applications request to access certain information from the user's profile in the data store. The user must consent to these requests before continuing the workflow.

    Determine which SecureAuth IdP Property stores the user's consent to avoid requesting it with every login. This consent can be revoked in the directory at any time.

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
  • Cookie Length

    The number of hours during which the cookie is valid.

  • Cookie Name Prefix

    The name that is prepended to the cookie name, which can be anything. The full cookie name will appear as Cookie Name Prefix + company name + hashed value of user ID.

  • Cookieless

    Tell SecureAuth IdP whether to deliver the session identifier as a cookie or in the URL.

    • UseCookies: SecureAuth IdP always sets a cookie, whether or not the browser accepts it.
    • UseUri: SecureAuth IdP never sets a cookie and always carries the session information in the query string. Identifiers in URLs end up in browser history, proxy and web server logs, and Referer headers, so prefer one of the cookie modes unless cookies genuinely cannot be used.
    • AutoDetect: SecureAuth IdP checks whether cookies are enabled in the browser's user settings; if they are, it delivers a cookie, otherwise it falls back to the query string.
    • UseDeviceProfile: SecureAuth IdP decides from the browser's device profile (its known capabilities), not the user's settings. If the profile says cookies are supported, a cookie is delivered even when the user has disabled them.
  • Copyright Information

    Customize the copyright information here; otherwise, the default SecureAuth copyright content is provided. This appears in the footer of the client-side page(s).

  • Country Attribute

    To enable the client application to access the user's country, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Country List

    The list of Country Codes that are either allowed or denied based on the selection made from the dropdown, comma separated.

    • Allow: Only the list of Country Codes provided can access the realm.
    • Deny: The list of Country Codes provided cannot access the realm.
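
    The Condition Logic entry above and this Country List entry are easiest to reason about together: each blocking section yields a yes/no result for a request, and AND versus OR decides how those results combine. The following evaluator is an added example, not SecureAuth's own code. The rule shapes (a CIDR list for IP Address Blocking, the comma-separated Country List with its Allow/Deny mode, glob patterns for User Agent) and the sample requests are constructed for illustration, and Application Blocking is left out because its match criteria are not described in this glossary.

```python
import ipaddress
from fnmatch import fnmatch

# Added example (not SecureAuth's code): how per-section blocking results combine
# under Condition Logic AND versus OR. Rule shapes and sample requests are
# constructed for illustration; Application Blocking is omitted because its
# match criteria are not described in the glossary.


def ip_section_matches(ip: str, blocked_cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in blocked_cidrs)


def country_section_matches(country: str, country_list: str, mode: str) -> bool:
    """Country List is comma-separated. Allow blocks everything not listed,
    Deny blocks only what is listed. Codes are compared case-insensitively."""
    codes = {c.strip().upper() for c in country_list.split(",") if c.strip()}
    country = country.strip().upper()
    if mode == "Allow":
        return country not in codes
    if mode == "Deny":
        return country in codes
    raise ValueError("mode must be 'Allow' or 'Deny'")


def user_agent_section_matches(user_agent: str, patterns) -> bool:
    return any(fnmatch(user_agent, p) for p in patterns)


def request_blocked(request: dict, rules: dict, logic: str) -> bool:
    """Evaluate each configured section and combine with the realm's logic:
    AND blocks only when every configured section matches, OR when any does.
    Sections absent from `rules` are not evaluated."""
    results = []
    if "ip_blocks" in rules:
        results.append(ip_section_matches(request["ip"], rules["ip_blocks"]))
    if "country_list" in rules:
        results.append(country_section_matches(
            request["country"], rules["country_list"], rules["country_mode"]))
    if "user_agent_blocks" in rules:
        results.append(user_agent_section_matches(request["user_agent"], rules["user_agent_blocks"]))
    if not results:
        return False
    if logic == "AND":
        return all(results)
    if logic == "OR":
        return any(results)
    raise ValueError("logic must be 'AND' or 'OR'")


# Constructed sample configuration for the realm.
SAMPLE_RULES = {
    "ip_blocks": ["203.0.113.0/24", "2001:db8::/32"],
    "country_list": "US, CA",
    "country_mode": "Allow",
    "user_agent_blocks": ["*curl*", "*python-requests*"],
}
```

    The practical consequence of AND is easy to miss when configuring a realm: a request from a blocked IP range is still admitted unless every other configured section also matches it. Choose OR when each section is meant to block on its own.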
  • Create Post

    The expected post data variable name that is required by the SP. Select the SecureAuth IdP Property that is mapped to the directory attribute containing the required information to post.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • Authenticated Password: The validated password of the Authenticated User.
    • OATH OTP: The One-time passcode (OTP) generated from an OATH token.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Create: Click Create to add the information to the Post Data field.
  • Create Static Post

    The expected post data variable name that is required by the SP that is always posted for every user and in every session (Post To field); and the static value that is posted (Value field).

    • Create: Click Create to add the information to the Static Post Data field.
  • Create User

    Automatically create the Google Apps user account if it does not already exist.

    • Enabled: Create Google Apps user account.
    • Disabled: Do not create Google Apps user account.
  • Create User SP

    The Create User Stored Procedure (SP) name in the database.

  • Create Using This Realm

    Select a realm to copy that is used in the new multi-domain workflow.

  • Current 2.0 Template

    If a 2.0 mobile template file is already uploaded to the realm, then the name appears here.

  • Current 3.0+ Template

    If a 3.0+ mobile template file is already uploaded to the realm, then the name appears here.

  • Custom DC 1

    Select the SecureAuth IdP Property or other information used for the customized DC 1 data, applicable if Custom is selected from the DC 1 field.

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • User Agent: The browser's identifiable information, including the version number and on which OS it runs.
  • Custom DC 2

    Select the SecureAuth IdP Property or other information used for the customized DC 2 data, applicable if Custom is selected from the DC 2 field.

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • User Agent: The browser's identifiable information, including the version number and on which OS it runs.
  • Custom Error Redirect

    To where users are redirected when an error occurs if On or Remote Only is selected from the Custom Errors field.

  • Custom Errors

    Redirect users to a different page when an error occurs rather than the defaulted error page that the webpage provides.

    • On: Redirect users to a custom error page.
    • Off: Do not redirect users to a custom error page.
    • Remote Only: Redirect only remote users to a custom error page.
  • Custom SAN

    Select the SecureAuth IdP Property or other information used for the customized SAN data, applicable if Custom is selected from the SAN field.

    • Username: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • User Agent: The browser's identifiable information, including the version number and on which OS it runs.
  • Custom URL Schemes

    The URL scheme of the native mobile app, e.g. app1:/. Applicable for multi app and multi app groups check integrations only.

  • Data Format

    How the information is stored in data store.

    • Plain Text: Stored as regular, readable text (default).
    • Standard Encryption: Stored encrypted with RSA.
    • Advanced Encryption: Stored encrypted with AES.
    • Standard Hash: Stored as a SHA-256 hash. Hashing is one-way, so the original value cannot be recovered from the stored form.
    • Plain Binary: Stored as a binary representation of the data (produced with a .NET library; may not be readable by all applications).
    • JSON: Stored in a universal, readable format (similar to Plain Text).
    • Encrypted JSON: Stored as JSON with the values inside encrypted using AES.
  • Data Server

    Select the data store from which to pull profile information.

    • Directory Server: A directory server, such as LDAP, AD, Novell eDirectory, Lotus Domino, and Sun ONE, is used from which to pull profile information.
    • SQL Server: A SQL Server database is used from which to pull profile information.
    • ODBC: An ODBC data store is used from which to pull profile information.
    • ASPNETDB: An ASP.NET Database is used from which to pull profile information.
    • Web Service (Multi-Data Store): A web service configuration with multiple directories is used from which to pull profile information.
    • Oracle Database: An Oracle Database is used from which to pull profile information.
    • Microsoft Azure AD: Azure AD is used from which to pull profile information.
    • REST API (read only): A REST API integration, used for User Risk Adaptive Authentication product integrations.
    • No Data Store: No data store is used from which to pull profile information. This is used for testing or in some SAML consumer scenarios.
  • Data Source (Data - Membership Connection Settings - SQL / ODBC / ASP.NET)

    The SQL / ODBC / ASPNETDB Server Name, which can be the IP Address or Fully Qualified Domain Name (FQDN).

  • Data Source (Logs - Log Database)

    The name of the Data Source of the SQL Server to where the logs are sent. This can be an IP Address or the Fully Qualified Domain Name (FQDN).

    By default, SecureAuth IdP is configured to use the SQL Express installation on the appliance.

  • Data Store (Data - Membership Connection Settings)

    Select the company's on-premises data store from the options in the dropdown.

    • Active Directory (sAMAccountName): Active Directory (AD) is a Microsoft directory service that was developed for Windows domain networks. This uses the sAMAccountName attribute for the logon name.
    • Active Directory (UPN): Active Directory (AD) is a Microsoft directory service that was developed for Windows domain networks. This uses the userPrincipalName (UPN) attribute, which is an internet-style logon name.
    • Lightweight Directory Services (AD-LDS): Active Directory Lightweight Directory Services (AD LDS) is a Microsoft directory service that is designed for use with directory-enabled applications.
    • Lotus Domino: Lotus Domino (IBM Domino) hosts social business applications.
    • Novell eDirectory: Novell eDirectory (NetIQ Directory) is an X.500 compatible directory service.
    • Sun ONE: Sun Open Net Environment (Sun ONE, also known as Sun Java System Directory Server) is the Sun Microsystems' LDAP directory server.
    • Tivoli Directory: Tivoli Directory (IBM Security Directory Server) is IBM's implementation of the Lightweight Directory Access Protocol (LDAP).
    • OpenLDAP: OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP).
    • Other LDAP: Other Lightweight Directory Access Protocol (LDAP) implementations.
    • SQL Server: A SQL Server is a database server that utilizes the Structured Query Language (SQL).
    • Custom: The administrator can customize the configuration if the company's directory is not listed in the dropdown (requires SecureAuth assistance).
    • ODBC: Open Database Connectivity (ODBC) is a standard programming language middleware API used to access database management systems.
    • ASPNETDB: ASPNETDB is the default database when using ASP.NET Application Servers.
    • Web Service (Multi-Data Store): The SecureAuth Web Service that is used to search multiple data stores to find a user profile. Using this data store enables one workflow that utilizes multiple data stores to pull authentication information.
    • Oracle Database: Oracle's object-relational database management system.
    • Microsoft Azure AD: Microsoft's multi-tenant cloud based directory and identity management service.
    • Web Admin: For SecureAuth0 (Admin Realm) only (username and password external access).
    • No Data Store: No membership data store is queried, so no user is rejected by a membership lookup (for testing or some SAML consumer scenarios).
  • Data Store (Data - Profile Provider Settings)

    Select the data store from which to pull profile information.

    • Directory Server: A directory server, such as LDAP, AD, Novell eDirectory, Lotus Domino, and Sun ONE, is used from which to pull profile information.
    • SQL Server: A SQL Server database is used from which to pull profile information.
    • ODBC: An ODBC data store is used from which to pull profile information.
    • ASPNETDB: An ASP.NET Database is used from which to pull profile information.
    • Web Service (Multi-Data Store): A web service configuration with multiple directories is used from which to pull profile information.
    • Oracle Database: An Oracle Database is used from which to pull profile information.
    • Microsoft Azure AD: Azure AD is used from which to pull profile information.
    • No Data Store: No data store is used from which to pull profile information. This is used for testing or in some SAML consumer scenarios.
  • Days Since Last Password Changed

    Limit how often passwords can be changed by setting the minimum number of days that must pass after a change before the password can be changed again.

  • DC Exclusions

    A comma-separated list of Domain Components (DCs) to leave out when the user ID is built for login, so that users sign in with a shorter domain/username rather than the full name. For example, with DC=com,DC=local excluded, the com and local components are dropped from the ID.
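
    To see what the exclusion list does to a directory name, the following is an added example rather than SecureAuth's own code. It parses a user's distinguished name, drops the DC components named in DC Exclusions, and builds the domain/username form this entry describes. The glossary only states the result shape, so assembling it from the CN and the remaining DC components is an assumption made here, and the sample DNs are constructed.

```python
# Added example (not SecureAuth's code): how stripping the DC components named
# in DC Exclusions shortens the login ID. Building domain/username from the CN
# and the remaining DCs is an assumption for illustration; DNs are constructed.


def parse_dn(dn: str):
    """Split an LDAP distinguished name into (type, value) pairs, honouring
    backslash-escaped commas inside values (hex escapes are not handled)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr_type, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def excluded_dcs(dc_exclusions: str):
    """Parse the DC Exclusions setting (e.g. 'DC=com,DC=local') into a set of
    lower-cased DC values."""
    return {value.lower() for attr_type, value in parse_dn(dc_exclusions) if attr_type == "DC"}


def simplified_user_id(dn: str, dc_exclusions: str) -> str:
    """Return domain/username for a user DN with the excluded DCs removed;
    if every DC is excluded, just the username is returned."""
    rdns = parse_dn(dn)
    try:
        username = next(value for attr_type, value in rdns if attr_type == "CN")
    except StopIteration:
        raise ValueError("DN has no CN component") from None
    skip = excluded_dcs(dc_exclusions)
    domain = ".".join(value for attr_type, value in rdns
                      if attr_type == "DC" and value.lower() not in skip)
    return f"{domain}/{username}" if domain else username


if __name__ == "__main__":
    print(simplified_user_id("CN=jsmith,OU=Staff,DC=corp,DC=local", "DC=com,DC=local"))
```

    DC values are compared case-insensitively because LDAP treats them that way; the CN is kept as stored.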

  • DC 1

    Customize a certificate or utilize the default Domain Component (DC) 1 properties.

    • Default: Use default settings.
    • Custom: Customize the DC 1 properties in the certificate.
  • DC 2

    Customize a certificate or utilize the default Domain Component (DC) 2 properties.

    • Default: Use default settings.
    • Custom: Customize the DC 2 properties in the certificate.
  • DC 3

    Eliminate the Domain Component (DC) 3 property from the certificate, or include it as the hard drive serial number hash.

    • No DC 3: Do not include DC 3.
    • Hard drive serial number hash: Include hard drive serial number hash.
  • Debug Logs

    Check the box to enable the selected debug log. Debug logs can record database operations, system processes, and errors that occur during the authentication workflow, and can be reviewed to check for any inconsistencies.

  • Decrypt

    Click to decrypt the web.config file in the file structure for this specific realm.

  • Decryption

    How to decrypt the cookie. The web configuration file specifies which format to use (Auto).

  • Decryption Key

    The Decryption Key is stored in the web configuration file and must match the decryption key on the client application for SSO.

  • Default Phone Country Code

    The default country code for phone numbers used in authentication workflow in case the directory does not contain this information.

  • Default Profile Provider

    Select the default profile provider from which most profile information is pulled (no selection required if True is selected from the Same as Above field).

    • Directory Server: The default profile provider is a directory server, such as LDAP, AD, Novell eDirectory, Lotus Domino, and Sun ONE.
    • SQL Server: The default profile provider is a SQL Server database.
    • ODBC: The default profile provider is an ODBC data store.
    • ASPNETDB: The default profile provider is an ASP.NET Database.
    • Web Service (Multi-Data Store): The default profile provider is a web service configuration with multiple directories.
    • Oracle Database: The default profile provider is an Oracle Database.
    • Microsoft Azure AD: The default profile provider is an Azure AD directory.
    • No Data Store: There is no default profile provider. This is used for testing or in some SAML consumer scenarios.
  • Default Public / Private

    The mode selected on the login page by default.

    • Default Public: Public Mode will be automatically selected, and the user would have to change it to Private Mode.
    • Default Private: Private Mode will be automatically selected, and the user would have to change it to Public Mode.
    • No Default: The user would have to choose either Public or Private Mode, as neither will be automatically selected.
  • Default Workflow

    Dictate the authentication workflow. Each mode differs in security strength and user friction.

    • Username only: The user enters username only.
    • Username | Second Factor: The user enters username, and then completes a second factor of authentication.
    • (Valid Persistent Token) only: The user presents a token that was generated on a different realm.
    • Username & Password: The user enters username and the password on the same page.
    • Username & Password | Second Factor: The user enters username and password on the same page, and then completes a second factor of authentication.
    • Username | Password: The user enters username, and then supplies the password.
    • Username | Second Factor | Password: The typical (standard) mode. The user enters the username; next, completes a second factor of authentication; and then supplies the password. Because the second factor is verified before the password is requested, an attacker needs the username, a valid second factor, and the password, in that order, to gain access.
    • (Valid Persistent Token) | Password: The user presents a token that was generated on a different realm, and then supplies the password.
    • (Valid Persistent Token) | Second Factor: The user presents a token that was generated on a different realm, and then completes a second factor of authentication.
    • (Valid Persistent Token) | Second Factor | Password: The user presents a token that was generated on a different realm; next, completes a second factor of authentication; and then supplies the password.
  • Delete User

    Enable administrators to delete user accounts from the Help Desk page.

    • Show: Enable administrators to delete user accounts.
    • Hide: Do not enable administrators to delete user accounts.
  • Delimiter (XOR)

    Set the XOR delimiter. The delimiter is used with the Shared Secret to encrypt the user ID, and is typically a symbol, such as a colon, semicolon, or quotation mark.
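
    The following is an added example of the XOR-with-shared-secret scheme this entry names; it is not SecureAuth's own code and the token layout (the delimiter appended to the user ID before XOR, then base64) is an assumption made for illustration, not the product's actual format. What it shows is the property an administrator has to plan around: XOR is its own inverse, so the same secret both encodes and decodes, and the delimiter is what lets the receiver detect a mismatched secret.

```python
import base64
from itertools import cycle

# Added example (not SecureAuth's code): the XOR-with-shared-secret scheme, with
# the delimiter appended so the decoder can tell a correct secret from a wrong one.
# Token layout is an assumption for illustration, not the product's format.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against the repeating `key`; applying it twice restores the data."""
    if not key:
        raise ValueError("shared secret must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_encode(user_id: str, shared_secret: str, delimiter: str = ":") -> str:
    """XOR 'user_id + delimiter' with the repeating secret and base64 the result."""
    plaintext = (user_id + delimiter).encode("utf-8")
    cipher = xor_bytes(plaintext, shared_secret.encode("utf-8"))
    return base64.b64encode(cipher).decode("ascii")


def xor_decode(token: str, shared_secret: str, delimiter: str = ":") -> str:
    """Reverse xor_encode. A missing trailing delimiter means the secret or the
    delimiter on this side does not match the encoding side."""
    raw = xor_bytes(base64.b64decode(token), shared_secret.encode("utf-8"))
    text = raw.decode("utf-8", errors="replace")
    if not text.endswith(delimiter):
        raise ValueError("delimiter not found: shared secret or delimiter mismatch")
    return text[: -len(delimiter)]


if __name__ == "__main__":
    token = xor_encode("jsmith", "s3cr3t")
    print(token, "->", xor_decode(token, "s3cr3t"))
```

    Both sides must agree on the secret and the delimiter. XOR with a repeating key gives no integrity protection and is reversible by anyone holding the secret, so treat the shared secret as a credential: store it like a password and rotate it on both sides if it leaks.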

  • Denied Groups (Data)

    A list of the groups that are denied access to this realm (leave empty if no restrictions).

  • Denied Groups (Post Authentication - Mobile App Store)

    A list of groups not granted access to view or download the application from the Mobile App Store, comma-delimited.

  • Description

    A short description of the scope that displays on the client-side consent page.

  • Differ from Previous Password (# of chars)

    The minimum number of characters (letters, symbols, or digits) by which the new password must differ from the previous one.

  • Digital Fingerprints (Post Authentication - Help Desk)

    Revoke the digital fingerprints stored in a user's profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and can be set, but revocations are not required.
    • Show Disabled: The field is shown, but items cannot be revoked.
  • Digital Fingerprints (Post Authentication - Self-service Account Update)

    Revoke the digital fingerprints stored in a user's own profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and can be set, but revocations are not required.
    • Show Disabled: The field is shown, but items cannot be revoked.
  • Digits (0 - 9)

    The minimum number of digits required in each password (may not be required depending on the value set for the Must contain how many of the following field).

  • Directory Server

    Select the LDAP directory with which SecureAuth IdP integrates for profile mapping.

    • Active Directory (sAMAccountName): The profile directory integration is with an Active Directory (sAMAccountName).
    • Active Directory (UPN): The profile directory integration is with an Active Directory (UPN).
    • Lightweight Directory Services (AD-LDS): The profile directory integration is with a Lightweight Directory Services (AD-LDS) data store.
    • Lotus Domino: The profile directory integration is with a Lotus Domino data store.
    • Novell eDirectory: The profile directory integration is with a Novell eDirectory.
    • Sun ONE: The profile directory integration is with a Sun ONE data store.
    • Tivoli Directory: The profile directory integration is with a Tivoli Directory.
    • OpenLDAP: The profile directory integration is with an Open LDAP data store.
    • Other LDAP: The profile directory integration is with an Other LDAP data store.
  • Disallowed Keywords

    The list of keywords that cannot be used (comma separated).
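
    The password-policy fields in this glossary (Days Since Last Password Changed, Differ from Previous Password, Digits, and Disallowed Keywords) are applied together when a user changes a password. The following is an added example of such a combined check, not SecureAuth's own enforcement code: the policy values and sample passwords are constructed, and counting differing positions plus any length difference is one reading of "differ by N characters" that is assumed here.

```python
# Added example (not SecureAuth's code): how the password-policy fields in this
# glossary combine into one check. Policy values and passwords are constructed;
# the "differ by N characters" measure is one reading assumed for illustration.

SAMPLE_POLICY = {
    "days_since_last_change": 1,        # minimum days before a password may change again
    "differ_from_previous_chars": 3,    # Differ from Previous Password (# of chars)
    "min_digits": 2,                    # Digits (0 - 9)
    "disallowed_keywords": "company, password, secureauth",
}


def count_differing_chars(new: str, previous: str) -> int:
    """Positions at which the two strings differ, plus any extra length."""
    positional = sum(1 for a, b in zip(new, previous) if a != b)
    return positional + abs(len(new) - len(previous))


def parse_keywords(disallowed: str):
    """Disallowed Keywords is comma-separated; matching is case-insensitive."""
    return [k.strip().lower() for k in disallowed.split(",") if k.strip()]


def check_password_change(new: str, previous: str, days_since_last_change: int,
                          policy=SAMPLE_POLICY):
    """Return the list of violated rules; an empty list means the change passes."""
    violations = []
    if days_since_last_change < policy["days_since_last_change"]:
        violations.append("changed too recently")
    if count_differing_chars(new, previous) < policy["differ_from_previous_chars"]:
        violations.append("too similar to previous password")
    if sum(ch.isdigit() for ch in new) < policy["min_digits"]:
        violations.append("not enough digits")
    hits = [k for k in parse_keywords(policy["disallowed_keywords"]) if k in new.lower()]
    if hits:
        violations.append("contains disallowed keyword: " + ", ".join(hits))
    return violations


if __name__ == "__main__":
    print(check_password_change("Winter2024!x", "Winter2023!x", 10))
```

    Returning every violation at once, rather than stopping at the first, is what lets a self-service page tell the user everything that has to change in one round trip.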

  • Disclaimer

    Show a Disclaimer on client-side pages. The Disclaimer content can be customized in the Verbiage Editor section, under Advanced Settings in the Overview tab, by editing the useridview_disclaimermsg field.

    • Page Footer: Disclaimer is located in the footer of the page.
    • Not Shown: Disclaimer is not displayed on the page.
  • Discoverable

    Check to list the associated scope value at the Discovery Configuration endpoint.

  • Display Timeout Message

    How to alert the user when their session has expired.

    • Display Timeout: Display a message that alerts the user that the session has timed out.
    • Auto Restart: Automatically restart the page upon session expiration to prompt user to re-authenticate session.
    • Disabled: Do nothing until user interacts with the page, and then send them to re-authenticate the session.
  • Displayed Name

    For some target resources, such as the Secure Portal, the user's name can be displayed on the page. Administrators then select which username will be displayed from the dropdown provided.

    The following options correspond to the attributes mapped to the SecureAuth IdP Properties in the Data tab:

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.

    These options are created from factors other than or in addition to the SecureAuth IdP Profile mapping:

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

  • DN Mapping

    The SecureAuth IdP Property that contains the distinguishedName (DN).

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
  • Document Title

    The document title is shown on the admin side as well as the client side. On the admin side, this will be the header on the realm on the startup page, and will appear in the left-side menu under the Realm Name.

    On the client side, this will be displayed on the browser's tab.

  • Domain (Post Authentication - SAML Assertion / WS Federation)

    The domain of the SecureAuth IdP application. The full URL of the Public Server Address is required to download the Metadata File.

  • Domain (Post Authentication - Forms Authentication)

    The domain name used for the Forms Authentication token. Entering the same domain name in several realms lets a token issued by one of them be accepted by the others (SSO). If this field is blank, the appliance domain is used.

  • Domain (Data - Membership Connection Settings - LDAP)

    The domain name of the directory.

  • Domain (Overview - SMTP)

    The domain name if the SMTP requires one for authentication purposes.

  • Domain List

    Auto-populated by the information from the Create using this realm and Workflow Options fields, and contains a list of the workflow realm domain names.

  • Email

    The email address for the help desk.

  • Email 1 - Email 4 (Post Authentication - Create User)

    The SecureAuth IdP Email Properties that are mapped to directory fields containing the user's email addresses.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and it must be edited.
  • Email 1 - Email 4 (Post Authentication - Help Desk)

    The SecureAuth IdP Email Properties that are mapped to directory fields containing the user's email addresses.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • Email 1 - Email 4 (Post Authentication - Self-service Account Update)

    The SecureAuth IdP Email Properties that are mapped to directory fields containing the user's email addresses.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and must be edited.
  • Email Attribute

    To enable the client application to access the user's email, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Email Attributes

    Send the Email 1 - Email 4 attributes in the token (and query string) to the application.

    • True: Send the specified email attribute to the application.
    • False: Do not send the specified email attribute to the application.
  • Email Field

    To which SecureAuth IdP Property the email notification is sent.

    • Email 1: Typically the corporate email address.
    • Email 2 - 4: Additional email options available to use.
  • Email Field 1 - Email Field 4

    Select the type of authentication option(s) available for use for the email addresses mapped to the Email 1 - Email 4 Properties in the Data tab.

    • Enabled (HTML): Enable HTML emails to be used for the one-time password (OTP) delivery to the specified email for 2-Factor Authentication.
    • Enabled (TEXT): Enable TEXT emails to be used for the one-time password (OTP) delivery to the specified email for 2-Factor Authentication.
    • Disabled: The email option with this option selected is not used for any one-time password (OTP) delivery for 2-Factor Authentication.
  • Email Notification (Workflow - Expired Certificate Warning)

    Enable a Windows service email notification system that warns users of certificate expiration.

    • Enabled: Send warning email notifications.
    • Disabled: Do not send warning email notifications.
  • Email Notification (Post Authentication - Create User)

    Send a generic email to the user after a successful creation has been completed.

    • Don't Send: Do not send email notifications.
    • Always Send: Always send email notifications.
    • Show Checkbox: Select whether to send notification for each case.
    • Email by Group: Send email notifications by group lists.
  • Email Password Mapping

    The SecureAuth IdP Property that is mapped to the attribute that contains the Google Apps Email password.

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • PIN: The user's static Personal Identification Number (PIN).
    • KB Question: The user's Knowledge-based Questions (e.g. “In what city did you grow up?”).
    • KB Answer: The user's Knowledge-based Answers (e.g. Chicago, IL).
    • Cert Serial Number: A certificate that is generated by SecureAuth IdP and stored in the directory.
    • Cert Reset Date: The certificate revocation date. Certificates that were delivered before this date are invalidated.
    • Certificate Count: How many certificates the user has stored in the profile. The maximum amount of certificates allowed per user can be configured in the Workflow tab.
    • Mobile Reset Date: The Mobile cookie revocation date. Cookies that are delivered before this date are invalidated.
    • Mobile Count: How many Mobile cookies the user has stored in the profile.
    • Ext. Sync Password Date: The date on which the Google Apps and enterprise directory passwords need to synchronize.
  • Enable (Reg Methods - Facebook / Google / Windows Live / LinkedIn)

    Enable the use of a Facebook / Google / Windows Live / LinkedIn account for an additional point of authentication.

    • On: Enable Facebook / Google / Windows Live / LinkedIn account as second factor.
    • Off: Do not enable Facebook / Google / Windows Live / LinkedIn account as second factor.
  • Enable / Disable User

    Enable administrators to disable active user accounts, or enable disabled user accounts from the Help Desk page.

    • Show: Enable administrators to disable / enable user accounts.
    • Hide: Do not enable administrators to disable / enable user accounts.
  • Enable API for This Realm

    Enable the use of the Authentication and Identity Management (IdM) API, which leverages SecureAuth IdP functionality in a custom application's interface.

  • Enable Authentication API

    Enable the use of the Authentication API, which leverages SecureAuth IdP authentication functionality (2-Factor Authentication methods, Device Recognition, Adaptive Authentication, Behavioral Biometrics, etc.) in a custom application's interface.

  • Enable FBA WebService

    Enable or disable the appliance calling the SecureAuth Web Services to gather information.

    • True: Enable FBA WebService.
    • False: Do not enable FBA WebService.
  • Enable Geo-velocity

    Check to enable Geo-velocity, which analyzes the user's location based on the initial and subsequent IP Addresses and computes the physical speed implied by the distance between the two IP Address locations and the time elapsed between the two logins.

    For example, if a user logs in from New York and then logs in an hour later from China, SecureAuth IdP automatically responds with an appropriate Failure Action if the calculated velocity is greater than the MPH Limit.
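    The check described above, written out as an added example (this is illustrative code, not SecureAuth IdP's implementation): it assumes the GeoIP lookup has already resolved each IP address to coordinates, uses the great-circle distance between the two logins and the elapsed time to derive a speed, and returns a configured Failure Action when that speed exceeds the MPH Limit. The logins, IP addresses, coordinates and the 500 mph limit are constructed sample values; the assumed default Failure Action of "Step Up Auth" is one of the actions listed on this page. A second login from a different location with no elapsed time (or with a clock skewed into the past) is treated as an infinite speed rather than a division by zero, which is the edge case a practitioner most often gets wrong.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Login:
    """One authentication event with its IP already resolved to coordinates.

    The GeoIP lookup (IP address -> latitude/longitude) is assumed to have
    happened upstream; only its result is carried here.
    """
    user: str
    ip: str
    lat: float
    lon: float
    at: datetime


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in statute miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def velocity_mph(prev: Login, curr: Login) -> float:
    """Speed the user would have needed to travel between the two logins.

    A login from a different place at the same instant (or earlier, if a
    clock is skewed) cannot be explained by travel, so it is reported as
    infinite instead of dividing by zero.
    """
    miles = haversine_miles(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if miles > 0 else 0.0
    return miles / hours


def geo_velocity_check(prev: Login, curr: Login, mph_limit: float,
                       failure_action: str = "Step Up Auth") -> str:
    """Return the configured Failure Action when the velocity exceeds the
    MPH Limit; otherwise let the user continue (Resume Auth)."""
    if velocity_mph(prev, curr) > mph_limit:
        return failure_action
    return "Resume Auth"


# Constructed sample logins: documentation-range IPs and rounded coordinates.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
NEW_YORK = Login("jsmith", "203.0.113.10", 40.7128, -74.0060, T0)
BEIJING_1H_LATER = Login("jsmith", "198.51.100.20", 39.9042, 116.4074,
                         T0 + timedelta(hours=1))
PHILADELPHIA_2H_LATER = Login("jsmith", "203.0.113.55", 39.9526, -75.1652,
                              T0 + timedelta(hours=2))
BEIJING_SAME_TIME = Login("jsmith", "198.51.100.20", 39.9042, 116.4074, T0)

if __name__ == "__main__":
    limit = 500.0  # example MPH Limit; the real value is set on the realm
    for label, curr in (("Beijing +1h", BEIJING_1H_LATER),
                        ("Philadelphia +2h", PHILADELPHIA_2H_LATER),
                        ("Beijing +0h", BEIJING_SAME_TIME)):
        print(f"{label}: {velocity_mph(NEW_YORK, curr):.0f} mph -> "
              f"{geo_velocity_check(NEW_YORK, curr, limit)}")
```

    The New York to Beijing pair an hour apart yields roughly 6,800 mph and triggers the Failure Action; New York to Philadelphia two hours apart is about 40 mph and resumes the workflow. A real deployment should also allow for GeoIP inaccuracy (city-level error is common, and VPN or carrier NAT egress points can sit far from the user), which is the usual reason the MPH Limit is set well above any plausible ground speed.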

  • Enable IP / Country Restriction

    Check to enable IP Restriction or IP / Country Restriction, which allows or denies specific IP Addresses or country codes from accessing the realm.

  • Enable IP Blocking

    Block IP Addresses by country by using the Configure IP Blocking setting.

    • True: Enable IP Blocking by countries.
    • False: Do not enable IP Blocking by countries.
  • Enable IP Reputation / Threat Data

    Check to enable IP Risk Factor, which uses a threat intelligence system to detect risk and reports it as a Risk Level Score.

  • Enable Multi App

    Enable the integration of multiple native mobile applications in a single realm with the same workflow, directory integration, registration methods, etc.

    • True: Enable the integration of multiple native mobile applications in a single realm.
    • False: Enable the integration of only one native mobile application in a single realm.
  • Enable Multi App Group Check

    Enable SecureAuth IdP to check user groups to allow or deny access to the multiple native mobile applications, as defined in the Custom URL Schemes section (Enable Multi App must be set True to enable this feature).

    • True: Enable group check to restrict access to multiple native mobile apps.
    • False: Do not enable group check, and allow all users access into multiple native mobile apps.
  • Enable User / Group Restriction

    Check to enable User / Group Restriction, which allows or denies users or user groups access to the realm.

  • Enable User Consent Storage

    Enable the storage of the consent granted to a client as an encrypted and compressed string value in the attribute specified in the Consent Storage Attribute field.

    • True: Store the consent granted to a client as an encrypted and compressed string value in the attribute.
    • False: Do not store the consent granted to a client as an encrypted and compressed string value in the attribute.
  • Enable User Risk

    Check to enable User Risk, which analyzes the user account to assess risk.

  • Enabled (Post Authentication - Mobile App Store)

    Enable or disable applications that display on the Mobile App Store.

  • Enabled (Post Authentication - OpenID Connect / OAuth 2.0 Settings)

    OpenID Connect / OAuth 2.0 endpoints are always running; however, access to them can be enabled or disabled to allow or deny users from using the endpoints.

    • True: Enable access to endpoints.
    • False: Disable access to endpoints.
  • Enabled (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

    Enable the use of a client. Whichever value is selected, the client can still make requests; however, an access token is only issued when the client is enabled.

    • True: The client is enabled and requests will generate an access token.
    • False: The client is not enabled; and though it can still make requests, no access token will be generated.
  • Encode to Base64

    Enable Base64 encoding of the username. This is necessary if the SP requires it.

    • True: Encode username in Base64.
    • False: Do not encode username in Base64.
  • Encrypt Password (Java Only)

    For Java products only. When users enter their passwords, the passwords are encrypted using the Java Applet and sent to the SecureAuth IdP server as an encrypted string rather than as plain text.

    • True: Encrypt passwords with Java Applet.
    • False: Do not encrypt passwords with Java Applet.
  • Encrypt SAML Assertion

    For additional security, enable SecureAuth IdP to encrypt the SAML assertion that is sent to the SP.

    • True: Encrypt SAML Assertion.
    • False: Do not encrypt SAML Assertion.
  • Encrypt Token

    Encrypt the token sent from SecureAuth IdP to the application that contains the authenticated user ID and other profile attributes. Applicable for single and multi app integrations.

    • True: Encrypt the token.
    • False: Do not encrypt the token.
  • Encryption Cert

    The public key provided by the SP. The SP keeps and maintains the private key.

  • English Lowercase

    The minimum number of lowercase letters required in each password (may not be required depending on the value set for the Must contain how many of the following field).

  • English Uppercase

    The minimum number of uppercase letters required in each password (may not be required depending on the value set for the Must contain how many of the following field).

  • Error Logs

    Check the box to enable the selected error log. Error logs record all warnings and errors during the authentication workflow, and can be reviewed to check for any inconsistencies.

  • EULA

    The URL for the company's end-user license agreement.

  • Expiration Period

    The number of seconds during which the LTPA Token is valid, provided by the SP.

  • Expired Certificate Warning

    Click Configure Email Notification to enable email notifications that warn users that their certificates will expire.

  • Extended Attribute Format

    The format in which the Extended Attribute is delivered to the SP.

    The SP expects the Extended Attribute to be delivered a certain way to provide the appropriate response.

    • Basic: Send Extended Attribute in Basic format.
    • URI: Send Extended Attribute in URI format.
    • Unspecified: The format is unspecified.
  • Extended Attribute Name

    The specific name of the Extended Attribute. The SP specifies which attributes are required, and the name must match the name specified by the SP.

  • Extreme / High / Medium / Low Risk

    For IP Reputation / Threat Data analysis, select specific Failure Actions for each risk level, based on the generated risk score.

    • Hard Stop: Immediately stop the user from continuing further in the login process.
    • Redirect: Redirect the user to a different site, provided in the Redirect URL field.
    • 2-Factor: Send the user through 2-Factor Authentication, where the identity can be confirmed, or an attacker can be stopped.
    • Step Up Auth: Require additional authentication from the user, on top of what is configured in the realm.
    • Step Down Auth: Do not require authentication from the user, if configured in the realm.
    • Resume Auth: Continue the user through the configured workflow.
    • Post Auth: Send user straight to the post-authentication target, bypassing any additional workflow requirements.
  • Failover

    Enable SecureAuth IdP to respond if there is a failure.

    • True: Enable Failover.
    • False: Do not enable Failover.
  • Failure Action

    What happens automatically when the user does not pass the specific Adaptive Authentication analysis.

    • Hard Stop: Immediately stop the user from continuing further in the login process.
    • Redirect: Redirect the user to a different site, provided in the Redirect URL field.
    • 2-Factor: Send the user through 2-Factor Authentication, where the identity can be confirmed, or an attacker can be stopped.
    • Step Up Auth: Require additional authentication from the user, on top of what is configured in the realm.
    • Step Down Auth: Do not require authentication from the user, if configured in the realm.
    • Resume Auth: Continue the user through the configured workflow.
    • Post Auth: Send user straight to the post-authentication target, bypassing any additional workflow requirements.
  • FBA WebService Password

    The password associated with the FBA WebService Username. SecureAuth recommends changing this from the default.

  • FBA WebService Username

    The username used to access the FBA WebService. SecureAuth recommends changing this from the default.

  • Federated OpenID

    Define the identifying claim that is used for OpenID.

    • ClaimID: Use the ClaimID for OpenID.
    • Email: Use the Email for OpenID.
  • FF JRE Download

    The Firefox Java Runtime Environment (JRE) Plugin URL.

  • FF Plugin Download

    The Firefox Plugin URL.

  • Field

    The field from the enterprise data store where the requested properties are located. SecureAuth IdP includes some common out-of-the-box Active Directory values; however, the data may be located in different fields.

  • Field Count

    How many of the Show Enabled fields are required to be filled out by the user on the Self-service Account Update page.

    • 0 - 10: 0 - 10 fields are required to be filled out by the user.
  • File

    The application file used to download the app from the Mobile App Store.

  • First Name (Post Authentication - Create User)

    The user's first name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and it must be edited.
  • First Name (Post Authentication - Help Desk)

    The user's first name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • First Name (Post Authentication - Self-service Account Update)

    The user's first name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • Folder

    The name of the folder where the account resides ("root" by default).

  • Force Frame Breakout

    If a web page embeds SecureAuth IdP in an iFrame, enable the SecureAuth IdP webpages to break out into their own page rather than staying within the embedding web page.

    • True: Enable force frame break out.
    • False: Do not enable force frame break out.
  • Forgot Password URL

    A client-side link that takes users to the Forgot / Reset Password realm, which can be configured in the Post Authentication tab. Here, users can retrieve lost passwords securely.

  • Forgot Username URL

    A client-side link that takes users to the Forgot Username realm, which can be configured in the Post Authentication tab. Here, users can retrieve lost usernames securely.

  • Format

    The format in which the attribute will be delivered to the SP. This information is provided by the SP as it expects the attribute to be delivered a certain way.

    • Basic: Send the Attribute in Basic format.
    • URI: Send the Attribute in URI format.
    • Unspecified: The format is unspecified.
    • Base64 Encoded: Send the Attribute in Base64 Encoded format.
    • Group List: Send the Attribute in Group List format.
  • Forwarding Email Address

    Select the SecureAuth IdP Property that is mapped to the alternate email address field to which the mail is forwarded. The field must contain the entire email address.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

  • FP Expiration Length

    The number of days the fingerprint is valid.

    For example, if this field is set to 10 days, then the user's fingerprint expires in 10 days, no matter how often it is used.

  • FP Expiration Since Last Access

    The number of days the fingerprint is valid since last usage.

    For example, if this field is set to 10 days, then the user's fingerprint expires if it is not used during the 10 days since it was last employed.

  • FP Mode (Workflow - Digital Fingerprinting - Normal Browser Settings)

    Elect whether to deliver a cookie to the browser that corresponds to the fingerprint (FP) in the data store.

    • No Cookie: Do not deliver a cookie to the browser.
    • Cookie: Deliver a cookie to the browser.
  • FP Mode (Workflow - Digital Fingerprinting - Mobile Settings)

    Elect whether to deliver a cookie to the device or browser, or to pull unique IDs from the mobile devices using the SecureAuth Device Recognition App (iOS and Android mobile app) and deliver them to match the fingerprint (FP) ID in the directory.

    • Cookie: Deliver a cookie to the device.
    • Mobile App: Deliver the UDID (pre-iOS 5) or the Advertiser ID (iOS 5+) for iOS; or the Device ID and a combination of the Model Name and OS Version for Android (requires the Device Recognition App).
  • FP's Access Records Max Count

    The number of Fingerprint (FP) entries to save to each stored fingerprint profile.

  • Full Name Attribute

    To enable the client application to access the user's full name, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user’s mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Gender Attribute

    To enable the client application to access the user's gender, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Generate Credentials

    Click to generate unique values to enable communication between a custom application and SecureAuth's Authentication API.

  • Generate New Keys

    Click to generate new validation and decryption keys. If using SSO between other SecureAuth IdP realms, do not click Generate New Keys; instead, use the same Validation Key and Decryption Key values for each realm utilizing SSO.

  • Generate Profile with Cert

    Generate a certificate for the profile if the connection requires it.

    • True: Generate certificate with profile.
    • False: Do not generate certificate with profile.
  • Generate SP Meta File

    Click to generate a metadata file that can then be used for SAML attribute consumption from a third-party Identity Provider.

  • Generate Unique Assertion ID

    Generate a Unique Assertion ID (GUID) to pass to the SP, which is required by some applications.

    • True: Generate GUID.
    • False: Do not generate GUID.
  • Get Profile Relative URL

    The endpoint used to get user profiles that is appended (relative) to the Base URL.

  • Get Profile SP

    The Get Profile Stored Procedure (SP) name in the database.

  • Get Shared Secret (1 - 223)

    The Shared Secret that is sent to SecureAuth IdP, which is provided by the Service Provider (SP).

  • Get User SP

    The Get User Stored Procedure (SP) name in the database.

  • Global Cert Limit

    Limit the number of certificates that a user can have active in the directory. Once the user has surpassed the limit, the user needs to call Help Desk to resolve the issue.

  • Global Mobile Limit

    Limit the number of mobile cookies that a user can have that are active in the directory. Once the user has surpassed the limit, the user needs to call Help Desk to resolve the issue. Applicable for Mobile Enrollment and Validation realms.

  • Google Apps Domain Name

    The domain name that is provided by Google in the URL.

  • Group

    The groups to which the user belongs.

    • Hide: This field will not show on the page.
    • Show: This field is shown on the page.
  • Group Filter Expression (Post Authentication - SAML Attributes)

    Further filter the attribute by including groups that start a certain way, such as "sp-*". Instead of sending over all of the group names, this RegEx enables SecureAuth IdP to send over only those that are necessary.

  • Group Filter Expression (Post Authentication - Extended SAML Attributes)

    Filter the Extended Attribute value(s) by including groups that match the specified regular expression, such as "sp-*". Instead of sending over all of the group names, this RegEx enables SecureAuth IdP to send over only those that match the pattern.

  • Group List (Workflow - Adaptive Authentication - User / Group Restriction)

    The list of user groups that are either allowed or denied based on the selection made from the dropdown, comma separated.

    • Allow: Only the list of user groups provided can access the realm.
    • Deny: The list of user groups provided cannot access the realm.
  • Group List (Post Authentication - Create User)

    The list of groups to which the user belongs, comma-delimited.

  • Group Name(s)

    The list of user groups that are allowed or denied access based on the selection from the Validation Type field. Applicable for multi app and multi app groups check integrations only.

  • Groups Field

    The field in the directory that corresponds to a user’s groups.

  • Help Desk (Post Authentication - Identity Management)

    Click Configure Help Desk Page to configure the settings for the Help Desk Post Authentication page. This includes what is shown on the page and what can be edited.

  • Help Desk 1

    Enable or disable the use of the first help desk option for 2-Factor Authentication.

    Users can call the help desk, verify their identity, and then the help desk will provide a one-time password that can be used as the second factor.

    • Enabled: Enable the help desk mechanism (option 1) for 2-Factor Authentication.
    • Disabled: Disable the help desk mechanism (option 1) for 2-Factor Authentication.
  • Help Desk 2

    Enable or disable the use of the second help desk option for 2-Factor Authentication.

    Users can call the help desk, verify their identity, and then the help desk will provide a one-time password that can be used as the second factor.

    • Enabled: Enable the help desk mechanism (option 2) for 2-Factor Authentication.
    • Disabled: Disable the help desk mechanism (option 2) for 2-Factor Authentication.
  • Help Desk Challenge

    The challenge question asked to the user when using the Help Desk 2-Factor Authentication mechanism.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • High Risk

    The risk score range that classifies as high risk.

    • To: The range is from the set amount to infinity.
    • From: Set the range threshold.
  • Host (Post Authentication - IPSec Profile / Host Pairs)

    The Cisco IPSec IP Address in the Profile / Host Pair.

  • Host (Post Authentication - Profile / Host Pairs)

    Review the Cisco IPSec IP Address set as part of the Profile / Host Pair. Create the Profile / Host Pairs in the IPSec Profile section.

  • Host Name

    The base DNS address for the public SecureAuth IdP URL.

  • HTTP Headers

    The components of HTTP Headers that factor into the fingerprint. Set the weight values for each HTTP Header component and for the System Components to equal a total of 100%.

    • User-Agent: The user agent string (identification) of the user agent.
    • Accept: The Content-Types that are acceptable for the response.
    • Accept CharSet: The character sets that are acceptable.
    • Accept Encoding: The list of acceptable encodings.
    • Accept Language: The list of acceptable human languages for response.
  • Hybrid

    The workflow that is a combination of the Authorization Code and Implicit workflows, which allows the client to request a combination of identity token, access token and code via the front channel using either a fragment-encoded redirect (native and JS-based clients) or a form post (server-based web applications).

    • True: Allow the Hybrid workflow.
    • False: Do not allow the Hybrid workflow.
  • Identity Provider Name

    A friendly name that appears in the Web Admin for future reference.

  • Idle Timeout Length

    Set the period within which a user must interact with the site; once it elapses without activity, the session expires and the user must re-authenticate.

  • IE / PFX / Java Cert Type

    The certificate types based on the selection from the Client Side Control field.

    • 1024-bit Public Key: A public key with a key size of 1024-bit.
    • 2048-bit Public Key: A public key with a key size of 2048-bit.
    • Personal Certificate Only (1024-bit Public Key): A user certificate only with a key size of 1024-bit.
    • Machine and Personal Certificates (1024-bit Public Key): User and device certificates with key sizes of 1024-bit.
    • Personal Certificates Only (2048-bit Public Key): A user certificate only with a key size of 2048-bit.
    • Machine and Personal Certificates Only (2048-bit Public Key): User and device certificates with key sizes of 2048-bit.
  • IE ActiveX

    The Internet Explorer (IE) ActiveX version number.

  • IE JRE Download

    The Internet Explorer Java Runtime Environment (JRE) Plugin URL.

  • If Mobile, Redirect To

    Redirect users to different realms if SecureAuth IdP detects a mobile or a web browser.

    • Select Realm: Select the SecureAuth IdP Realm configured specifically for mobile browsers to where users are redirected if using mobile devices.
  • Implicit

    The workflow that enables SecureAuth IdP to generate an access token immediately after user authentication (without an authorization code) that is given to the client application.

    • True: Allow the Implicit workflow.
    • False: Do not allow the Implicit workflow.
  • Inbound SCEP Request

    Enable SecureAuth IdP to provide certificates that are requested by an application, e.g. MobileIron VSP. If only using Outbound SCEP, select False.

    • True: Enable SecureAuth IdP to provide certificates requested by applications.
    • False: Do not enable SecureAuth IdP to provide certificates requested by applications.
  • Include SAML Conditions

    Enable SecureAuth IdP to include SAML conditions in the SAML assertion. The SP requests this if it is necessary.

    • True: Include SAML Conditions in Assertion.
    • False: Do not include SAML Conditions in Assertion.
  • Initial Catalog (Data - SQL / ODBC / ASP.NET)

    The database name when the connection is opened.

  • Initial Catalog (Logs - Logs Database)

    The name of the logging database.

  • Inline Initialization

    Redirect users to the self-service page to provide missing information, and then redirect them back to the Post Authentication action once the data has been provided.

    Check the options for which Inline Initialization is enabled:

    • Missing Phone: Enable Inline Initialization for Missing Phone number.
    • Missing Email: Enable Inline Initialization for Missing Email address.
    • Missing KB Answers: Enable Inline Initialization for Missing Knowledge-based Answers.
    • Missing PIN: Enable Inline Initialization for Missing PIN.
  • Inline Password Change

    Elect whether users can change their expired passwords during the workflow.

    • Enabled: Users can change their password during login and be redirected back to the target resource after the password is changed.
    • Disabled: Users cannot log in until they change their password in the self-service password reset realm.
    • Password Settings: Customize the password reset settings for the realm.
  • Integrated Security (Data - SQL / ODBC / ASP.NET)

    Enable the use of the IIS app pool's service account for the connection to the database; this setting is part of the connection string.

    • True: Enable Integrated Security.
    • False: Do not enable Integrated Security.
  • Integrated Security (Logs - Log Database)

    Enable the use of the webpage's ID for the connection to the database; this setting is part of the Connection String.

    • True: Enable Integrated Security.
    • False: Do not enable Integrated Security.
  • Integration Method

    The device limitation and functionality of the client.

    • Certificate Enrollment and Validation: Used for standard web-based user workflows.
    • Certificate Enrollment Only: Used for X.509 Certificate Enrollment, when a certificate must be provisioned on a user's device.
    • Mobile Enrollment and Validation: Designed for legacy browser support on all devices, e.g. IE 6 and below.
  • Introspection

    The workflow in which a previously-issued access token (from SecureAuth IdP) is sent to the Introspection endpoint at which SecureAuth IdP states whether it is still valid, along with expiration and scope information.

    • True: Allow the Introspection workflow.
    • False: Do not allow the Introspection workflow.
  • Invalid Persistent Token Redirect

    To where users are redirected if their persistent token is invalid, e.g. another realm.

  • IP Address Rule

    Create a list of allowed IP Addresses or denied IP Addresses.

    • Allow: Only the IP Addresses listed in the IP Addresses field are allowed.
    • Deny: The IP Addresses listed in the IP Addresses field are denied.
  • IP Addresses

    List of the allowed or denied IP Addresses that is based on the IP Address Rule selected.

  • IP Blocking URL

    The IP Blocking URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • IP Blocking Use WSE 3.0

    Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to retrieve IP-to-Country data.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • IP HTTP Header Field Name

    The HTTP header field name that corresponds to the user's IP Address.

  • IP List

    The list of IP Addresses that are either allowed or denied based on the selection made from the dropdown, comma separated.

    • Allow: Only the list of IP Addresses provided can access the realm.
    • Deny: The list of IP Addresses provided cannot access the realm.
    • IP List can be in one of the following formats, separated by comma:

      • Specific IP, for example: 72.32.245.182
      • CIDR Notation, for example: 72.32.245.0/24
      • IP range, for example: 72.32.245.1-72.32.245.254

      The final IP List can be: 72.32.245.182,72.32.245.0/24,72.32.245.1-72.32.245.254
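The three IP List formats and the Allow / Deny semantics above, implemented as a small parser and matcher. This is an added example written for this glossary, not SecureAuth IdP's own code; the function names and the strict rejection of malformed entries are assumptions.

```python
"""Parse a SecureAuth-style IP List (specific IP, CIDR, IP range) and apply
the Allow / Deny rule to a client address. Added example; the helper names
are hypothetical and not part of SecureAuth IdP."""
import ipaddress


def parse_ip_list(value: str) -> list:
    """Split a comma-separated IP List into addresses, networks and ranges.

    Accepted entry formats (as listed in the glossary):
      specific IP     72.32.245.182
      CIDR notation   72.32.245.0/24
      IP range        72.32.245.1-72.32.245.254
    Anything else raises ValueError, so a typo in the console is rejected
    rather than silently narrowing or widening the list.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            # Version check first: comparing v4 with v6 raises TypeError.
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad IP range: {item}")
            entries.append((lo, hi))
        elif "/" in item:
            # strict=True rejects host bits set, e.g. 72.32.245.182/24
            entries.append(ipaddress.ip_network(item, strict=True))
        else:
            entries.append(ipaddress.ip_address(item))
    return entries


def is_valid_ip_list(value: str) -> bool:
    """True if every entry parses; handy for validating console input."""
    try:
        parse_ip_list(value)
        return True
    except ValueError:
        return False


def ip_in_list(ip: str, entries: list) -> bool:
    """True if the address matches any parsed entry."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if isinstance(entry, tuple):
            lo, hi = entry
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr in entry:  # returns False across IP versions
                return True
        elif addr == entry:
            return True
    return False


def realm_allows(ip: str, rule: str, ip_list: str) -> bool:
    """Apply the dropdown semantics: Allow = only listed IPs may access the
    realm; Deny = listed IPs may not."""
    listed = ip_in_list(ip, parse_ip_list(ip_list))
    if rule == "Allow":
        return listed
    if rule == "Deny":
        return not listed
    raise ValueError(f"unknown IP List rule: {rule}")


if __name__ == "__main__":
    # Constructed sample: the final IP List string from the glossary entry.
    sample = "72.32.245.182,72.32.245.0/24,72.32.245.1-72.32.245.254"
    for client in ("72.32.245.100", "72.32.246.1"):
        print(client, "Allow ->", realm_allows(client, "Allow", sample))
```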

  • IPSec Profile Update

    Enable IPSec Profile Update to add IPSec Profile / Host Pairs.

    • Enabled: Enable IPSec Profile Update.
    • Disabled: Do not enable IPSec Profile Update.
  • Issued Cert SN

    The certificate serial number provided by Symantec.

    • Test: Click to check the web service SSL communication. When the Success message displays, the Symantec VIP certificate is set up correctly.
  • IssueInstant Valid Time

    The number of hours during which the SAML assertion to SecureAuth IdP is valid. Applicable if not enabling SAML Conditions.

  • Issuer

    The name of the issuer, which must be unique and is commonly in URL format. This name displays in the iss claim within the JSON Web Token (JWT).

  • Java Applet

    The Java Applet version number.

  • Java Applet for JRE 7

    The Java Applet for Java Runtime Environment (JRE) 7 version number.

  • Java Applet for JRE 8

    The Java Applet for Java Runtime Environment (JRE) 8 version number.

  • Java Applet Load Failure Fallback

    Applicable when SecureAuth IdP fails to launch the Java Applet. From here, elect whether the user falls back to Public Mode, Universal Browser Credential Mode, Cookie Mode, or the user is denied access.

    • True - Public Mode: The user goes through an out-of-band one-time password.
    • True - UBC: The Universal Browser Credential (UBC) is used instead.
    • True - Cookie: A cookie is used instead.
    • False: The user is denied access and is asked to contact Help Desk.
  • Java Applet Wait

    How long SecureAuth IdP waits for the Java Applet to initiate.

  • Java Detection

    Enable SecureAuth IdP to check for Java presence.

    • True: SecureAuth IdP checks for Java presence.
    • False: Does not check for Java presence – select if not using Java.
  • Java Security Mode

    Set the security level for the certificate storage. If set to zero (0), then a certificate can be transferred from one system to another; if set to four (4), then the certificate cannot be copied at all.

  • Java Timeout

    Add time to wait for Java to respond. If no Timeout is set, or if Java does not respond during the allowed time period, then an error is presented.

  • JRE 7 Version

    The Java Runtime Environment (JRE) 7 version number.

  • JRE Install Path

    The Java Runtime Environment (JRE) Installation path, where SecureAuth IdP looks to retrieve the JRE if it is not already on the client machine.

  • JRE Install Path

    The Java Runtime Environment (JRE) version number.

  • JSON Web Encryption

    Enable the encryption of JSON Web Tokens (JWTs). This feature requires the client requesting the encrypted JWTs to provide its X.509 public key via a JSON Web Key URI.

    • Enabled: Encrypt the JWT.
    • Disabled: Do not encrypt the JWT.
  • JSON Web Key URI

    The URL at which the JSON document that is published with the public key information can be accessed. Applicable if Enabled is selected from the JSON Web Encryption field.

  • KB Conversion

    Enable SecureAuth IdP to convert KBQs from Base64 encoding to certificate-based encryption.

    • True: Convert to certificate-based encryption.
    • False: Do not convert to certificate-based encryption.
  • KB Format

    How the knowledge-based questions and answers are formatted and stored in the directory.

    • Base64: This method stores the binary data as text. It can easily be decoded back.
    • Encryption: This method stores the encrypted data as text. This setting is more secure since the data must be decrypted before it can be read.
  • KB Questions

    Enable or disable the use of knowledge-based questions (KBQs) for 2-Factor Authentication.

    • Enabled: Enable KBQ for 2-Factor Authentication.
    • Disabled: Disable KBQ for 2-Factor Authentication.
  • KBQ - KBA (Post Authentication - Create User)

    The user's knowledge-based questions and answers used for 2-Factor Authentication.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
  • KBQ - KBA (Post Authentication - Self-service Account Update)

    The user's knowledge-based questions and answers used for 2-Factor Authentication.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • KBQ Count (Post Authentication - Create User)

    The number of knowledge-based questions to display.

    • 1 - 6: Display 1 - 6 knowledge-based questions.
  • KBQ Count (Post Authentication - Self-service Account Update)

    The number of knowledge-based questions to display. The user is not required to answer all of them; the number required is set in the Number of Answers field.

    • 1 - 6: Display 1 - 6 knowledge-based questions.
  • Key Generation

    Click View and Configure FormsAuth key / SSO token to configure the token / cookie settings of the realm, and to set the tokens for SSO.

  • Key Value

    The shared secret for the encryption key that enables communication between SecureAuth IdP and the SP. The Key Value must match on both sides.

  • Language Attribute

    To enable the client application to access the user's language, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Last Name (Post Authentication - Create User)

    The user's last name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and it must be edited.
  • Last Name (Post Authentication - Help Desk)

    The user's last name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • Last Name (Post Authentication - Self-service Account Update)

    The user's last name based on the mapping in Profile Fields within the Data tab of the console.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • Link Function / Behavior

    For the Native Certificate Enrollment Page, select the action to be taken after the enrollment is finalized.

    • Custom URL: The user is redirected to a custom URL that is provided in the Link URL field.
    • Close All Browsers: The default mode that closes all browser windows after completion. This may require browser plug-ins.
  • Link URL

    The URL link for the Enrollment Complete Page if Custom URL is selected from the Link Function / Behavior field.

  • Links Shown on Portal Page

    Select the realms to which the Portal Page points. SecureAuth IdP then creates hyperlinks for the realms that are checked to be displayed on the Portal Page.

  • Live Domain Name

    If True is selected from the Append Domain Name field, then supply the domain name for the user ID here.

  • Live Site ID

    The Live Site ID provided by Microsoft in the welcome email.

  • Live Site URL

    Where the user lands after authentication.

    Possible destinations are:

    • http://home.live.com/default.aspx?wa=wsignin1.0&lc=1033
    • http://workspace.office.live.com
    • http://spaces.live.com/?lc=1033
    • http://skydrive.live.com/home.aspx?provision=1

  • Location (Overview - Displayed Name)

    Determine whether the username is to be shown on the page, and where.

    • Show in Header: The username displays in the top header of the page.
    • Not Shown: No username is displayed on the page.
  • Location (Overview - Forgot Password URL)

    The location of the Forgot Password link.

    • Under Input Field: The link is located below the main content.
    • Page Footer: The link is located in the footer of the page.
  • Location (Overview - Forgot Username URL)

    The location of the Forgot Username link.

    • Under Input Field: The link is located below the main content.
    • Page Footer: The link is located in the footer of the page.
  • Location (Overview - Restart Login URL)

    The location of the Restart Login link.

    • Not Shown: The link is not displayed on the page.
    • Header: The link displays in the top header of the page.
    • Footer: The link is located in the footer of the page.
    • Dynamic: The link changes location as users progress through the login workflow. The link starts in the footer on the login page, and then moves to the header after the user has logged in.
  • Lock User (after max attempts)

    Lock user accounts upon reaching the maximum number of failed authentication attempts.

    • True: Lock user accounts after max failed login attempts.
    • False: Do not lock user accounts after max failed login attempts.
  • Lock User SP

    The Lock User Stored Procedure (SP) name in the database.

  • Log Instance ID

    Used to mark log sets that are associated with this realm. Typically, it is the same name as the realm (SecureAuth1, SecureAuth2, etc.).

  • Login Request Timeout

    How long the Push-to-Accept login request remains valid for the user to accept or deny.

    • 1 Minute - 5 Minutes: Choose between 1 and 5 minutes.
  • Login Seconds

    The number of seconds allowed between the SecureAuth IdP authentication session and the Live@Edu session. The default is 5 seconds.

  • Login URL

    The page where the user is sent when the token has expired and a new one needs to be created, e.g. another SecureAuth IdP realm.

  • Logo (Post Authentication - Mobile App Store)

    The logo of the application. This displays with the Application Name in the Mobile App Store.

  • Logo (Overview - Email Settings)

    Upload a logo that will be used in the SecureAuth IdP emails. By default, the SecureAuth logo is employed.

  • Low Risk

    The risk score range that classifies as low risk.

    • To: The range is from the set amount to the Medium Risk From amount.
    • From: Set the range threshold.
  • LTPA Token Name

    The name of the Lightweight Third-Party Authentication (LTPA) Token, used for access into Domino and Lotus Notes. The SP provides the Token Name.

  • Mail Forwarding

    Enable mail forwarding to another email address.

    • Not Set: No mail forwarding.
    • Enabled: Enable mail forwarding to the email address Property selected in the Forwarding Email Address field.
    • Disabled: No mail forwarding, or previously enabled mail forwarding now disabled.
  • Mask Password

    Elect to hide the password.

    • True: Do not show password.
    • False: Show password.
  • Match FP ID in Cookie

    Require the fingerprint ID from the cookie to be presented and then matched to a fingerprint ID in the directory, with an acceptable Authentication Threshold score.

    • True: The cookie must match the FP ID in the directory.
    • False: The cookie is not required to match the FP ID in the directory.
  • Max Device Count

    Limit the number of devices that can receive Push Notifications and Push-to-Accept login requests. For no limit, set to -1.

  • Max Invalid Password Attempts

    The maximum number of failed password entries a user is allowed before the account is locked.

  • Max Length for KBA

    The maximum number of characters of which the knowledge-based answers can be composed.

  • Max Length for OTP

    The maximum number of digits of which a one-time passcode can be composed.

  • Max Length for Password

    The maximum number of characters of which a password can be composed.

  • Max Length for User ID

    The maximum number of characters of which a user ID / username can be composed.

  • Medium Risk

    The risk score range that classifies as medium risk.

    • To: The range is from the set amount to the High Risk From amount.
    • From: Set the range threshold.
  • Metadata File

    Download the SAML Metadata File to upload it to the SP for automated configuration. The Metadata File is essentially what makes SAML work, and enables the secure transaction between SecureAuth IdP and the SP.

  • Mobile Credential Length

    The amount of hours during which the Mobile certificate is valid. Applicable for Mobile Enrollment and Validation realms.

  • Mobile Identifiers

    Common keywords that are used to identify mobile devices and browsers. SecureAuth IdP searches for these values in headers and then redirects the user to the realm selected from the Web / Mobile Transfer Site field.

    NOTE: The IIS URL rewrite located in the IIS Management Console can also be utilized to configure this function.

  • Mobile Rev

    Revoke mobile tokens / cookies stored in a user's profile.

    • Hide: The revocation option will not show on the page.
    • Show: The revocation option will show on the page, but action is not required.
  • Multi-workflow Realms

    The multi-workflow realms created from the information provided; this field is auto-populated.

  • Multiple Certs per User

    Enable email notifications covering all of a user's certificates.

    • True: Notify users of all certificate expirations.
    • False: Notify users of only one certificate expiration.
  • Must Change Password

    Require the user to change the password entered in the previous field on next login.

    • True: Require the user to change password.
    • False: Do not require the user to change password.
  • Must Change Password at Next Login

    Select whether the user must change the password on the next attempted login. This is useful when using Administrative Password Reset to change it from the randomized password to one that the user selects.

    • True: Require the user to change password at next login.
    • False: Do not require the user to change password at next login.
  • Must Contain How Many of the Following

    Using the remaining Password Complexity section fields, specify which character sets must be used to create passwords.

    For example, if 2 is set, then the password must contain at least one (depending on the requirements listed in each of the fields) digit, symbol, uppercase letter, or lowercase letter, and at least one (1) of the characters not used for the first requirement, e.g. P@SSWORD (at least one uppercase letter and one symbol); if 4 is set, then the password must contain at least one (depending on the requirements listed in each of the fields) digit, symbol, uppercase letter, and lowercase letter, e.g. P@ssW0rd (at least one uppercase letter, one symbol, one lowercase letter, and one digit).
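A check that applies the rule described above, using the glossary's own P@SSWORD and P@ssW0rd examples. This is an added illustration, not SecureAuth IdP's implementation; modelling each Password Complexity field as a per-set minimum count, and the names below, are assumptions.

```python
"""'Must Contain How Many of the Following' password complexity check.
Added example; the field model (one minimum count per character set) and
all names are assumptions, not SecureAuth IdP code."""
import string

# The four character sets the glossary entry names, in the order it lists them.
CHARACTER_SETS = {
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
}


def sets_satisfied(password: str, minimums: dict) -> list:
    """Names of the character sets whose configured minimum is present.

    `minimums` stands in for "the requirements listed in each of the fields":
    a set with no entry defaults to requiring at least one character.
    """
    met = []
    for name, chars in CHARACTER_SETS.items():
        count = sum(1 for c in password if c in chars)
        if count >= minimums.get(name, 1):
            met.append(name)
    return met


def meets_complexity(password: str, must_contain: int, minimums=None) -> bool:
    """True if at least `must_contain` of the four sets are satisfied.
    A value of 4 makes every set mandatory; 0 disables the check."""
    if not 0 <= must_contain <= len(CHARACTER_SETS):
        raise ValueError("must_contain must be between 0 and 4")
    return len(sets_satisfied(password, minimums or {})) >= must_contain


if __name__ == "__main__":
    for pw, n in (("P@SSWORD", 2), ("P@SSWORD", 4), ("P@ssW0rd", 4)):
        print(f"{pw!r} with setting {n}: {meets_complexity(pw, n)}")
```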

  • Name (Post Authentication - SAML Attributes)

    The specific name of the attribute. The SP requests which attributes are required and the exact names.

    For WS-Federation integrations (IdP versions 8.0 and below), use Attribute 10 and set the Name to the end of the schema name (e.g. privatepersonalidentifier).

  • Name (Post Authentication - Mobile Browser Token)

    The name of the Mobile Browser Token, which can be set to anything. When a user is logging in from a mobile browser, SecureAuth IdP searches for the name entered here.

  • Name (Post Authentication - Forms Authentication)

    The name of the token.

  • Name (Post Authentication - OpenID Connect / OAuth 2.0 Scopes)

    A user-friendly title for the scope that displays on the client-side consent page.

  • Name (Post Authentication - OpenID Connect / OAuth 2.0 Client Details)

    The title of the client.

  • Name (Logs - Log Database)

    An auto-populated name generated by SecureAuth IdP.

  • Name Attributes

    Send the First Name and Last Name attributes in the token (and query string) to the application.

    • True: Send the specified name attribute to the application.
    • False: Do not send the specified name attribute to the application.
  • Name ID Format

    Metadata that describes the format in which the content contained in the User ID Mapping field is being asserted by SecureAuth IdP, specified by the SP.

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: The application fully handles the user ID. This is most commonly utilized.
    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Tells the SP to parse the user ID as an email address.
    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos: Enables Windows to correctly identify the node, which can be username, first name, or something else.
    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Tells the SP that the user ID will be in a persistent format.
    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Tells the SP that the user ID will be in a transient format.
    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName: Tells the SP that the user ID will be a Windows Domain Qualified Name.
    • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName: Tells the SP that the user ID will be in the field of X.509 Subject Name.
  • Namespace (1.1)

    Communicates to the SP which attribute is being sent, in the form of a URL. The SP should provide the exact Namespace if it is required.

  • Nick Name Attribute

    To enable the client application to access the user's nickname, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • No Score Returned

    The user profile / risk score information is not found in the User Risk integration database.

  • Notification Interval

    How often the email notifications are sent.

    • Hourly: An email is sent once every hour during the Warning Period.
    • Daily: An email is sent once every day during the Warning Period.
  • Notification Start Time

    The time of day at which the notifications start.

  • Number of Answers

    The number of knowledge-based questions the user must answer on the page. The value set here must be less than or equal to the KBQ Count selection.

    • 1 - 6: 1 - 6 knowledge-based questions must be answered.
  • Number of Past Passwords Remembered

    How many passwords SecureAuth IdP remembers to ensure that the new password is not the same.

  • Number of Questions

    The number of knowledge-based questions asked during the 2-Factor Authentication login process.

    • 1 - 6: 1 - 6 knowledge-based questions must be answered for 2-Factor Authentication.
  • OATH OTP Devices (Post Authentication - Help Desk)

    Revoke the OATH OTP devices enrolled to use the OATH Tokens stored in a user's profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and revocations can be made, but are not required.
    • Show Disabled: The field is shown, but revocations cannot be made.
  • OATH OTP Devices (Post Authentication - Self-service Account Update)

    Revoke the OATH OTP devices enrolled to use the OATH Tokens stored in a user's profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and revocations can be made, but are not required.
    • Show Disabled: The field is shown, but revocations cannot be made.
  • OATH Seed (Post Authentication - Help Desk)

    The stored OATH Seed value mapped to the SecureAuth IdP Property.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and edits can be made, but are not required.
    • Show Disabled: The field is shown, but edits cannot be made.
  • OATH Seed (Post Authentication - Self-service Account Update)

    The stored OATH Seed value mapped to the SecureAuth IdP Property.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and edits can be made, but are not required.
    • Show Disabled: The field is shown, but edits cannot be made.
    • Show Required: The field is shown and edits must be made.
  • OATH Seed or Token

    The type of App Enrollment / OATH provisioning utilized by the application(s).

    • OATH Seed (Single): Generate a single OATH seed that is utilized by all devices for all realms.
    • OATH Token (Multi): Generate an OATH Token that contains the unique OATH seed and the device ID for each individual enrollment. Using OATH Tokens, end-users can provision their devices against diverse SecureAuth IdP appliances and / or enterprise directories to create distinct tokens that ensure that the associated OATH seed can only work with that device.
  • Object

    The unique identifier name for the account.

  • One Time Provisioning

    Whether SecureAuth IdP generates a new seed for every provisioned device. If set to true, this disables the OATH usage on the previously provisioned device. If set to false, this enables SecureAuth IdP to reuse the same seed for each provisioned device and enables the use of multiple devices simultaneously.

    • True – Generate new seed: Enable the use of only one device at a time per user.
    • False – Reuse same seed: Enable the use of multiple devices at a time per user.
  • One Time Use

    Enable a one-time use PIN that is immediately cleared from the user directory once it is used for 2-Factor Authentication. New users commonly use this for self-service 2-Factor enrollment.

    • True: Enable one-time use PINs.
    • False: Do not enable one-time use PINs.
  • Only 1 FP Cookie per Browser

    Whether only one fingerprint (FP) cookie is allowed per browser.

    • True: Only one fingerprint cookie is allowed per browser.
    • False: More than one fingerprint cookie is allowed per browser.
  • Open PIN

    Enable the user's PIN to be displayed in the directory as plain text.

    • True: Show PIN in plain text.
    • False: Encrypt PIN.
  • or SSL Cert Address

    Provide a Fully Qualified Domain Name (FQDN) or IP Address to retrieve the SSL Certificate instead of the SSL Termination Cert. This is typically the Load Balancer address where the SSL connection is being terminated.

  • OTP Format

    Select what user information is validated.

    • OTP Only: Validate only the one-time passcode.
    • OTP + Password: Validate the one-time passcode, then the user's password.
    • Password + OTP: Validate the user's password, then the one-time passcode.
  • OTP Length

    The number of digits used in one-time passwords (OTPs) for 2-Factor Authentication.

    • 4, 5, or 6: Choose from 4 to 6 digits for an OTP.
  • p12 Password

    The password that corresponds to the p12 file obtained from the Google Apps Client ID creation (provided by Google).

  • Page Header

    The title that displays at the top of the client-side webpages, and is typically the same as the Document Title.

  • Passcode Change Interval

    The number of seconds during which the Time-based Passcode is valid. After the provided amount of seconds has passed, that OTP no longer works for the 2-Factor Authentication session.

  • Passcode Length

    How many digits the Time-based Passcode is for 2-Factor Authentication.

    • 6: OTP is 6 digits.
    • 8: OTP is 8 digits.
  • Passcode Offset

    A rolling time-frame window of minutes during which the OTP is valid, which allows for time differences between devices and servers.

  • Password (Overview - SMTP)

    The password associated to the SMTP username.

    • Hidden: Hide the password (********), or show it here in the console by unchecking the box (password).
  • Password (Data - Membership Connection Settings - LDAP)

    The password of the Service Account.

    • Hidden: Hide the password (********), or show it here in the console by unchecking the box (password).
  • Password (Data - Membership Connection Settings - SQL / ODBC / ASP.NET)

    The password associated to the SQL / ODBC / ASPNETDB database User ID.

  • Password (Data - Web Service Multi-Data Store)

    The password provided by SecureAuth IdP for the Web Service Data Store. It is strongly recommended to change this from the default password.

    To change the password, alter it here and in the FBA WebService Password field in the Workflow tab, under FBA Web Services. The two passwords must match.

  • Password (Data - Azure AD)

    The password for the Username of the Azure AD administrator service account.

  • Password (Data - Membership Connection Settings - WebAdmin)

    The password associated to the username used to access the SecureAuth IdP Web Admin remotely.

  • Password (Data - Profile Connection Settings - REST API)

    The password associated with the User Risk integration service account Username.

  • Password (Post Authentication - Create User)

    How the first password is generated for the new user.

    • Enter Manually: Enter the password for the user.
    • Generate Automatically: Generate a random password.
  • Password (Logs - Log Database)

    The password associated with the database log's User ID.

  • Password Expired Days

    The number of days from the last password change during which the password is valid. Once this number of days is exceeded, the password expires.

  • Password Field

    The SecureAuth IdP Property that is mapped to the attribute that contains the Google Apps Email password.

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • PIN: The user's static Personal Identification Number (PIN).
    • KB Questions: The user's Knowledge-based Questions (e.g. "In which city did you grow up?").
    • KB Answers: The user's Knowledge-based Answers (e.g. Chicago, IL).
    • Cert Serial Number: A certificate that is generated by SecureAuth IdP and stored in the directory.
    • Cert Reset Date: The certificate revocation date. Certificates that were delivered before this date are invalidated.
    • Certificate Count: How many certificates the user has stored in the profile. The maximum amount of certificates allowed per user can be configured in the Workflow tab.
    • Mobile Reset Date: The Mobile cookie revocation date. Cookies that are delivered before this date are invalidated.
    • Mobile Count: How many Mobile cookies the user has stored in the profile.
    • Ext. Sync Password Date: The date on which the Google Apps and enterprise directory passwords need to synchronize.
  • Password Format (Data - Membership Connection Settings - SQL)

    How the password is stored in the SQL database.

    • Clear: Store the password in clear text.
    • Hashed: Hash the password.
    • Encrypted: Encrypt the password.
  • Password Format (Data - Membership Connection Settings - Oracle)

    How the password is stored. This selection also dictates which Password Stored Procedure (SP) is used. MD5 and SHA1 are no longer adequate for protecting stored passwords; of the options offered here, SHA2 combined with a Password Salt is the strongest.

    • Clear: Password is stored in clear text (uses the Validate Password SP).
    • SHA1: Password is stored using the SHA1 hash algorithm (uses the Get Password SP and compared server side).
    • SHA2: Password is stored using the SHA2 hash algorithm (uses the Get Password SP and compared server side).
    • MD5: Password is stored using the MD5 hash algorithm (uses the Get Password SP and compared server side).
  • Password Length Greater Than

    The minimum number of characters a password must contain.

  • Password Reset (Post Authentication - Password Reset)

    Click Configure password reset page to customize the password and password reset settings.

  • Password Reset (Post Authentication - Help Desk)

    Enable administrators to reset user passwords from the Help Desk page.

    • Show: Enable administrators to reset user passwords.
    • Hide: Do not enable administrators to reset user passwords.
  • Password Reset Mode

    The mode in which users can reset their passwords.

    • Enforce Password Change Requirements: Require users to follow all enforcements from the directory.
    • Administrative Password Reset: Bypass history check enforcements.
    • Administrative Reset with History Check: Perform an administrative reset but still run the history check against the last password change date.
  • Password Salt

    A string of text appended to passwords before they are hashed. Not applicable if Clear is selected in the Password Format field. Because a single salt is configured here for the whole data store, it defeats precomputed tables, but two users with the same password still produce the same stored hash.
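    An added example, not SecureAuth IdP's own code, covering the Password Format (Oracle) choices above and this Password Salt field. It assumes the salt is appended to the password and the result hashed once with the selected algorithm and stored as hex (the page states the append but not the encoding). It shows the server-side compare the Get Password SP path implies, and why one data-store-wide salt is weaker than a per-user one: a single hash per candidate word tests every user at once.

```python
import hashlib
import hmac

# Hash algorithms behind the Password Format choices; Clear is handled separately.
HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA2": hashlib.sha256}


def stored_value(password: str, password_format: str, password_salt: str = "") -> str:
    """Value written to the database for a given Password Format and Password Salt.

    Assumption (not confirmed by the page): salt appended, hashed once, hex digest.
    """
    if password_format == "Clear":
        return password  # the salt is not applicable to Clear
    hasher = HASHERS[password_format]
    return hasher((password + password_salt).encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored: str, password_format: str,
                    password_salt: str = "") -> bool:
    """Server-side comparison: recompute for the candidate and compare in constant time."""
    return hmac.compare_digest(stored_value(candidate, password_format, password_salt), stored)


def crack_with_shared_salt(stored_digests: dict, wordlist, password_format: str,
                           password_salt: str) -> dict:
    """Offline attack against a dump that uses ONE salt for everybody.

    Each candidate word is hashed once and looked up against all stored digests,
    so the cost is per word, not per word per user. A random per-user salt would
    force one hash per (word, user) pair instead.
    """
    by_digest = {}
    for user, digest in stored_digests.items():
        by_digest.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        candidate = stored_value(word, password_format, password_salt)
        for user in by_digest.get(candidate, []):
            found[user] = word
    return found


if __name__ == "__main__":
    # Constructed sample dump: three accounts, one deployment-wide salt.
    salt = "pepper"
    dump = {
        "alice": stored_value("Winter2024!", "SHA2", salt),
        "bob": stored_value("Winter2024!", "SHA2", salt),      # same digest as alice
        "carol": stored_value("correct horse battery staple", "SHA2", salt),
    }
    print(crack_with_shared_salt(dump, ["password", "Winter2024!", "letmein"], "SHA2", salt))
```

    The known-answer values for the unsalted case (MD5 of "password" is 5f4dcc3b5aa765d61d8327deb882cf99) are the same ones found in every public hash table, which is exactly what a non-empty salt is there to prevent.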

  • Password Syncing

    The type of password being synchronized to the iOS device(s) for provisioning.

    • Random Password: A random password that is sent to the device that is unknown by the user.
    • User Password: The user's Google Apps Email password.
  • Password Warn Days

    The number of days before expiration during which users are warned that their password is about to expire. Applicable for the Inline Password Change feature.

  • Persist Security Info (Data - SQL / ODBC / ASP.NET)

    The Persist Security Info keyword of the connection string. It controls whether security-sensitive values such as the password remain readable from the connection object after the connection has been opened. False is the safer setting; set True only if a component genuinely needs to read the credentials back.

    • True: Credentials remain accessible after the connection is open.
    • False: Credentials are discarded once the connection is open.
  • Persist Security Info (Logs - Log Database)

    The Persist Security Info keyword of the log database connection string. It controls whether security-sensitive values such as the password remain readable from the connection object after the connection has been opened. False is the safer setting.

    • True: Credentials remain accessible after the connection is open.
    • False: Credentials are discarded once the connection is open.
  • Persistent

    Whether the token cookie outlives the browser session.

    • True – Expires after Timeout: The token is written as a persistent cookie and expires after the timeout, regardless of whether the browser session is still open.
    • False – Session Cookie: The token is a session cookie, valid for the entire web session and discarded as soon as the browser closes.
  • Phone

    The phone number for the help desk (option 1 or 2).

  • Phone / SMS Selected

    This setting is only effective if Voice and SMS / Text is selected from the Phone Field 1 - Phone Field 4 dropdowns. This sets the default selection that displays on the client-side login screen.

    • Voice: Voice (telephony OTP) is the default selection.
    • SMS / Text: SMS / Text is the default selection.
  • Phone / SMS Visible

    Elect to show both Voice and SMS / Text options even if they are not both available for authentication use.

    • True: Show both options.
    • False: Only show available option.
  • Phone 1 - Phone 4 (Post Authentication - Create User)

    The SecureAuth IdP Phone Properties that are mapped to directory fields containing the user's phone information.

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and must be edited.
  • Phone 1 - Phone 4 (Post Authentication - Help Desk)

    The SecureAuth IdP Phone Properties that are mapped to directory fields containing the user's phone information.

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Disabled: The field is shown, but cannot be edited.
  • Phone 1 - Phone 4 (Post Authentication - Self-service Account Update)

    The SecureAuth IdP Phone Properties that are mapped to directory fields containing the user's phone information.

    • Hide: This field will not show on the page.
    • Show Disabled: The field is shown, but cannot be edited.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • Phone Attributes

    Send the Phone 1 - Phone 4 attributes in the token (and query string) to the application.

    • True: Send the specified phone attribute to the application.
    • False: Do not send the specified phone attribute to the application.
  • Phone Field 1 - Phone Field 4

    Select the type of authentication option(s) available for use for the phone numbers mapped to the Phone 1 - Phone 4 Properties in the Data tab.

    • Voice and SMS / Text: Enable the user to select either a phone call or a text message to receive the one-time passcode (OTP) for 2-Factor Authentication.
    • Voice Only: Enable only a phone call to the specified phone option to deliver the one-time passcode (OTP) for 2-Factor Authentication.
    • SMS / Text Only: Enable only a text message to the specified phone option to deliver the one-time passcode (OTP) for 2-Factor Authentication.
    • Disabled: The phone option with this choice selected is not used for any one-time passcode (OTP) delivery for 2-Factor Authentication.
  • Phone Mask (Regex)

    A regular expression that controls how much of the phone number is masked on the login page. By default, SecureAuth IdP reveals only the last four digits, e.g. xxx-xxx-1234.

  • PIN (Post Authentication - Create User)

    The user's static Personal Identification Number (PIN).

    • Hide: This field will not show on the page.
    • Show: The field is shown and can be edited, but edits are not required.
    • Require: The field is shown and it must be edited.
  • PIN (Post Authentication - Help Desk)

    The user's static Personal Identification Number (PIN).

    • Hidden: This field will not show on the page.
    • Read Only: The field is shown and cannot be edited.
    • Enabled: The field is shown and can be edited, but edits are not required.
  • PIN (Post Authentication - Self-service Account Update)

    The user’s static Personal Identification Number (PIN).

    • Hide: This field will not show on the page.
    • Show Enabled: The field is shown and can be edited, but edits are not required.
    • Show Required: The field is shown and it must be edited.
  • PIN Field

    Enable users to utilize a Personal Identification Number (PIN) for 2-Factor Authentication.

    • Enabled: Enable PIN for 2-Factor Authentication.
    • Disabled: Do not enable PIN for 2-Factor Authentication.
  • Place Groups in QueryString

    Return the user's groups to the application in a query string, in addition to the token sent. Query string values end up in browser history, Referer headers and web server logs, so enable this only if the application cannot read the groups from the token.

    • True: Return users' groups to application in query string.
    • False: Do not return users' groups to application in query string.
  • Place Profile Attributes in QueryString

    Return the user's profile attributes to the application in a query string, in addition to the token sent. Query string values end up in browser history, Referer headers and web server logs, so enable this only if the application cannot read the attributes from the token.

    • True: Return users' profile attributes to application in query string.
    • False: Do not return users' profile attributes to application in query string.
  • Port

    The port of the SMTP server; the default is 25. This field is required.

  • Portal Page

    Click View and Configure the portal page to configure the Secure Portal for SSO from a single landing page.

  • Portal Page Authorization

    Select if and how the Portal Page is accessible.

    • Not Available: The Portal Page is not available for use.
    • Token Required: Users must authenticate before reaching the Portal Page.
    • NO Token: Users can access the Portal Page without authentication; however, they will need to validate their identities with the applications after clicking the links.
    • GAE: The Portal Page requires a token from a Google Apps Engine (GAE) SecureAuth instance.
  • Post Data

    The Form Post information created from the URL and Create Post information.

    • Remove: Select an item in the Post Data field, and click Remove to delete.
  • Post-Auth Cookie

    The cookie that communicates to SecureAuth IdP that the user has been authenticated. This can be set to point to a specific realm so that the administrator knows where the user's identity was validated. Single Sign-on (SSO) is achieved with this cookie.

  • Postal Code Attribute

    To enable the client application to access the user's postal code, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • PostAuth WebService URL

    A generic URL for any Post Authentication module to use if an additional web service call is required to complete the Post Authentication action.

  • Pre-Auth Cookie

    The cookie generated from a Begin Site. SecureAuth IdP checks to see if there is a Pre-Auth Cookie present; and if there is, then SecureAuth IdP extracts the user ID from the token and proceeds with the login process. If the Pre-Auth Cookie is not present and Require Begin Site is set to True, then SecureAuth IdP sends the user back to the Begin Site to acquire the Pre-Auth Cookie.

  • Private Enterprise Number (PEN)

    The Private Enterprise Number (PEN) of the Syslog server.

  • Private Key Setting

    Which password is used to protect the profile for the iDevices and for Android device keys.

    • User Password: The user's data store password.
    • Static Password: A static password set by administrator.
    • No Password: No password is required.
  • Private Mode Cert Length

    If Private Mode is selected during the login workflow, this field determines the number of days during which the private mode certificate is valid.

  • Profile (Post Authentication - IPSec Profile / Host Pairs)

    The Cisco IPSec Profile name associated with this Profile / Host Pair.

  • Profile (Post Authentication - Profile / Host Pairs)

    Review the Cisco IPSec Profile name set as part of the Profile / Host Pair. Create the Profile / Host Pairs in the IPSec Profile section.

  • Profile Field

    The SecureAuth IdP Profile Property that contains the user's User Risk Score (written by the User Risk integration).

    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
  • Profile Missing Redirect

    To where users are redirected if their profile is missing, e.g. profilemissing.aspx.

  • Profile Property (Post Authentication - OpenID Connect / OAuth 2.0 Claims / Custom Claims)

    SecureAuth IdP pulls the claim information from the mapped Profile Property to include in the JSON Web Token (JWT) assertion.

    • -Unmapped-: Claim is not included in JWT assertion.
    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
  • Profiles

    Select Click Here to Add Profile / Host Pairs to add IPSec Profile / Host Pairs.

  • Property

    The properties used by SecureAuth IdP. Each property is mapped to a directory field; SecureAuth IdP reads the mapped field for authentication and includes it in assertions sent to applications.

    The administrator decides which directory field is paired with which property, but SecureAuth IdP ships with out-of-the-box Active Directory mappings based on common practice.

  • Provider Name

    An auto-populated name generated by SecureAuth IdP.

  • Proxy IP List

    The IP Addresses (comma separated) of load balancers, gateways, proxies or other devices between the user and SecureAuth IdP. When a request arrives from one of these addresses, the appliance reads the original client address from the forwarded header instead of using the connecting address. List only devices you control: any address in this list is trusted to report the client IP, and a forwarded header from an unlisted source must be ignored, otherwise a client can choose the IP address used for IP restrictions and risk analysis.
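    An added example of how such a list should be applied (illustrative code, not SecureAuth IdP's implementation). It assumes the forwarded header is X-Forwarded-For, which the page does not name. The header is consulted only when the TCP peer is a listed proxy, and it is read right to left, skipping listed proxies, so values a client prepends itself are ignored.

```python
import ipaddress


def parse_proxy_ip_list(proxy_ip_list: str):
    """Comma-separated Proxy IP List -> networks (a bare address becomes /32 or /128)."""
    return [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in proxy_ip_list.split(",") if entry.strip()]


def is_listed_proxy(address: str, networks) -> bool:
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr: str, x_forwarded_for: str, proxy_ip_list: str) -> str:
    """Determine the client address to use for IP restriction and risk checks.

    remote_addr is the TCP peer. Only if it is a listed proxy is the header used,
    and then the rightmost hop that is not itself a listed proxy is the client;
    everything further left was supplied by an untrusted party.
    """
    networks = parse_proxy_ip_list(proxy_ip_list)
    if not is_listed_proxy(remote_addr, networks):
        return remote_addr  # direct connection: the header is untrusted input
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed hop: fall back rather than trust garbage
        if not is_listed_proxy(hop, networks):
            return hop
    return remote_addr  # header empty or contains only proxies


if __name__ == "__main__":
    # Constructed requests: a load balancer at 10.0.0.5 in front of the appliance.
    print(resolve_client_ip("10.0.0.5", "203.0.113.7, 10.0.0.5", "10.0.0.0/8"))        # 203.0.113.7
    print(resolve_client_ip("10.0.0.5", "198.51.100.9, 203.0.113.7", "10.0.0.0/8"))    # spoofed left value ignored
    print(resolve_client_ip("203.0.113.7", "198.51.100.9", "10.0.0.0/8"))              # direct: header ignored
```

    Listing a whole range such as 10.0.0.0/8 is convenient but means any host in that range can assert a client address; prefer the individual proxy addresses.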

  • Proxy Password

    The password associated with the Proxy Username; required only if the proxy requires authentication.

  • Proxy Server Address

    The IP Address or the Fully Qualified Domain Name (FQDN) of the Proxy Server.

  • Proxy Server Port

    The TCP Port on which the proxy server is configured to respond.

  • Proxy Username

    The Username of the proxy account required only if the proxy requires authentication.

  • Public / Private Mode

    The options provided to users on the page when logging in.

    • Private and Public Mode: Enable users to select Private or Public Mode for login. Private is used for known devices, whereas Public is chosen on unknown or untrusted devices.
    • Public Mode Only: Public mode is automatically selected for login. This is for any device, prompts for authentication, and SecureAuth IdP does not store a credential on the browser.
    • Private Mode Only: Private mode is automatically selected for login. This is for trusted devices, and SecureAuth IdP stores a credential on the browser.
  • Public IP Address

    The Public IP Address if the Network Address Translation (NAT) is used to change the SecureAuth IdP IP Address to a Public IP Address.

  • Public Mode Cert Length

    If Public Mode is selected during the login workflow, then this field sets the number of hours during which the certificate is valid. Applicable for Certificate Enrollment Only realms.

  • Push Notification Devices

    Revoke the Push-to-Accept and Push Notification enrolled devices stored in a user's profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and revocations can be made, but are not required.
    • Show Disabled: The field is shown, but revocations cannot be made.
  • Push Notification Tokens

    Revoke the Push-to-Accept and Push Notification enrolled devices stored in a user's profile.

    • Hide: The field will not show on the page.
    • Show Enabled: The field is shown and revocations can be made, but are not required.
    • Show Disabled: The field is shown, but revocations cannot be made.
  • Push URL

    The Push URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • Push Use WSE 3.0

    Whether SecureAuth IdP utilizes the message-level security (WSE 3.0 / WCF) or the transport-level security (WS 2.0 with SSL) to make a web service call to make a Push Notification request. Select False if using a Proxy.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • Realm Description

    The realm description is for internal use only. Administrators can write notes here to provide instructions or to briefly describe the purpose of the realm.

    This displays in the left-side menu, under the Document Title.

  • Realm Name

    A realm is a distinct authentication workflow. Each realm can be configured uniquely depending on the target (application, self-service page, help desk), the user accessing it, and how they are accessing it (registration methods).

    The realm name is automatically assigned to each new realm, starting with SecureAuth0, which is the Admin Realm, and increasing sequentially with each new realm creation (SecureAuth1, SecureAuth2, etc.).

  • Receive Token

    Used when the company has its own login pages or uses Windows SSO. Select the type of token received from the Begin Site.

    • None: No token will be received, so a Begin Site (below) will be required.
    • Token: SecureAuth IdP expects to receive information, which could be anything; and SecureAuth IdP does not have to send the same information.
    • Clear Text Query String: User ID will be in a Clear Text Query String.
    • XOR / Base64 Query String: User ID will be in an XOR / Base64 Query String. This is a reversible encoding, not encryption or a signature; it only hides the ID from casual view and does not prove that the Begin Site produced it.
    • Send Token Only: SecureAuth IdP only sends a token (Begin Site is not required).
    • Send XOR / Base64 Only: User ID is encoded.
    • Receive Token Only: SecureAuth IdP sends the same token that it received.
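    An added illustration of why an XOR / Base64 query string carries no authentication (generic code, not SecureAuth IdP's actual scheme, whose key and layout the page does not describe). With a repeating XOR key, one observed value together with its known user ID gives back the key stream, and that key stream forges a value for any other user ID.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_user_id(user_id: str, key: bytes) -> str:
    """Hypothetical 'XOR / Base64 Query String' value carrying a user ID."""
    return base64.b64encode(xor_bytes(user_id.encode("utf-8"), key)).decode("ascii")


def decode_user_id(value: str, key: bytes) -> str:
    """What the receiving side does with the value."""
    return xor_bytes(base64.b64decode(value), key).decode("utf-8")


def recover_keystream(known_user_id: str, observed_value: str) -> bytes:
    """Known plaintext: ciphertext XOR plaintext yields the key stream for those bytes."""
    return xor_bytes(base64.b64decode(observed_value), known_user_id.encode("utf-8"))


def forge_value(target_user_id: str, keystream: bytes) -> str:
    """Build a value that decodes to target_user_id using recovered key stream.

    Needs at least as many key stream bytes as the target ID is long (or the full
    repeating key, once the known plaintext was at least one key length).
    """
    target = target_user_id.encode("utf-8")
    if len(keystream) < len(target):
        raise ValueError("not enough recovered key stream to cover the target user ID")
    return base64.b64encode(xor_bytes(target, keystream[:len(target)])).decode("ascii")


if __name__ == "__main__":
    key = b"s3cr3t"                                    # constructed example key
    observed = encode_user_id("jsmith", key)           # value seen in a query string
    keystream = recover_keystream("jsmith", observed)  # attacker knows their own ID
    forged = forge_value("admin", keystream)
    print(observed, forged, decode_user_id(forged, key))
```

    The receiving realm therefore has to treat the decoded ID as a hint that still needs to be validated, which is what the Require Begin Site and token options exist for.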
  • Redirect

    Redirect users to a different page after saving self-services updates.

    • Do Not Redirect: Do not redirect users.
    • Show Redirect Link: Show the redirect URL link for users to click.
    • Redirect Automatically: Redirect users immediately after updates have been saved.
  • Redirect To

    The URL that is populated automatically from the selection made in the Authenticated User Redirect field. If Use Custom Redirect is selected, the field must be set to the location to which users are redirected after authentication.

  • Refresh Token

    The workflow that enables a refresh token to be provided during authorization that can be used to get a new access token.

    • True: Allow the Refresh Token workflow.
    • False: Do not allow the Refresh Token workflow.
  • Refresh Token Lifetime

    The period during which an expired Access Token can be refreshed without requiring a new login. This lifetime should be longer than the Access Token Lifetime value.

  • Remember User Selection

    Enable SecureAuth IdP to automatically enable Private or Public Mode based on the previous selection on that device.

    • True: SecureAuth IdP automatically enables last selection.
    • False: SecureAuth IdP reverts to the default mode determined in the Default Public / Private field selection.
  • Remove Realm

    To remove a realm, click on the realm in the Domain List and click Remove Realm.

  • Renew Persistent Token (after validation)

    Enable SecureAuth IdP to provide a new persistent token after the previous one has been validated.

    • True: Renew Persistent Token after Validation.
    • False: Do not renew Persistent Token after Validation.
  • Replace in Order by (Workflow - Digital Fingerprinting)

    If fingerprint replacement is enabled, then select how the fingerprints are replaced.

    • Created Time: Replace the oldest enrolled fingerprint with the new one.
    • Last Access Time: Replace the least recently used fingerprint with the new one.
  • Replace in Order by (Reg Methods - Mobile Login Requests)

    If Push device replacement is enabled, then select how the enrolled devices are replaced.

    • Created Time: Replace the oldest enrolled device with the new one.
    • Last Access Time: Replace the least recently used enrolled device with the new one.
  • Reports

    Click to review log reports from this realm.

  • Request Blocking Enabled

    Block WS-Trust requests via a blocking engine in the WS-Trust Security Token Services (STS).

    • True: Enable Request Blocking.
    • False: Do not enable Request Blocking.
  • Request Type

    Select which Mobile Login Requests are available for 2-Factor Authentication use in the realm.

    • Disabled: Disable the use of Mobile Login Requests for 2-Factor Authentication.
    • Passcode (OTP): Enable Push Notifications as an available 2-Factor Authentication method.
    • Accept / Deny: Enable Push-to-Accept login requests as an available 2-Factor Authentication method.
    • Passcode (OTP) + Accept / Deny: Enable Push Notifications and Push-to-Accept login requests as available 2-Factor Authentication methods.
  • Require Begin Site

    Whether a Begin Site is required for this realm or not. A begin site is a site on which users land before the SecureAuth IdP login pages.

    • True: Require Begin Site.
    • False: Do not require Begin Site.
  • Require Current Password

    Whether the current password is required to reset a user's password. SecureAuth IdP's self-service password reset enables password reset with 2-Factor Authentication.

    • True: Require current password.
    • False: Do not require current password.
  • Require OATH PIN

    Whether to require a static PIN to unlock the app / extension to generate OATH One-Time Passwords (OTPs).

    • True: Require PIN to access OTP.
    • False: Do not require PIN to access OTP.
  • Require SSL

    Whether the token cookie is only sent over SSL / TLS connections. Leave this True in production; otherwise the token can be sent over plain HTTP and captured on the network.

    • True: Require SSL.
    • False: Do not require SSL.
  • Reset Complete URL (Return to)

    To where users are redirected once they reset their passwords.

  • Reset Password SP

    The Reset Password Stored Procedure (SP) name in the database.

  • Resource Owner

    During the request, the client application sends its own credentials (Client ID and Client Secret) together with the user's username and password, which SecureAuth IdP validates against the directory, to obtain a token directly. The user does not authenticate interactively and no authorization code is exchanged, so the client application handles the user's password. The OAuth 2.0 Security Best Current Practice advises against this grant; enable it only for legacy clients that cannot use a browser-based flow.

    • True: Allow the Resource Owner workflow.
    • False: Do not allow the Resource Owner workflow.
  • Restart Login URL

    A client-side link that takes users back to the first page of the login process of that specific realm.

  • Restriction Type (Workflow - Adaptive Authentication - IP / Country Restriction)

    Select whether the realm restricts login attempts by IP Addresses or Country Codes.

    • IP Restriction: Restrict the realm by IP Addresses.
    • Country Restriction: Restrict the realm by Country Codes.
  • Restriction Type (Workflow - Adaptive Authentication - User / Group Restriction)

    Select whether the realm restricts login attempts by specific users or user groups.

    • User Restriction: Restrict the realm by specific user accounts.
    • Group Restriction: Restrict the realm by user groups.
  • Revocation

    The workflow in which a previously-issued OAuth access token (from SecureAuth IdP) is explicitly revoked.

    • True: Allow the Revocation workflow.
    • False: Do not allow the Revocation workflow.
  • Safari Plugin

    The Safari Plugin version number.

  • Safe

    The name of the Access Control (Safe) where credentials are stored.

  • Same as Above

    Copy and use the data store integration from the Membership Connection Settings section for membership and profile information, or use a different data store from which to pull profile information.

    • True: Copy the membership data store information to pull profile information.
    • False: Do not copy the membership data store, and a different data store integration handles the profile information.
  • SAML Audience (Workflow)

    The base domain of the Identity Provider from which SecureAuth IdP accepts the SAML assertion.

  • SAML Audience (Post Authentication)

    An optional value that is provided by the SP, and is the base domain of the application.

  • SAML Conditions

    Check to enable SecureAuth IdP to evaluate the NotBefore and NotOnOrAfter SAML conditions, so that an incoming SAML assertion is only accepted inside the validity period its issuer declared.

  • SAML Consumer URL

    The URL provided by the SP used to accept a SAML assertion.

  • SAML Data Encryption Method

    The method (algorithm) used to encrypt the SAML Assertion, if True is selected from the Encrypt SAML Assertion field.

  • SAML Issuer

    The unique SAML ID from the third-party Identity Provider.

  • SAML Key Encryption Method

    The method (algorithm) used to encrypt the SAML Key.

  • SAML Offset Minutes

    The number of minutes that SecureAuth IdP subtracts from the NotBefore SAML attribute to account for any time difference between SecureAuth IdP and the SP.

  • SAML Recipient

    Identifies the intended recipient of the SAML assertion; the value is typically the same as the SAML Consumer URL. This is an optional field, but some SPs, such as Salesforce, require it.

  • SAML Response InResponseTo

    Enable SecureAuth IdP to include the InResponseTo attribute in the SAML Response. The SP requests this if it is necessary.

    This applies to SP-initiated instances: InResponseTo echoes the ID of the AuthnRequest the SP sent, so the SP can tie the response it receives to the request it issued and reject unsolicited responses.

    • True: Include SAML Response InResponseTo in Assertion.
    • False: Do not include SAML Response InResponseTo in Assertion.
  • SAML Valid Hours

    The time period during which the SAML assertion is valid. Choose a value from 1 to 48 to specify the NotOnOrAfter SAML attribute.
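    An added example (not SecureAuth IdP's code) that ties together SAML Conditions, SAML Offset Minutes and SAML Valid Hours: it derives NotBefore and NotOnOrAfter from the issue instant as the glossary describes, renders them as the UTC timestamps a Conditions element carries, and applies the receiver-side check, where NotBefore is inclusive and NotOnOrAfter is exclusive as in SAML 2.0 Core section 2.5.1. The 1-48 range check comes from the field description above.

```python
from datetime import datetime, timedelta, timezone


def saml_validity_window(issue_instant: datetime, saml_offset_minutes: int, saml_valid_hours: int):
    """NotBefore / NotOnOrAfter derived from the two Web Admin fields.

    The offset is subtracted from the issue time to absorb clock difference with
    the SP; Valid Hours (1 to 48) sets the expiry.
    """
    if not 1 <= saml_valid_hours <= 48:
        raise ValueError("SAML Valid Hours must be between 1 and 48")
    if saml_offset_minutes < 0:
        raise ValueError("SAML Offset Minutes cannot be negative")
    not_before = issue_instant - timedelta(minutes=saml_offset_minutes)
    not_on_or_after = issue_instant + timedelta(hours=saml_valid_hours)
    return not_before, not_on_or_after


def saml_timestamp(dt: datetime) -> str:
    """xs:dateTime in UTC, the form the Conditions attributes carry."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def conditions_accept(now: datetime, not_before: datetime, not_on_or_after: datetime) -> bool:
    """Receiver-side check: valid from NotBefore (inclusive) up to NotOnOrAfter (exclusive)."""
    return not_before <= now < not_on_or_after


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed issue instant
    nb, noa = saml_validity_window(issued, saml_offset_minutes=5, saml_valid_hours=1)
    print(saml_timestamp(nb), saml_timestamp(noa))                 # 11:55:00Z 13:00:00Z
    print(conditions_accept(issued - timedelta(minutes=3), nb, noa))  # True: inside the offset
```

    Every extra hour of Valid Hours extends how long a captured assertion can be replayed, so keep it at the minimum the SP tolerates and rely on the offset, not on a long validity, to absorb clock skew.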

  • SAN

    The Subject Alternative Name properties, which can be Default or customized.

    • Default: Use default settings.
    • Custom: Customize SAN properties in certificate.
  • Save to All Realms

    Save the logging information from this realm to all existing realms on the appliance.

  • SCEP / NDES URL

    The exposed URL for accepting SCEP requests by SCEP / NDES server.

  • SCEP Web Service URL

    The local web service URL to accept SCEP requests, which typically will not need to change.

  • Scope (Post Authentication - OpenID Connect / OAuth 2.0 Scopes)

    The name that is passed to the client. The client requests this URL-safe value from SecureAuth IdP (the authorization server).

  • Scope (Post Authentication - OpenID Connect / OAuth 2.0 Client Scope Restrictions)

    The name of the scope, which is what the client application requires to access in the user profile. A user will need to consent to the client accessing their user profile data before proceeding.

  • Search Attribute

    The ID that SecureAuth IdP uses to search the directory for the user.

  • Search Filter

    The LDAP filter that tells SecureAuth IdP which directory attribute holds the username. Click Generate Search Filter to auto-populate it. At login, %v is replaced by the ID the user supplies, so the filter is built from untrusted input.
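    An added example, not SecureAuth IdP's implementation, of what substituting a user-supplied value into a filter involves. The page does not say how the appliance treats %v, so this shows both the naive substitution and one that escapes the RFC 4515 special characters, which is what any such substitution needs: without escaping, a submitted ID of a single asterisk turns (sAMAccountName=%v) into a filter that matches every account.

```python
# RFC 4515 section 3: these characters must be escaped inside an assertion value as \XX.
_LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_filter: str, submitted_user_id: str, escape: bool = True) -> str:
    """Substitute %v with what the user typed on the login page.

    escape=False reproduces the naive substitution, kept here only to show the
    effect of wildcard and parenthesis characters in the submitted ID.
    """
    value = escape_ldap_filter_value(submitted_user_id) if escape else submitted_user_id
    return search_filter.replace("%v", value)


if __name__ == "__main__":
    template = "(&(sAMAccountName=%v)(objectClass=user))"   # constructed example filter
    for submitted in ["jsmith", "*", "x)(objectClass=*"]:
        print(build_search_filter(template, submitted, escape=False))
        print(build_search_filter(template, submitted))
```

    The escaped form keeps the user's input inside the single equality assertion it was meant for, so the lookup returns either the one matching account or nothing.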

  • SecureAuth Version

    The version of the SecureAuth IdP appliance.

  • Select CSS File to Load and Edit the Theme

    The SecureAuth IdP appliance includes multiple themes, which dictate how the client-side web pages appear. The 2016 Light Theme is selected by default.

  • Select Extended Attribute

    The drop-down includes the current Extended Attributes that were created using the Add Extended SAML Attribute button. Select the created Extended Attribute from the list and provide the remaining information.

  • Select Language File

    Select the default language file that will be used for the target resource.

  • Send Email

    Send a generic email to the user after successful updates have been completed.

    • Do Not Send: Do not send an email.
    • Send to Email 1 - Email 4: Send an email to the email address mapped to the Email 1 - Email 4 Property.
  • Sender Address

    The sender's email address that displays in the From field. For example, do-not-reply@company.com.

  • Sender Name

    The alias name for the email address that displays in the From field. For example, SecureAuth Support.

  • Server Address

    The address of the SMTP server through which SecureAuth IdP emails (OTPs for 2-Factor Authentication, account update, password reset, etc.) are sent. This field is required.

  • Service Account (Data - Membership Connection Settings - LDAP)

    An LDAP account that has read or write access to user accounts that SecureAuth IdP will authenticate.

    • @: Typically the name of the Domain (above), but can be different.
  • Service Cert Serial Nbr

    The certificate serial number of the hosted facility used to facilitate the WSE 3.0 / WCF web service.

    • Select Certificate: Select the certificate from the appliance's certificate store.
  • Service Email

    The EMAIL ADDRESS value from the Google Apps Service Account, e.g. XXXX@developer.gserviceaccount.com.

  • Session State Name

    The name of the session state. SecureAuth IdP assigns a default value, which can be customized to make the session state behave in a particular way.

  • Set Shared Secret (1 - 223)

    Set the Shared Secret that SecureAuth IdP sends.

  • Set Velocity Limit

    Set the maximum speed, in miles per hour, at which users may have traveled between authentications. This speed is calculated from the distance between the initial and subsequent IP Address locations and the recorded times at which the authentications occurred.

  • Shared Secret

    The Shared Secret (password) that is provided by the SP. This must match the value configured at the SP for the communication to be successful.

  • Show Exception on Page

    Display a page listing the reasons why a user's password fails validation checking.

    • True: Show why the password change fails.
    • False: Do not show why the password change fails.
  • Show OTP on Enrollment Page

    Display the one-time passcode (OTP) on the page after a user has successfully provisioned their account for Time-based Passcodes. This is especially useful for Browser Time-based Passcode usage to enable immediate access to the OTP to authenticate into another realm.

    • True: Show OTP on page.
    • False: Do not show OTP on page.
  • Show Password Complexity Rules

    Display the configured password complexity requirements on the password reset page.

    • True: Display all configured password complexity field rules on page.
    • False: Do not show any password complexity rules.
  • Show PIN Screen after

    The number of seconds allowed for the application to remain idle before requiring the PIN to unlock the application.

    • 30 - 300 (seconds): Choose between 30 and 300 seconds.
  • Show Third-party App Support

    Display the necessary information to provision a third-party app that generates Time-based Passcodes (Google Authenticator).

    • Yes: Display the information.
    • No: Do not display the information.
  • Show UserID Textbox

    For Certificate Enrollment Only and Cisco ASA integrations, elect whether to show the User ID Textbox for users to provide their user ID if Cisco ASA does not send the user ID to SecureAuth IdP.

    • True: Show User ID Textbox to enable users to provide their user ID if not sent by Cisco ASA.
    • False: Do not show the User ID Textbox.
  • Show When Empty

    Elect to show the one-time use PIN option on the 2-Factor Authentication login screen, even though it is not available.

    • True: Show the one-time PIN as a 2-Factor Authentication option after initial use.
    • False: Do not show the one-time PIN as a 2-Factor Authentication option after initial use.
  • Sign SAML Assertion

    Enable SecureAuth IdP to sign the SAML Assertion that is sent to the SP. This is a "stamp of approval" from SecureAuth IdP in the form of a certificate stating that the user is trusted; the SP informs the administrator whether the assertion needs to be signed or not.

    • True: Sign SAML Assertion.
    • False: Do not sign SAML Assertion.
  • Sign SAML Message

    Enable SecureAuth IdP to sign the SAML Message, which is the entire message including the SAML assertion that is sent to the SP. This is a "stamp of approval" from SecureAuth IdP in the form of a certificate stating that the user is trusted; the SP informs the administrator whether signing is required or not.

    • True: Sign SAML Message.
    • False: Do not sign SAML Message.
  • Signing Algorithm

    The signing algorithm used for signing JSON web tokens.

    • RSA SHA256: Use the X.509 certificate selected as the Signing Cert.
    • HMAC SHA256: Use the client secret for signing.
  • Signing Cert

    The certificate used for signing the JSON Web Token (JWT) (the private key). The public key will then need to be exported and provided to the client application.

    • Select Certificate: Select the certificate from the appliance's certificate store.
  • Signing Cert Serial Number

    The certificate used to sign the SAML Assertion.

    • Select Certificate: Click to select the certificate that contains the Signing Cert Serial Number. A list of the certificates stored in the SecureAuth IdP environment is provided, from which to choose the appropriate certificate.
  • Single App Redirect

    If only one native mobile application integration is present in a single realm, then provide the custom URL scheme to ensure that users will always be redirected from SecureAuth IdP to the application, e.g. app1:/.

  • Skip IP Match

    Elect to skip matching the IP Address of the device to the IP Address recorded in the fingerprint (FP) ID in the user's data store profile.

  • Skip UserID View

    Whether to skip the UserID view (user ID textbox / page). Skipping is usually selected for VPN enrollments, because the UserID is received from the VPN.

    • True: Skip the UserID View.
    • False: Do not skip the UserID View.
  • Sliding Expiration

    Enable the token to be valid as long as the user is interacting with the page.

    • True: The cookie does not expire as long as there is user interaction.
    • False: The cookie expires once it surpasses the Timeout (set in the Timeout field in the same section).
  • SMS URL

    The SMS URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • SMS Use WSE 3.0

    Whether SecureAuth IdP uses message-level security (WSE 3.0 / WCF) or transport-level security (WS 2.0 with SSL) for the web service call that requests an OTP text message. Select False if using a Proxy.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • Source

    Select from which directory integration SecureAuth IdP can pull the profile information for authentication and assertion purposes.

    • Default Provider: The data store selected as the Default Profile Provider in the Profile Provider Settings section.
    • Directory Server: The directory server (AD, LDAP, Tivoli, Lotus Domino, etc.) data store configured as an additional profile provider in the Profile Connection Settings section.
    • SQL Server: The SQL Server data store configured as an additional profile provider in the Profile Connection Settings section.
    • ODBC: The ODBC data store configured as an additional profile provider in the Profile Connection Settings section.
    • ASPNETDB: The ASP.NET data store configured as an additional profile provider in the Profile Connection Settings section.
    • Web Service: The Web Service (Multi-data Store) configured as an additional profile provider in the Profile Connection Settings section.
    • Oracle: The Oracle data store configured as an additional profile provider in the Profile Connection Settings section.
    • Azure AD: The Azure AD data store configured as an additional profile provider in the Profile Connection Settings section.
  • SP Start URL

    The Service Provider's (SP) Start URL, where users log into the application. For SP-initiated Post Authentication integrations, this tells SecureAuth IdP to redirect users to the SP Start URL when landing on the SecureAuth IdP realm first in order to initiate the login process. This also assists SecureAuth IdP in accurately redirecting users for SSO.

  • Spec Format

    The type of format used for RFC3164.

    • None Specified: Use normal RFC3164 formatting (typical).
    • LEEF: Use for IBM Security QRadar SIEM only.
    • CEF: Use for HP ArcSight SIEM only.
  • SSL

    Secure Sockets Layer (SSL), which acts as an encrypted tunnel through which emails are sent.

    • True: Use Secure Socket Layer to send emails.
    • False: Do not use Secure Socket Layer to send emails.
  • SSL Termination Cert

    Used when SecureAuth IdP is not the SSL termination point. For bilateral authentication, a certificate is required here as the trusted SSL Certificate.

  • SSL Termination Point

    The Fully Qualified Domain Name (FQDN) of where the SSL cert is terminated. This communicates to SecureAuth IdP where the certificate has been terminated, enabling IdP to validate the information.

  • Static OP Server URL

    The URL for the OpenID Provider.

  • Static Post Data

    The Form Post information created using the Create Static Post option.

    • Remove: Select an item in the Static Post Data field, and click Remove to delete.
  • Store Facebook ID at

    The Property in which SecureAuth IdP stores the user's Facebook ID for 2-Factor Authentication.

    • Aux ID 1 - Aux ID 10: Choose between the Auxiliary IDs 1 - 10.
  • Store Google ID at

    The Property in which SecureAuth IdP stores the user's Google ID for 2-Factor Authentication.

    • Aux ID 1 - Aux ID 10: Choose between the Auxiliary IDs 1 - 10.
  • Store LinkedIn ID at

    The Property in which SecureAuth IdP stores the user's LinkedIn ID for 2-Factor Authentication.

    • Aux ID 1 - Aux ID 10: Choose between the Auxiliary IDs 1 - 10.
  • Store Windows Live ID at

    The Property in which SecureAuth IdP stores the user's Windows Live ID for 2-Factor Authentication.

    • Aux ID 1 - Aux ID 10: Choose between the Auxiliary IDs 1 - 10.
  • Subject

    The subject text of the emails sent by SecureAuth IdP. For example, SecureAuth One-time Registration Code.

    • Show passcode in subject line: Display the one-time passcode in the Subject line and in the message body for quick reference.
  • SubjectConfirmationData Not Before

    Enable SecureAuth IdP to include the SubjectConfirmationData Not Before in the SAML Assertion. The SP requests this if it is necessary.

    This communicates that the SubjectConfirmationData will not be valid before the timestamp.

    • True: Include the SubjectConfirmationData Not Before value in the Assertion.
    • False: Do not include the SubjectConfirmationData Not Before value in the Assertion.
  • Submit Form Post Page

    Click View and Configure Submit Form Post Page to customize the form post options.

  • Supported Languages

    Select which languages the SecureAuth IdP appliance supports. SecureAuth IdP alters the language selection based on the user's browser settings.

  • Symantec VIP Field

    Enable the client-side use of Symantec VIP for 2-Factor Authentication.

    • Enabled: Enable the use of Symantec VIP for 2-Factor Authentication.
    • Disabled: Do not enable the use of Symantec VIP for 2-Factor Authentication.
  • Symantec VIP Integration

    Permit the use of Symantec VIP tokens for 2-Factor Authentication.

    • Enabled: Allow the use of Symantec VIP for 2-Factor Authentication.
    • Disabled: Do not allow the use of Symantec VIP for 2-Factor Authentication.
  • Symbols (!, @, #, $, %, &, *, etc.)

    The minimum number of symbols required in each password (may not be required depending on the value set for the Must contain how many of the following field).

  • Sync Password

    Conduct a one-way synchronization of the user's AD password to Google.

    • Enabled: Sync password to Google.
    • Disabled: Do not sync password to Google.
  • Sync Password Every Time

    Synchronize the passwords every time from Google Apps to iOS devices. If set to True, then only one device can be used at a time.

    • True: Synchronize passwords every time to enable use of one iOS device at a time.
    • False: Do not synchronize passwords every time to enable the use of multiple iOS devices at a time.
  • Syslog Port

    The port on which the Syslog Server listens.

  • Syslog RFC Spec

    The Syslog RFC specification to use.

    • (none): None specified.
    • RFC3164: Use RFC3164.
    • RFC5424: Use RFC5424.
  • Syslog Server

    The IP Address or the Fully Qualified Domain Name (FQDN) of the Syslog Server.

  • System Components

    The system components that factor into the fingerprint. Set the weight values for each System Component and for the HTTP Headers components to equal a total of 100%.

    • Weight for plugin list: The list of plugins on the user's browser.
    • Weight for flash font: The fonts inside of a flash application.
    • Hostaddress/IP: The Host address or IP address.
    • Require exact match: Elect to require an exact match of the address. If enabled, then the user will have to perform a different 2-Factor Authentication without an exact match, even if the Authentication Threshold percentage is met.
    • Timezone: The time zone of the user's browser.
    • Screen Resolution: The screen resolution of the device / browser.
    • HTML5 localstorage: The HTML5 local storage.
    • HTML5 sessionstorage: The HTML5 session storage.
    • IE userdata support: The Internet Explorer (IE) user data support.
    • Cookie enabled/disabled: Based on the user's settings, whether cookies are enabled or disabled.
  • Telephony URL

    The Telephony URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • Telephony Use WSE 3.0

    Whether SecureAuth IdP uses message-level security (WSE 3.0 / WCF) or transport-level security (WS 2.0 with SSL) for the web service call that places an OTP telephony call. Select False if using a Proxy.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • Template

    Select the template to use for SecureAuth IdP emails. OTPEmailTemplate is the default.

  • Tenant Domain

    The Domain Name of the Azure Directory.

  • Test

    Click to test that the web services communication is working and that certificates are valid.

  • Test Connection (Data)

    Click to test that the directory integration was successful.

  • Test Connection (Logs - Log Database)

    Click to verify the connection and to ensure successful integration.

  • Theme

    The SecureAuth IdP appliance includes multiple themes, which dictate how the client-side webpages will appear. The 2016 Light Theme is selected by default.

  • Time Zone Attribute

    To enable the client application to access the user's time zone, select the SecureAuth IdP Property that is mapped to the directory field containing the information.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user’s work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Time-based Passcodes

    Enable or disable the use of Time-based Passcodes (OATH OTPs) for 2-Factor Authentication.

    • Enabled: Enable the Time-based Passcode mechanism for 2-Factor Authentication.
    • Disabled: Disable the Time-based Passcode mechanism for 2-Factor Authentication.
  • Timeout

    The number of minutes during which a cookie is valid.

  • Token Data Type (Receive)

    Tell SecureAuth IdP where the user ID is in the received token.

    • Name: The user ID will be in the Name Field.
    • User Data: The user ID will be in the User Data section.
  • Token Data Type (Send)

    Tell the SP where the user ID is in the sent token.

    • User ID: The user's username.
    • Password: The user's password.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
    • Token Settings: Customize the token settings for the realm.
  • Token Missing Redirect

    Where users are redirected if their token is missing, e.g. an enrollment / provisioning realm. This is used for Near Field Communications (NFC).

  • Token Name

    A name for the token that is shared with the application, e.g. UserID.

  • Total FP Max Count

    The maximum number of fingerprint (FP) IDs that can be stored in a user's profile at the same time. Set to -1 for no maximum count.

  • Transport Method

    How the encrypted user information is sent to the SP.

    • Query String: Send it as a Query String.
    • Cookie: Send it as a Cookie.
    • Header: Send it as a form post (dynamically posted as the user types on the page).
  • Transport Name

    The name of the value that is used to send the user information.

  • Trx Log Disable Code

    The code provided by SecureAuth support to temporarily disable the Transaction web service calls.

  • Trx Log Mode Code

    The code that is automatically assigned to the appliance during the build process; it indicates whether the appliance is intended for the Transaction logging model or the User-based model.

  • Trx Log Service URL

    The Transaction Log URL that is auto-populated if using WSE 3.0, but must be set if using WS 2.0 with SSL.

  • Trx Use WSE 3.0

    Whether SecureAuth IdP uses message-level security (WSE 3.0 / WCF) or transport-level security (WS 2.0 with SSL) for the web service call that tracks transactions. Select False if using a Proxy.

    • True: Use WSE 3.0 / WCF.
    • False: Use WS 2.0 with SSL.
  • Type

    Select the company's enterprise data store from the options in the dropdown.

    • Active Directory (sAMAccountName): Active Directory (AD) is a Microsoft directory service that was developed for Windows domain networks. This uses the sAMAccountName attribute for the logon name.
    • Active Directory (UPN): Active Directory (AD) is a Microsoft directory service that was developed for Windows domain networks. This uses the userPrincipalName (UPN) attribute, which is an internet-style logon name.
    • Lightweight Directory Services (AD-LDS): Active Directory Lightweight Directory Services (AD LDS) is a Microsoft directory service that is designed for use with directory-enabled applications.
    • Lotus Domino: Lotus Domino (IBM Domino) hosts social business applications.
    • Novell eDirectory: Novell eDirectory (NetIQ Directory) is an X.500 compatible directory service.
    • Sun ONE: Sun Open Net Environment (Sun ONE, also known as Sun Java System Directory Server) is the Sun Microsystems' LDAP directory server.
    • Tivoli Directory: Tivoli Directory (IBM Security Directory Server) is IBM's implementation of the Lightweight Directory Access Protocol (LDAP).
    • OpenLDAP: OpenLDAP is an open source implementation of the Lightweight Directory Access Protocol (LDAP).
    • Other LDAP: Other Lightweight Directory Access Protocol (LDAP) implementations.
    • SQL Server: A SQL Server is a database server that utilizes the Structured Query Language (SQL).
    • Custom: The administrator can customize the configuration if the company's directory is not listed in the dropdown (requires SecureAuth assistance).
    • ODBC: Open Database Connectivity (ODBC) is a standard middleware API used to access database management systems.
    • ASPNETDB: ASPNETDB is the default database when using ASP.NET Application Servers.
    • Web Service (Multi-Data Store): The SecureAuth Web Service that is used to search multiple data stores to find a user profile. Using this data store enables one workflow that utilizes multiple data stores to pull authentication information.
    • Oracle Database: Oracle's object-relational database management system.
    • Microsoft Azure AD: Microsoft's multi-tenant, cloud-based directory and identity management service.
    • Web Admin: For SecureAuth0 (Admin Realm) only (username and password external access).
    • No Data Store: Allows access to each user.
  • Unlock User

    Enable administrators to unlock locked user accounts from the Help Desk page.

    • Show: Enable administrators to unlock user accounts.
    • Hide: Do not enable administrators to unlock user accounts.
  • Unlock User Account

    Whether a user's account is unlocked upon password reset, or administrative action.

    • Automatically: Unlock user account when password is reset.
    • Do Not Unlock: Resetting the password will not unlock the account, and administrative action is required.
    • Show Button: Provide the option for users to unlock their accounts after password reset.
  • Unlock User SP

    The Unlock User Stored Procedure (SP) name in the database.

  • Upload a Page

    Upload a page to change the look and feel of the target action of the realm.

    • Download Customized Pages: Select a customized page that comes out-of-the-box with SecureAuth IdP. These can be used for specific realms.
  • Update Profile SP

    The Update Profile Stored Procedure (SP) name in the database.

  • Update Threshold

    The percentage match that the user's fingerprint (FP) ID must exceed to be merged with the existing FP ID.

    If the user's FP ID is lower than the Authentication Threshold, but higher than the Update Threshold, then SecureAuth IdP will merge the new FP ID with the previous one after a successful 2-Factor Authentication via another method. If the FP ID is lower than the Update Threshold, SecureAuth IdP will create an entirely new FP ID to store in the user's profile to use for subsequent authentications.

    This is typically set between 80% and 90%, and must be lower than the Authentication Threshold.

  • Update User SP

    The Update User Stored Procedure (SP) name in the database.

  • Upload New 2.0 Template

    Click Browse to upload a new 2.0 mobile template to use in provisioning realms.

  • Upload New 3.0+ Template

    Click Browse to upload a new 3.0+ mobile template to use in provisioning realms.

  • UPN Mapping

    The SecureAuth IdP Property that contains the userPrincipalName (UPN).

    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
  • URI

    The URI of the whitelisted page to which the client can be redirected to capture the SecureAuth IdP response.

  • URL (Post Authentication - URL Redirect)

    Where users are redirected once the Post Authentication processing is complete.

  • URL (Post Authentication - Post Data)

    The URL to which the Post Data is sent.

  • Use CyberArk Vault for Credentials

    Check to enable CyberArk Vault to provide the password of the directory service account to SecureAuth IdP rather than providing the service account username and password in the Web Admin.

  • Use Proxy Server

    Enable the use of a Proxy Server, which routes communication in this realm through a web proxy.

    • True: Enable Proxy Server.
    • False: Do not enable Proxy Server.
  • Use SCEP

    Enable SecureAuth IdP to use an existing Certificate Authority (CA) to issue certificates via SCEP. By default, it is set to false as SecureAuth IdP employs its own, hosted CA to issue the certificates.

    • True: Enable existing CA to issue certificates via SCEP.
    • False: Enable SecureAuth IdP’s hosted CA to issue certificates.
  • User Agent Rule

    Create a list of allowed user agents or denied user agents (devices, browsers, etc.).

    • Allow: Only the user agents listed in the User Agents field are allowed.
    • Deny: The user agents listed in the User Agents field are denied.
  • User Agents

    A list of the allowed or denied user agents that is based on the User Agent Rule selected.

  • User and Group Association

    Check to enable the tool that associates existing users and groups within the LDAP data store using SecureAuth's IdM API.

  • User Group Check Type

    Create a list of allowed or denied user groups.

    • Allow Access: Only the user groups listed are allowed access.
    • Deny Access: The user groups listed are denied access.
  • User Groups

    A list of the allowed groups or denied groups based on the selection made from the User Group Check Type dropdown.

    • Include Nested Groups: Enable SecureAuth IdP to look within main groups to find subgroups (nested groups) for easier configuration.

      For example, main group A includes nested groups 1, 2, and 3. Rather than enabling or disabling access to groups 1, 2, and 3 separately, the administrator can allow or deny the three groups by checking the box and enabling or disabling access to group A.

  • User ID (Data - SQL / ODBC / ASPNETDB)

    The user ID of the account that has read and/or write access to the SQL / ODBC / ASPNETDB database.

  • User ID (Logs - Log Database)

    The User ID to access the database logs.

  • User ID Mapping

    The user ID that is asserted to the target resource.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user's last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com.

      These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.

    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
    • Transformation Engine: Click to configure on-the-fly attribute modifications / additions that will be asserted to the Service Provider (SP).
  • User Impersonation

    Enable the SecureAuth IdP realm to run under a user or under a service name when using Integrated Windows Authentication (Kerberos).

    • True: Run realm under username.
    • False: Run realm under service name.
  • User List

    The comma-separated list of user accounts that are either allowed or denied, based on the selection made from the dropdown.

    • Allow: Only the list of user accounts provided can access the realm.
    • Deny: The list of user accounts provided cannot access the realm.
  • User Management

    Check to enable the tool that adds new user profiles, and retrieves and updates existing user profiles using SecureAuth's IdM API.

  • User Self-service Password Change

    Check to enable the tool that lets the end user replace the current password with a new one using SecureAuth's IdM API.

  • UserID Check

    For Cisco ASA integrations, whether to check for a "Cisco-specific" user ID.

    • True: Check for User ID.
    • False: Do not check for User ID.
  • Username (Overview - SMTP)

    The username of the SMTP account that has the rights to send emails.

  • Username (Data - CyberArk Credentials)

    The username (service account) of the directory to be scanned by AIM to access the password information.

  • Username (Data - Web Service Multi-Data Store)

    The username provided by SecureAuth IdP for the Web Service Data Store. It is strongly recommended to change this from the default username.

    To change the username, alter it here and in the FBA WebService Username field in the Workflow tab, under FBA Web Services. The two usernames must match.

  • Username (Data - Azure AD)

    The username of the Azure AD administrator service account.

  • Username (Data - WebAdmin)

    The username used to access the SecureAuth IdP Web Admin (SecureAuth0) remotely.

  • Username (Data - Profile Connection Settings - REST API)

    The username of the User Risk integration service account that is enabled to retrieve user profile information.

  • Username Delivery Option

    How the username is delivered to the user in a Forgot Username realm.

    • Display on Page: After a successful authentication, the username will display on the page.
    • Send in Email: The username is sent to the email address associated with the user.
  • Username Textbox

    Select to change / unlock only the user's personal password / account, or to provide a username textbox in which a username can be entered. The user's profile can then be modified as allowed in the realm configuration.

    • Enabled - change other passwords: Enable personal and non-personal password change / account unlock.
    • Disabled - change own password: Enable only personal password change / account unlock.
  • Using iOS Provisioning with Google Apps

    Whether the iOS password provisioning with Google Apps (synchronization of password changes from Google Apps to iOS devices) is being used. This setting is configured in the Post Authentication tab.

    • True: Enable iOS Provisioning with Google Apps.
    • False: Do not enable iOS Provisioning with Google Apps.
  • Validate / Get Password SP

    The Validate Password or Get Password Stored Procedure (SP) name in the database (depending on which SP is being used).

  • Validate Password Complexity

    Enable SecureAuth IdP to check the complexity of the password based on the directory password requirements. Configure the settings in the Password Complexity section to display the requirements on the page.

    • True: Validate password complexity.
    • False: Do not validate password complexity.
  • Validate Persistent Token

    Check whether the persistent token (Java, UBC, cookie, certificate, etc.) is still valid.

    • True: Check that token is valid.
    • False: Do not check that token is valid.
  • Validate User Type

    How SecureAuth IdP validates the user from the directory information.

    • Search: SecureAuth IdP uses the search function to check if username and password are correct (slower search).
    • Bind: SecureAuth IdP makes a direct call to the directory to check if the username and password are correct (faster search).
  • Validate Yubikey

    Enable or disable the use of Yubikeys for 2-Factor Authentication.

    • True: Enable Yubikey validation for 2-Factor Authentication.
    • False: Do not enable Yubikey validation for 2-Factor Authentication.
  • Validation

    How to encrypt the cookie. The web configuration file specifies which format to use.

  • Validation Key

    The Validation Key is stored in the web configuration file and must match the validation key on the client application for SSO.

  • Validation Mode

    What is being sent in a form post to be validated.

    • No User Validation: No user information is posted.
    • Validate User ID: The User ID is posted.
    • Validate User ID + Shared Secret: The User ID and Shared Secret are posted.
    • Validate User ID + Password: The User ID and Password are posted.
    • Validate User ID + Password + Shared Secret: The User ID, Password, and Shared Secret are posted.
  • Validation Realm

    Redirect users to a different realm if SecureAuth IdP detects that they are using an iPhone or iPad.

    • Select Realm: Select the SecureAuth IdP realm specifically configured for iPhone or iPads.
  • Validation Type

    The type of restriction placed on the native mobile application that uses the current Custom URL Scheme. Applicable only to multi-app and multi-app-group check integrations.

    • Allow All: All user groups are allowed access.
    • Allow: Only the user groups defined in the Group Name(s) field are allowed access.
    • Deny: The user groups defined in the Group Name(s) field are denied access.
  • Value

    The SecureAuth IdP Property that includes the attribute required. The options are values from the Data tab, which point to fields in the directory. This information is provided by the SP as it expects the attribute to be delivered a certain way.

    • Authenticated User ID: The asserted identity determined by the searchFilter value in the Data tab of the Web Admin.
    • First Name: The user's first name, e.g. givenName in Active Directory.
    • Last Name: The user’s last name, e.g. sn in Active Directory.
    • Phone 1: Typically the user's work number.
    • Phone 2: Typically the user's mobile number.
    • Phone 3 - Phone 4: Additional telephone options available to use.
    • Email 1: Typically the corporate email address.
    • Email 2 - Email 4: Additional email options available to use.
    • Aux ID 1 - Aux ID 10: The Auxiliary fields can be filled in with any information that a company would like to send to the target resource.
    • Global Aux ID 1 - Global Aux ID 5: Global attributes that apply to all users, set in the Data tab.
    • Email 1 (User Name Only) - Email 4 (User Name Only): Displays the email address username, but without the domain, e.g. jsmith instead of jsmith@company.com. These correspond to the values of Email 1 - Email 4 in the Profile Fields section of the Data tab.
    • GroupList: The groups to which a user belongs, e.g. memberOf in Active Directory.
    • Full Group DN List: The full groups list with Distinguished Names (DNs) to which a user belongs.
    • Custom Token Value: The custom token configured in the Custom Token Fields in the Custom Front End section (Workflow tab), which appear after selecting this option.
  • Version Number

    The version number of the token, provided by the SP.

  • Warning Period (Days)

    The number of days before expiration that a user is notified.

  • Web / Mobile Transfer Site

    Redirect users to different realms if SecureAuth IdP detects a mobile or a web browser.

    • Select Realm: Select the SecureAuth IdP realm configured specifically for mobile browsers, to which users are redirected when using mobile devices.
  • Web Config Backups

    Select Click to view Web Config Backups to access the web.config file backups, which can be used to review changes made in the realms and to revert to older versions of the configuration.

  • Web Config Editor

    Select Click to edit Web Config file to edit the source code of the realm directly.

  • When Exceeding Max Count (Workflow - Digital Fingerprinting)

    The action taken when a user surpasses the fingerprint (FP) limit set in the Total FP Max Count field.

    • Not Allowed to Replace: A user cannot replace the fingerprint.
    • Allowed to Replace: A user can replace the fingerprint.
  • When Exceeding Max Count (Reg Methods - Mobile Login Requests)

    The action taken when a user surpasses the Push device limit set in the Device Max Count field.

    • Not Allowed to Replace: A user cannot replace the enrolled device.
    • Allowed to Replace: A user can replace the enrolled device.
  • Windows Authentication

    Enable users to bypass the login page by authenticating with Windows, which supplies a Kerberos ticket in place of the username and password (Windows Desktop SSO).

    • True: Enable Windows Authentication.
    • False: Do not enable Windows Authentication.
  • Windows FF2

    The Windows Firefox 2 version number.

  • Windows FF3

    The Windows Firefox 3 version number.

  • Windows FF4

    The Windows Firefox 4 version number.

  • Windows FF5

    The Windows Firefox 5 version number.

  • Wipe OATH Seed

    Remove the stored OATH Seed from the user's profile upon enrolling for a new OATH Token. This option is especially useful for companies transitioning from OATH Seed use to OATH Token as they can choose to keep the provisioned OATH Seed, or start fresh.

    • True: Remove OATH Seed from user's profile.
    • False: Do not remove OATH Seed from user's profile.
  • Wipe Provisioned Data after

    Lock the OTP application after 1-10 failed PIN attempts. If provisioned data is wiped, then the user needs to re-provision that device / browser for OATH tokens / Time-based Passcodes.

    • 1 - 10: Choose from 1 to 10 failed attempts before wiping the data.
  • Workflow Options

    Enter the realm names (SecureAuth1, SecureAuth2, etc.) that have distinct workflow options.

    • Create with Mobile Realm: Create an additional mobile-friendly realm.
    • Create without Mobile Realm: Do not create an additional mobile-friendly realm.
  • Writable

    If this is checked, then changes can be made in the directory through SecureAuth IdP. A service account with write access is required.

    For example, any directory field that an enabled self-service modification updates must be checked "writable"; otherwise the user cannot make the appropriate changes on the self-service page(s), and the directory is not updated with the latest information.

  • WS-Fed Signing Algorithm

    The algorithm used for the assertion signature.

    • SHA 1: Use 128 bytes in the signature, which is typically used for Office 365, Outlook Web Access, and others.
    • SHA 2: Use 256 bytes in the signature, which is typically used for modern, custom applications that support WS-Federation and SHA 2 signing algorithm.
  • WS-Fed Version

    The WS-Federation version asserted in post-authentication.

    • 1.2: Version 1.2, which is typically used for Office 365, Outlook Web Access, and others.
    • 1.3: Version 1.3, which is typically used for modern, custom apps that support WS-Federation.
  • WS-Trust Endpoints

    Click View and Configure WS-Trust endpoints to configure the endpoints used in a WS-Trust integration (e.g. Outlook).

  • WSFed / SAML Issuer

    The SAML ID of the Identity Provider (IdP). This can be any value as long as it's consistent on both sides, as the Issuer must match on the IdP and SP side exactly.

  • WSFed Reply To / SAML Target URL

    The absolute URL of the target resource. The user is redirected to this URL after authentication.

  • YubiKey Provision Page

    The page where users can provision their YubiKey devices. This should direct users to the YubiKey Provisioning realm, which is configured in the Post Authentication tab.