Introduction

The System Info tab provides details about SecureAuth IdP's connection to cloud services, certificate authorities, and proxies. This tab does not need to be configured unless a proxy is integrated with SecureAuth IdP, SCEP is used in the environment, or specific preferences require edits to be made.

 


What's new in SecureAuth IdP version 9.3

The "Click to edit Web Config file." link is removed from the Links section for greater security on the SecureAuth IdP appliance. To edit the web.config file, go to D:\SecureAuth\SecureAuth1 on the appliance.


Prerequisites

On the New Experience user interface in version 9.3, you can configure an Active Directory integration or SQL Server integration to be applied to applications made from App onboarding library templates. Configure the remaining components – for example, Workflow, Multi-Factor Methods, and Adaptive Authentication tabs – on the Classic Experience user interface.

For a proxy server to be integrated with SecureAuth IdP

  • A proxy server is established and running.

For SCEP

  • The Issuing CA (Certificate Authority) is running on Windows 2008 R2 Enterprise Edition (or later) to enable SCEP / NDES functionality.
  • The Certification Authority's (root and intermediates) certificate distribution point is available to all clients (internal and / or external) to allow access to the AIA and CDP files (CRT and CRL files).
  • The SCEP / NDES (Network Device Enrollment Service) service is already installed and functional.
  • The SCEP / NDES Listener URL is obtained.


SecureAuth IdP Web Admin - Classic Experience

System Info tab

Steps 1 - 3: Review / configure System Info and Plugin Info sections 

1. In the System Info section, the SecureAuth Version number is provided for reference.

2. If necessary, click Decrypt to view the web.config file in its entirety.

3. Plugin information is provided for reference, and no configuration is necessary unless a specific version is required (not typical).

Steps 4 - 6: Complete WSE 3.0 / WCF Configuration section

 If a proxy server is not used...

4. For SecureAuth IdP to not use the message encryption endpoint to make a web service call to issue a certificate, select False from these dropdowns and retain the URLs for SecureAuth IdP (recommended):

  • Certificate Use WSE 3.0
  • Telephony Use WSE 3.0
  • SMS Use WSE 3.0
  • Push Use WSE 3.0
  • Geo-Location Use WSE 3.0
  • SecureAuth Threat Service Use WSE 3.0

To use message-level security (WSE 3.0 / WCF) to make a web service call to issue a certificate (default), select True from the dropdowns and modify the URLs to end in /msg.

5. Select False from the Trx Use WSE 3.0 dropdown for SecureAuth IdP to not use the message encryption endpoint to make a web service call to issue a certificate (default). In this scenario, transport encryption via TLS is used instead of WSE 3.0.

To use the WSE 3.0 message encryption endpoint to make a web service call to issue a certificate, select True and modify the URL to end in /msg.

6. Click Test to ensure the connection is working properly.

Configure / update these URLs as necessary if using any of these features on this realm:

| URL | SecureAuth IdP Feature |
|---|---|
| Link-to-Accept URL | SecureAuth Link-to-Accept Multi-Factor Authentication Method |
| Phone Fraud Service URL | Phone Number Profiling Service |
| Geo-Location URL | Adaptive Authentication |
| SecureAuth Threat Service URL | Adaptive Authentication |

 Proxy server integration (if using a proxy server)...

4. Select False from the following dropdowns:

  • Certificate Use WSE 3.0
  • Telephony Use WSE 3.0
  • SMS Use WSE 3.0
  • Push Use WSE 3.0
  • Geo-Location Use WSE 3.0
  • SecureAuth Threat Service Use WSE 3.0
  • Trx Use WSE 3.0

5. Set the corresponding URLs as follows:

a. Certificate URL to https://cloud.secureauth.com/certservice/cert.svc

b. Telephony URL to https://cloud.secureauth.com/telephonyservice/telephony.svc

c. SMS URL to https://cloud.secureauth.com/smsservice/sms.svc

d. Push URL to https://cloud.secureauth.com/pushservice/push.svc

e. Geo-Location URL to https://cloud.secureauth.com/ipservice/ipgeolocation.svc

f. SecureAuth Threat Service URL to https://cloud.secureauth.com/ipservice/ipevaluation.svc

g. Trx Log Service URL to https://cloud.secureauth.com/trxservice/trx.svc

(no step 6)

Step 7: Complete SCEP Configuration section

 If SCEP is not used...

7. Select False from the Use SCEP dropdown and keep the default values.

 SCEP configuration (if SCEP is used)...

7a. Select True from the Use SCEP dropdown.

7b. Leave the SCEP Web Service URL as the default unless the web service is hosted in a different location.

7c. Set the SCEP / NDES URL as the SCEP / NDES Listener URL.

7d. Select False from the Inbound SCEP Request dropdown.

Or select True for SecureAuth IdP to receive inbound SCEP calls from MobileIron.

Refer to Outbound SCEP configuration guide or Inbound SCEP from MobileIron VSP configuration guide for full instructions.

Step 8: Complete Proxy Server Configuration section

 If a proxy server is not used...

8. Select False from the Use Proxy Server dropdown and keep the default values. 

 Acceptable IP address formats...

IP addresses are accepted in the following formats, with multiple entries separated by a comma:

  • Specific IP address – example: 72.32.245.182

  • CIDR Notation – example: 72.32.245.0/24

  • IP range – example: 72.32.245.1-72.32.245.254

Multiple formats can be used on the same line.

The following example entry is valid:

72.32.245.182,72.32.245.0/24,72.32.245.1-72.32.245.254
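
The three entry formats above can be checked before a list is pasted into the field. The Python below is an added example, not SecureAuth code: it parses a comma-separated list, reports how many addresses each entry covers (so an unintentionally broad entry stands out), and tests whether a given address is covered. The function names are hypothetical, only IPv4 is handled, and rejecting CIDR entries with host bits set is this example's choice, not documented product behaviour.

```python
import ipaddress

# The valid example entry from the page.
EXAMPLE = "72.32.245.182,72.32.245.0/24,72.32.245.1-72.32.245.254"

def parse_entry(entry):
    """Return the (first, last) IPv4 addresses covered by one list entry."""
    entry = entry.strip()
    if "/" in entry:  # CIDR notation
        # strict=True rejects host bits (e.g. 72.32.245.182/24), a common typo.
        # Assumption of this example, not documented product behaviour.
        net = ipaddress.IPv4Network(entry, strict=True)
        return net.network_address, net.broadcast_address
    if "-" in entry:  # first-last range
        first, last = (ipaddress.IPv4Address(part.strip())
                       for part in entry.split("-", 1))
        if first > last:
            raise ValueError(f"range start is above range end: {entry!r}")
        return first, last
    ip = ipaddress.IPv4Address(entry)  # single address
    return ip, ip

def parse_ip_list(text):
    """Parse a comma-separated list; raise ValueError naming the bad entry."""
    spans = []
    for raw in text.split(","):
        try:
            spans.append(parse_entry(raw))
        except ValueError as exc:
            raise ValueError(f"bad entry {raw.strip()!r}: {exc}") from exc
    return spans

def span_sizes(text):
    """Number of addresses each entry covers, in list order."""
    return [int(last) - int(first) + 1 for first, last in parse_ip_list(text)]

def covers(text, address):
    """True if the address falls inside any entry of the list."""
    ip = ipaddress.IPv4Address(address)
    return any(first <= ip <= last for first, last in parse_ip_list(text))

def is_valid(text):
    """True if every entry parses; empty entries (stray commas) fail."""
    try:
        parse_ip_list(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for raw, size in zip(EXAMPLE.split(","), span_sizes(EXAMPLE)):
        print(f"{raw:<28} {size:>4} address(es)")
```
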

 Proxy integration configuration (if using a proxy server)...

8a. Select True from the Use Proxy Server dropdown.

8b. Set the Proxy Server Address to the proxy's IP Address or FQDN.

8c. Set the Proxy Server Port to the TCP port on which the web proxy server is configured to respond – example: 8080

8d. Provide the Proxy Username and Proxy Password if the proxy requires authentication.

Steps 9 - 11: Complete IP Configuration section

 If a proxy server is not used...

9. Provide the Public IP Address if NAT is used to alter the SecureAuth IdP IP Address to a Public IP Address.

10. Provide the Proxy IP List of addresses used between end-user devices and SecureAuth IdP (proxy, load balancer, gateway, etc.) – separating entries in this list by commas.

11. Leave the IP Http Header Field Name as default unless a different Field Name is required.

 Proxy integration configuration (if using a proxy server)...

9. List the proxy IP Address in the Proxy IP List field.

(no steps 10 - 11)

Steps 12 - 23: Review / configure remaining sections

License Info section

12. No configuration is required. The Cert Serial Nbr is typically the same as the Client Cert Serial Nbr in the WSE 3.0 / WCF Configuration section.

Certificate Properties section

13. Select Default from the SAN, DC 1, and DC 2 dropdowns to use the default certificate settings.

Select Custom to customize a SAN, DC 1, or DC 2 property in a certificate.

14. Select No DC 3 from the DC 3 dropdown to eliminate the DC 3 property from the certificate.

Select Hard drive serial number hash to include the DC 3 property as the hard drive serial number hash.

15. Select the hashing algorithm to be used for certificate signing requests from the Certificate Key Identifier dropdown.

Advanced Configuration section

16. Select True from the Force Frame Break Out dropdown to enable SecureAuth IdP pages to break out of iFrame web pages.

User Input Restriction section

NOTE: This section applies only to SQL, ODBC, and Oracle data stores.

17. Set the Max Length for User ID (number of characters).

18. Set the Max Length for Password (number of characters).

19. Set the Max Length for OTP (number of digits).

20. Set the Max Length for KBA (number of characters). If no limit, set to 0 (default).

21. Create a list of Disallowed Keywords, comma separated.

22. Click Save.

23. Click the "Click to view Web Config Backups" link to view backups and see modifications that have been made.

Configuration Back Up Files page

23a. View configuration changes and open backup files.

23b. Use the back arrow on the browser to return to the Links section.

If using a proxy server...

 Proxy integration configuration...

23c. On the Web Config Editor page, search for wse3IP; you should find 2 lines. Set the values as follows:

  • <add key="wse3IP" value="False" />
  • <add key="wse3IPEvaluation" value="False" />

23d. Click Save.


 


Related documentation

Web proxy server configuration guide

SecureAuth cloud services