This document contains specific information for SecureAuth IdP version 7.x. If using a different version of SecureAuth IdP, refer to the 8.x, 9.0.x, or 9.1 - 9.2 space accordingly.

Introduction

Use this guide to configure the Workflow tab in the Web Admin for each SecureAuth IdP realm.

This includes authentication modes, custom tokens, adaptive authentication (risk analysis), and certificate / token properties.

See Sample Workflow Configuration Guides for assistance.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started.

2. Configure the User Interface and the Data Store tabs in the Web Admin before configuring the Workflow tab.

Workflow Configuration Steps
Product Configuration

 

1. In the Product Configuration section, select the Integration Method from the dropdown

The selection made here will alter the options for Client Side Control and IE / PFX / Java Cert Type

  • Select Certification Enrollment and Validation for web-based authentication (used most frequently, for the majority of application integrations)
  • Select Certificate Enrollment Only for X.509 VPN authentication
  • Select Mobile Enrollment and Validation for mobile browser authentication or enrollment (e.g. native mobile apps, OATH enrollment)
 If Certification Enrollment and Validation is selected

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Java Applet to store the SecureAuth IdP X.509 certificate in the JRE managed code file set
  • Select Browser Plug-ins to store the certificate in the native key store
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
 If Java Applet is selected

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Browser Plug-ins is selected

3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

 If Universal Browser Credential (UBC) is selected

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device Digital Fingerprinting

 

3. Set the Weights of FP Components to emphasize significance of specific device / browser characteristics

The HTTP Headers and the System Components weights together must equal 100%

4. In the Normal Browser Settings section, select Cookie from the FP Mode dropdown if a cookie will be delivered to the browser that will correspond with the Fingerprint

This will enhance the recognition of the Fingerprint during SecureAuth IdP authentication

5. Provide a Cookie name prefix, which can be anything

6. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

7. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

8. Set the Authentication Threshold to the acceptable percentage above which the Fingerprint can be the second factor during authentication  

This is typically between 90-100%

9. Set the Update Threshold to the acceptable percentage above which the stored Fingerprint will be updated with the changes rather than having a new one created

This is typically between 80-90%, and must be below the Authentication Threshold

10. In the Mobile Settings section, select Cookie from the FP Mode dropdown

11. Provide a Cookie name prefix, which can be anything

12. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

13. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

14. Select True from the Skip IP Match dropdown if the IP Address on the device is not required to match the IP Address recorded in the Fingerprint

15. Set the Authentication Threshold to the acceptable percentage above which the Fingerprint can be the second factor during authentication

This is typically between 90-100%

16. Set the Update Threshold to the acceptable percentage above which the stored Fingerprint will be updated with the changes rather than having a new one created  

This is typically between 80-90%, and must be below the Authentication Threshold

17. Set for how many total days the Fingerprint will be valid; set the FP expiration length to zero if there is no expiration

18. Set for how many days the Fingerprint will be valid since the user's last access; set the FP expiration since last access to zero if there is no expiration

19. Select True from the Only 1 FP per browser dropdown if multiple Fingerprints for a browser are not allowed

20. Set the Total FP max count to limit the number of Fingerprints that can be stored in a user's profile

Set this to -1 if there is no limit

21. Select Allow to Replace from the When exceeding max count dropdown if a Fingerprint can be replaced by a new one once the limit has been reached

Selecting Not Allow to Replace would require administrative action to remove the Fingerprint(s)

22. Select Created Time from the Replace in order by dropdown to replace the oldest created Fingerprint with a new one

Select Last Access Time to replace the least recently used Fingerprint with a new one

23. Set the FP's access record max count to the number of Fingerprint access histories that will be stored in the directory

 If Certificate Enrollment Only is selected

2. The Client Side Control will be set to Browser Plug-ins (no other option)

3. Select the IE / PFX / Java Cert Type from the dropdown

This is based on the security preference

 If Mobile Enrollment and Validation is selected

2. Select the Client Side Control option from the dropdown

The selection made here will alter the options for IE / PFX / Java Cert Type, and may require additional configuration steps

  • Select Browser Credential to store a cookie in the browser
  • Select Universal Browser Credential (UBC) to store a difficult-to-remove cookie in multiple places on the client
  • Select Device / Browser Fingerprinting to enable SecureAuth IdP's Fingerprinting mode, which pulls unique characteristics from the device or browser and stores them as a value in the user directory rather than storing a cookie or certificate on the client
 If Browser Credential is selected

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Universal Browser Credential (UBC) is selected

3. Select 1024-bit Public Key or 2048-bit Public Key from the IE / PFX / Java Cert Type dropdown

This is based on the security preference

 If Device / Browser Fingerprinting is selected

Additional configuration steps are required, and a new section will appear at the bottom of the Workflow page

Browser/Mobile Device Digital Fingerprinting

 

3. Set the Weights of FP Components to emphasize significance of specific device / browser characteristics

The HTTP Headers and the System Components weights together must equal 100%

4. In the Normal Browser Settings section, select Cookie from the FP Mode dropdown if a cookie will be delivered to the browser that will correspond with the Fingerprint

This will enhance the recognition of the Fingerprint during SecureAuth IdP authentication

5. Provide a Cookie name prefix, which can be anything

6. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

7. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

8. Set the Authentication Threshold to the acceptable percentage above which the Fingerprint can be the second factor during authentication  

This is typically between 90-100%

9. Set the Update Threshold to the acceptable percentage above which the stored Fingerprint will be updated with the changes rather than having a new one created

This is typically between 80-90%, and must be below the Authentication Threshold

10. In the Mobile Settings section, select Cookie from the FP Mode dropdown

11. Provide a Cookie name prefix, which can be anything

12. Set the number of hours for which the delivered cookie will be valid in the Cookie length field

13. Select True from the Match FP ID in cookie dropdown if SecureAuth IdP will verify the Cookie Name Prefix (Fingerprint ID) in the cookie

14. Select True from the Skip IP Match dropdown if the IP Address on the device is not required to match the IP Address recorded in the Fingerprint

15. Set the Authentication Threshold to the acceptable percentage above which the Fingerprint can be the second factor during authentication

This is typically between 90-100%

16. Set the Update Threshold to the acceptable percentage above which the stored Fingerprint will be updated with the changes rather than having a new one created  

This is typically between 80-90%, and must be below the Authentication Threshold

17. Set for how many total days the Fingerprint will be valid; set the FP expiration length to zero if there is no expiration

18. Set for how many days the Fingerprint will be valid since the user's last access; set the FP expiration since last access to zero if there is no expiration

19. Select True from the Only 1 FP per browser dropdown if multiple Fingerprints for a browser are not allowed

20. Set the Total FP max count to limit the number of Fingerprints that can be stored in a user's profile

Set this to -1 if there is no limit

21. Select Allow to Replace from the When exceeding max count dropdown if a Fingerprint can be replaced by a new one once the limit has been reached

Selecting Not Allow to Replace would require administrative action to remove the Fingerprint(s)

22. Select Created Time from the Replace in order by dropdown to replace the oldest created Fingerprint with a new one

Select Last Access Time to replace the least recently used Fingerprint with a new one

23. Set the FP's access record max count to the number of Fingerprint access histories that will be stored in the directory
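
Added example (not SecureAuth code and not part of the original guide): a small model of the Fingerprinting settings described in steps 3-23, for both the Certification Enrollment and Validation and the Mobile Enrollment and Validation branches. It checks the two hard rules the guide states, flags thresholds outside the typical ranges, and shows how the thresholds and the max-count replacement policy interact. All field names, outcome names and the sample profile are hypothetical, and treating a score equal to a threshold as meeting it is an assumption.

```python
from dataclasses import dataclass

@dataclass
class FPSettings:
    # Hypothetical field names mirroring the labels on the Workflow page.
    http_headers_weight: int        # Weights of FP Components (%)
    system_components_weight: int
    auth_threshold: int             # Authentication Threshold (%)
    update_threshold: int           # Update Threshold (%)
    total_fp_max_count: int = -1    # -1 means no limit
    allow_replace: bool = True      # "Allow to Replace" / "Not Allow to Replace"
    replace_order: str = "created"  # "created" or "last_access"

def validate(s):
    """Return (errors, warnings) for the rules and typical ranges in the guide."""
    errors, warnings = [], []
    if s.http_headers_weight + s.system_components_weight != 100:
        errors.append("HTTP Headers + System Components weights must equal 100%")
    if s.update_threshold >= s.auth_threshold:
        errors.append("Update Threshold must be below the Authentication Threshold")
    if not 90 <= s.auth_threshold <= 100:
        warnings.append("Authentication Threshold is outside the typical 90-100%")
    if not 80 <= s.update_threshold <= 90:
        warnings.append("Update Threshold is outside the typical 80-90%")
    return errors, warnings

def classify(score, s):
    """Map a match score (%) to the outcome the two thresholds describe.
    Assumption: a score equal to a threshold counts as meeting it."""
    if score >= s.auth_threshold:
        return "fingerprint_is_second_factor"
    if score >= s.update_threshold:
        return "update_stored_fingerprint"   # not accepted as the second factor
    return "create_new_fingerprint"

def store_new(stored, new_fp, s):
    """Add new_fp to a profile, applying max count and replacement order.
    Returns (updated list, id of the replaced Fingerprint or None)."""
    if s.total_fp_max_count == -1 or len(stored) < s.total_fp_max_count:
        return stored + [new_fp], None
    if not s.allow_replace or not stored:
        raise PermissionError("max count reached: an administrator must remove a Fingerprint")
    victim = min(stored, key=lambda fp: fp[s.replace_order])  # oldest / least recent
    return [fp for fp in stored if fp is not victim] + [new_fp], victim["id"]

# Constructed sample data: timestamps are plain integers for readability.
SETTINGS = FPSettings(60, 40, 95, 85, total_fp_max_count=2, replace_order="last_access")
PROFILE = [{"id": "fp-a", "created": 1, "last_access": 9},
           {"id": "fp-b", "created": 2, "last_access": 3}]

if __name__ == "__main__":
    print(validate(SETTINGS))
    print(classify(88, SETTINGS))
    print(store_new(PROFILE, {"id": "fp-c", "created": 10, "last_access": 10}, SETTINGS))
```

With Not Allow to Replace, a full profile raises instead of silently evicting an entry, which matches the guide's note that administrative action is then required.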

Multi-Domain Configuration


 4. Click View and Configure Multi-Store/Workflow only if this realm will enable multiple data store integrations that lead to distinct workflows (optional)

 To configure Multi-Domain
Multi-Domain Configuration

 

Refer to Configuring Multi-Domain Support for the configuration steps of this feature

Click Save once the configurations have been completed and before leaving the Multiple Domain(s) Configuration page to avoid losing changes

Workflow

 

5. Select Private and Public Mode from the Public/Private Mode dropdown to enable both modes during the login process

If the end-user selects Private Mode on the login page, then SecureAuth IdP will check for a certificate / token / Fingerprint, or will deliver a certificate / token to the browser or pull information to create a Fingerprint for subsequent access attempts

6. Select which option will be selected by default (if Private and Public Mode is enabled) on the end-user login page from the Default Public / Private dropdown

7. Select True from the Remember User Selection dropdown if the user's last Private / Public Mode selection will be defaulted for subsequent access attempts

8. Select the Authentication Mode, which is the workflow through which users will go to obtain access

 Standard (User / 2nd Factor / Password)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Second Factor Only

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 User/Password on 1st Page (+2nd factor)

This option will require configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Registration Code

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Reg Code + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm, and configuration and the enablement of at least one registration method in the Registration Methods tab

 Valid Persistent Token + Password

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

 User/Password Only (On separate pages)

No special configuration is required for this option 

 User/Password on 1st page (no 2nd factor)

No special configuration is required for this option 

 UserName Only

No special configuration is required for this option 

 Validate Persistent Token Only

This option will require a different realm in which the Client Side Control token/certificate/fingerprint is generated to use on this realm

9. Select Enabled from the Inline Password Change dropdown to redirect users back into the workflow after their passwords have been changed

10. Select True from the Validate Cert dropdown if SecureAuth IdP is to check the validity of the persistent token during the authentication process

11. Select True from the Renew Cert (After Validation) dropdown if the persistent token is to be renewed after SecureAuth IdP checks the validity (step 12)

12. Select True from the User Impersonation dropdown if this realm will run under a user's account rather than the service account

13. Select False from the Windows Authentication dropdown

Select True if this realm will utilize Windows Desktop SSO

14. Select the action that will occur if the Java Applet fails to launch from the Allow Fall Back dropdown

15. Select False from the Allow Transparent SSO dropdown

Select True if this realm will utilize SecureAuth IdP SSO, and will enable SP-initiated or Secure Portal SSO

No configuration is necessary for the other fields, unless required for the customer's environment

The following sections require no configuration unless this realm has specific needs for them (noted in section titles)

 Custom Front End Configuration (if using a Begin Site or if SP requires it)
Custom Front End

 

Refer to the specific Begin Site Configuration Guide or the specific Integration Guide to view the distinct configuration steps

 Custom Integration Type Configuration
Custom Integration Type

 

If the SecureAuth IdP appliance will be integrated with Office 365, select Office 365 here.

 User Access Configuration (if session timeout will occur automatically after a set period of time)
User Access

 

1. Set the Session State Name or leave it as the default value

2. Set the number of minutes after which the session will be expired in the Idle Timeout Length field

3. Select the action to take after the session has been expired from the Display TimeOut Message dropdown

 Open ID Configuration (if using Open ID)
Open ID

 

1. Provide the Open ID Provider URL in the Static OP Server URL field

2. Select the type of identifying claim that will be used in Open ID from the Federated OpenID dropdown

 SAML 2.0 Service Provider (if SecureAuth IdP is accepting a SAML assertion from one or multiple Identity Providers)
SAML 2.0 Service Provider
 Form Post Configuration (if SecureAuth IdP is accepting a Form Post)
Form Post

 

Select what user information is being sent in the Form Post from the Validation Mode dropdown

 iPhone / iPad Handling Configuration (if users are to be redirected to a different realm when using an iPhone or iPad)
iPhone / iPad Handling

 

Select the SecureAuth IdP realm to which iPhone / iPad users will be redirected from the Validation Realm dropdown

 IP Blocking Configuration (if blocking IP addresses from specific countries)
IP Blocking

 

1. Select True from the Enable IP Blocking dropdown

2. Click Block IP Configuration to configure the restrictions

Block IPs by Country

 

3. Select any countries from which SecureAuth IdP will not accept IP addresses

 FBA WebService Configuration (if using multi-data store web services and if required by SP)
FBA WebService

 

1. Select True from the Enable FBA WebService dropdown

2. Provide the FBA WebService UserName, which would be the same as the Webservice Username in the Data tab

3. Provide the FBA WebService Password that corresponds to the username

The Certificate / Token Properties and the Browser / Mobile Device Digital Fingerprinting sections' configuration steps can be found in Product Configuration at the top of this page

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
