Introduction

Use this guide as a reference to configure a SecureAuth IdP realm that utilizes Valid Persistent Tokens and 2-Factor Authentication registration codes.

Valid Persistent Tokens are generated by SecureAuth IdP as a Java certificate, device / browser fingerprint, UBC, or browser plug-in; and can be validated as a means of 2-Factor Authentication.

This can be applied to any realm to access web, SaaS, mobile, or network applications and devices, and SecureAuth IdP out-of-the-box Identity Management (IdM) tools via 2-Factor Authentication.

SecureAuth IdP Configuration Steps

This configuration requires steps to be taken in two (2) distinct realms (Realm A and Realm B)

Realm A can be configured as preferred as long as the steps below are included

Realm A
Workflow


1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown

2. Select Device/Browser Fingerprinting from the Client Side Control dropdown

See additional Fingerprinting configuration steps below in the Realm B Configuration Steps

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property

Fingerprints Property requirements

If using a different directory than LDAP, a stored procedure must be created to contain the Fingerprints

For LDAP data stores, the audio field is typically mapped to the Fingerprints Property in the Data tab

The Fingerprints Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: 8 kB minimum per Fingerprint Record; and if the Total FP Max Count is set to -1, then the size must be unlimited
  • Data Type: Octet string (bytes)
  • Multi-valued

For JSON, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: No limit / undefined
  • Data Type: DirectoryString
  • Multi-valued


Workflow


3. Select Private and Public Mode or Private Mode Only from the Public/Private Mode dropdown

When the realm is in Private Mode, a persistent token is generated

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Realm B
Workflow


4. In the Product Configuration section of Realm B, select Certification Enrollment and Validation from the Integration Method dropdown

5. Select Device/Browser Fingerprinting from the Client Side Control dropdown

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property (see image example in step 2)

Workflow


6. Select Valid Persistent Token + Registration Code or Valid Persistent Token + Reg Code + Password from the Authentication Mode dropdown

7. Private Mode Only will automatically be selected from the Public/Private Mode dropdown

8. Default Private will automatically be selected from the Default Public/Private dropdown

9. Select True from the Remember User Selection dropdown

10. Leave the rest as Default

Custom Front End


11. Select Send Token Only from the Receive Token dropdown

12. Select False from the Require Begin Site dropdown

13. Leave the rest as Default

Certificate / Token Properties


14. Select Private Mode Cert Length from the Certificate Expiration dropdown

15. Select Cert Expiration Date from the Certificate Valid Until dropdown

16. Set the Private Mode Cert Length to the number of days during which the certificate will be valid, e.g. 180 Days

17. Set the Public Mode Cert Length to the number of hours during which the public certificate will be valid, e.g. 4320 Hours

18. Select Disabled from the Check CRL dropdown

Browser / Mobile Device Digital Fingerprinting

These configuration steps should be completed in Realm A and Realm B


19. Set the Weight of each component to increase or decrease the significance of specific characteristics that combine to create the fingerprint

The HTTP Headers and System Components weights must equal 100%

Typical configuration is shown in the image, or defaulted in the SecureAuth IdP Web Admin

20. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown

21. Leave the Cookie name prefix and Cookie length fields default or blank

22. Select False from the Match FP in cookie dropdown

23. Set the Authentication Threshold to 90-100% based on preference

24. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

25. In the Mobile Settings section, select Cookie from the FP Mode dropdown

26. Leave the Cookie name prefix as the default, or set it to a preferred name

27. Set the Cookie Length to the number of hours during which the cookie will be valid, e.g. 72 Hours

28. Select True from the Match FP in cookie dropdown

29. Select True from the Skip IP Match dropdown

30. Set the Authentication Threshold to 90-100% based on preference

31. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

32. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint

33. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage

34. Set the Total FP max count to -1, unless there is a maximum amount of fingerprints that can be stored at a given time

If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8

35. Select Allow to replace from the When exceeding max count dropdown if a maximum was set for the Total FP max count in step 34

Otherwise, leave as default

36. Select Created Time from the Replace in order by dropdown if a maximum was set for the Total FP max count in step 34

Otherwise, leave as default

37. Set the FP's access records max count to 5

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
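The following is an added illustration, not SecureAuth IdP code, of how the settings in steps 19 to 37 interact: the component weights must total 100%, the Update Threshold must sit below the Authentication Threshold, and the Total FP max count together with Allow to replace / Replace in order by decides what happens when a user's stored fingerprints are full. The component names, sample fingerprint values, the exact-match scoring, and the mapping of a score to an outcome (above the Authentication Threshold the fingerprint is accepted as a valid persistent token; between the two thresholds the user is challenged for a registration code and the existing record is refreshed; below the Update Threshold the user is challenged and a new record is enrolled) are assumptions made for this example; the product's actual scoring and component list are not described on this page.

```python
from dataclasses import dataclass, field

# Per-component weights in percent. The HTTP Headers and System Components
# weights must total 100% (step 19). The component names and values used in
# this example are constructed, not the product's actual component list.
WEIGHTS = {
    "user_agent": 20,       # HTTP header components
    "accept_language": 10,
    "accept_encoding": 10,
    "screen": 20,           # system components
    "timezone": 20,
    "plugins": 20,
}


@dataclass
class FpSettings:
    auth_threshold: int = 95        # steps 23/30: 90-100%
    update_threshold: int = 85      # steps 24/31: 80-90%, below auth_threshold
    max_count: int = -1             # step 34: -1 means no limit
    allow_replace: bool = False     # step 35: "Allow to replace" when the count is exceeded


def validate_settings(weights, s):
    """Return the list of constraints stated in the guide that these settings violate."""
    problems = []
    if sum(weights.values()) != 100:
        problems.append("component weights must total 100%")
    if not 90 <= s.auth_threshold <= 100:
        problems.append("Authentication Threshold should be 90-100%")
    if not 80 <= s.update_threshold <= 90:
        problems.append("Update Threshold should be 80-90%")
    if s.update_threshold >= s.auth_threshold:
        problems.append("Update Threshold must be less than Authentication Threshold")
    if s.max_count == 0 or s.max_count < -1:
        problems.append("Total FP max count must be -1 (unlimited) or a positive number")
    return problems


def match_score(stored, presented, weights=WEIGHTS):
    """Weighted percentage of components whose stored and presented values agree (assumed scoring)."""
    return sum(w for name, w in weights.items() if stored.get(name) == presented.get(name))


def outcome(score, s):
    """Assumed handling of a score (an assumption for this example, not product behaviour):
    at or above the Authentication Threshold the fingerprint is a valid persistent token;
    between the thresholds the user is challenged for a registration code and the existing
    record is refreshed; below the Update Threshold the user is challenged and a new record
    is enrolled."""
    if score >= s.auth_threshold:
        return "token_valid"
    if score >= s.update_threshold:
        return "reg_code_then_update"
    return "reg_code_then_enroll"


@dataclass
class FpStore:
    """Stored fingerprint records for one user, honouring max count and replacement order."""
    settings: FpSettings
    records: list = field(default_factory=list)   # each record: {"created": int, "fp": dict}

    def add(self, fp, created):
        s = self.settings
        if s.max_count != -1 and len(self.records) >= s.max_count:
            if not s.allow_replace:
                return False                        # default: the new record is not stored
            # step 36: "Replace in order by" Created Time, so evict the oldest record
            oldest = min(self.records, key=lambda r: r["created"])
            self.records.remove(oldest)
        self.records.append({"created": created, "fp": dict(fp)})
        return True

    def evaluate(self, presented):
        """Score the presented fingerprint against every stored record; return (best score, outcome)."""
        best = max((match_score(r["fp"], presented) for r in self.records), default=0)
        return best, outcome(best, self.settings)


if __name__ == "__main__":
    # Constructed sample fingerprints for a walk-through.
    enrolled = {"user_agent": "UA-1", "accept_language": "en-US", "accept_encoding": "gzip",
                "screen": "1920x1080", "timezone": "-300", "plugins": "pdf"}
    settings = FpSettings()
    print(validate_settings(WEIGHTS, settings))                       # []
    store = FpStore(settings)
    store.add(enrolled, created=1)
    print(store.evaluate(enrolled))                                   # (100, 'token_valid')
    print(store.evaluate({**enrolled, "accept_language": "de-DE"}))   # (90, 'reg_code_then_update')
    print(store.evaluate({**enrolled, "screen": "1280x720"}))         # (80, 'reg_code_then_enroll')
```

With the sample weights, a single changed 20% component such as screen resolution drops the score to 80, below the Update Threshold, which is why the guide keeps the two thresholds apart: the gap between them is the band in which a slightly changed device is re-verified with a registration code and refreshed rather than enrolled as a new record that counts against Total FP max count.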

Registration Methods


38. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes

System Info

This configuration step should be completed in Realm A and Realm B


39. In the Plugin Info section, select False from the Java Detection dropdown

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes

End-user Experience