Documentation

Introduction

Use this guide as a reference to configure a SecureAuth IdP realm that accepts a Valid Persistent Token without any additional Second Factor Authentication method.

Valid Persistent Tokens are generated by SecureAuth IdP as a Java certificate, device / browser fingerprint, UBC, or browser plug-in, and can be validated as a means of Multi-Factor Authentication.

This can be applied to any realm to access web, SaaS, mobile, or network applications and devices, and SecureAuth IdP out-of-the-box Identity Management (IdM) tools via Multi-Factor Authentication.

NOTE: The configuration steps differ between SecureAuth IdP 9.0.0 and 9.0.1+ (several section and dropdown names changed). Both sets of steps are given below, 9.0.0 first, followed by 9.0.1+.

SecureAuth IdP Configuration Steps

This configuration requires steps to be taken in two (2) distinct realms: Realm A, in which the end-user authenticates and the persistent token is generated, and Realm B, the realm being protected, which validates that token

Realm A can be configured as preferred as long as the steps below are included. Because Realm B requires no additional factor, the protection Realm B provides is only as strong as the authentication Realm A requires before it issues the token, and as the binding of that token to the enrolled device / browser

SecureAuth IdP 9.0.0

Realm A
Workflow

1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown

2. Select Device/Browser Fingerprinting from the Client Side Control dropdown

See the additional Fingerprinting configuration steps below under Browser / Mobile Device Digital Fingerprinting, which apply to both realms

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property

Fingerprints property requirements:

If using a different directory than LDAP, a stored procedure must be created to contain the Fingerprints

For LDAP data stores, the audio field is typically mapped to the Fingerprints Property in the Data tab

The Fingerprints Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: 8 kB minimum per Fingerprint Record; and if the Total FP Max Count is set to -1, then the size must be unlimited
  • Data Type: Octet string (bytes)
  • Multi-valued

For JSON, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: No limit / undefined
  • Data Type: DirectoryString
  • Multi-valued

3. Select Private and Public Mode or Private Mode Only from the Public / Private Mode dropdown

A persistent token is generated only when the end-user authenticates in Private Mode, so Realm A must offer Private Mode

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Realm B
Workflow

4. In the Product Configuration section of Realm B, select Certification Enrollment and Validation from the Integration Method dropdown

5. Select Device/Browser Fingerprinting from the Client Side Control dropdown

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property (see the Fingerprints property requirements under step 2)

6. Select Valid Persistent Token + Password or Validate Persistent Token Only from the Authentication Mode dropdown

With Validate Persistent Token Only, possession of the enrolled device / browser is the sole factor for this realm; select Valid Persistent Token + Password if the realm should also require the end-user's password

7. Select Private Mode Only from the Public / Private Mode dropdown

8. Default Private will automatically be selected from the Default Public / Private dropdown

9. Select True from the Remember User Selection dropdown

10. Set the Invalid Persistent Token Redirect to Realm A URL to enable end-users to reenroll for a persistent token to access this realm

11. Leave the rest as Default

Custom Front End

12. Select Send Token Only from the Receive Token dropdown

13. Select False from the Require Begin Site dropdown

14. Leave the rest as Default

Certificate / Token Properties

15. Select Private Mode Cert Length from the Certificate Expiration dropdown

16. Select Cert Expiration Date from the Certificate Valid Until dropdown

17. Set the Private Mode Cert Length to the amount of days during which the certificate will be valid, e.g. 180 Days

18. Set the Public Mode Cert Length to the amount of hours during which the public certificate will be valid, e.g. 4320 Hours

19. Select Disabled from the Check CRL dropdown

With the CRL check disabled, a certificate is accepted until the expiration set in steps 17 and 18, so those lengths are the only time limit on the certificate; keep them as short as the use case allows

Browser / Mobile Device Digital Fingerprinting

These configuration steps should be completed in Realm A and Realm B

20. Set the Weights of each component to add or subtract significance to or from specific characteristics that will combine to create the fingerprint

The HTTP Headers and System Components weights must equal 100%

The default weights in the SecureAuth IdP Web Admin are a typical configuration

21. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown

22. Leave the Cookie name prefix and Cookie length fields default or blank

23. Select False from the Match FP in cookie dropdown

24. Set the Authentication Threshold to 90-100% based on preference

25. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

26. In the Mobile Settings section, select Cookie from the FP Mode dropdown

27. Leave the Cookie name prefix as the default, or set it to a preferred name

28. Set the Cookie Length to the amount of hours during which the cookie will be valid, e.g. 72 Hours

29. Select True from the Match FP in cookie dropdown

30. Select True from the Skip IP Match dropdown

Skipping the IP match prevents a mobile device from failing the fingerprint match whenever it moves between networks; the IP address then no longer contributes to recognizing the device

31. Set the Authentication Threshold to 90-100% based on preference

32. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

33. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint

34. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage

35. Set the Total FP max count to -1, unless there is a maximum amount of fingerprints that can be stored at a given time

If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8

36. Select Allow to replace from the When exceeding max count dropdown if a maximum is set in step 35

Otherwise, leave as default

37. Select Created Time from the Replace in order by dropdown if a maximum is set in step 35

Otherwise, leave as default

38. Set the FP's access records max count to 5

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

System Info

This configuration step should be completed in Realm A and Realm B

39. In the Plugin Info section, select False from the Java Detection dropdown

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes

SecureAuth IdP 9.0.1+

Realm A
Workflow

1. In the Device Recognition Method section, select Certification Enrollment and Validation from the Integration Method dropdown

2. Select Device / Browser Fingerprinting from the Client Side Control dropdown

See the additional Fingerprinting configuration steps below under Browser / Mobile Device Digital Fingerprinting, which apply to both realms

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property

Fingerprints property requirements:

If using a different directory than LDAP, a stored procedure must be created to contain the Fingerprints

For LDAP data stores, the audio field is typically mapped to the Fingerprints Property in the Data tab

The Fingerprints Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: 8 kB minimum per Fingerprint Record; and if the Total FP Max Count is set to -1, then the size must be unlimited
  • Data Type: Octet string (bytes)
  • Multi-valued

For JSON, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: No limit / undefined
  • Data Type: DirectoryString
  • Multi-valued

3. Select Private and Public Mode or Private Mode Only from the Public / Private Mode dropdown

A persistent token is generated only when the end-user authenticates in Private Mode, so Realm A must offer Private Mode

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Realm B
Workflow

4. In the Device Recognition Method section of Realm B, select Certification Enrollment and Validation from the Integration Method dropdown

5. Select Device / Browser Fingerprinting from the Client Side Control dropdown

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property (see the Fingerprints property requirements under step 2)

Certificate / Token Properties

6. Select Private Mode Cert Length from the Certificate Expiration dropdown

7. Select Cert Expiration Date from the Certificate Valid Until dropdown

8. Set the Private Mode Cert Length to the amount of days during which the certificate will be valid, e.g. 180 Days

9. Set the Public Mode Cert Length to the amount of hours during which the public certificate will be valid, e.g. 4320 Hours

10. Select Disabled from the Check CRL dropdown

With the CRL check disabled, a certificate is accepted until the expiration set in steps 8 and 9, so those lengths are the only time limit on the certificate; keep them as short as the use case allows

Browser / Mobile Device Digital Fingerprinting

These configuration steps should be completed in Realm A and Realm B

11. Set the Weights of each component to add or subtract significance to or from specific characteristics that will combine to create the fingerprint

The HTTP Headers and System Components weights must equal 100%

The default weights in the SecureAuth IdP Web Admin are a typical configuration

12. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown

13. Leave the Cookie name prefix and Cookie length fields default or blank

14. Select False from the Match FP in cookie dropdown

15. Set the Authentication Threshold to 90-100% based on preference

16. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

17. In the Mobile Settings section, select Cookie from the FP Mode dropdown

18. Leave the Cookie name prefix as the default, or set it to a preferred name

19. Set the Cookie Length to the amount of hours during which the cookie will be valid, e.g. 72 Hours

20. Select True from the Match FP in cookie dropdown

21. Select True from the Skip IP Match dropdown

Skipping the IP match prevents a mobile device from failing the fingerprint match whenever it moves between networks; the IP address then no longer contributes to recognizing the device

22. Set the Authentication Threshold to 90-100% based on preference

23. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

24. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint

25. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage

26. Set the Total FP max count to -1, unless there is a maximum amount of fingerprints that can be stored at a given time

If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8

27. Select Allow to replace from the When exceeding max count dropdown if a maximum is set in step 26

Otherwise, leave as default

28. Select Created Time from the Replace in order by dropdown if a maximum is set in step 26

Otherwise, leave as default

29. Set the FP's access records max count to 5
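The fingerprint settings above (steps 11 to 29 here, steps 20 to 38 in the 9.0.0 section) interact: the component weights produce a match score, the two thresholds split that score into outcomes, and the expiration and count settings decide which stored records are still eligible to match. The following Python model is an added example written for this page, not SecureAuth code. The component names, the weights, the exact-match scoring, and the handling of a score that falls between the Update and Authentication thresholds (the stored record is refreshed and reported as "update" so the caller can demand another factor) are assumptions, not a description of product behaviour.

```python
"""Model of the Browser / Mobile Device Digital Fingerprinting settings.

Added example for this page, not SecureAuth code. Component names, weights,
exact-match scoring and the Update Threshold handling are assumptions."""
from dataclasses import dataclass, field

DAY = 86400  # seconds

# Constructed weights in percent. The HTTP Headers and System Components
# weights together must total 100, as the admin console requires.
WEIGHTS = {
    "user_agent": 25, "accept_language": 10, "accept_encoding": 5,   # HTTP headers
    "screen": 15, "timezone": 10, "plugins": 20, "fonts": 15,        # system components
}


@dataclass
class Policy:
    auth_threshold: int = 95     # Authentication Threshold, 90-100%
    update_threshold: int = 85   # Update Threshold, 80-90%, must be lower
    fp_expiration_days: int = 0  # FP expiration length, 0 = never
    fp_idle_days: int = 0        # FP expiration since last access, 0 = never
    max_count: int = -1          # Total FP max count, -1 = unlimited
    access_records_max: int = 5  # FP's access records max count


def validate(policy, weights=WEIGHTS):
    """Return the configuration errors a sanity check would raise (empty if none)."""
    errors = []
    if sum(weights.values()) != 100:
        errors.append("component weights must total 100%")
    if policy.update_threshold >= policy.auth_threshold:
        errors.append("Update Threshold must be less than Authentication Threshold")
    if policy.max_count == 0 or policy.max_count < -1:
        errors.append("Total FP max count must be -1 (unlimited) or positive")
    return errors


def score(stored, observed, weights=WEIGHTS):
    """Weighted match score in percent: a component contributes its full weight
    when the stored and observed values are identical, otherwise nothing."""
    return sum(w for k, w in weights.items() if stored.get(k) == observed.get(k))


@dataclass
class Record:
    components: dict
    created: float
    last_access: float
    accesses: list = field(default_factory=list)


class FingerprintStore:
    """One user's stored fingerprints with the retention settings applied."""

    def __init__(self, policy):
        self.policy = policy
        self.records = []

    def _purge(self, now):
        """Drop records past the absolute or idle expiration (0 disables each)."""
        p = self.policy
        self.records = [
            r for r in self.records
            if not (p.fp_expiration_days and now - r.created > p.fp_expiration_days * DAY)
            and not (p.fp_idle_days and now - r.last_access > p.fp_idle_days * DAY)
        ]

    def enroll(self, components, now):
        """Realm A: store a new fingerprint. At the count limit, 'Allow to replace'
        ordered by 'Created Time' evicts the oldest record first."""
        self._purge(now)
        if self.policy.max_count != -1 and len(self.records) >= self.policy.max_count:
            self.records.remove(min(self.records, key=lambda r: r.created))
        self.records.append(Record(dict(components), now, now))

    def authenticate(self, observed, now):
        """Realm B: return (decision, score) for the best-matching record.
        'accept'   score >= Authentication Threshold, the token is valid;
        'update'   between the thresholds: the stored values are refreshed to the
                   observed ones but the caller should still require another
                   factor (assumed semantics, not product behaviour);
        'redirect' no usable record: send the user to the Invalid Persistent
                   Token Redirect (Realm A) to re-enroll."""
        self._purge(now)
        if not self.records:
            return "redirect", 0
        best = max(self.records, key=lambda r: score(r.components, observed))
        s = score(best.components, observed)
        if s < self.policy.update_threshold:
            return "redirect", s
        decision = "accept"
        if s < self.policy.auth_threshold:
            best.components = dict(observed)
            decision = "update"
        best.last_access = now
        best.accesses = (best.accesses + [now])[-self.policy.access_records_max:]
        return decision, s
```

With the constructed weights, changing only the timezone component scores 90, which lands between the default thresholds and refreshes the record, while changing screen and plugins scores well under 85 and sends the user back to Realm A; lowering the Authentication Threshold widens the first band and so widens the set of devices that are accepted as the enrolled one.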

Workflow

30. Select (Valid Persistent Token) | Password or (Valid Persistent Token) only from the Default Workflow dropdown

With (Valid Persistent Token) only, possession of the enrolled device / browser is the sole factor for this realm; select (Valid Persistent Token) | Password if the realm should also require the end-user's password

31. Private Mode Only will automatically be selected from the Public / Private Mode dropdown

32. Default Private will automatically be selected from the Default Public / Private dropdown

33. Select True from the Remember User Selection dropdown

34. Set the Invalid Persistent Token Redirect to Realm A URL to enable end-users to reenroll for a persistent token to access this realm

35. Leave the rest as Default

Custom Identity Consumer

36. Select Send Token Only from the Receive Token dropdown

37. Select False from the Require Begin Site dropdown

38. Leave the rest as Default

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

System Info

This configuration step should be completed in Realm A and Realm B

39. In the Plugin Info section, select False from the Java Detection dropdown

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes

End-user Experience

The end-user experience depends on the workflow selected in Realm B: Validate Persistent Token Only, or Valid Persistent Token + Password