Use this guide to configure the Admin Realm for remote access in the SecureAuth IdP Web Admin.
SecureAuth recommends configuring the Admin Realm first to ensure the security of the appliance and the realms within it.
The Admin Realm (SecureAuth0) can be accessed locally (Remote Desktop Protocol – RDP) or remotely (through web interface). If accessed remotely then no directory integration is required, but the Data tab must be configured to allow external access. It is also recommended to configure the workflow to require Multi-Factor Authentication to increase security.
To enable Multi-Factor Authentication to the Admin Realm (SecureAuth0), an enterprise data store is required with which SecureAuth IdP can integrate.
Admin Realm Configuration Steps
Admin Realm Configuration Steps
1. In the Details section, SecureAuth0 is set as the Realm Name
2. (optional) Provide a Realm Description
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes
3. Click Email Settings to configure the SMTP settings
4. Provide the Simple Mail Transfer Protocol (SMTP) Server Address through which SecureAuth IdP will send emails
5. Change the Port from the defaulted 25 if the SMTP server utilizes a different one
6. Provide the Username, Password, and/or Domain if required by the SMTP Relay
If the fields are not required by the SMTP Server, then only the Server Address and Port number need to be set
7. If emails will be sent through a Secure Socket Layer (SSL), then select True from the SSL dropdown
8. (optional) Upload a Logo that will be used in the SecureAuth IdP email messages
9. Provide the Subject of the SecureAuth IdP email messages
10. Provide the Sender Address of the SecureAuth IdP email messages
11. Provide the Sender Name of the SecureAuth IdP email messages
12. Select a Template that will be used for the SecureAuth IdP email messages
Click Save once the configurations have been completed and before leaving the Email Settings page to avoid losing changes
SecureAuth advises configuring access to the SecureAuth0 realm with security best practices in mind. Recommendations are listed below, but it is the customer's responsibility to determine the best settings for their specific deployment. These recommendations do not constitute a guarantee of security.
15. Restrict access to SecureAuth0 to a specific admin group.
In the corporate data store, create an admin user group comprised of only those members who will have access to the Web Admin
In the User Groups (AD/LDAP) or Allowed Groups (SQL) field, enter the name of the admin group
(AD/LDAP) In the User Group Check Type field, select Allow Access
(AD/LDAP) Set the Groups Field field to the LDAP attribute that contains user group information, e.g. memberOf
This section is for LDAP data stores only; refer to the specific directory configuration guide for more information
16. Map the SecureAuth IdP Property to the appropriate data store Field
For example, Groups is located in the memberOf data store Field
17. If another directory is enabled in the Profile Connection Settings section and contains the Property, then change the Source from Default Provider
18. Check Writeable for a Property that will be changed in the data store by SecureAuth IdP
For example, user account information (telephone number) or authentication mechanisms (knowledge-based questions, fingerprints)
The Fields listed are only examples as each data store is organized differently and may have different values for each Property
SecureAuth advises configuring remote access to the SecureAuth0 realm with security best practices in mind. Recommendations are listed below, but it is the customer's responsibility to determine the best settings for their specific deployment. These recommendations do not constitute a guarantee of remote security.
Enforce full authentication requirements for every logon attempt to the Admin realm (SecureAuth0)
20. Set the Default Workflow to Username | Second Factor | Password
21. Set the Public/Private Mode field to Public Mode Only
This forces users to authenticate fully on every logon attempt