Authentication Portal Configuration
If you have not made any configuration changes yet, please see How to make configuration changes
The installation of the idenprotect Authentication Portal requires some configuration to be done on the idenprotect Core Platform Admin Console in advance. If that has already been done and you are ready to install the idenprotect Authentication Portal, please see Installing with an RPM
Introduction
idenprotect Core Platform can be used to enable Single Sign-On with external Service Providers. The idenprotect Authentication Portal (sometimes referred to as IDP) acts as a gateway to users to allow them to authenticate once and then access any Service Providers which have been set up. This article discusses the configuration of the Authentication Portal.
To set up Service Providers please see Authentication Portal Service Provider Configuration
Settings configured via idenprotect Core Platform
These settings are configured in two places:
- Authentication Portal Configuration, within the Authentication Portal section of the idenprotect Core Platform Admin Console Config Tab
- the server file system, in /etc/idenprotect/idp.properties
Parameter in Config Tab | Parameter in Properties File | Description |
---|---|---|
Key Store | idp.keystore | The path to your keystore (e.g. /etc/idenprotect/) |
Key Store Password | idp.keystore.passphrase | The password for the keystore |
Alias | idp.alias | The name of the entry in the keystore |
Base URL | idp.alias | Base URL of the Authentication Portal (e.g. https://{host}/idp/). See here for details about {host} configuration |
idenprotect External Base URL | idp.idenprotect.external.base.url | Base URL of the iDENprotect server when it is accessed from outside the box, for example when scanning a QR code (e.g. https://{host}). See here for details about {host} configuration |
Call Back URL | idp.base.url | The URL the idenprotect Core Platform calls to notify the Authentication Portal that authentication has completed |
Entity ID | idp.entity.id | Identifier provided to Service Providers so that they can verify they are talking to the right place. You can use a URL here if you wish (e.g. https://{host}/idp/). See here for details about {host} configuration |
Compare Endpoints | idp.compare.endpoints | Check/Uncheck for True/False. Whether the endpoints should be compared when handling a SAML message |
Expires | idp.expires | The expiry time of the SAML message (in seconds) |
Push Notifications Automatic? | idp.push.automatic | Check/Uncheck for True/False. If true, a push notification is sent automatically to the user's device so that the QR code does not need to be scanned |
Password Allowed | idp.password.allowed | Check/Uncheck for True/False. If true, a password field is shown when authenticating. The password can be stored in the cache and used for non-SAML sign-on |
Verify Password with AD | idp.password.verify | Check/Uncheck for True/False. If true, the submitted password is verified against Active Directory as part of the authentication process |
Password Deletion on Logout | idp.password.logout.delete | Check/Uncheck for True/False. If true, the cached password is deleted on logout from the Authentication Portal |
Active Directory Login Enabled | idp.active.directory.login.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an Active Directory password |
OTP Login Enabled | idp.otp.login.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an OATH One-Time Passcode from a token or mobile device |
OTP Login Enabled | idp.otp.message.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an OATH One-Time Passcode sent to the user by message, e.g. SMS |
Credentials Cache Expiry Minutes | idp.credentials.cache.expiry.minutes | How long (in minutes) credentials are stored in the Authentication Portal cache before removal |
Advanced Settings
Parameter in Config Tab | Parameter in Properties File | Description |
---|---|---|
Cookie Name | idp.cookie.name | The name of the cookie that will be set |
Authentication Status Call Interval | idp.authentication.status.call.interval | Frequency (in milliseconds) at which the Authentication Portal calls idenprotect Core Platform to check whether authentication has completed |
Clock Skew | idp.clock.skew | The allowed difference between system clocks (in seconds) |
Show Help Image | idp.help.image.enabled | Check/Uncheck for True/False. Set to false to stop the help image being shown (true by default). For information on customising the image shown, see Authentication Portal UI Configuration |
idenprotect Authentication Portal startup configuration
These settings are configured in one place:
- the server file system, in /etc/idenprotect/idp/webserver.properties
Parameter | Description |
---|---|
logging.config | The file path of the logging configuration |
server.port | The port on which the Authentication Portal server listens (note that NGINX expects the Authentication Portal to run on port 8083) |
server.contextPath | The context path under which the Authentication Portal runs behind NGINX (note that NGINX expects the default, /idp) |
server.session.timetout | Time before the session times out, in seconds. Preset to 28800 (8 hours) |
node.id | Unique identifier of the node the Authentication Portal is running on (for deployments with multiple instances) |
target.internal.base.url | The base URL of idenprotect Core Platform used for API calls (e.g. https://localhost:443/) |
target.username | The username the Authentication Portal uses when making API calls to idenprotect Core Platform |
target.password | The password the Authentication Portal uses when making API calls to idenprotect Core Platform |
test.mode.enabled | true/false. If true, SAML messages are displayed and API calls may be made to endpoints presenting self-signed certificates |
ui.data.cach.expiry | How frequently the Authentication Portal polls Core Platform for updates to the user-interface configuration |
ui.data.cche | Time unit for the setting above (default is MINUTES) |
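The two tables above list the keys but not which combinations deserve a second look before a deployment goes live. The script below is an added example, not idenprotect's own code or tooling: it parses the Java .properties format used by /etc/idenprotect/idp.properties and /etc/idenprotect/idp/webserver.properties and reports settings that weaken the SAML flow (test mode left on, endpoint comparison off, non-HTTPS Core Platform URLs, a well-known keystore passphrase, a cached password that survives logout, and over-generous expiry or clock-skew windows). The key names come from the tables; the review thresholds, the weak-passphrase list, and the sample file contents are constructed assumptions for illustration.

```python
"""Audit Authentication Portal properties files for weak settings.

Added example, not idenprotect's own code. Keys are taken from the
configuration tables; MAX_EXPIRES_SECONDS, MAX_CLOCK_SKEW_SECONDS and
WEAK_PASSPHRASES are assumptions chosen for illustration.
"""
import re
from typing import Optional

# Keys from the documentation tables.
KEY_TEST_MODE = "test.mode.enabled"
KEY_INTERNAL_URL = "target.internal.base.url"
KEY_EXTERNAL_URL = "idp.idenprotect.external.base.url"
KEY_KEYSTORE_PASS = "idp.keystore.passphrase"
KEY_COMPARE_ENDPOINTS = "idp.compare.endpoints"
KEY_EXPIRES = "idp.expires"
KEY_CLOCK_SKEW = "idp.clock.skew"
KEY_PW_ALLOWED = "idp.password.allowed"
KEY_PW_VERIFY = "idp.password.verify"
KEY_PW_LOGOUT_DELETE = "idp.password.logout.delete"

# Assumed review thresholds (seconds) and well-known default passphrases.
MAX_EXPIRES_SECONDS = 300
MAX_CLOCK_SKEW_SECONDS = 60
WEAK_PASSPHRASES = {"", "changeit"}

# Constructed sample files (not a real deployment).
SAMPLE_IDP_PROPERTIES = """\
# constructed sample idp.properties
idp.keystore = /etc/idenprotect/idp.jks
idp.keystore.passphrase = changeit
idp.alias = idp-signing
idp.entity.id: https://sso.example.test/idp/
idp.idenprotect.external.base.url = https://sso.example.test
idp.compare.endpoints = false
idp.expires = 3600
idp.clock.skew = 300
idp.password.allowed = true
idp.password.verify = false
idp.password.logout.delete = false
idp.credentials.cache.expiry.minutes = 480
"""

SAMPLE_WEBSERVER_PROPERTIES = """\
# constructed sample webserver.properties
server.port = 8083
server.contextPath = /idp
target.internal.base.url = http://localhost:8080/
target.username = idp-service
target.password = \\
    s3cret-continued-on-next-line
test.mode.enabled = true
"""


def parse_properties(text: str) -> dict:
    """Parse Java .properties text: '#' / '!' comment lines, '=' / ':' /
    whitespace separators, backslash line continuation, and
    backslash-escaped separator characters inside keys."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw if pending is None else pending + raw.lstrip()
        # A trailing single backslash joins the next line onto this one.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
        else:
            logical.append(line)
            pending = None
    if pending is not None:
        logical.append(pending)

    props = {}
    for line in logical:
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", stripped)
        if m:
            key = re.sub(r"\\(.)", r"\1", m.group(1))  # unescape \= \: etc.
            props[key] = m.group(2).strip()
    return props


def as_bool(value: Optional[str]) -> bool:
    return (value or "").strip().lower() == "true"


def as_int(value: Optional[str]) -> Optional[int]:
    try:
        return int((value or "").strip())
    except ValueError:
        return None


def audit(idp_props: dict, webserver_props: dict) -> list:
    """Return (key, severity, message) tuples for settings worth reviewing."""
    findings = []
    if as_bool(webserver_props.get(KEY_TEST_MODE)):
        findings.append((KEY_TEST_MODE, "high", "test mode displays SAML messages "
                         "and accepts self-signed certificates on API calls"))
    for key, props in ((KEY_INTERNAL_URL, webserver_props), (KEY_EXTERNAL_URL, idp_props)):
        url = props.get(key, "")
        if url and not url.lower().startswith("https://"):
            findings.append((key, "high", f"{url!r} is not an https URL"))
    if idp_props.get(KEY_KEYSTORE_PASS, "") in WEAK_PASSPHRASES:
        findings.append((KEY_KEYSTORE_PASS, "medium", "keystore passphrase is empty or a well-known default"))
    if not as_bool(idp_props.get(KEY_COMPARE_ENDPOINTS)):
        findings.append((KEY_COMPARE_ENDPOINTS, "high", "SAML endpoint comparison is disabled or unset"))
    expires = as_int(idp_props.get(KEY_EXPIRES))
    if expires is None or expires > MAX_EXPIRES_SECONDS:
        findings.append((KEY_EXPIRES, "medium", f"SAML message validity is "
                         f"{'unset' if expires is None else expires}; assumed ceiling {MAX_EXPIRES_SECONDS}s"))
    skew = as_int(idp_props.get(KEY_CLOCK_SKEW))
    if skew is None or skew > MAX_CLOCK_SKEW_SECONDS:
        findings.append((KEY_CLOCK_SKEW, "medium", f"clock skew allowance is "
                         f"{'unset' if skew is None else skew}; assumed ceiling {MAX_CLOCK_SKEW_SECONDS}s"))
    if as_bool(idp_props.get(KEY_PW_ALLOWED)):
        if not as_bool(idp_props.get(KEY_PW_LOGOUT_DELETE)):
            findings.append((KEY_PW_LOGOUT_DELETE, "medium", "cached password is retained after logout"))
        if not as_bool(idp_props.get(KEY_PW_VERIFY)):
            findings.append((KEY_PW_VERIFY, "info", "password is cached without Active Directory verification"))
    return findings


if __name__ == "__main__":
    for key, sev, msg in audit(parse_properties(SAMPLE_IDP_PROPERTIES),
                               parse_properties(SAMPLE_WEBSERVER_PROPERTIES)):
        print(f"[{sev:6}] {key}: {msg}")
```

Running the script against the constructed samples prints eight findings; pointing `parse_properties` at the real files instead of the sample strings turns it into a pre-go-live check that can run from a configuration-management hook. The parser deliberately handles the continuation and escape rules of the .properties format so that a value split over two lines (as `target.password` is in the sample) is not silently read as empty.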