Difference between revisions of "Authentication Portal Configuration"

From idenprotect Knowledge Base
Revision as of 15:12, 22 May 2020

If you have not made any configuration changes yet, please see How to make configuration changes

The installation of the idenprotect Authentication Portal requires some configuration to be done on the idenprotect Core Platform Admin Console in advance. If that has already been done and you are ready to install the idenprotect Authentication Portal, please see Installing with an RPM

Introduction

idenprotect Core Platform can be used to enable Single Sign-On with external Service Providers. The idenprotect Authentication Portal (sometimes referred to as IDP) acts as a gateway to users to allow them to authenticate once and then access any Service Providers which have been set up. This article discusses the configuration of the Authentication Portal.

To set up Service Providers please see Authentication Portal Service Provider Configuration


Settings configured via idenprotect Core Platform

These settings are configured under:

  • Authentication Portal Configuration within Authentication Portal section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/idp.properties
{| class="wikitable"
|+ Parameters for Authentication Portal
! Parameter in Config Tab !! Parameter in Properties File !! Description
|-
| Key Store || <code>idp.keystore</code> || The path to your keystore (i.e. <code>/etc/idenprotect/</code>)
|-
| Key Store Password || <code>idp.keystore.passphrase</code> || The password for the keystore
|-
| Alias || <code>idp.alias</code> || The name of the entry in the keystore
|-
| Base URL || <code>idp.alias</code> || Base URL of the Authentication Portal (i.e. <code>https://{host}/idp/</code>). See Config Configuration for details about <code>{host}</code> configuration
|-
| idenprotect External Base URL || <code>idp.idenprotect.external.base.url</code> || Base URL of the iDENprotect server when accessed from outside the box, such as when scanning the QR code (i.e. <code>https://{host}</code>). See Config Configuration for details about <code>{host}</code> configuration
|-
| Call Back URL || <code>idp.base.url</code> || The URL the idenprotect Core Platform calls to notify the Authentication Portal that authentication has completed
|-
| Entity ID || <code>idp.entity.id</code> || Identifier provided to Service Providers so they can verify that they are talking to the right place. You can use a URL here if you wish (i.e. <code>https://{host}/idp/</code>). See Config Configuration for details about <code>{host}</code> configuration
|-
| Compare Endpoints || <code>idp.compare.endpoints</code> || Check/Uncheck for True/False. Policy for whether the endpoints should be compared when handling the SAML message
|-
| Expires || <code>idp.expires</code> || The expiry time of the SAML message (in seconds)
|-
| Push Notifications Automatic? || <code>idp.push.automatic</code> || Check/Uncheck for True/False. If true, a push notification will automatically be sent to the user's device to avoid scanning the QR code
|-
| Password Allowed || <code>idp.password.allowed</code> || Check/Uncheck for True/False. If true, a password field will open up when authenticating. The password can be stored in the cache and used for non-SAML sign-on
|-
| Verify Password with AD || <code>idp.password.verify</code> || Check/Uncheck for True/False. If true, the submitted password will be verified with Active Directory as part of the authentication process
|-
| Password Deletion on Logout || <code>idp.password.logout.delete</code> || Check/Uncheck for True/False. If true, the cached password will be deleted on logout from the Authentication Portal
|-
| Active Directory Login Enabled || <code>idp.active.directory.login.enabled</code> || Check/Uncheck for True/False. Set to <code>true</code> to enable login to the Authentication Portal using an Active Directory password
|-
| OTP Login Enabled || <code>idp.otp.login.enabled</code> || Check/Uncheck for True/False. Set to <code>true</code> to enable login to the Authentication Portal using an OATH One-Time Passcode from a token or mobile device
|-
| OTP Login Enabled || <code>idp.otp.message.enabled</code> || Check/Uncheck for True/False. Set to <code>true</code> to enable login to the Authentication Portal using an OATH One-Time Passcode sent to the user by message, e.g. SMS
|-
| Credentials Cache Expiry Minutes || <code>idp.credentials.cache.expiry.minutes</code> || How long (in minutes) credentials will be stored in the Authentication Portal cache before removal
|-
! colspan="3" | Advanced Settings
|-
| Cookie Name || <code>idp.cookie.name</code> || The name of the cookie which will be set
|-
| Authentication Status Call Interval || <code>idp.authentication.status.call.interval</code> || Frequency (in milliseconds) at which the Authentication Portal will call the idenprotect Core Platform to check if authentication has been completed
|-
| Clock Skew || <code>idp.clock.skew</code> || The allowed difference between system clocks (in seconds)
|}

idenprotect Authentication Portal startup configuration

These settings are configured under:

  • the server file system in /etc/idenprotect/idp/webserver.properties
{| class="wikitable"
|+ Parameters for Authentication Portal
! Parameter !! Description
|-
| <code>logging.config</code> || The file path to the logging configuration
|-
| <code>server.port</code> || The port on which the Authentication Portal server will deploy (note that NGINX expects the Authentication Portal to run on port 8083)
|-
| <code>server.contextPath</code> || The context in NGINX where the Authentication Portal will run (note that NGINX expects the default to be <code>/idp</code>)
|-
| <code>server.session.timeout</code> || Time before the server session times out. Preset to 28800 (8 hours)
|-
| <code>node.id</code> || Unique identifier of the node the Authentication Portal is running on (for use with multiple instances)
|-
| <code>target.internal.base.url</code> || The base URL of the idenprotect Core Platform for API calls (i.e. <code>https://localhost:443/</code>)
|-
| <code>target.username</code> || The username the Authentication Portal will use when making API calls to the idenprotect Core Platform
|-
| <code>target.password</code> || The password the Authentication Portal will use when making API calls to the idenprotect Core Platform
|-
| <code>test.mode.enabled</code> || Check/Uncheck for True/False. If true, SAML messages will be displayed and API calls may be made using self-signed certificates
|-
| <code>ui.data.cach.expiry</code> || How often the Authentication Portal polls the Core Platform for user-interface configuration updates
|-
| <code>ui.data.cche</code> || Time unit for the setting above (default is MINUTES)
|}
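As an added example (not idenprotect's own tooling), the following Python check reads the two properties files described in the sections above and flags the settings a reviewer would question before go-live: test.mode.enabled left on, a base URL that is not https, a generous idp.clock.skew, and a cached password that is not deleted on logout. The file contents and the skew threshold are constructed; only the key names come from this page.

```python
# Added example, not idenprotect's own tooling: a review-time lint for the two
# properties files documented on this page. Sample values and thresholds are constructed.
from typing import Dict, List

# Constructed stand-in for /etc/idenprotect/idp.properties (values are made up)
SAMPLE_IDP_PROPERTIES = """
# comment lines and blank lines are skipped by the parser
idp.keystore=/etc/idenprotect/
idp.base.url=https://idp.example.test/idp/
idp.idenprotect.external.base.url=http://idp.example.test
idp.clock.skew=600
idp.password.allowed=true
idp.password.logout.delete=false
"""
# Constructed stand-in for /etc/idenprotect/idp/webserver.properties
SAMPLE_WEBSERVER_PROPERTIES = """
server.port=8083
target.internal.base.url=https://localhost:443/
test.mode.enabled=true
"""
MAX_CLOCK_SKEW_SECONDS = 300  # assumed review threshold, not a product default

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties parser: key=value, '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").lower() == "true"

def lint(idp: Dict[str, str], web: Dict[str, str]) -> List[str]:
    """Return one finding per risky setting, each prefixed with the offending key."""
    p = {**idp, **web}
    findings: List[str] = []
    if is_true(p, "test.mode.enabled"):
        findings.append("test.mode.enabled: SAML messages are displayed and self-signed "
                        "certificates are accepted on API calls; set false outside test")
    for key in ("idp.base.url", "idp.idenprotect.external.base.url", "target.internal.base.url"):
        if key in p and not p[key].lower().startswith("https://"):
            findings.append(f"{key}: not https, SAML and API traffic would travel in the clear")
    if int(p.get("idp.clock.skew", "0")) > MAX_CLOCK_SKEW_SECONDS:
        findings.append("idp.clock.skew: a large skew keeps expired SAML messages acceptable longer")
    if is_true(p, "idp.password.allowed") and not is_true(p, "idp.password.logout.delete"):
        findings.append("idp.password.logout.delete: cached password survives logout")
    return findings

def lint_samples() -> List[str]:
    """Run the checks over the two constructed sample files above."""
    return lint(parse_properties(SAMPLE_IDP_PROPERTIES), parse_properties(SAMPLE_WEBSERVER_PROPERTIES))
```

Against the constructed samples the check reports four findings; a clean pair of files returns an empty list.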