Authentication Portal Configuration

From idenprotect Knowledge Base

Revision as of 15:12, 22 May 2020

If you have not made any configuration changes yet, please see How to make configuration changes.

The installation of the idenprotect Authentication Portal requires some configuration to be done in advance on the idenprotect Core Platform Admin Console. If that has already been done and you are ready to install the idenprotect Authentication Portal, please see Installing with an RPM.

Introduction

idenprotect Core Platform can be used to enable Single Sign-On with external Service Providers. The idenprotect Authentication Portal (sometimes referred to as the IDP) acts as a gateway that allows users to authenticate once and then access any Service Provider that has been set up. This article discusses the configuration of the Authentication Portal.

To set up Service Providers, please see Authentication Portal Service Provider Configuration.


Settings configured via idenprotect Core Platform

These settings are configured under:

  • Authentication Portal Configuration, within the Authentication Portal section of the Config tab in the idenprotect Core Platform Admin Console
  • The server file system, in /etc/idenprotect/idp.properties
Parameters for Authentication Portal

| Parameter in Config Tab | Parameter in Properties File | Description |
| --- | --- | --- |
| Key Store | idp.keystore | The path to your keystore (e.g. /etc/idenprotect/) |
| Key Store Password | idp.keystore.passphrase | The password for the keystore |
| Alias | idp.alias | The name of the entry in the keystore |
| Base URL | idp.alias | Base URL of the Authentication Portal (e.g. https://{host}/idp/). See here for details about {host} configuration |
| idenprotect External Base URL | idp.idenprotect.external.base.url | Base URL of the idenprotect server when it is accessed from outside the box, for example when scanning a QR code (e.g. https://{host}). See here for details about {host} configuration |
| Call Back URL | idp.base.url | The URL the idenprotect Core Platform calls to notify the Authentication Portal that authentication has completed |
| Entity ID | idp.entity.id | Identifier provided to Service Providers so they can verify that they are talking to the right place. You can use a URL here if you wish (e.g. https://{host}/idp/). See here for details about {host} configuration |
| Compare Endpoints | idp.compare.endpoints | Check/Uncheck for True/False. Policy for whether the endpoints should be compared when handling the SAML message |
| Expires | idp.expires | The expiry time of the SAML message (in seconds) |
| Push Notifications Automatic? | idp.push.automatic | Check/Uncheck for True/False. If true, a push notification is automatically sent to the user's device so that the QR code does not need to be scanned |
| Password Allowed | idp.password.allowed | Check/Uncheck for True/False. If true, a password field is shown when authenticating. The password can be stored in the cache and used for non-SAML sign-on |
| Verify Password with AD | idp.password.verify | Check/Uncheck for True/False. If true, the submitted password is verified against Active Directory as part of the authentication process |
| Password Deletion on Logout | idp.password.logout.delete | Check/Uncheck for True/False. If true, the cached password is deleted on logout from the Authentication Portal |
| Active Directory Login Enabled | idp.active.directory.login.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an Active Directory password |
| OTP Login Enabled | idp.otp.login.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an OATH One-Time Passcode from a token or mobile device |
| OTP Login Enabled | idp.otp.message.enabled | Check/Uncheck for True/False. Set to true to enable login to the Authentication Portal using an OATH One-Time Passcode sent to the user by message, e.g. SMS |
| Credentials Cache Expiry Minutes | idp.credentials.cache.expiry.minutes | How long (in minutes) credentials are stored in the Authentication Portal cache before removal |
| Advanced Settings | | |
| Cookie Name | idp.cookie.name | The name of the cookie which will be set |
| Authentication Status Call Interval | idp.authentication.status.call.interval | Frequency (in milliseconds) at which the Authentication Portal calls idenprotect Core Platform to check whether authentication has completed |
| Clock Skew | idp.clock.skew | The allowed difference between system clocks (in seconds) |

idenprotect Authentication Portal startup configuration

These settings are configured under:

  • The server file system, in /etc/idenprotect/idp/webserver.properties
Parameters for Authentication Portal

| Parameter | Description |
| --- | --- |
| logging.config | The file path where the logging configuration can be found |
| server.port | The port on which the Authentication Portal server will deploy (note that NGINX expects the Authentication Portal to run on port 8083) |
| server.contextPath | The context in NGINX where the Authentication Portal will run (note that NGINX expects the default to be /idp) |
| server.session.timetout | Time before the server session times out. Preset to 28800 seconds (8 hours) |
| node.id | Unique identifier of the node the Authentication Portal is running on (for using multiple instances) |
| target.internal.base.url | The base URL of idenprotect Core Platform used for API calls (e.g. https://localhost:443/) |
| target.username | The username which the Authentication Portal uses when making API calls to idenprotect Core Platform |
| target.password | The password which the Authentication Portal uses when making API calls to idenprotect Core Platform |
| test.mode.enabled | true/false. If true, SAML messages are displayed and API calls may be made using self-signed certificates |
| ui.data.cach.expiry | How frequently the Authentication Portal polls Core Platform for updates to the user interface configuration |
| ui.data.cche | Time unit for the setting above (default is MINUTES) |
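As an added example that is not idenprotect's own code, the following Python script parses the two properties files described above (idp.properties and webserver.properties) and checks the settings from both tables before a deployment goes live: booleans are really true/false, time values are integers, the URLs that cross a network boundary use https://, test.mode.enabled is off, idp.compare.endpoints is on, a cached password is not left behind on logout, and server.port / server.contextPath match what NGINX expects. Key names come from the tables; the keystore file name, host names and other sample values are constructed, and treating the external base URL and target.internal.base.url as https-only is an assumption based on the examples in the tables.

```python
import re

# Added example (not idenprotect's own code): lint the Authentication Portal settings
# documented above. Key names come from the tables; all SAMPLE_* values are constructed.

BOOLEAN_KEYS = (
    "idp.compare.endpoints", "idp.push.automatic", "idp.password.allowed",
    "idp.password.verify", "idp.password.logout.delete", "idp.active.directory.login.enabled",
    "idp.otp.login.enabled", "idp.otp.message.enabled", "test.mode.enabled",
)
INTEGER_KEYS = ("idp.expires", "idp.clock.skew", "idp.credentials.cache.expiry.minutes",
                "idp.authentication.status.call.interval", "server.port")
REQUIRED_KEYS = ("idp.keystore", "idp.keystore.passphrase", "idp.alias", "idp.entity.id",
                 "target.username", "target.password")
HTTPS_KEYS = ("idp.idenprotect.external.base.url", "target.internal.base.url")  # page examples use https://

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comment lines, '=' or ':' separators,
    backslash-continued values. A later key overrides an earlier one, as in Java."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def flag(props, key):
    """True only when the key is present and literally 'true' (case-insensitive)."""
    return props.get(key, "").lower() == "true"

def lint(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in BOOLEAN_KEYS:
        if key in props and props[key].lower() not in ("true", "false"):
            findings.append(f"{key}: expected true/false, got {props[key]!r}")
    for key in INTEGER_KEYS:
        if key in props and not props[key].isdigit():
            findings.append(f"{key}: expected a non-negative integer, got {props[key]!r}")
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"{key}: required but empty or missing")
    for key in HTTPS_KEYS:
        if props.get(key) and not props[key].startswith("https://"):
            findings.append(f"{key}: should be an https:// URL, got {props[key]!r}")
    if flag(props, "test.mode.enabled"):
        findings.append("test.mode.enabled: true displays SAML messages and accepts "
                        "self-signed certificates; set it to false outside testing")
    if props.get("idp.compare.endpoints", "").lower() == "false":
        findings.append("idp.compare.endpoints: false skips endpoint comparison on SAML messages")
    if flag(props, "idp.password.allowed") and not flag(props, "idp.password.logout.delete"):
        findings.append("idp.password.logout.delete: cached passwords survive logout "
                        "while idp.password.allowed is true")
    if props.get("server.port") and props["server.port"] != "8083":
        findings.append(f"server.port: NGINX expects 8083, got {props['server.port']}")
    if props.get("server.contextPath") and props["server.contextPath"] != "/idp":
        findings.append(f"server.contextPath: NGINX expects /idp, got {props['server.contextPath']}")
    return findings

def check(idp_text, webserver_text):
    """Parse both files, merge them (webserver.properties wins on conflicts) and lint."""
    return lint({**parse_properties(idp_text), **parse_properties(webserver_text)})

SAMPLE_IDP = """\
# /etc/idenprotect/idp.properties (constructed sample)
idp.keystore=/etc/idenprotect/idp.jks
idp.keystore.passphrase=changeit
idp.alias=idp-signing
idp.idenprotect.external.base.url=https://sso.example.test
idp.entity.id=https://sso.example.test/idp/
idp.compare.endpoints=true
idp.expires=300
idp.password.allowed=true
idp.password.logout.delete=true
idp.clock.skew=60
"""
SAMPLE_WEBSERVER = """\
# /etc/idenprotect/idp/webserver.properties (constructed sample)
server.port=8083
server.contextPath=/idp
target.internal.base.url=https://localhost:443/
target.username=idp-api
target.password=example-secret
test.mode.enabled=false
"""
# The same file with four mistakes a reviewer should catch
SAMPLE_BAD = SAMPLE_WEBSERVER + "test.mode.enabled=true\nserver.port=8080\n" \
    "target.internal.base.url=http://localhost:8080/\nidp.password.logout.delete=no\n"

if __name__ == "__main__":
    for finding in check(SAMPLE_IDP, SAMPLE_BAD):
        print(finding)
```

Run it as-is to see the findings for the deliberately broken sample, or point check() at the contents of the real files; a clean configuration returns an empty list. The parser reads the files the way Java does (later duplicates of a key win), so a stray second definition of server.port or test.mode.enabled at the end of a file is evaluated rather than missed.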