Authentication Portal Configuration

From idenprotect Knowledge Base
Revision as of 10:54, 13 December 2019 by GrahamSant


If you have not made any configuration changes yet, please see How to make configuration changes.

The iDENprotect Identity Provider requires some configuration to be done in advance on the iDENprotectserver Admin Console. If that has already been done and you are ready to install the iDENprotect Identity Provider, please see Installing with an RPM.

Introduction

iDENprotectserver can be used to enable Single Sign On with external Service Providers. The iDENprotect Identity Provider (sometimes referred to as the IDP) acts as a gateway that lets users authenticate once and then access any Service Provider that has been set up. This article discusses the configuration of the IDP.

To set up Service Providers, please see IDP Service Provider Configuration.


Settings configured via iDENprotectserver

These settings are configured in:

  • IDP Configuration, in the IDP section of the Config tab of the iDENprotectserver Admin Console
  • the server file system, in /etc/idenprotect/idp.properties
Parameters for IDP

| Parameter in Config Tab | Parameter in Properties File | Description |
|---|---|---|
| Key Store | idp.keystore | The path to your keystore (e.g. /etc/idenprotect/) |
| Key Store Password | idp.keystore.passphrase | The password for the keystore |
| Alias | idp.alias | The name of the entry in the keystore |
| Cookie Name | idp.cookie.name | The name of the cookie which will be set |
| Base URL | idp.alias | Base URL of the IDP (e.g. https://{host}/idp/). See here for details about {host} configuration |
| iDENprotect External Base URL | idp.idenprotect.external.base.url | Base URL of iDENprotectserver when accessed from outside the box, such as when scanning a QR code (e.g. https://{host}). See here for details about {host} configuration |
| Call Back URL | idp.base.url | The URL the iDENprotect server calls to notify the IDP that authentication has completed |
| Entity ID | idp.entity.id | Identifier provided to Service Providers so they can verify that they are talking to the right place. You can use a URL here if you wish (e.g. https://{host}/idp/). See here for details about {host} configuration |
| Compare Endpoints | idp.compare.endpoints | Check/uncheck for true/false. Whether the endpoints should be compared when handling the SAML message |
| Authentication Status Call Interval | idp.authentication.status.call.interval | Frequency (in milliseconds) at which the IDP calls iDENprotectserver to check whether authentication has completed |
| Expires | idp.expires | The expiry time of the SAML message (in seconds) |
| Clock Skew | idp.clock.skew | The allowed difference between system clocks (in seconds) |
| Push Notifications Automatic? | idp.push.automatic | Check/uncheck for true/false. If true, a push notification is sent to the user's device automatically so the QR code does not need to be scanned |
| Password Allowed | idp.password.allowed | Check/uncheck for true/false. If true, a password field is shown when authenticating. The password can be stored in the cache and used for non-SAML sign on |
| Password Deletion on Logout | idp.password.logout.delete | Check/uncheck for true/false. If true, the cached password is deleted on logout from the IDP |
| Active Directory Login Enabled | idp.active.directory.login.enabled | Check/uncheck for true/false. Set to true to allow login to the IDP with an Active Directory password. Password Allowed must also be set to true |
| Credentials Cache Expiry Minutes | idp.credentials.cache.expiry.minutes | How long (in minutes) credentials are stored in the IDP cache before removal |


iDENprotect Identity Provider startup configuration

These settings are configured in:

  • the server file system, in /etc/idenprotect/idp/webserver.properties
Parameters for IDP

| Parameter | Description |
|---|---|
| logging.config | The file path where the logging configuration can be found |
| server.port | The port on which the IDP server listens (note that NGINX expects the IDP to run on port 8083) |
| server.contextPath | The context path in NGINX under which the IDP runs (note that NGINX expects the default to be /idp) |
| server.session.timeout | Time before a session times out. Preset to 28800 (8 hours) |
| node.id | Unique identifier of the node the IDP is running on (for running multiple instances) |
| target.internal.base.url | The base URL of iDENprotectserver used for API calls (e.g. https://localhost:443/) |
| target.username | The username the IDP uses when making API calls to iDENprotectserver |
| target.password | The password the IDP uses when making API calls to iDENprotectserver |
| test.mode.enabled | true/false. If true, SAML messages are displayed and API calls may be made using self-signed certificates |
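As an added example, not part of idenprotect's own tooling, the following Python script parses a Java-style properties file containing keys from both tables above and flags settings that weaken SAML validation or keep credentials in the cache; the sample file contents and the numeric thresholds are constructed assumptions, not values from this page.

```python
"""Audit iDENprotect IDP properties for risky settings (added example, assumed thresholds)."""

# Constructed sample merging keys from idp.properties and webserver.properties.
SAMPLE = """\
# /etc/idenprotect/idp.properties
idp.compare.endpoints=false
idp.clock.skew=900
idp.password.allowed=true
idp.password.logout.delete=false
idp.credentials.cache.expiry.minutes=1440
# /etc/idenprotect/idp/webserver.properties
test.mode.enabled=true
"""

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)  # first separator wins, so URLs in values stay intact
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props

def is_true(props, key):
    """Absent keys count as false, like an unchecked box in the Config tab."""
    return props.get(key, "false").strip().lower() == "true"

def audit(props, max_skew=300, max_cache_minutes=480):
    """Return (key, reason) findings; max_skew (seconds) and max_cache_minutes are assumed limits."""
    findings = []
    if is_true(props, "test.mode.enabled"):
        findings.append(("test.mode.enabled", "accepts self-signed certificates and displays SAML messages"))
    if not is_true(props, "idp.compare.endpoints"):
        findings.append(("idp.compare.endpoints", "SAML endpoints are not compared"))
    if int(props.get("idp.clock.skew", "0")) > max_skew:
        findings.append(("idp.clock.skew", "large skew widens the window in which a stale assertion is accepted"))
    if is_true(props, "idp.password.allowed") and not is_true(props, "idp.password.logout.delete"):
        findings.append(("idp.password.logout.delete", "cached password survives IDP logout"))
    if int(props.get("idp.credentials.cache.expiry.minutes", "0")) > max_cache_minutes:
        findings.append(("idp.credentials.cache.expiry.minutes", "credentials cached longer than a working day"))
    return findings

if __name__ == "__main__":
    print(audit(parse_properties(SAMPLE)))
```

Run it against the real files by reading /etc/idenprotect/idp.properties and /etc/idenprotect/idp/webserver.properties into one string in place of SAMPLE.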