Use this guide as a reference to configure a SecureAuth IdP realm that utilizes Valid Persistent Tokens and Second Factor Authentication methods.
Valid Persistent Tokens are generated by SecureAuth IdP as a Java certificate, device / browser fingerprint, UBC, or browser plug-in; and can be validated as a means of Multi-Factor Authentication.
This can be applied to any realm to access web, SaaS, mobile, or network applications and devices, and SecureAuth IdP out-of-the-box Identity Management (IdM) tools via Multi-Factor Authentication.
NOTE: The configuration steps vary between SecureAuth IdP 9.0.x versions. Select either 9.0.0 or 9.0.1+ to view the appropriate guidelines.
This configuration requires steps to be taken in two (2) distinct realms (Realm A and Realm B).
Realm A can be configured as preferred, as long as the steps below are included.
SecureAuth IdP 9.0.0 Configuration Steps
Realm A Configuration Steps
1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown
2. Select Device/Browser Fingerprinting from the Client Side Control dropdown
See additional Fingerprinting configuration steps below in the Realm B Configuration Steps
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property
3. Select Private and Public Mode or Private Mode Only from the Public/Private Mode dropdown
When the realm is in Private Mode, a persistent token is generated
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
Realm B Configuration Steps
4. In the Product Configuration section of Realm B, select Certification Enrollment and Validation from the Integration Method dropdown
5. Select Device/Browser Fingerprinting from the Client Side Control dropdown
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property (see image example in step 2)
6. Select Valid Persistent Token + Registration Code or Valid Persistent Token + Reg Code + Password from the Authentication Mode dropdown
7. Private Mode Only will automatically be selected from the Public/Private Mode dropdown
8. Default Private will automatically be selected from the Default Public/Private dropdown
9. Select True from the Remember User Selection dropdown
10. Set the Invalid Persistent Token Redirect to the Realm A URL to enable end-users to re-enroll for a persistent token to access this realm
11. Leave the rest as Default
12. Select Send Token Only from the Receive Token dropdown
13. Select False from the Require Begin Site dropdown
14. Leave the rest as Default
15. Select Private Mode Cert Length from the Certificate Expiration dropdown
16. Select Cert Expiration Date from the Certificate Valid Until dropdown
17. Set the Private Mode Cert Length to the number of days during which the certificate will be valid, e.g. 180 Days
18. Set the Public Mode Cert Length to the number of hours during which the public certificate will be valid, e.g. 4320 Hours
19. Select Disabled from the Check CRL dropdown
These configuration steps should be completed in Realm A and Realm B
20. Set the Weights of each component to add or subtract significance to or from specific characteristics that will combine to create the fingerprint
The HTTP Headers and System Components weights must equal 100%
A typical configuration is shown in the image, or use the defaults in the SecureAuth IdP Web Admin
21. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown
22. Leave the Cookie name prefix and Cookie length fields default or blank
23. Select False from the Match FP in cookie dropdown
24. Set the Authentication Threshold to 90-100% based on preference
25. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
26. In the Mobile Settings section, select Cookie from the FP Mode dropdown
27. Leave the Cookie name prefix as the default, or set it to a preferred name
28. Set the Cookie Length to the number of hours during which the cookie will be valid, e.g. 72 Hours
29. Select True from the Match FP in cookie dropdown
30. Select True from the Skip IP Match dropdown
31. Set the Authentication Threshold to 90-100% based on preference
32. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
33. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint
34. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage
35. Set the Total FP max count to -1, unless there is a maximum number of fingerprints that can be stored at a given time
If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8
36. Select Allow to replace from the When exceeding max count dropdown if a maximum Total FP max count is set
Otherwise, leave as default
37. Select Created Time from the Replace in order by dropdown if a maximum Total FP max count is set
Otherwise, leave as default
38. Set the FP's access records max count to 5
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
39. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm
Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
This configuration step should be completed in Realm A and Realm B
40. In the Plugin Info section, select False from the Java Detection dropdown
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
SecureAuth IdP 9.0.1+ Configuration Steps
Realm A Configuration Steps
1. In the Device Recognition Method section, select Certification Enrollment and Validation from the Integration Method dropdown
2. Select Device / Browser Fingerprinting from the Client Side Control dropdown
See additional Fingerprinting configuration steps below in the Realm B Configuration Steps
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property
3. Select Private and Public Mode or Private Mode Only from the Public / Private Mode dropdown
When the realm is in Private Mode, a persistent token is generated
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
Realm B Configuration Steps
4. In the Device Recognition Method section of Realm B, select Certification Enrollment and Validation from the Integration Method dropdown
5. Select Device / Browser Fingerprinting from the Client Side Control dropdown
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property (see image example in step 2)
6. Select Private Mode Cert Length from the Certificate Expiration dropdown
7. Select Cert Expiration Date from the Certificate Valid Until dropdown
8. Set the Private Mode Cert Length to the number of days during which the certificate will be valid, e.g. 180 Days
9. Set the Public Mode Cert Length to the number of hours during which the public certificate will be valid, e.g. 4320 Hours
10. Select Disabled from the Check CRL dropdown
These configuration steps should be completed in Realm A and Realm B
11. Set the Weights of each component to add or subtract significance to or from specific characteristics that will combine to create the fingerprint
The HTTP Headers and System Components weights must equal 100%
A typical configuration is shown in the image, or use the defaults in the SecureAuth IdP Web Admin
12. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown
13. Leave the Cookie name prefix and Cookie length fields default or blank
14. Select False from the Match FP in cookie dropdown
15. Set the Authentication Threshold to 90-100% based on preference
16. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
17. In the Mobile Settings section, select Cookie from the FP Mode dropdown
18. Leave the Cookie name prefix as the default, or set it to a preferred name
19. Set the Cookie Length to the number of hours during which the cookie will be valid, e.g. 72 Hours
20. Select True from the Match FP in cookie dropdown
21. Select True from the Skip IP Match dropdown
22. Set the Authentication Threshold to 90-100% based on preference
23. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
24. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint
25. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage
26. Set the Total FP max count to -1, unless there is a maximum number of fingerprints that can be stored at a given time
If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8
27. Select Allow to replace from the When exceeding max count dropdown if a maximum Total FP max count is set
Otherwise, leave as default
28. Select Created Time from the Replace in order by dropdown if a maximum Total FP max count is set
Otherwise, leave as default
29. Set the FP's access records max count to 5
30. Select (Valid Persistent Token) | Second Factor or (Valid Persistent Token) | Second Factor | Password from the Default Workflow dropdown
31. Private Mode Only will automatically be selected from the Public / Private Mode dropdown
32. Default Private will automatically be selected from the Default Public / Private dropdown
33. Select True from the Remember User Selection dropdown
34. Set the Invalid Persistent Token Redirect to the Realm A URL to enable end-users to re-enroll for a persistent token to access this realm
35. Leave the rest as Default
36. Select Send Token Only from the Receive Token dropdown
37. Select False from the Require Begin Site dropdown
38. Leave the rest as Default
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
39. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
This configuration step should be completed in Realm A and Realm B
40. In the Plugin Info section, select False from the Java Detection dropdown
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
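The fingerprint settings above (component Weights totalling 100%, an Authentication Threshold that must exceed the Update Threshold, and Total FP max count with Allow to replace by Created Time) are easier to reason about with a small model. The following is an added illustration, not SecureAuth code: it assumes a match score is the weighted share of components whose observed value equals the stored one, and that a score at or above the Update Threshold but below the Authentication Threshold refreshes the stored fingerprint; the component names and weights are constructed.

```python
from dataclasses import dataclass, field

# Constructed component weights; the guide requires that they total 100%.
WEIGHTS = {"user_agent": 20, "accept_headers": 10, "plugins": 20,
           "screen": 20, "timezone": 10, "fonts": 20}

@dataclass
class StoredFP:
    components: dict
    created: float   # epoch seconds; used for "Replace in order by: Created Time"

@dataclass
class FPStore:
    max_count: int = -1                        # -1 = unlimited, as in the guide
    fps: list = field(default_factory=list)

def validate_thresholds(weights, auth_threshold, update_threshold):
    """Return the guide's constraints that the settings violate (empty = OK)."""
    problems = []
    if sum(weights.values()) != 100:
        problems.append("HTTP Headers and System Components weights must equal 100%")
    if not update_threshold < auth_threshold:
        problems.append("Update Threshold must be less than Authentication Threshold")
    return problems

def match_score(stored, observed, weights=WEIGHTS):
    """Assumed scoring model: weighted percentage of components that match exactly."""
    return sum(w for name, w in weights.items() if stored.get(name) == observed.get(name))

def evaluate(store, observed, auth_threshold=95, update_threshold=85, weights=WEIGHTS):
    """Classify an observed fingerprint against the fingerprints stored for the user."""
    problems = validate_thresholds(weights, auth_threshold, update_threshold)
    if problems:
        raise ValueError("; ".join(problems))
    best = max(store.fps, key=lambda fp: match_score(fp.components, observed, weights),
               default=None)
    score = match_score(best.components, observed, weights) if best else 0
    if score >= auth_threshold:
        return "valid", score                  # persistent token accepted as-is
    if score >= update_threshold:
        best.components = dict(observed)       # browser drifted slightly: refresh stored FP
        return "valid_after_update", score
    return "invalid", score                    # Realm B redirects to Realm A to re-enroll

def enroll(store, observed, now):
    """Store a new fingerprint, honouring Total FP max count / Allow to replace / Created Time."""
    if store.max_count != -1 and len(store.fps) >= store.max_count:
        store.fps.remove(min(store.fps, key=lambda fp: fp.created))   # drop the oldest
    store.fps.append(StoredFP(dict(observed), now))
    return len(store.fps)
```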