Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This article describes authentication profiles in Smart ID Identity Manager and how to configure them. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to.
Authentication is done in two steps:
- Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.
- Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.
The following authentication profiles are available:
Authentication profile | Authentication / Login mechanism | User / Principal | Authorization / Roles / Permissions |
---|---|---|---|
Internal In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account. | Login with username and password based on internal user table | Username | Roles from internal roles table |
LDAP | External login mechanism based on LDAP | DN from LDAP configuration | Group membership in LDAP directory is mapped to internal roles |
LDAP Core Object | External login mechanism based on LDAP | DN from LDAP configuration | Internal roles mapped to core objects |
Client Certificate and LDAP | Client certificate login based on LDAP | Configured attribute in certificate | Group membership in LDAP directory is mapped to internal roles |
Client Certificate Internal In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. | Client certificate login based on internal user | Configured attribute in certificate | Roles from internal roles table |
Client Certificate Core Object | Client certificate login based on Core Objects | Configured attribute in certificate | Internal roles mapped to core objects |
Smart Card and Core Object This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object. | Smart card certificate | Configured attribute in certificate | Internal roles mapped to core objects |
Username and Password Core Object | Login with username and password based on core objects | Username | Internal roles mapped to core objects |
SAML SSO Core Object | External login with SAML SSO | Configured attribute in SAML token | Internal roles mapped to core objects |
SAML SSO LDAP | External login with SAML SSO. | Configured attribute in SAML token | Group membership in LDAP directory is mapped to internal roles |
SAML SSO Group | External login with SAML SSO. | Configured attribute in SAML token | Configured attribute in SAML token |
Prerequisites
Expand | ||
---|---|---|
| ||
The following prerequisites apply:
|
Step-by-step instruction
Expand | ||
---|---|---|
| ||
To set up an authentication profile:
|
Configure profile types
The configuration of authentication profiles differs according to the different profile types.
Find your selected authentication profile type below and follow the instruction to set up the configuration.
Expand | ||
---|---|---|
| ||
No further configuration required. |
Expand | ||
---|---|---|
| ||
|
Expand | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||
|
Expand | |||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||
|
Expand | ||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||
|
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
|
Expand | ||
---|---|---|
| ||
|
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
|
Expand | |||||||
---|---|---|---|---|---|---|---|
| |||||||
|
Expand | ||
---|---|---|
| ||
|
Expand | |||||
---|---|---|---|---|---|
| |||||
This authentication profile analyzes the SAML response only to determine the user's roles after a successful login. The administrator has to configure the attribute which will be read/parsed from the SAML response.
|
Configure post-login process
Expand | ||
---|---|---|
| ||
In order for a process to be started after you login in Identity Manager Operator and Self-Service (if applicable), the process must end with the service task "Login - Finalize post-login process", see Login - Standard service tasks in Identity Manager. The post-login process is available for all authentication profiles.
When you configure a post-login process for an authentication profile which is core object based (that is: Username with Password Core Object, Client Certificate Core Object, LDAP Core Object and SAML SSO Core Object), add the process for each core template with which it should be used, as additional command.
|
Tenant ID settings
Expand | ||
---|---|---|
| ||
Using the correct URL, the desired authentication method can be called directly. You need to give a valid tenant ID (language will depend on browser language). Read more under headings "Login" and "Admin page" in Identity Manager Operator. Authentication method CertificateUse this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/cert/login?tenantId=X (Example: https://localhost:8444/idm-admin/cert/login?tenantId=32768) The port (default is 8444) must be configured in system.properties. Authentication method SAMLUse this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/saml/login?tenantId=X (Example: http://localhost:8080/idm/saml/login?tenantId=1) Validate tenant idYou can use the flag "tenantContextFilter.shouldValidateTenant" in system.properties of Identity Manager for validation of the tenant id:
|
Configure Smart ID Self-Service login page
Expand | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||
Smart ID Self-Service has additional configuration options for the login page. You can enable or disable the different login mechanism in config.json, see this table:
|
Configure Identity Manager Operator login page
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
|
Expand | ||
---|---|---|
| ||
|