Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated for Smart ID 23.10.5.
Info
This article includes updates for Smart ID 23.04.13.

This article describes authentication profiles in Smart ID Identity Manager and how to configure the profiles. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to. 

Authentication is done in two steps:

  1. Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.
  2. Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

...

Authentication / Login mechanism

...

Authorization / Roles / Permissions

...

Internal

In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account.

...

External login mechanism based on LDAP

...

Client Certificate and LDAP

...

Client Certificate Internal

In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production.  

...

Client Certificate Core Object

...

Internal roles mapped to core objects

...

Smart Card and Core Object

This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object.

...

Internal roles mapped to core objects

...

Internal roles mapped to core objects

...

SAML SSO Core Object (*)

...

Configured attribute in SAML token

...

Internal roles mapped to core objects

...

Configured attribute in SAML token

...

Configured attribute in SAML token

...

(*) For SAML, an extra layer of security is added by limiting the role assignment based on authentication method. For more information, see the instructions for SAML SSO Core Object, SAML SSO LDAP, and SAML SSO Group profiles below.

Prerequisites

...

titlePrerequisites

...

For SAML authentication, it is required to have an identity provider, such as Smart ID Digital Access component (Hybrid Access Gateway), with the correct configuration for Identity Manager authentication. For information and examples with Digital Access, see Enable two-factor authentication to Identity Manager clients via SAML federation.

Step-by-step instruction

...

titleSet up authentication profile

To set up an authentication profile:

...

Select a Profile type:
Image Removed

Note

The Internal profile is not available for selection, since it is created by default in any Identity Manager installation and only one internal profile is allowed.

...

Configure profile types

The configuration of authentication profiles differs according to the different profile types. Find your selected authentication profile type below and follow the instruction to set up the configuration.  

...

titleConfigure Internal profile

The system will lock internal users after too many failed logins. The users can be unlocked automatically after a certain amount of time. To configure this, follow the instructions below.

Administrator

In Identity Manager Admin, do the following:

...

Tenant

 In Identity Manager Tenant, do the following:

  1. Open the tenant application and navigate to the icon next to the info button. A dialog appears.
  2. Define the Maximum failed login count.
  3. Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.
  4. Click Save.
Expand
titleConfigure internal profile with client certificate

In Client Certificate Configuration: select the method which extracts the information from the certificate used to identify the user:

  • User Principal Name (UPN)
  • SAN Email (RFC822Name)
  • Subject CN
  • Subject Email
  • Object Security Identifier (objectSid)
Configure LDAP
Expand
title
Info

This article includes updates for Smart ID 23.10.5.

This article describes authentication profiles in Smart ID Identity Manager and how to configure the profiles. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to. 

Authentication is done in two steps:

  1. Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.

  2. Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

Authentication profile

Authentication / Login mechanism

User / Principal

Authorization / Roles / Permissions

Internal

In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account.

Login with username and password based on internal user table

Username

Roles from internal roles table

LDAP

External login mechanism based on LDAP

DN from LDAP configuration

Group membership in LDAP directory is mapped to internal roles

LDAP Core Object

External login mechanism based on LDAP

DN from LDAP configuration

Internal roles mapped to core objects

Client Certificate and LDAP

Client certificate login based on LDAP

Configured attribute in certificate

Group membership in LDAP directory is mapped to internal roles

Client Certificate Internal

In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production.  

Client certificate login based on internal user

Configured attribute in certificate

Roles from internal roles table

Client Certificate Core Object

Client certificate login based on Core Objects

Configured attribute in certificate

Internal roles mapped to core objects

Smart Card and Core Object

This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object.

Smart card certificate

Configured attribute in certificate

Internal roles mapped to core objects

Username and Password Core Object

Login with username and password based on core objects

Username

Internal roles mapped to core objects

SAML SSO Core Object (*)

External login with SAML SSO

Configured attribute in SAML token


Internal roles mapped to core objects

SAML SSO LDAP  (*)

External login with SAML SSO. 

Configured attribute in SAML token

Group membership in LDAP directory is mapped to internal roles

SAML SSO Group (*)

External login with SAML SSO. 

Configured attribute in SAML token

Configured attribute in SAML token

(*) For SAML, an extra layer of security is added by limiting the role assignment based on authentication method. For more information, see the instructions for SAML SSO Core Object, SAML SSO LDAP, and SAML SSO Group profiles below.

Prerequisites

Expand
titlePrerequisites

Step-by-step instruction

Expand
titleSet up authentication profile

To set up an authentication profile:

  1. Go to Home > Authentication Profiles.

  2. Click +New to add an authentication profile.

    1. Select a Profile type:
      Image Added

      Note

      The Internal profile is not available for selection, since it is created by default in any Identity Manager installation and only one internal profile is allowed.


    2. For SAML profiles, the Priority will be assigned automatically.

    3. Click Save + Edit.

      A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.

  3. For all authentication profiles there is a Processes tab. Select from the drop-down list, which process that shall run after a successful login in Identity Manager Operator. Read more in section Set up authentication profile in Identity Manager#Configure post-login process.

  4. To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of authentication profiles differs according to the different profile types. Find your selected authentication profile type below and follow the instruction to set up the configuration.  

Expand
titleConfigure Internal profile

The system will lock internal users after too many failed logins. The users can be unlocked automatically after a certain amount of time. To configure this, follow the instructions below.

Administrator

In Identity Manager Admin, do the following:

  1. In Identity Manager Admin, Go to Home > Authentication Profiles.

  2. Select the profile with an INTERNAL profile type.

  3. Define the Maximum failed login count.

  4. Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.

  5. Click Save

Tenant

 In Identity Manager Tenant, do the following:

  1. Open the tenant application and navigate to the icon next to the info button. A dialog appears.

  2. Define the Maximum failed login count.

  3. Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.

  4. Click Save.


Expand
titleConfigure internal profile with client certificate

In Client Certificate Configuration: select the method which extracts the information from the certificate used to identify the user:

  • User Principal Name (UPN)

  • SAN Email (RFC822Name)

  • Subject CN

  • Subject Email

  • Object Security Identifier (objectSid)


Expand
titleConfigure LDAP profile
  1. In Connection settings:

    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      Panel
      titleExample: Connection string

      Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 

  2. In User search:

    1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.

    2. Enter a Search pattern. Here are two examples:

      Panel
      titleExample: Search pattern

      Search pattern: (userPrincipalName={0})


      Panel
      titleExample: Search pattern using Distinguished Name (DN) of user

      Search pattern: cn={0},ou=users


    3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

  3. In Group search:

    1. In Basis for group search, enter the subpath to the group information in LDAP.
      For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

      Panel
      titleExample: Basis for group search
      Basis for group search: ou=groups


    2. In Filter for group search, enter afilter expression, that defines the search starting with the subpath above.

      For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

      Panel
      titleExample: Filter for group search

      Filter for group search: (member={0})


    3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

      For example, enter the following:

      Panel
      titleExample: Attribute for group

      Attribute for group: cn


  4. Group Permissions

    1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.

    2. Click + to add an LDAP group to the Groups list

    3. Select the roles that should be assigned to that LDAP group in the Roleslist.


Configure LDAP Core Object profile
Expand
titleConfigure LDAP Core Object profile
title
  1. In Connection settings:

    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      Panel
      titleExample: Connection string

      Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 

  2. In User search:

    1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.

    2. Enter a Search pattern. Here are two examples:

      Panel
      titleExample: Search pattern

      Search pattern: (userPrincipalName={0})


      Panel
      titleExample: Search pattern using Distinguished Name (DN) of user

      Search pattern: cn={0},ou=users


    3. If password comparison was selected

, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption. In Group search:

In Basis for group search, enter the subpath to the group information in LDAP.
For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

Panel
titleExample: Basis for group search
Basis for group search: ou=groups
In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.

For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

Panel
titleExample: Filter for group search

Filter for group search: (member={0})

In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

For example, enter the following:

Panel
titleExample: Attribute for group

Attribute for group: cn

Group Permissions
  • Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
  • Click + to add an LDAP group to the Groups list
  • Select the roles that should be assigned to that LDAP group in the Roles list.
    Expand
      1. , enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

    1. Go to the Core Object Configuration tab and do the following settings:

      1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.

      2. In User name field, select the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.

      3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.


  • If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
  • where

    ou = organizationalUnitName
    dc = domainComponent
    For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
  • In Username and Password, enter the Active Directory domain user name and password. 
  • In User search:

    Enter a Search pattern. Here are two examples:

    Expand
    titleConfigure Client Certificate and LDAP profile


    Note

    If you have, for example, an Apache proxy or F5 proxy in front of Identity Manager which enforces client authentication with TLS, you need to add an SSLValve to your Tomcat server.xml under <SMARTIDHOME>/docker/compose/config/idm-tomcat-server.xml

    <Valve className="org.apache.catalina.valves.SSLValve" />

    See: https://tomcat.apache.org/ for more information.

    1. In Client Certificate Configuration: select the method, which extracts the information from the certificate used to identify the user:

      1. User Principal Name (UPN)

      2. SAN Email (RFC822Name)

      3. Subject CN

      4. Subject Email

      5. Object Security Identifier (objectSid)

    2. In Connection settings:

      1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

        Panel
        titleExample: Connection string

        Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

        where

        ou = organizationalUnitName
        dc = domainComponent

        For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

      2. In Username and Password,

    enter the Active Directory domain user name and password. In User search:
  • Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
      1. enter the Active Directory domain user name and password. 

    1. In User search:

      1. Enter a Search pattern. Here are two examples:

        Panel
        titleExample: Search pattern

        Search pattern: (userPrincipalName={0})


        Panel
        titleExample: Search pattern using Distinguished
    Name (DN) of user

    Search pattern: cn={0},ou=users

    Insert excerpt
    Copy of Set up authentication profile in Identity ManagerCopy of Set up authentication profile in Identity Manager
    nopaneltrue
    Expand
    titleConfigure Client Certificate and LDAP profile
    Note

    If you have, for example, an Apache proxy or F5 proxy in front of Identity Manager which enforces client authentication with TLS, you need to add an SSLValve to your Tomcat server.xml under <SMARTIDHOME>/docker/compose/config/idm-tomcat-server.xml

    <Valve className="org.apache.catalina.valves.SSLValve" />

    See: https://tomcat.apache.org/ for more information.

  • In Client Certificate Configuration: select the method, which extracts the information from the certificate used to identify the user:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email
    5. Object Security Identifier (objectSid)
  • In Connection settings:In Connection string, enter the URL of the LDAP server and base address in the directory service, for example
      1. Name (DN) of user

        Search pattern: cn={0},ou=users


      2. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

    1. In Group search:

      1. In Basis for group search, enter the subpath to the group information in LDAP.
        For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

        Panel
        titleExample:
    Connection string

    Connection string: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local

    Panel
    titleExample: Search pattern

    Search pattern: (userPrincipalName={0})

    Panel
    titleExample: Search pattern using Distinguished Name (DN) of user

    Search pattern: cn={0},ou=users

  • If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
  • In Group search:

    In Basis for group search, enter the subpath to the group information in LDAP.
    For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:

    Panel
    titleExample: Basis for group search
    Basis for group search: ou=groups
    In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.

    For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

    Panel
    titleExample: Filter for group search

    Filter for group search: (member={0})

    In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

    For example, enter the following:

    Panel
    titleExample: Attribute for group

    Attribute for group: cn

  • Group Permissions
    1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
    2. Click + to add an LDAP group to the Groups list
    3. Select the roles that should be assigned to that LDAP group in the Roles list.
  • Expand
    titleConfigure Client Certificate Core Object profile
    Note

    If you have, for example, an Apache proxy or F5 in front of Identity Manager which enforces client authentication with TLS, you need to add an SSLValve to your Tomcat server.xml under <SMARTIDHOME>/docker/compose/config/idm-tomcat-server.xml

    <Valve className="org.apache.catalina.valves.SSLValve" />

    See: https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/SSLValve.html for more information.

    In Client Certificate Configuration
      1. Basis for group search
        Basis for group search: ou=groups


      2. In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.

        For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:

        Panel
        titleExample: Filter for group search

        Filter for group search: (member={0})


      3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

        For example, enter the following:

        Panel
        titleExample: Attribute for group

        Attribute for group: cn


    1. Group Permissions

      1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.

      2. Click + to add an LDAP group to the Groups list

      3. Select the roles that should be assigned to that LDAP group in the Roles list.


    Expand
    titleConfigure Client Certificate Core Object profile


    Note

    If you have, for example, an Apache proxy or F5 in front of Identity Manager which enforces client authentication with TLS, you need to add an SSLValve to your Tomcat server.xml under <SMARTIDHOME>/docker/compose/config/idm-tomcat-server.xml

    <Valve className="org.apache.catalina.valves.SSLValve" />

    See: https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/valves/SSLValve.html for more information.

    1. In Client Certificate Configuration: select the method, which extracts the information from the certificate used to identify the user:

      1. User Principal Name (UPN)

      2. SAN Email (RFC822Name)

      3. Subject CN

      4. Subject Email

      5. Object Security Identifier (objectSid)

    2. Go to the Core Object Configuration tab and do the following settings:

      1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.

      2. In User name field, select the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.

      3. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.


    Expand
    titleConfigure Smart Card and Core Object profile


    Note

    This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use the Client Certificate Core Object profile.

    Note

    This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use the Client Certificate Core Object profile.

  • In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:
    1. User Principal Name (UPN)
    2. SAN Email (RFC822Name)
    3. Subject CN
    4. Subject Email
    5. Object Security Identifier (objectSid)
  • In User identification: enter details to map the userPrincipalName to a core object.
    In Identity template, select one or more core
    1. In Certificate settings: select the method, which extracts the information from the certificate used to identify the user:

      1. User Principal Name (UPN)

      2. SAN Email (RFC822Name)

      3. Subject CN

      4. Subject Email

      5. Object Security Identifier (objectSid)

    Insert excerpt
    Copy of Set up authentication profile in Identity ManagerCopy of Set up authentication profile in Identity Manager
    nopaneltrue
    Expand
    titleConfigure Smart Card and Core Object profile
    1. In User identification: enter details to map the userPrincipalName to a core object.

      1. In Identity template, select one or more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.

      2. In User name field, select the core object field to match the user, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.

      3. In User display, enter fields in a comma separated list, for example FirstName,LastName. These fields are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.


    Expand
    titleConfigure Username with Password Core Object profile
    1. Go to the Core Object Configuration tab and do the following settings:

      1. In Identity template, select one or more core object types, for example, Employee

     and 
      1.  and Contractor, on which the core object search will be performed. The first matching template will be used.

      2. In

     
      1. User name field, select

    the
      1. the core object field to match the user principal,

     for example 
      1. for example UPN

     or 
      1. or Email. Identity Manager will use it to search the core object in the selected identity template.

      2. In

     
      1. User display, enter fields in a

     comma
      1. comma separated list, for

    example 
      1. example FirstName, LastName.

     These
      1. These fields

    are
      1. are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.



        1. Example: Excerpt from a metadata file

    Expand
    titleConfigure Username with Password Core Object profile
    Insert excerpt
    Copy of Set up authentication profile in Identity ManagerCopy of Set up authentication profile in Identity Manager
    nopaneltrue
    Expand
    titleConfigure SAML SSO Core Object profile
    1. Prepare the required SAML configuration files. For file examples, refer to Enable two-factor authentication to Identity Manager clients via SAML federation.

      1. You need one metadata file for each Service Provider, that is, one file for Identity Manager Operator, one file for Smart ID Self-Service and one file for other Service Providers that you configure.

      2. You also need the metadata file of your Identity Provider and a keystore containing all the keys you would like to use for encryption or signing.

    2. Go to the SAML Configuration tab and do the following settings:

      1. In Identity Provider Configuration:

        1. Upload a Configuration file 
          Here you can upload and delete the metadata file for an identity provider. The metadata file must contain only one identity provider configuration and no service provider configurations.

        2. Select an Attribute Type
          This is the identifying element of a SAML response. Despite the name, it can contain other elements than attributes. It can have two values, Name ID and Attribute Statement. Name ID refers to the subject of a SAML response,

     Attribute
        1.  Attribute Statement refers to attributes associated with the subject of a SAML response.

        2. Enter Attribute Name
          This field is only active

    when 
        1. when Attribute Statement

     is
        1.  is selected

    as title
        1. as Attribute Type. It can be any arbitrary value.

      1. In Keystore Configuration:

        1. Upload a Configuration file
          Here you can upload and delete key store file. The key store file must contain the certificates and the private key used for signing and decryption. A key store is mandatory.  When a key store is uploaded, the key store's password must be entered. Objects in the key store, if protected with a password, must have the same password as the key store itself.

        2. Available key aliases
          List of the aliases that mark private keys in the key store.

      2. In Service Provider Configurations:

        1. Click on the + button to add a service provider. 

        2. This view lists the aliases of the service providers. Any arbitrary number of service providers is allowed but at least one service provider is required. An uploaded service provider must use only private keys available in the key store. If you upload a service provider metadata file that violates the SAML metadata schema, this triggers an error message.

      3. In Service Provider Details:

        1. Alias
          In this context, Alias refers to the location and thus the service provider to use when sending the SAML response to the application for processing. An Alias is mandatory.

          This is an example of an excerpt from a typical metadata file that defines the Assertion Consumer Service responsible for processing the SAML response. The Alias in this case is "explorer".


    Code Block
    Code Block
    ...
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://hostname:8080/prime_explorer/saml/SSO/alias/explorer" index="0" isDefault="true"/>
    ...

     

  • Configuration File
    Click on the upload symbol and select the metadata file. 

    This field is mandatory. The metadata file must contain only one service provider configuration and no identity provider configurations. If the file is deleted and re-uploaded, Alias must be reset according to the metadata file.

  • Alias for Signing Key
    The alias from the key store for the private key to use for signing. This field is mandatory.

  • Alias for Encryption Key
    The alias from the key store for the private key to use for encryption purposes. This field is mandatory.

  • excerpt
    1. Go to the Core Object Configuration

    tab
    1. tab and do the following settings:

      1. In Identity template, select one or

    more core
      1. more core object types, for example, Employee and Contractor, on which the core object search will be performed. The first matching template will be used.

      2. In User name field, select

    the title
      1. the core object field to match the user principal, for example UPN or Email. Identity Manager will use it to search the core object in the selected identity template.

      2. In User display, enter fields in a comma separated list, for example FirstName, LastName. These fields are used to display the logged in user in Identity Manager Operator or Smart ID Self-Service.

      Optional:

    1. Go to the Authentication Method tab and do the following settings:

      1. In Authentication Method, click + to add the reference (AuthnContextClassRef) for the authentication method you want to add. You can find the reference in the Identity Provider, or in the SAML response. If a role has no AuthnContextClassRef assigned, the authentication method check will be skipped.

        This is an example of an AuthnContextClassRef snippet in a SAML response. (The value here is: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport):  

    Code Block
      1. Example: SAML response

        Code Block
        <saml:AuthnContext>
         <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
        </saml:AuthnContext>


        These AuthnContextClassRef examples are based on OASIS Standard documentation. See https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf for more information.

    Code Blocktitle
      1. Examples: AuthnContextClassRef

        Code Block
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
        urn:oasis:names:tc:SAML:2.0:ac:classes:X509
        urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract


        Note

        Custom string can also be configured as an AuthnContextClassRef. See the Identity Provider configuration.


      2. Map the added authentication method to a role by selecting the role you want to use and checking the check box for the authentication method.

        Note

        By mapping authentication methods to roles, you will restrict a user of certain roles depending on the authentication method used to log in. This adds an extra layer of security. If no authentication method is configured, all roles are allowed to be assigned to the user regardless of how the user is authenticated with the Identity Provider.



    1. Go to the SAML Configuration tab.

      1. Do the same settings as described above under heading "Configure SAML SSO Core Object profile".

    2. Go to the LDAP Configuration tab.

      1. If you have already a configured LDAP profile, copy the information to here. See heading "Configure LDAP profile" above.

    Expand
    titleConfigure SAML SSO LDAP profile
    title
    Note

    The Direct binding and With password comparison selection are NOT used for the SAML SSO LDAP profile.


  • Go to the LDAP Group Permissions tab.

    1. See under heading "Configure LDAP profile" above.

      Optional:

  • Go to the Authentication Method tab and do the following settings:

    1. In Authentication Method, click + to add the reference (AuthnContextClassRef) for the authentication method you want to add. You can find the reference in the Identity Provider, or in the SAML response. If a role has no AuthnContextClassRef assigned, the authentication method check will be skipped.

      This is an example of an AuthnContextClassRef snippet in a SAML response. (The value here is: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport): 

  • Code Blocktitle
      1. Example: SAML response

        Code Block
        <saml:AuthnContext>
         <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
        </saml:AuthnContext>

        These AuthnContextClassRef examples are based on OASIS Standard documentation. See https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf for more information.

    Code Block

      1. Examples: AuthnContextClassRef

        Code Block
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
        urn:oasis:names:tc:SAML:2.0:ac:classes:X509
        urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract


        Note

        Custom string can also be configured as an AuthnContextClassRef. See the Identity Provider configuration.


      2. Map the added authentication method to a role by selecting the role you want to use and checking the check box for the authentication method.

        Note

        By mapping authentication methods to roles, you will restrict a user of certain roles depending on the authentication method used to log in. This adds an extra layer of security. If no authentication method is configured, all roles are allowed to be assigned to the user regardless of how the user is authenticated with the Identity Provider.



    1. Go to the SAML Configuration tab.

      1. Do the same settings as described above under heading "Configure SAML SSO Core Object profile".

    2. Go to the SAML Group Mapping tab

      1. Specify the attribute name in the SAML response which will contain the user's groups.
        Example with "my-groups":

      1. Example SAML response

    Expand
    titleConfigure SAML SSO Group profile

    This authentication profile analyzes the SAML response only to determine the user's roles after a successful login. The administrator has to configure the attribute which will be read/parsed from the SAML response.

    title
    Code Block
    Code Block
    <saml:Attribute Name="my-groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
       <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
       <saml:AttributeValue xsi:type="xs:string">another-role-of-your-user</saml:AttributeValue>
    </saml:Attribute>

    For more information see https://www.samltool.com/generic_sso_res.php.

  • (copied from LDAP:)

  • Map the groups from the SAML response to internal Identity Manager roles:

    1. Click + to add a group to the Groups list

    2. Select the roles that should be assigned to that group in the Roles list.

  • Click Save.

    Optional:

  • Go to the Authentication Method tab and do the following settings:

    1. In Authentication Method, click + to add the reference (AuthnContextClassRef) for the authentication method you want to add. You can find the reference in the Identity Provider, or in the SAML response. If a role has no AuthnContextClassRef assigned, the authentication method check will be skipped.

      This is an example of an AuthnContextClassRef snippet in a SAML response. (The value here is: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport): 

  • code
    title
      1. Example: SAML response

        Code Block
        <saml:AuthnContext>
         <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef>
        </saml:AuthnContext>

        These AuthnContextClassRef examples are based on OASIS Standard documentation. See https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf for more information.

    Code Blocktitle
      1. Examples: AuthnContextClassRef

        Code Block
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
        urn:oasis:names:tc:SAML:2.0:ac:classes:X509
        urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken
        urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract


        Note

        Custom string can also be configured as an AuthnContextClassRef. See the Identity Provider configuration.


      2. Map the added authentication method to a role by selecting the role you want to use and checking the check box for the authentication method.

        Note

        By mapping authentication methods to roles, you will restrict a user of certain roles depending on the authentication method used to log in. This adds an extra layer of security. If no authentication method is configured, all roles are allowed to be assigned to the user regardless of how the user is authenticated with the Identity Provider.


    Configure post-login process

    Expand
    titleConfigure post-login process

    In order for a process to be started after you login in Identity Manager Operator and Self-Service (if applicable), the process must end with the service task "Login - Finalize post-login process", see Login - Standard service tasks in Identity Manager. The post-login process is available for all authentication profiles.

    • A post-login process is automatically executed after successfully authenticating the user.

    • The user will be forwarded to Identity Manager Operator and Self-Service (if applicable) only if the process completed successfully.

    • The post-login process is executed under the internal user named loginProcessUser.

    • Default is to not have a post-login process configured.

    When you configure a post-login process for an authentication profile which is core object based (that is: Username with Password Core Object, Client Certificate Core Object, LDAP Core Object and SAML SSO Core Object), add the process for each core template with which it should be used, as additional command.

    1. In Identity Manager Admin, Go to Home > Authentication Profiles.

    2. Select an authentication profile.

    3. In the Processes tab, select from the drop-down list to the left, which process that shall run after a successful login in:

      1. Identity Manager Operator (if applicable)
        OR

      2. Self-Service (if applicable)
        OR in both.

    4. Click Save.

    5. Go to Home > Process Designer.

    6. Select the same process as in step 3.

    7. In the Task List tab, add the service task "Login: Finalize Post-Login Process" in the Attributes field.

    8. In

    the 
    1. the Permissions

     tab
    1.  tab, add the

    user loginProcessUser to 
    1. user loginProcessUser to Start process

     and
    1.  and to other user tasks, if applicable. If used for SAML authentication in Self-Service, loginProcessUser

     should
    1.  should be added to

    the 
    1. the Show in Self-Service

     permission
    1.  permission as well.

    2. Click Save.

    Tenant ID settings

    Expand
    titleValidate Tenant ID

    To validate the tenant id, use the property tenantContextFilter.shouldValidateTenant in system properties of Identity Manager:

    • If set to true, an error page is shown when the selected tenant (passed in the URL) does not exist.

    • If set to false, the user will be redirected to the login page.

    • Default: tenantContextFilter.shouldValidateTenant=false


    title

    Call authentication method "Certificate" directly

    1. Use this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/cert/login?tenantId=X

    Expand
    titleCall authentication method directly

    If you use the correct URL, the desired authentication method can be called directly. You must give a valid tenant ID, the language will depend on browser language.

    For more information about the authentication methods, see Identity Manager Operator.

    Expand
    Panel
    titleExample

    https://localhost:8444/idm-admin/cert/login?tenantId=32768


  • Configure the port in system properties (default is 8444).

  • expand
    title

    Call authentication method "SAML" directly

    • Use this URL: https://<idmhost>:<idmPort>/<idmApplicationName>/saml/login?tenantId=X
       

      Panel
      titleExample

      http://localhost:8080/idm/saml/login?tenantId=1


    Configure Smart ID Self-Service login page

    Expand
    titleConfigure Smart ID Self-Service login page

    Smart ID Self-Service has additional configuration options for the login page.

    You can enable or disable the different login mechanism in config.json, see this table:

    Property

    Possible Values

    Default

    Graphical user interface

    userPassword.enabled

    true / false

    true

    Image Removed
    Image Added

    saml.enabled

    saml.enforced

    For more information, see Enable two-factor authentication to Identity Manager clients via SAML federation

    true

    true

    Image Removed
    Image Added

    clientCert.enabled

    true / false

    true

    Image Removed
    Image Added


    Configure Identity Manager Operator login page

    See Identity Manager Operatortrue .

    Expand
    titleConfigure Identity Manager Operator login page

    Insert excerpt
    Identity Manager Operatornopanel


    Expand
    titleLog in to Identity Manager Admin
    • Log in to Identity Manager Admin as an admin user.