This article includes updates for Smart ID 23.10.5.

This article describes authentication profiles in Smart ID Identity Manager and how to configure the profiles. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to.

Authentication is done in two steps:

Authentication: login in with a certain user credential. The user will be extracted from the credential depending on the authentication type.
Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

Authentication profile	Authentication / Login mechanism	User / Principal	Authorization / Roles / Permissions

Authentication profile	Authentication / Login mechanism	User / Principal	Authorization / Roles / Permissions
Internal In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account.	Login with username and password based on internal user table	Username	Roles from internal roles table
LDAP	External login mechanism based on LDAP	DN from LDAP configuration	Group membership in LDAP directory is mapped to internal roles
LDAP Core Object	External login mechanism based on LDAP	DN from LDAP configuration	Internal roles mapped to core objects
Client Certificate and LDAP	Client certificate login based on LDAP	Configured attribute in certificate	Group membership in LDAP directory is mapped to internal roles
Client Certificate Internal In the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production.	Client certificate login based on internal user	Configured attribute in certificate	Roles from internal roles table
Client Certificate Core Object	Client certificate login based on Core Objects	Configured attribute in certificate	Internal roles mapped to core objects
Smart Card and Core Object This authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object.	Smart card certificate	Configured attribute in certificate	Internal roles mapped to core objects
Username and Password Core Object	Login with username and password based on core objects	Username	Internal roles mapped to core objects
SAML SSO Core Object (*)	External login with SAML SSO	Configured attribute in SAML token	Internal roles mapped to core objects
SAML SSO LDAP (*)	External login with SAML SSO.	Configured attribute in SAML token	Group membership in LDAP directory is mapped to internal roles
SAML SSO Group (*)	External login with SAML SSO.	Configured attribute in SAML token	Configured attribute in SAML token

(*) For SAML, an extra layer of security is added by limiting the role assignment based on authentication method. For more information, see the instructions for SAML SSO Core Object, SAML SSO LDAP, and SAML SSO Group profiles below.

Prerequisites

You must have access to any required external systems, for example LDAP or SAML Identity provider (IDP).
For client certificate authentication, a working HTTPS configuration with client authentication on the Tomcat is required. See Configure https for Tomcat.
For SAML authentication, it is required to have an identity provider, such as Smart ID Digital Access component (Hybrid Access Gateway), with the correct configuration for Identity Manager authentication. For information and examples with Digital Access, see Enable two-factor authentication to Identity Manager clients via SAML federation.

Step-by-step instruction

To set up an authentication profile:

Go to Home > Authentication Profiles.
Click +New to add an authentication profile.
1. Select a Profile type:
2. For SAML profiles, the Priority will be assigned automatically.
3. Click Save + Edit.
  
  A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.
For all authentication profiles there is a Processes tab. Select from the drop-down list, which process that shall run after a successful login in Identity Manager Operator. Read more in section Set up authentication profile in Identity Manager#Configure post-login process.
To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of authentication profiles differs according to the different profile types. Find your selected authentication profile type below and follow the instruction to set up the configuration.

The system will lock internal users after too many failed logins. The users can be unlocked automatically after a certain amount of time. To configure this, follow the instructions below.

Administrator

In Identity Manager Admin, do the following:

In Identity Manager Admin, Go to Home > Authentication Profiles.
Select the profile with an INTERNAL profile type.
Define the Maximum failed login count.
Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.
Click Save.

Tenant

In Identity Manager Tenant, do the following:

Open the tenant application and navigate to the icon next to the info button. A dialog appears.
Define the Maximum failed login count.
Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.
Click Save.

In Client Certificate Configuration: select the method which extracts the information from the certificate used to identify the user:

User Principal Name (UPN)
SAN Email (RFC822Name)
Subject CN
Subject Email
Object Security Identifier (objectSid)

In Connection settings:
1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:
  where
  ou = organizationalUnitName
  dc = domainComponent
  
  For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
2. In Username and Password, enter the Active Directory domain user name and password.
In User search:
1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP with the user entered. With password comparison the data of the LDAP entry is retrieved and the password is compared with the entered password.
2. Enter a Search pattern. Here are two examples:
3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.
In Group search:
1. In Basis for group search, enter the subpath to the group information in LDAP.
  For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:
2. In Filter for group search, enter a filter expression, that defines the search starting with the subpath above.
  
  For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:
3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.
  For example, enter the following:
Group Permissions
1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.
2. Click + to add an LDAP group to the Groups list
3. Select the roles that should be assigned to that LDAP group in the Roles list.

Nexus Documentation

Set up authentication profile in Identity Manager

Prerequisites

Step-by-step instruction

Configure profile types

Administrator

Tenant

Configure post-login process

Tenant ID settings

Configure Smart ID Self-Service login page

Configure Identity Manager Operator login page