
Set up authentication profile in Identity Manager

This article includes updates for Smart ID 23.10.5.

This article describes authentication profiles in Smart ID Identity Manager and how to configure the profiles. Authentication profiles are used to define how users can gain access to Identity Manager and what they gain access to. 

Authentication is done in two steps:

  1. Authentication: logging in with a certain user credential. The user is extracted from the credential depending on the authentication type.

  2. Authorization: after successful authentication the assigned roles for the user are determined depending on the authentication type.

The following authentication profiles are available:

| Authentication profile | Authentication / Login mechanism | User / Principal | Authorization / Roles / Permissions |
|---|---|---|---|
| Internal. Note: in the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. Usually, the administrator of Identity Manager Admin has an internal account. | Login with username and password based on internal user table | Username | Roles from internal roles table |
| LDAP | External login mechanism based on LDAP | DN from LDAP configuration | Group membership in LDAP directory is mapped to internal roles |
| LDAP Core Object | External login mechanism based on LDAP | DN from LDAP configuration | Internal roles mapped to core objects |
| Client Certificate and LDAP | Client certificate login based on LDAP | Configured attribute in certificate | Group membership in LDAP directory is mapped to internal roles |
| Client Certificate Internal. Note: in the runtime system (Identity Manager Operator and Smart ID Self-Service), this profile type is not recommended for production. | Client certificate login based on internal user | Configured attribute in certificate | Roles from internal roles table |
| Client Certificate Core Object | Client certificate login based on Core Objects | Configured attribute in certificate | Internal roles mapped to core objects |
| Smart Card and Core Object. Note: this authentication profile is deprecated, but can still be used for older versions of Identity Manager. From PRIME 3.9, use Client Certificate Core Object. | Smart card certificate | Configured attribute in certificate | Internal roles mapped to core objects |
| Username and Password Core Object | Login with username and password based on core objects | Username | Internal roles mapped to core objects |
| SAML SSO Core Object (*) | External login with SAML SSO | Configured attribute in SAML token | Internal roles mapped to core objects |
| SAML SSO LDAP (*) | External login with SAML SSO | Configured attribute in SAML token | Group membership in LDAP directory is mapped to internal roles |
| SAML SSO Group (*) | External login with SAML SSO | Configured attribute in SAML token | Configured attribute in SAML token |

(*) For SAML, an extra layer of security is added by limiting the role assignment based on authentication method. For more information, see the instructions for SAML SSO Core Object, SAML SSO LDAP, and SAML SSO Group profiles below.

Prerequisites

Step-by-step instruction

To set up an authentication profile:

  1. Go to Home > Authentication Profiles.

  2. Click +New to add an authentication profile.

    1. Select a Profile type:



    2. For SAML profiles, the Priority will be assigned automatically.

    3. Click Save + Edit.

      A new tab is displayed where the authentication profile is configured. See the following sections for how to configure the authentication profile you have selected.

  3. For all authentication profiles there is a Processes tab. Select from the drop-down list which process shall run after a successful login in Identity Manager Operator. Read more in section Set up authentication profile in Identity Manager#Configure post-login process.

  4. To edit an existing identity template, double-click on its name.

Configure profile types

The configuration of authentication profiles differs according to the profile type. Find your selected authentication profile type below and follow the instructions to set up the configuration.

The system will lock internal users after too many failed logins. The users can be unlocked automatically after a certain amount of time. To configure this, follow the instructions below.

Administrator

In Identity Manager Admin, do the following:

  1. In Identity Manager Admin, go to Home > Authentication Profiles.

  2. Select the profile with an INTERNAL profile type.

  3. Define the Maximum failed login count.

  4. Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.

  5. Click Save. 

Tenant

In Identity Manager Tenant, do the following:

  1. Open the tenant application and navigate to the icon next to the info button. A dialog appears.

  2. Define the Maximum failed login count.

  3. Optional: Enable the Automatic unlock mechanism and set the Blocked user wait time in seconds.

  4. Click Save.
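The lockout behaviour that the Administrator and Tenant steps above configure, written out as an added example (not Nexus code) with the three settings as parameters: Maximum failed login count, Automatic unlock and Blocked user wait time. The class name, the method names and the injected clock `now` (seconds) are assumptions made for this example.

```python
class InternalLoginGuard:
    """Failed-login lockout for internal users, parameterised by the three settings
    from the article (names are this example's own)."""

    def __init__(self, max_failed_login_count, automatic_unlock=False, blocked_user_wait_time=0):
        self.max_failed = max_failed_login_count
        self.automatic_unlock = automatic_unlock
        self.wait = blocked_user_wait_time        # Blocked user wait time, in seconds
        self._failures = {}                       # username -> consecutive failed attempts
        self._blocked_at = {}                     # username -> time at which the lock was set

    def is_locked(self, username, now):
        """True while a lock is in force; clears it once the wait time has elapsed
        (only when the Automatic unlock mechanism is enabled)."""
        locked_at = self._blocked_at.get(username)
        if locked_at is None:
            return False
        if self.automatic_unlock and now - locked_at >= self.wait:
            self.unlock(username)
            return False
        return True

    def unlock(self, username):
        """Manual (administrator) or automatic unlock; also resets the failure counter."""
        self._blocked_at.pop(username, None)
        self._failures.pop(username, None)

    def attempt(self, username, credential_ok, now):
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.
        credential_ok is the result of the password check; it is ignored while the
        account is locked, so a correct password does not get through until unlock."""
        if self.is_locked(username, now):
            return "locked"
        if credential_ok:
            self._failures.pop(username, None)    # a success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failed:
            self._blocked_at[username] = now      # lock is set on the attempt that hits the limit
        return "failed"


if __name__ == "__main__":
    # Constructed scenario: three wrong passwords, then a correct one while locked,
    # then a correct one after the wait time has passed.
    guard = InternalLoginGuard(3, automatic_unlock=True, blocked_user_wait_time=60)
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (62, True)]:
        print(t, guard.attempt("admin", ok, t))
```

Two points worth confirming in your own deployment are visible in `attempt`: a correct password is rejected while the lock is in force, and the state is kept per user, so one locked account does not affect another. The wait time is a trade-off: a short value limits how long a user stays locked out after someone else's failed attempts against their name, a long value slows password guessing more.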



In Client Certificate Configuration: select the method which extracts the information from the certificate used to identify the user:

  • User Principal Name (UPN)

  • SAN Email (RFC822Name)

  • Subject CN

  • Subject Email

  • Object Security Identifier (objectSid)



  1. In Connection settings:

    1. In Connection string, enter the URL of the LDAP server and base address in the directory service, for example:

      where

      ou = organizationalUnitName
      dc = domainComponent

      For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.

    2. In Username and Password, enter the Active Directory domain user name and password. 

  2. In User search:

    1. Select Direct binding or With password comparison. Direct binding attempts to bind to the LDAP server as the entered user. With password comparison, the data of the user's LDAP entry is retrieved and its password attribute is compared with the entered password.

    2. Enter a Search pattern. Here are two examples:





    3. If password comparison was selected, enter the Attribute for password used in LDAP and, if applicable, the mechanism that LDAP uses for Password encryption.

  3. In Group search:

    1. In Basis for group search, enter the subpath to the group information in LDAP.
      For example, if you find the group information under ou = groups, dc = myCompany, dc = de, enter the following:



    2. In Filter for group search, enter a filter expression that defines the search starting with the subpath above.

      For example, if the group membership of users is stored in a multi-value attribute member (via the DN), enter the following:



    3. In Attribute for group, enter an attribute with unique values to define the group belonging. The groups to which the user belongs are compared in the last step with the assignment to the roles in the system and access to the system is assigned based on the assigned roles.

      For example, enter the following:



  4. Group Permissions

    1. Go to the LDAP Group Permissions tab to map the LDAP groups to internal Identity Manager roles.

    2. Click + to add an LDAP group to the Groups list.

    3. Select the roles that should be assigned to that LDAP group in the Roles list.
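The LDAP profile's User search, Group search and Group Permissions steps above, modelled end to end against a constructed in-memory directory so the effect of each setting can be seen without an LDAP server. This is an added example and not Nexus code: the directory entries, the search pattern `(uid={0})`, the group filter `(member={0})`, the group attribute `cn`, the `{SSHA}` password encoding and the group-to-role mapping are all assumptions made here, since the article's own example values are not reproduced on this page.

```python
import base64
import hashlib
import hmac
import re

# Settings named in the article; every value below is an assumption for this example.
BASE_DN = "dc=myCompany,dc=de"                       # base address from the Connection string
SEARCH_PATTERN = "(uid={0})"                         # User search > Search pattern
PASSWORD_ATTRIBUTE = "userPassword"                  # User search > Attribute for password
GROUP_BASE = "ou = groups, dc = myCompany, dc = de"  # Group search > Basis for group search
GROUP_FILTER = "(member={0})"                        # Group search > Filter for group search
GROUP_ATTRIBUTE = "cn"                               # Group search > Attribute for group
GROUP_ROLE_MAP = {"im-operators": ["Operator"],      # LDAP Group Permissions tab
                  "im-admins": ["Admin", "Operator"]}

def ssha_hash(password, salt):
    """OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (Password encryption = SSHA)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

# Constructed sample directory: DN -> attributes (every attribute is multi-valued).
# The fixed salt is only for a deterministic example; a real directory uses a random one.
DIRECTORY = {
    "uid=alice,ou=people,dc=myCompany,dc=de": {
        "uid": ["alice"],
        PASSWORD_ATTRIBUTE: [ssha_hash("correct horse", b"fixedsalt")],
    },
    "cn=im-operators,ou=groups,dc=myCompany,dc=de": {
        "cn": ["im-operators"],
        "member": ["uid=alice,ou=people,dc=myCompany,dc=de"],
    },
    "cn=im-admins,ou=groups,dc=myCompany,dc=de": {
        "cn": ["im-admins"],
        "member": ["uid=bob,ou=people,dc=myCompany,dc=de"],  # bob has no user entry
    },
}

def normalize_dn(dn):
    """Split a DN on unescaped commas into (type, value) pairs, ignoring case and spacing,
    so 'ou = groups, dc = myCompany' (as written in the article) equals 'ou=groups,dc=mycompany'."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)

def escape_filter_value(value):
    """RFC 4515 escaping for text substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

_FILTER = re.compile(r"^\((\w+)=(.*)\)$")

def search(base, flt):
    """Minimal evaluator for one '(attr=value)' filter over the entries below base."""
    attr, raw = _FILTER.match(flt).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    base_n = normalize_dn(base)

    def matches(stored):  # DN-valued attributes compare as DNs, others case-insensitively
        if attr == "member":
            return normalize_dn(stored) == normalize_dn(value)
        return stored.lower() == value.lower()

    return [dn for dn, attrs in DIRECTORY.items()
            if normalize_dn(dn)[-len(base_n):] == base_n
            and any(matches(v) for v in attrs.get(attr, []))]

def authenticate(username, password):
    """User search step; returns the user's DN on success, None otherwise."""
    hits = search(BASE_DN, SEARCH_PATTERN.format(escape_filter_value(username)))
    if len(hits) != 1:  # unknown user or an ambiguous pattern: reject
        return None
    dn = hits[0]
    # 'With password comparison': the stored value is read out of the entry and verified here,
    # which is why the Attribute for password and its Password encryption must be configured.
    # 'Direct binding' would instead bind as dn and let the directory perform this check.
    stored = DIRECTORY[dn].get(PASSWORD_ATTRIBUTE, [""])[0]
    return dn if ssha_verify(password, stored) else None

def groups_for(dn):
    """Group search step: the Attribute for group of every group that lists dn as a member."""
    hits = search(GROUP_BASE, GROUP_FILTER.format(escape_filter_value(dn)))
    return sorted(DIRECTORY[g][GROUP_ATTRIBUTE][0] for g in hits)

def roles_for(groups):
    """Group Permissions step: union of the internal roles mapped to the user's groups."""
    return sorted({r for g in groups for r in GROUP_ROLE_MAP.get(g, ())})

def login(username, password):
    """Authentication followed by authorization; None means access is denied."""
    dn = authenticate(username, password)
    groups = groups_for(dn) if dn else None
    return None if dn is None else {"dn": dn, "groups": groups, "roles": roles_for(groups)}
```

Calling `login("alice", "correct horse")` walks the whole chain: the user entry is found through the search pattern, the password is verified against the retrieved attribute, the groups that list the user's DN as `member` are collected below the group base, and the roles come from the mapping. Two details matter in production: the username is escaped before it is substituted into the search pattern, so characters such as `)` or `*` cannot change the filter's meaning, and DNs are compared after normalisation rather than as raw strings, because the directory returns them with its own case and spacing.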

Configure post-login process

Tenant ID settings



Configure Smart ID Self-Service login page

Configure Identity Manager Operator login page

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.