Configure the ActivID Identity Provider

This section describes how to configure the ActivID Identity Provider (IDP).

Note: See Customize the User Authentication Process for information about creating customized GUI templates and authentication process templates.

Configure the ActivID IDP for Signed Authentication Requests

By default, the IDP will request signed Authentication Requests. You can disable this option if necessary.

Note: Signature and certificate path validation actions are performed during the authentication process when users submit their credentials, not when the Authentication Requests are received.

  1. Log on to the ActivID Management Console as an administrator.

  2. Select the Configuration tab.

  1. Under Identity Providers, select ActivID Identity Provider.

  2. Select the Require signed authentication requests option and click Save.

Important: To implement this change, you must export the ActivID SAML IDP Metadata again, and import it into the SP.

Configure the Reset Password Option

You can configure the ActivID Authentication Portal to provide a Reset Password option for end users, eliminating the need for users to contact their help desk if they forget their password.

When the user clicks the reset link on the login page, they can choose to receive a temporary password via SMS or email. You can enable one or both channels.

The user then authenticates with the temporary password and is re-directed to the change password workflow in order to set a new password (the original authenticator is set expired to force the password change).

  • The authenticator validity period is updated according to the authentication policy.

  • The consecutive failed or successful authentication counters are reset.

Note: The validity of the user’s authenticator is automatically set as "expired" once the random password has been delivered, forcing the user to change the password.

However, the user’s authenticator will become blocked if they reach the maximum number of incorrect ‘change password’ attempts.

To manually unblock the authenticator in the ActivID Management Console, you can reset a valid "End" date in the authenticator's validity period tab, and then change the password or reset the counters on behalf of the user.

Prerequisites:  

  • The ActivID Authentication Portal GUI template must match at least one Username/Password authentication policy.

  • The Out of Band (OOB) gateways are configured for the email and/or SMS services for the delivery of the temporary passwords, and are assigned to the required authentication policies and channels.

    • For further information, Configure OOB Delivery Gateways.

  • The end user email addresses and/or mobile phone numbers are configured in their user profiles.

Note:  
  • You can customize the design of reset password wizard by editing the ActivID Authentication Portal branding files.

    • For example, you can customize the link label by editing the ai.samlidp.forgotpwd property in the AuthenticationPortal/default/ap/ac-4tress-portal_en.properties file.

    For further information, see Customize the ActivID AS Design.

  • For further information about the end-user experience, refer to the ActivID Self-Service Portal User Guide available in the ActivID Customer Portal.

  1. Log on to the ActivID Management Console as an administrator for the domain.

  2. Select the Configuration tab.

  3. Under Identity Providers, select ActivID Identity Provider.

  4. Go to the Reset Password section.

  5. Select the channel(s) via which the temporary password should be sent to the end user – Email and/or SMS.

    6. You can select one or both.

  6. If necessary, edit the default message in the Email template that will be sent with the temporary password.

    For additional guidelines, see About the Content of the Message Templates.

  7. Select the Use HTML format for email messages if you want to send formatted messages instead of plain text.

    8. It is recommended that you do not enable this setting if users are using email clients that block HTML content.

  8. If necessary, edit the default message in the SMS template that will be sent with the temporary password.

    For additional guidelines, see About the Content of the Message Templates.

  9. If necessary, define the Temporary Password validity period (in minutes).

    10. By default, this is set to 1440 minutes.

    If the end user has not authenticated with the temporary password within this period, they must restart the Reset Password workflow to request a new one.

  10. Click Save.

  11. To configure the Reset Password option for other domains, repeat the above steps for each domain.

Message templates are a set of properties allowing to define messages in multiple languages.

Template properties:

  • MESSAGE[_<locale>] - if the locale is not specified, the default is used (that is, en_US)
  • SUBJECT[_<locale>] - optionally for email messages, you can include an email subject and define the locale

    If it is not specified in the template, the email delivery gateway subject will be used.

The MESSAGE and SUBJECT properties can both be parametrized with variables that will be resolved when sending the message.

Template variables must use the {$variable[, type, style]} format and can be:

  • Predefined variables:
    • secret - the secret code to send
    • usercode - the username
    • temp_pwd_validity_period - the reset password temporary pass code validity period in miliseconds
    • temp_pwd_expiry_date - the reset password temporary pass code expiry date
    • now - the current date
  • User attributes
  • Authentication request parameters

For further information about the supported types and styles, go to https://docs.oracle.com/javase/8/docs/api/java/text/MessageFormat.html and https://docs.oracle.com/javase/8/docs/api/java/text/SimpleDateFormat.html

Guidelines:

  • There is no limitation on the length of the message in ActivID AS.

    However, modern networks limit a single SMS message to 160 characters.

  • Special characters are supported.

    However, ActivID AS applies GSM encoding for SMS messages (by default, GSM-7) which might result in limitations depending on the encoding system.

  • The date style is extended to optionally specify a timezone (default time zone is GMT).

    • For example, {$now, date, dd/M/yyyy hh:mm:ss [Europe/Paris]}

  • The duration style can be used to format a duration expressed in milliseconds (ms) where the y/M/d/H/m/s/S element format corresponds to years/months/days/hours/minutes/seconds/milliseconds.

    • For example, with a validity_period of 139801000 ms:

    MESSAGE=Your temporary password is only valid for {$validity_period, duration ,  m 'Minutes' }.

    Displayed message – Your temporary password is only valid for 2330 minutes.

    MESSAGE=Your temporary password is only valid for {$validity_period, duration ,  d 'Days' H 'Hours' m 'Minutes' s 'Seconds'}.

    Displayed message – Your temporary password is only valid for 1 Days 14 Hours 50 Minutes 1 Seconds.

  • Single quotes should be escaped using a single quote.

    • For example, It can't be changed must be replaced by It can''t be changed.

  • Curly brackets should be enclosed with single quotes.

    • For example, { or } should be escaped must be replaced by '{' or '}' should be escaped.

  • To add a new line, use \r\n. Do not use carriage returns as the message validation will fail.

Example of an email template - text/plain:

MESSAGE=Hello,\r\nYou requested a password reset for ActivID AS. Your temporary password is {$secret}. Your temporary password is only valid for {$temp_pwd_validity_period, duration , d 'Days' H 'Hours' m 'Minutes'}.\r\nPlease enter the temporary password at the reset screen, to set your permanent password.\r\nIf you did not request a password reset, please ignore this email.\r\n\r\nThank you.\r\n\r\nSystem Administration\r\nHID Global\r\n\r\nPlease do not reply to this message.\r\n©{$now, date, yyyy} HID Global Corporation/ASSA ABLOY AB

SUBJECT=ActivID AS – Password Reset

Example of an email template - text/plain in French (fr):

MESSAGE_fr=Bonjour,\r\nVous avez demandé à changer le mot de passe de votre compte ActivID AS. Votre mot de passe temporaire est {$secret}. Ce mot de passe expirera le {$temp_pwd_validity_period, duration , m 'Minutes'}.\r\nEntrez ce mot de passe temporaire pour pouvoir changer de mot de passe.\r\nSi vous n'’avez pas demandé à changer votre mot de passe, ignorez ce message.r\n\r\nMerci.\r\n\r\nAdministration Système\r\nHID Global\r\n\r\nMerci de ne pas répondre à ce message.\r\n©{$now, date, yyyy} HID Global Corporation/ASSA ABLOY AB

SUBJECT_fr=ActivID AS – Changement de mot de passe

Example of an email template - text/HTML:

MESSAGE=Hello,<br>You requested a password reset for the ActivID AS. Your temporary password is <b>{$secret}</b>. Your temporary password is only valid for {$temp_pwd_validity_period, duration , d 'Days' H 'Hours' m 'Minutes'}.<br>Please enter the temporary password at the reset screen, to set your permanent password.<br>If you did not request a password reset, please ignore this email.<br><br>Thank you.<br><br>System Administration<br>HID Global<br><br>Please do not reply to this message.<br>&copy;{$now, date, yyyy} HID Global Corporation/ASSA ABLOY AB

SUBJECT=ActivID AS – Password Reset

Hide the List of Domains

This section explains how to configure the ActivID Authentication Portal so that the list of domains in your deployment is not visible to users in the login page. This configuration will also prevent users from changing the domain name during authentication.

Note: The ActivID Authentication Portal must know to which domain a user belongs before performing the authentication.

Specify the Domain in the URI

The ActivID portals (Authentication Portal, Management Console and Self-Service Portal) accept a domain name as a parameter in the authentication request.

To pass a domain name as parameter, the URI must contain the domain as follows:

https://<YourActivIDASServer>/aiconsole?domain=sha256(<DOMAINNAME>)

For example, for the ONLINEBANK domain:

https://activididas.com/aiconsole?domain=d6ff9b39dbd361944f415668251e28eec3f9286c47754d66d71bf603277a6ff6

When a user accesses the portal logon page with the domain already present as a parameter in the ActivID Authentication Portal’s SingleSignOnService URL:

  • When ActivID AS is configured with optional domain parameter:

    • If the request originates from the ActivID Management Console, the IDP preselects the domain specified in the request in the list of available domains.
    • If the request originates from any other referrer, the domain in the parameter is automatically selected. The list of domains is not displayed, and users simply enter their credentials to authenticate.

  • When ActivID AS is configured with required domain parameter, the IDP never displays the list of available domains. Users simply enter their credentials to authenticate.

For further details, see Enforce the Domain Requirement in the Authentication Request.

Enforce the Domain Requirement in the Authentication Request

You configure the Authentication Portal to make the domain name as either optional or required in the authentication request.

  • If you set the domain name as optional and it is missing from the authentication request, the list of domains is displayed to the user.

  • If you set the domain name as required and it is missing from the authentication request, an error page is displayed to the user.

To configure the ActivID Authentication Portal to make the domain name as either optional or required:

  1. Open the samlidp.properties file in the <ActivID_AS>/applications/resources/ap/ directory for editing.

    • To configure the domain name as optional in the authentication request, set the DomainRequired property to false (this is the default value).
    • To configure the domain name as required in the authentication request, set the DomainRequired property to true.

  2. Save and close the file.

  3. Restart the server.

Export the ActivID SAML IDP Metadata

To configure the ActivID IDP as an IDP for a SAML SP, you must provide the metadata information to the SP.

The IDP metadata is based on the following data:

  • IDP hostname
  • IDP port number
  • Security Domain – the Security Domain name is part of the URIs defined in the metadata.
  • Flag indicating if the IDP accepts only signed requests – this is an optional attribute that indicates a requirement for the <samlp:AuthnRequest> messages received by this IDP to be signed. If omitted, the value is assumed to be false.
  • Alias of the IDP certificates (signing & encryption) stored in the ActivID AS keystore.
  1. Log on to the ActivID Management Console as an administrator.

  2. Select the Configuration tab.

  3. Under the Identity Providers menu, select ActivID Identity Provider.

  4. Under the Authentication Policies mapping list, click Export SAML Metadata.

  5. Save the ACTIVID_IDP_METADATA.xml file to a location of your choice.

Important: The administrator must import this file to the SP server at a later stage. By importing the respective metadata, a link between the ActivID IDP and the Service Provider is created. This enables the SAML authentications. The user who wants to use the Service Provider’s services (such as a travel agency web site) authenticates, and the ActivID IDP performs the authentication on behalf of the SP.

View or Download the ActivID IDP Certificates

  1. Log on to the ActivID Management Console as an administrator for the domain.

  2. Select the Configuration tab.

    Details of the ActivID IDP Signing Certificate and Encryption Certificate are displayed above the configuration options.

  3. Click View for the required certificate.

  4. Click Download for the required certificate to download the certificate (.cer).

Update the ActivID IDP Certificates

There is one SAML IDP signing certificate and one SAML IDP encryption certificate per security domain.

These certificates are stored in the ActivID Authentication server software keystore (<ACTIVID_HOME>/ActivID_AS/config/ActivID.keystore) under the idp_cert_signature_<domain> and idp_cert_ encryption_<domain> aliases.

Note: You can view or download the ActivID IDP certificates in the ActivID Management Console.

Renew SAML IDP (Authentication Portal) Keys and Certificates

  1. As ftadmin, run the following command:

    Copy 
    <ACTIVID_HOME>/ActivID_AS/bin/configureIDPData.sh -c createkeyscerts -d <domain name> -v <validity period (years)>

  2. When prompted, enter the keystore password.

  3. Replicate the keystore changes to all the ActivID AS servers in your deployment.

  4. Restart the server.

  5. Export the IDP metadata and reconfigure the service providers.

Replace the Certificates with CA Signed Certificates

For the the idp_cert_signature_<domain> and idp_cert_ encryption_<domain> keystore entry aliases, as ftadmin, use the following commands:

  1. To load the environmental variable:

    Copy 
    . <ACTIVID_HOME>/ActivID_AS/bin/envdef

  1. To generate the Certificate Signing Request:

    Copy 
    keytool –keystore <the keystore> –certreq –alias <alias> –keyalg rsa 
    –file client.csr -storetype JCEKS

  1. To send the CSR to your Certificate Authority and then import CA certificate into the ActivID AS keystore:

    Copy 
    keytool -import -keystore <the keystore> -file ca-certificate.pem  
    -alias theCARoot -storetype JCEKS

  1. To import the signed certificate in the keystore:

    Copy 
    keytool –import –keystore <the keystore> –file <CA signed IDP certificate> –alias <alias> -storetype JCEKS

  1. Replicate the keystore changes to all the ActivID AS servers in your deployment.

  2. Restart the server.

  3. Export the IDP metadata and reconfigure the service providers.