Configure the ActivID IDP Authentication Policies Mappings

Authentication policies mappings define which authentication methods the ActivID Authentication Portal uses to authenticate the users of a specific Service Provider (SP). Each mapping establishes a link between:

  • An Authentication Class URI:

    • It identifies which authentication class is to be used for the authentication.
    • It is optionally carried in the SP's SAML Authentication Request and/or declared in the SP's metadata file.
  • An Authentication Policy.

  • The GUI template(s) displayed by the ActivID Authentication Portal for this authentication process.

For information on the association between the Authentication Policy and the GUI Template, see Supported Authentication Policies.

Note: Based on the authentication context (SAML Authentication Request, SAML SP Metadata and the Channel/Authentication assignments), the user might be offered several authentication methods. The user is then prompted to choose one of the icons, each of which directs to an authentication method supported by the IDP for this SAML SP.

Add a New Authentication Policies Mapping

  1. Log on as a configuration manager or administrator.

  2. Navigate to Configuration, Identity Providers and then ActivID Identity Provider.

  3. Go to the Login Pages section and click Add to create a new authentication policies mapping.

  4. Enter the Authentication Class URI. Copy the value exactly as the SP sends it in its Authentication Request or declares it in its metadata; a URI that differs, even only in case, is a different class and the mapping is never selected for that SP.

     Note: For ActivID Management Console and ActivID Self-Service Portal channels, you can use a customized name (for example, SSP.Myauthenticationpolicy).

  5. From the ActivID Authentication Policy drop-down list, select the authentication policy you want to map.

  6. From the GUI Template drop-down list, select the template you want to map.

  7. Click Next.

  8. Review the new authentication policies mapping, and then click Ok to validate the configuration.

  9. If the selected policy is a tiered authentication policy, you are prompted to add the mapping for its base policy. For more information, see Configure Tiered Authentication Policies Mapping.

  10. Click Save. It might take a few seconds for the changes to take effect.

Edit an Existing Authentication Policies Mapping

  1. Log on as a configuration manager or administrator.

  2. Navigate to Configuration, Identity Providers and then ActivID Identity Provider.

  3. Go to the Login Pages section and click the Authentication Policy Mapping that you want to edit.

  4. Click the Authentication Policy link (in bold) below the Authentication Class field.

  5. Modify the ActivID Authentication Policy or GUI Template as required.

  6. Click Next.

  7. View the new mapping summary, and then click Ok to validate it.

     Note: The changes may affect the ability to log on to the channel, so review them very carefully before you save.

     The list of Authentication Policies mappings is displayed with your changes.

  8. Click Save. It will take a few seconds for the changes to take effect.

Configure Tiered Authentication Policies Mapping

Prerequisites: You must have created and configured tiered authentication policies in the ActivID Management Console. A tiered authentication policy is a policy for which a base authentication policy is defined: the user must authenticate successfully with the base authentication policy before attempting to authenticate with the tiered authentication policy. An example is available in Configure the FIDO Authentication Policy for Tiered-Authentication.

Note: You must define a GUI template both for the tiered authentication policy and for the base authentication policy.

  1. Log on as a configuration manager or administrator.

  2. Navigate to Configuration, Identity Providers and then ActivID Identity Provider.

  3. Go to the Login Pages section and click Add to create a new authentication policies mapping.

  4. Enter the Authentication Class URI.

  5. From the ActivID Authentication Policy drop-down list, select the tiered policy.

  6. From the GUI Template drop-down list, select the template for the tiered policy.

  7. Click Next. You are prompted to map the base Authentication Policy to a GUI template.

  8. Select the base Authentication Policy and its GUI Template, and then click Next.

  9. To validate the tiered Authentication Policy mapping, click Ok. The authentication policies mapping is created.

  10. Click Save. It will take a few seconds for the configuration changes to take effect.

Configure Authentication Policies Mappings for the ActivID Management Console

Users can log on to the ActivID Management Console using their user name and password, Questions and Answers (Q&A), PKI certificate, One-Time Password (OTP) or Push Authentication.

This authentication policy mapping is available by default and is displayed as follows in the Authentication Policies mapping table in the ActivID Identity Provider details page:

By default, the Static Login GUI Template is the first one displayed on the ActivID Management Console login page.

To log on using Questions & Answers, PKI, One-Time Password or Push Authentication, the user selects the relevant icon at the bottom of the login page. Placing the cursor over an icon displays the icon name.

Note: As a prerequisite, the Management Console user must have registered at least one of Questions & Answers, PKI or One-Time Password authentication.

Upon subsequent logins, the last used template is displayed on the login page so that the user does not have to select the icon again.

To add additional mappings corresponding to all authentication policies supported by the ActivID Management Console:

  1. Log on as a configuration manager or administrator.

  2. Navigate to Configuration, Identity Providers and then ActivID Identity Provider.

  3. Add the mappings as required.

  4. Save the changes. It might take a few seconds for the changes to take effect.

  5. Log off and, if necessary, go to the login page again.

Important: If you remove a mapping, then you remove the ability to log into the channel using the associated Authentication Policy, so you must take care when removing a mapping from the list.

Configure Authentication Policies Mappings for the ActivID Self-Service Portal

Users can log on to the ActivID Self-Service Portal using their user names and passwords, Questions and Answers (Q&A), PKI certificates, LDAP user names and passwords, out-of-band (OOB) One-Time Passwords, regular One-Time Passwords (OTP) or Push Authentication.

These authentication policies mappings are available by default and are displayed as follows in the Authentication Policies mapping table:

You can add additional mappings if required.

Important: If you remove a mapping, then you remove the ability to log into the channel using the associated Authentication Policy, so you must be careful when removing a mapping from the list.

Configure Authentication Policies Mappings for Other Service Providers

Important: To enable interoperability with SAML Service Providers (such as Google Apps), you must create specific authentication policies mappings in the ActivID IDP.

Each Service Provider might support an Authentication Context with particular SAML Authentication classes. You must identify them, verify that they are enabled for the Service Provider, and create the mappings accordingly.

The following list gives several examples (for an OpenSSO implementation) of mappings that can be used. The SAML authentication class names are the short forms of the urn:oasis:names:tc:SAML:2.0:ac:classes:<Name> URIs that the SP sends as AuthnContextClassRef values.

  • Password: identified when a user authenticates to an IDP by using a password over an unprotected HTTP session.

    • Authentication Policy: Static Password
    • GUI Template: Seeded Username Password
    • Device Used: none
  • PasswordProtectedTransport: identified when a user authenticates to an IDP by using a password over an SSL-protected session.

    • Authentication Policy: Static Password
    • GUI Template: Username Password
    • Device Used: none
  • SmartcardPKI: identified when a user uses a smart card with an enclosed private key and a PIN to authenticate to an IDP.

    • Authentication Policy: PKI
    • GUI Template: Public key infrastructure
    • Device Used: SmartCard
  • MobileOneFactorContract*: identified when a mobile user has an identity for which the IDP has vouched.

    • Authentication Policy: One Time Password
    • GUI Template: One Time Password
    • Device Used: Mobile Soft token without PIN, or HID Approve™ container on Smartphone
  • MobileTwoFactorContract: identified when a mobile user has an identity for which the IDP has vouched and authenticates with two factors. Several mappings apply:

    • Authentication Policy: One Time Password; GUI Template: Challenge Response; Device Used: Mobile Soft token with PIN
    • Authentication Policy: One Time Password; GUI Template: One Time Password; Device Used: HID Approve container on Smartphone (password protected)
    • Authentication Policy: Mobile push-based Logon Validation; GUI Template: TDS Push; Device Used: HID Approve container on Smartphone (password protected)
    • Authentication Policy: Mobile push-based Logon Validation; GUI Template: Push-Based Authentication; Device Used: HID Approve container on Smartphone (password protected)

For example, if your SP supports an Authentication Context with the Authentication Classes Password and SmartcardPKI, you can map the ActivID IDP Authentication Policies as follows. The class URIs are the SAML 2.0 standard values; enter them exactly as the SP sends them (note the lowercase c in SmartcardPKI):

  • Auth Class URI: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

    • Authentication Policy: Customer Static Password
    • GUI Template: Username password
  • Auth Class URI: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI

    • Authentication Policy: Customer PKI authentication
    • GUI Template: Public key infrastructure
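The following Python script is an added example, not ActivID product code. It shows the selection logic the mappings above drive, seen from the IDP side: it reads the AuthnContextClassRef values from a constructed SAML AuthnRequest, resolves each one against a mapping table shaped like the SP example above, expands a tiered entry into its base-then-tiered steps (see Configure Tiered Authentication Policies Mapping), and, when the SP states no preference, offers every configured mapping so that the user can pick an icon, as the Note at the top of this page describes. The mapping entries, the policy and template names, the tiered FIDO entry and the request builder are assumptions made for the example; the matching is exact and case-sensitive, so a class URI with a case error is reported as unmatched instead of being silently accepted.

```python
"""Resolve SAML authentication classes to policy mappings (added example).

Not ActivID product code. The mapping table, policy names and the
AuthnRequest built by make_request() are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed mapping table in the shape of the page's SP example.
# Each entry: policy, GUI template, and for a tiered policy the
# (base policy, base GUI template) the user must pass first.
MAPPINGS = {
    AC + "Password": {
        "policy": "Customer Static Password",
        "gui": "Username password",
        "base": None,
    },
    AC + "SmartcardPKI": {
        "policy": "Customer PKI authentication",
        "gui": "Public key infrastructure",
        "base": None,
    },
    # Hypothetical tiered entry: FIDO only after a successful password logon.
    AC + "MobileTwoFactorContract": {
        "policy": "Customer FIDO (tiered)",
        "gui": "FIDO",
        "base": ("Customer Static Password", "Username password"),
    },
}


def requested_classes(authn_request_xml):
    """Return (comparison, [class URIs]) from a SAML AuthnRequest.

    A request without RequestedAuthnContext states no preference and is
    reported as ("exact", [])."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return "exact", []
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def login_steps(mapping):
    """Ordered (policy, GUI template) steps; the base policy comes first for a tiered entry."""
    steps = []
    if mapping["base"] is not None:
        steps.append(mapping["base"])
    steps.append((mapping["policy"], mapping["gui"]))
    return steps


def resolve(authn_request_xml, mappings=MAPPINGS):
    """Select the login flows the IDP may offer for this request.

    Returns (offered, unmatched): `offered` maps each usable class URI to
    its ordered steps, `unmatched` lists requested URIs with no mapping.
    Matching is an exact, case-sensitive string comparison."""
    comparison, refs = requested_classes(authn_request_xml)
    if comparison != "exact":
        # Ranking classes by strength (minimum/better/maximum) needs an
        # ordering the mapping table does not define; refuse rather than guess.
        raise ValueError(f"unsupported Comparison={comparison!r}")
    if not refs:
        # No preference from the SP: offer every configured mapping and
        # let the user choose an icon on the login page.
        return {uri: login_steps(m) for uri, m in mappings.items()}, []
    offered = {uri: login_steps(mappings[uri]) for uri in refs if uri in mappings}
    unmatched = [uri for uri in refs if uri not in mappings]
    return offered, unmatched


def make_request(*class_uris, comparison="exact"):
    """Build a minimal constructed AuthnRequest carrying the given class URIs."""
    refs = "".join(f"<saml:AuthnContextClassRef>{u}</saml:AuthnContextClassRef>" for u in class_uris)
    rac = (f'<samlp:RequestedAuthnContext Comparison="{comparison}">{refs}</samlp:RequestedAuthnContext>'
           if class_uris else "")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>"
        f"{rac}</samlp:AuthnRequest>"
    )


if __name__ == "__main__":
    # The second URI has a case error (SmartCardPKI) and is reported as unmatched.
    offered, unmatched = resolve(make_request(AC + "SmartcardPKI", AC + "SmartCardPKI"))
    print("offered:", offered)
    print("unmatched:", unmatched)
```

The resolver refuses any Comparison other than exact on purpose: minimum, better and maximum require the IDP to rank authentication classes by strength, and that ranking is not part of the mapping table described on this page.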

See also:

Configure Support for FIDO U2F Authentication