Configure the ActivID Identity Provider

This section describes how to configure the ActivID Identity Provider (IdP).

Note: See Customize the User Authentication Process for information about creating customized GUI templates and authentication process templates.

Configure the ActivID IdP for Signed Authentication Requests

By default, the IdP will request signed Authentication Requests. You can disable this option if necessary.

Note: Signature and certificate path validation actions are performed during the authentication process when users submit their credentials, not when the Authentication Requests are received.

  1. Log on to the ActivID Management Console as an administrator.

  2. Select the Configuration tab.

  3. Under Identity Providers, select ActivID Identity Provider.

  4. Select the Require signed authentication requests option and click Save.

Important: To implement this change, you must export the ActivID SAML IdP Metadata again, and import it into the SP.

Configure the Reset Password Option

You can configure the ActivID Authentication Portal to provide a Reset Password option for end users, eliminating the need for users to contact their help desk if they forget their password.

When the user clicks the reset link on the login page, they can choose to receive a temporary password via SMS or email. You can enable one or both channels.

The user then authenticates with the temporary password and is redirected to the change password workflow in order to set a new password (the original authenticator is set to expired to force the password change).

  • The authenticator validity period is updated according to the authentication policy.

  • The consecutive failed or successful authentication counters are reset.

Note: The validity of the user’s authenticator is automatically set as "expired" once the random password has been delivered, forcing the user to change the password.

However, the user’s authenticator will become blocked if they reach the maximum number of incorrect ‘change password’ attempts.

To manually unblock the authenticator in the ActivID Management Console, you can reset a valid "End" date in the authenticator's validity period tab, and then change the password or reset the counters on behalf of the user.

Prerequisites:

  • The ActivID Authentication Portal GUI template must match at least one Username/Password authentication policy.

  • The Out of Band (OOB) gateways are configured for the email and/or SMS services for the delivery of the temporary passwords, and are assigned to the required authentication policies and channels.

    For further information, see Configure OOB Delivery Gateways.

  • The end user email addresses and/or mobile phone numbers are configured in their user profiles.

Note:

  • You can customize the design of the reset password wizard by editing the ActivID Authentication Portal branding files.

    For example, you can customize the link label by editing the ai.samlidp.forgotpwd property in the AuthenticationPortal/default/ap/ac-4tress-portal_en.properties file.

    For further information, see Customize the ActivID AS Design.

  • For further information about the end-user experience, refer to the ActivID Self-Service Portal User Guide available in the ActivID Customer Portal.

  1. Log on to the ActivID Management Console as an administrator for the domain.

  2. Select the Configuration tab.

  3. Under Identity Providers, select ActivID Identity Provider.

  4. Go to the Reset Password section.

  5. Select the channel(s) via which the temporary password should be sent to the end user – Email and/or SMS. You can select one or both.

  6. If necessary, edit the default message in the Email template that will be sent with the temporary password.

    For additional guidelines, see About the Content of the Message Templates.

  7. Select the Use HTML format for email messages option if you want to send formatted messages instead of plain text.

    It is recommended that you do not enable this setting if users are using email clients that block HTML content.

  8. If necessary, edit the default message in the SMS template that will be sent with the temporary password.

    For additional guidelines, see About the Content of the Message Templates.

  9. If necessary, define the Temporary Password validity period (in minutes). By default, this is set to 1440 minutes.

    If the end user has not authenticated with the temporary password within this period, they must restart the Reset Password workflow to request a new one.

  10. Click Save.

  11. To configure the Reset Password option for other domains, repeat the above steps for each domain.

Hide the List of Domains

This section explains how to configure the ActivID Authentication Portal so that the list of domains in your deployment is not visible to users in the login page. This configuration will also prevent users from changing the domain name during authentication.

Note: The ActivID Authentication Portal must know to which domain a user belongs before performing the authentication.

Specify the Domain in the URI

The ActivID portals (Authentication Portal, Management Console and Self-Service Portal) accept a domain name as a parameter in the authentication request.

To pass a domain name as parameter, the URI must contain the domain as follows:

https://<YourActivIDASServer>/aiconsole?domain=sha256(<DOMAINNAME>)

For example, for the ONLINEBANK domain:

https://activididas.com/aiconsole?domain=d6ff9b39dbd361944f415668251e28eec3f9286c47754d66d71bf603277a6ff6

When a user accesses the portal logon page with the domain already present as a parameter in the ActivID Authentication Portal’s SingleSignOnService URL:

  • When ActivID AS is configured with the domain parameter as optional:

    • If the request originates from the ActivID Management Console, the IdP preselects the domain specified in the request in the list of available domains.

    • If the request originates from any other referrer, the domain in the parameter is automatically selected. The list of domains is not displayed, and users simply enter their credentials to authenticate.

  • When ActivID AS is configured with the domain parameter as required, the IdP never displays the list of available domains. Users simply enter their credentials to authenticate.

For further details, see Enforce the Domain Requirement in the Authentication Request.
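As an added example (not from the ActivID documentation), the following Python helper builds the domain-scoped logon URL described above and, on the receiving side, maps a domain parameter back to one of the domains an administrator knows about, since the hash itself cannot be reversed. It assumes the parameter is the hex SHA-256 of the domain name exactly as written in the Management Console, UTF-8 encoded; the function names are hypothetical.

```python
import hashlib
import re
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption (not stated byte-for-byte in the guide): the ?domain= value is the
# lowercase hex SHA-256 of the domain name as written, UTF-8 encoded.
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def domain_param(domain: str) -> str:
    """Return the sha256(<DOMAINNAME>) value used in the ?domain= parameter."""
    return hashlib.sha256(domain.encode("utf-8")).hexdigest()


def build_logon_url(server: str, domain: str, path: str = "/aiconsole") -> str:
    """Build https://<server><path>?domain=sha256(<domain>) for a portal logon page."""
    return f"https://{server}{path}?" + urlencode({"domain": domain_param(domain)})


def resolve_domain_param(url: str, known_domains: Iterable[str]) -> Optional[str]:
    """Map the domain parameter of a logon URL back to a configured domain name.

    The hash is one-way, so the value is compared against the hash of every
    domain the deployment knows about. Returns None when the parameter is
    absent, repeated, malformed, or matches no known domain (the cases in
    which the portal would show the domain list or an error page).
    """
    values = parse_qs(urlparse(url).query).get("domain", [])
    if len(values) != 1 or not _HEX64.match(values[0]):
        return None
    lookup = {domain_param(d): d for d in known_domains}
    return lookup.get(values[0])


if __name__ == "__main__":
    # Hostname and domain name taken from the example above.
    url = build_logon_url("activididas.com", "ONLINEBANK")
    print(url)
    print(resolve_domain_param(url, ["ONLINEBANK", "RETAIL"]))
```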

Enforce the Domain Requirement in the Authentication Request

You configure the Authentication Portal to make the domain name either optional or required in the authentication request.

  • If you set the domain name as optional and it is missing from the authentication request, the list of domains is displayed to the user.

  • If you set the domain name as required and it is missing from the authentication request, an error page is displayed to the user.

To configure the ActivID Authentication Portal to make the domain name either optional or required:

  1. Open the samlidp.properties file in the <ActivID_AS>/applications/resources/ap/ directory for editing.

    • To configure the domain name as optional in the authentication request, set the DomainRequired property to false (this is the default value).
    • To configure the domain name as required in the authentication request, set the DomainRequired property to true.
  2. Save and close the file.

  3. Restart the server.

Export the ActivID SAML IdP Metadata

To configure the ActivID IdP as an IdP for a SAML SP, you must provide the metadata information to the SP.

The IdP metadata is based on the following data:

  • IdP hostname
  • IdP port number
  • Security Domain – the Security Domain name is part of the URIs defined in the metadata.
  • Flag indicating if the IdP accepts only signed requests – this is an optional attribute that indicates a requirement for the <samlp:AuthnRequest> messages received by this IdP to be signed. If omitted, the value is assumed to be false.
  • Alias of the IdP certificates (signing & encryption) stored in the ActivID AS keystore.

  1. Log on to the ActivID Management Console as an administrator.

  2. Select the Configuration tab.

  3. Under the Identity Providers menu, select ActivID Identity Provider.

  4. Under the Authentication Policies mapping list, click Export SAML Metadata.

  5. Save the ACTIVID_IDP_METADATA.xml file to a location of your choice.

Important: The administrator must import this file to the SP server at a later stage. By importing the respective metadata, a link between the ActivID IdP and the Service Provider is created. This enables the SAML authentications. The user who wants to use the Service Provider’s services (such as a travel agency web site) authenticates, and the ActivID IdP performs the authentication on behalf of the SP.
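As an added check (not part of the ActivID product or this guide), the following Python parses an exported IdP metadata file and reports the items listed above, so an SP administrator can confirm the re-exported file really carries the signed-request flag and both certificates before importing it. It assumes the flag is expressed as the standard SAML WantAuthnRequestsSigned attribute on IDPSSODescriptor; the sample metadata is constructed and the real ACTIVID_IDP_METADATA.xml may contain additional elements.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not a real export: the security domain (ONLINEBANK) is
# embedded in the URIs as the guide describes, and the certificates are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://activididas.com/idp/ONLINEBANK">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-SIGNING-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-ENCRYPTION-CERT...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://activididas.com/ap/saml/ONLINEBANK/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Summarise what the SP will rely on: entityID, signed-request requirement,
    SSO endpoints and how many signing/encryption certificates are present."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    # The attribute is optional; when omitted the SAML spec treats it as false.
    want_signed = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    certs: Dict[str, int] = {"signing": 0, "encryption": 0}
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        x509 = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if use in certs and x509 is not None and (x509.text or "").strip():
            certs[use] += 1
    sso: List[str] = [s.get("Location", "")
                      for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    return {"entity_id": root.get("entityID"),
            "want_authn_requests_signed": want_signed,
            "sso_locations": sso,
            "certificates": certs}
```

A missing encryption or signing certificate, or a flag still reading false after you enabled Require signed authentication requests, means the export predates the change and must be redone.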

View or Download the ActivID IdP Certificates

  1. Log on to the ActivID Management Console as an administrator for the domain.

  2. Select the Configuration tab.

    Details of the ActivID IdP Signing Certificate and Encryption Certificate are displayed above the configuration options.

  3. Click View for the required certificate.

  4. Click Download for the required certificate to download the certificate (.cer).

Update the ActivID IdP Certificates

There is one SAML IdP signing certificate and one SAML IdP encryption certificate per security domain.

These certificates are stored in the ActivID Authentication server software keystore (<ACTIVID_HOME>/ActivID_AS/config/ActivID.keystore) under the idp_cert_signature_<domain> and idp_cert_encryption_<domain> aliases.

Note: You can view or download the ActivID IdP certificates in the ActivID Management Console.

Renew SAML IdP (Authentication Portal) Keys and Certificates

  1. As ftadmin, run the following command:

    <ACTIVID_HOME>/ActivID_AS/bin/configureIDPData.sh -c createkeyscerts -d <domain name> -v <validity period (years)>

  2. When prompted, enter the keystore password.

  3. Replicate the keystore changes to all the ActivID AS servers in your deployment.

  4. Restart the server.

  5. Export the IdP metadata and reconfigure the service providers.

Replace the Certificates with CA Signed Certificates

For the idp_cert_signature_<domain> and idp_cert_encryption_<domain> keystore entry aliases, as ftadmin, use the following commands:

  1. To load the environment variables:

    . <ACTIVID_HOME>/ActivID_AS/bin/envdef

  2. To generate the Certificate Signing Request:

    keytool -keystore <the keystore> -certreq -alias <alias> -keyalg rsa -file client.csr -storetype JCEKS

  3. To send the CSR to your Certificate Authority and then import the CA certificate into the ActivID AS keystore:

    keytool -import -keystore <the keystore> -file ca-certificate.pem -alias theCARoot -storetype JCEKS

  4. To import the signed certificate into the keystore:

    keytool -import -keystore <the keystore> -file <CA signed IDP certificate> -alias <alias> -storetype JCEKS

  5. Replicate the keystore changes to all the ActivID AS servers in your deployment.

  2. Restart the server.

  3. Export the IdP metadata and reconfigure the service providers.