Authentication

Definition

Soffid can use several kinds of external authentication sources. Each mechanism can be enabled or disabled independently.

Screen overview


Standard attributes

Global status


Username and password

Internal

External

Not all external systems are listed here, only those whose agent has the "Trust password" check enabled. For more information about agents, see the Agents page.

Once an agent is configured, Soffid will still use its internal tables to authenticate usernames and passwords.

If the password entered by the user does not match the internal tables, the Soffid core will issue a "ValidatePassword" task for each trusted target system. If any of the trusted target systems accepts the password, it will be hashed and stored in the Soffid tables and the login will be accepted.
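As an added illustration (not Soffid's own code), the following Python models the flow just described: the internal table is checked first, and only on a mismatch is a ValidatePassword task issued to the agents whose "Trust password" check is enabled; an accepted password is hashed and cached so that later logins are validated internally. It assumes the lookup stops at the first agent that accepts, and uses constructed agents and credentials.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of the login flow; not Soffid's implementation.
# A "trusted" agent is one whose "Trust password" check is enabled.


@dataclass
class Agent:
    name: str
    trust_password: bool
    validate_password: Callable[[str, str], bool]  # the "ValidatePassword" task
    calls: int = 0  # how many tasks were issued to this agent

    def issue_validate(self, user: str, pw: str) -> bool:
        self.calls += 1
        return self.validate_password(user, pw)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 hash as 'salt:digest' hex; what the internal table stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def check_hash(stored: str, pw: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split(":", 1)
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(cand.hex(), digest_hex)


def authenticate(user: str, pw: str, internal: Dict[str, str], agents: List[Agent]) -> bool:
    """Internal table first; on mismatch ask each trusted agent and cache an accepted password."""
    stored = internal.get(user)
    if stored is not None and check_hash(stored, pw):
        return True
    for agent in agents:
        if not agent.trust_password:
            continue  # agents without "Trust password" are never consulted
        if agent.issue_validate(user, pw):
            internal[user] = hash_password(pw)  # hashed and stored in the internal table
            return True
    return False
```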

External SAML identity provider

Note that this feature does not depend on the federation addon. It is included by default in the Soffid smart engine and lets you add a third-party SAML system to the authentication flow.

Then use the Download metadata action to download the Soffid Console metadata and load it into your SAML Identity Provider federation.

If both the SAML Identity Provider and username and password authentication are enabled, the user can choose the preferred authentication method. If only SAML is enabled, the user is automatically redirected to the SAML Identity Provider.


💻 Office 365 as External SAML identity provider

Introduction

The following steps configure Office 365 (Microsoft Entra ID) as an external SAML identity provider for Soffid.

Step-by-Step

1. Open https://portal.azure.com

2. Open Microsoft Entra ID and then select the Enterprise applications option

3. Select All applications and click New Application


4. Select Create your own application


5. Type the name of your app and select the "Integrate any other application you don't find in the gallery (Non-gallery)" option


6. Click on Set up single sign on


7. Click the SAML option


8. Enter the Basic SAML Configuration and Save:

  • Identifier: https://<YOUR-SERVER>/soffid-iam-console
  • Reply URL: https://<YOUR-SERVER>/soffid/saml/log/post
  • Sign on URL: https://<YOUR-SERVER>/soffid/
  • Logout URL: https://<YOUR-SERVER>/soffid/saml/slo/post


9. Configure Attributes & Claims so that the mailnickname attribute is sent as the user identifier (nameid)

10. Copy the App Federation Metadata Url


11. Configure the External SAML identity provider in the Authentication page of the Soffid Console, using the metadata URL copied in the previous step

12. Optionally, allow any user to log in

Webservice authentication

Soffid lets you configure how the identity of a user or system accessing the Soffid Web Service is verified, so that only authorized entities can interact with the service.

Bear in mind that the Identity Provider must have the OpenID profile enabled.

Also, the Identity Provider certificate must be imported into the Console cacerts keystore.

Enable LinOTP integration

Soffid can use an external OTP provider, in this case LinOTP. When LinOTP is enabled, Soffid can be configured to require a second authentication factor from the user before performing certain actions. Alternatively, you can use the built-in Soffid OTP.

To configure the Soffid OTP, see the Two factor authentication (2FA) chapter.

Second Factor Authentication configuration

💻 Example

Request only the OTP for these pages:


💻 Example

Request OTP for all pages except those containing menu.zul or otp.zul:

In both configurations, when an OTP is required from the user, a popup is displayed asking for the token value.

Actions

Download metadata

Downloads an XML file with the Soffid Console metadata, to be loaded into your SAML Identity Provider federation when you use an external SAML identity provider.

Confirm changes

Allows you to save the changes made in the Authentication setup.



Revision #33
Created 18 May 2021 14:12:45 by pgarcia@soffid.com
Updated 23 October 2024 15:50:40 by pgarcia@soffid.com