
Authentication

Definition

Soffid can use different kinds of external authentication sources. Each of these mechanisms can be selectively enabled or disabled.

Screen overview


Standard attributes

Username and password

Internal

  • Enabled: the only mechanism enabled by default in a Soffid installation. It is the internal username and password authentication mechanism, so the authentication is made with the username and password of the Soffid account.

External

  • Forward authentication requests to trusted target systems: enables the use of external username and password sources, so the authentication is made with the username and password of an account in an external system.

Not all external systems are included, only those whose agent has the "Trust password" check marked. For more information about agents, please visit the Agents page.

Even once an agent is configured, Soffid still uses its internal tables first to authenticate usernames and passwords.

If the password entered by the user does not match, the Soffid core issues a "ValidatePassword" task for each trusted target system. If any of the trusted target systems accepts the password, it is hashed, stored in the Soffid tables, and the login is accepted.
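The fallback just described, as an added illustrative model (not Soffid's own code): internal tables are checked first, a ValidatePassword task goes to each trusted target system only on a mismatch, and an externally accepted password is hashed and stored locally. The `SoffidCore` class, the agent callables and the PBKDF2 storage format are assumptions of this example.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; Soffid's real storage format is not documented here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

class SoffidCore:
    """Illustrative model of the trusted-target-system login flow (not Soffid's code)."""

    def __init__(self, trusted_targets):
        # trusted_targets: name -> callable(user, password) -> bool, standing in for
        # agents with the "Trust password" check marked. Untrusted agents are never asked.
        self.trusted_targets = trusted_targets
        self.table = {}   # username -> (salt, hash): Soffid's internal tables
        self.tasks = []   # ValidatePassword tasks issued, kept for inspection

    def set_internal_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.table[user] = (salt, hash_password(password, salt))

    def check_internal(self, user: str, password: str) -> bool:
        entry = self.table.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))

    def login(self, user: str, password: str) -> bool:
        # 1. Internal tables are always consulted first.
        if self.check_internal(user, password):
            return True
        # 2. On a mismatch, issue a ValidatePassword task per trusted target system.
        for name, validate in self.trusted_targets.items():
            self.tasks.append(("ValidatePassword", name, user))
            if validate(user, password):
                # 3. Accepted externally: hash and store, so the next login is local.
                #    From now on the stored hash is a credential in its own right.
                self.set_internal_password(user, password)
                return True
        # No internal match and no trusted system accepted the password.
        return False

# Constructed sample agent: knows a single account (assumption for the example).
def ad_agent(user: str, password: str) -> bool:
    return (user, password) == ("alice", "Correct-Horse-9")
```

The second successful login is served from the internal table without any new task, while a wrong password always costs one task per trusted system.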

External SAML identity provider

Note that this feature does not depend on the federation addon. It is included by default in the Soffid smart engine and lets you add a third-party SAML system to the authentication flow.

  • Enable: check it (select value Yes) to use an external SAML Identity Provider.
  • Soffid Server host name: the URL that will be used by the external IdP. This URL is resolved by the end user's browser in order to send the SAML assertion.
  • SAML federation metadata: the URL where the federation information can be found. If the Soffid console can fetch the federation metadata, the Identity provider drop-down is filled in with every identity provider found at the federation metadata URL.
  • Cache limit (seconds): how often the federation information is refreshed. By default, 10 minutes.
  • Identity provider: the Identity Provider to use for authentication.

Finally, download the Soffid Console metadata and load it into your SAML Identity Provider federation.

If the SAML Identity Provider is enabled as well as username and password, the user can select the preferred authentication method. If only SAML is enabled, the user is automatically redirected to the SAML Identity Provider.

Enable LinOTP integration

Soffid can be configured to require the user to authenticate with a second factor before performing certain actions.

See the Two factor authentication (2FA) chapter.

  • Enabled: check it (select value Yes) to enable the LinOTP integration.
  • LinOTP server URL: URL of your LinOTP service.
  • LinOTP admin username: username of the admin account used by Soffid.
  • LinOTP admin password: password of the admin account used by Soffid.
  • LinOTP users domain: the user domain for LinOTP authentication. The selected user domain is used to derive the LinOTP username for any Soffid identity. This is essential when LinOTP usernames do not match Soffid usernames. Please visit the Account naming rules page for more information.

For the time being, only the LinOTP token manager is supported. RADIUS support is in progress.

Second Factor Authentication configuration

This section requires the LinOTP integration to be enabled (previous section).

  • Pages that optionally require OTP authentication for users with an enabled token: (Optional) the list of pages where the second factor is requested only from users who have a token. If a URL optionally requires OTP authentication and the user has no LinOTP token (or the LinOTP service is down), access is granted. If the user does have a LinOTP token, the OTP value is required and no access is allowed until the user provides the right token value.
  • Pages that require OTP authentication for any user: (Mandatory) the list of pages where the second factor is always required. If a URL strictly requires OTP authentication, users without a token are not allowed to use it.
  • Second factor authentication period: number of seconds after which a new OTP value is required.

In both configurations, when an OTP is required from the user, a popup is raised asking for the OTP value.
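The decision rules for the optional list, the mandatory list and the OTP period, as an added illustrative model (not Soffid's own code). The `OtpPagePolicy` class, the glob-style matching of page URLs and the `allow`/`deny`/`require_otp` outcomes are assumptions of this example.

```python
import time
from fnmatch import fnmatch

class OtpPagePolicy:
    """Illustrative model of the two OTP page lists and the OTP period (not Soffid's code)."""

    def __init__(self, optional_pages, mandatory_pages, period_seconds):
        # Page lists are treated as URL path patterns (shell-style globs): an assumption.
        self.optional_pages = list(optional_pages)
        self.mandatory_pages = list(mandatory_pages)
        self.period_seconds = period_seconds
        self.last_otp = {}  # user -> time of the last accepted OTP value

    @staticmethod
    def _matches(url, patterns):
        return any(fnmatch(url, pattern) for pattern in patterns)

    def otp_accepted(self, user, now=None):
        # Called once the popup receives the right token value.
        self.last_otp[user] = time.time() if now is None else now

    def decide(self, user, url, has_token, linotp_up, now=None):
        """Return 'allow', 'deny' or 'require_otp' for one page request."""
        now = time.time() if now is None else now
        mandatory = self._matches(url, self.mandatory_pages)
        optional = self._matches(url, self.optional_pages)
        if not mandatory and not optional:
            return "allow"        # page is in neither list
        if mandatory and not has_token:
            return "deny"         # strict pages: no token, no access
        if not mandatory and (not has_token or not linotp_up):
            return "allow"        # optional pages fail open without a token or service
        # The user has a token and the page needs OTP. A value accepted within the
        # period is still valid; otherwise the popup asks for a fresh OTP (and, on a
        # mandatory page with LinOTP down, the user stays blocked until it is back).
        last = self.last_otp.get(user)
        if last is not None and now - last < self.period_seconds:
            return "allow"
        return "require_otp"
```

Note the asymmetry the page describes: the optional list degrades to plain access when LinOTP is unavailable, the mandatory list never does.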

Actions

Download metadata

Allows you to download an XML file with the Soffid Console metadata, to load it into your SAML Identity Provider federation when you use an external SAML identity provider.

Authentication

Confirm changes: Allows you to save the changes made in the authentication setup.