This page explains the configuration parameters in: Settings > ZTNA > Configurations > Identity Providers of admin portal (portal.safous.com)
This page provides the settings the administrator uses to manage authentication for the user portal. By default, a local IdP is enabled that keeps the user database locally, but you can also add another IdP to let users authenticate through a third-party IdP, such as an LDAP server, MS-AD, a SAML-based authenticator, etc.
1. Status, this column has a toggle switch for each registered IdP (Identity Provider) with which you enable or disable it.
2. Name, this column shows the name of the registered IdP defined by the administrator.
3. IdP Type, this column shows the protocol used by the registered IdP: local (system default), LDAP, OpenID, or SAML.
4. MFA, this column shows the multi-factor authentication setting for the registered IdP: Mandatory (use the system MFA), No MFA (MFA is not used), or External MFA (use the MFA of the registered third-party IdP).
5. Enroll Method, this column shows how a user who has been newly registered in the third-party IdP is enrolled on the Safous side: Admin rollout (the user must be registered manually in Safous; there is no automatic sync with the third-party IdP) or Self enrollment (the user can register in Safous right after being registered in the third-party IdP).
6. User Activation, this column shows how a user is activated after enrollment (for Self enrollment): Automatic (active right after enrollment) or Manual (must be activated by the administrator after enrollment).
7. Plus (+) button, click this button to show the detailed configuration of a registered third-party IdP. The configuration parameters are explained in point 8.
8. New IdP, this button allows you to register a third-party IdP to authenticate users to the user portal. When you click this button, a form will appear for you to fill out.
a) LDAP
a.1) IdP Name, fill this parameter with a suitable name to describe the third-party IdP.
a.2) Status, toggle this switch to disable/enable the third-party IdP.
a.3) Make sure you choose LDAP in this option.
a.4) LDAP Type, choose the type of LDAP whether Active Directory for Microsoft or Open LDAP for open source version.
a.5) Server Address, fill in the LDAP server address.
a.6) Port, define the LDAP port (default is 389).
a.7) Site, choose which site/AppGW has a connection to the LDAP server (you can choose more than one or all of them).
a.8) User's Base, obtain this value from the LDAP server and make sure the account used has the required authority/permission.
a.9) User's DN, obtain this value from the LDAP server.
a.10) User's Password, fill in the password belonging to the user information mentioned in point #a.8.
a.11) Use SSL, check this option if you use LDAPS, which also allows end users to reset their AD password through Safous. To enable this mode, Active Directory must support LDAPS. See the following article:
Also, the port in point #a.6 should then be set to 636 (the default LDAPS port).
a.12) Username, fill in this parameter with the username attribute from the LDAP server. Usually, the attribute is as shown in the picture.
a.13) Email, fill in this parameter with the email attribute from the LDAP server. Usually, the attribute is as shown in the picture.
a.14) First Name, fill in this parameter with the first name attribute from the LDAP server.
a.15) Last Name, fill in this parameter with the last name attribute from the LDAP server.
a.16) Phone Number, fill in this parameter with the phone number attribute from the LDAP server.
a.17) Personal Desktop, fill in this parameter with the personal desktop attribute from the LDAP server.
a.18) MFA Mode, choose the MFA setting for this IdP: Mandatory (MFA enrollment is enforced by the Safous system), No MFA, or External MFA (use the third-party IdP's MFA).
a.19) MFA Method, check which MFA options (for the Mandatory MFA mode) you want for the IdP: QR-based, phone number to receive an SMS, or Email.
a.20) Request from user when they enroll—Personal Desktop, when this option is checked, the user is asked for their personal desktop information during the first enrollment.
a.21) Method to enroll users, choose the enrollment method for the IdP's users: admin rollout (the user must be registered manually by the administrator in the system) or self-service enrollment (the user is registered in the system automatically once registered in the third-party IdP).
a.22) Domain based check, the purpose is to redirect new users, on their first login attempt, to the relevant IdP by looking at the domain part of the username:
- When “No domain” is checked, users who do not provide a full domain name can enroll via this IdP.
- When “With Domain” is checked, two tabs are available, “Any domain” and “Selected domain.” “Any domain” is selected by default, which means the user will be able to enroll with this IdP regardless of their user domain. To make the enrollment process more restricted, select “With Domain,” and enter “Specific Domains”.
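As an added illustration (not Safous code), the consistency rules from points a.6, a.11, a.18 and a.19 as a small checker that can be run over an LDAP entry before saving it. The field names, the constructed sample entries, the AD attribute names and the choice of Username and Email as the minimum required mappings are assumptions, not the portal's own schema:

```python
from dataclasses import dataclass, field

LDAP_PORT, LDAPS_PORT = 389, 636          # default LDAP / LDAPS ports (points a.6 and a.11)


@dataclass
class LdapIdp:
    """One LDAP entry from the New IdP form; field names are assumptions, not Safous' schema."""
    name: str
    ldap_type: str                        # "Active Directory" or "Open LDAP"
    server: str
    port: int
    use_ssl: bool                         # the "Use SSL" checkbox (LDAPS)
    attributes: dict = field(default_factory=dict)   # form field -> LDAP attribute name
    mfa_mode: str = "Mandatory"           # Mandatory / No MFA / External MFA
    mfa_methods: tuple = ()               # QR-based / SMS / Email, used in Mandatory mode only


def check_ldap_idp(idp: LdapIdp) -> list:
    """Return human-readable findings; an empty list means the entry is consistent."""
    findings = []
    if idp.use_ssl and idp.port != LDAPS_PORT:
        findings.append(f"Use SSL is on but port is {idp.port}; LDAPS normally uses {LDAPS_PORT}")
    if not idp.use_ssl:
        # Plain LDAP: the bind password crosses the network unencrypted, and the
        # AD password-reset feature described in a.11 is unavailable.
        findings.append("Use SSL is off: bind credentials are sent in cleartext, AD password reset unavailable")
        if idp.port == LDAPS_PORT:
            findings.append(f"port {LDAPS_PORT} is the LDAPS port but Use SSL is off; a plain bind will not work there")
    # Assumption: Username and Email are the minimum mappings a login needs.
    for required in ("Username", "Email"):
        if not idp.attributes.get(required):
            findings.append(f"{required} attribute is not mapped")
    if idp.mfa_mode == "Mandatory" and not idp.mfa_methods:
        findings.append("MFA Mode is Mandatory but no MFA Method is checked")
    if idp.mfa_mode != "Mandatory" and idp.mfa_methods:
        findings.append("MFA Method only applies when MFA Mode is Mandatory")
    return findings


# Constructed sample entries (the attribute names are the usual AD ones; an assumption).
ATTRS = {"Username": "sAMAccountName", "Email": "mail", "First Name": "givenName", "Last Name": "sn"}
WEAK = LdapIdp("Corp AD (plain)", "Active Directory", "dc01.corp.example", LDAP_PORT, False, ATTRS, "Mandatory", ("QR-based",))
HARDENED = LdapIdp("Corp AD (LDAPS)", "Active Directory", "dc01.corp.example", LDAPS_PORT, True, ATTRS, "Mandatory", ("QR-based",))

if __name__ == "__main__":
    for idp in (WEAK, HARDENED):
        print(idp.name, check_ldap_idp(idp) or ["ok"])
```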
b) OpenID
b.1) IdP Name, fill this parameter with a suitable name to describe the third-party IdP.
b.2) Status, toggle this switch to disable/enable the third-party IdP.
b.3) Make sure you choose OpenID in this option; several checkboxes will then appear. The checkboxes define what kind of data will be requested from the IdP during authentication:
- openid: request for OIDC authentication and an ID token.
- email: request for access to the end user’s email.
- profile: request for access to the end user’s profile.
b.4) OpenID Issuer, the issuer URL provided by the third-party IdP.
b.5) ClientID, a public identifier provided by the third-party IdP.
b.6) Client Secret, used by the client to exchange an authorization code for a token provided by the third-party IdP.
b.7) to b.12) Attributes, these attributes need to be mapped from the third-party IdP to this configuration (attributes marked with the * symbol are mandatory).
b.13) MFA Mode, choose the MFA setting for this IdP: Mandatory (MFA enrollment is enforced by the Safous system), No MFA, or External MFA (use the third-party IdP's MFA).
b.14) MFA Method, check which MFA options (for the Mandatory MFA mode) you want for the IdP: QR-based, phone number to receive an SMS, or Email.
b.15) Auto provisioning, an identity management process that ensures user accounts are created, granted the proper permissions, modified, disabled, and deleted as needed.
b.16) Request from user when they enroll—Personal Desktop, when this option is checked, the user is asked for their personal desktop information during the first enrollment.
b.17) Method to enroll users, choose the enrollment method for the IdP's users: admin rollout (the user must be registered manually by the administrator in the system) or self-service enrollment (the user is registered in the system automatically once registered in the third-party IdP).
b.18) Domain based check, the purpose is to redirect new users, on their first login attempt, to the relevant IdP by looking at the domain part of the username:
- When “No domain” is checked, users who do not provide a full domain name can enroll via this IdP.
- When “With Domain” is checked, two tabs are available, “Any domain” and “Selected domain.” “Any domain” is selected by default, which means the user will be able to enroll with this IdP regardless of their user domain. To make the enrollment process more restricted, select “With Domain,” and enter “Specific Domains”.
c) SAML
c.1) SAML, make sure this tab is chosen to indicate that SAML will be used to integrate with the third-party IdP.
c.2) Entity Issuer, a parameter provided by the third-party IdP, usually the identity/name of the application.
c.3) SSO Issuer, a URL that uniquely identifies the third-party SAML IdP.
c.4) SSO URL, the SSO URL provided by the third-party IdP.
c.5) CA Trusted Certificate, the X.509 certificate from the third-party IdP.
c.6) Attributes Mapping, these attributes need to be mapped from the third-party IdP to this configuration (attributes marked with the * symbol are mandatory).
c.7) MFA Mode, choose the MFA setting for this IdP: Mandatory (MFA enrollment is enforced by the Safous system), No MFA, or External MFA (use the third-party IdP's MFA).
c.8) MFA Method, check which MFA options (for the Mandatory MFA mode) you want for the IdP: QR-based, phone number to receive an SMS, or Email.
c.9) Auto provisioning, an identity management process that ensures user accounts are created, granted the proper permissions, modified, disabled, and deleted as needed.
c.10) Settings enroll - Personal Desktop, when this option is checked, the user is asked for their personal desktop information during the first enrollment.
c.11) Method to enroll users, choose the enrollment method for the IdP's users: admin rollout (the user must be registered manually by the administrator in the system) or self-service enrollment (the user is registered in the system automatically once registered in the third-party IdP).
c.12) Domain based check, the purpose is to redirect new users, on their first login attempt, to the relevant IdP by looking at the domain part of the username:
- When “No domain” is checked, users who do not provide a full domain name can enroll via this IdP.
- When “With Domain” is checked, two tabs are available, “Any domain” and “Selected domain.” “Any domain” is selected by default, which means the user will be able to enroll with this IdP regardless of their user domain. To make the enrollment process more restricted, select “With Domain,” and enter “Specific Domains”.
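The domain-based check described in points a.22, b.18 and c.12 as a small routing model, added here as an illustration rather than Safous' own logic. It assumes usernames of the form user@domain, the setting names are assumptions modelled on the form labels, and the Identity Providers table is a constructed sample:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainCheck:
    """The "Domain based check" settings of one IdP (field names are assumptions)."""
    no_domain: bool = False            # "No domain" checked: bare usernames may enroll here
    with_domain: bool = False          # "With Domain" checked
    any_domain: bool = True            # "Any domain" tab (default) vs "Selected domain"
    specific_domains: frozenset = frozenset()   # lower-case entries of "Specific Domains"


@dataclass(frozen=True)
class Idp:
    name: str
    enabled: bool                      # the Status toggle
    check: DomainCheck


def domain_of(username: str):
    """Assumes user@domain; returns the lower-cased domain, or None when none was given."""
    _, sep, domain = username.rpartition("@")
    return domain.lower() if sep and domain else None


def accepts(check: DomainCheck, domain) -> bool:
    if domain is None:                 # no full domain name supplied
        return check.no_domain
    if not check.with_domain:
        return False
    return check.any_domain or domain in check.specific_domains


def route_new_user(username: str, idps) -> list:
    """Names of the enabled IdPs whose domain check lets this username enroll.
    More than one name means the first-login redirect is ambiguous because the
    domain settings of those IdPs overlap; zero means nobody can enroll the user."""
    domain = domain_of(username)
    return [idp.name for idp in idps if idp.enabled and accepts(idp.check, domain)]


# Constructed sample of an Identity Providers table.
IDPS = (
    Idp("Local", True, DomainCheck(no_domain=True)),
    Idp("Corp AD", True, DomainCheck(with_domain=True, any_domain=False,
                                     specific_domains=frozenset({"corp.example"}))),
    Idp("Partner OIDC", True, DomainCheck(with_domain=True)),     # "Any domain": overlaps Corp AD
    Idp("Old SAML", False, DomainCheck(with_domain=True)),         # disabled, never chosen
)

if __name__ == "__main__":
    for user in ("alice@corp.example", "bob@partner.example", "carol"):
        print(user, "->", route_new_user(user, IDPS))
```

A result with two or more names is the case to look for when reviewing the table: an "Any domain" IdP next to a "Selected domain" one lets users of the restricted domain enroll through either.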
After you define all parameters, don't forget to click the Save button.