SafeNet IDPrime Virtual Setup
As a prerequisite, you must have a SafeNet IDPrime Virtual server that is up and running on your machine with the required services.
Configuring Active Directory Federation Services (ADFS) as your identity provider in SafeNet IDPrime Virtual requires:
- Configuring the Identity Provider Configuration File
- Running the IDPV Server and Setting Up the IDPV Tenant
Configuring the Identity Provider Configuration File
Perform the following steps to configure the idp-configuration.json configuration file:
1. Access the following OIDC discovery URL provided by ADFS and copy the jwks URI:
   https://<dns_name_of_adfs_server>/adfs/discovery/keys
2. In a Web browser, open the jwks URI, copy the values of the following keys, and paste them in a text editor:
   - kid
   - n
   - e
3. Open the idp-configuration.json file that is placed at the /var/thales/config path and enter the values of the parameters given in the following table:
| Parameter | Value |
|---|---|
| SigningKeys | IdpPublicKeyModulus: enter the value of the n key copied from the jwks URI. IdpPublicKeyExponent: enter the value of the e key copied from the jwks URI. IdpKeyId: enter the value of the kid key copied from the jwks URI. |
| IdpClientId | Enter the Client ID that is available on the ADFS admin console; refer to Active Directory Federation Services Configuration. |
| IdpIssuerUrl | Enter the value of the Issuer URL from the .well-known (OIDC discovery) URL. |
| IdpRedirectUrl | Enter the VALID REDIRECT URL that is configured in the client configuration on the IDPV server. URL structure: https://<server-host>/redirect, for example https://www.idpvserver.com/redirect. The same structure applies whether you run only the IDPV client or both the Self-Service Portal and the IDPV client. Note: this URL is updated per IDPV server host name. |
| IdentityProvider | Enter Generic as the IDP type. |
| RefreshTokenExpirationDuration | By default, the value is 480. |
| JwtExpiration | Enter a timeframe (in seconds) to be used by the IDPV client. The IDPV client obtains a new access token during this timeframe preceding the expiration of the current access token. |
| JwtGroupClaim | Enter Groups. |
| JwtUserClaim | Enter preferred_username. |
| IDPrimeVirtualAdmin | Enter a list of administrator group names (for example, IDPrimeVirtualAdmin). |
| IDPrimeVirtualUser | Enter a list of user group names (for example, IDPrimeVirtualUser). A user must be a member of at least one of the groups listed in the IDPrimeVirtualUser or IDPrimeVirtualAdmin parameter. |
| OfflineTokenEnabledGroup | Enter a list of group claim names for offline mode. |
| IDPrimeVirtualProvisioningAdmin | Enter a list of provisioning admin groups. |
| JwtAdminWhiteList | Contains a list of IDPrime Virtual Admin users. |
| IdpScope | The mandatory scope added to the application on ADFS. The IdpScope parameter reads the IdpScope field of the tenant configuration. When the server is upgraded, an old tenant is populated with the value idpvscope openid offline_access for the ADFS IDP if this field is not explicitly provided. For a new tenant, this field must be configured to match the ADFS client side in the idp-configuration.json file. |
The JwtAdminWhiteList, OfflineTokenEnabledGroup and IDPrimeVirtualProvisioningAdmin parameters are optional and must be provided only if the Provisioning and Offline mode functions are enabled.
Sample idp-configuration.json file for the 2.5 release:

```json
{
  "IdpClientId":"1a681eba-9a97-4cf5-a52a-7f2351288b92",
  "IdpIssuerUrl":"https://adfs.idpv.local/adfs",
  "IdpRedirectUrl":"https://www.idpvserver.com/redirect",
  "IdentityProvider":"Generic",
  "RefreshTokenExpirationDuration":"480",
  "JwtExpiration":"0000001e",
  "JwtGroupClaim":"Groups",
  "JwtUserClaim":"preferred_username",
  "JwtAdminWhiteList":"Mohit.kohli@idpv.local",
  "IDPrimeVirtualAdmin":"IDPrimeVirtualAdmin",
  "IDPrimeVirtualUser":"IDPrimeVirtualUser",
  "OfflineTokenEnabledGroup":"IDPrimeVirtualOffline",
  "IDPrimeVirtualProvisioningAdmin":"IDPrimeVirtualProvisioningAdmin",
  "IdpScope":"openid",
  "SigningKeys":[
    {
      "IdpPublicKeyModulus":"xU04IX_aihKbwlHRcC_pWRU8z4TQ2DDXQWD4bQHk5a6rUEagvWplUxvESEfCnGUULZd21Szje6UKyBt8gcwYZSQYVggSEzVDt5-FOY1DnukXMq-uEoIAV4APfUiIXqRhwbD4bR8Vd1eEvilj17mvloO9_HWmv-xGNIDiGaiU554tGjj_wo_9CKhlmORsPwZWs_qTfEhZIIKXvhk4v-ZOT7jjpMzjFp4NrfYeEmQvnURX6pY9tcpLW-c0kGs3z1QZq_AvaVwv1xoX6_9PFcfGOWsfZXSRC06TMIedyiCdHMAgstVldfCM_HCwOBE23r2RoYFOtFWR5w5qeJNK8ZVWLOHUowIRz6vfc0wV0cuwr-G5dJM6D6MGtxQnqrjstCeXbSulRzCbYvQOV5FFKhDLI5deqVLIwiyFDHAYKWonQmdhPSRRdje-2yPdt3dfpvoL83VZCGgvNlwUG631aqA941p2Yqocxp__L5ccxOTsMG5gvEGHV7muXUOUgkV-wEcbVjb54dZHve7_qUPCrgJq-2iy4W-jxFMdPnMWtNzI9tka-HA-AVKf4UPt73r-5VzOSDu-Va_pvI1riNazkEHMcQ9qc1gwMseEP8lwZAHg_WzYtNybVBFU_cA4UcHJwc1vLsowZGIREDccT9Mos1Y7zWduotmMMVaaNmNn0pWWXV0",
      "IdpPublicKeyExponent":"AQAB",
      "IdpKeyId":"gZGXEN_kiY-Vm0NfY5qtQ7kvCGs"
    }
  ]
}
```
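The three steps above (open the jwks URI, copy kid/n/e, fill in SigningKeys) and the checks implied by the parameter table can be scripted so that the file is generated rather than hand-edited. The following Python script is an added example and not Thales code: it takes a JWKS document (here a constructed one embedded inline, with made-up key material), keeps only the RSA keys marked for signing, maps them onto SigningKeys entries, runs sanity checks drawn from the table (https issuer URL, redirect URL of the form https://<server-host>/redirect, openid present in IdpScope), and reports configured kids that the IdP no longer publishes, which is how a stale SigningKeys section shows up after the ADFS token-signing certificate has rolled over. The hostnames, the all-zero client id placeholder and the 2048-bit minimum modulus are this example's own assumptions.

```python
import base64
import json

# Constructed sample: a JWKS document shaped like the one ADFS serves at
# /adfs/discovery/keys. The key material is made up (a 2048-bit integer with
# a recognisable pattern); it is not a real token-signing key.
SAMPLE_MODULUS_INT = (1 << 2047) | 0x1234567


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


SAMPLE_JWKS = {
    "keys": [
        # A key not meant for signing: it must not be copied into SigningKeys.
        {"kty": "RSA", "use": "enc", "kid": "enc-key-constructed", "e": "AQAB",
         "n": b64url_encode((SAMPLE_MODULUS_INT + 2).to_bytes(256, "big"))},
        # The token-signing key: its kid/n/e are what goes into the file.
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sig-key-constructed",
         "e": "AQAB", "n": b64url_encode(SAMPLE_MODULUS_INT.to_bytes(256, "big"))},
    ]
}


def select_signing_keys(jwks: dict) -> list:
    """RSA keys meant for signature verification; an absent 'use' counts as signing."""
    keys = [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"
            and all(field in k for field in ("kid", "n", "e"))]
    if not keys:
        raise ValueError("JWKS contains no usable RSA signing key")
    return keys


def modulus_bits(n_b64url: str) -> int:
    """Size in bits of the RSA modulus carried in the JWK 'n' member."""
    return int.from_bytes(b64url_decode(n_b64url), "big").bit_length()


def to_signing_keys(jwks: dict) -> list:
    """Map JWKS members onto the SigningKeys entries of idp-configuration.json."""
    return [{"IdpPublicKeyModulus": k["n"], "IdpPublicKeyExponent": k["e"],
             "IdpKeyId": k["kid"]} for k in select_signing_keys(jwks)]


def stale_configured_kids(config: dict, jwks: dict) -> list:
    """kids in the configured SigningKeys that the IdP no longer publishes
    (what a rolled-over ADFS token-signing certificate looks like from here)."""
    live = {k["kid"] for k in select_signing_keys(jwks)}
    return [s["IdpKeyId"] for s in config.get("SigningKeys", [])
            if s["IdpKeyId"] not in live]


def validate_config(config: dict) -> list:
    """Sanity checks derived from the parameter table; an empty list means pass."""
    required = ("IdpClientId", "IdpIssuerUrl", "IdpRedirectUrl", "IdentityProvider",
                "JwtGroupClaim", "JwtUserClaim", "IDPrimeVirtualAdmin",
                "IDPrimeVirtualUser", "IdpScope", "SigningKeys")
    problems = [f"missing parameter {p}" for p in required if p not in config]
    if problems:
        return problems
    if not config["IdpIssuerUrl"].startswith("https://"):
        problems.append("IdpIssuerUrl must be an https URL")
    redirect = config["IdpRedirectUrl"]
    if not (redirect.startswith("https://") and redirect.endswith("/redirect")):
        problems.append("IdpRedirectUrl must look like https://<server-host>/redirect")
    if "openid" not in config["IdpScope"].split():
        problems.append("IdpScope must include openid")
    for key in config["SigningKeys"]:
        bits = modulus_bits(key["IdpPublicKeyModulus"])
        if bits < 2048:  # this example's own minimum, not a product requirement
            problems.append(f"key {key['IdpKeyId']}: modulus is only {bits} bits")
    return problems


def build_config(jwks: dict) -> dict:
    """Assemble a file in the shape of the sample above (constructed values)."""
    return {
        "IdpClientId": "00000000-0000-0000-0000-000000000000",  # placeholder client id
        "IdpIssuerUrl": "https://adfs.example.test/adfs",
        "IdpRedirectUrl": "https://idpv.example.test/redirect",
        "IdentityProvider": "Generic",
        "JwtGroupClaim": "Groups",
        "JwtUserClaim": "preferred_username",
        "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
        "IDPrimeVirtualUser": "IDPrimeVirtualUser",
        "IdpScope": "openid",
        "SigningKeys": to_signing_keys(jwks),
    }


if __name__ == "__main__":
    cfg = build_config(SAMPLE_JWKS)
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_config(cfg))
    print("stale kids:", stale_configured_kids(cfg, SAMPLE_JWKS))
```

In practice you would replace SAMPLE_JWKS with the JSON fetched from the jwks URI and re-run stale_configured_kids against the live document whenever token validation starts failing: a non-empty result means the kid in SigningKeys is no longer among the IdP's published signing keys and the file needs the current values.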
You can modify the policy-configuration.json file as per your preferred configuration.

Sample policy-configuration.json file:

[root@idpv2server config]# cat policy-configuration.json

```json
{
  "UserPinPolicy": {
    "MaxRetries": 5,
    "IsMustChange": false
  },
  "AdminPinPolicy": {
    "MaxRetries": 5,
    "IsMustChange": false
  },
  "OfflineTokenPolicy": {
    "ValidityDurationInHours": 120,
    "PrivateKeyExportLevel": "All"
  }
}
```
Running the IDPV Server and Setting Up the IDPV Tenant
After configuring the SafeNet IDPrime Virtual Server files as mentioned in the SafeNet IDPrime Virtual Solution Guide, you need to perform the following steps to run the IDPV server and set up the IDPV tenant:
Running the IDPV Server
1. Run the following Docker command to run the SafeNet IDPrime Virtual server:

   ```shell
   docker run -d --name <container-name> -it -v <configuration-directory>:/publish/Config/ -v <luna/dpod/KeySecure-configuration-directory>:/usr/local/hsm/ -p <host-https-port>:5001 <docker image>:<version>
   ```

   Where,
   - <container-name> is the name of the Virtual IDPrime Server container. For example, idprimevirtualserver
   - <configuration-directory> is the path of the host directory that contains the relevant files or certificates. For example, /var/thales/config/. Inside the container, this path is referred to as /publish/Config.
   - <luna/dpod/KeySecure-configuration-directory> is the path of the host directory that contains the files for Luna HSM, DPoD, or KeySecure. For example, /var/thales/hsm/
   - <docker image>:<version> is the docker image name and its version. For example, idprimevirtual_server:2.5.0

   For example,

   ```shell
   docker run -d --name idprimevirtualserver -it -v /var/thales/config:/publish/Config/ -v /var/thales/hsm:/usr/local/hsm/ -p 443:5001 idprimevirtual_server:2.5.0.xxx
   ```

2. Once the command is executed successfully, a 64-character GUID for the container is displayed. Run the following command to view the log file:

   ```shell
   docker logs <container-name>
   ```

   For example, docker logs idprimevirtualserver

3. Run the following command to enter the container:

   ```shell
   docker exec -it <container-name> /bin/sh
   ```

   For example, docker exec -it idprimevirtualserver sh
Setting Up the IDPV Tenant
1. Run the following command to create a SafeNet IDPrime Virtual (IDPV) tenant:

   ```shell
   setuptenant create -i Config/idp-configuration.json -p Config/policy-configuration.json -a AKmNHWB53wQ0ZlvbnIiV8CIaqfxFC0kmShasasd -u false -k true -j true -n "adfs-json"
   ```

   Where,
   - -i accepts a json file as the IDP configuration file (Mandatory).
   - -p accepts a json file as the token policy configuration file (Mandatory).
   - -a accepts the IDP Client Secret (Mandatory).
   - -c accepts the tenant category: SafeNet IDPrime Virtual (IDPV) or Signature Web Service (SWS). If -c is not given, the default value is IDPV.
   - -s accepts a json file as the SWS configuration file.
   - -n accepts a tenant name.
   - -u accepts the setupTenant list. To view the tenant usage details for all tenants, set -u true. To view the tenant usage details for a single tenant, set -u true and specify the tenant ID: -u true -t <TenantId>.
   - -k is applicable only for IDPV Server v2.5 onwards.
   - -j is applicable only for IDPV Server v2.5 onwards.

   IDPV Tenant Example:

   ```shell
   setuptenant create -i Config/idp-configuration.json -a bqxiKCDf2T4lDuSQu3bqolYOxqWE_BqGqqoenHrs -p Config/policy-configuration.json -n 'adfs-tenant' -k true -u true -j true
   ```

   After running the above command, a Tenant ID is generated, saved as a text file at /publish/Tenant/<TenantGUID>.txt, and displayed on the console.

2. Copy the Tenant ID file to the host machine using the following command:

   ```shell
   docker cp idprime-virtual-server-containername:/publish/Tenant/<TenantGUID>.txt <location on host>
   ```