SafeNet IDPrime Virtual Setup
As a prerequisite, you must have a SafeNet IDPrime Virtual server that is up and running on your machine.
Configuring SafeNet Trusted Access as your identity provider in SafeNet IDPrime Virtual requires:
- Configuring the Identity Provider Configuration File
- Running the IDPV Server and Setting Up the IDPV Tenant
Configuring the Identity Provider Configuration File
Perform the following steps to configure the idp-configuration.json configuration file:
- On the STA console, copy the WELL KNOWN CONFIGURATION URL by clicking on the Copy to Clipboard icon available next to the WELL KNOWN CONFIGURATION URL field.
- In a browser, open the WELL KNOWN CONFIGURATION URL and copy the values of the following parameters and paste them in a text editor:
- Issuer URL
- jwks_uri
- In a browser, open the jwks_uri URL, and copy the values of the following keys and paste them in the text editor:
- kid
- n
- e
- Open the idp-configuration.json file that is placed at the /var/thales/config path and enter the values of the parameters given in the table below:
Parameter: Value
SigningKeys:
- IdpPublicKeyModulus: Enter the value of the n key copied from step 3.
- IdpPublicKeyExponent: Enter the value of the e key copied from step 3.
- IdpKeyId: Enter the value of the kid key copied from step 3.
IdpIssuerUrl: Enter the value of the Issuer parameter that you copied from the WELL KNOWN CONFIGURATION URL in step 2.
IdpClientId: Enter the value of the Client ID that is configured on the STA console. On the STA console, you can copy the Client ID by clicking on the Copy to Clipboard icon available next to the CLIENT ID field.
IdpRedirectUrl: Enter the VALID REDIRECT URL that is configured in the client configuration on the IDPV server.
For executing the IDPV client only:
URL structure: https://<server-host>/redirect
For example: https://www.idpvserver.com/redirect
For executing the Self-Service Portal and the IDPV client:
URL structure: https://<server-host>/redirect
For example: https://www.idpvserver.com/redirect
Note: This URL is updated per IDPV server host name.
IdentityProvider: Enter STA as the IDP type.
RefreshTokenExpirationDuration: By default, the value is 480.
JwtExpiration: Enter a timeframe (in seconds) to be used by the IDPV client. The IDPV client obtains the access token value during this timeframe preceding the expiration of the access token.
JwtGroupClaim: Enter Groups.
JwtUserClaim: Enter preferred_username.
IDPrimeVirtualAdmin: Enter a list of administrator group claim names (for example, IDPrimeVirtualAdmin).
IDPrimeVirtualUser: Enter a list of user group claim names (for example, IDPrimeVirtualUser).
Note: The user must be a member of at least one of the groups listed in the IDPrimeVirtualUser or IDPrimeVirtualAdmin parameter.
JwtAdminWhiteList: Contains the list of IDPrime Virtual Admin users.
IdpScope: The mandatory scope added to the application on STA. The IdpScope parameter is read from the IdpScope field of the tenant configuration. When the server is upgraded, an existing tenant is populated with the value openid for the STA IDP if this field is not explicitly provided. For a new tenant, this field must be configured in the idp-configuration.json file to match the STA client-side configuration.
The JwtAdminWhiteList, IDPrimeVirtualProvisioningAdmin, and OfflineTokenEnabledGroup parameters are optional and must be provided if the Provisioning and Offline mode functions are enabled.
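As an added example (not part of this guide or of the IDPV product), the following Python script assembles the 2.5-layout idp-configuration.json from a discovery document and a JWKS the way steps 2 to 4 describe by hand, and applies the checks an operator would want before trusting a signing key: only RSA keys marked for signing are taken, kid/n/e must all be present, the modulus must be at least 2048 bits, and the redirect URL must follow the https://<server-host>/redirect structure. The DISCOVERY and JWKS values, the modulus bytes and every function name are constructed for the example; the defaults in DEFAULTS are copied from Sample 1 below.

```python
import base64
# Constructed stand-ins for what the WELL KNOWN CONFIGURATION URL and its
# jwks_uri return (example values, not a real STA tenant).
DISCOVERY = {"issuer": "https://idp.example.invalid/auth/realms/EXAMPLE-STA"}
# Constructed 256-byte (2048-bit) modulus: a byte pattern, not a real RSA key.
_N = base64.urlsafe_b64encode(bytes([0xC3]) + bytes(range(1, 256))).rstrip(b"=").decode()
JWKS = {"keys": [
    {"kty": "EC", "kid": "ec-enc-key", "use": "enc", "crv": "P-256", "x": "AA", "y": "AA"},
    {"kty": "RSA", "kid": "sig-key-1", "use": "sig", "alg": "RS256", "n": _N, "e": "AQAB"},
]}
# Defaults taken from the 2.5 sample in this guide.
DEFAULTS = {
    "IdentityProvider": "STA", "RefreshTokenExpirationDuration": "480", "JwtExpiration": "0000001e",
    "JwtGroupClaim": "Groups", "JwtUserClaim": "preferred_username", "JwtAdminWhiteList": "",
    "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin", "IDPrimeVirtualUser": "IDPrimeVirtualUser",
    "OfflineTokenEnabledGroup": "IDPrimeVirtualOffline",
    "IDPrimeVirtualProvisioningAdmin": "IDPrimeVirtualProvisioningAdmin",
    "IdpScope": "openid offline_access api://idpv/idpvscope",
}

def b64url_decode(s):
    # JWK 'n' and 'e' are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def signing_keys_from_jwks(jwks, min_bits=2048):
    # Map each RSA signing JWK to a SigningKeys entry (2.5 layout), rejecting
    # incomplete keys and short moduli; EC and encryption-only keys are skipped.
    keys = []
    for k in jwks.get("keys", []):
        if k.get("kty") != "RSA" or k.get("use", "sig") != "sig":
            continue
        missing = [f for f in ("kid", "n", "e") if not k.get(f)]
        if missing:
            raise ValueError(f"JWK {k.get('kid')!r} lacks {missing}")
        bits = int.from_bytes(b64url_decode(k["n"]), "big").bit_length()
        if bits < min_bits:
            raise ValueError(f"JWK {k['kid']!r}: {bits}-bit modulus is below {min_bits}")
        keys.append({"IdpPublicKeyModulus": k["n"], "IdpPublicKeyExponent": k["e"],
                     "IdpKeyId": k["kid"]})
    if not keys:
        raise ValueError("no RSA signing key found in JWKS")
    return keys

def build_idp_config(discovery, jwks, client_id, redirect_url):
    # The redirect URL must follow https://<server-host>/redirect (see the table above).
    if not (redirect_url.startswith("https://") and redirect_url.endswith("/redirect")):
        raise ValueError("IdpRedirectUrl must be https://<server-host>/redirect")
    return {"SigningKeys": signing_keys_from_jwks(jwks), "IdpClientId": client_id,
            "IdpIssuerUrl": discovery["issuer"], "IdpRedirectUrl": redirect_url, **DEFAULTS}
```

Call build_idp_config with the real discovery document, JWKS, Client ID and redirect URL and write the returned dict to /var/thales/config/idp-configuration.json with json.dump.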
Sample 1: idp-configuration.json file for the 2.5 release
vim idp-configuration.json
{
"SigningKeys": [
{
"IdpPublicKeyModulus": "ilNhKqAQBQaXTDWt5ns2G5506-W5-sUgWulUMMv7EPmJTlOymAcHFQwwX3kb6ktPWqfOi1POQiHvAa6vYkDu9N-9W0TZLYWsRaS8xrxyeXhYqpQwuRjrVelITBTQEBrfNxypWbVPCUkMrW9uW1JrcAp4Glg3LjJnkmQ_5WA5MkiqB6HcTdZZh2z4V5aqInKKSlim-_KChEo2Z1i5LngCw5dSGo-1_S6tJ_nzhazVlBYNEkfBlA_81sJ3i98_ZA9s67E9MeZ0h1dQJmPAlnnXaghFVWnxVPEmnMOOGDxJomgOgh1xLKAa_5Irgk1qp-Nsn-cXP6NFoBnRfuV8Pamw-Q",
"IdpPublicKeyExponent": "AQAB",
"IdpKeyId": "ohB2F9_d-4xAaQeKtBxmayRuC4PtkDthWliCrLrKJ-Q"
}
],
"IdpClientId":"878cffb6-gh57a-4df3-a71b-0a8c984b3cee",
"IdpIssuerUrl":"https://idp.safenetid.com/auth/realms/2H31DFOIEQ-STA",
"IdpRedirectUrl": "https://www.idpvserver.com/redirect",
"IdentityProvider": "STA",
"RefreshTokenExpirationDuration": "480",
"JwtExpiration": "0000001e",
"JwtGroupClaim":"Groups",
"JwtUserClaim":"preferred_username",
"JwtAdminWhiteList":"",
"IDPrimeVirtualAdmin":"IDPrimeVirtualAdmin",
"IDPrimeVirtualUser":"IDPrimeVirtualUser",
"OfflineTokenEnabledGroup":"IDPrimeVirtualOffline",
"IDPrimeVirtualProvisioningAdmin": "IDPrimeVirtualProvisioningAdmin",
"IdpScope": "openid offline_access api://idpv/idpvscope"
}
Sample 2: idp-configuration.json file for the 2.4.1 release
vim idp-configuration.json
{
"IdpPublicKeyModulus":"ilhngkhsdnfsUgWulUMMv7EPmJTlOymAcHFQwwX3kb6ktPWqfOi1POQiHvAa6vYkDu9N-9W0TZLYWsRaS8xrxyeXhYqpQwuRjrVelITBTQEBrfNxypWbVPCUkMrW9uW1JrcAp4Glg3LjJnkmQ_5WA5MkiqB6HcTdZZh2z4V5aqInKKSlim-_KChEo2Z1i5LngCw5dSGo-1_S6tJ_nzhazVlBYNEkfBlA_81sJ3i98_ZA9s67E9MeZ0h1dQJmPAlnnXaghFVWnxVPEmnMOOGDxJomgOgh1xLKAa_5Irgk1qp-Nsn-cXP6NFoBnRfuV8Pamw-Q",
"IdpPublicKeyExponent":"AQAB",
"IdpKeyId":"ohB2F9_d-4xAaQeKtBxJuneuCjulyDthWrilpKJ-Q",
"IdpClientId":"878cffb6-gh57a-4df3-a71b-0a8c984b3cee",
"IdpIssuerUrl":"https://idp.safenetid.com/auth/realms/2H31DFOIEQ-STA",
"IdpRedirectUrl": "https://www.idpvserver.com/redirect",
"IdentityProvider": "STA",
"RefreshTokenExpirationDuration": "480",
"JwtExpiration": "0000001e",
"JwtGroupClaim":"Groups",
"JwtUserClaim":"preferred_username",
"JwtAdminWhiteList":"",
"IDPrimeVirtualAdmin":"IDPrimeVirtualAdmin",
"IDPrimeVirtualUser":"IDPrimeVirtualUser",
"OfflineTokenEnabledGroup":"IDPrimeVirtualOffline",
"IDPrimeVirtualProvisioningAdmin": "IDPrimeVirtualProvisioningAdmin"
}
You can modify the policy-configuration.json file as per your preferred configuration.
Sample of policy-configuration.json file:
{
"UserPinPolicy": {
"MaxRetries": 5,
"IsMustChange": false
},
"AdminPinPolicy": {
"MaxRetries": 5,
"IsMustChange": false
},
"OfflineTokenPolicy": {
"ValidityDurationInHours": 120,
"PrivateKeyExportLevel": "All"
}
}
Sample of sws-config.json file:
{
"_comment1": "(Mandatory for SWS API) The commercial name of the remote service. The maximum size of the string is 255 characters.",
"Name": "Thales Signing Web Service",
"_comment2": "(Mandatory for SWS API) The ISO 3166-1 [22] Alpha-2 code of the Country where the remote service provider is established (e.g. ES for Spain).",
"Region": "US",
"_comment3": "(Mandatory for SWS API) The URI of the image file containing the logo of the remote service which SHALL be published online. The image SHALL be in either JPEG or PNG format and not larger than 256x256 pixels.",
"Logo": "https://example.com/SWSLogo.png",
"_comment4": "(Mandatory for SWS API) The maximum size of the string is 255 characters.",
"Description": "The Signing web service (SWS) APIs are based on Cloud Signature Consortium (CSC) standards and it supports web and mobile applications and comply with the most demanding electronic signature regulations in the world."
}
Running the IDPV Server and Setting Up the IDPV Tenant
After configuring the SafeNet IDPrime Virtual Server files as mentioned in the SafeNet IDPrime Virtual Solution Guide, you need to perform the following steps to run the IDPV server and set up the IDPV tenant:
Running the IDPV Server
- Run the following Docker command to run the SafeNet IDPrime Virtual server:
docker run -d --name <container-name> -it -v <configuration-directory>:/publish/Config/ -v <luna/dpod/KeySecure-configuration-directory>:/usr/local/hsm/ -p <host-https-port>:5001 <docker image>:<version>
Where,
- <container-name> is the name of the Virtual IDPrime Server container. For example, idprimevirtualserver
- <configuration-directory> is the path of the host directory that contains the relevant files or certificates. For example, /var/thales/config/. Inside the container, this path is referred to as /publish/Config.
- <luna/dpod/KeySecure-configuration-directory> is the path of the host directory that contains the files for Luna HSM, DPoD, or KeySecure. For example, /var/thales/hsm/
- <docker image>:<version> is the docker image name and its version. For example, idprimevirtual_server:2.4.0
For example,
docker run -d --name idprimevirtualserver -it -v /var/thales/config:/publish/Config/ -v /var/thales/hsm:/usr/local/hsm/ -p 443:5001 idprimevirtual_server:2.4.0.xxx
- Once the command is executed successfully, a 64-character GUID is visible for the container. Run the following command to view the log file:
docker logs <container-name>
For example,
docker logs idprimevirtualserver
- Run the following command to enter the container:
docker exec -it <container-name> /bin/bash
For example,
docker exec -it idprimevirtualserver bash
Setting Up the IDPV Tenant
- Run the following command to create a SafeNet IDPrime Virtual (IDPV) tenant:
SetupTenant create -i <Config/idp-staclassic-redirect.json> -p <Config/policy-configuration.json> -k true (or false) -a <IDP_client_secret> -n <tenant_name> -u true (or false) -c <IDPV (or SWS)> -m false (or true) -s <Config/sws-config.json>
Where,
- -i accepts a json file as an IDP configuration file (Mandatory).
- -p accepts a json file as a token policy configuration file (Mandatory).
- -k accepts true or false for the HSM export key flag. It is true by default (Optional). If -k is explicitly set to true, the tenant is created in export mode, provided that the HSM supports it.
- -a accepts the IDP Client Secret (Mandatory).
- -c accepts the tenantCategory (Optional). Use SafeNet IDPrime Virtual (IDPV) or Signature Web Service (SWS) to specify a tenant category. If -c is not given, the default value is IDPV.
- -n accepts a tenant name.
- -m accepts true or false for the SKS mode flag. The default value is set to false.
- -s accepts a json file as a sws configuration file.
- -u accepts true or false. When -u is true, the IDPV Admin needs to provision the smart card for the user by using Connecting on behalf of the user functionality. When -u is false, the user can provision the smart card on his own, by connecting with the IDPV Client.
IDPV Tenant Example:
SetupTenant create -i Config/idp-staclassic-redirect.json -p Config/policy-configuration.json -k true -a fd1b4b61-32ba-47b3-a0c9-cf8bda938b4d -n 'Okta-IDPV-Tenant' -u true -c IDPV
SWS Tenant Example:
SetupTenant create -i Config/idp-staclassic-redirect.json -p Config/policy-configuration.json -k true -a fd1b4b61-32ba-47b3-a0c9-cf8bda938b4d -n 'Okta-SWS-Tenant' -c SWS -m True -s Config/sws-config.json
- After running the above command, a Tenant ID is generated, saved as a text file at /publish/Tenant/<TenantGUID>.txt inside the container, and displayed on the console.
- Copy the Tenant ID file to the host machine using the following command:
docker cp <container-name>:/publish/Tenant/<TenantGUID>.txt <location on host>