Configuring the IDP and Token Policy Parameters
This section lists the IDP and Token Policy parameters that must be configured in the idp-configuration.json and policy-configuration.json files available under the /var/thales/config directory.
This document uses the /var/thales/config/ and /var/thales/hsm/ directories for placing configuration files. You can use different directory names if your deployment requires it; if you do, substitute them consistently wherever this document refers to the names above.
Updating Identity Provider Parameters
This section describes the procedure to update the Identity Provider (IDP) parameters. The IdP configuration is maintained and stored at the database level for each tenant.
To update the IdP parameters, refer to the parameters below and edit the sample idp-configuration.json file provided in the delivery package and placed in the /var/thales/config directory.
For the /var/thales/config directory, refer to step 1 of Deploying IDPrime Virtual Server in Kubernetes or step 4 of Deploying IDPrime Virtual Server in Docker, depending on how the IDPV server is deployed.
1. Go to the URL https://<idp-hostname>.safenetid.com/auth/realms/[realm ID]STA/protocol/openidconnect/certs. This URL is for the STA IDP; every IDP publishes its signing keys at its own URL, which is also listed as jwks_uri in the IDP's well-known configuration document. If the document lists more than one key, use the RSA key whose use value is sig (the signature key), not an encryption key. Copy the following key values:
   - kid key value and paste it in the IdpKeyId parameter.
   - n key value and paste it in the IdpPublicKeyModulus parameter.
   - e key value and paste it in the IdpPublicKeyExponent parameter.
   Whatever is pasted here becomes a trusted token-verification key for the tenant, so fetch the document over a TLS connection you trust. The key is copied statically, so repeat this step whenever the IDP rotates its signing key; SigningKeys is an array, so the new key can be listed alongside the old one during rotation.
2. Copy the CLIENT ID and WELL KNOWN CONFIGURATION URL values from the respective IDP configuration section:
   - Paste the CLIENT ID value in the IdpClientId parameter.
   - Open the WELL KNOWN CONFIGURATION URL in a browser and copy the value of issuer into the IdpIssuerUrl parameter. Copy it exactly as published (including or omitting the trailing slash); the issuer is compared as a string against the iss claim of every token, and a mismatch rejects all logins.
3. Copy the VALID REDIRECT URL value from the respective IDP configuration section:
   - Modify the IdpRedirectUrl parameter to match the VALID REDIRECT URL value.
   - Verify the values of the USER IDENTITY CLAIMS in the Configuring the Identity Provider section, and replace the values of the JwtGroupClaim and JwtUserClaim parameters if required.
   - Verify the values of the GROUP in the Configuring the Identity Provider section, and replace the values of the IDPrimeVirtualUser, IDPrimeVirtualAdmin, IDPrimeVirtualProvisioningAdmin and OfflineTokenEnabledGroup parameters, if required.
Refer to the parameters of the idp-configuration.json file in the table below, and edit the file using an editor (such as Vim). This includes the IDP-specific parameters gathered in the steps above. For more information, refer to the table below.
Parameters | Description | Example |
---|---|---|
IdentityProvider | Identity provider type. The IDPV supports the following values: > STA – For SafeNet Trusted Access > SAS PCE – For SafeNet Authentication Service Private Cloud Edition > Azure – For Azure > Okta – For Okta > PingId – For PingFederate > Generic – For any Identity provider which supports OIDC (not applicable for the Okta IDP). Type: Mandatory. Note: The IDPV solution has been tested with the IdPs listed above only. To evaluate IDPV with another IdP, use Generic. | "IdentityProvider": "STA", |
SigningKeys | Array of IDP public signing keys. IdpPublicKeyModulus (n), IdpPublicKeyExponent (e) and IdpKeyId (kid) are the parts of the public key copied from the IDP's key document; tokens presented to the IDPV server are verified against these keys. Type: Mandatory | "SigningKeys": [{"IdpPublicKeyModulus": "ilNhKqAQBQaXTDWt5ns2G5506-W5-sUgWulUMMv7EPmJTlOymAcHFQwwX3kb6ktPWqfOi1POQiHvAa6vYkDu9N-9W0TZLYWsRaS8xrxyeXhYqpQwuRjrVelITBTQEBrfNxypWbVPCUkMrW9uW1JrcAp4Glg3LjJnkmQ_5WA5MkiqB6HcTdZZh2z4V5aqInKKSlim-_KChEo2Z1i5LngCw5dSGo-1_S6tJ_nzhazVlBYNEkfBlA_81sJ3i98_ZA9s67E9MeZ0h1dQJmPAlnnXaghFVWnxVPEmnMOOGDxJomgOgh1xLKAa_5Irgk1qp-Nsn-cXP6NFoBnRfuV8Pamw-Q","IdpPublicKeyExponent": "AQAB","IdpKeyId": "ohB2F9_d-4xAaQeKtBxmayRuC4PtkDthWliCrLrKJ-Q"}], |
IdpIssuerUrl | Issuer URL of the IDP, exactly as published in the issuer field of its well-known configuration document. Type: Mandatory | "IdpIssuerUrl": "https://idp.safenetid.com/auth/realms/2H31DFOIEQ-STA", |
IdpClientId | Client ID of the IDPV application registered in the IDP. Type: Mandatory | "IdpClientId": "100kmb5y-sq8m-3sj0-z32l-4f3h511b9dsq", |
IdpRedirectUrl | The VALID REDIRECT URL configured in the client configuration on the IDP for the IDPV server. Type: Mandatory. Note: This URL is updated as per the IDPV server hostname. | "IdpRedirectUrl": "https://www.idpvserver.com/redirect", |
JwtAdminWhiteList | Comma-separated list of usernames (as carried in the token's username claim) that are treated as IDPrime Virtual Admin users during the authorization step, regardless of group membership. Type: Optional (can be empty) | "JwtAdminWhiteList": "dbrown,phawkins", |
JwtGroupClaim | Name of the claim in the access token (sent in the Authorization header) that carries the groups to which the user belongs. Type: Mandatory | "JwtGroupClaim": "Groups", |
JwtUserClaim | Name of the claim in the access token (sent in the Authorization header) that carries the username. Type: Mandatory | "JwtUserClaim": "preferred_username", |
JwtExpiration | A timeframe (in seconds) used by the IDPV client: the client obtains a new access token once the current one is within this many seconds of its expiration. Type: Mandatory | "JwtExpiration": "0000001e", |
IDPrimeVirtualAdmin | Comma-separated list of group names (or an asterisk to match all values) treated as Admin groups. Type: Mandatory | "IDPrimeVirtualAdmin": "Admin,administrator,IDPrimeVirtualAdmin", |
IDPrimeVirtualUser | Comma-separated list of group names (or an asterisk to match all values) treated as User groups. Note: With *, a token that carries no group claim at all is also accepted as IDPrimeVirtualUser, which gives unrestricted online access to every holder of a token from this IDP; use explicit group names in production. Type: Mandatory | "IDPrimeVirtualUser": "Users,IDPrimeVirtualUser", |
IDPrimeVirtualProvisioningAdmin | Comma-separated list of group names whose members are authorized to generate an APIKey for provisioning. Type: Optional (can be empty) | "IDPrimeVirtualProvisioningAdmin": "Admin,Administrator,ProvisioningAdmin", |
OfflineTokenEnabledGroup | Comma-separated list of group names with privileges for smart card offline usage. Note: With *, a token that carries no group claim at all is also given unrestricted offline access. To restrict offline mode access, either assign a null value or remove the parameter completely. Type: Optional (can be empty) | "OfflineTokenEnabledGroup": "Users,IDPrimeVirtualUser", |
RefreshTokenExpirationDuration | > A Refresh Token is a credential artifact that allows the client application to get a new access token without asking the user to log in again; this duration is the time for which the refresh token remains valid. > The value is given in minutes. > The value must be equal to or less than the value configured on the Identity Provider (Ping or Okta). Type: Mandatory (only if the IdP is Ping or Okta) | "RefreshTokenExpirationDuration": "480", |
IdpScope | > The scope requested from the IDP, which determines the permissions and behaviour of the issued token. > The value is IDP specific. Type: Mandatory | "IdpScope": "openid" (for STA) |
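The copy-and-paste steps above are easy to get subtly wrong (wrong key from the key document, issuer with an extra slash, an http redirect URL), and the result only fails at first login. The script below is an added example, not part of the IDPrime Virtual delivery package: it assembles the IdP section of idp-configuration.json from an IdP's JWKS (the certs document) and well-known configuration document, and then validates the result. The two documents, the hostnames, the client ID and the redirect URL are constructed placeholders, and the 2048-bit minimum key size is a choice made here, not a product requirement.

```python
"""Assemble and validate the IdP part of idp-configuration.json.

Added example (not product code). SAMPLE_JWKS and SAMPLE_DISCOVERY are
constructed stand-ins for what the IdP's certs URL and well-known
configuration URL return; the key material is synthetic.
"""
import base64
import binascii
import json
from urllib.parse import urlparse

# Synthetic 2048-bit modulus so the length check below has something to measure.
_FAKE_MODULUS = base64.urlsafe_b64encode(b"\x9f" * 256).rstrip(b"=").decode()
SAMPLE_JWKS = {
    "keys": [
        # Encryption key: must NOT be copied into SigningKeys.
        {"kid": "enc-key-1", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
         "n": _FAKE_MODULUS, "e": "AQAB"},
        # Signature key: this is the one whose kid/n/e go into the config.
        {"kid": "sig-key-1", "kty": "RSA", "use": "sig", "alg": "RS256",
         "n": _FAKE_MODULUS, "e": "AQAB"},
    ]
}
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/auth/realms/EXAMPLE-STA",
    "jwks_uri": "https://idp.example.com/auth/realms/EXAMPLE-STA/protocol/openid-connect/certs",
}

MANDATORY = ("IdentityProvider", "SigningKeys", "IdpIssuerUrl", "IdpClientId",
             "IdpRedirectUrl", "JwtGroupClaim", "JwtUserClaim", "JwtExpiration",
             "IDPrimeVirtualAdmin", "IDPrimeVirtualUser", "IdpScope")


def _b64url_decode(value):
    """Decode unpadded base64url, the JWK encoding of n and e."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def signing_keys_from_jwks(jwks):
    """Map every RSA *signature* key of a JWKS onto SigningKeys entries."""
    entries = []
    for key in jwks.get("keys", []):
        # A key without "use" is treated as a signature key (assumption).
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            continue
        entries.append({"IdpPublicKeyModulus": key["n"],
                        "IdpPublicKeyExponent": key["e"],
                        "IdpKeyId": key["kid"]})
    return entries


def build_idp_config(jwks, discovery, client_id, redirect_url, provider="STA"):
    """Assemble the IdP-specific parameters; group lists use explicit names, not '*'."""
    return {
        "IdentityProvider": provider,
        "SigningKeys": signing_keys_from_jwks(jwks),
        "IdpIssuerUrl": discovery["issuer"],   # copied verbatim, never normalised
        "IdpClientId": client_id,
        "IdpRedirectUrl": redirect_url,
        "JwtAdminWhiteList": "",
        "JwtGroupClaim": "Groups",
        "JwtUserClaim": "preferred_username",
        "JwtExpiration": "0000001e",
        "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
        "IDPrimeVirtualUser": "IDPrimeVirtualUser",
        "IDPrimeVirtualProvisioningAdmin": "",
        "OfflineTokenEnabledGroup": "",
        "IdpScope": "openid",
    }


def validate_idp_config(cfg, discovery, min_bits=2048):
    """Return a list of problems; an empty list means the file looks deployable."""
    problems = []
    for name in MANDATORY:
        if not cfg.get(name):
            problems.append(f"{name} is mandatory but missing or empty")
    for name in ("IdpIssuerUrl", "IdpRedirectUrl"):
        if urlparse(cfg.get(name, "")).scheme != "https":
            problems.append(f"{name} must be an https URL")
    # The issuer is matched as an exact string against the token's iss claim.
    if cfg.get("IdpIssuerUrl") != discovery.get("issuer"):
        problems.append("IdpIssuerUrl does not match the issuer in the discovery document")
    for entry in cfg.get("SigningKeys", []):
        kid = entry.get("IdpKeyId") or "<no kid>"
        if kid == "<no kid>":
            problems.append("SigningKeys entry has an empty IdpKeyId")
        try:
            bits = len(_b64url_decode(entry["IdpPublicKeyModulus"])) * 8
            _b64url_decode(entry["IdpPublicKeyExponent"])
        except (KeyError, ValueError, binascii.Error):
            problems.append(f"key {kid}: modulus/exponent is not valid base64url")
            continue
        if bits < min_bits:
            problems.append(f"key {kid}: RSA modulus is only {bits} bits")
    if cfg.get("IdentityProvider") in ("Okta", "PingId") and not cfg.get("RefreshTokenExpirationDuration"):
        problems.append("RefreshTokenExpirationDuration is mandatory for Okta and PingId")
    return problems


if __name__ == "__main__":
    cfg = build_idp_config(SAMPLE_JWKS, SAMPLE_DISCOVERY,
                           client_id="00000000-0000-0000-0000-000000000000",
                           redirect_url="https://idpv.example.com/redirect")
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_idp_config(cfg, SAMPLE_DISCOVERY))
```

Replace the two sample documents with the real ones saved from the certs URL and the well-known configuration URL, and write the printed JSON over the corresponding keys of the sample idp-configuration.json. The validator deliberately compares the issuer byte for byte rather than normalising it, because that is how token validation will compare it later.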
User Logon (Token Policies)
Refer to the parameters of the policy-configuration.json file below and edit them as per the requirement. The policy-configuration.json file is provided in the delivery package supplied with the IDPV solution.
Parameters | Description | Example |
---|---|---|
UserPinPolicy | User PIN policy parameters set by the administrator. MaxRetries: maximum number of wrong PIN attempts after which the user token is locked; only the administrator can unlock the token. IsMustChange: if true, the token user PIN must be changed on the first login. Type: Mandatory | "UserPinPolicy": { "MaxRetries": 5, "IsMustChange": true }, |
AdministratorPinPolicy | Admin PIN policy parameters set by the administrator; MaxRetries and IsMustChange have the same meaning as for UserPinPolicy, applied to the administrator PIN. Type: Mandatory | "AdministratorPinPolicy": { "MaxRetries": 5, "IsMustChange": true }, |
OfflineTokenPolicy | > Offline token policy parameters set by the administrator. > This must be part of the file if you want to enable the offline token feature for the tenant; if it is not passed, the offline feature is disabled. > ValidityDurationInHours: a token may be taken offline for the number of hours given here. If the value is 0, tokens cannot be taken offline. > PrivateKeyExportLevel: currently only the single value ALL is supported. In future versions, the server could segregate imported and generated keys on tokens. Type: Optional. Note: This policy is not supported in KeySecure. | "OfflineTokenPolicy": { "ValidityDurationInHours": 120, "PrivateKeyExportLevel": "ALL" }, |
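The two files interact: whether a given user ends up with online access, admin rights, provisioning rights or offline use depends on the group lists and JwtAdminWhiteList in idp-configuration.json together with OfflineTokenPolicy in policy-configuration.json. The following is an added example, not product code, that models the rules the two tables state (comma-separated group lists, * matching every token including one with no group claim, whitelist matching by username, offline use needing both an OfflineTokenEnabledGroup match and an OfflineTokenPolicy with a non-zero ValidityDurationInHours) so that a configuration can be checked against sample tokens before rollout. Exact, case-sensitive group comparison, the role names, and the shape of the decoded claims are assumptions made here for illustration; the sample configurations and claims are constructed.

```python
"""Model the authorization outcome of idp-configuration.json plus
policy-configuration.json for a decoded, already-verified access token.

Added example (not product code). Matching semantics beyond what the
parameter tables state (case-sensitive comparison, claim layout) are
assumptions.
"""

# Constructed sample configurations, trimmed to the parameters used below.
SAMPLE_IDP_CFG = {
    "JwtGroupClaim": "Groups",
    "JwtUserClaim": "preferred_username",
    "JwtAdminWhiteList": "dbrown",
    "IDPrimeVirtualAdmin": "IDPrimeVirtualAdmin",
    "IDPrimeVirtualUser": "Users,IDPrimeVirtualUser",
    "IDPrimeVirtualProvisioningAdmin": "ProvisioningAdmin",
    "OfflineTokenEnabledGroup": "IDPrimeVirtualUser",
}
SAMPLE_POLICY_CFG = {
    "UserPinPolicy": {"MaxRetries": 5, "IsMustChange": True},
    "AdministratorPinPolicy": {"MaxRetries": 5, "IsMustChange": True},
    "OfflineTokenPolicy": {"ValidityDurationInHours": 120, "PrivateKeyExportLevel": "ALL"},
}


def group_list(value):
    """Split a comma-separated group parameter; missing, null or empty means no groups."""
    if not value:
        return []
    return [g.strip() for g in value.split(",") if g.strip()]


def group_matches(configured, token_groups):
    """True if any token group is in the configured list, or the list holds "*".

    "*" matches even when the token carries no group claim at all, which is
    why it gives unrestricted access when used for IDPrimeVirtualUser or
    OfflineTokenEnabledGroup.
    """
    allowed = group_list(configured)
    if "*" in allowed:
        return True
    if token_groups is None:
        return False
    # Assumption: the group claim is a single string or a list of strings.
    if isinstance(token_groups, str):
        token_groups = [token_groups]
    return any(g in allowed for g in token_groups)


def offline_enabled(policy_cfg):
    """Offline use is off unless OfflineTokenPolicy is present with validity > 0."""
    policy = policy_cfg.get("OfflineTokenPolicy") or {}
    return policy.get("ValidityDurationInHours", 0) > 0


def effective_roles(idp_cfg, policy_cfg, claims):
    """Return the set of roles the token holder would be granted."""
    username = claims.get(idp_cfg["JwtUserClaim"])
    groups = claims.get(idp_cfg["JwtGroupClaim"])
    roles = set()
    if group_matches(idp_cfg.get("IDPrimeVirtualUser"), groups):
        roles.add("user")
    if group_matches(idp_cfg.get("IDPrimeVirtualAdmin"), groups):
        roles.add("admin")
    # JwtAdminWhiteList grants admin by username, independent of groups.
    if username and username in group_list(idp_cfg.get("JwtAdminWhiteList")):
        roles.add("admin")
    if group_matches(idp_cfg.get("IDPrimeVirtualProvisioningAdmin"), groups):
        roles.add("provisioning-admin")
    # Offline needs the tenant policy AND the group grant; either alone is not enough.
    if offline_enabled(policy_cfg) and group_matches(idp_cfg.get("OfflineTokenEnabledGroup"), groups):
        roles.add("offline")
    return roles


def lint_group_config(idp_cfg):
    """Flag "*" in any group list, where it disables the group check entirely."""
    warnings = []
    for name in ("IDPrimeVirtualUser", "IDPrimeVirtualAdmin",
                 "IDPrimeVirtualProvisioningAdmin", "OfflineTokenEnabledGroup"):
        if "*" in group_list(idp_cfg.get(name)):
            warnings.append(f"{name} contains '*': every token from this IDP matches, "
                            "even one with no group claim")
    return warnings


if __name__ == "__main__":
    # Constructed claims from a decoded access token.
    claims = {"preferred_username": "jsmith", "Groups": ["IDPrimeVirtualUser"]}
    print(sorted(effective_roles(SAMPLE_IDP_CFG, SAMPLE_POLICY_CFG, claims)))
    print(lint_group_config(dict(SAMPLE_IDP_CFG, IDPrimeVirtualUser="*")))
```

Run it against the real files with the claims of a few representative tokens (a plain user, an administrator, a user with no group claim at all) and confirm that the last one receives no roles; if it receives "user" or "offline", a group list contains * and should be replaced by explicit group names before the tenant goes live.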