Realm Configuration
A realm manages a set of users, credentials, roles, and groups. Realms are isolated from one another, and each realm can only manage and authenticate the users under its own control.
The realm can be configured in either of two ways:
Manual Configuration of the realm
Perform the following steps to configure the realm using the SafeNetOTPRealm.json file and the Keycloak Admin UI for a deployment based on SAS PCE or the STA Hybrid Access Management Add-On:
- Log in to the Keycloak Admin UI as an Administrator user (created in Prerequisites).
- In the left pane, click Add realm.
- Select the SafeNetOTPRealm.json file using the Select file button, specify the realm name in the Name field, and click Create.
- The realm is created with three SafeNet OTP Authentication Flows: SafeNet OTP Flow, SafeNet OTP UserId Provided Flow and SafeNet LDAP OTP Flow.
To verify, navigate to the Authentication setting in the left pane and confirm that the three SafeNet Authentication flows appear in the drop-down list at the top left.
- To configure the default authentication flow (SafeNet OTP Flow), select Config from the Actions drop-down list on the right. This opens the SasAuthenticationConfig configuration page, which is a sub-execution of SafeNet OTP Flow Forms.
- Enter the following details.
This configuration is mandatory for all the SafeNet OTP Authentication Flows.
Token Validator URL
http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>
- To find the OrgCode, go to the SAS console.
- Navigate to the Comms tab of the required Virtual Server to get the organization code for the Token Validator URL.
These settings can be found under Authentication Processing > Authentication Agent Settings.
These settings are only visible on SafeNet Authentication Service PCE v3.13 and above.
Agent BSID Key
Path of the Agent.bsidkey file, or the content of Agent.bsidkey
- In the SAS console, navigate to the Comms tab of the required Virtual Server to download the Agent BSID Key.
- Navigate to Authentication Processing > Authentication Agent Settings. Click Download to download the agent.bsidkey file.
OTP Auto Trigger Enabled (Optional)
Toggle this setting to enable or disable the automatic triggering of the OTP. If enabled, an OTP challenge is automatically triggered for the user's enrolled token.
User Id Mapper Field (Optional)
This field is used in combination with the LDAP User Provider. It allows a different user attribute to be sent as the UserName to SafeNet Authentication Service. The field value is the name of an LDAP Mapper. If the field value is not defined, the default UserName from the request is sent to SafeNet Authentication Service.
Configuration with SafeNetOTPRealm.json
Perform the following steps to add the configuration values to the JSON file:
- Edit SafeNetOTPRealm.json using a text editor.
- Search for the agent.bsidkey key.
Set the value to either the path of the agent.bsidkey file, for example C:\\Downloads\\agent.bsidkey, or the content of the agent.bsidkey file: <content-of-agent.bsidkey-file>. For more details, refer to the Agent BSID Key section.
- Search for the tokenvalidator.url key.
Set the value to the Token Validator URL, including the organization code, for example tokenvalidator.url: http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>. For more details, refer to the Organization Code Details section.
- Search for the user.id.mapper key.
Set the value of User Id Mapper to the name of the LDAP Mapper defined for the required attribute. Refer to the Custom LDAP Mapper section.
On Windows, when copying a path into the JSON file, make sure to use "\\" instead of "\" in the path to adhere to the JSON syntax. For example, if the path is C:\Agent.bsidkey, then use C:\\Agent.bsidkey.
- Log in to the Keycloak Admin UI as an Administrator user (created in Prerequisites).
- Save the SafeNetOTPRealm.json file on a path other than the package location (recommended).
- In the left pane, click Add realm.
- Select the SafeNetOTPRealm.json file using the Select file button, specify the realm name in the Name field, and click Create.
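The script below is an added example, not part of the SafeNet agent package or the product documentation. It fills the three settings (agent.bsidkey, tokenvalidator.url, user.id.mapper) into a parsed realm export and checks them before import: the Token Validator URL must carry a non-empty orgCode and end in /TokenValidator/TokenValidator.asmx, and the agent.bsidkey value must be present. Serialising with json.dumps also produces the doubled backslashes the Windows note above requires, so the path never has to be escaped by hand. The layout of the export (an authenticatorConfig entry with alias SasAuthenticationConfig holding a flat config object) is an assumption for this example; adjust CONFIG_ALIAS and the key names to match the real SafeNetOTPRealm.json. The host name, organization code and mapper name in the sample are constructed values.

```python
import copy
import json
from urllib.parse import parse_qs, urlparse

# Assumed alias of the authenticator config entry that holds the SafeNet
# settings; the guide names the page "SasAuthenticationConfig", but how the
# export keys it is an assumption of this example.
CONFIG_ALIAS = "SasAuthenticationConfig"
KEY_BSIDKEY = "agent.bsidkey"
KEY_URL = "tokenvalidator.url"
KEY_MAPPER = "user.id.mapper"
VALIDATOR_PATH = "/TokenValidator/TokenValidator.asmx"

# Constructed stand-in for SafeNetOTPRealm.json (layout assumed, not copied).
SAMPLE_REALM = {
    "realm": "safenet-demo",
    "authenticatorConfig": [
        {"alias": CONFIG_ALIAS,
         "config": {KEY_BSIDKEY: "", KEY_URL: "", KEY_MAPPER: ""}},
    ],
}


def find_config(realm):
    """Return the config dict of the SafeNet authenticator entry, or None."""
    for entry in realm.get("authenticatorConfig", []):
        if entry.get("alias") == CONFIG_ALIAS:
            return entry.setdefault("config", {})
    return None


def url_problems(url):
    """Check a Token Validator URL against the form given in the guide."""
    problems = []
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host")
    if not parts.path.endswith(VALIDATOR_PATH):
        problems.append("path must end with " + VALIDATOR_PATH)
    if not parse_qs(parts.query).get("orgCode", [""])[0]:
        problems.append("orgCode query parameter is missing or empty")
    return problems


def bsidkey_kind(value):
    """Classify the agent.bsidkey value as a file path or inline key content."""
    if not value:
        raise ValueError("agent.bsidkey must not be empty")
    return "path" if value.lower().endswith(".bsidkey") else "content"


def configure_realm(realm, bsidkey, token_validator_url, user_id_mapper=""):
    """Validate the inputs and write them into the parsed realm (in place)."""
    config = find_config(realm)
    if config is None:
        raise KeyError("no authenticatorConfig entry with alias " + CONFIG_ALIAS)
    problems = url_problems(token_validator_url)
    if problems:
        raise ValueError("; ".join(problems))
    bsidkey_kind(bsidkey)  # raises on an empty value
    config[KEY_BSIDKEY] = bsidkey
    config[KEY_URL] = token_validator_url
    config[KEY_MAPPER] = user_id_mapper
    return realm


def render(realm):
    """Serialise the realm; json.dumps doubles every backslash in a Windows
    path, which is exactly the escaping the guide asks for."""
    return json.dumps(realm, indent=2)


def load_config(text):
    """Parse a realm export and return the SafeNet config dict (or None)."""
    return find_config(json.loads(text))


def check_realm_text(text):
    """Report configuration problems found in a serialised realm export."""
    config = load_config(text)
    if config is None:
        return ["no authenticatorConfig entry with alias " + CONFIG_ALIAS]
    problems = url_problems(config.get(KEY_URL, ""))
    if not config.get(KEY_BSIDKEY):
        problems.append("agent.bsidkey is empty")
    return problems


def configure_sample(bsidkey, token_validator_url, user_id_mapper=""):
    """Fill a copy of the constructed sample and return it as JSON text."""
    realm = configure_realm(copy.deepcopy(SAMPLE_REALM), bsidkey,
                            token_validator_url, user_id_mapper)
    return render(realm)


if __name__ == "__main__":
    text = configure_sample(
        r"C:\Downloads\agent.bsidkey",  # constructed Windows path
        "https://sas.example.com:443/TokenValidator/TokenValidator.asmx?orgCode=EXAMPLEORG",
        "ldap-uid-mapper")  # constructed LDAP mapper name
    print(text)
    print("problems:", check_realm_text(text))
```

Run the script once with the real export loaded from disk in place of SAMPLE_REALM; an empty problem list means the file is ready for the Add realm import step.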
SafeNet Authentication Flow
SafeNet Agent for Keycloak provides the SAS Authentication flows listed below. Select the flow that best fits your integration.
SafeNet OTP Flow (Default Flow)
Ideal for integrations where the password (first factor) authentication is done at the Service Provider (or Application) and only the second-factor OTP authentication is needed at the Keycloak Identity Provider.
- The Service Provider (or Application) authenticates the password as the first factor against its user or domain password before reaching Keycloak.
- Keycloak presents the User Name form (the User Name is auto-filled from the request, if available).
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service (follow the steps in the Realm Configuration section).
SafeNet OTP UserId Provided Flow
Ideal for the same integrations as “SafeNet OTP Flow”, where you wish to skip the User Name prompt at Keycloak. The User Name is extracted from the request and the browser is taken directly to the final OTP prompt page.
- The Service Provider (or Application) authenticates the password as the first factor against its user or domain password before reaching Keycloak.
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service (follow the steps in the Realm Configuration section).
SafeNet LDAP OTP Flow
Ideal for integrations where you want to handle both factors of the 2FA (Password + OTP) at the Keycloak Identity Provider.
- The Keycloak LDAP User Federation provider authenticates the password as the first factor against the domain password.
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service (follow the steps in the Realm Configuration section).
Default Authentication Flow changes for the realm
When Custom Federation is configured with SAS User Federation, LDAP authentication only works if the user was synchronized using the SafeNet Authentication Service Synchronization Agent with Enable Password Synchronization enabled.
Authentication Flow Overrides
The authentication flow can be overridden at the Client level.
Multi-tenant Support
To achieve multi-tenancy in Keycloak, create a separate realm for each tenant. With multi-tenant support, you can authenticate users against different SAS tenants. Perform the same realm-creation steps as defined above for the new tenant, and define the configuration details for the SAS Virtual Server that corresponds to it.
A different Agent BSID Key and Token Validator URL must be provided for each Virtual Server.