Realm Creation and Authentication Flow

A realm manages a set of users, credentials, roles, and groups. Each realm is isolated from one another and can only manage and authenticate the users under their control.

The realm is configured in two ways:

• Manually configure the realm by populating different UI fields

• Import all required configuration from SafeNetOTPRealm.json

Manual Configuration of the realm

Perform the steps below to configure the realm using the SafeNetOTPRealm.json and the SafeNet Access Exchange Admin UI for SAS PCE and STA Hybrid Access Management Add-On based deployment:

1. Log in to the SafeNet Access Exchange Admin UI as an Administrator user (created in Installation).

2. In the left pane, click Create realm.

   

3. Browse the required json file, specify the realm name, and click Create.

   The realm is created with four SafeNet OTP Authentication Flows: SafeNet OTP Flow, SafeNet OTP UserId Provided Flow, SafeNet LDAP OTP Flow, and SafeNet OTP LDAP Flow.

4. Navigate to the Authentication setting in the left pane, then verify and validate the flows that appear in the list.

5. Select the SafeNet OTP Flow and click the Setting icon at the bottom-right of the page, as highlighted in the figure below:

   

6. A pop-up is displayed, enter the details and click Save.

   

   This configuration is required for all SafeNet OTP Authentication flows.

Token Validator URL

http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>

1. To find OrgCode details, go to the SAS console.

2. Navigate to the Comms tab in the required Virtual Server to get the organization code for the token validator url.

   

   These settings can be found under the Authentication Processing > Authentication Agent Settings.

   

   These settings are only visible on SafeNet Authentication Service PCE v3.13 and above.

Agent BSID Key

Path of Agent.bsidkey file or Content of Agent.bsidkey

1. In the SAS console, navigate to the Comms tab in the required Virtual Server to download the Agent BSID Key.

2. Navigate to the Authentication Processing > Authentication Agent Settings. Click Download to download the agent.bsidkey file.

   

OTP Auto Trigger Enabled (Optional)

Toggle this setting to enable/disable the auto trigger of OTP. If enabled the challenge automatically generates the enrolled token.

User Id Mapper Field (Optional)

This field is used in combination with LDAP User Provider. It is used to send different user attribute as a UserName to SafeNet Authentication Service. The field value is named upon any LDAP Mapper. If the field value is not defined, default UserName from the request is sent to SafeNet Authentication Service.

Configuration with SafeNetOTPRealm.json

Perform the below steps to add configuration values in the json file:

1. Edit SafeNetOtpRealm.json using a text editor.

   1. Search for the agent.bsidkey key.
      Set the path of the agent.bsidkey file to C:\\Downloads\\agent.bsidkey or content of the agent.bsidkey file: <content-of-agent.bsidkey-file>.

      For more details, refer to the agent.bsidkey section.

   2. Search for tokenvalidator.url key.
      Set the value of TokenValidator URL, with organization code. For more details, refer to the Organization Code Details section. tokenvalidator.url: http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>

   3. Search for user.id.mapper key.
      Set the value of User Id Mapper with name of defined LDAP Mapper for the required attribute.

   4. For details, refer to the Custom LDAP Mapper section.

   In Windows, while copying the path in json, make sure to use "\\" instead of "\" in the path to adhere to the json syntax. For example, if the path is C:\Agent.bsidkey then use C:\\Agent.bsidkey.

2. Log in to the Access Exchange Admin UI as an Administrator user (created in Installation).

   Save the SafeNetOTPRealm.json on a different path, other than the package location (recommended).

3. In the left pane, click Create realm.

4. Browse the required json file, specify the realm name, and click Create.

SafeNet Authentication Flow

SafeNet Access Exchange provides SAS Authentication flow. You can select a flow that works best for you.

SafeNet OTP Flow (Default Flow)

Ideal for the integrations, where password or first factor authentication is done at the Service Provider (or Application) and you just need the second factor OTP authentication at the Access Exchange Identity Provider.

1. Service Provider (or Application) authenticates Password as first factor with its User or Domain password before reaching to Access Exchange.

2. Navigate to User Name form presented by Access Exchange. (User Name is auto-filled, from the request, if available).

3. SafeNet Authentication form presented by Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

   

SafeNet OTP UserId Provided Flow

Ideal for the integrations same as “SafeNet OTP Flow” where you wish to skip User Name prompt at the SafeNet Access Exchange. User Name is extracted from the request and browser request navigates to the final OTP prompt page.

1. Service Provider (or Application) authenticates Password as first factor with its User or Domain password before reaching to SafeNet Access Exchange.

2. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

   

SafeNet LDAP OTP Flow

Ideal for the integrations where you want to handle the 2FA (Password + OTP) at the SafeNet Access Exchange Identity Provider.

1. SafeNet Access Exchange LDAP User Federation provider authenticates Password as first factor with Domain password.

2. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

   

SafeNet OTP LDAP Flow

Ideal for the integrations where you want to handle the 2FA (OTP + Password ) at the SafeNet Access Exchange Identity Provider.

1. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates the OTP as first factor with SafeNet Authentication Service. (Follow the steps from Realm Configuration section).

2. SafeNet Access Exchange LDAP User Federation provider authenticates password as second factor with Domain password.

   

For Existing Realms, a new workflow for SafeNet OTP LDAP Flow can be added by following the below steps:

1. Log in to SafeNet Access Exchangek Admin console.

2. In the left pane, select your desired realm.

3. In the left pane, click Authentication and under the Flows tab, select the SafeNet LDAP OTP Flow.

4. From the Action drop-down, select Duplicate to copy the flow.

   

5. In the Duplicate Flow window, enter the relevant details and click Duplicate.

6. In the Authentication Flow details, ensure SafeNet OTP LDAP Flow is selected, click the Add icon.

   The Add step to SafeNet OTP LDAP Flow pop-up window is displayed.

   

7. Search for the Username Form, select it from the provided options, and click Add.

8. Now, manually rearrange /move the Username Form and Username Password Form in the order as shown below:

   

Default Authentication Flow changes for realm

Authentication Flow Overrides

Authentication flow is overridden at the Client level.

Multi-tenant Support

To achieve multi-tenancy in SafeNet Access Exchange, you need to create different realms. Within Multi-tenant support, you can enable user authentication with different SAS tenants. You can perform the same steps as defined above for realm creation for the new tenant and define the configuration details for the Virtual Server respective to SAS.

For each Virtual Server, different Agent BSID Key and Token Validator URL has to be provided.