User Federation Setup
Once the realm is configured, the next step is to configure the users for the realm.
In the SafeNet Access Exchange realm, you can federate multiple LDAP servers. Federation allows mapping of LDAP user attributes to the SafeNet Access Exchange common user model. By default, it maps username, email, first name, and last name, but you can configure additional mappings as well.
To configure User Federation setup:
- Navigate to the SafeNet Access Exchange UI Admin Console.
- Click User Federation setting in the left pane.
- The User Federation configuration page is displayed.
- User Federation can be configured through LDAP User Federation or SAS User Federation. Choose either configuration.
Configure LDAP User Federation
SafeNet Access Exchange comes with a built-in LDAP/AD provider. The LDAP provider also supports password validation through LDAP/AD protocols.
System diagram for LDAP User Federation
To configure a federated LDAP:
- Navigate to the SafeNet Access Exchange UI Admin Console.
- Click User Federation setting in the left pane.
- The User Federation configuration page is displayed. Select ldap from the Add Provider drop-down list. The LDAP configuration page opens.
The following example shows sample settings for a User Federation configuration with Active Directory.
If you enable the Import Users option, the LDAP provider automatically synchronizes the needed LDAP users. It is important to configure the Sync settings. For more details, refer to Sync of LDAP users to SafeNet Access Exchange.
Sync Settings
In SafeNet Access Exchange LDAP federation, the user must exist in SafeNet Access Exchange (through LDAP federation) as well as in SAS.
Custom LDAP Mapper
LDAP Mappers sync additional LDAP user attributes with SafeNet Access Exchange user attributes. SafeNet Access Exchange user attributes can also be used in the Authentication flow: to pass a different attribute as the User Name, or as additional return attributes or mappers for the authentication flow.
Configure SAS User Federation
SafeNet Access Exchange can retrieve all user information it requires from the SAS PCE. The user can authenticate either with their SAS userid or with any of the aliases configured in SAS.
System diagram for SAS User Federation
There are two ways to configure SAS User Federation:
- SafeNet Access Exchange Admin Console UI
- Realm JSON File (SafeNetOtpRealm.json)
Set up SAS User Federation via SafeNet Access Exchange Admin Console UI
Follow the steps to provide settings from SafeNet Access Exchange Admin Console UI:
- In the left pane, select the User Federation tab and click the Add Sas-user-provider option.
If any other Federation is already configured, the drop-down appears on the left side.
- Enter the required values and click Save. Values for these fields are found using the steps provided in the next section.
Set up SAS User Federation via Realm JSON file
The agent.bsidkey and sas.api.jwt.token should each be copied into a file, and the file path provided in the settings below, because the values of agent.bsidkey and sas.api.jwt.token are long and cannot be entered directly in SafeNet Access Exchange.
For Windows, while copying the file paths into the JSON, comply with JSON syntax by using "\\" instead of "\" in the path.
- Provide the values for Agent Bsid Key, Token Validator URL, SAS API Base URL, Org Code, SAS API JWT Token and OTP Auto Trigger Enabled in the realm JSON file (SafeNetOtpRealm.json). Values for these fields can be found using the steps provided in the section below.
otp.autotrigger.enabled is an optional field. If set to true, the challenge for the enrolled token is triggered automatically.
- Use the above realm JSON file (SafeNetOtpRealm.json) to create a new realm in SafeNet Access Exchange.
- Select the saved file SafeNetOtpRealm.json.
- Provide an appropriate name for the realm and click the Create button to create a new realm.
- To enable SAS User Federation for this realm, in the left pane, select the User Federation tab and click the sas-user-provider option.
- Click Save to save the settings that are already provided in the realm JSON file (SafeNetOtpRealm.json).
Settings provided in the SafeNet Access Exchange Admin UI override the settings from the realm JSON file (SafeNetOtpRealm.json).
SAS Configuration Settings used in SafeNet Access Exchange
Follow the steps below to find values for Agent BSID Key, Token Validator URL, SAS API Base URL, Org Code, and SAS API JWT Token:
Agent BSID Key and Token Validator URL can be found by the following steps. (These settings are already part of the Administrator Guide.)
- Go to Virtual Server tab > Comms > Authentication Processing > Authentication Agent Settings.
- Click the Download button to download the Agent BSID Key.
- Copy the Token Validator URL as shown below.
SAS API JWT Token can be found by the following steps. (This setting is not part of the Administrator Guide.)
- Go to System tab → Setup → Agent Communication with JWT token.
- Go to Enable → Generate, and copy the generated JWT by clicking Apply.
Org Code is taken from the Token Validator URL as highlighted below.
SAS API Base URL can be prepared as given below:
http(s)://<SAS IP>/SAS
<SAS IP> can also be the hostname of the SAS server.
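As an added example (not from the SafeNet documentation), the following Python helper assembles the SAS User Federation settings described in the Realm JSON section and the SAS API Base URL above, and checks the two secret files before the realm is imported. The key names agent.bsidkey, sas.api.jwt.token and otp.autotrigger.enabled come from this page; the base-URL key name, the fragment layout and the POSIX permission check are assumptions.

```python
import json
import os
import stat


def sas_api_base_url(sas_host: str, https: bool = True) -> str:
    """Build the SAS API Base URL in the form http(s)://<SAS IP>/SAS.
    <SAS IP> may be an IP address or the hostname of the SAS server."""
    scheme = "https" if https else "http"
    return f"{scheme}://{sas_host.strip().strip('/')}/SAS"


def json_path_literal(path: str) -> str:
    """Render a file path as a JSON string literal. json.dumps doubles every
    backslash, so a Windows path lands in the file as C:\\dir\\file, which is
    exactly the escaping the docs require; no hand-editing of the path."""
    return json.dumps(path)


def check_secret_file(path: str) -> list[str]:
    """Return problems with a file holding agent.bsidkey or the SAS JWT.
    Assumption: POSIX mode bits; on Windows inspect the file ACL instead."""
    if not os.path.isfile(path):
        return ["missing"]
    problems = []
    if os.path.getsize(path) == 0:
        problems.append("empty")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others")
    return problems


def sas_federation_config(bsidkey_path: str, jwt_path: str, sas_host: str,
                          otp_autotrigger: bool = False) -> dict:
    """Provider settings as key/value pairs. The first three key names are
    from the docs; "sas.api.base.url" is an assumed name for illustration."""
    return {
        "agent.bsidkey": bsidkey_path,      # path to the file holding the key
        "sas.api.jwt.token": jwt_path,      # path to the file holding the JWT
        "otp.autotrigger.enabled": "true" if otp_autotrigger else "false",
        "sas.api.base.url": sas_api_base_url(sas_host),   # assumed key name
    }


def validate_fragment(fragment_text: str) -> dict:
    """Parse a realm JSON fragment and check both secret files it points to,
    so a missing, empty or over-exposed file is caught before realm import."""
    cfg = json.loads(fragment_text)
    keys = ("agent.bsidkey", "sas.api.jwt.token")
    return {k: check_secret_file(cfg[k]) for k in keys}
```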