Realm Configuration
A realm manages a set of users, credentials, roles, and groups. Each realm is isolated from the others and can only manage and authenticate the users under its control.
The realm can be configured in either of two ways:
Manual Configuration of the realm
Perform the steps below to configure the realm using the SafeNetOTPRealm.json and the Keycloak Admin UI for SAS PCE and STA Hybrid Access Management Add-On based deployment:
- Log in to the Keycloak Admin UI as an Administrator user (created in Prerequisites).
- In the left pane, click Create realm.
- Browse the required json file, specify the realm name, and click Create.
  The realm is created with four SafeNet OTP Authentication Flows: SafeNet OTP Flow, SafeNet OTP UserId Provided Flow, SafeNet LDAP OTP Flow, and SafeNet OTP LDAP Flow.
- Navigate to the Authentication setting in the left pane, then verify and validate the flows that appear in the list.
- Select the SafeNet OTP Flow and click the Setting icon at the bottom-right of the page, as highlighted in the figure below:
- A pop-up is displayed; enter the details and click Save.
This configuration is required for all SafeNet OTP Authentication flows.
Token Validator URL
http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>
- To find the OrgCode details, go to the SAS console.
- Navigate to the Comms tab in the required Virtual Server to get the organization code for the token validator URL.
These settings can be found under the Authentication Processing > Authentication Agent Settings.
These settings are only visible on SafeNet Authentication Service PCE v3.13 and above.
Agent BSID Key
Path of Agent.bsidkey file or Content of Agent.bsidkey
- In the SAS console, navigate to the Comms tab in the required Virtual Server to download the Agent BSID Key.
- Navigate to Authentication Processing > Authentication Agent Settings. Click Download to download the agent.bsidkey file.
OTP Auto Trigger Enabled (Optional)
Toggle this setting to enable or disable the automatic triggering of the OTP. If enabled, the challenge is automatically generated for the user's enrolled token.
User Id Mapper Field (Optional)
This field is used in combination with the LDAP User Provider. It sends a different user attribute as the UserName to SafeNet Authentication Service. The field value is the name of an LDAP Mapper. If the field value is not defined, the default UserName from the request is sent to SafeNet Authentication Service.
Configuration with SafeNetOTPRealm.json
Perform the below steps to add configuration values in the json file:
- Edit SafeNetOTPRealm.json using a text editor.
- Search for the agent.bsidkey key.
  Set the path of the agent.bsidkey file to C:\\Downloads\\agent.bsidkey or the content of the agent.bsidkey file: <content-of-agent.bsidkey-file>. For more details, refer to the agent.bsidkey section.
- Search for the tokenvalidator.url key.
  Set the value of the TokenValidator URL, including the organization code. For more details, refer to the Organization Code Details section. tokenvalidator.url: http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>
- Search for the user.id.mapper key.
  Set the value of User Id Mapper to the name of the defined LDAP Mapper for the required attribute. For details, refer to the Custom LDAP Mapper section.
  In Windows, while copying the path into the json, make sure to use "\\" instead of "\" in the path to adhere to the json syntax. For example, if the path is C:\Agent.bsidkey, then use C:\\Agent.bsidkey.
- Log in to the Keycloak Admin UI as an Administrator user (created in Prerequisites).
- Save the SafeNetOTPRealm.json on a different path, other than the package location (recommended).
- In the left pane, click Create realm.
- Browse the required json file, specify the realm name, and click Create.
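The edit-and-check procedure above, as an added example that is not part of the SafeNet Agent for Keycloak package: a small Python script that writes the agent.bsidkey, tokenvalidator.url and user.id.mapper values into a realm export such as SafeNetOTPRealm.json, lets json.dumps produce the "\\" form that Windows paths need, and flags the mistakes a practitioner most often makes before the file is imported (a plain-http token validator URL, an orgCode left as the <OrgCode> placeholder, an empty key, or a key path that does not exist on the host). It assumes only that the three keys sit in some "config" dictionary of the realm JSON (in a Keycloak realm export that is the authenticatorConfig section), so it walks the whole document instead of relying on a fixed nesting; the sample realm, the host name sas.example.test, the org code ACME01 and the mapper name ldap-sAMAccountName are constructed placeholders.

```python
"""Patch a Keycloak realm export (e.g. SafeNetOTPRealm.json) with the SafeNet
OTP configuration values and sanity-check them before import.

Added example, not part of the SafeNet Agent for Keycloak package.
Assumption: agent.bsidkey, tokenvalidator.url and user.id.mapper live in some
"config" dict of the realm JSON, so the script walks the whole document.
The sample realm and every host name / org code below are constructed."""
import json
import os
from urllib.parse import parse_qs, urlparse

SAFENET_KEYS = ("agent.bsidkey", "tokenvalidator.url", "user.id.mapper")
VALIDATOR_PATH = "/TokenValidator/TokenValidator.asmx"


def build_sample_realm():
    """Constructed minimal realm export with one SafeNet authenticator config."""
    return {
        "realm": "safenet-demo",
        "authenticatorConfig": [
            {"alias": "safenet-otp-config", "config": {k: "" for k in SAFENET_KEYS}}
        ],
    }


def iter_safenet_configs(node):
    """Yield every dict in the realm JSON that carries any of the SafeNet keys."""
    if isinstance(node, dict):
        if any(k in node for k in SAFENET_KEYS):
            yield node
        for value in node.values():
            yield from iter_safenet_configs(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_safenet_configs(value)


def validate_token_validator_url(url):
    """Return a list of findings; an empty list means the URL is acceptable."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("tokenvalidator.url does not use https; OTP requests would cross the network unprotected")
    if not parsed.path.endswith(VALIDATOR_PATH):
        findings.append("tokenvalidator.url path is not " + VALIDATOR_PATH)
    org_code = parse_qs(parsed.query).get("orgCode", [""])[0]
    if not org_code or org_code.startswith("<"):
        findings.append("orgCode query parameter is missing or still a placeholder")
    return findings


def bsidkey_source(value):
    """Classify agent.bsidkey: 'missing', a 'file' on this host, or 'inline' content."""
    if not value:
        return "missing"
    if os.path.isfile(value):
        return "file"
    return "inline"


def set_safenet_config(realm, bsidkey, validator_url, user_id_mapper=""):
    """Write the three values into every SafeNet config dict; return how many were updated."""
    configs = list(iter_safenet_configs(realm))  # materialise before mutating
    for cfg in configs:
        cfg["agent.bsidkey"] = bsidkey
        cfg["tokenvalidator.url"] = validator_url
        # Empty mapper: the default UserName from the request is sent to SAS.
        cfg["user.id.mapper"] = user_id_mapper
    return len(configs)


def check_realm(realm):
    """Collect findings for every SafeNet config dict in the realm."""
    findings = []
    for cfg in iter_safenet_configs(realm):
        findings.extend(validate_token_validator_url(cfg.get("tokenvalidator.url", "")))
        key = cfg.get("agent.bsidkey", "")
        source = bsidkey_source(key)
        if source == "missing":
            findings.append("agent.bsidkey is empty")
        elif source == "inline" and key.lower().endswith(".bsidkey"):
            findings.append("agent.bsidkey looks like a file path but no such file exists on this host")
    return findings


def render_realm(realm):
    # json.dumps escapes backslashes itself: the in-memory Windows path
    # C:\Downloads\agent.bsidkey is written to the file as C:\\Downloads\\agent.bsidkey,
    # which is the form the JSON syntax requires.
    return json.dumps(realm, indent=2)


def patch_realm_file(src_path, dst_path, bsidkey, validator_url, user_id_mapper=""):
    """Read src_path, apply the values, write dst_path; return (updated, findings)."""
    with open(src_path, encoding="utf-8") as fh:
        realm = json.load(fh)
    updated = set_safenet_config(realm, bsidkey, validator_url, user_id_mapper)
    findings = check_realm(realm)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(render_realm(realm))
    return updated, findings


if __name__ == "__main__":
    demo = build_sample_realm()
    set_safenet_config(demo, r"C:\Downloads\agent.bsidkey",
                       "http://sas.example.test:8080" + VALIDATOR_PATH + "?orgCode=<OrgCode>",
                       "ldap-sAMAccountName")
    for finding in check_realm(demo):
        print("finding:", finding)
    print(render_realm(demo))
```

Run it against a copy of the realm file saved outside the package location, as the steps above recommend, and fix every finding before clicking Create realm; the script never prints the key material itself, only whether a value is present and, for a path, whether the file can be found.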
SafeNet Authentication Flow
SafeNet Agent for Keycloak provides the following SAS Authentication flows. Select the flow that works best for your integration.
SafeNet OTP Flow (Default Flow)
Ideal for integrations where the password or first-factor authentication is done at the Service Provider (or Application) and you only need the second-factor OTP authentication at the Keycloak Identity Provider.
- The Service Provider (or Application) authenticates the password as the first factor with its user or domain password before reaching Keycloak.
- The user is taken to the User Name form presented by Keycloak. (The User Name is auto-filled from the request, if available.)
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service. (Follow the steps from the Realm Configuration section.)
SafeNet OTP UserId Provided Flow
Ideal for the same integrations as the "SafeNet OTP Flow" where you wish to skip the User Name prompt at Keycloak. The User Name is extracted from the request and the browser request goes directly to the final OTP prompt page.
- The Service Provider (or Application) authenticates the password as the first factor with its user or domain password before reaching Keycloak.
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service. (Follow the steps from the Realm Configuration section.)
SafeNet LDAP OTP Flow
Ideal for integrations where you want to handle the 2FA (Password + OTP) at the Keycloak Identity Provider.
- The Keycloak LDAP User Federation provider authenticates the password as the first factor with the domain password.
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the second factor with SafeNet Authentication Service. (Follow the steps from the Realm Configuration section.)
SafeNet OTP LDAP Flow
Ideal for integrations where you want to handle the 2FA (OTP + Password) at the Keycloak Identity Provider.
- The SafeNet Authentication form presented by Keycloak authenticates the OTP as the first factor with SafeNet Authentication Service. (Follow the steps from the Realm Configuration section.)
- The Keycloak LDAP User Federation provider authenticates the password as the second factor with the domain password.
For existing realms, a new workflow for the SafeNet OTP LDAP Flow can be added by following the steps below:
- Log in to the Keycloak Admin console.
- In the left pane, select your desired realm.
- In the left pane, click Authentication and, under the Flows tab, select the SafeNet LDAP OTP Flow.
- From the Action drop-down, select Duplicate to copy the flow.
- In the Duplicate Flow window, enter the relevant details and click Duplicate.
- In the Authentication Flow details, ensure SafeNet OTP LDAP Flow is selected and click the Add icon.
  The Add step to SafeNet OTP LDAP Flow pop-up window is displayed.
- Search for the Username Form, select it from the provided options, and click Add.
- Now manually rearrange (move) the Username Form and Username Password Form into the order shown below:
Default Authentication Flow changes for realm
Note
When Custom Federation is configured with SAS User Federation, LDAP Authentication only works if the user is synchronized using the SafeNet Authentication Service Synchronization Agent with Enable Password Synchronization enabled.
Authentication Flow Overrides
The authentication flow can be overridden at the Client level.
Multi-tenant Support
To achieve multi-tenancy in Keycloak, you need to create different realms. With multi-tenant support, you can enable user authentication against different SAS tenants. Perform the same realm-creation steps described above for the new tenant, and define the configuration details for the Virtual Server corresponding to that SAS tenant.
For each Virtual Server, a different Agent BSID Key and Token Validator URL have to be provided.