IMPORTANT: The HTTPS Options policy is not available in the Advanced Authentication as a Service (SaaS) version.
In this policy, you can configure settings to ensure that the appliance is safe from security vulnerabilities.
This policy allows you to configure the following settings:
: This option is disabled by default to prevent security vulnerabilities and to keep the connection between the server and the web portals, such as Helpdesk and Self-Service, secure. It is recommended to keep the default setting because TLS 1.1 is considered an unsafe protocol. In some scenarios, you can enable the option to support older browser versions.
: This option allows you to enable Client SSL so that users can authenticate to any web environment using the details available in the client SSL certificate. This option is used for virtual smart card support in the PKI method. Client SSL also ensures the privacy of data transmitted to the server.
When this option is set to, a user must use the PKI device to authenticate to any device or web service.
When this option is set to, the following settings are displayed:
: This setting allows you to upload the CA certificate that is required to validate the client SSL certificate for OAuth 2.0 event authentication.
: This option allows you to enable auto-enrollment of the PKI method using the client SSL certificate in the user's browser.
When this option is set to, the PKI method is auto-enrolled if the following conditions are true:
The PKI method and another authentication method are added to the chain that is associated with the event, and the user has enrolled the other method that is available in the chain.
A valid client SSL certificate is available in the user's browser.
When this option is set to, the PKI method does not auto-enroll even though the browser has a valid client SSL certificate.
: This setting allows you to define the number of levels (certificate chain depth) to validate when verifying a client certificate during authentication. The client certificate is verified to ensure that it is valid and signed by a trusted authority.
For example, if you set the value to 2, the client certificate must pass through two levels of validation by two different certificate authorities.
: This setting allows specific domains to load the Advanced Authentication pages in an iframe. Previously, no domain was allowed to load the pages in an iframe. You can specify any number of domain names.
: This setting allows you to configure the preferred DH group and SSL cipher suites for exchanging data over a secured connection. Click the icon to display the following settings:
: This setting allows you to select a key exchange algorithm, which determines the strength of the key exchanged between the server and the client for a secured connection. The default value is . For a more secure connection, select a higher group number.
: This setting allows you to select a cipher suite, which defines how a secured connection is established and how data is communicated over it. The default value is .
The SSL cipher suite is a combination of key exchange, authentication, bulk data encryption, and message authentication code (MAC) algorithms. SSL uses one or more cipher suites to secure the transfer of data between the client and the server.
For example: A cipher suite can contain the following algorithms:
DH: indicates key exchange or agreement
DSA: indicates authentication
Triple DES (3DES): indicates block or stream ciphers
SHA: indicates message authentication
: This setting displays all the algorithms of the SSL cipher suite that you have set in . When you modify the algorithms, the is set to automatically.
WARNING: While customizing the cipher suite, ensure that the combination of algorithms is valid for a cipher. If a cipher suite contains an invalid combination of algorithms, the Advanced Authentication portals, such as the Administration, Helpdesk, and Self-Service portals, become inaccessible.
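To make the four-part structure of a cipher suite and the "invalid combination" failure concrete, here is an added example (not code from the product or this documentation) that decomposes OpenSSL-style suite names into their key exchange, authentication, bulk cipher and MAC roles, rejects combinations that do not exist, and flags legacy choices such as 3DES or SHA-1. It assumes the cipher suite field accepts OpenSSL-style names separated by colons; the token tables are a constructed subset, not OpenSSL's full list.

```python
import re

# OpenSSL-style names encode the roles the policy text lists: key exchange,
# authentication, bulk cipher and MAC. Constructed subset for this example.
SUITE_RE = re.compile(
    r"^(?:(?P<kex>ECDHE|DHE|ECDH|DH)-)?"          # absent => RSA key transport
    r"(?:(?P<auth>RSA|DSS|ECDSA)-)?"              # absent => RSA; DSS is OpenSSL's name for DSA
    r"(?P<bulk>AES128|AES256|DES-CBC3|CHACHA20)"  # DES-CBC3 is Triple DES (3DES)
    r"(?:-(?P<mode>GCM|POLY1305))?"               # AEAD modes; no token means CBC
    r"(?:-(?P<mac>SHA384|SHA256|SHA|MD5))?$"      # "SHA" means SHA-1
)

# Authentication algorithms each key-exchange family can legitimately be paired with.
VALID_PAIRS = {None: {None, "RSA"}, "ECDHE": {"RSA", "ECDSA"}, "ECDH": {"RSA", "ECDSA"},
               "DHE": {"RSA", "DSS"}, "DH": {"RSA", "DSS"}}


def parse_suite(name):
    """Return the suite's roles as a dict, or None if the name is not a valid combination."""
    m = SUITE_RE.match(name.upper())
    if not m:
        return None
    parts = m.groupdict()
    if parts["auth"] not in VALID_PAIRS[parts["kex"]]:
        return None  # e.g. ECDHE-DSS-...: no such suite exists
    if parts["mode"] == "POLY1305" and parts["bulk"] != "CHACHA20":
        return None
    if parts["mode"] is None and parts["mac"] is None:
        return None  # CBC suites always name their MAC
    return parts


def weaknesses(parts):
    """List reasons a defender would reject the suite; an empty list means acceptable."""
    issues = []
    if parts["kex"] not in ("ECDHE", "DHE"):
        issues.append("no forward secrecy")
    if parts["bulk"] == "DES-CBC3":
        issues.append("3DES (64-bit block)")
    if parts["mac"] in ("SHA", "MD5"):
        issues.append("legacy MAC " + parts["mac"])
    if parts["mode"] is None:
        issues.append("CBC mode")
    return issues


def review_cipher_list(spec):
    """Map each suite in a colon-separated list to its issues, or to 'invalid combination'."""
    report = {}
    for name in spec.split(":"):
        parts = parse_suite(name)
        report[name] = "invalid combination" if parts is None else weaknesses(parts)
    return report


if __name__ == "__main__":
    # Constructed sample: a modern suite, a legacy 3DES suite and a non-existent combination.
    for suite, finding in review_cipher_list(
            "ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-DES-CBC3-SHA:ECDHE-DSS-AES128-SHA").items():
        print(f"{suite:32} {finding or 'ok'}")
```

Run it against the suite string you intend to enter before saving the policy; any entry reported as an invalid combination is one that would lock you out of the portals.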