13.27 Public External URLs (Load Balancers)

IMPORTANT: The Public External URLs (Load Balancers) policy is not available in the Advanced Authentication as a Service (SaaS) version, and a tenant administrator cannot access this policy.

In this policy, you can set the external URLs used for OOB authentication and for methods such as Smartphone, Voice, and Out-of-band. You can specify multiple server URLs for the different sites. These are callback URLs that allow the authentication to happen between the sites.

NOTE: You must specify different public external URLs for the different Advanced Authentication sites. It is not possible to specify a public external URL of a common load balancer for all the sites.

The following workflow describes how this policy works in a multi-site environment for Smartphone authentication.

  1. The Smartphone app receives and updates the list of callback URLs during enrollment and in the background when the app starts.

  2. When a user opens the Smartphone app, the app sends the get salt request to all callback URLs.

  3. Only one callback URL returns the salt to the Smartphone app: the URL of the Advanced Authentication server that initiated the authentication.

  4. The Smartphone app sends the user's answer (Accept/Reject) only to this Advanced Authentication server.

WARNING: Because the smartphones must be able to communicate with the Public External URL that they have known since enrollment, the Public External URL must not be changed in production environments with multiple enrollments.

To test the Public External URL, open the URL with the trailing /smartphone on a user’s smartphone. If you see the message IT WORKS, the Public External URL policy is configured appropriately.

Multi-Tenancy Mode

When multi-tenancy is enabled, the default site entry with the Public URL is displayed. The tenant_base entry and the base domain that all tenants can use are also displayed. The tenant name is set as the host name of the tenant URL, followed by the tenant_base.

For example, if the tenant-name is cyberres, then the tenant URL is cyberres.aacloud.com, where aacloud.com is the tenant_base.

To secure the tenant URL, you must upload the wildcard certificate of the base domain (*.aacloud.com) in the Server Options.
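
The following script is an added example, not part of the product or its documentation. It covers the per-site URL rule, the /smartphone test, and the tenant URL naming described above: it flags a public external URL shared by more than one site, probes each URL for the IT WORKS message, and checks that a tenant host is a single label under the wildcard certificate name. A wildcard certificate matches only one label, which is standard TLS behavior. The site names and example.com URLs are constructed placeholders, and all function names are hypothetical.

```python
# Added example: pre-flight checks for the Public External URLs policy.
import urllib.request
from urllib.parse import urlsplit

# Constructed sample values (placeholders, not from a real deployment).
SITES = {"site-a": "https://aa-site-a.example.com",
         "site-b": "https://aa-site-b.example.com/"}

def shared_urls(site_urls):
    """Return {(host, port): [sites]} for endpoints listed for more than one site."""
    seen = {}
    for site, url in site_urls.items():
        p = urlsplit(url)
        port = p.port or (443 if p.scheme == "https" else 80)
        seen.setdefault(((p.hostname or "").lower(), port), []).append(site)
    return {k: v for k, v in seen.items() if len(v) > 1}

def probe_url(public_url):
    """The test address from the page: the public URL with a trailing /smartphone."""
    return public_url.rstrip("/") + "/smartphone"

def http_get(url, timeout=10):
    """Fetch the first bytes of the page body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(4096).decode("utf-8", "replace")

def check_sites(site_urls, fetch=http_get):
    """Map each site to True only if its probe page shows the IT WORKS message."""
    results = {}
    for site, url in site_urls.items():
        try:
            results[site] = "IT WORKS" in fetch(probe_url(url)).upper()
        except (OSError, ValueError):  # unreachable, TLS failure, bad URL
            results[site] = False
    return results

def covered_by_wildcard(tenant_name, tenant_base, wildcard):
    """True if <tenant_name>.<tenant_base> is one label under a '*.base' name."""
    host = f"{tenant_name}.{tenant_base}".lower()
    label, _, rest = host.partition(".")
    return wildcard.startswith("*.") and bool(label) and rest == wildcard[2:].lower()

if __name__ == "__main__":
    print("shared:", shared_urls(SITES))
    print("probe:", check_sites(SITES))  # performs real HTTPS requests
    print("cert ok:", covered_by_wildcard("cyberres", "aacloud.com", "*.aacloud.com"))
```

Run the probe from a network that the users' smartphones actually use, because a URL that answers from inside the data center may still be unreachable from outside.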