13.36 Web Authentication

13.36.1 Configuring the Identity Provider

The Identity provider URL displays the default Public external URL. Also, the tenant_base URL if configured in the Public external URLs policy. If the Identity provider URL is set to default Public external URL, then the users must prefix TENANT\repository\ to the username during login. If you select the URL in the https://tenantName.tenant_base/ format, then the users can access the Advanced Authentication portals using the short username without prefixing the TENANT\repository\. The tenant_base represents the domain name. The domain name is shared among the tenants to generate a unique URL for each tenant.

For example, consider top tenant URL is caf.aacloud.com, here the domain base is aacloud.com. If the name of a new tenant is cyberres then the tenant URL becomes cyberres.aacloud.com.

Multi-Tenancy Mode

When the multi-tenancy is enabled, the Identity provider URL displays the URL configured by the TOP administrator. Also, the tenant_base entry and the base domain that all tenants can use. The tenant name is set as the host name of the tenant URL followed by the tenant_base.

13.36.2 Downloading the Identity Provider SAML Metadata

Click ldP SAML 2.0 Metadata to download SAML 2.0 metadata. You can download the SAML 2.0 metadata file only when the Identity Provider's URL is configured. The downloaded SAML 2.0 metadata file is used to configure the Service Provider.

For more information about SAML 2.0, see SAML 2.0.

13.36.3 Configuring Timeout

Specify the following details to configure timeouts:

  1. Session Timeout: Specify the time in seconds. By default, this value is set to 1200 seconds. This is the timeout value for authenticating to the Web Authentication session. If the session is idle for more than the specified time, then the session expires and the user must authenticate again before any action which requires an authenticated session. This timeout value is applicable for OAuth2 or OpenID Connect and SAML events.

    NOTE:Advanced Authentication user enrollment uses Web Authentication for authenticating users. After the authentication, the OSP session is not in use and Advanced Authentication manages its sessions. An OAuth2 or OpenID Connect application might use the Web Authentication session.

  2. Authorization Code Timeout: Specify the time in seconds. By default, this value is set to 120 seconds. This timeout value indicates how long the authorization code is valid. The request for an Access Token or an ID Token fails if the Authorization Code has expired and is no longer valid. The Authorization code becomes invalid if the client does not request for Token ID from the server within the specified time.

    For security reasons, some OAuth2 or OpenID Connect code flow schemes require that first an Authorization Code be requested. The Authorization Code is then used to request an Access Token and ID Token.

  3. Access Token Timeout: Specify the time in seconds till when the access token is valid. By default, this value is set to 120 seconds. Once the token expires, a new token is required before accessing the protected resources. The application might create a new token by using a Refresh Token and the client secret, or else the user is required to authenticate again.

  4. Refresh Token Timeout: Specify the time in seconds till when the token is valid. Once the token expires it can no longer be used to create a new Access Token. By default, this value is set to 2592000 seconds.

  5. Public Refresh Token Timeout: This timeout value is for refreshing token timeout for public clients. When there are two client types, private and public. By default, this value is set to 3600 seconds.

  6. Session Token Revocation Timeout: Specify the timeout value till when the session-based refresh token revocation entries are retained. Retained entries are removed when the session is properly logged out or after the refresh token expires. By default, this value is set to 172800 seconds.

13.36.4 Disabling the Authentication Chain Selection

The Enable chain selection option is set to ON by default to allow third-party SAML service providers to select a preferred authentication chain. You can set this option to OFF to give users the ability to select the preferred authentication chain.

13.36.5 Customizing Messages and Authentication Method Names for the Web Authentication Events

You can customize the messages and authentication methods name for the Web Authentication events in the Custom Messages policy. Set Use Custom Messages to ON to enable using the custom messages for the OAuth, SAML 2.0, or Open ID Connect events. You must customize the messages in the Custom Messages policy.

13.36.6 Customizing the Login Page of Web Authentication Events

NOTE:For more information about customizing the login page of Web Authentication events from Advanced Authentication 6.3 Service Pack 5 Patch 1 and SaaS 21.8.1 release, see Customizing the Login Page of Web Authentication Events.

You can customize the login page of the OAuth 2.0 or Open ID Connect and SAML 2.0 events. To do this, perform the following steps:

  1. Set Custom Branding to ON.

  2. Click Download Template.

  3. Save the osp-custom-resources.jar file.

  4. Unzip the osp-custom-resources.jar file and in the resources folder open the file that you want to customize as follows:

    • naaf_enduser_custom_resources_<language>.properties - Use this file to customize the text related to the all methods on the login and Chain Selection pages.

      For example, to edit the text on the Authentication Chain Selection page, customize the values of the following parameters in the naaf_enduser_custom_resources_<language>.properties file:

      • NAAFENDUSER.ChainPageHeader: To edit the title

      • NAAFENDUSER.ChainPageSubHeader: To edit the paragraph after the title

      • NAAFENDUSER.ChainSelectChain: To edit the name of chain list drop down

      NOTE:In case, you have customized the messages in the following files:

      • The naaf_enduser_custom_resources_<language>.properties file of osp-custom-resources.jar

      • Policies > Custom Messages

      Depending on the status of Custom Branding, the messages are displayed to end-users as follows:

      • With Use Custom Branding File for Web Authentication set to ON, Web authentication events display the customized messages from the osp-custom-resources.jar file

      • With Use Custom Branding File for Web Authentication is set to OFF, Web authentication events display the messages from Custom Messages policy

    • oidp_enduser_custom_resources_<language>.properties - Use this file to customize css, logo, copyright text and links of the login page.

      For examples, refer to Example of Customizing a Login Page.

      NOTE:Ensure that you edit the attributes in the Login page properties section of the oidp_enduser_custom_resources_<language>.properties file for the custom branding of the login page.

      You must also add your customized .css file in the css folder and required logo to the images folder of the osp-custom-resources.jar file.

  5. After you edit the specific file in the resources folder, zip the file osp-custom-resources.jar.

    NOTE:To avoid the manifest file overwriting, make sure the jar file has been unzipped and zipped instead of opening and closing it with the Java .jar tool. Otherwise use the following command line switch to set the manifest file and make sure the name of the manifest file matches the filename in the template:

    jar -cm <jar file name> <manifest file name>.

  6. Click Browse to upload the osp-custom-resources.jar file in the Web Authentication policy.

  7. Click Save.

The following section describes an example of the customization that you can achieve for the Web authentication.

Example of Customizing a Login Page

To achieve the customized login page in the Figure 13-3 for Acme Group of company, you can perform the following:

Figure 13-3 Customized Page for Acme Group

Adding a Customized CSS for the Login Page

You can add a customized css file to reflect changes for the login pages.

The following sample.css file has been customized for achieving the customized login page in Figure 13-3 for the Acme Group of company.

/* general styles
------------------------------- */
body { 
  margin:0; 
  padding:0; 
  background:#fff url("/osp/TOP/images/login_bg.jpg") no-repeat center center fixed; 
  -webkit-background-size: cover;
  -moz-background-size: cover;
  -o-background-size: cover;
  background-size: cover;
  font-family:Arial, Helvetica, sans-serif; 
}
img { 
  border:none; 
  max-width: 100%;
}
/* login box 
------------------------------- */
div.page-container {
  position:absolute;
  top: 50%;
  left: 0px;
  width:100%;
  margin:-265px auto 0 auto;
}
div.dialog {
  border: 12px solid rgba(255, 255, 255, 0.3);
  border-radius: 2px;
  width: 318px;
  max-width:100%;
  margin:0 auto;
  background-color: transparent;
}
div.dialog-content {
  height:525px;
  padding:0 15px;
  background:url(/osp/TOP/images/acme.png);
  background-color:#414749 ;
  background-position:180px 20px;
  background-repeat:no-repeat;
  font-family: Arial, Helvetica, sans-serif;
  text-align: left;
  }
.dialog-header {
  margin:0; 
  padding: 150px 0 40px 0; 
  color:#48c6e7; 
  font-size:22px; 
  font-weight:100;
  background: none;
}
div.dialog-header-content { 
  display:block; 
  color:#fff; 
  font-weight: 200;
}
p { margin:0; padding:0; }
div.dialog-body {
  padding: 0;
}
.product-name {
  margin: 0;
}
#password, #Ecom_User_ID {
  color: #000 !important;
  background-color: #999; 
  font-size: 13px; 
  line-height: 20px; 
  margin: 0 0 3px 0; 
  padding: 11px 10px 12px; 
  width: 100%; 
  box-sizing: border-box; 
  border: none; 
  border-radius: 0; 
}
.dialog-footer-content {
  display: none;
}
.button-container button, .btn { 
  display: block; 
  text-align: center; 
  color: #fff; 
  font-size: 13px; 
  background-color: #48c6e7; 
  border: none; 
  margin: 30px 0 0 0; 
  padding: 11px 10px 12px; 
  box-sizing: border-box; 
  width: 100%; 
  cursor: pointer; 
  -webkit-appearance: none; 
  text-decoration: none;
}
.button-container button:hover { 
  background-color:#00B4DF;
  border: none;
}
.input-box input {
  box-sizing: border-box;
  background-color: #999;
}
p.error {
    color: #cccccc;
    font-size: 13px;
    margin: 0;
    padding: 0 0 18px;
}
#logoutmsg, #logoutmsgsub { color:#fff; }
.error h1 { padding-bottom:20px; }
.help p { margin:0; padding:20px 0 0 0; font-size:11px; }
.help a { color:#cccccc; text-decoration:none; }
.help a:hover { color:#fff; }
.title {
  display: none;
}
.image-custom-link, .login-custom-link {
  display: inline;
}
.image-custom-link a {
  padding: 0;
}
.image-custom-link a:hover {
  color: #fff;  
  background-color: transparent;
  display: inline;
  padding: 0;
}
.image-custom-link img {
  height: 0;
  width: 0;
}
#loginCustomLink1 {
  float: right;
}
/*------------------------------------*\
    RESPONSIVE
\*------------------------------------*/
@media only screen and (max-width:480px) {
  div.page-container { 
    position: static;
    top: 0;
    margin: 0;
  }
  div.dialog {
    width: auto;
    margin: 0;
  }
}

Perform the following steps to add the sample.css file to the osp-custom-resources.jar file.

  1. Open the osp-custom-resources.jar file.

  2. Upload your .css file to the css folder.

  3. Open the resources folder.

  4. Open the oidp_enduser_custom_resources_en_US.properties file to edit the custom branding of the login pages in the English language.

  5. Uncomment the line OIDPENDUSER.LoginCss=reset.css,uistyles.css,uistyles_loginselect.css by removing the # sign.

    You can add your .css file here. For example, OIDPENDUSER.LoginCss=sample.css.

  6. Save the oidp_enduser_custom_resources_en_US.properties file.

Customizing the Logo of an Enterprise

You can edit the logo displayed on the login page of web authentication event using the parameter OIDPENDUSER.LoginProductImage available in the Login page properties.

For example, to edit the logo of the login page of an OAuth 2.0 event in the English language, perform the following:

  1. Open the oidp_enduser_custom_resources_en_US.properties file and edit the following attribute:

    OIDPENDUSER.LoginProductImage=company_img.png.

    You can also edit the .css file. The following code has been added to the sample.css file to display the logo in the Figure 13-3:

    div.dialog-content {
      height:525px;
      padding:0 15px;
      background:url(/osp/TOP/images/company_img.png);
      background-color:#414749 ;
      background-position:180px 20px;
      background-repeat:no-repeat;
      font-family: Arial, Helvetica, sans-serif;
      text-align: left;
      }
  2. Ensure that you add the image that you want as a logo to the images folder with the name that matches with the attribute value in OIDPENDUSER.LoginProductImage.

    By default the images folder contains the image company_img.

Customizing the Copyrights

You can edit the copyright text displayed on the login page of web authentication event using the parameter OIDPENDUSER.50004 available under the JSP Strings.

For example, to remove the copyright note that is displayed on the login page of an OAuth 2.0 event in the English language:

  1. Open the oidp_enduser_custom_resources_en_US.properties file and search the following parameter:

    #OIDPENDUSER.50004=Copyright [copy] [year] NetIQ[nbsp]Corporation, a Micro[nbsp]Focus company. All rights reserved

  2. Uncomment the following parameter as follows:

    OIDPENDUSER.50004=

    This removes the copyright note from the web authentication event - login page.

Customizing the Branding Text

You can edit the branding text displayed on the login page of web authentication event using the parameter OIDPENDUSER.LoginProductName available in the Login page properties section of the oidp_enduser_custom_resources_en_US.properties file.

For example, to edit the branding of the company to Acme Group, perform the following:

  1. Open the oidp_enduser_custom_resources_en_US.properties file and search the following parameter:

    #OIDPENDUSER.LoginProductName=Company[nbsp]Name[reg]

  2. Edit the following parameter as follows:

    OIDPENDUSER.LoginProductName=Acme[nbsp]Group[reg]

If you want to remove the branding text Acme Group, perform the following:

  1. Open the oidp_enduser_custom_resources_en_US.properties file and search the following parameter:

    #OIDPENDUSER.LoginProductName=Company[nbsp]Name[reg]

  2. Uncomment the following parameter as follows:

    OIDPENDUSER.LoginProductName=

This removes the branding text, Acme Group, from the web authentication event - login page.

Adding Links on the Login Page

You can add links for the login page of the web authentication event.

For example, if you want to add the link Forgotten Password that is displayed on the login page in the English language, add the following:

  1. Open the oidp_enduser_custom_resources_en_US.properties file.

  2. Add the following:

    OIDPENDUSER.50078=Click here if you've forgotten your username or password, or if you need to register.

    NOTE:The hyperlink for the text is taken from Methods > LDAP Password > SSPR URL in the Administration Portal.

13.36.7 Disabling the Authentication Chain Selection for Third-Party Service Providers

The SAML client chain selection is set to ON by default to allow the third-party service providers to select a preferred chain for authenticating to the SAML events.

For example, the third-party service provider can specify the following parameter in the configuration file to select a chain with the Password method:

'AuthnContextClassRef' => array(
'AuthnContextClassRef' => 'urn:uuid:519a6c73-f092-43d3-ab11-8d789ebc2f79?=internal.osp.oidp.aa.chain-name=Password Only')

You can set this option to OFF to prevent the service provider from selecting an authentication chain. In this case, users are allowed to select the chain.

NOTE:With the SAML client chain selection set to ON, the third-party service providers are allowed to select one chain and the chain selection is denied.

13.36.8 Allowing Event Selection for Third-Party Service Providers

You can allow the third-party service providers to select a preferred SAML event that users can access. Set SAML client event selection to ON to allow the service provider to select an event. By default, this option is set to OFF. When set to OFF, the service provider cannot select a preferred event.

The syntax to select a specific event is as follows:

'AuthnContextClassRef' => array( 'AuthnContextClassRef' => 'urn:uuid:519a6c73-f092-43d3-ab11-8d789ebc2f79?=internal.osp.oidp.aa.event-name=<event name>’)

If you configure an incorrect event name and a user tries to authenticate to the event, an error message authentication failed appears.