IMPORTANT: The HTTPS Options policy is not available in the Advanced Authentication as a Service (SaaS) version.
In this policy, you configure the TLS protocol versions, cipher suites, and HTTP security headers of the appliance's web services, which limits its exposure to known protocol and browser-side attacks.
This policy allows you to configure the following settings:
Enable TLS 1.0: This option is disabled by default because TLS 1.0 is deprecated (RFC 8996) and is no longer considered a secure protocol. Enable it only if you must support older browsers that cannot negotiate TLS 1.2. For more information on browser support for TLS, see TLS support for web browsers.
Enable TLS 1.1: This option is disabled by default. Like TLS 1.0, TLS 1.1 is deprecated (RFC 8996), so keep the default to ensure that connections between the server and the web portals (Helpdesk, Self-Service, and so on) use TLS 1.2 or later. Enable it only if you must support older browsers.
Enable TLS 1.2: This option is enabled by default and allows clients to communicate with the server over HTTPS using TLS 1.2. Keep it enabled; the web portals rely on it to connect to the server.
NOTE: The server always supports TLS 1.3, regardless of whether this option is enabled or disabled. If you disable TLS 1.2 as well, only clients that support TLS 1.3 can connect.
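After changing the TLS version toggles, confirm from the outside that the server actually behaves as configured. The following is an added example, not part of the product or this documentation: it pins a client handshake to one TLS version at a time, records which versions the server accepts, and compares the result with the policy (TLS 1.0 and 1.1 off, 1.2 on, 1.3 always on). The host name aaf.example.com is a placeholder you replace with your appliance.

```python
"""Probe which TLS versions a live Advanced Authentication server accepts and compare
the result with the HTTPS Options policy. Added example, not product code; the host
name used below is a placeholder."""
import socket
import ssl

# Protocol versions in the order the policy exposes them.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def expected_from_policy(enable_tls10=False, enable_tls11=False, enable_tls12=True):
    """Translate the three policy toggles into the versions the server should accept.

    TLS 1.3 has no toggle and is always offered, so it is always expected.
    The defaults mirror the policy defaults described above."""
    return {
        "TLSv1.0": enable_tls10,
        "TLSv1.1": enable_tls11,
        "TLSv1.2": enable_tls12,
        "TLSv1.3": True,
    }


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client's OpenSSL cannot speak that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not the certificate, so skip verification here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it for the probe only.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_server(host, port=443):
    """Probe every version and return {name: accepted}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def policy_mismatches(observed, expected):
    """Versions where the live server disagrees with the configured policy.

    A None probe result (our client could not even attempt that version) is skipped."""
    return sorted(
        name for name in expected
        if observed.get(name) is not None and observed.get(name) != expected[name]
    )


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "aaf.example.com"  # placeholder host
    observed = probe_server(host)
    for name, accepted in observed.items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print("policy mismatches:", policy_mismatches(observed, expected_from_policy()) or "none")
```

Run it as `python probe_tls.py aaf.example.com` after saving the policy. Any version listed under policy mismatches means the setting did not take effect (or a load balancer in front of the appliance terminates TLS with its own configuration), which is exactly the case a browser-compatibility exception would otherwise hide.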
Enable Content Security Policy for Webauth Service: This option allows you to add a Content Security Policy (CSP) for the following OSP-related URLs:
New Enrollment UI login
OAuth2/SAML2 Events
The CSP is delivered in the Content-Security-Policy HTTP response header. It tells the browser which origins it may load scripts, styles, frames and other resources from, and which sites are allowed to embed the page.
This option is enabled by default. When enabled, a CSP is added to the URLs listed above to mitigate attacks such as Cross-Site Scripting (XSS) and clickjacking. Keep it enabled: it is a defence-in-depth control, and browsers that do not understand the header simply ignore it.
Enable Client SSL for Webauth Service: This option enables TLS client-certificate authentication (mutual TLS). The browser presents a client certificate during the TLS handshake, and the server uses the details in that certificate to authenticate the user to the web environment. This option is used for the virtual smartcard support of the PKI method. As with any HTTPS connection, the data transmitted to the server remains encrypted.
When this option is set to OFF, the user must use a physical PKI device to authenticate to any device or web service.
When this option is set to ON, the following settings are displayed:
Client SSL CA Certificate Store: This setting allows you to upload the CA certificate(s) required to validate client SSL certificates during OAuth 2.0 event authentication. Only client certificates that chain to a CA in this store are accepted.
Enable Auto Enrollment based on certificate: This option enables automatic enrollment of the PKI method using the client SSL certificate presented by the user's browser.
When this option is set to ON, the PKI method is auto-enrolled if both of the following conditions are true:
The PKI method and at least one other authentication method are added to the chain associated with the OAuth 2.0 event, and the user has already enrolled that other method.
A valid client SSL certificate is available in the user's browser.
When this option is set to OFF, the PKI method is not auto-enrolled even if the browser has a valid client SSL certificate.
SSL Client Certificate Verify Depth: This setting defines how many levels of the certificate chain the server follows when validating a client certificate, that is, how many intermediate CA certificates may sit between the client certificate and a trusted CA in the Client SSL CA Certificate Store. Verification confirms that the certificate is valid and that every certificate in the chain is signed by a trusted authority.
For example, if your PKI issues client certificates from an intermediate CA that is itself signed by a root CA, the chain contains one intermediate level. A client certificate whose chain is longer than the configured depth is rejected even if every signature is valid. Set the depth to match the longest chain your PKI actually issues, and test with a real client certificate, because the exact counting convention depends on the underlying TLS library.
Frame Ancestor URLs (one URL per line): This setting allows the listed domains to embed the Advanced Authentication pages in an iframe. In earlier releases no domain could frame the pages, which protects against clickjacking; leaving the list empty keeps that behaviour. You can specify any number of domains, but list only the sites that genuinely need to embed the login pages, and use the https scheme.
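The natural way for a server to allow framing only from listed domains is the frame-ancestors directive of the Content Security Policy described above, and that is the interpretation the following added example takes; it is not product code, and the assumption that the setting is applied as a frame-ancestors directive is mine. The example builds the directive from the one-URL-per-line list and evaluates whether a given embedding origin would be allowed, following CSP host-source matching (scheme, host with *.wildcard, port). All host names are constructed.

```python
"""Build a CSP frame-ancestors directive from a Frame Ancestor URLs list and check which
embedding origins it permits. Added example, not product code; it assumes the setting is
realised as a Content-Security-Policy frame-ancestors directive."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def build_frame_ancestors(lines):
    """Turn the one-URL-per-line setting into a frame-ancestors directive.

    An empty list yields 'none', the strictest value: no site may frame the page."""
    sources = [ln.strip() for ln in lines if ln.strip()]
    if not sources:
        return "frame-ancestors 'none'"
    return "frame-ancestors " + " ".join(sources)


def _split_source(expr):
    """Parse a CSP host-source such as https://*.example.com:8443 into (scheme, host, port).

    Any path is dropped: frame-ancestors is matched against the ancestor's origin, which
    has no path. A missing scheme or port is returned as None."""
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = None, expr
    rest = rest.split("/", 1)[0]
    host, _, port = rest.partition(":")
    return scheme, host.lower(), (port or None)


def _port_matches(src_port, origin_scheme, origin_port):
    # No port in the source means "the default port for the origin's scheme".
    if src_port is None:
        return origin_port == DEFAULT_PORTS.get(origin_scheme)
    if src_port == "*":
        return True
    return src_port.isdigit() and int(src_port) == origin_port


def origin_allowed(directive, origin, protected_scheme="https"):
    """Evaluate a frame-ancestors directive against the origin of an embedding page.

    `protected_scheme` is the scheme of the framed page (the portal, so https);
    scheme-less sources only match origins that use it."""
    sources = directive.split()[1:]
    if not sources or sources == ["'none'"]:
        return False
    o = urlsplit(origin)
    o_scheme = o.scheme.lower()
    o_host = (o.hostname or "").lower()
    o_port = o.port or DEFAULT_PORTS.get(o_scheme)
    for src in sources:
        if src == "'self'":
            continue  # same-origin framing; irrelevant for third-party embedders
        if src.endswith(":") and "://" not in src:
            if o_scheme == src[:-1].lower():  # scheme-source such as https:
                return True
            continue
        s_scheme, s_host, s_port = _split_source(src)
        want_scheme = s_scheme or protected_scheme
        # CSP lets an http source also match an https origin (secure upgrade), never the reverse.
        if not (o_scheme == want_scheme or (want_scheme == "http" and o_scheme == "https")):
            continue
        if s_host == "*":
            host_ok = True
        elif s_host.startswith("*."):
            # *.apps.example.com matches hr.apps.example.com but not apps.example.com itself.
            host_ok = o_host.endswith(s_host[1:]) and o_host != s_host[2:]
        else:
            host_ok = o_host == s_host
        if host_ok and _port_matches(s_port, o_scheme, o_port):
            return True
    return False


if __name__ == "__main__":
    # Constructed setting value, one URL per line as entered in the policy.
    setting = ["https://intranet.example.com", "https://*.apps.example.com:8443"]
    directive = build_frame_ancestors(setting)
    print(directive)
    for candidate in ("https://intranet.example.com", "http://intranet.example.com",
                      "https://hr.apps.example.com:8443", "https://apps.example.com:8443"):
        print(f"{candidate:<40} allowed={origin_allowed(directive, candidate)}")
```

Two details matter when you fill in the list: an entry without an explicit port only matches the default port of its scheme, and a wildcard entry never matches the bare parent domain, so an integration on apps.example.com itself needs its own line. Browsers that implement frame-ancestors also ignore any X-Frame-Options header when the directive is present, so the CSP value is the one that counts.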
Advanced SSL Settings: This setting allows you to configure the preferred Diffie-Hellman (DH) group and the TLS cipher suites used to protect data exchanged over the connection. Click the + icon to display the following settings:
Pre-defined DH group: This setting selects the finite-field Diffie-Hellman group used for key exchange; the size of the group determines the strength of the session keys negotiated between the server and client. The default value is FFDHE2048 (the 2048-bit group from RFC 7919). For a stronger exchange, select a larger group, at the cost of slightly slower handshakes.
Pre-defined SSL ciphersuite: This setting selects the cipher suite list that determines how the server and client negotiate and protect the connection. The default value is Less Restrictive Ciphers, which favours backward compatibility over strictness.
A cipher suite is a combination of key exchange, authentication, bulk data encryption, and message authentication code (MAC) algorithms. During the handshake the client offers the suites it supports and the server selects one from its configured list; that suite then protects the data transferred between them.
For example, a legacy cipher suite can contain the following algorithms:
DH: key exchange or agreement
DSA: authentication (the algorithm behind the server's signature)
Triple DES (3DES): bulk data encryption (a block cipher)
SHA: message authentication (HMAC)
Of these, 3DES and DSA are obsolete. Modern suites combine ephemeral (EC)DHE key exchange with RSA or ECDSA authentication, AES-GCM or ChaCha20-Poly1305 encryption, and SHA-256 or SHA-384.
SSL ciphersuite: This setting displays the full cipher string that corresponds to the Pre-defined SSL ciphersuite you selected. When you edit it, Pre-defined SSL ciphersuite automatically changes to Custom.
WARNING: When customizing the cipher suite, ensure that the string is valid and that at least one suite remains that your users' browsers support. If the string is invalid or leaves no usable suite, the Advanced Authentication portals (Administration, Helpdesk, and Self-Service) become inaccessible, including the Administration portal you would otherwise use to correct the setting.
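Because an invalid cipher string locks you out of the portals, validate it before you save it. The following added example (not product code) feeds a candidate string to OpenSSL through Python's ssl module exactly as a server would, reports whether any suite could be selected, and breaks each resulting suite down into the four roles described above (key exchange, authentication, bulk cipher, MAC), flagging obsolete suites and suites without forward secrecy. The appliance may run a different OpenSSL build than your workstation, so treat the result as a syntax and sanity check, not as a guarantee. The candidate string in the usage section is constructed.

```python
"""Validate a custom cipher string before pasting it into the SSL ciphersuite field and
show what each resulting suite is made of. Added example, not product code. Uses the
local OpenSSL via Python's ssl module, so the accepted set may differ slightly from the
appliance's; use it as a syntax and sanity check."""
import ssl

# Name fragments that mark an obsolete or insecure suite (heuristic over OpenSSL names).
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "MD5", "DES", "ADH", "AECDH", "IDEA", "SEED")


def is_weak(name):
    """True if the suite name carries an algorithm a modern deployment should not offer."""
    return any(tok in name.upper() for tok in WEAK_TOKENS)


def has_forward_secrecy(suite):
    """True for ephemeral (EC)DHE key exchange; every TLS 1.3 suite qualifies."""
    return suite["protocol"] == "TLSv1.3" or suite["name"].startswith(("ECDHE-", "DHE-"))


def review_cipher_string(spec):
    """Apply the string to a server context as OpenSSL would and summarise the outcome.

    Returns a dict with:
      valid  - False if OpenSSL could not select a single suite (the failure mode the
               WARNING above describes)
      suites - one record per negotiable suite: name, protocol and the four roles
      weak   - suite names that should be removed
      no_pfs - suite names without forward secrecy"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return {"valid": False, "suites": [], "weak": [], "no_pfs": []}
    suites = []
    for c in ctx.get_ciphers():
        suites.append({
            "name": c["name"],
            "protocol": c["protocol"],
            "key_exchange": c.get("kea"),
            "authentication": c.get("auth"),
            "bulk_cipher": c.get("symmetric"),
            # AEAD suites (GCM, ChaCha20-Poly1305) integrate integrity into the cipher.
            "mac": c.get("digest") or ("AEAD" if c.get("aead") else None),
        })
    return {
        "valid": True,
        "suites": suites,
        "weak": [s["name"] for s in suites if is_weak(s["name"])],
        "no_pfs": [s["name"] for s in suites if not has_forward_secrecy(s)],
    }


if __name__ == "__main__":
    # Constructed candidate for the Custom field: two modern suites plus one legacy 3DES suite.
    candidate = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA"
    result = review_cipher_string(candidate)
    print("valid:", result["valid"])
    for s in result["suites"]:
        print(f'{s["name"]:<36} {s["protocol"]:<8} kx={s["key_exchange"]} '
              f'auth={s["authentication"]} enc={s["bulk_cipher"]} mac={s["mac"]}')
    print("weak:", result["weak"])
    print("no forward secrecy:", result["no_pfs"])
    print("invalid string accepted?", review_cipher_string("NOT-A-CIPHER")["valid"])
```

Note that OpenSSL silently drops names it does not recognise, so a typo in one suite of a longer list is not an error; only a string that leaves no selectable suite fails. Comparing the returned suite list with what you intended catches the silently dropped entries. TLS 1.3 suites appear in the list regardless of the string, which matches the NOTE above that TLS 1.3 is always available.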