Enable browser-based user authentication on the Security Engine

Browser-based user authentication is configured in the properties of the Security Engine.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Engine.
  2. Right-click a Security Engine, then select Edit <element type>.
  3. Browse to Add-Ons > User Authentication.
  4. Select HTTPS to allow authentication using encrypted HTTPS connections and HTTP to allow authentication using plain HTTP connections.
    CAUTION:
    Plain HTTP connections are unsecured and transfer the user name and password in cleartext. Use encrypted HTTPS connections to avoid loss of sensitive information.
  5. (Optional) Change the port settings if you want to use a different port for the authentication interface.
    You must use the same port settings when you define the IPv4 or IPv6 Access rules that allow the authentication connections.
  6. (Optional) Select Always Use HTTPS if the Security Engine also listens on other ports and you want to redirect the connections to the HTTPS port and enforce the use of HTTPS.
    Example: The Security Engine listens on port 80, but you want to redirect connections to port 443.
  7. (Recommended) To prevent unauthorized access to resources, select the interfaces through which users can authenticate to the Security Engine in the Listen on Interfaces section.
  8. From the User Authentication Page drop-down list, select a User Authentication Page element.
    The User Authentication Page element defines the look of the logon page, challenge page, and status page shown to end users when they authenticate.
  9. (Optional) Select Enable Session Handling to enable cookie-based strict session handling.
    If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  10. (Optional) Select Refresh Status Page Every, then define how often the status page is automatically refreshed.
    • The option is automatically selected when you select Enable Session Handling.
    • If the option is selected, the end user must keep the status page open. If the status page is closed or cannot be refreshed, the connection is terminated.
  11. (Optional) Browse to Advanced Settings > Authentication, then configure advanced settings for browser-based user authentication.

Engine Editor > Add-Ons > User Authentication

Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option: Definition

Authentication Time-Out: Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out: Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP: When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS: When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.
  This option is required for client certificate authentication.
HTTPS Settings: Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile: The TLS Profile element that defines the TLS settings for HTTPS authentication connections and the trusted certificate authority for client certificate authentication. Click Select to select an element.
  This option is required for client certificate authentication.
Use Client Certificates for Authentication: When selected, the Security Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS: When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the Security Engine also listens on other ports.
Listen on Interfaces: Restricts the interfaces through which users can authenticate.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page: Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status pages shown to end users when they authenticate.
Enable Session Handling (Optional): When selected, enables cookie-based strict session handling.
  Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option then defines the authentication timeout.
Refresh Status Page Every (Optional): Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, also defines the authentication timeout.
Enable SAML: When selected, enables SAML authentication for browser-based user authentication.
  Note: This feature is only supported for HTTPS connections.
Clock Skew Limit: Enter the maximum allowed time difference in seconds between the Service Provider and the Identity Provider.
Add: Click Add to add a row to the table. The table includes the following columns:
  Note: To enter details in a row, double-click the field in the column to open the dialog box.
  • Authentication Method: Select the authentication method element to use for browser-based SAML authentication. For more details on how to create a SAML authentication method, refer to the Create a SAML authentication method element topic.
  • Service Entity ID: Enter the Service Provider Entity ID.
    Note: You must configure the Service Entity ID in both the IdP and the Engine. The Service Provider Entity ID configured in the IdP must match the Service Provider Entity ID configured in the Engine.
  • IdP Metadata: Enter the IdP Metadata details to establish trusted and secure communication with the Identity Provider (IdP). For more details, refer to the Create a SAML authentication method element topic.
    Note: If IdP metadata has already been configured for the selected authentication method and you reconfigure it here, the new IdP metadata overwrites the existing configuration for that authentication method. This overwrite applies only to browser-based user authentication.
  • ACS URL: Enter the URL to which the SAML assertion is sent after login, for example https://xxy.xxyxyx.com:9443/sso/saml, where xxy.xxyxyx.com is the hostname of the browser-based authentication interface and 9443 is the port defined for browser-based authentication.
    Note:
    • You must configure the ACS URL in both the IdP and the Security Engine. The ACS URL configured in the IdP must match the ACS URL used in the Engine.
    • The IP address and port used in the ACS URL must match the IP address and port of the browser-based user authentication interface.
Remove: Select a row in the table, then click Remove to remove the row.
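The SAML notes above boil down to a handful of consistency rules between the engine and the IdP registration: HTTPS must be enabled, the Service Entity ID and ACS URL must be identical on both sides, and the ACS URL's host and port must be the browser-based authentication interface and its HTTPS port. The following added example (not part of the product or its documentation) encodes those rules as a pre-deployment check over a constructed configuration; the host names, element names, IDs and URLs are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample of the engine-side settings from this branch.
# Host names, element names, IDs and URLs are hypothetical.
ENGINE = {
    "https_enabled": True,
    "https_port": 9443,
    # Addresses of the interfaces selected under Listen on Interfaces.
    "listen_hosts": {"auth.example.com", "192.0.2.10"},
}
SAML_ROW = {
    "auth_method": "saml-corp-idp",
    "service_entity_id": "https://auth.example.com/sp",
    "acs_url": "https://auth.example.com:9443/sso/saml",
}
# Constructed registration of the same Service Provider on the IdP side.
IDP_REGISTRATION = {
    "service_entity_id": "https://auth.example.com/sp",
    "acs_url": "https://auth.example.com:9443/sso/saml",
}


def check_saml_row(engine, row, idp):
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    if not engine["https_enabled"]:
        problems.append("SAML is only supported over HTTPS; enable HTTPS")
    if row["service_entity_id"] != idp["service_entity_id"]:
        problems.append("Service Entity ID differs between IdP and engine")
    if row["acs_url"] != idp["acs_url"]:
        problems.append("ACS URL differs between IdP and engine")
    acs = urlsplit(row["acs_url"])
    if acs.scheme != "https":
        problems.append("ACS URL must use https")
    # An ACS URL without an explicit port implies the scheme's default port.
    port = acs.port or (443 if acs.scheme == "https" else 80)
    if port != engine["https_port"]:
        problems.append(f"ACS URL port {port} != authentication HTTPS port {engine['https_port']}")
    if acs.hostname not in engine["listen_hosts"]:
        problems.append(f"ACS URL host {acs.hostname!r} is not an authentication interface address")
    return problems


if __name__ == "__main__":
    print(check_saml_row(ENGINE, SAML_ROW, IDP_REGISTRATION))
```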

Engine Editor > Advanced Settings > Authentication

Use this branch to configure advanced settings for user authentication.

Option: Definition

Default User Domain: The default LDAP domain from which the Security Engine looks up users.
  Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the Application Access Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix: When selected, the Security Engine looks up the user in the domain given by the email address or user principal name before looking up the user in the default domain.
  Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Allow Username Lookup Using Long UserID Attribute: When selected, the Security Engine uses the Long UserID to find or match the user in the Active Directory or LDAP server.
  Note: If Short UserID is configured, the engine first attempts to find the user using the Short UserID in the domain given by the domain part of the login name.
Client Certificate Identity Field for TLS: The attribute used to look up the user entry in the user domain when using TLS. The Security Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or LDAP Server Properties dialog box.
Root Password Login: Select one of the following options:
  • Login Allowed via SSH and Console: Root password login to the engine is allowed through both SSH and the console.
    Note: By default, this option is selected when an engine is upgraded.
  • Login Allowed via Console Only: Root password login to the engine is allowed through the console but not through SSH.
    Note: By default, this option is selected when a new engine is created.
  • Root Account Disabled (Super User Privileges through sudo): Root password login to the engine is disabled.
Authentication Method: Select an authentication method element from the available options:
  • Local Password: Allows authentication using the local password.
  • [Select…]: Select this option to view the available RADIUS authentication method elements.
    Note: The authentication method options shown depend on the RADIUS authentication server elements that are configured. For more details on how to create a RADIUS authentication server element, refer to the Define Authentication Method elements for external servers topic.
SSH Passwordless Login: Select one of the following options:
  • Allow: SSH passwordless login is allowed.
  • Deny: SSH passwordless login is denied.
  Note: This applies only to administrators replicated on the engine. For more details on administrator account replication, refer to the Add administrator accounts topic.
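The two client-certificate options above define a lookup precedence: the email domain or UPN suffix from the certificate is tried first, but only if it names a configured User Domain and only when the identity field is not a Distinguished Name; the default user domain is always tried afterwards. The following added example (not product code) models that precedence as the ordered list of domains the engine would query; the domain names and default are constructed values.

```python
# Constructed sample User Domain elements and the engine's default user domain
# (hypothetical names, not from any real deployment).
KNOWN_USER_DOMAINS = {"corp.example.com", "partner.example.net"}
DEFAULT_USER_DOMAIN = "corp.example.com"


def lookup_order(identity_field, identity_value, allow_domain_match,
                 known_domains=KNOWN_USER_DOMAINS, default_domain=DEFAULT_USER_DOMAIN):
    """Return the ordered list of user domains queried for a client-certificate
    identity, following the precedence rules described for these options."""
    if identity_field == "Distinguished Name":
        # The suffix-matching option is ignored for DNs: only the default domain is used.
        return [default_domain]
    if identity_field not in ("User Principal Name", "Email"):
        raise ValueError(f"unknown identity field: {identity_field}")
    order = []
    if allow_domain_match and "@" in identity_value:
        # The UPN suffix or email domain is the part after the last '@'.
        suffix = identity_value.rsplit("@", 1)[1].lower()
        # Only a suffix that matches a configured User Domain is tried first.
        if suffix in known_domains:
            order.append(suffix)
    # The default domain is always tried, after any matched domain.
    if default_domain not in order:
        order.append(default_domain)
    return order
```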