Configure the federated security
Configure the federated security by adding the authentication provider, configuring user claims rules, and specifying the SAML request to the Identity provider signed with a certificate.
-
Navigate to
.
The Federated security dialog box is displayed.
-
The federated security is clear by default. You can enable
Use federated security only when an active authentication provider is
configured.
When Federated security is on, turn off Windows Authentication. To do so, run the Configuration utility and modify the setting. See the Kofax TotalAgility Configuration Utility Guide for more information.
-
To configure an authentication provider, click
.
The Add authentication provider dialog box is displayed.
-
Configure the following settings on the
General tab:
- Enter a display Name for the authentication provider.
- On the Endpoint type list, select the endpoint type to specify whether the endpoint supports WS-Federation or SAML. (Default: WS-Federation)
- On the Endpoint URL list, specify the URL for the WS-Federation or SAML endpoint of the provider.
-
On the
Binding type list, select an authentication request type:
- HTTP-Redirect (default): SAML request is sent as an HTTP request query string parameter.
- HTTP-Post: SAML request is sent in the HTTP request body and the signature is embedded.
The Binding type and Authentication context settings are available only if the Endpoint type is SAML. - On the Authentication context list, select the authentication context to use, such as Password protected transport. (Default: Any)
-
Optional. Specify the
Relying party URL.
If you provide the relying party identifier in the Federated Security provider as https://<servername>/TotalAgility/ for TotalAgility On-Premise / On-Premise Multi-Tenant environments and https://<servername>// for TotalAgility Azure , you need not specify the relying party URL when configuring the federated security in TotalAgility. If you provide a different relying party identifier in the Federated Security provider, make sure that the identifier provided in the Federated Security provider must match the relying party URL specified in TotalAgility. The relying party identifier is for ADFS (Active Directory Federation Services) and APP ID URI is for Azure Active Directory. If you do not specify the relying party identifier in TotalAgility Azure, you must specify the APP ID URI.
-
Specify the
Issuer identity of the provider.
At runtime, this identity helps to verify that any claims passed to TotalAgility are from the correct provider.
-
Specify the
Sign out URL.
When you log off the provider, the specified URL opens.
-
Select either setting to specify the
Logout option:
-
TotalAgility and Provider: Logs you out of the provider as well as TotalAgility.
-
TotalAgility (default): Logs you out of TotalAgility.
-
- To specify that the authentication provider is active, select Active. (Default: Clear)
-
Relay state is used to communicate state when the message is passed to/from the identity provider and service
provider.
- By default, TotalAgility keeps using both the query string parameters and the relay state (depending on whichever works). Relying on query string parameters in the Assertion Consumer Service (ACS) URL can cause issues with providers that require exact match of the ACS URL.
-
If the provider supports only the relay state, you must select the check box for Relay state only. In this case, TotalAgility does not include any query string parameters in the ACS URL and will rely solely on the relay state setting. This is the recommended way to relay data between the application and provider.
The "Relay state only" option is available only if you select "SAML" on the Endpoint type list.
-
To provide response signature verification certificates, do the following:
- Click the Response validation tab.
-
Enter the three different public keys of the provider in
Certificate1,
Certificate2 and
Certificate3 fields.
You must provide at least one certificate.At runtime, all three certificates are used to verify that any claims passed are from the correct provider. If validation is passed at least for one certificate, the response is considered valid.
-
To determine how an existing user is found in
TotalAgility
when you log on using the authentication provider, do the following:
-
Click the
User claims mappings tab.
User claim mappings apply if the user does not exist in TotalAgility.
-
Match the user to the username (default) or email. Select either option for
Match to:
User name
-
By default, the username is taken from the security token.
-
For Name and Email address, select Enter on login to enter the name manually at runtime, or click From security token to take the name from a security token.
Email
-
For User name and Name, click Enter on login to enter the name manually at runtime or click From security token to take the name from a security token.
-
The Email address is taken from the security token (Default).
-
- Click Save.
-
Click the
User claims mappings tab.
-
To define a set of rules for specifying the
TotalAgility
category and groups to which a new user is added after being successfully authenticated with the provider, click the
User claims rules tab, and configure the
Default user claim and
Custom user rules.
If the claims or user claim rules are modified, TotalAgility automatically updates the working group and group membership of the resource.
- Select a Category and Working category.
- Optional. Select a Working group.
-
Select
Use custom user rules and define the rule:
-
Click .
The Add custom user rule dialog box is displayed.
-
Enter a rule Name for the claim.
-
Specify the Claim type and Claim value.
-
To specify the category the user is added to if the custom rule is satisfied, select a Category.
-
To specify the Working category the user is added to if the custom rule is satisfied, select a category.
-
To specify the Working group the user is added to if the custom rule is satisfied, select a group.
Specify at least one of the preceding optional settings for a custom user rule.
-
Optional. To add the resource groups the user is added to if the custom rule is satisfied, click Add for Groups.
The Add associated groups dialog box is displayed.
-
Select the required groups to add and click Done.
The Add custom user rule dialog box is displayed.
The custom user rules take precedence over the default user claim rules.
-
Click Save.
The rule appears in the table with the rule name and claim type details. You can modify or delete the custom rule.
-
-
The Refresh group membership on logon setting allows the group membership for a user to refresh automatically
based on the user claims and user claim rules if either of these has changed since the user has last logged on.
This setting is selected by default. On upgrading from the earlier versions, for the existing federated security providers, this setting is clear.
-
To configure and specify the SAML request to the Identity provider signed with a certificate, do the following:
-
Click the
Signature settings tab.
This tab is available only if the Endpoint type is SAML.
- Browse the certificate (containing private key) you want to upload for signing the SAML request.
- Enter the Password to decrypt the certificate.
-
On the
Algorithm list, select the algorithm you want to use for signing, such as
RSA-SHA1.
The signing algorithm must match the algorithm that the identity provider is configured with.
-
Click
Save.
The SAML request is signed.
-
Click the
Signature settings tab.
- Click Save.
-
Select
Use federated security.
If Federated security is in use on the Azure tenant and is connected to an Integration server, the Integration server will also make use of the same security settings. You must restart the TotalAgility Application pool on the Integration server for the new Azure tenant configuration settings to take effect.
- Click Close.
Launch the TotalAgility Designer using Federated security
Once the authentication provider is added and Federated security is turned on, upon logging on to TotalAgility Designer, the user is redirected to configured authentication provider URL.
If multiple authentication providers are configured, the user can select one and the Authentication Provider Logon page opens.
Once the user is authenticated by the provider, the user gets logged on to TotalAgility:
-
If the user exists in TotalAgility and matches a TotalAgility user using the claims mappings, the user gets logged on to TotalAgility.
-
If the user does not exist in TotalAgility, a user is added based on the user claim rules and then gets logged on to TotalAgility.
Launch the TotalAgility Designer in recovery mode
If the Federated security was configured incorrectly, you can launch the TotalAgility Designer in Recovery mode to modify the Federated security configuration.
- Use the following URL: http://<server name>/TotalAgility/Designer/#/logon/recovery.
-
Specify the
Recovery mode session ID and click
Validate.
The recovery mode session ID is stored in the Web.config from the following setting:
<add key= "RecoveryModeSessionId" value= <recovery mode session ID>/>The recovery mode session ID is unique. With each installation, the value in Web.config is updated with a new ID. -
Enter a valid
Username and
Password and click
Login.
You must have Read/Write or Full control access permissions on the Server to update the configuration. See Access control list.