Important notice! This documentation is out of date and refers to Soffid version 2

Soffid 3 documentation is available https://bookstack.soffid.com


Introduction

Soffid can use different kinds of external authentication sources.

Each of these mechanisms can be selectively enabled or disabled.


Username and password

Internal

The first option, and the only one enabled by default in a Soffid installation, is the internal username and password authentication mechanism.

In this case, authentication is performed with the username and password of the Soffid account.


External

The second option is to use external username and password sources.

In this case, authentication is performed with the username and password of an account on an external system.

Not every external system is included: only those whose agent has the "Trust password" check marked are used. For more information about agents, please check Agents.

Once it's configured, Soffid will still use its internal tables to authenticate usernames and passwords.

Should the password entered by the user not match, Soffid core will issue a "ValidatePassword" task for each trusted target system.

If any of the trusted target systems accepts the password, it will be hashed and stored in Soffid tables and login will be accepted.

External SAML identity provider

It should be noted that this feature does not depend on the federation addon: it is included by default in the Soffid smart engine, and it allows a third-party SAML system to be added to the authentication flow.

To enable it, you should complete these fields.

  1. Enabled. Mark the checkbox to use an external SAML Identity Provider.
  2. Soffid Server host name. Enter the URL that will be used by the external IdP. This URL will be resolved by the end user's browser in order to send the SAML assertion.
  3. SAML federation metadata. Enter the URL where the federation information can be found. If the Soffid console can fetch the federation metadata, the Identity provider drop-down will be filled in with every identity provider found at the federation metadata URL.
  4. Cache limit (seconds). Enter how often the federation information will be refreshed. By default, 10 minutes will be taken.
  5. Identity provider. Select the Identity Provider to use for authentication.

Finally, download the Soffid Console Metadata with the button, and load it into your SAML Identity Provider federation.

If the SAML Identity Provider is enabled as well as username and password, the user will be able to select the preferred authentication method. Otherwise, if only SAML is enabled, the user will be automatically redirected to the SAML Identity Provider.


Enable LinOTP integration

Soffid can be configured to require the user to authenticate with a second factor before performing certain actions.

To create your service in Soffid, please check Two factor authentication (2FA).

To enable and configure LinOTP service, you should complete these fields.

  1. Enabled. Mark the checkbox to use the LinOTP integration.
  2. LinOTP server URL. The URL of your LinOTP service.
  3. LinOTP admin username. The username of the admin account used by Soffid.
  4. LinOTP admin password. The password of the admin account used by Soffid.
  5. LinOTP users domain. Select the user domain for LinOTP authentication. The selected user domain is used to derive the LinOTP username for any Soffid identity. This is extremely important when LinOTP usernames do not match Soffid usernames. Please check User domains.

For the time being, only the LinOTP token manager is supported. Radius support is in progress.

Second Factor Authentication configuration

This section requires the LinOTP integration to be enabled (see the previous section).

Optionally

In the first textbox, enter the list of pages for which the second factor is required only from users who have a token.

Therefore, if a URL optionally requires OTP authentication and the user does not have any LinOTP token (or the LinOTP service is down), access will be granted.

Otherwise, if the user has a LinOTP token, the OTP value will be required, and no access will be allowed until the user provides the right token value.

Mandatory

In the second textbox, enter the list of pages for which the second factor is always required.

Therefore, if a URL strictly requires OTP authentication, users with no token will not be allowed to use it.

Time period

Once the token has been validated, no further OTP authentication will be required for a configurable time period.

This time period is configured below the two textboxes.

In both configurations, when OTP is required from the user, a popup requesting the token value is raised.
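The access decision described in the three subsections above, written out as an added example (not Soffid's own code) so the optional/mandatory behaviour can be checked against concrete URLs. The URL patterns, the 600-second time period and the `access_decision` helper are constructed for the example; Soffid's real matching syntax is not documented on this page, so shell-style wildcards are assumed. The page does not say what happens on a mandatory page when LinOTP is down; the example assumes fail-closed there.

```python
import fnmatch
from typing import Optional

# Constructed sample configuration (assumption: entries are path patterns).
OPTIONAL_OTP_URLS = ["/soffid/users/*", "/soffid/reports"]   # first textbox
MANDATORY_OTP_URLS = ["/soffid/admin/*"]                     # second textbox
OTP_GRACE_SECONDS = 600                                      # "time period" field


def otp_requirement(url: str) -> str:
    """Classify a URL as 'mandatory', 'optional' or 'none' for OTP."""
    if any(fnmatch.fnmatch(url, p) for p in MANDATORY_OTP_URLS):
        return "mandatory"
    if any(fnmatch.fnmatch(url, p) for p in OPTIONAL_OTP_URLS):
        return "optional"
    return "none"


def access_decision(url: str, user_has_token: bool, linotp_available: bool,
                    last_otp_validation: Optional[float], now: float) -> str:
    """Return 'allow', 'challenge' (raise the OTP popup) or 'deny'.

    last_otp_validation is the epoch time of the user's last successful
    OTP check in this session, or None if there has been none.
    """
    req = otp_requirement(url)
    if req == "none":
        return "allow"
    # Time period: a recent successful OTP check satisfies both lists.
    if last_otp_validation is not None and now - last_otp_validation < OTP_GRACE_SECONDS:
        return "allow"
    if req == "optional":
        # Optional pages only challenge users who actually have a token,
        # and fall open when the LinOTP service cannot be reached.
        if not user_has_token or not linotp_available:
            return "allow"
        return "challenge"
    # Mandatory pages: no token means no access.
    if not user_has_token:
        return "deny"
    if not linotp_available:
        return "deny"   # assumption: fail closed; the page does not specify
    return "challenge"
```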

