Configure user authentication

This topic describes how to configure ASMS user authentication, including single sign-on, authentication servers, and LDAP forests.

Best practice: Whenever possible, leverage LDAP/LDAPS for authentication. This enables all ASMS users to log in easily, including change requestors, application owners, auditors, and so on.

Configuring LDAP/LDAPS for ASMS also enables auto-provisioning, which means that users are automatically created and assigned to their appropriate roles based on their LDAP group membership, without any additional configuration.

Configure LDAP in AFA: Watch to learn how to sync AFA with your organization’s LDAP server.

User authentication via authentication servers

The AlgoSec Security Management Suite (ASMS) supports authenticating users via an authentication server in the following ways:

Local

When users attempt to log in, their credentials are authenticated locally.

Note: Beginning with A32.50, user passwords have new requirements. See Password requirements, Configure the Password policy (for local users), and Configure the Account Lockout policy (for local users).

For instructions how to unlock a locked local user account, see Unlock locked local accounts.

LDAP

If your company uses an LDAP (Lightweight Directory Access Protocol) server for authenticating network users (for example, Microsoft Active Directory), you can configure the AlgoSec Suite to authenticate users against the LDAP server. When a user attempts to log in (using the login credentials defined for them on the LDAP server), the AlgoSec Suite sends the entered username and password to the LDAP server. If the entered username exists in the LDAP server, and the password matches the username, then the user is logged in. The user will automatically be added to ASMS, allowing you to manage the user in the ASMS web interface.

If desired, you can configure additional criteria for authentication. For example, you can specify that the LDAP server should only search certain parts of its database for the entered username and password, or that users must belong to a certain LDAP user group.

The AlgoSec Suite additionally supports importing user data, such as permissions and roles, from an LDAP Server. When this is configured, each user is automatically assigned roles based on their LDAP groups.

Note: It is possible to use multiple LDAP servers to authenticate users.

For more details, see Import user data from an LDAP server.

RADIUS

Some companies use a RADIUS (Remote Authentication Dial In User Service) server for authenticating network users. The AlgoSec Security Suite can be configured to use the corporate RADIUS server to authenticate users. When a user attempts to log in (using the login credentials defined on the RADIUS server), ASMS sends the entered username and password to the RADIUS server. If the entered username exists in the RADIUS database, and the password matches the username, then the user is logged in. The user will automatically be added to ASMS, allowing you to manage the user in the ASMS web interface.

The AlgoSec Suite additionally supports importing data from an LDAP server for RADIUS authenticated users. See Import user data from an LDAP server.

Note: Microsoft Active Directory can be configured as a RADIUS server. For information on configuring Active Directory, refer to Microsoft documentation.

By default, the AlgoSec Security Suite uses the local user database to authenticate users. If you want to use a RADIUS server and/or an LDAP server in addition to local authentication, you must configure the desired user authentication method using the following procedure.

Note: When more than one user authentication method is enabled, you can choose which method to use on a per-user basis.

If importing user data from an LDAP server is not configured, you must manually define privileged users in AFA.

Configure user authentication via an authentication server

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. In the Options tab, click the Authentication sub-tab.

    The Authentication page appears.

  4. Choose Authentication Server.

    Note: The Local check box is selected by default and cannot be cleared.

  5. To test connectivity for a defined RADIUS or LDAP server, click Test connectivity for the specific server.

    A message informs you whether AFA connected to the server successfully.

  6. In the Default for new users area, choose the default authentication method for new users.

    Note: You can override the default authentication method to use on a per-user basis.

  7. To set a default mail domain, select Default Mail Domain, and  type the URL.

    When this option is configured, AFA automatically generates an email address for users by attaching the specified email suffix to its username (when an email address is not provided).

  8. Click OK.

Changes to user authentication settings immediately take effect.

Single Sign On (SSO) to ASMS

ASMS supports a SAML 2.0-based Single Sign On (SSO) solution, enabling you to integrate user logins with your SSO Provider.

SSO solutions have the following elements:

A service provider (SP) In our case, AlgoSec is a service provider that provides ASMS.
An identity provider (IdP)

In our case, your SSO Provider provides user identity verification as the identity provider.

When SSO is enabled:

  • ASMS directs users to authenticate against your SSO Provider as the IdP, and then redirects the user back to ASMS.
  • Users already logged in to the SSO Provider are directed directly to ASMS.
  • The Logout button no longer appears in ASMS. Log out by logging out of your SSO Provider only.

For more details, see:

Note: ASMS provides service provider metadata at the following URL:

https://<Algosec URL>/AFA/php/module.php/saml/sp/metadata.php/<SP Identifier>

SSO Provider requirements

As your IdP, your SSO Provider must be aware of the following ASMS services:

Assertion Consumer Service, or the Single Sign On URL

Informs the IdP where ASMS redirects the user for Single Sign On (login) requests.

Configured as:

https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-acs.php/<SP Identifier>

Single Logout Service

May not be required in all situations. Informs the IdP where ASMS redirects the user for Single Sign Out (logout) requests.

Configured as:

https://<ASMS URL>/simplesaml/module.php/saml/sp/saml2-logout.php/<SP Identifier>

The SSO Provider must inform ASMS about the user performing the authentication. The following data is passed with the returned attributes, post-authentication:

Attribute Content Example
UID

Username

laura
email Email address [email protected]
displayName Name displayed in the user interface Laura Sanchez

Tip: We recommend you configure a customized UID parser. This will solve any potential issues that may arise if your SSO Provider cannot be configured to provide the required data in this format.

For details, see Configure a customized UID parser.

Configure Single Sign On

Tip: If you use LDAP, start by configuring the LDAP by itself and verify that you can connect properly. After LDAP is working, set the SSO.

To configure Single Sign On in ASMS, do the following:

  1. In the AFA Administration area, browse to the OPTIONS > Authentication tab.

  2. Under User Authentication, select Single Sign On, and complete the following fields as needed:

    Service Provider identifier

    The identifier of the AlgoSec SP.

    This identifier must be unique, and it must be added to the list of known SPs in your identity provider's configuration.

    Identity Provider identifier

    The identifier of your installed IdP.

    IdP's Single Sign On service URL

    The URL of the IdP's Login page.

    IdP's Single Sign Out service URL

    The URL of the IdP's Logout page.

  3. Optional: To fetch user data, select the Fetch User Data checkbox and do one of the following:

  4. To set a default mail domain, select Default Mail Domain, and enter the URL.

    When this option is configured, AFA automatically generates an email address for users by attaching the specified email suffix to its username (when an email address is not provided).

  5. At the bottom of the page, click OK. Changes to user authentication settings immediately take effect.

Optionally, do any of the following:

Import user data from an LDAP server

Whether you are authenticating users with an LDAP or RADIUS authentication server, you can configure ASMS to import user data from an LDAP server. Upon each login, ASMS will fetch the user's full name and email address, as well as roles and inherited permissions. All of this information will be updated for the users on the AlgoSec server.

Note: This procedure is only relevant when authenticating with an LDAP or RADIUS authentication server. If you want to fetch data from an LDAP, but authenticate with SSO, see Single Sign On (SSO) to ASMS.

Note: If the system is configured to import user information from an LDAP server, changes to user settings must be made only on the LDAP server (changes made in the AlgoSec Suite may be overridden the next time the user logs in).

Note: The data stored for users who log in infrequently may be outdated. Each user's information is fetched and updated upon login; in addition to name and email, this includes the list of roles the user is assigned, the list of permissions the user inherits, and the list of users assigned the fetched roles.

Do the following:

  1. Configure LDAP or RADIUS user authentication. For details, see User authentication via authentication servers.

    • When authenticating with an LDAP server, select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.
    • When authenticating with a RADIUS server, do the following:

      1. Select the Fetch user data from LDAP check box in the RADIUS Authentication fields area.
      2. Additionally define the LDAP, select the Fetch user data from LDAP check box and complete the fields in the Fields Mapping area.

    Note: Many fields in FireFlow appear as options for mapping data. To import an LDAP field that doesn't exist by default, see Manage authentication servers and SSO.

  2. Click OK.

  3. If you selected the Associated Roles option, indicate a correspondence between LDAP groups and AlgoSec Suite roles doing the following:

  4. Add/Edit the user role you want to link with an LDAP group. For details, see Manage users and roles in AFA.
  5. Type the LDAP group name that you want to link with the role in the Role LDAP DN field.

When users log in that are members of this LDAP group, they will automatically be granted the role.

Configure an LDAP forest

If you have multiple LDAP servers with different users defined on each one, you can configure an LDAP forest consisting of these servers. AFA and FireFlow will authenticate LDAP users against the correct LDAP server.

Complete this procedure for each LDAP server you want to include in the forest.

Do the following:

  1. Choose a number to represent the LDAP server.

    Number 1 represents the primary LDAP server, and numbers 2 and 3 represent possible backup servers. If you do not want those servers to be included in the forest, choose a number higher than 3.

  2. In the toolbar, click your username.

    A drop-down menu appears.

  3. Select Administration.

    The Administration page appears, displaying the Options tab.

  4. In the Options tab, click the Advanced Configuration sub-tab.

    The Advanced Configuration page appears.

  5. Add the parameters specified in LDAP Parameters (see LDAP parameters), one at a time, by doing the following:

    1. Click Add.

      The Add New Configuration Parameter dialog is displayed.

    2. In the Name field, type ParamNumber

      Where:

      • Param is the parameter name.
      • Number is the server number selected in the previous step.

      For example, to specify the port number of LDAP server number 4, type LDAP_Port4.

    3. In the Value field, type the parameters value.

    4. Click OK.

    5. Repeat the above steps for each parameter.

    6. Click OK.

LDAP forest example

In the following example, LDAP server 4 is added to the forest:

LDAP_Port4=349

LDAP_Timeout4=120

LDAP_Version4=3

Ldap_Secured_Authentication_Method4=LDAPS

LDAP_Server4=192.164.2.43

LDAP_UseSecured4=no

LDAP_VerifyCert4=no

LDAP_Certificate4=Algosec_CA.pem

LDAP_Domain4=ldomain4

LDAP_Username4=CN=Bob,OU=Algosec,DC=algosec,DC=local

LDAP_Password4=$FOQABRER$27:A3:BD:F2:90:C7:21:5A:3A:F4:F4:AB:R8:20:6F:25

LDAP_Bind_Type4=Regular

LDAP_BaseDN4=dc=algosec,dc=local

LDAP_ExtraFiltering4=(objectClass=*)

DAP_NameAttr4=sAMAccountName

LDAP_MemberAttr4=memberOf

LDAP_GroupDN4=

LDAP_AttrEmail4=mail

LDAP_AttrFullName4=displayName

LDAP_AttrNotes4=description

LDAP_AttrOrganization4=company

LDAP_AttrAddress14=streetAddress

LDAP_AttrCity4=l

LDAP_AttrState4=st

LDAP_AttrZip4=postalCode

LDAP_AttrCountry4=co

LDAP_AttrHomePhone4=homePhone

LDAP_AttrWorkPhone4=telephoneNumber

LDAP_AttrMobilePhone4=mobile

LDAP_AttrPagerPhone4=pager

LDAP_AttrCustom4=group,primaryGroupID;allowDial,msNPAllowDialin;mark,
department

Log in when an LDAP forest is configured

Do the following:

  1. In the AFA or FireFlow Login page, type the following in the Username field:

    LdapDomain\userName

    Where:

    • LdapDomain is the domain name of the LDAP server on which they are defined.
    • userName is the user's LDAP username.

    For example, if Bob is defined on an LDAP server whose domain name is Ldomain4, then he must type "Ldomain4\Bob" in the Username field.

  2. In the Password field, type your LDAP password.

  3. Click Login.

Note: The backup servers will not be consulted, in the event that AFA/FireFlow did not locate the user in the specified LDAP domain.