As mentioned previously, Multi Factor Authentication (MFA) can be enabled for user logins. When the user tries to log in using the WebUI, they can be redirected to an external Clavister EasyAccess authentication server. This server will use SAML to return the authentication status to InCenter. Depending on how the authentication server is configured, additional factors (such as a code sent to the user's phone) can be requested by the authentication server during the login process.
Enabling MFA
The following steps are needed to enable MFA:

For each user in the InCenter user database who is to be authenticated using MFA, the samlUsername property must be set. For example:
admin@InCenter:/> user -update -id=admin -samlUsername=myEAusername
The samlUsername is the username that is expected by the authentication server when it authenticates the user. It can be the same as, or different from, the standard username property.
In EasyAccess, a SAML Metadata object should be created which specifies that the service provider metadata is downloaded from the following URL:
https://<incenter-server-ip>:8443/saml/mgmtsystem/metadata.xml
A suitable EasyAccess Federation Scenario is then created to authenticate users, possibly using secondary factors such as tokens (any of EasyAccess's MFA features could be used). This Federation Scenario references the SAML Metadata object created above and will also reference a data source of valid users.
Further information about EasyAccess setup can be found in the separate EasyAccess Getting Started Guide.
Using SCP or SFTP, upload the following files in PEM format to InCenter:
The public key file(s) of the identity provider (such as EasyAccess).
The public key file of the service provider (in this case, InCenter).
The private key file of the service provider (in this case, InCenter).
The service provider certificate files must be generated externally using a suitable tool. Also note that any of these files can be alternatively specified in the InCenter CLI as a base64 encoded string.
Using the InCenter CLI, enable the SAML object in Settings and assign values to its properties:
admin@InCenter:/> cc Settings
admin@InCenter:/Settings> set SAML Enabled=Yes IdentityProviderCertificates=my_idp.crt LoginUrl=https://<auth-server-ip>:8443/saml/authenticate/samlauth LogoutUrl=https://<auth-server-ip>:8443/saml/authenticate/SLO ServiceProviderCertificate=my_sp_rsa.pem ServiceProviderPrivateKey=my_sp_rsa IdentityProviderType=EasyAccess
Note that the IdentityProviderCertificates property could be assigned a comma separated list of more than one public key file.
In the corresponding EasyAccess federation scenario setup, the LoginUrl corresponds to the scenario's POST SSO URL property and the LogoutUrl corresponds to the POST SLO URL property.
After activating and committing the InCenter configuration changes, MFA is set up.
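The guide says the service provider certificate files must be generated externally and uploaded in PEM format, but does not show how. The following script is an added example and is not part of the InCenter guide or Clavister's tooling: it creates the service provider key pair under the file names used in the CLI command above (my_sp_rsa and my_sp_rsa.pem), checks that the certificate and private key actually belong together before anything is uploaded, and produces the one-line base64 form of a PEM file for the CLI's base64 alternative to a file name. The subject DN, the host name incenter.example.com, the upload user, and the assumption that the base64 form is the whole PEM file are all assumptions, not something the guide states.

```shell
#!/bin/sh
# Added example, not from the InCenter guide or Clavister: generate the
# InCenter service provider key pair in PEM format with OpenSSL, verify the
# certificate matches the private key, and base64-encode a PEM file.
# Assumptions: file names from the CLI example above, the host name, the
# subject DN, and that InCenter's base64 form is the whole PEM file.
set -eu

SP_KEY=my_sp_rsa             # value of ServiceProviderPrivateKey in the CLI example
SP_CERT=my_sp_rsa.pem        # value of ServiceProviderCertificate
SP_HOST=incenter.example.com # assumed host name of the InCenter server

# 3072-bit RSA key plus a self-signed certificate, both PEM, two-year validity.
# -nodes leaves the key unencrypted, which a server-side SAML SP requires.
gen_sp_credentials() {
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 730 \
        -keyout "$SP_KEY" -out "$SP_CERT" \
        -subj "/O=InCenter SAML SP/CN=$SP_HOST" >/dev/null 2>&1
    chmod 600 "$SP_KEY"
}

# True when the file parses as a PEM X.509 certificate / PEM private key.
is_pem_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }
is_pem_key()  { openssl pkey -in "$1" -noout >/dev/null 2>&1; }

# Compare the public key inside certificate $1 with the one derived from
# private key $2. A mismatched pair would make every request InCenter signs
# fail verification at the identity provider, so catch it before uploading.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# One-line base64 of a PEM file, for passing the certificate or key to the
# CLI as a base64 string instead of a file name (assumed to be base64 of the
# complete PEM file including its BEGIN/END lines).
pem_to_base64_line() {
    openssl base64 -A -in "$1"
}

# Copy the three PEM files to InCenter over SCP. Not executed here because it
# needs network access; my_idp.crt is the IdP file name from the CLI example
# and the "admin" login is an assumption.
upload_to_incenter() {
    scp "$SP_KEY" "$SP_CERT" my_idp.crt "admin@$1:"
}

gen_sp_credentials
is_pem_cert "$SP_CERT"
is_pem_key "$SP_KEY"
check_key_matches_cert "$SP_CERT" "$SP_KEY"
```

Run it in an empty directory, then call upload_to_incenter with the InCenter server address and proceed with the set SAML command. The match check is the step worth keeping even if the rest of the script is replaced by a PKI-issued certificate: it is the same comparison whether the certificate is self-signed or CA-issued.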
The MFA Login Sequence
The user login sequence through the WebUI is the following:

The user connects to the InCenter server as usual through a web browser.
If MFA has been enabled for the system, a button for EasyAccess login appears at the top of the login dialog.
The user presses the button and is redirected to web pages displayed by the authentication server. The pages displayed and the extra authentication factors required depend on how the authentication server is configured.
After authentication is successful, the browser returns to the InCenter overview page with the user logged in.
Notes on the MFA Feature
The following should be noted about using MFA with InCenter:

The MFA option is only available with on-premises InCenter.
MFA can only be enabled and configured using the InCenter CLI, as described above.
Only a single authentication server can be specified for each InCenter server instance.
Logins using MFA can only be done through the WebUI.
The MFA option in the WebUI login dialog will only appear if MFA is enabled.
A login using MFA for a user will fail if their samlUsername property in InCenter is not set. Additionally, the value set must also exist as a username in the authentication server's data source.
Enabling or disabling MFA is applied to all users in the InCenter user database. It cannot be done on a per user basis. Disabling MFA is done with the command:
admin@InCenter:/> cc Settings
admin@InCenter:/Settings> set SAML Enabled=No
Note that disabling MFA will not affect any samlUsername values that have already been set.
The access privileges (administrator or auditor) for a user logging in using MFA are determined by the user's entry in the InCenter user database and not by the authentication server.
Clavister has fully tested the MFA feature with Clavister EasyAccess. Other, third-party authentication servers may function correctly but are not officially supported by Clavister.