Since this connection type handles all authentication solely in Safewhere Identify, only limited configuration is needed.
- Federated session lifetime (minutes): Specifies how long the federated session lasts that is established when a user logs in with this authentication connection.
There is a range of fields that help you set up a two-factor authentication process. Each of them is explained below.
Second factor authentication connection: If you want this Authentication Connection to have a second factor, you must choose this second factor among the different Authentication Connections that have been set up in the system. This includes all the One Time Password Connections.
Two factor identities condition: When two different Authentication Connections are used together (which is essentially what you are doing when setting up two-factor authentication), the two may try to identify the incoming user based on two different identity-bearing claims. This dropdown is activated once a second factor has been chosen for the connection. Options in the dropdown are:
- Use the first identity: System will disregard the "Identity bearing claim" value of the second factor and just focus on identifying the user based on the first one.
- Two identities must be the same: The user will not be allowed to log in unless the identity established by the first factor is identical to that of the second factor.
Use as second factor only: If you just want the Authentication Connection to be used as the second factor for other connections and not have it offered to users as a primary connection option, then this checkbox must be set to true.
Ignored by second factor roles claim type: If there are subsets of users that you will allow to log in without also having to authenticate using the second factor, you must specify who these users are by means of a rule. The rule states that any user who has a specific value for a specific claim type is excluded from the second factor. This setting specifies which claim type will be tested; the setting below ("Ignored by second factor roles") states which values of that claim type are exempt. Safewhere Identify will search both the received assertion and the local store.
Ignored by second factor roles: The list of roles (claim type values) of which a user must have at least one in order to avoid having to authenticate via the second factor. Use a colon as the separator between roles.
Ignore roles check: If you do not want to let anyone log in without also authenticating via the second factor (thus in effect ignoring the two parameters above), you should set this checkbox to true.
Other settings for this authentication connection type:
- Maximum number of allowed authentication attempts before password must be reset: Defines how many retries are allowed before you no longer accept the risk that the attempts are an effort to gain unauthorized access to the account. After a user has failed this number of times, they must use the "Reset password" page to reset their password.
- Account lockout duration (seconds): Specifies the number of seconds that users must wait before their accounts are unlocked. A zero value means that locked accounts are unlocked again after 24 hours. See more details here.
- Enabled for mobile use: Should be ticked if you also want to allow mobile users to authenticate using this connection.
- IP-based filter for Home Realm Discovery: Specifies the IP addresses of RPs for the filter. An IP address consists of 4 sections of numbers between 1 and 255, separated by dots. An IP range consists of two IP addresses separated by a dash. You can enter multiple IP addresses or IP ranges by separating them with semicolons, e.g.: 192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255.
- Username is case-sensitive: Should be ticked if you do not want usernames to be validated in a case-sensitive manner.
- Show the link to return to the selector page: Should be ticked if you want to allow the user to return from the login page to the selector page in order to choose another authentication connection. When this option is enabled, a "Return to login selector page" link is displayed.
- Custom authentication view: Allows you to select a custom view instead of using the default view.
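As an added example (not code from Safewhere Identify or its documentation), the following Python parses an IP-based filter value in the format described above and checks whether a client address falls inside it. The function names are made up for this example, the sample filter string is the one from the text, and the `ipaddress` module is used for validation (note that it also accepts 0 in a section).

```python
import ipaddress


def parse_hrd_ip_filter(filter_text: str):
    """Parse a semicolon-separated list of IPv4 addresses and dash ranges
    (e.g. "192.168.1.1;192.168.0.0-192.168.1.255") into (low, high) pairs
    of integer addresses. Raises ValueError on malformed entries."""
    entries = []
    for raw in filter_text.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing or doubled ';'
        if "-" in item:
            low_s, high_s = (p.strip() for p in item.split("-", 1))
            low = ipaddress.IPv4Address(low_s)
            high = ipaddress.IPv4Address(high_s)
            if low > high:
                raise ValueError(f"range start is after range end: {item}")
        else:
            # a single address is a range of one
            low = high = ipaddress.IPv4Address(item)
        entries.append((int(low), int(high)))
    return entries


def ip_matches_filter(client_ip: str, entries) -> bool:
    """True if client_ip lies inside any parsed address or range."""
    n = int(ipaddress.IPv4Address(client_ip))
    return any(low <= n <= high for low, high in entries)


if __name__ == "__main__":
    # constructed sample: the example filter value from the documentation
    rules = parse_hrd_ip_filter("192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255")
    for ip in ("192.168.0.77", "192.168.2.1", "10.0.0.1"):
        print(ip, "matches" if ip_matches_filter(ip, rules) else "does not match")
```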