Setup IdentifyMe
Introduction
This topic describes how to set up IdentifyMe and try it out.
How to apply a license file
You need to have a license file that allows you to use IdentifyMe's features. In this example, the license file covers IdentifyMe and IdentifyMe reset password features.
For each Identify instance, you must acquire a license file from Safewhere and then copy it into the bin folders of your newly created Identify instance. Assuming you installed Identify at the default directory C:\Program Files\Safewhere\, put the license file in:
- C:\Program Files\Safewhere\Tenants\[your_tenant]\admin\bin
- C:\Program Files\Safewhere\Tenants\[your_tenant]\runtime\bin
- C:\Program Files\Safewhere\Tenants\[your_tenant]\selfservice
The license can also be put in the C:\Windows\System32 folder.
Set up IdentifyMe connection
First, create an OIDC connection for the IdentifyMe application:
After that, you can access https://[IDENTIFY_DOMAIN_NAME]/selfservice to use the IdentifyMe application.
Session lifetime setting
All actions on IdentifyMe such as resetting passwords, resetting or onboarding WebAuthn and T-OTP authenticators, uploading certificates, and updating user profiles are security critical. Every time a user logs in to IdentifyMe, a login session is established. According to OWASP:
The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring.
You can control IdentifyMe's session lifetime with the Token life time (minutes) setting of IdentifyMe's OIDC connection named "https://tenandomain/selfservice". The setting specifies the lifetime of tokens via the exp claim that Identify returns to IdentifyMe, and IdentifyMe in turn uses that value as the lifetime of the user's login session. When a login session expires, IdentifyMe redirects the user to Identify Runtime with the prompt=login parameter, which forces the user to re-authenticate even if a valid session still exists on the Identify side.
Note: from now on, all login requests from IdentifyMe to Identify use forced authentication (that is, they do not use SSO).
The default value of the Token life time (minutes) setting is 60 minutes.
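As an added illustration (not code from this page or from Safewhere), the following Python models the two behaviours described above: the IdentifyMe session stays valid only until the exp claim of the ID token Identify issued, and once it has expired the user is sent back to Identify Runtime with prompt=login. The authorize endpoint, redirect URI and HS256 signing secret are placeholders chosen for the example; the client id reuses the connection name quoted above.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Placeholders for this example, not values from the page: the Identify Runtime
# authorize endpoint, IdentifyMe's redirect URI and a demo HS256 signing secret.
AUTHORIZE_URL = "https://identify.example.test/runtime/oauth2/authorize.idp"
CLIENT_ID = "https://tenandomain/selfservice"
REDIRECT_URI = "https://identify.example.test/selfservice/signin-oidc"
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _sign(header: str, payload: str) -> bytes:
    return hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()

def make_demo_token(issued_at: int, token_lifetime_minutes: int = 60) -> str:
    # Constructed ID token whose exp mirrors the connection's
    # "Token life time (minutes)" setting (default 60).
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": "https://identify.example.test/runtime", "aud": CLIENT_ID,
              "iat": issued_at, "exp": issued_at + token_lifetime_minutes * 60}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(header, payload))}"

def verified_claims(id_token: str) -> dict:
    # Reject tampered tokens before trusting exp; then return the payload.
    header, payload, sig = id_token.split(".")
    if not hmac.compare_digest(_sign(header, payload), _b64url_decode(sig)):
        raise ValueError("invalid token signature")
    return json.loads(_b64url_decode(payload))

def session_is_valid(id_token: str, now: int) -> bool:
    # IdentifyMe's login session ends exactly when the token's exp is reached.
    return now < int(verified_claims(id_token)["exp"])

def forced_login_url(state: str, nonce: str) -> str:
    # Redirect used after expiry: prompt=login makes Identify re-authenticate
    # the user even if Identify still holds a valid SSO session for them.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "state": state, "nonce": nonce, "prompt": "login"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"
```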
Set up IdentifyMe settings
By default, no features are enabled for IdentifyMe for the sake of security. You can enable them on the System Settings page:
You can learn more about the features controlled by the Users can reset their passwords, Users can edit their display names, Users can edit their certificates, and Users can access their profile pages settings on the User profile page. Similarly, the Manage authenticators page explains the features controlled by the Users can reset or register their WebAuthn authenticators and Allow users can register or reset their WebAuthn authenticators settings.
Example setup
The goal of this example is that users can log in to the IdentifyMe application using a local account and try all of its features, presuming that you have created the connection for the IdentifyMe application as described above, enabled all features, and have deployed a valid license file.
Note: by default, the IdentifyMe application can use the default Username & Password connection to log in, which should be used for testing purposes only. In production, it is recommended that you configure an Identity Provider option with a high level of assurance for logging in to IdentifyMe.
Create OTP connections
You can refer to this topic to create the OTP Identity Provider connections used for the T-OTP and WebAuthn authenticators. Remember to enable them for use on IdentifyMe.
- T-OTP authenticators
- WebAuthn authenticators
IdentifyMe Login
After logging in to the IdentifyMe application, you can click on one of the cards on the homepage to use: