Setup IdentifyMe

Introduction

This topic describes how to set up and try IdentifyMe out.

How to apply license file

You need to have a license file that allows you to use IdentifyMe's features. In this example, the license file covers IdentifyMe and IdentifyMe reset password features.

identify-license2.png

For each Identify instance, you must acquire a license file from Safewhere. You then need to drop the license file into the bin folders of your newly created Identify instance. Given that you install Identify installer at the default directory C:\Program Files\Safewhere\ , you need to put the license file to:

  • C:\Program Files\Safewhere\Tenants[your_tenant]\admin\bin
  • C:\Program Files\Safewhere\Tenants[your_tenant]\runtime\bin
  • C:\Program Files\Safewhere\Tenants[your_tenant]\selfservice

The license can also be put in the C:\Windows\System32 folder.

Set up IdentifyMe connection

To configure the necessary resources for IdentifyMe, start by clicking the "CONFIGURE" button.

Identifyme-create-connection.png

Once configured, a message will appear confirming that each resource was successfully created.

setup_identifyme_resources_new.png

If any required resources have already been set up, Safewhere Admin will detect and skip these existing resources, only creating the ones that haven't been configured yet.

setup_identifyme_resources_exists.png

After that, you can access https://[IDENTIFY_DOMAIN_NAME]/selfservice to use the IdentifyMe application.

identifMe-url.png

Session lifetime setting

All actions on IdentifyMe such as resetting passwords, resetting or onboarding WebAuthn and T-OTP authenticators, uploading certificates, and updating user profiles are security critical. Every time a user logs in to IdentifyMe, a login session is established. According to OWASP:

The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring.

You can control IdentifyMe's session lifetime by using the Token life time (minutes) setting of the IdentifyMe's OIDC connection named "https://tenandomain/selfservice". The setting specifies lifetime of tokens via the exp claim that Identify returns to IdentifyMe, which IdentifyMe then uses to specify the lifetime of users' login sessions. When a login session expires, IdentifyMe redirects a user to Identify Runtime with the prompt=login parameter to force the user to re-authenticate even if there is an existing valid session on the Identify side.

Note: All login requests from IdentifyMe to Identify are forced authentication (aka not use SSO) from now on.

The default value of the Token life time (minutes) setting is 60 minutes.

session-timeout-setting.png

Set up IdentifyMe settings

By default, no features are enabled for IdentifyMe for the sake of security. You can enable them on the System Settings page:

identifyMe-settings.png

You can learn more about the features that are controlled by the Users can reset their passwords, Users can edit their display names, Users can edit their certificates, and Users can access their profile pages at the User profile page. Similarly, the Manage authenticators page explains the features that the Users can reset or register their WebAuthn authenticators and the Allow users can register or reset their WebAuthn authenticators settings control.

Example setup

The goal of this example is that users can log in to the IdentifyMe application using a local account and try all of its features, presuming that you have created the connection for the IdentifyMe application as described above, enabled all features, and have deployed a valid license file.

Note: by default, the IdentifyMe application can use the default Username & Password connection to log in which should be used for testing purposes only. In reality, it is recommended that you configure an Identity Provider option with a high level of assurance to log in to IdentifyMe.

Create OTP connections

You can refer to this topic to create OTP Identity Provider connections used for T-OTP authenticator and WebAuthn authenticator. Remember to enable them to be used on IdentifyMe.

  • T-OTP authenticators

TOTP-enable.png

  • WebAuthn authenticators

webauthn-enable.png

IdentifyMe Login

After logging in to the IdentifyMe application, you can click on one of the cards on the homepage to use:

totp-authenticator-homepage.png