Authentication settings
Expand the 'Authentication settings' menu to define how users connect to SES8.
Authentication mode
| Settings | Description |
|---|---|
| Local | User information is stored on SES8 |
| LDAP | Administrators do not have to create a SES8 account for each user. Users can log in with their corporate credentials over the LDAP protocol |
| SAML | Administrators do not have to create a SES8 account for each user. Users can log in with their corporate credentials over the SAML 2.0 protocol |
SAML settings
If SAML is activated, administrators can set up the following configuration for connecting SES to the SAML identity provider:
- Identity provider entry point: e.g. https://yourIdpServer.com/adfs/ls/ (entryPoint: https://yourIdpServer.com/adfs/ls/ in the config file)
- Issuer (string to supply to the identity provider): e.g. https://yourSesServer.com:3443 (issuer: https://yourSesServer.com:3443 in the config file)
- Certificates: provide in this section the paths to the required certificates and keys
  - Identity provider signature public key: path to the IdP public key, e.g. certificates/idp.cer (cert: certificates/idp.cer in the config file)
  - Service signature private key: path to the SES signature private key, e.g. certificates/sig.key (privateCert: certificates/sig.key in the config file)
  - SES decryption/encryption private key: e.g. certificates/enc.key (decryptionPvk: certificates/enc.key in the config file)
- SAML mapping: provide in this section the information used to map attributes from the SAML identity provider to SES
  - Mapping of identifier: e.g. userPrincipalName (id: userPrincipalName in the config file)
  - Mapping of given name: e.g. givenName (givenName: givenName in the config file)
  - Mapping of family name: e.g. familyName (familyName: familyName in the config file)
- Additional settings
  - Accepted clock skew: time in milliseconds of skew that is acceptable between client and server when checking the NotBefore and NotOnOrAfter assertion condition validity timestamps (acceptedClockSkewMs: 2000 in the config file)
  - Identifier format: name identifier format to request from the identity provider, e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (identifierFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress in the config file)
- Authentication context
  - Name identifier format: e.g. urn:federation:authentication:windows (authnContext in the config file)
  - Do not request a specific authentication context (disableRequestedAuthnContext: false in the config file)
  - Force re-authentication: set to true if the identity provider should force re-authentication of the user (forceAuthn: false in the config file)
  - Use form authentication after sign out: set to true to force another authentication context after a sign-out, so the user is not automatically signed in again (formAuthAfterSignout: true in the config file)
  - Name identifier format for form authentication: authentication context to use after a sign-out (authnContextAfterSignout: urn:oasis:names:tc:SAML:2.0:ac:classes:Password in the config file)
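As an added example (not SES8's own code), the following Node.js snippet assembles the config-file fragment that the settings above map onto, runs a few consistency checks a deployer would want before enabling SAML, and applies the NotBefore / NotOnOrAfter check with the configured accepted clock skew. The function names checkSamlConfig and assertionTimeValid are hypothetical; the key names and example values are the ones listed on this page.

```javascript
// Config fragment using the keys named on this page, with the page's example values.
const samlConfig = {
  entryPoint: 'https://yourIdpServer.com/adfs/ls/',
  issuer: 'https://yourSesServer.com:3443',
  cert: 'certificates/idp.cer',            // IdP signature public key
  privateCert: 'certificates/sig.key',     // SES signature private key
  decryptionPvk: 'certificates/enc.key',   // SES decryption private key
  acceptedClockSkewMs: 2000,
  identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
  authnContext: 'urn:federation:authentication:windows',
  disableRequestedAuthnContext: false,
  forceAuthn: false,
  formAuthAfterSignout: true,
  authnContextAfterSignout: 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
};

// Hypothetical consistency check: returns a list of problems (empty = fragment is usable).
function checkSamlConfig(cfg) {
  const problems = [];
  if (!/^https:\/\//.test(cfg.entryPoint || '')) {
    problems.push('entryPoint must be an https URL');
  }
  if (typeof cfg.issuer !== 'string' || cfg.issuer.length === 0) {
    problems.push('issuer must be a non-empty string');
  }
  if (!cfg.cert) {
    problems.push('cert (IdP signature public key) is required to verify assertion signatures');
  }
  if (!Number.isInteger(cfg.acceptedClockSkewMs) || cfg.acceptedClockSkewMs < 0) {
    problems.push('acceptedClockSkewMs must be a non-negative integer');
  }
  if (!(cfg.identifierFormat || '').startsWith('urn:oasis:names:tc:SAML:')) {
    problems.push('identifierFormat is not a SAML nameid-format URN');
  }
  return problems;
}

// Assertion condition check as the accepted clock skew setting describes:
// the assertion is valid when  NotBefore - skew <= now < NotOnOrAfter + skew.
function assertionTimeValid(notBefore, notOnOrAfter, now, skewMs) {
  const nb = Date.parse(notBefore);
  const noa = Date.parse(notOnOrAfter);
  const t = now.getTime();
  return t >= nb - skewMs && t < noa + skewMs;
}

module.exports = { samlConfig, checkSamlConfig, assertionTimeValid };
```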