Login settings

You can use the Login Settings page to disable or require Single Sign-On (SSO), enable or disable certificate authentication and specify client certificate requirements for end users and administrators, enable or disable dual authentication, and set the LDAP and SiteMinder authentication levels.

The following topics describe the end-user and administrator login options:

End-user login options

You can use the end-user login options to disable or require end-user Single Sign-On (SSO), enable or disable end-user certificate requirements, set the certificate requirements level, enable or disable dual authentication, and set LDAP and SiteMinder authentication levels.

Note The end-user login options Certificate per protocol, LDAP, and SiteMinder are not available on the SecureTransport Edges.

Disable or require end-user Single Sign-On (SSO)

Use the following procedure to disable or require end-user Single Sign-On (SSO).

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under End-user login options, in the SSO drop-down menu, select one of the following values:
    • Disabled - SSO will not be used.
    • Required - Redirection to the Identity Provider (IdP) will always be performed. If the authentication with the IdP fails, the login will be rejected. This setting overrides all existing HTTP(S) authentication methods for end users: Certificate for HTTPS, LDAP with HTTP(S), and SiteMinder.
    Note Requires a Transaction Manager service restart on the back-end.
    Note The SSO login option is applicable only to HTTP(S).
  4. Click Save.
Note To configure SSO, go to the Server Configuration Files edit page.

For information on editing and updating the server configuration files, refer to Single Sign-On (SSO) and Single Logout (SLO).

Configure end-user certificate requirement and level

The following table describes the settings for Client Certificate Authentication. The settings are the same for the four supported protocols: HTTPS, FTPS, SSH and PeSIT. Each protocol can be configured independently.

Option   | Description
Disabled | The server never asks for a client certificate. The server accepts only a password for client authentication.
Required | The client must present a certificate to the server during the SSL handshake. If the certificate is missing, the server rejects the connection. The SSH server accepts only a key for client authentication.
Optional | The client might have a certificate. The server asks for it during the SSL handshake, but allows the connection to proceed if the client does not present a certificate or if authentication with the presented certificate is not successful. The SSH server accepts either a password or a key for client authentication.

Use the following procedure to enable or disable end-user certificate requirements and to set the certificate requirements level.

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under End-user login options, select or deselect Certificate to enable or disable the certificate requirement for end users:
    • Disabled - No certificate is required.
    • Enabled - A certificate is always required. The login is rejected if no certificate is provided or if the provided certificate cannot be associated with an account.
  4. If Certificate is selected, the Login Settings page is displayed with the Client Certificate Settings pane visible.
  5. Under Client Certificate Settings, select one of the three options to set the client certificate requirement for each of the four protocols:
    • Disabled
    • Required
    • Optional
  6. Click Save.
Note After you modify client certificate authentication options, restart the SSH server.
Note The HTTPS Certificate option will be set to Disabled when the end-user SSO login option is set to Required.

Enable or disable end-user dual authentication

Note This option is not editable when the end-user Certificate option is set to Disabled.

Use the following procedure to enable and disable dual authentication for end-users.

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under End-user login options, select or deselect Dual authentication (certificate and password) required to enable or disable dual authentication for end users:
    • Disabled - No password is required in addition to certificate authentication.
    • Enabled - A password is required in addition to certificate authentication.
  4. Click Save.

Enable or disable LDAP

Use the following procedure to enable or disable LDAP.

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under End-user login options, in the LDAP drop-down menu, select one of the following values:
    • Disabled - LDAP will not be used.
    • Optional - SecureTransport searches the SecureTransport database before it searches the LDAP databases in the default domains. If no such user is found in either the SecureTransport or the LDAP databases, the login will be rejected.
    • Required - An LDAP user will be required. If no such user exists, the login will be rejected.
    For details, see LDAP logins.
  4. Click Save.
  5. Restart the TM Server.

You must create one or more domains before SecureTransport can use LDAP to authenticate users. For information on creating LDAP domains, refer to Create an LDAP domain.

Enable or disable SiteMinder

Use the following procedure to enable or disable SiteMinder.

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under End-user login options, in the SiteMinder drop-down menu, select one of the following values:
    • Disabled - The SiteMinder configuration will not be used.
    • Optional - The SiteMinder configuration may be used.
  4. Click Save.

You must configure SiteMinder before you can use SiteMinder to authenticate users. For information on configuring SiteMinder, refer to SiteMinder integration configuration.

Administrator login options

You can use the administrator login options to enable or disable administrator Single Sign-On (SSO) and to enable or disable administrator certificate requirements.

Enable or disable administrator Single Sign-On (SSO)

Use the following procedure to enable or disable administrator Single Sign-On (SSO).

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under Administrator login options, in the SSO drop-down menu, select one of the following values:
    • Disabled - SSO will not be used.
    • Required - Redirection to the Identity Provider (IdP) will always be performed. If the authentication with the IdP fails, the login will be rejected.
  4. Click Save.
Note When SSO is set to Required, it is recommended that Client certificates be set to Disabled. Client certificates only need to be set to Optional when Central Governance will be integrated with SecureTransport.
Note For more information on how to configure SSO for administrators, refer to Single Sign-On (SSO) and Single Logout (SLO).

For information on editing and updating the server configuration files, refer to Update server configuration files.

Configure administrator certificate requirement and level

Set the certificate settings to allow administrators to log in by using a client certificate, or to use dual authentication with both a certificate and a password. You can enable the ability to log in with a client certificate, determine whether the certificate is optional or required, select the certificate issuer, and set the certificate chain limit.

When you access the Administration Tool with client certificates enabled, you are prompted to select the certificate to use. Once the certificate is verified, you are logged in unless dual authentication is required. If certificates are optional and you do not select one, the login page is displayed. If SecureTransport cannot verify the certificate, or if certificates are required and you did not select one, a connection error is displayed and you cannot log in.

If you are unable to successfully log in when using a certificate, clear the browser's SSL state, or close the browser and try again with a new browser instance.

  1. Select Authentication > Login Settings.
  2. The Login Settings page is displayed.
  3. Under Administrator login options, select Certificate to allow administrators to log in using client certificates.
  4. The Client Certificate Settings pane and the remaining fields are displayed.
  5. Select either Optional or Mandatory in the Client certificates drop-down menu. If you select Optional, administrators do not need a certificate. If you select Mandatory, each administrator must have a client certificate set up. If certificates are required, all administrators must be mapped to a certificate, and all users must present a valid trusted certificate to gain access to the login page.
  6. Select one of the following choices from the Accept certificates issued by drop-down menu:
    • internal issuer only – The certificate must be issued by the internal CA. See Manage the internal CA.
    • any trusted issuer – The certificate must be issued by a CA that is trusted by one of the CAs listed as a trusted CA. See Manage trusted CAs.
    • issuer file or path – The certificate must be issued by a CA whose certificate is in a file you specify.
  7. If you select issuer file or path, the following fields are displayed:
    • A field that you use to specify the location of the PEM-encoded (.pem) certificate file, or of a directory that contains the PEM-encoded files. You can type either fully qualified file or path names, or file or path names relative to <FILEDRIVEHOME>. Do not put the PEM-encoded files in the keystore directory, <FILEDRIVEHOME>/lib/certs/issuers, because the certificates in that directory are regenerated from the database when the servers start.
    • A Limit certificate chain depth to field. Type the maximum number of levels that SecureTransport follows when validating the certificate up to a trusted root. For example, if you set the chain depth to 1, only a certificate issued directly by a trusted root is allowed, and a certificate issued by an intermediate CA is rejected.
  8. Click Save.
  9. Restart the Administration Tool server using the stop_admin and start_admin commands. If you are running on Windows, you can also use the Services console to restart the admin service.
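The chain depth rule from step 7, as an added example that is not part of the SecureTransport documentation: it builds a constructed demo PKI (a root CA, an intermediate CA, and the user certificates "alice" issued by the root and "bob" issued by the intermediate) with Go's standard crypto/x509, counts the issuer levels of the validated chain, and applies the limit. The function and certificate names are made up for the example; the only assumption taken from the page is that a limit of 1 accepts only certificates issued directly by a trusted root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey; a nil parent yields a self-signed root CA.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // constructed demo PKI, random serial
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainDepth validates leaf against root (using inter to complete the chain if needed) and returns the issuer levels traversed; 1 = issued directly by the root.
func chainDepth(leaf, root, inter *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]) - 1, nil // the chain includes the leaf itself, so subtract it
}
// demo builds root -> intermediate -> users and applies the "Limit certificate chain depth to" rule to alice (root-issued) and bob (intermediate-issued).
func demo(maxDepth int) (direct, viaIntermediate bool) {
	root, rootKey := issue("Demo Root CA", true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", true, root, rootKey)
	alice, _ := issue("alice", false, root, rootKey)
	bob, _ := issue("bob", false, inter, interKey)
	da, ea := chainDepth(alice, root, inter)
	db, eb := chainDepth(bob, root, inter)
	return ea == nil && da <= maxDepth, eb == nil && db <= maxDepth
}
```

With a limit of 1, demo(1) accepts alice and rejects bob; with a limit of 2, demo(2) accepts both.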

If you choose to use certificates for administrator logins, a Certificate DN field is displayed in the New Administrator and Edit Administrator pages, where you must provide the certificate DN information. For more information, see Add an administrator account.

Note The Client Certificate Settings option will be set to Disabled when the administrator SSO login option is set to Required.
