Add/Edit Provider

This drawer allows you to add or edit authentication providers that users will be authenticated to.

Use this drawer for Configuring Authentication Providers and Configuring SAML Authentication.

How to Get There

  1. In the Core Menu, click Security

  2. Click Providers.

  3. Click Add Provider to add a new authentication provider.

    or

    Click The Show Actions button Show Actions next to any existing authentication provider and click Edit.

Fields

Name
This is the name of the authentication method.
Authentication Method
Before any of your users can log on to Fortra Application Hub, you must specify how to authenticate users. If authentication is not set up or the authentication server is down, only the 'Admin' user will be able to log in to Fortra Application Hub.

Fortra Applcation Hub Authentication allows you to authenticate users to the Fortra Application Hub server itself. Use the parameters to establish criteria for the creation of users.

The following fields are used to set password rules for users being authenticated using Fortra Application Hub authentication:

Time-Based One-Time passwords
Toggle this On to use time-based one-time passwords to increase security for users logging in to Fortra Application Hub. See Configuring Time-Based One-Time passwords for more information.
Authenticator App Display Name
The name shown in the authenticator app to identify Fortra Application Hub. This field is only used if Time-Based One-Time passwords is toggled On.
Required Minimum Password Length
The minimum length the user password can be.
Required Minimum Amount of Upper Case Letters
The minimum number of upper case letters that the user password must have.
Required Minimum Amount of Lower Case Letters
The minimum number of lower case letters that the user password must have.
Required Minimum Amount of Numbers
The minimum number of numbers that the user password must have.
Required Minimum Amount of Special Characters
The minimum number of special characters that the user password must have.
Special Characters Allowed
The individual special characters that are allowed to be used in the user password.

The following fields are used to configure LDAP Authentication:

Create new users on successful first-time log in
Toggle this to On to automatically create users when they log in to Fortra Application Hub for the first time. The user must exist in LDAP.
Time-Based One-Time passwords
Toggle this On to use time-based one-time passwords to increase security for users logging in to Fortra Application Hub. This option is available to use with Fortra Application Hub and LDAP authentication types. See Configuring Time-Based One-Time passwords for more information.
Authenticator App Display Name
The name shown in the authenticator app to identify Fortra Application Hub. This field is only used if Time-Based One-Time passwords is toggled On.
LDAP Host
The name or address of the LDAP Host server.
NOTE:

  • These settings are specific to the Fortra Application Hub module, and do not pertain to Access Authenticator's LDAP settings configured on Access Authenticator's LDAP Settings page.

  • LDAP authentication can be used with Active Directory.
LDAP Port
The LDAP Port used by the LDAP server.
Use SSL with LDAP; Off • On
Switch Use SSL with LDAP to On if a secure sockets layer (SSL) is used with your LDAP server. If your LDAP uses a certificate that is not from a known trusted authority, you must first import the root certificate from the LDAP Host. See To import the root certificate from the LDAP Host.
LDAP Administrator
The administrator must be able to read the LDAP tree.
NOTE: Distinguished Name format is acceptable. For more on Distinguished Names, go to the Microsoft Developer Network website.
Administrator Password • Confirm Password
The password for the specified LDAP administrator.
Default Context
The location to search for users in Distinguished Name format.
User ID Field Name
The Attribute Name to search in for the username.
LDAP Field to Match
The value that matches the "samaccountname" listed for the user on the LDAP server.
Validate LDAP Connection
Use this option to test the information entered above.

The following fields are used to configure IBM i authentication:

Time-Based One-Time passwords
Toggle this On to use time-based one-time passwords to increase security for users logging in to Fortra Application Hub. This option is available to use with Fortra Application Hub and LDAP authentication types. See Configuring Time-Based One-Time passwords for more information.
Address
The name or ip address of the IBM i server you intend to use for authentication.
Use TLS
Toggle this On to use TLS security to encrypt the connection.

Fortra Application Hub allows you to authenticate users against a 3rd party SAML identity provider. Users can be authenticated using Okta, Ping Identity, and Cisco DUO. See Configuring SAML Authentication for additional instructions.

The following fields are used to connect the SAML 3rd party identity provider to Fortra Application Hub. The information for the Identity Provider fields can be found directly from the Okta, Ping Identity, and Cisco DUO setup. See Configuring SAML Authentication for more information.

Identity Provider
Import Metadata
Fortra Application Hub can import the Identity Provider settings, including the Identity Provider certificate, from a SAML Metadata XML file.This option populates all Identity Provider fields, except server time offset. It also includes NameID field under User.
Import/Replace Certificate
The Identity Provider certificate can be imported or replaced here. It is imported with metadata, but can be added ma+nually or replaced.
Entity ID
The ID given to the Identity Provider as the trusted ID.
Binding
The protocol method for the identity provider.

  • HTTP POST: Posts a form that contains the message body.

  • HTTP Redirect: Sends the message body as query parameters

Post URL
The URL used to post authentication requests to. This is only needed if the binding selected is HTTP POST.
Redirect URL
The URL used to send the message body as query parameters. This is only needed if the binding selected is HTTP Redirect.
Server Time Offset
If the Identity Provider and Fortra Application Hub system time are not in sync, you can specify a time offset which will be applied to the assertion's time window (in seconds). This is sometimes necessary when the Identity Provider is not within the same network as Fortra Application Hub and you cannot control the servers time.
Service Provider
Entity ID
The ID given to Fortra Application Hub as the trusted ID. Typically this is the host name defined for Fortra Application Hub (similar to the Site URL). This must match what is put into the Identity Provider setup.
Name Qualifier
The Affiliation ID sent with the AuthnRequest. If the field is left empty, the Name Qualifier is omitted from the AuthnRequest.
Import/Generate Private Key
The Private Key can be imported or generated here.
Require Signed Response
Determines if Fortra Application Hub requires the response to be signed. Typically the response is signed to establish trust between the Identity Provider and Fortra Application Hub.
Require Signed Assertion
Determines if Fortra Application Hub requires the assertion to be signed when it is received. Typically the assertion is signed to establish trust between the Identity Provider and Fortra Application Hub.
Require Encrypted Assertion
Determines if Fortra Application Hub requires the assertion to be encrypted when it is received. Typically the assertion is encrypted when SSL is not used for communication between Fortra Application Hub and Identity Provider.
Force Authentication
When enabled, the identity provider must authenticate the presenter directly, rather than rely on a previous security context.
Authentication Comparison
Specifies the method of comparison used to evaluate the requested Authentication Context. Accepted values include:

  • Exact: The authentication context statement in the assertion must be the exact match of the authentication context specified.

  • Minimum (default): The authentication context statement in the assertion must be, at least, as strong (as deemed by the identity provider) as the authentication context specified.

  • Maximum: The authentication context statement in the assertion must be no stronger than the authentication context specified.

  • Better: The authentication context statement in the assertion must be stronger than the authentication context specified.

Authentication Context
The mechanism for which the Service Provider is asking the Identity Provider to perform authentication.
SSO Response URL
Displays the URL where the Identity Provider posts assertions to.
Logout Redirect URL
The alternate URL to forward the user to when they log out of Fortra Application Hub. By default, Fortra Application Hub directs a user to the login page when they log out.
Export Metadata
Creates an XML file containing the Service Provider settings that can be imported to your Identity Provider.
User
NameID Format
The format of the NameID element within the SAML response. Fortra Application Hub will validate the NameID format before authenticating the SAML assertion. Fortra Application Hub supports the following SAML Core V2.0.
Username Location
Select either NameID or Attribute where the user name is found.
Attribute Name
The attribute name within the assertion XML that identifies the username. This field is only available if Username Location is set to Attribute.
Parse Username Value
When enabled, the value retrieved from the assertion can be parsed using a regular expression pattern.
Username Pattern
Specify a regular expression to parse a username value from the attribute. This value is only needed if Parse Username Value is enabled.