RapidIdentity Product Guide

Settings

The Configuration > General > Settings menu allows administrators to configure global RapidIdentity settings for the RapidIdentity System, its file migration, and proxy settings. This interface is broken up into the subcategories described below.

General

The Configuration > General > Settings > General page provides high-level system information and Maintenance Mode settings.

Settings_-_General.png
Table 55. General Settings

Field Name

Description

Enable SSL Uploads

When checked, uploads must use strong (SSL/TLS) encryption. Leave this checked unless there is a specific reason to uncheck it; unchecking it weakens the security of uploads.

Google Analytics Account Number

The Google Analytics Account Number can be used to provide information about visits to RapidIdentity browser pages to your Google Analytics account once you specify your Google Analytics Tracking Code.

Icon Proxy URL

This URL specifies a caching proxy that can be used to fetch icons stored on the selected file storage. This is primarily to boost poor S3 performance by fronting it with Amazon CloudFront.

Note

If the CloudFront distribution points to the S3 bucket being used by the idauto cluster, then the proxy URL must include the path to the icons folder and not just the root of the bucket.

Note

If the icons need to be made publicly accessible in S3, either by marking each one individually or by adding a bucket policy, then the necessary information will be similar to what is shown below:

S3_Public_Access_Settings.png

Warning

Do not make your entire bucket publicly accessible or grant the CloudFront distribution full access as that would make all of your RapidIdentity file data publicly accessible!

Enable Maintenance Mode

This puts the RapidIdentity appliance/cluster in maintenance mode, which locks out non-administrative actions. Maintenance is generally a read-only mode as well, meaning that operations which update the state of RapidIdentity are not allowed.

Note

After enabling Maintenance Mode, navigate to your normal URL with /ui/configuration or /login appended in order to log back in to the server.

System Maintenance

This message is displayed to users when RapidIdentity is in Maintenance Mode. This message can be edited once Maintenance Mode is enabled.
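As an added example (not from this guide or the product), this Python check applies the bucket warning above to an S3 bucket policy: it reports any Allow statement whose resource is wider than the icons prefix or that grants more than read access. The bucket name, the icons/ prefix and both sample policies are constructed placeholders.

```python
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    # Policy documents allow a single string wherever a list is valid
    return value if isinstance(value, list) else [value]


def check_icon_policy(policy: Dict[str, Any], bucket: str,
                      icons_prefix: str = "icons/") -> List[str]:
    """Return a finding for every Allow statement that reaches beyond read
    access to the icons prefix. 'bucket' and 'icons_prefix' are assumed
    values for this example; the guide names neither."""
    allowed_base = f"arn:aws:s3:::{bucket}/{icons_prefix}"
    findings: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if any(a in ("*", "s3:*") or not a.startswith("s3:get")
               for a in actions):
            findings.append(f"statement {i}: actions {actions} go beyond read")
        for res in _as_list(st.get("Resource", [])):
            # Bucket-level ARNs (e.g. for ListBucket) and '/*' are both wider
            if not res.startswith(allowed_base):
                findings.append(
                    f"statement {i}: resource {res!r} is wider than {allowed_base!r}")
    return findings


# Constructed policies with a placeholder bucket. Principal '*' is what a
# public-read grant looks like, which is why its Resource must stay narrow.
WHOLE_BUCKET_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"}],
}
ICONS_ONLY_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/icons/*"}],
}
```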



Module Access Control

Historically, RapidIdentity supported defining access control for each module (e.g., Files, Dashboard, Requests) at the modular level. For example, if an Administrator wanted the Files module to be accessible only to specific users, the configuration would be completed within the Files Module settings. The Module Access Control feature adds a central configuration option for the access controls of the individual modules.

Note

If Access Controls are set to None, all active and enabled users across the system will have access to that module. Some users will still have restricted module access based on built-in Role definitions.

In RapidIdentity 2020.0.0, a new configuration and usability feature was added to enable administrators to manage the access control for all modules in a central location instead of having to navigate to each individual module's Settings menu.

Note

This module provides a safeguard for the rare occasions when an administrator can be locked out of a module completely. The Backup Administrator user can now fix that issue from this menu. Contact Identity Automation Support for more information on the Backup Administrator.

The module access control configurations between this menu and individual module settings are synchronized, and both point to the same database configuration. Any changes completed in this menu will be reflected at the individual module level, and any changes completed at the individual module level will be reflected here.

Module_Access_Control.png

The Module Access Control configuration has four display fields:

Table 56. Module Access Control Menu Fields

Field

Description

Module

Portal module that access controls are being applied to

Access Control

Choose whether to use Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) for this module.

Roles

If RBAC access control method was chosen, the name of the Role(s) will be displayed here

Filter

If ABAC access control method was chosen, the LDAP filter will be displayed here



Assets

The Configuration > General > Settings > Assets menu provides a place for an administrator to choose whether assets are loaded from the cloud and whether gzipped (compressed) assets may be requested. These settings are managed by the backend RapidIdentity team and are automatically configured for each release.

Enabling Load Assets from the Cloud significantly reduces the load on a RapidIdentity server in a high-traffic environment: the browser sends its JavaScript and CSS file requests to an AWS CloudFront distribution instead of the RapidIdentity server having to process those requests and carry the data traffic.

Choosing Disable Compressed Assets forces the server to instruct all browsers to request uncompressed assets, for situations where compressed assets are causing problems within the production environment.

Assets.jpg
Authentication

The Configuration > General > Settings > Authentication menu is a place for administrators to customize authentication variables and control the built-in administrator account.

Gen_-_Set_-Authentication.jpg
Table 57. Authentication

Field

Description

Authenticated Session Timeout (min)

The maximum number of minutes that an inactive session will remain valid. After the specified number of minutes, the user must re-authenticate.

Authentication Token Cookie Expiration (seconds)

This setting ensures that the authentication token cookie, which is issued after the user authenticates against the LDAP server, does not expire prematurely based on the time settings used by the workstation browser and the RapidIdentity Portal server. Browsers using modern cookie standards should use the default setting of 10 seconds.

Browsers that do not use modern cookie standards may experience an infinite redirect loop because the workstation browser and the RapidIdentity Portal server will not be synchronized. If this scenario is observed, increase the expiration time until the infinite redirect loop is closed. The time limit is configurable up to 1800 seconds.

Enable Built-in Admin Account

This enables/disables use of the internal Backup Administrator account. If this account is disabled and an invalid LDAP configuration is specified, it may become impossible for users, including administrators, to log in to RapidIdentity Portal. To safeguard against this possibility, it is recommended that the default password for this account be changed and the account left in an enabled state.

Built-in Admin Account Password

This field displays when the built-in Admin account is enabled and the Update Password button is clicked. The provided password is used for authenticating the Backup Administrator account. Contact Identity Automation Support for more information.  It is strongly recommended that this password is changed immediately upon installation.



CORS Configuration

Global CORS configuration for all RapidIdentity instances is stored in the database. These properties only need to be defined in rapididentity.properties if this particular instance of RapidIdentity needs to be configured differently from other instances. If these are defined, they take precedence over those defined globally in the database.

For each of the sections, the default values have been set. To add a new value to a section, simply click the Add button and enter the new desired value into the resulting field. To remove a value, simply click the X next to it.

Allowed Methods

The Allowed Methods section lists HTTP request methods that can be used to access resources using cross-origin requests, and defines the methods to be included in the Access-Control-Allow-Methods header in pre-flight responses.

Default Values: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS

CORS_-_Allowed_Methods.png
Allowed Headers

The Allowed Headers section lists HTTP request headers that can be used when making cross-origin requests. These headers will also be returned in the Access-Control-Allow-Headers header in pre-flight responses.

Default Values: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, idauto.debug, X-idauto-debug, Authorization

CORS_-_Allowed_Headers.png
Allowed Origins

The Allowed Origins section lists all origins allowed to access resources on the server using cross-origin requests. A value of * indicates that resources are allowed to be accessed from any origin.

Note

* is not secure; Identity Automation recommends including an accurate domain value during initial configuration. If other values are added, make sure to remove the * value from the list; otherwise, it will override any non-* values and they will not save as expected.

Note

If configuring RapidIdentity for SAML authentication against an Identity Provider in a different domain, that domain may need to be added as an Allowed Origin. The Allowed Origin value should be formatted as https://identity_provider_domain.

Default Value: *

CORS_-_Allowed_Origins.png
Exposed Headers

The Exposed Headers section lists all headers other than simple response headers that browsers will be allowed to access. These are the headers which will be included in the Access-Control-Expose-Headers header in pre-flight responses.

Default Value: [blank]

CORS_-_Exposed_Headers.png
Max Age (seconds)

The Max Age subsection defines the number of seconds a browser is allowed to cache the result of a pre-flight request. This will be included as the Access-Control-Max-Age header in pre-flight responses. A negative value will prevent the header from being included in pre-flight responses.

Default Value: 1800

CORS_-_Max_Age.png
Custom crossdomain.xml

A cross-domain policy file is an XML document that grants a Flash Player client permission to handle data across domains. More information on crossdomain.xml files is available here. To populate this subsection, simply cut and paste the code for the desired cross-domain policy .xml file.

Note

The default crossdomain.xml file served by the RapidIdentity server is constructed from the rest of the CORS configuration as described above. A custom crossdomain.xml value should only be required if the default is not sufficient.

The default crossdomain.xml file can be accessed in a browser at https://[rapididentity_domain]/crossdomain.xml.

Default Value: [blank]

CORS_-_Custom_crossdomain_xml.png

When each subsection has been populated as desired, click Save.
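As an added example (not the product's code or part of this guide), the following Python models the CORS sections above and builds a pre-flight response from them: the documented defaults, the Max-Age header omitted for a negative value, and a lint for the '*' mistakes the notes describe. Echoing the request origin when '*' is not configured and the scheme://host format check are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsConfig:
    """Constructed model of the CORS sections; defaults are the documented ones."""
    allowed_methods: List[str] = field(default_factory=lambda: [
        "GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"])
    allowed_headers: List[str] = field(default_factory=lambda: [
        "Origin", "Accept", "X-Requested-With", "Content-Type",
        "Access-Control-Request-Method", "Access-Control-Request-Headers",
        "idauto.debug", "X-idauto-debug", "Authorization"])
    allowed_origins: List[str] = field(default_factory=lambda: ["*"])
    exposed_headers: List[str] = field(default_factory=list)
    max_age: int = 1800


def origin_allowed(cfg: CorsConfig, origin: str) -> bool:
    """'*' matches any origin; otherwise Origin must equal a listed value."""
    return "*" in cfg.allowed_origins or origin in cfg.allowed_origins


def preflight_headers(cfg: CorsConfig, origin: str, request_method: str,
                      request_headers: List[str]) -> Optional[Dict[str, str]]:
    """Build pre-flight (OPTIONS) response headers for one request, or return
    None when the origin, the method or a requested header is not allowed."""
    if not origin_allowed(cfg, origin):
        return None
    if request_method.upper() not in cfg.allowed_methods:
        return None
    lower_allowed = {h.lower() for h in cfg.allowed_headers}
    if any(h.lower() not in lower_allowed for h in request_headers):
        return None
    hdrs = {
        # Assumption: '*' is sent literally, otherwise the request origin is echoed
        "Access-Control-Allow-Origin": "*" if "*" in cfg.allowed_origins else origin,
        "Access-Control-Allow-Methods": ", ".join(cfg.allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(cfg.allowed_headers),
    }
    if cfg.exposed_headers:
        hdrs["Access-Control-Expose-Headers"] = ", ".join(cfg.exposed_headers)
    if cfg.max_age >= 0:  # a negative Max Age omits the header entirely
        hdrs["Access-Control-Max-Age"] = str(cfg.max_age)
    return hdrs


ORIGIN_FORMAT = re.compile(r"^https?://[^/\s]+$")  # scheme://host[:port], no path


def lint_allowed_origins(cfg: CorsConfig) -> List[str]:
    """Flag the mistakes the notes warn about: leaving '*' in place, mixing
    '*' with real origins (it overrides them), and malformed origin values."""
    problems = []
    if "*" in cfg.allowed_origins:
        problems.append("'*' allows any origin; replace it with your domain(s)")
        if len(cfg.allowed_origins) > 1:
            problems.append("'*' overrides the other listed origins; remove it")
    for value in cfg.allowed_origins:
        if value != "*" and not ORIGIN_FORMAT.match(value):
            problems.append(f"{value!r} should be scheme://host, e.g. https://idp.example.org")
    return problems
```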

Web Security

The Web Security Configuration menu provides administrators with a powerful interface to configure and define various levels of security for their domains. There are three configuration tabs in this menu:

XFrame Options

The XFrame Options menu is used to define whether or not a browser should be allowed to render a page in a frame. This adds a layer of security ensuring that the content is not embedded in other sites.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only enforced if the user accessing the content is using a browser that supports the X-Frame-Options HTTP header.

When the Header Enabled checkbox is activated, the Header Rules become modifiable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag up or down within the list.

Drag_to_Reorder.png

For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, then the server's response will contain the X-Frame-Options header value defined for that path. RapidIdentity ships with some defaults already set for base functionality.

Web_Security_XFrame_Main.png

The default RapidIdentity settings define XFrame Options Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added if desired.

Add a New Rule

To add a new rule, scroll down to beneath each of the configured rules and click Add new rule +. Include a new Path Regex and Value.

Add_new_Rule.png
New_Rule_Blank_Box.png

Path Regex is a regular expression matched against the request URL path; the rule applies to requests whose path matches it.

Value is a choice of three options to define what the browser does with the content found through the Path Regex.

  • SAMEORIGIN: The page will be displayed in a frame on the same origin as the page itself.

  • DENY: The page will not be displayed in a frame.

  • ALLOW-FROM <uri>: The page will be displayed in a frame on the specified origin. Example: allow-from https://www.example.com.

Content Security Policy

The Content Security Policy, or CSP, adds an extra layer of security against attacks such as Cross-Site Scripting or data injection attacks.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only enforced if the user accessing the content is using a browser that supports the Content-Security-Policy HTTP header.

When the Header Enabled checkbox is activated, the Header Rules become editable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag up or down within the list.

Drag_to_Reorder.png

For each rule, define a Path Regex (Path Regular Expression) and provide it with one or more Values. (This is the only header option that accepts multiple values.) Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Content-Security-Policy header values defined for that path. RapidIdentity ships with some defaults already set for base functionality.

Web_Security_Content_Security_Main.png

The default RapidIdentity settings define Content Security Policy Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added as desired. New values may also be added to existing rules by clicking Add within the rule box and adding a new value for that rule.

Note

Once the value is typed in, press the Enter key or click the + on the right to commit the value to the rule.

Add_New_Value.png
Add_New_Value_2.png
Add New Rule

To add a new rule, scroll down to beneath each of the configured rules and click Add new rule +. Include a new Path Regex and Value.

Add_new_Rule.png
New_Rule_Blank_Box.png

Path Regex is a regular expression matched against the request URL path; the rule applies to requests whose path matches it.

Value is a choice of options to define the source for the determined policy. This can be one of the following:

  • <host-source>: Internet hosts by name or IP address. May include a URL scheme and/or port number if desired. Asterisks may be used as wild cards for leading URLs or defining ports. Examples of this source include http://*.example.com, mail.example.com:443, https://store.example.com, etc.

  • <scheme-source>: A scheme such as http: or https:. The colon is required, and the scheme should not be quoted. Data schemes can be specified, but this is not recommended.

  • 'self': This refers to the origin from which the protected content is being served, which includes the URL scheme and port number. Single quotes must be included.

    Note

    This setting is recommended for any custom Help links to avoid redirect errors.

  • 'none': No URLs will match. Single quotes must be included.

Strict Transport Security

The Strict Transport Security settings instruct web browsers that the content should only be accessed using HTTPS instead of HTTP.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only provided if the user accessing the content is using a browser that supports this feature.

When the Header Enabled checkbox is activated, the Header Rules become modifiable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag up or down within the list.

Drag_to_Reorder.png

For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Strict-Transport-Security header value defined for that path.

Strict_Transport_Security.png

The default RapidIdentity settings do not define any Strict Transport Security Header Rules, allowing browsers to access each portion of the domain via HTTP. To modify the existing rule or add a new one, click the Header Enabled checkbox at the top of the menu and provide a value for the existing rule or add a new rule.

Add a New Rule

To add a new rule, scroll down to beneath the configured rules and click Add new rule +. Include a Path Regex and Value.

Add_new_Rule.png
New_Rule_Blank_Box.png

Path Regex is a regular expression matched against the request URL path; the rule applies to requests whose path matches it.

Value is a choice of directives to provide the browser with instructions regarding the content found through the Path Regex. Directives include:

  • max-age=<expire-time>: Defines the number of seconds that the browser should remember to only access the site via HTTPS.

  • includeSubDomains: An optional parameter that applies to all of the site's subdomains as well.

  • preload: An optional parameter indicating that the site is to be included in the various browsers' HTTP Strict Transport Security (HSTS) Preload Lists.
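As an added example covering the XFrame Options, Content Security Policy and Strict Transport Security rules above (not the product's code or shipped defaults), this Python evaluates ordered Path Regex rules top to bottom, emits each header only when its Header Enabled checkbox is on, and flags rules that sit unreachably after a catch-all. The rule sets, the way several CSP values are joined into one directive, and the header-enabled keys are this example's assumptions.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# A rule is (path_regex, values); rules are evaluated top to bottom and the
# first Path Regex that matches the request path wins.
Rule = Tuple[str, Sequence[str]]


def first_match(rules: Sequence[Rule], path: str) -> Optional[Sequence[str]]:
    for pattern, values in rules:
        if re.match(pattern, path):  # anchored at the start of the path
            return values
    return None


def unreachable_after_catch_all(rules: Sequence[Rule]) -> List[str]:
    """Return the Path Regex of every rule placed after a '.*' catch-all;
    such rules can never match, which is the ordering mistake to avoid."""
    dead, seen_catch_all = [], False
    for pattern, _ in rules:
        if seen_catch_all:
            dead.append(pattern)
        if pattern in (".*", "^.*", "^.*$", ".*$"):
            seen_catch_all = True
    return dead


def csp_header(values: Sequence[str], directive: str = "default-src") -> str:
    # Assumption: the multiple values of a CSP rule form one directive
    return f"{directive} {' '.join(values)}"


def security_headers(path: str, xframe_rules: Sequence[Rule],
                     csp_rules: Sequence[Rule], hsts_rules: Sequence[Rule],
                     header_enabled: Dict[str, bool]) -> Dict[str, str]:
    """Compute the three headers for one request path; each is emitted only
    when its Header Enabled checkbox is on and some rule matches."""
    out: Dict[str, str] = {}
    if header_enabled.get("xframe"):
        v = first_match(xframe_rules, path)
        if v:
            # ALLOW-FROM is listed above but current browsers no longer honour
            # it; CSP's frame-ancestors directive covers that case instead.
            out["X-Frame-Options"] = v[0]
    if header_enabled.get("csp"):
        v = first_match(csp_rules, path)
        if v:
            out["Content-Security-Policy"] = csp_header(v)
    if header_enabled.get("hsts"):
        v = first_match(hsts_rules, path)
        if v:
            out["Strict-Transport-Security"] = "; ".join(v)
    return out


# Constructed rule sets (not the product's shipped defaults): self-service
# pages may be framed by the same origin, everything else is denied.
XFRAME = [(r"^/ui/claim", ["SAMEORIGIN"]), (r"^/ui/forgot", ["SAMEORIGIN"]),
          (r".*", ["DENY"])]
CSP = [(r"^/ui/", ["'self'", "https://cdn.example.org"]), (r".*", ["'none'"])]
HSTS = [(r".*", ["max-age=31536000", "includeSubDomains"])]
```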

File Storage
Individual Appliances

The Configuration > General > Settings > File Storage subsection localizes File Storage options for the following storage destinations:

  • Individual Appliances

  • CIFS file stores

  • S3 file stores

This allows the file storage used by RapidIdentity Portal and RapidIdentity Connect to be located somewhere other than the individual appliances, including CIFS and Amazon Web Services (AWS) S3.

To use file storage other than on individual appliances, click the field next to File Storage and choose the storage destination to be configured. Individual Appliances is the default.

This is important when you have a cluster of either application so that all instances of the application will have access to the same set of files. The migration process wipes out any existing files on the destination file store.

File_Management_Main.jpg
CIFS File Stores
  • CIFS is the protocol used by Windows File Sharing and Samba. It is usually the best protocol to use for clusters running outside of AWS.

  • Set the Path and access credentials in this section so that the cluster members can access the share.

File_Management_CIFS.jpg
S3
  • AWS S3 is a cloud storage platform that provides extremely high availability. It should generally only be used for clusters hosted in AWS.

    Note

    The Bucket Name for a Region/Endpoint must include the full endpoint URL to function as expected. For example, us-north-1 for an endpoint would not work; you would need to enter s3.us-north-1.domain.com for this setting to save successfully.

  • Even within AWS, you will generally get much better performance with CIFS than with S3, with the trade-off being between high-availability vs performance.

  • AWS IAM Instance Profiles are supported; the permissions of the associated role are granted to instances when they start. To leverage them, check the Use Instance IAM Role box. When it is checked, the AWS access and secret credentials are hidden from users in the user interface. Because Instance Profile credentials are temporary and rotated by Amazon, organizations no longer need to manage instance credentials themselves.

File_Management_S3.jpg
Local File Server Configuration

RapidIdentity administrators can install an SMB Local File Server through the Command Line Interface.

After installation, the CLI Connection Info menu option displays the UNC Path and Username, which can be added to the CIFS File Storage as shown below.

The password for the CIFS Local File Server File Storage is the password that was defined during the Local File Server installation process, or the password can be changed when configuring the CIFS File Storage. Click the Update Password button to activate the field where this password can be changed.

Migrate Files

The Configuration > General > Settings > Migrate Files menu gives administrators a way to move files from one file storage location to another.

Migrate_Files.png
Table 58. Migrate Files

Field Name

Description

From

Click the drop-down box and scroll to the file source to migrate.

To

Click the drop-down box and scroll to select the destination for the migrated files.



Proxies

The Configuration > General > Settings > Proxies menu is a simple way to add trusted proxies to the system.

Proxies.jpg
Table 59. Proxies

Field Name

Description

Trusted Proxies (load balancer)

IP addresses and DNS names can be added here. Once saved, the first non-trusted IP address in the X-Forwarded-For HTTP header is assumed to be the client's IP address. Trusted proxies are useful when more than one load balancer or proxy is possible in between a client and the RapidIdentity Federation server.
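As an added example (not the product's code), this Python shows how a trusted-proxy list is used to pick the client address from X-Forwarded-For: it walks the header from right to left, skipping every hop that is a trusted proxy, and takes the first non-trusted hop, so that addresses a client may have prepended itself are never trusted. Accepting CIDR blocks, skipping DNS names instead of resolving them, and ignoring the header entirely when the connecting peer is not trusted are this example's own choices.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted(entries: Iterable[str]) -> List[Net]:
    """Accept single addresses or CIDR blocks. DNS names (which the guide
    also allows) would need resolving; this example simply skips them."""
    nets: List[Net] = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # not an address or block: treat as a DNS name, skipped
    return nets


def is_trusted(addr: str, trusted: List[Net]) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed hop values are never trusted
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, xff: Optional[str], trusted: List[Net]) -> str:
    """Walk from the connecting peer back through X-Forwarded-For, right to
    left, skipping trusted proxies; the first non-trusted hop is the client.
    If the peer itself is not a trusted proxy, X-Forwarded-For is ignored,
    because anything in it could have been written by the client."""
    if not is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was a trusted proxy (or the header was empty): use the peer
    return peer_addr
```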