Configuring authenticated enrollment

Apart from configuring authenticated enrollment using the basic mode, two other options are available: LDAP or SAML. LDAP authentication is identical to what is supported by the Trusted Service Provider (TSP) and can be run in either "password" or "pin" mode.

About this task

  • Configuring Self Service Portal (SSP) for LDAP / TSP authentication

    You must first configure the SSP to require authentication, and then point it to the TSP, which will authenticate the connection.

    Required:
    ssp.bat tag_config 12 auth_type LDAP
    ssp.bat tag_config 12 tsp_host foo-tsp.company.com

    If the TSP is not unique per customer, a specific TSP configuration for this tag is not necessary; the tag inherits the value from the master config.yaml setting.

    Optional:
    ssp.bat tag_config 12 auth_header_text "Enter your email address and your password"
    ssp.bat tag_config 12 auth_user_label "Email"
    ssp.bat tag_config 12 auth_pass_label "Password"

  • SAML Authentication

    SAML Authentication can be used in single-tenant environments, and any configuration commands that are used during SAML Authentication will, by default, apply to the entire enrollment server. This might not be the desired behavior in a multi-tenancy environment.

    When configuring the SSP for SAML authentication in a multi-tenancy environment, change any configuration commands into tag_config commands. By doing so, the commands apply to specific enrollment tags only and do not apply to the entire enrollment server. The Tag ID must be included after the tag_config command, for example:
    ssp.bat config auth_type SAML
    would become:
    ssp.bat tag_config <foo> auth_type SAML
    where foo is the Tag ID.

    In addition, setting up SAML Authentication in a multi-tenant environment requires the use of the auth_enrollment_tag_attribute setting. This setting specifies the attribute that the SAML identity provider (IdP) includes in its response, which contains the authenticated user's enrollment tag.

    If this setting is specified, the enrollment server verifies that the enrollment tag the user is enrolling with is indeed the one the IdP asserted for that user, for example:
    ssp.bat config auth_enrollment_tag_attribute o
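The check that auth_enrollment_tag_attribute enables, written out as an added illustration (this is not the enrollment server's own code). It assumes the IdP returns the tag as a standard SAML 2.0 attribute named "o", as in the command above; the assertion is constructed sample data and is unsigned, whereas a real deployment validates the signature before trusting any attribute.

```python
"""Illustrative enrollment-tag check, not the product's implementation.

Assumption: the IdP places the user's enrollment tag in a SAML 2.0
AttributeStatement under the attribute name configured with
auth_enrollment_tag_attribute (here "o"), and tag IDs are plain strings.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the IdP states this user belongs to tag "12".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="o">
      <saml:AttributeValue>12</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@company.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def asserted_tags(assertion_xml, attribute_name):
    """Return every value of the configured tag attribute (empty list if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for val in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((val.text or "").strip())
    return values


def enrollment_tag_allowed(assertion_xml, requested_tag, attribute_name="o"):
    """True only if the IdP asserted exactly the tag the user is enrolling with.

    A missing attribute, an empty value, several conflicting values, or a
    mismatch all deny enrollment, so a user authenticated by one tenant's IdP
    cannot complete enrollment under another tenant's tag.
    """
    tags = asserted_tags(assertion_xml, attribute_name)
    return len(tags) == 1 and tags[0] != "" and tags[0] == str(requested_tag)
```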