Overview of Authentication Options

Layout of configuration options

There are five tabs in the IFS Middleware Server Admin console Security pane. These configure different aspects of user authentication. These pages can be found by navigating to common/security in the IFS Middleware Server Admin Console menu.

Navigation to authentication-related configuration options

Admin console authentication options

Identity asserter configuration

These tabs contain settings related to the identity asserters of the associated application types and contain the bulk of the OAuth2 and OpenID Connect settings. After a fresh installation, all Identity Asserters are configured to use the IFS Database Identity Provider for OpenID Connect authentication (with randomized client IDs and secrets), and Compatibility Mode is set up with LDAP disabled. As such, authentication using the IFS Database as the user registry is functional with no further action required by the administrator. The client details associated with an identity asserter that relies on the IFS Database Identity Provider can be regenerated should the need arise. It is recommended to do this after cloning an environment, on both the clone and the original, to keep the client details unique for each environment.

If Azure AD or ADFS is to be used for one or more of the application types, the identity asserters must be reconfigured to use those external identity providers instead. Refer to the sections about configuring Azure AD and configuring ADFS for more information about what configuration is needed for these identity providers.

IFS Database Identity Provider configuration

This tab contains information and configuration options related to the IFS Database Identity Provider. In order to use IFS Touch Apps, some configuration must be done in this tab. It also provides branding options for the user experience of the login page of the identity provider, enabling customers to replace the IFS look and feel with their own branding. Refer to the section about configuring the IFS Database Identity Provider for more information on the subject.

Compatibility mode configuration

This tab contains the settings related to compatibility mode. After a fresh installation, the IFS database is set up as the user registry of IFS Applications and LDAP is disabled. In this tab, LDAP can be configured and enabled, and the cache used by the compatibility mode database authenticator can be configured. See the section about configuring compatibility mode for more information on the subject.