SecureAuth IdP Version Affected: All
How to configure a Secure Portal with an Account Management (Helpdesk) realm with access restricted by group membership
The Secure Portal will display or hide destination realms based on the group restrictions set on the destination realms.
However, when this method is used on an Account Management realm to restrict access to specific groups, the same group restriction also prevents the lookup of users outside those groups. Any user who is not a member of the group therefore cannot be managed.
To let the Secure Portal hide the Account Management realm and block unauthorized users, while still allowing helpdesk staff to manage any user, place the group restriction on an intermediate realm rather than on the Account Management realm itself. Follow these steps, clicking Save after each step:
This configuration requires 3 realms in total.
- First Realm: Secure Portal realm
- Second Realm: Intermediate realm (carries the group restriction that secures the Helpdesk realm and generates the cookie used to log on to the Helpdesk realm)
- Third Realm: Account Management/Helpdesk realm
1. Create the Portal realm (First realm) according to the standard documentation found here: https://docs.secureauth.com/display/91docs/Secure+Portal+Configuration+Guide
2. Create two copies of the Portal realm. These will be used for the Second and Third realms.
For the Intermediate realm (Second realm)
3. On the Overview tab, under "Page Header" give the realm a name. This is the name that will be shown in the Portal, e.g. Account Management
4. On the Post Authentication tab, change "Authenticated User Redirect" to "Custom Redirect"
5. Change "Redirect To:" to: ../SecureAuthXX/Authorized/ManageAccounts.aspx
Replacing XX with the realm number of the Helpdesk realm (Third realm).
6. On the Post Authentication tab | Forms Auth/SSO Token click "View and Configure FormsAuth keys/SSO token"
7. Under Forms Authentication | Name: ensure the value here differs from the one on the Secure Portal realm. With a different name the realm redirects to SecureAuth.aspx and reads the Pre-Auth cookie; with the same name it tries, and fails, to read the Portal's FormsAuth and PostAuth cookies and redirects to restart.aspx instead.
8. Under Authentication Cookies, copy the Post-Auth Cookie: value from the Secure Portal realm to the Pre-Auth Cookie: on the Intermediate realm
9. If users should remain logged in to the Secure Portal, set "Clean Up Pre-Auth Cookie:" to False.
10. On the Workflow tab set "Receive Token:" to Token.
11. Set "Require Begin Site:" to True
12. Set "Begin Site URL:" to /SecureAuthXX replacing XX with the realm number of the Secure Portal
13. If an additional factor is required set "Default Workflow:" to Username & Password | Second Factor, otherwise set it to Username & Password
14. Set "Public/Private Mode:" to Private Only
15. On the Data tab set the group restriction on "User Groups", supplying the name of the group that is allowed access to the Helpdesk realm.
For the Helpdesk realm (Third realm)
16. On the Overview tab, name the realm as desired.
17. On the Post Authentication tab set "Authenticated User Redirect" to "Account Management"
18. On the Post Authentication tab | Forms Auth/SSO Token click "View and Configure FormsAuth keys/SSO token"
19. Under Forms Authentication | Name: copy the Post-Auth Cookie: value from the Intermediate realm
20. Under Authentication Cookies, copy the Post-Auth Cookie: value from the Intermediate realm.
21. On the Workflow tab set "Receive Token:" to Token.
22. Set "Allow Transparent SSO:" to True
23. Set "Begin Site URL:" to /SecureAuthXX replacing XX with the realm number of the Intermediate realm
For the Secure Portal realm (First realm)
24. On the portal realm, go to the Post Authentication tab and click "View and Configure the portal page", then tick the checkbox for the Intermediate realm.
Users log on to the Secure Portal through whatever workflow is configured there.
If the user is a member of the group specified on the Data tab of the Intermediate realm, the realm is shown in the portal; otherwise it is hidden.
After clicking the realm, the user goes through the workflow configured on the Intermediate realm and, if successful, is taken directly to the post-authentication page on the Helpdesk realm. Because the group restriction is set only on the Intermediate realm, the Helpdesk realm itself remains unrestricted and can look up users outside that group.
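The hand-off between the three realms depends on several values lining up exactly (cookie names, FormsAuth names, realm numbers in the redirect and Begin Site URLs, and the group restriction sitting on the Intermediate realm only). The following check is an added example, not SecureAuth code and not SecureAuth's configuration format: each realm is modelled as a plain Python dictionary whose keys are named after the admin-console fields in the steps above, the realm numbers and cookie names are invented, and the function reports any link in the chain that contradicts the procedure.

```python
"""Consistency check for the Portal -> Intermediate -> Helpdesk realm chain.

Added illustration only. The dictionaries are a hand-built model of the
values typed into the SecureAuth admin console; they are not the product's
own configuration schema. Realm numbers and cookie names are constructed.
"""

# Constructed sample values (first realm = 1, second = 2, third = 3).
PORTAL = {
    "realm": 1,
    "forms_auth_name": "SecureAuth1",
    "post_auth_cookie": "PortalPostAuth",
}
INTERMEDIATE = {
    "realm": 2,
    "forms_auth_name": "SecureAuth2",            # step 7: must differ from Portal
    "pre_auth_cookie": "PortalPostAuth",         # step 8: copied from Portal Post-Auth
    "post_auth_cookie": "HelpdeskPostAuth",
    "redirect_to": "../SecureAuth3/Authorized/ManageAccounts.aspx",  # step 5
    "begin_site_url": "/SecureAuth1",            # step 12: Portal realm number
    "public_private_mode": "Private Only",       # step 14
    "user_groups": "Helpdesk Staff",             # step 15: the only restriction
}
HELPDESK = {
    "realm": 3,
    "forms_auth_name": "HelpdeskPostAuth",       # step 19: Intermediate Post-Auth
    "post_auth_cookie": "HelpdeskPostAuth",      # step 20: Intermediate Post-Auth
    "begin_site_url": "/SecureAuth2",            # step 23: Intermediate realm number
    "allow_transparent_sso": True,               # step 22
    "user_groups": "",                           # deliberately unrestricted
}


def check_chain(portal, intermediate, helpdesk):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []

    # Step 7: a FormsAuth name shared with the Portal makes the Intermediate
    # realm read the Portal's FormsAuth/PostAuth cookies, fail, and bounce
    # to restart.aspx instead of reading the Pre-Auth cookie.
    if intermediate["forms_auth_name"] == portal["forms_auth_name"]:
        problems.append("Intermediate FormsAuth name must differ from the Portal's")

    # Step 8: the Portal's Post-Auth cookie is the Intermediate's Pre-Auth cookie.
    if intermediate["pre_auth_cookie"] != portal["post_auth_cookie"]:
        problems.append("Intermediate Pre-Auth cookie != Portal Post-Auth cookie")

    # Steps 19-20: the Helpdesk realm reads the Intermediate's Post-Auth cookie
    # both as its FormsAuth name and as its own Post-Auth cookie.
    if helpdesk["forms_auth_name"] != intermediate["post_auth_cookie"]:
        problems.append("Helpdesk FormsAuth name != Intermediate Post-Auth cookie")
    if helpdesk["post_auth_cookie"] != intermediate["post_auth_cookie"]:
        problems.append("Helpdesk Post-Auth cookie != Intermediate Post-Auth cookie")

    # Step 5: the custom redirect must carry the Helpdesk realm's number.
    expected = f"../SecureAuth{helpdesk['realm']}/Authorized/ManageAccounts.aspx"
    if intermediate["redirect_to"] != expected:
        problems.append(f"Intermediate Redirect To should be {expected}")

    # Steps 12 and 23: each Begin Site URL points one hop back up the chain.
    if intermediate["begin_site_url"] != f"/SecureAuth{portal['realm']}":
        problems.append("Intermediate Begin Site URL should name the Portal realm")
    if helpdesk["begin_site_url"] != f"/SecureAuth{intermediate['realm']}":
        problems.append("Helpdesk Begin Site URL should name the Intermediate realm")

    # Steps 14, 22: modes that the procedure requires.
    if intermediate["public_private_mode"] != "Private Only":
        problems.append("Intermediate Public/Private Mode should be Private Only")
    if not helpdesk["allow_transparent_sso"]:
        problems.append("Helpdesk Allow Transparent SSO should be True")

    # The point of the article: restrict the Intermediate realm, never the
    # Helpdesk realm, or lookups of users outside the group will fail.
    if not intermediate["user_groups"]:
        problems.append("Intermediate realm has no User Groups restriction")
    if helpdesk["user_groups"]:
        problems.append("Helpdesk realm must not carry a User Groups restriction")

    return problems


if __name__ == "__main__":
    for line in check_chain(PORTAL, INTERMEDIATE, HELPDESK) or ["chain OK"]:
        print(line)
```

Run it after finishing the steps with your own values substituted into the three dictionaries; a non-empty result names the step whose value needs revisiting. Placing a group name into HELPDESK["user_groups"] reproduces the original problem the article solves and is reported as such.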
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.