TrainingSupportCommunity

Advanced settings of an IdP

TLS configuration for an IdP

Select a default or custom cipher suite to be used for TLS client-server handshake before starting a TLS secure communication. It ensures security to all types of identity providers (IdPs).

Enterprise Application Access (EAA) allows users to have a secure network connection using TLS 1.1 or higher to access their IdPs.

You can use the default strong cipher suite or select a custom cipher suite for the TLS handshake between the user's computer and the server (IdP server) before you establish a secure network connection.

After you change your existing IdP, add your default or custom TLS cipher suite before you deploy the IdP. This overrides your latest configuration changes.

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select ADVANCED SETTINGS.

  3. In Configure TLS Cipher suite, select one of the following for Cipher suite configuration for the TLS handshake between the user and the application server:

    • Default. Use the default strong cipher suite as recommended by ​Akamai​. Only TLS version 1.2 strong ciphers are supported.

    • Custom. Select a cipher suite from the list. If you select a cipher suite that has a weak cipher, you receive a warning when you deploy the IdP. A weak cipher is one that has any vulnerabilities and the security can be compromised. Custom configuration supports both TLS version 1.1 and TLS version 1.2 ciphers.

  4. Click Save and go to Deployment and deploy the IdP.

Remember your login credentials after you close the IdP login page from the browser

You can make your authentication cookie persistent for multiple sessions. When you set the persistent cookie, the user does not have to enter the credentials after they close and reopen the browser. If the persistent cookie is not set or if it expires, the user is prompted to re-enter their credentials.

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select ADVANCED SETTINGS.

  3. Go to Settings > Advanced.

  4. Enable Persistent Cookie to remember your credentials over multiple sessions.

  5. Click Save and go to Deployment and deploy the IdP.

Change the identity provider session settings for users

Change the identity provider (IdP) session settings for an existing IdP. You can revise the session settings for an IdP if you get error messages stating that an IdP object cannot be updated. For example:

'cookie expiry: Maximum session expiry timeout range (in minutes) is 15 to 43200.'

'Force login timeout: Idle timeout range (in minutes) is 60 to 525600.'

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select GENERAL.

  3. In Session settings > Session idle expiry, enter the number of minutes after which an idle session should automatically get timed out.
    The default is 120 minutes. The maximum limit is 1440 minutes. If you exceed that number to be more than 43200 minutes, you get an error message and you cannot save the configuration changes.

  4. Select Limit session life to specify the maximum lifetime for an active session.

  5. In Max session duration, enter the number of days after which all authenticated users are forced to authenticate again.
    The default is 7200 minutes (5 days). The recommended limit is 60 minutes and the maximum limit is 525600 minutes (365 days). If your duration is not within that limit you get an error message and you cannot save the configuration changes.

  6. Click Save and exit, or Save and go to Directories.

  7. Deploy the identity provider.

Change the expiry timeout for user sessions

Change the number of minutes in an expiry timeout for user sessions. The default is 120 minutes.

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select GENERAL.

  3. In Session settings > Session idle expiry, select the timeout value.

  4. Click Save and exit.

Set temporary lockout for multiple failed login attempts

Some sites allow for multiple login attempts, where you attempt to login with credentials as many times as you want until you are successful. Hackers or bots may try to exploit this by using scripts and dictionary-based force password attacks to gain access to your Enterprise Application Access (EAA) account. To protect your EAA account information, you can limit the number of failed login attempts per user and set a temporary lockout if that threshold is reached.

  1. In the EAA Management Portal navigation menu, select Identity > Identity providers.
    The Identity providers page appears.

  2. On the identity provider card, click Configure Identity Provider, and select ADVANCED SETTINGS.

  3. In Advanced, select Temporary account lockout on login failures.
    This displays the Account lockout failed attempts and the Account lockout duration fields.

  4. In Account lockout failed attempts, enter the number of attempts a user is allowed before they are temporarily locked out. The default attempts setting is five.

  5. In Account lockout duration, enter the number of minutes the user is locked out. If no value is entered, the default duration is set to 15 minutes.

  6. Click Save and exit, or Save and go to Deployment.

  7. Deploy the identity provider.

Updated about 1 year ago