Advanced settings of an IdP

TLS configuration for an IdP

Select the default or a custom cipher suite for the TLS handshake that takes place before every secure connection to an identity provider (IdP). The setting applies to all IdP types.

Enterprise Application Access (EAA) allows users to have a secure network connection using TLS 1.1 or higher to access their IdPs.

You can use the default strong cipher suite or select a custom cipher suite for the TLS handshake between the user's computer and the server (IdP server) before you establish a secure network connection.

If you change the cipher suite of an existing IdP, you must deploy the IdP again for the new suite to take effect. The deployment replaces the previously deployed configuration with your latest saved settings.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Click the IdP to open it.

  4. Go to Settings > Configure TLS Cipher suite.

  5. Select one of the following for Cipher suite configuration for the TLS handshake between the user and the application server:

    • Default. Use the default strong cipher suite as recommended by Akamai. Only TLS version 1.2 strong ciphers are supported.

    • Custom. Select a cipher suite from the list. If the selected suite contains a weak cipher, you receive a warning when you deploy the IdP. A weak cipher is one with known vulnerabilities that allow the protection of the connection to be broken. Custom configuration supports both TLS version 1.1 and TLS version 1.2 ciphers. Note that TLS 1.1 is deprecated (RFC 8996), so prefer TLS 1.2 suites unless you must support a legacy client.

  6. Click Save and Deploy and deploy the IdP.
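The deploy-time warning described above is the only feedback EAA gives about a custom list. The following script, an added example that is not EAA code or Akamai documentation, lets you vet a candidate list before you select it in the Custom option. It classifies suites by their IANA or OpenSSL names into weak (a broken primitive), legacy (no forward secrecy or no AEAD) and strong; these three categories, the name patterns, and the sample list are this script's own assumptions, not EAA's definition of a weak cipher. The optional `local_openssl_view` helper shows which suites the local OpenSSL build can still negotiate for a TLS 1.2-only client, which is useful for checking that a narrow custom choice is negotiable at all.

```python
"""Pre-deployment check for a custom TLS cipher-suite list (added example, not EAA code)."""
from __future__ import annotations

import re
import ssl

# Patterns are matched against the upper-cased suite name. Any hit makes the suite "weak".
WEAK_RULES = [
    (re.compile(r"NULL"), "NULL cipher or MAC: no confidentiality or integrity"),
    (re.compile(r"EXPORT|EXP-"), "export-grade key length"),
    (re.compile(r"ANON|ADH|AECDH"), "anonymous key exchange: no server authentication"),
    (re.compile(r"RC4"), "RC4 keystream biases (RFC 7465 prohibits RC4 in TLS)"),
    (re.compile(r"DES"), "DES/3DES: 56-bit key or 64-bit block (Sweet32)"),
    (re.compile(r"MD5"), "MD5-based MAC"),
]
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")


def classify(suite: str) -> tuple[str, str]:
    """Return (category, reason) for one suite name.

    weak   - contains a known-broken primitive; expect the weak-cipher warning.
    legacy - not broken, but no forward secrecy or no AEAD mode.
    strong - AEAD with an ephemeral (EC)DH key exchange.
    """
    name = suite.strip().upper()
    for pattern, reason in WEAK_RULES:
        if pattern.search(name):
            return "weak", reason
    if name.startswith(TLS13_PREFIXES):
        return "strong", "TLS 1.3 suite: AEAD, key exchange is always ephemeral"
    notes = []
    if not re.search(r"ECDHE|DHE|EDH", name):
        notes.append("static RSA/DH key exchange, no forward secrecy")
    if not re.search(r"GCM|CCM|POLY1305", name):
        notes.append("CBC with HMAC rather than AEAD")
    if notes:
        return "legacy", "; ".join(notes)
    return "strong", "AEAD with ephemeral key exchange"


def audit(suites: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Group suites by category; each entry is (suite, reason)."""
    report: dict[str, list[tuple[str, str]]] = {"weak": [], "legacy": [], "strong": []}
    for suite in suites:
        category, reason = classify(suite)
        report[category].append((suite, reason))
    return report


def needs_weak_cipher_warning(suites: list[str]) -> bool:
    """True if deploying this list should be expected to raise the weak-cipher warning."""
    return bool(audit(suites)["weak"])


def local_openssl_view(cipher_string: str) -> list[dict]:
    """Suites the local OpenSSL enables for an OpenSSL cipher string in a TLS 1.2-only
    client context. The result depends on the OpenSSL build, so it is informational."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in the string is available on this build
    return ctx.get_ciphers()


if __name__ == "__main__":
    # Constructed sample list: the kind of mix an administrator might pick under Custom.
    candidate = [
        "TLS_AES_256_GCM_SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ]
    for category, entries in audit(candidate).items():
        for suite, reason in entries:
            print(f"{category:6} {suite:40} {reason}")
    print("weak-cipher warning expected:", needs_weak_cipher_warning(candidate))
    enabled = local_openssl_view("ECDHE+AESGCM:ECDHE+CHACHA20")
    print("locally negotiable TLS 1.2 AEAD suites:", [c["name"] for c in enabled])
```

Run it against the list you intend to select; anything reported as weak will trigger the warning on deploy, and anything reported as legacy is worth replacing with an ECDHE AEAD suite even though EAA does not warn about it.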

Remember your login credentials after you close the IdP login page from the browser

You can make the authentication cookie persistent across browser sessions. When the persistent cookie is set, the user does not have to re-enter their credentials after closing and reopening the browser. If the persistent cookie is not set, or if it has expired, the user is prompted to re-enter their credentials. Because a persistent cookie is a bearer credential that outlives the browser session, enable it only where the session limits below and the device security of your users justify the longer exposure.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Click the IdP to open it.

  4. Go to Settings > Advanced.

  5. Enable Persistent Cookie to keep users signed in across multiple browser sessions.

  6. Click Save and Deploy and deploy the IdP.

Change the identity provider session settings for users

Change the session settings of an existing identity provider (IdP). Revisit these settings if saving or deploying the IdP fails with an error stating that the IdP object cannot be updated, for example:

'cookie expiry: Maximum session expiry timeout range (in minutes) is 15 to 43200.'

'Force login timeout: Idle timeout range (in minutes) is 60 to 525600.'

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Click the IdP for which you want to configure the session settings.

  4. Go to Settings > Session.

  5. In Session Idle Expiry, enter the number of minutes of inactivity after which a session is automatically timed out.
    The default is 120 minutes and the recommended maximum is 1440 minutes (24 hours). Values above 43200 minutes are rejected with an error message, and you cannot save the configuration changes.

  6. Select Limit Session Life to specify the maximum lifetime for an active session.

  7. In Max Session Duration, enter the number of minutes after which all authenticated users are forced to authenticate again, regardless of activity.
    The default is 7200 minutes (5 days). The valid range is 60 to 525600 minutes (365 days). If your duration is outside that range you get an error message, and you cannot save the configuration changes.

  8. Click Save and Deploy.

Change the expiry timeout for user sessions

Change the number of minutes in an expiry timeout for user sessions. The default is 120 minutes.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your IdP to open it.

  4. Go to Settings > Session.

  5. In Session Idle Expiry, enter the timeout value in minutes.

  6. Click Save and Deploy.
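The two Session settings above, and the shorter procedure for the idle timeout that follows, interact in a way the field labels do not make obvious: activity keeps pushing the idle deadline forward, while Max Session Duration is an absolute cap measured from login. The following script, an added example that is not EAA code or Akamai documentation, validates a policy against the ranges quoted in the error messages above and replays a constructed activity pattern to show which limit ends the session. Everything is measured in minutes after login; the `SessionPolicy`, `simulate` and `expiry_after` names are this example's own, and the assumption that a request arriving after the deadline does not revive the session is stated in the code.

```python
"""Idle timeout versus maximum session lifetime (added example, not EAA code)."""
from __future__ import annotations

from dataclasses import dataclass

IDLE_RANGE = (15, 43200)       # Session Idle Expiry: range from the 'cookie expiry' message
LIFETIME_RANGE = (60, 525600)  # Max Session Duration: range from the 'Force login timeout' message


@dataclass(frozen=True)
class SessionPolicy:
    idle_minutes: int = 120          # documented default
    max_minutes: int | None = 7200   # documented default (5 days); None = Limit Session Life off

    def validate(self) -> list[str]:
        """Return the error messages this policy would trigger on save, or [] if it is valid."""
        errors = []
        lo, hi = IDLE_RANGE
        if not lo <= self.idle_minutes <= hi:
            errors.append(f"cookie expiry: Maximum session expiry timeout range (in minutes) is {lo} to {hi}.")
        if self.max_minutes is not None:
            lo, hi = LIFETIME_RANGE
            if not lo <= self.max_minutes <= hi:
                errors.append(f"Force login timeout: Idle timeout range (in minutes) is {lo} to {hi}.")
        return errors


def expiry_after(policy: SessionPolicy, last_activity: int) -> int:
    """Minute (after login) at which the session ends if the user goes idle after `last_activity`.

    The idle deadline slides with activity; the lifetime cap does not."""
    idle_deadline = last_activity + policy.idle_minutes
    if policy.max_minutes is None:
        return idle_deadline
    return min(idle_deadline, policy.max_minutes)


def simulate(policy: SessionPolicy, activity: list[int]) -> int:
    """Replay user requests (minutes after login) and return the minute the session ends.

    Assumption of this example: a request that arrives after the current deadline
    finds the session already gone and does not revive it."""
    deadline = expiry_after(policy, 0)
    for minute in sorted(activity):
        if minute > deadline:
            break  # session expired before this request; user must log in again
        deadline = expiry_after(policy, minute)
    return deadline


if __name__ == "__main__":
    policy = SessionPolicy()
    print("default policy errors:", policy.validate())
    print("invalid policy errors:", SessionPolicy(idle_minutes=10, max_minutes=30).validate())
    # Constructed activity patterns (minutes after login).
    print("steady activity:", simulate(policy, [60, 150, 200]))                 # idle deadline keeps sliding
    print("gap longer than idle limit:", simulate(policy, [60, 200]))           # ends at 180, before the 200 request
    print("active all week:", simulate(policy, list(range(0, 14400, 60))))      # lifetime cap of 7200 wins
    print("no lifetime cap:", simulate(SessionPolicy(max_minutes=None), list(range(0, 14400, 60))))
```

The last two runs are the case to remember when choosing values: with Limit Session Life cleared, a user (or a stolen cookie) that sends one request every idle interval stays authenticated indefinitely, so the lifetime cap is what bounds the damage from a leaked session.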

Set temporary lockout for multiple failed login attempts

Some sites allow unlimited login attempts, so a user can keep retrying credentials until one succeeds. Attackers and bots exploit this with scripted dictionary and brute-force password attacks to gain access to your Enterprise Application Access (EAA) account. To protect your EAA account information, you can limit the number of failed login attempts per user and set a temporary lockout once that threshold is reached. Because the lockout is keyed on the user, it can also be triggered deliberately to lock out a legitimate user, so keep the duration short and monitor lockout events rather than relying on a long lockout alone.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your IdP to open it.

  4. Go to Settings > Advanced.

  5. Select Temporary Account Lockout on Login Failures.

  6. In Account Lockout Failed Attempts enter the number of attempts a user is allowed before they are temporarily locked out. The default attempts setting is five.

  7. In Account Lockout Duration enter the number of minutes the user is locked out. If no value is entered, the default duration is set to 15 minutes.

  8. Click Save and Deploy.
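To see how the two settings above behave together, the following script, an added example that is not EAA code or Akamai documentation, implements a minimal in-memory lockout counter with the documented defaults (five failed attempts, 15-minute lockout) and replays a constructed sequence of attempts through it. The `LoginGuard` and `replay` names, the choice to count the threshold-reaching attempt itself as locked, and the use of an explicit `now` in minutes instead of a clock are this example's own assumptions; a real implementation would also need shared storage so the counter survives across login nodes.

```python
"""Temporary account lockout after repeated login failures (added example, not EAA code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LoginGuard:
    max_attempts: int = 5         # Account Lockout Failed Attempts default
    lockout_minutes: float = 15   # Account Lockout Duration default
    _failures: dict[str, int] = field(default_factory=dict)
    _locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        """True while the lockout window is open; clears state once it has elapsed."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[user]      # window over: forget the lock
        self._failures.pop(user, None)    # and start counting afresh
        return False

    def attempt(self, user: str, now: float, verify: Callable[[], bool]) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        `verify` is only called when the account is not locked, so the
        password is never evaluated during the lockout window."""
        if self.is_locked(user, now):
            return "locked"
        if verify():
            self._failures.pop(user, None)   # a success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_minutes
            return "locked"                  # this attempt reached the threshold
        return "failed"

    def failures(self, user: str) -> int:
        return self._failures.get(user, 0)


def replay(guard: LoginGuard, user: str, attempts: list[tuple[float, bool]]) -> list[str]:
    """Run a constructed (minute, credentials_correct) sequence through the guard."""
    return [guard.attempt(user, minute, lambda ok=ok: ok) for minute, ok in attempts]


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed scenario: five wrong passwords, then the right one inside and
    # after the 15-minute window that opens at minute 4.
    script = [(0, False), (1, False), (2, False), (3, False), (4, False),
              (5, True),    # correct password, but still locked (until minute 19)
              (19, True)]   # window closed, accepted
    print(replay(guard, "alice", script))
    # Another user is unaffected by alice's lockout.
    print(replay(guard, "bob", [(5, True)]))
```

The per-user scoping shown in the last call is what makes the denial-of-service caveat concrete: anyone who knows a username can spend five guesses to lock that user out for the configured duration, which is why the duration should stay short.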

Set authorization failure redirect options

When an authenticated end user logs in to the login portal and tries to access an application they are not authorized to use, the admin can configure where the user is redirected with the On Authorization Failure option.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your IdP to open it.

  4. Go to Settings > Advanced.

  5. Set On Authorization Failure to one of these redirect options:

    a. My Apps Portal (default). The end user is taken to the My Apps Portal page.

    b. Access Denied Page. The end user is taken to the default EAA Access Denied page.

    c. Custom URL. Enter the URL of your own authorization failure page in Authorization Failure Redirect URL.

  6. Click Save and Deploy to deploy the identity provider.

Set logout redirect options

When an end user logs out of an application secured by EAA, by default they are taken to the IdP login page to enter their credentials again. You can override this by setting the redirect options for On Logout.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Identity Providers.

  3. Select your IdP to open it.

  4. Go to Settings > Advanced.

  5. Set On Logout to one of these redirect options:

    a. Login Page (default). The end user is taken to the username/password page of the IdP login portal.

    b. Logout Page. The end user is taken to the default EAA Logout page.

    c. Custom URL. Enter the URL of your own logout page in Logout Redirect URL.

  6. Click Save and Deploy to deploy the identity provider.