RapidIdentity Product Guides - 2019 Rolling Release

Settings

The Settings interface allows administrators to configure global RapidIdentity settings for the RapidIdentity System, its file migration, and its proxy settings.

[Image: Legacy_New_Old_General_-_Settings.png]

Table 227. Settings Fields

Authenticated Session Timeout (min)
    The maximum number of minutes that an inactive session remains valid. After that many minutes, the user must re-authenticate.

Authentication Token Cookie Expiration (seconds)
    This setting ensures that the authentication token cookie, which is issued after the user authenticates against the LDAP server, does not expire prematurely because of differences between the time settings of the workstation browser and those of the RapidIdentity Portal server. Browsers using modern cookie standards should use the default setting of 10 seconds.

    Browsers that do not use modern cookie standards may enter an infinite redirect loop because the workstation browser and the RapidIdentity Portal server are not synchronized. If this is observed, increase the expiration time until the redirect loop stops. The limit is configurable up to 1800 seconds.

Enable Built-in Admin Account (idauto::admin)
    Enables or disables use of the internal idauto::admin account. If this account is disabled and an invalid LDAP configuration is specified, it may become impossible for any user, including administrators, to log in to RapidIdentity Portal. To safeguard against this possibility, it is recommended that the default password for this account be changed and the account left enabled.

Built-in Admin Account Password
    This field is displayed when the built-in Admin account is enabled and the Update Password button is clicked. The password entered here is used to authenticate the idauto::admin account. The default value is idautoAdmin. It is strongly recommended that this password be changed immediately upon installation.

Confirm Built-in Admin Account Password
    Re-enter the password in this field.

Require Strong Encryption (256 bit AES)
    A checked box requires strong encryption.

Enable SSL Uploads
    A checked box requires strong encryption.

Google Analytics Account Number
    The Google Analytics Account Number can be used to obtain more information about visits to RapidIdentity browser pages.

Icon Proxy URL
    This URL specifies a caching proxy used to fetch icons stored on the selected file storage. It is primarily intended to improve poor S3 performance by fronting S3 with Amazon CloudFront.

    Note: If the CloudFront distribution points to the S3 bucket used by the idauto cluster, the proxy URL must include the path to the icons folder, not just the root of the bucket.

    Note: If the icons need to be made publicly accessible in S3, either by marking each one individually or by adding a bucket policy, the necessary information will be required. Do not make your entire bucket publicly accessible or grant the CloudFront distribution full access, as that would make all of your RapidIdentity file data publicly accessible!

Enable Maintenance Mode
    Puts the RapidIdentity appliance/cluster in maintenance mode, which locks out non-administrative actions.

System Maintenance
    The message displayed to users when RapidIdentity is in Maintenance Mode. It can be edited once Maintenance Mode is enabled.
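The second Icon Proxy URL note says to expose the icons, not the whole bucket. The following added example (not from the guide or the product) shows a bucket-wide public-read policy beside one scoped to the icons folder, and a small audit function that flags any anonymous grant reaching outside that folder; the bucket name and icons path are constructed placeholders.

```python
# Constructed placeholders: substitute the cluster's own bucket name and the
# path of its icons folder; neither value comes from the guide.
BUCKET = "EXAMPLE-rapididentity-bucket"
ICONS_PREFIX = "icons/"

# Weak policy: anonymous read of every object in the bucket, which is exactly
# what the guide warns against.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Scoped policy: anonymous read is limited to the icons folder that the
# CloudFront distribution fronts.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/{ICONS_PREFIX}*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True if the statement's Principal matches everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_grants_outside_icons(policy, bucket=BUCKET, prefix=ICONS_PREFIX):
    """Return the Resource ARNs that an anonymous Allow statement exposes
    outside the icons prefix; an empty list means the policy is scoped.
    Condition blocks are not evaluated, so a conditional grant is still flagged."""
    allowed = f"arn:aws:s3:::{bucket}/{prefix}"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings += [a for a in _as_list(stmt.get("Resource", [])) if not a.startswith(allowed)]
    return findings
```

A bucket-level grant such as a public s3:ListBucket on the bucket ARN is also reported, because its resource does not sit under the icons prefix.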

File Storage

This allows the file storage used by RapidIdentity Portal and RapidIdentity Connect to be located somewhere other than the individual appliances, including a CIFS share or Amazon Web Services (AWS) S3. This matters when you run a cluster of either application, so that all instances of the application have access to the same set of files. The migration process wipes out any existing files on the destination file store.

  • CIFS

    • CIFS is the protocol used by Windows File Sharing and Samba. It is usually the best protocol to use for clusters running outside of AWS.

  • S3

    • AWS S3 is a cloud storage platform that provides extreme high-availability. It should generally only be used for clusters hosted in AWS.

      • Even within AWS, you will generally get much better performance with CIFS than with S3; the trade-off is high availability versus performance.

      • AWS IAM Instance Profiles are supported and associated role permissions can be granted to instances when started. When checked, AWS access and secret credentials are hidden from users in the user interface. This security advantage is enhanced since the Instance Profile credentials are temporary and rotated by Amazon, which obviates the need for organizations to manage instance credentials. To leverage AWS IAM Instance Profiles, check the Use Instance IAM Role box.



Local File Server Configuration

Beginning with RapidIdentity Rolling Release version 2018.5.2, administrators can install an SMB Local File Server through the Command Line Interface.

After installation, the CLI Connection Info menu option displays the UNC Path and Username, which can be added to the CIFS File Storage as shown below.

The password for the CIFS Local File Server File Storage is the password that was defined during the Local File Server installation process, or the password can be changed when configuring the CIFS File Storage.

The example below is representative of a CIFS Local File Server where the administrator decided to update the password.

[Image: Legacy_Old_New_Settings_2.png]
Table 228. Migrate Files Settings

From
    Click the drop-down box and scroll to select the file source to migrate.

To
    Click the drop-down box and scroll to select the destination for the migrated files.



Table 229. Proxy Settings

Trusted Proxies (load balancer)
    IP addresses and DNS names can be added. Once saved, the first non-trusted IP address in the X-Forwarded-For HTTP header is taken as the client's IP address. Trusted proxies are useful when more than one load balancer or proxy can sit between a client and the RapidIdentity Federation server.
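The following added example (not code from the guide or the product) shows how the Trusted Proxies rule yields a client address that a client cannot forge. It assumes "first non-trusted" means walking the chain from the connecting peer outward (right to left through X-Forwarded-For), and that only literal IP addresses are listed; DNS names from the setting would have to be resolved beforehand.

```python
import ipaddress

# Constructed sample: the addresses an administrator listed under
# "Trusted Proxies (load balancer)". Only literal IPs are handled here;
# DNS names from that setting are assumed to be resolved beforehand.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def _parse_ip(value):
    """Return an ip_address object, or None if value is not a literal IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Derive the client IP the way the Trusted Proxies setting describes.

    The hop list is the X-Forwarded-For entries followed by the peer that
    actually connected (remote_addr). It is walked from the right, i.e. from
    the nearest hop outward: trusted proxies are skipped and the first
    non-trusted address is the client. Anything further left was appended
    by hosts we do not trust and is ignored, so a client cannot choose its
    own address by sending a forged header. Returns None when an unparsable
    entry is met before a non-trusted hop is reached.
    """
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    hops = [remote_addr]
    if x_forwarded_for:
        hops = x_forwarded_for.split(",") + hops
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return None
        if ip not in trusted_ips:
            return str(ip)
    # Every hop was a trusted proxy: nothing untrusted to report, so fall
    # back to the directly connected peer.
    return remote_addr
```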