RapidIdentity Product Guides - 2019 Rolling Release

System

The System page allows administrators to configure global RapidIdentity settings.


Beginning with RapidIdentity Rolling Release Version 2018.5.2, the option to Require Strong Encryption (AES 256-bit) is deprecated and no longer accessible in the user interface.

Table 194. System Fields

Field Name

Description

Authenticated Session Timeout (min)

The maximum number of minutes that an inactive session will remain valid.

After the specified number of minutes, the user must re-authenticate.

Authentication Token Cookie Expiration (seconds)

This setting ensures that the authentication token cookie, which is issued after the user authenticates against the LDAP server, does not expire prematurely based on the time settings used by the workstation browser and the RapidIdentity Portal server. Browsers using modern cookie standards should use the default setting of 10 seconds.

Browsers that do not use modern cookie standards may experience an infinite redirect loop because the workstation browser and the RapidIdentity Portal server will not be synchronized. If this scenario is observed, increase the expiration time until the redirect loop stops. The time limit is configurable up to 1800 seconds.

Enable Built-in Admin Account (idauto::admin)

This enables or disables use of the internal idauto::admin account. If this account is disabled and an invalid LDAP configuration is specified, it may become impossible for any user, including administrators, to log in to the RapidIdentity Portal. To guard against this, change the account's default password and leave the account enabled.

Built-in Admin Account Password

The provided password is used for authenticating the idauto::admin account. The default value is idautoAdmin. It is strongly recommended that this password be changed immediately upon installation.

Confirm Built-in Admin Account Password

Confirm the password in this field.

Require Strong Encryption (AES 256-bit)

A checked box requires strong encryption. This option is deprecated and no longer accessible in the user interface as of Rolling Release 2018.5.2 (see the note above).

Enable SSL Uploads

This enables file uploads to the RapidIdentity Portal Files module to be performed over a secure HTTP connection. This is disabled by default due to Flash Player limitations that could cause extremely large file uploads over SSL to crash or hang the browser.

Google Analytics Account Number

The Google Analytics Account Number can be used to obtain more information about visits to RapidIdentity browser pages.

System Maintenance

Enable Maintenance Mode

This puts the RapidIdentity appliance/cluster in maintenance mode, which locks out non-administrative actions.

File Storage

This allows the files used by RapidIdentity Portal and RapidIdentity Connect to be kept in a location other than on the individual appliances. This matters when you run a cluster of either application, because every instance must have access to the same set of files.

  • CIFS

    • CIFS is the protocol used by Windows File Sharing and Samba. It is usually the best protocol to use for clusters running outside of AWS.

  • S3

    • Amazon S3 is a cloud storage platform that provides extremely high availability. It should generally only be used for clusters hosted in AWS.

      • Even within AWS, you will generally get much better performance with CIFS than with S3; the trade-off is high availability versus performance.

      • AWS IAM Instance Profiles are supported: permissions are granted through the IAM role attached to an instance when it is started. When the Use Instance IAM Role box is checked, no AWS access key or secret is entered in or shown by the user interface. The instance profile credentials are temporary and rotated by Amazon, so the organization does not have to manage or rotate long-lived instance credentials.

Migration

Migration enables file migration between CIFS, S3, and the individual appliance file systems.

Migration deletes any files already present on the destination file store.

Icon Proxy URL

This URL specifies a caching proxy that can be used to fetch icons stored on the selected file storage. This is primarily to boost poor S3 performance by fronting it with Amazon CloudFront.

Note

If the CloudFront distribution points to the S3 bucket being used by the idauto cluster, then the proxy URL must include the path to the icons folder and not just the root of the bucket.

Note

If the icons need to be made publicly accessible in S3, grant that access as narrowly as possible: either mark each icon individually or add a bucket policy scoped to the icons folder, and provide the resulting proxy URL here.

Do not make your entire bucket publicly accessible or grant the CloudFront distribution full access to it, as that would make all of your RapidIdentity file data publicly accessible!
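The two notes above amount to one rule: the policy that exposes icons must not reach any other key in the bucket. The following Python example is added here and is not RapidIdentity's own code or an official policy template. It builds a CloudFront-only read policy scoped to the icons folder, builds the whole-bucket anti-pattern the note warns about for comparison, and runs a small check that flags any Allow statement whose Resource reaches outside the icons prefix. The bucket name, the icons/ prefix and the origin access identity ID are placeholders; the principal uses the legacy OAI ARN form.

```python
import json

BUCKET = "example-idauto-files"   # placeholder bucket name
ICON_PREFIX = "icons/"            # assumed key prefix of the icons folder
OAI_ID = "EXAMPLEOAI123"          # placeholder CloudFront origin access identity ID


def icons_only_policy(bucket=BUCKET, prefix=ICON_PREFIX, oai_id=OAI_ID):
    """Policy that lets only the CloudFront OAI read objects under the icons prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CloudFrontReadIconsOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def whole_bucket_policy(bucket=BUCKET):
    """The anti-pattern from the note: anyone can read every object in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadEverything",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def overexposed_statements(policy, bucket=BUCKET, prefix=ICON_PREFIX):
    """Return the Sids of Allow statements whose Resource is not confined to the icons prefix.

    A bucket-level resource (e.g. for s3:ListBucket) is flagged too, because listing
    the bucket reveals the names of every RapidIdentity file stored there.
    """
    allowed = f"arn:aws:s3:::{bucket}/{prefix}"
    flagged = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        resources = st.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if any(not r.startswith(allowed) for r in resources):
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for name, policy in (("icons only", icons_only_policy()), ("whole bucket", whole_bucket_policy())):
        print(name, "->", overexposed_statements(policy) or "ok")
    print(json.dumps(icons_only_policy(), indent=2))
```

Before pasting a policy into the S3 console, run the generated document through overexposed_statements; any Sid it returns is a statement that would expose more than the icons folder.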

Trusted Proxies (load balancer)

IP addresses and DNS names can be added. Once saved, the first non-trusted IP address in the X-Forwarded-For HTTP header, counting back from the entry appended by the nearest proxy, is taken as the client's IP address. Trusted proxies are useful when more than one load balancer or proxy may sit between a client and the RapidIdentity Federation server. List only proxies you control: a client can put anything it likes in the X-Forwarded-For header it sends, so an address that is not on this list is treated as the client rather than as a hop to skip.
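The resolution rule above, worked through as an added Python example that is not RapidIdentity's own code. Each proxy appends the address it saw to the right-hand end of X-Forwarded-For, so the header is walked from the right, skipping trusted proxies; the first address that is not trusted is the client, and anything further left is client-supplied and ignored. The trusted list and header values are constructed for the example, and only IP addresses and CIDR ranges are handled (the product also accepts DNS names, which this example does not resolve).

```python
import ipaddress

# Constructed stand-in for the "Trusted Proxies (load balancer)" list:
# a private range for the load balancers plus one fixed reverse proxy.
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10"]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip falls inside any trusted address or CIDR range (raises ValueError for non-IP input)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the client address from the TCP peer and the X-Forwarded-For header.

    remote_addr is the verified TCP peer: the last proxy, or the client itself
    when nothing sits in between. The header is only consulted when that peer
    is a trusted proxy; otherwise every entry in it was supplied by the client.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):            # nearest proxy's entry first
        try:
            if not is_trusted(hop, trusted):
                return hop                # first hop that is not one of ours
        except ValueError:
            return remote_addr            # malformed entry: fall back to the verified peer
    # Empty header, or every hop was a trusted proxy: the peer is all we can vouch for.
    return remote_addr


if __name__ == "__main__":
    # Client 203.0.113.7 tries to spoof 1.2.3.4; the load balancer 10.1.2.3 appends the real address.
    print(client_ip("10.1.2.3", "1.2.3.4, 203.0.113.7"))   # 203.0.113.7
    # Same client, but connecting directly with no trusted proxy in between.
    print(client_ip("198.51.100.9", "1.2.3.4"))             # 198.51.100.9
```

The second case is the one that matters for audit logs and IP-based policy: when the peer is not a trusted proxy, the header is ignored entirely, so a spoofed X-Forwarded-For never becomes the recorded client address.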