For each IdP type there are a number of specific settings.
LDAP (& LDAP certificate) Provider
Complete all the fields for this type of provider:
Hostnames or IP Addresses
You can enter more than one host. Appgate SDP will choose one at random and use that each time. This provides load balancing and fail-over capability. It is assumed that all the remaining settings will be common across the LDAP hosts.
Port
Typically, 389 for LDAP, 636 for LDAP over SSL or 1812 for RADIUS
Enable SSL
Use of SSL (LDAPS) is strongly recommended. To use SSL, the X.509 public key certificate needed to validate the LDAP server must be uploaded to Trusted Certificates.
Service Account DN
We recommend that the service account has the minimum rights required to read the tree below the Base DN, i.e. a dedicated read-only account rather than an administrator. Example DN syntax: "CN=Administrator, OU=Admins, OU=Users, DC=corp, DC=yourdomain, DC=com"
Service Account Password
This is the password for the service account user. It is important to configure the IdP so that LDAP look-up times are minimized; please refer to Authentication Services for advice on using the following fields to best effect.
Base DN
Distinguished Name of user search base. Limits the scope of the user search in order to improve performance (avoids search covering the whole directory).
User Filter
An LDAP filter can be used to include or exclude specific groups of user accounts. The User Filter is a powerful way to write expressions that select or exclude sets of users; for instance, 'All disabled user objects' or 'All users with "Password Never Expires" set'. There are some good examples here: https://social.technet.microsoft.com
Object Class (deprecated)
Class name of user accounts. Deprecated. Use User Filter instead.
NOTE
Do not use User Filter and Object Class together: the two are concatenated into a single filter, which is rarely what is intended.
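The following is an added example (not Appgate code) that evaluates typical Active Directory User Filter expressions against a small constructed directory, so you can see which accounts a filter admits before pasting it into the field. The account names, flags and group DN are invented; the matching-rule OID for userAccountControl bit tests is the standard LDAP_MATCHING_RULE_BIT_AND.

```python
"""Evaluate Active Directory style LDAP User Filters against sample entries.

Added example, not Appgate code. Handles the RFC 4515 subset AD user filters
normally use: AND (&), OR (|), NOT (!), equality, presence (attr=*) and the
LDAP_MATCHING_RULE_BIT_AND extensible match (attr:1.2.840.113556.1.4.803:=mask)
that tests userAccountControl bits. No whitespace between components, as in AD.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Constructed directory: the group DN, names and flags are invented.
VPN_GROUP_DN = "CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com"

def _user(name, uac, groups=(), category="person",
          classes=("top", "person", "organizationalPerson", "user")):
    return {"sAMAccountName": name, "objectCategory": category,
            "objectClass": list(classes), "userAccountControl": uac,
            "memberOf": list(groups)}

DIRECTORY = [
    _user("alice", 512, [VPN_GROUP_DN]),
    _user("bob", 512 | UAC_ACCOUNTDISABLE, [VPN_GROUP_DN]),   # disabled account
    _user("carol", 512 | UAC_DONT_EXPIRE_PASSWORD),          # password never expires
    _user("WS01$", 4096, category="computer",
          classes=("top", "person", "organizationalPerson", "user", "computer")),
]

# Typical User Filter values: enabled people only, accounts whose password
# never expires, and enabled members of one group.
ENABLED_USERS = ("(&(objectCategory=person)(objectClass=user)"
                 f"(!(userAccountControl:{BIT_AND_RULE}:=2)))")
PASSWORD_NEVER_EXPIRES = f"(&(objectClass=user)(userAccountControl:{BIT_AND_RULE}:=65536))"
VPN_GROUP_ENABLED = (f"(&(objectClass=user)(memberOf={VPN_GROUP_DN})"
                     f"(!(userAccountControl:{BIT_AND_RULE}:=2)))")

def parse(text):
    """Parse a filter into ('&'|'|'|'!', [children]), ('=', attr, value)
    or ('bitand', attr, mask) tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if attr.endswith(":"):                   # extensible match attr:rule:=value
            attr, rule = attr[:-1].split(":", 1)
            if rule != BIT_AND_RULE:
                raise ValueError(f"unsupported matching rule {rule}")
            return ("bitand", attr, int(value))
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; values are compared as strings."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return [str(v) for v in (vals if isinstance(vals, list) else [vals])]
    return []

def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    vals = _values(entry, tree[1])
    if op == "=":
        if tree[2] == "*":                        # presence test
            return bool(vals)
        return any(v.lower() == tree[2].lower() for v in vals)
    mask = tree[2]                                # bitand: every mask bit must be set
    return any(int(v) & mask == mask for v in vals)

def select(filter_text, entries):
    """Return the sAMAccountNames the filter admits, sorted."""
    tree = parse(filter_text)
    return sorted(e["sAMAccountName"] for e in entries if matches(tree, e))
```

Note that `(objectClass=user)` alone also admits computer accounts, which is why the enabled-users filter adds `(objectCategory=person)`; and the bit test on `userAccountControl` is what excludes disabled accounts, something a plain equality match on that attribute cannot express.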
Username Attribute
Attribute name of username field. Defaults to sAMAccountName in ActiveDirectory.
Membership Filter
The filter to use while retrieving nested groups of the user in Active Directory. Defaults to (objectCategory=group).
Membership Base DN
Distinguished Name of group search base in Active Directory. Limits the scope of the membership query in order to improve performance. Defaults to the Base DN setting.
LDAP Provider
Enable Password Warning
When configuring Active Directory, enabling this will warn users when their passwords are about to expire.
Threshold (days)
Number of days prior to expiration that the warning will be displayed to the user.
Message
The given message will be displayed to the user. Use this field to guide users on how to change their passwords. The expiration time will be displayed on the Client in a separate section.
The Password Warning Message supports HTML so your message might be:
Your Company Domain password is about to expire <br><a href="https://iam-passwd.corp.company.com">Click here to update it.</a>
A system user claim is provided (ag.passwordWarning); this can be used in a Condition to allow extra network access while the warning is active. This in turn gives users who are away from the office network sufficient access rights to reset their passwords without having to come in. Below are two possible methods for doing password renewals:
WebAccess expired password reset option available on Windows Server 2012R2 or Server 2016 - see https://social.technet.microsoft.com/wiki/contents/articles/10755.windows-server-2012-rds-enabling-the-rd-webaccess-expired-password-reset-option.aspx
On Windows, if sufficient network access rights are allowed (see Allowing full 'network like' access), then the reset password option should work when a user does CTRL ALT DEL.
LDAP Certificate Provider
User Certificate Priorities
An exact match on the Template and/or the Issuer field can be used to set the order in which certificates are shown in the Client. Certain CAs issue certificates that include an Issuer and a Certificate Template Information field. Enter one or more exact values (as found in these certificate fields) and then order the list; the two kinds of value can be mixed. The Valid To date is used as the tie-breaker afterwards, with the certificate expiring furthest in the future being prioritized.
CA Certificates
The CA certificates used to verify client certificates. If the client certificate is signed by an intermediate CA, the whole chain must be uploaded. If the client certificate includes a valid AIA extension (and Skip X.509 external checks is not enabled), the root certificate suffices because the Controller can fetch the intermediates itself.
NOTE
When any certificates are approaching their expiration, then the Controller will issue a warning in the dashboard 30 days prior.
Skip X.509 external checks
When enabled, the Controller WILL NOT contact the endpoints named in the certificate extensions to verify revocation status (CRL/OCSP) or to pull intermediate CA certificates (AIA). NOT RECOMMENDED: a revoked client certificate is then accepted until it expires, and the full chain must be uploaded under CA Certificates.
Certificate User Attribute
The Subject Alternative Name field is required to verify the username. Enter the LDAP attribute that maps to this name (for example userPrincipalName when the SAN carries the user's UPN) so the Appgate system can look the user up and harvest all of the user's LDAP attributes.
Verify Certificate on LDAP
Upon successful authentication, the Controller gets the public certificate from the Client. This can be compared to the certificate on LDAP. If they are not the same, the authentication will fail. This optional check fetches the user's certificate from LDAP and then performs an additional binary comparison of the two certificates.
Attribute
Enter the LDAP Attribute that points to the users' certificates on LDAP. In Active Directory this is normally 'userCertificate'.
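The following is an added example (not Appgate code) covering two of the settings above: it orders a set of certificates the way User Certificate Priorities describes (exact match on template or issuer in list order, then Valid To with the furthest date first) and performs the byte-for-byte comparison that Verify Certificate on LDAP performs against the configured attribute. Certificates are represented as dicts with invented issuers, templates and dates rather than parsed X.509 objects, and the DER sample is placeholder bytes. The PEM-to-DER normalisation before comparing is this example's own design choice; the page says only that the check is a binary comparison.

```python
"""Order client certificates as User Certificate Priorities describes, and
compare a presented certificate with the copy stored in LDAP.

Added example, not Appgate code. Certificates are dicts built inline; a real
implementation would take Issuer, the Certificate Template Information
extension and Not After from the parsed X.509 object. Names, DNs and dates
are invented.
"""
import base64
import re
from datetime import datetime, timezone


def _cert(label, issuer, template, not_after):
    return {"label": label, "issuer": issuer, "template": template,
            "not_after": datetime(*not_after, tzinfo=timezone.utc)}


CA1 = "CN=Corp Issuing CA 1,DC=corp,DC=example,DC=com"
CA2 = "CN=Corp Issuing CA 2,DC=corp,DC=example,DC=com"
CERTS = [
    _cert("old smart card", CA1, "CorpSmartcardLogon", (2025, 1, 31)),
    _cert("new smart card", CA1, "CorpSmartcardLogon", (2027, 6, 30)),
    _cert("vpn client", CA2, "CorpVPNClient", (2026, 3, 1)),
    _cert("personal", "CN=Some Public CA", "", (2028, 1, 1)),   # no template field
]
# Ordered list of exact values as entered in the admin UI; template and
# issuer values may be mixed.
PRIORITIES = ["CorpSmartcardLogon", CA2]


def priority_key(cert, priorities):
    """Rank by the first priority entry that exactly equals the template or
    the issuer (unmatched certificates rank after every match), then by Not
    After with the latest-expiring certificate first."""
    rank = len(priorities)
    for i, wanted in enumerate(priorities):
        if wanted in (cert["template"], cert["issuer"]):
            rank = i
            break
    return (rank, -cert["not_after"].timestamp())


def order_labels(certs, priorities):
    """Labels in the order the Client would list the certificates."""
    return [c["label"] for c in sorted(certs, key=lambda c: priority_key(c, priorities))]


# Verify Certificate on LDAP is a byte-for-byte comparison. AD stores
# userCertificate as DER, so a PEM copy is converted to DER first: comparing
# PEM text against DER bytes would fail for the very same certificate.
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes):
    m = _PEM.search(cert_bytes.decode("ascii", errors="ignore"))
    return base64.b64decode("".join(m.group(1).split())) if m else cert_bytes


def same_certificate(client_cert, ldap_cert):
    return to_der(client_cert) == to_der(ldap_cert)


def pem_from_der(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = pem_from_der(SAMPLE_DER)
```

With the priorities above, the personal certificate expires last but is listed last, because an unmatched certificate never outranks one that matches an entry; with an empty priority list the order falls back to Valid To alone.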
OIDC Provider
Complete the fields for this type of provider. See System Configuration for more information about how OIDC has been implemented in Appgate SDP. OIDC works differently from SAML, so you can use the same IdP configuration for Client, Portal and Admin UI. Look in https://myidp/.well-known/openid-configuration if you are having issues finding these fields in the IdP configuration screens.
Issuer
The base URL provided by the IdP - used when authorizing with the OIDC IdP.
Audience/Client ID
Enter the unique Client ID from the configuration in your OIDC IdP.
Scope
Each scope added here returns a set of user attributes. By default 3 are included.
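The following is an added example (not Appgate code) showing where the values for these three fields come from. It reads the Issuer and the available scopes from a constructed copy of an IdP's discovery document, refuses a document whose issuer does not belong to the discovery URL, and then applies the ID token claim checks that tie a token to the configured Issuer and Audience/Client ID. The host https://myidp is the page's placeholder; the endpoints, client ID and token contents are invented.

```python
"""Read the OIDC provider form values from an IdP discovery document and check
ID token claims against the configured Issuer and Audience/Client ID.

Added example, not Appgate code. The discovery document is a constructed
sample of what https://myidp/.well-known/openid-configuration would return;
the host, endpoints and client ID are placeholders.
"""
import base64
import json
import time

WELL_KNOWN = "/.well-known/openid-configuration"
DISCOVERY_URL = "https://myidp" + WELL_KNOWN
CLIENT_ID = "appgate-sdp-client"          # from the client registration in the IdP

DISCOVERY_DOC = {                          # constructed, trimmed to what is used
    "issuer": "https://myidp",
    "authorization_endpoint": "https://myidp/oauth2/authorize",
    "token_endpoint": "https://myidp/oauth2/token",
    "jwks_uri": "https://myidp/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email", "groups", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
}


def issuer_matches(doc, discovery_url):
    """OIDC Discovery requires the document's issuer to equal the discovery URL
    minus the well-known suffix. A mismatch means you are not talking to the
    issuer you think, or the Issuer field is about to be filled in wrongly."""
    if not discovery_url.endswith(WELL_KNOWN):
        return False
    expected = discovery_url[:-len(WELL_KNOWN)]
    return doc.get("issuer", "").rstrip("/") == expected.rstrip("/")


def form_values(doc, discovery_url):
    """Values for the Issuer and Scope fields. Audience/Client ID is not in the
    discovery document; it comes from the client you registered with the IdP."""
    if not issuer_matches(doc, discovery_url):
        raise ValueError(f"issuer {doc.get('issuer')!r} does not belong to {discovery_url}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not offer the authorization code flow")
    return {"issuer": doc["issuer"], "scopes": list(doc.get("scopes_supported", []))}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def sample_token(claims):
    """Constructed compact JWT with a dummy signature, for the claim checks only."""
    return ".".join([_b64url({"alg": "RS256", "kid": "demo"}), _b64url(claims), "c2ln"])


def id_token_claims(id_token):
    """Decode the payload. This reads claims only: verify the signature with a
    key from jwks_uri before trusting anything returned here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_claims(claims, issuer, client_id, now=None):
    """OpenID Connect Core 3.1.3.7 checks that tie the token to this provider
    configuration: iss equals Issuer, aud contains Client ID (with azp naming
    it when there are several audiences) and exp is still in the future."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        problems.append("aud does not contain client_id")
    elif len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems
```

The aud check is the reason the Audience/Client ID field must be the exact client ID from the IdP: a token minted for a different registered client carries a different aud and must be rejected even though it comes from the same issuer.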
Google OIDC Configuration
Google's implementation of OIDC requires some specific settings for it to work correctly.
Client Secret
Enter the Client Secret from the Google OIDC client configuration; Google requires it on the authorization code exchange even though PKCE is used.
Enable Refresh Token
Make the refresh token part of the OIDC request (instead of being part of the OIDC scope). Google does not issue a refresh token for an offline_access scope; it expects offline access to be requested as a separate parameter of the authorization request.
RADIUS Provider
Complete all the fields for this type of provider.
Hostnames or IP Addresses
You can enter more than one host. Appgate SDP will choose one at random and use that each time. This provides load balancing and fail-over capability. It is assumed that all the remaining settings will be common across the RADIUS hosts.
Port
Typically 1812 for RADIUS authentication.
Shared Secret
The shared secret for the specific RADIUS server.
Authentication Protocol
Authentication protocol used to log in to the RADIUS server, such as CHAP or PAP. Use CHAP if you have a choice: PAP sends the password obfuscated only with the shared secret, whereas CHAP sends a challenge response. Either way, keep the path between the Controller and the RADIUS server on a trusted network.
SAML Provider
Complete all the fields for the this type of provider. See System Configuration for more information about how SAML has been implemented in Appgate SDP. SAML has been implemented differently for the Client, Portal, and admin UI, so you will have to configure SAML once for each.
Use XML Metadata file
You may upload the Metadata XML file from the SAML provider to configure this provider. It will fill in the Single Sign-On URL, Issuer, and Public Certificate fields.
This is the recommended way to complete this form as it avoids needing to match fields between the SAML provider and Appgate SDP. Most SAML providers provide a facility for downloading the metadata in their UI (or there may be a special URL you need to use for getting the metadata).
The only field left to complete is Audience (and the optional Decryption Key field).
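The following is an added example (not Appgate code) that does by hand what the metadata upload does for you: it pulls the Issuer (entityID), the Single Sign-On URL and the Public Certificate out of a constructed IdP metadata file, picks the signing key rather than an encryption key, and reports the certificate's SHA-256 fingerprint so it can be compared with what the IdP's UI shows. The certificate bodies are placeholder bytes, not real certificates. Which SSO binding Appgate selects is not stated on this page; this code prefers HTTP-Redirect and falls back to HTTP-POST.

```python
"""Extract the Single Sign-On URL, Issuer and Public Certificate from IdP
metadata XML, as the Use XML Metadata file option does for you.

Added example, not Appgate code. The metadata is a constructed sample and
the certificate bodies are placeholder bytes, not real certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET   # prefer defusedxml for files from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SIGNING_PLACEHOLDER = b"constructed placeholder, not a signing certificate"
ENCRYPTION_PLACEHOLDER = b"constructed placeholder, not an encryption certificate"


def _b64(data):
    return base64.b64encode(data).decode()


SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(SIGNING_PLACEHOLDER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(ENCRYPTION_PLACEHOLDER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def pem(b64):
    """Wrap a base64 certificate body as PEM for the Public Certificate field."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def provider_fields(metadata_xml):
    """Return the values the metadata import would place in the form."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = by_binding.get(REDIRECT) or by_binding.get(POST)
    if sso_url is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    # Only a signing key verifies assertion signatures. A KeyDescriptor with
    # no use attribute serves both purposes; one marked encryption must not
    # be pasted into Public Certificate.
    certs = ["".join(c.text.split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode(certs[0])
    return {"issuer": root.get("entityID"),
            "sso_url": sso_url,
            "public_certificate": pem(certs[0]),
            "fingerprint_sha256": fingerprint(der),   # compare with the IdP's UI
            "signing_certificates": len(certs)}
```

If the metadata carries more than one signing certificate (IdPs publish two during key rollover), the count tells you to check which one is currently in use; the import only needs the one that signs assertions today, and the 30-day dashboard warning applies to whichever you paste in.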
Manually complete the following fields:
Audience
The Audience URI - this attribute must match exactly the value entered in your SAML identity provider settings.
ForceAuthn
Enables the ForceAuthn flag in the SAML Request. If the SAML provider supports this flag, it will require the user to enter their credentials every time the Client requires SAML authentication, instead of reusing an existing IdP session.
Public Certificate
X.509 public key certificate that you downloaded from your identity provider. It is used to verify that the SAML assertion is signed by the provider. Copy and paste the contents of the certificate into the dialog box or click "Choose a file" and browse to the file.
NOTE
When any certificates are approaching their expiration, then the Controller will issue a warning in the dashboard 30 days prior.
Decryption Key
Optional. Private PEM key used to decrypt encrypted assertions.