

Configuring Adapter by Using the Wizard

Perform the following steps to configure the Adapter components:

  1. From the end-user's system, access the following URL:
    http[s]://host_name:port_number/ArcotAFMWizard/index.html
    

    The AFM Profiles page opens.

  2. Click the Create new Profile link.

    The AFM Profile Configuration page opens.

  3. Configure the parameters on the AFM Profile Configuration page.

    The following table describes the fields available on the AFM Profile Configuration page.

Section

Field

Description

AFM Profile Configuration

AFM Profile Name

Specify a name for the AFM profile.

Note: The profile name can be at most 16 alphanumeric characters. Do not use special characters or blank spaces in the profile name.

Integration Type

Select the type of integration that this profile should handle.

The possible options are:

  • SiteMinder
  • SAML
  • SSL VPN
  • IPSec VPN

    Note: You can select multiple integration types by pressing the Ctrl key and selecting the required integration type.

Primary Authentication Configuration

Primary Authentication

Select a primary authentication mechanism to use with this profile. The primary authentication mechanism you can configure depends on the integration type you selected in the Integration Type field.

  • SiteMinder supports the following types of primary authentication mechanisms:
    – ArcotID
    – LDAP
    – ArcotOTP on Browser
    – ArcotOTP on Mobile Device
    – OATH
    – LDAP + ArcotID
  • SAML and SSL VPN support the following types of primary authentication mechanisms:
    – ArcotID
    – LDAP
    – ArcotOTP on Browser
    – ArcotOTP on Mobile Device
    – OATH
  • IPSec VPN supports only ArcotID as the primary authentication mechanism.

    Note: If you select all integration types, ArcotID becomes the default primary authentication mechanism, because it is the only mechanism that all four integration types support.

WebFort Organization Name

WebFort Organization Name

Specify the AuthMinder organization name. If the specified organization does not exist in AuthMinder, then you must create it before testing the integrated solution.

Select the "This organization is mapped to enterprise LDAP" option if the AuthMinder organization you specified is configured to use the LDAP repository. See appendix, "Additional Configurations to Support LDAP Repository in AuthMinder" for the additional configuration that an LDAP-backed organization requires.

  1. Click Next.

    Note: If you leave the WebFort Organization Name field empty, AuthMinder's default organization is used with this profile. A prompt then asks whether the default organization is mapped to LDAP; if it is, click Cancel and select the "This organization is mapped to enterprise LDAP" option before proceeding.

    Depending on the primary authentication mechanism you selected in Step 3, the wizard shows the configurable parameters that apply to that mechanism, grouped under various sections. The following table lists the configuration sections that you see for each type of authentication mechanism.

Primary Authentication

Configurable Section

ArcotID

  • Risk Assessment Configuration
  • General Configuration
  • ArcotID Configuration
  • Secondary Authentication Mechanism
  • Issuance Profile Configuration
  • Authentication Policy Configuration

LDAP

  • Risk Assessment Configuration
  • General Configuration
  • Secondary Authentication Mechanism
  • Issuance Profile Configuration
  • Authentication Policy Configuration

ArcotOTP on Browser

  • Risk Assessment Configuration
  • General Configuration
  • ArcotOTP Configuration
  • Secondary Authentication Mechanism
  • Issuance Profile Configuration
  • Authentication Policy Configuration

ArcotOTP on Mobile Device

  • General Configuration
  • ArcotOTP Configuration
  • Secondary Authentication Mechanism
  • Issuance Profile Configuration
  • Authentication Policy Configuration

OATH

  • General Configuration
  • Issuance Profile Configuration
  • Authentication Policy Configuration

LDAP + ArcotID (SiteMinder only)

  • General Configuration
  • ArcotID Configuration
  • Secondary Authentication Mechanism
  • Issuance Profile Configuration
  • Authentication Policy Configuration

    The following table describes the field available in the Risk Assessment Configuration section.

Field

Description

Perform Risk Assessment

Select this option to perform the risk assessment along with the selected primary authentication mechanism. If selected, then the following two options are made available:

  • Pre-Authentication: If this option is selected, the risk assessment is performed before the primary authentication.
  • Post-Authentication: If this option is selected, the risk assessment is performed after the primary authentication.

    Note: If ArcotID is selected as the primary authentication mechanism, then by default the risk assessment is performed before ArcotID authentication.

    The following table describes the fields available in the General Configuration section.

Field

Description

Perform enrollment using an activation code

Select this option to require an activation code during enrollment and to choose how the code is sent to the user. AFM completes the enrollment only after the activation code has been successfully verified.

This option is selected by default; the code can be delivered by email or by SMS.
This configuration is optional if the AuthMinder organization is mapped to LDAP.

Note: If you choose to send the activation code through email, then you must configure the parameters in the "Email Server Configuration" section.

Log user into the system after successful enrollment

If selected, AFM considers the enrollment as authenticated and no explicit user authentication is required. If this option is not selected, users must authenticate themselves after enrollment.

Collect first name, middle name and last name details during enrollment

If selected, users must enter their first, middle, and last names during enrollment.

This configuration is not applicable if the configured organization is an LDAP organization.

Support for user-defined questions

Select this option to allow the user to add their own question that is not available in the existing list of out-of-the-box questions.

Enable email notification

If selected, AFM sends a notification email for events such as successful enrollment, roaming download of ArcotID PKI, password change, ArcotOTP on Mobile and ArcotOTP on Browser events, and updates to security questions, user details, and the ArcotID PKI password.

Note: If you choose to send the notification email, then you must configure the parameters in the "Email Server Configuration" section.

Prompt user to accept cookies

Select this option to ask the user for permission to store cookies on their system.

Prompt user to enter his personal assurance message

Select this option to enable the user to enter a personal assurance message during enrollment. This message is presented to the user to assure them that they are interacting with the correct and legitimate server.

Prompt user to select personal assurance image

Select this option to enable the user to select an image during enrollment. This image is presented to the user to assure them that they are interacting with the correct and legitimate server.

The following table describes the fields available in the ArcotID Configuration section.

Field

Description

Allow users to be able to renew their ArcotID on expiry

Select this option to allow users to renew an ArcotID PKI that is about to expire.

Generate new ArcotID while renewal

Select this option to generate a new ArcotID PKI at renewal time instead of extending the validity of the existing ArcotID PKI.

ArcotID Renewal time period (in months)

Specify the number of months for which the issued ArcotID PKI is valid.

Note: This field is not configurable if the Generate new ArcotID while renewal option is selected.

ArcotID Client Type and Preference

Select the ArcotID PKI Client type to be used for authentication. If you select more than one option, then you can specify the order of preference for the ArcotID PKI Client to be used. For example, if Flash is the first option in the list followed by JavaScript, then AFM checks for the availability of Flash in the user's browser. If AFM cannot detect Flash, it uses JavaScript as the client type for authentication.

Possible options are:

  • JavaScript
  • Flash
  • Native

    Note: If you want to select Native as the preferred client type, then you must select Native in the list and click Up to move Native to the top of the list.

  1. Click Next.

    Depending on the type of primary authentication mechanism you selected, you might see any or all of the following configuration sections.

    The following table describes the field available in the Secondary Authentication Mechanism section.

Section Name

Description

Secondary Authentication Mechanism

Select one or more of the secondary authentication mechanisms, such as Security Question, OTP by Email, OTP by SMS, and ArcotOTP on Mobile, for the different scenarios in which they are used: RiskFort Advice Increase Auth, Forgot Your Password, ArcotID Expiry, and ArcotID Roaming.

The default secondary authentication method is Security Questions. Secondary authentication is performed during roaming download, forgot password, and increase authentication scenarios. AFM allows you to select multiple secondary authentication mechanisms.

Note: If you select the OTP by Email mechanism for secondary authentication, then you must configure the parameters in the "Email Server Configuration" section.
If you select the OTP by SMS mechanism for secondary authentication, then you must configure the parameters in the "Clickatell SMS Service Configuration" section.
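The ordering rules described in the Risk Assessment Configuration and Secondary Authentication Mechanism sections (assessment before or after the primary mechanism, ArcotID always assessed first, secondary authentication on an Increase Auth advice) are easier to reason about as a small model. The following Python is an added example and is not part of the Adapter; the Advice values, the Profile fields, and the three inputs that stand in for the AuthMinder and RiskMinder calls are assumptions:

```python
"""Order in which an AFM profile runs risk assessment, primary authentication
and secondary authentication, modelled from the rules on this page.  Added
illustration, not Arcot code: the Advice values and the Profile fields are
assumptions, and the enrollment, roaming-download and forgot-password flows
that also use secondary authentication are not modelled."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Advice(Enum):
    # Assumed set of RiskFort advice values; this page names only Increase Auth
    ALLOW = "ALLOW"
    ALERT = "ALERT"
    INCREASEAUTH = "INCREASEAUTH"
    DENY = "DENY"


@dataclass
class Profile:
    primary: str                           # "ArcotID", "LDAP", "OATH", ...
    perform_risk_assessment: bool = False  # Perform Risk Assessment checkbox
    risk_timing: str = "post"              # "pre" or "post" authentication
    secondary: Tuple[str, ...] = ("Security Question",)  # page default

    def effective_timing(self) -> Optional[str]:
        if not self.perform_risk_assessment:
            return None   # e.g. OATH, ArcotOTP on Mobile: no Risk Assessment section
        # Page: with ArcotID the assessment runs before authentication by default
        return "pre" if self.primary == "ArcotID" else self.risk_timing


def run_login(profile: Profile, primary_ok: bool, advice: Advice,
              secondary_ok: bool) -> Tuple[List[str], str]:
    """Return the steps AFM would execute, in order, and the final outcome.

    primary_ok, advice and secondary_ok stand in for the AuthMinder and
    RiskMinder calls (constructed inputs for this example)."""
    trace: List[str] = []
    timing = profile.effective_timing()
    result = Advice.ALLOW

    if timing == "pre":
        trace.append(f"risk:{advice.value}")
        result = advice
        if result is Advice.DENY:
            return trace, "denied"        # credentials are never checked at all

    trace.append("primary:" + ("ok" if primary_ok else "fail"))
    if not primary_ok:
        return trace, "denied"            # a post-auth assessment never runs

    if timing == "post":
        trace.append(f"risk:{advice.value}")
        result = advice
        if result is Advice.DENY:
            return trace, "denied"

    if result is Advice.INCREASEAUTH:     # RiskFort Advice Increase Auth scenario
        mech = profile.secondary[0]       # first configured secondary mechanism
        trace.append(f"secondary[{mech}]:" + ("ok" if secondary_ok else "fail"))
        if not secondary_ok:
            return trace, "denied"

    return trace, "allowed"
```

The two early returns are the points to weigh when choosing Pre-Authentication or Post-Authentication: in this model a pre-authentication DENY stops the login before any credential is verified, while a post-authentication assessment is never reached by a login whose primary authentication failed, so that mode gives the risk engine no view of failed attempts.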

 

The following table describes the fields available in the Issuance Profile Configuration section.

Field

Description

ArcotID Profile Name

The name of the ArcotID PKI profile created in AuthMinder that should be used at the time of creating or updating user credential.

Security Questions Profile Name

The name of the Security Question and Answer profile created in AuthMinder that should be used at the time of creating or updating the user credential.

OTP Profile Name for Secondary Authentication

The name of the OTP profile created in AuthMinder that should be used at the time of creating or updating the user credential.

ArcotOTP Profile Name

The name of the ArcotID OTP profile created in AuthMinder that should be used at the time of creating or updating the user credential.

OTP Profile Name for Enrollment Activation Code

The name of the OTP profile created in AuthMinder that should be used at the time of creating or updating user credential.

The following table describes the fields available in the Authentication Policy Configuration section.

Field

Description

ArcotID Policy Name

The name of the ArcotID PKI policy created in AuthMinder that should be used during authentication.

Security Questions Policy Name

The name of the Security Question and Answer policy created in AuthMinder that should be used during authentication.

OTP Policy Name for Secondary Authentication

The name of the OTP policy created in AuthMinder that should be used during authentication.

ArcotOTP Policy Name

The name of the ArcotID OTP policy created in AuthMinder that should be used during authentication.

OTP Policy Name for Enrollment Activation Code

The name of the OTP policy created in AuthMinder that should be used during authentication.

The following table describes the fields available in the ArcotOTP Configuration section.

Field

Description

Allow users to be able to renew their ArcotOTP on expiry

Select this option to allow users to renew an ArcotID OTP that is about to expire.

Generate new ArcotOTP while renewal

Select this option to generate a new ArcotID OTP at renewal time instead of extending the validity of the existing ArcotID OTP.

ArcotOTP Renewal time period (in months)

Specify the number of months for which the issued ArcotID OTP is valid.

  1. Click Create.

    The new profile details are saved and the profile name appears in the AFM Profiles page.

  2. Click Configure Global Settings.

    The WebFort and RiskFort Configuration page opens.

    Note: The RiskFort configuration section is displayed only if you enabled risk assessment when configuring the AFM profile.

    The following table describes the fields available in the WebFort and RiskFort Configuration page.

Section

Field

Description

WebFort Server Configuration

Authentication Host Name

Specify the Fully Qualified Domain Name (FQDN) of the AuthMinder Server.

Authentication Port

Specify the port at which AuthMinder Server is available.

Default value: 9742

Issuance Host Name

Specify the FQDN of the server hosting the AuthMinder Issuance service.

Issuance Port

Specify the port at which the server hosting the AuthMinder Issuance service is available.

Default value: 9744

RiskFort Server Configuration

DeviceID Storage Type

Select a mode to store the user’s device ID information. The available options are:

  • HTTP Cookie
  • Flash Cookie

Host Name

Specify the FQDN of RiskMinder Server.

Port

Specify the port at which RiskMinder Server is available.

Default value: 7680

Note: If you are using secondary AuthMinder and RiskMinder servers, then specify the secondary servers details in the corresponding fields.

  1. Click Next.

    The Arcot UDS Configuration page opens.

    The following table describes the fields available in the Arcot UDS Configuration page.

Section

Field

Description

Arcot UDS Configurations

Protocol

Specify the protocol for connecting to UDS. The available options are:

  • HTTP
  • HTTPS

Host Name

Specify the IP address or the FQDN of UDS.

Port

Specify the port at which UDS is available.

User Management Service URL pattern

Specify the URL pattern for UDS.

Default value: arcotuds/services/ArcotUserRegistrySvc

Email Server Configuration

SMTP Host Name

Specify the FQDN or IP address of the server hosting the SMTP email service.

SMTP Username

Specify the user name to access the SMTP email service.

SMTP Password/

Confirm SMTP Password

Specify the password to access the SMTP email service.

Clickatell SMS Service Configuration

Clickatell Service URL

Specify the URL where the Clickatell SMS service is available.

Default value: http://api.clickatell.com/http/sendmsg?

Note: With this URL pattern the Clickatell user name, password, and message text are sent as query parameters of the request. Use the https:// form of the service URL if your Clickatell account supports it, so that these values are not sent in cleartext over the network.

Clickatell API ID

Specify the unique identifier of the Clickatell API that handles the SMS requests.

Clickatell Username

Specify the user name to access the Clickatell SMS service.

Clickatell Password/ Confirm Clickatell Password

Specify the password to access the Clickatell SMS service.

  1. Click Next.

    The Arcot State Manager Configuration page opens.

The following table describes the fields available in the Arcot State Manager Configuration page.

Section

Field

Description

Arcot State Manager Configuration

Protocol

Select the protocol for State Manager Server.

Note: If you select HTTPS, then you must configure your application server for SSL communication. For more information about configuring SSL in Apache Tomcat, see appendix, "Configuring SSL and Redirection in Apache Tomcat".

Host Name

Specify the FQDN of State Manager Server.

Port

Specify the port at which the application server hosting State Manager is available.

Database Type

Specify the type of database to use with State Manager. Possible options are:

  • MS SQL Server
  • MySQL
  • Oracle

Application Server

Select the application server on which State Manager is deployed.

Possible options are:

  • Apache Tomcat
  • Oracle WebLogic
  • IBM WebSphere
  • JBoss

Primary JNDI Name

Specify the JNDI name given to the primary database connection pool set up for the State Manager database.

Secondary JNDI Name

Specify the JNDI name given to the secondary database connection pool set up for the State Manager database.

  1. Click Next.

    The SiteMinder Shim Configuration page opens.

    The following table describes the fields available in the SiteMinder Shim Configuration page.

Section

Field

Description

SiteMinder Web Agent Configuration

Protocol

Select the protocol for the Web server hosting SiteMinder Web Agent.

Host Name

Specify the FQDN of the Web server where you have deployed the FCC pages.

Port

Specify the port at which the Web server hosting SiteMinder Web Agent is available.

FCC Virtual Directory

Specify the virtual directory name (for example, arcotlogin) created for deploying the FCC pages.

Application Server Configuration for AFM

Protocol

Select the protocol for the application server hosting the Arcot AFM application.

Host Name

Specify the FQDN of the application server hosting the Arcot AFM application.

Port

Specify the port at which the application server hosting the Arcot AFM application is available.

  1. Click Next.

    The SAML Configuration page opens.

    The following table describes the fields available in the SAML Configuration page.

    Note: In the SAML Request Verification Configuration section, you can either configure the Certificate or the Truststore details.

Section

Field

Description

SAML Request Verification Configuration

Certificate Location

Specify the absolute path of the X.509 certificate of the Service Provider. This is used to verify the signed SAML requests from the Service Provider. The corresponding key store must be used by the SAML sample application for signing the SAML request.

Note: The certificate must be in .DER format.

Truststore Location

Specify the absolute path of the trust store file of the Service Provider. This file has a certificate that is used to verify the signed SAML requests from the Service Provider. The corresponding key store must be used by the SAML sample application for signing the SAML request.

Truststore Alias

Specify the alias with which the certificate is stored in the truststore of the Service Provider.

Truststore Password

Specify the password for the truststore of the Service Provider.

SAML Response Signing Configuration

Keystore Location

Specify the absolute or relative path of the Identity Provider’s keystore file on the file system. This file has both the private key and certificate that are used for signing the SAML response.

Note: Ensure that the public-private key pair is generated using "RSA" as the key algorithm and "SHA1withRSA" as the signing algorithm. SHA-1 is deprecated for new signatures, so confirm that your Service Provider still accepts SHA1withRSA-signed responses before relying on this configuration.

Keystore Alias

Specify an alias of the private key and certificate stored in the Identity Provider's keystore.

Keystore Password

Specify the password for the keystore of the Identity Provider.

  1. Click Next.

    The Verify Input page opens.

    Review the information on this screen, and if you need to change a previous selection, then click Previous to do so. After making the required changes, click Next to come back to the Verify Input page.

  2. Click Save.

    The wizard saves your settings and creates the configuration files at the following location:

    AFM_HOME\conf\afm
    

    Note: AFM_HOME is the environment variable that stores the Adapter install location. By default, Adapter is installed in the System_Drive\Program Files\Arcot Systems directory. The files written to this directory hold the settings you entered in the wizard, including the SMTP, Clickatell, truststore, and keystore passwords, so restrict read access to the account that runs the Adapter.

    The following table lists the configuration files that the wizard generates for each integration type.

Integration Type

Properties Files Generated

SAML

  • arcotafm.properties
    Contains the AFM configurations.
  • saml_config.properties
    Contains configurations for the SAML integration.
  • samlsampleapp.properties
    Contains the SAML sample application's configurations.
  • arcotsm.properties
    Contains the State Manager configurations.

SiteMinder

  • arcotafm.properties
    Contains the AFM configurations.
  • adaptershim.ini
    Contains the Authentication Shim-related configurations.
  • arcotsm.properties
    Contains the State Manager configurations.

VPN

  • arcotafm.properties
    Contains the AFM configurations.

In addition to the above file, the following file is created when ArcotOTP on Browser is selected as the primary authentication mechanism:

  • arcotsm.properties
    Contains the State Manager configurations.

All

  • arcotafm.properties
    Contains the AFM configurations.
  • saml_config.properties
    Contains configurations for the SAML integration.
  • samlsampleapp.properties
    Contains the SAML sample application configurations and the custom application configurations.
  • adaptershim.ini
    Contains the Authentication Shim-related configurations.
  • arcotsm.properties
    Contains the State Manager configurations.
  • customapp.properties
    Contains the custom application-related configurations.
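The wizard writes the settings from this walkthrough, including the SMTP, Clickatell, truststore, and keystore passwords and every protocol and host setting, into the files listed above. The following Python script is an added example, not part of the Adapter: it parses java.util.Properties-style files (comments, `key=value`, `key: value` and `key value` separators, backslash continuation lines, and `\uXXXX` escapes) and adaptershim.ini-style INI files, then flags password-like keys that hold a value and any endpoint still configured over plain HTTP. The key names in SAMPLE_FILES are assumptions and the file contents are constructed; to review a deployment, read the real files from AFM_HOME\conf\afm into the same dictionary shape and pass them to audit().

```python
"""Audit the configuration files the wizard writes under AFM_HOME\\conf\\afm for
secrets stored with the other settings and for endpoints that are not protected
by TLS.  Added example, not part of the Adapter: the property and INI key names
are assumptions and the sample file contents are constructed."""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample of two generated files; real key names differ (assumption).
SAMPLE_FILES: Dict[str, str] = {
    "arcotafm.properties": r"""
afm.uds.protocol = HTTPS
afm.smtp.hostname = smtp.example.com
afm.smtp.password = s3cr3t
afm.clickatell.url = http://api.clickatell.com/http/sendmsg?
afm.clickatell.username : sms-user
afm.clickatell.password =
afm.email.subject = Your enrollment is \
    complete
afm.email.sender = caf\u00e9@example.com
""",
    "adaptershim.ini": """
[AFM]
Protocol=HTTP
HostName=afm.example.com
[SiteMinder]
Protocol=HTTPS
HostName=sm.example.com
""",
}

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
# key = everything up to the first unescaped '=', ':' or whitespace
_KV = re.compile(r"((?:\\.|[^\\=: \t\f])*)[ \t\f]*[=:]?[ \t\f]*(.*)")
_SECRET_KEY = re.compile(r"passw(or)?d|secret|api[_-]?key", re.I)


def _unescape(s: str) -> str:
    # Decode java.util.Properties escapes: \t \n \r \f, \uXXXX and \<any char>
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if len(esc) == 5 else _ESCAPES.get(esc, esc)
    return re.sub(r"\\(u[0-9A-Fa-f]{4}|.)", repl, s)


def _logical_lines(text: str) -> Iterator[str]:
    # Skip blanks/comments; a line ending in an odd number of backslashes continues
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()           # Java strips leading whitespace on every line
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = line
        else:
            buf += line
        if (len(buf) - len(buf.rstrip("\\"))) % 2 == 1:
            buf = buf[:-1]            # drop the continuation backslash, keep reading
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def parse_java_properties(text: str) -> Dict[str, str]:
    props: Dict[str, str] = {}
    for line in _logical_lines(text):
        key, value = _KV.match(line).groups()
        props[_unescape(key)] = _unescape(value)
    return props


def parse_ini(text: str) -> Dict[str, str]:
    # Flatten adaptershim.ini-style files to "Section.Key" -> value
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            k, v = line.split("=", 1)
            entries[f"{section}.{k.strip()}" if section else k.strip()] = v.strip()
    return entries


def audit(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    # (file, key, finding) for every setting a reviewer should look at
    findings = []
    for name, text in files.items():
        parse = parse_ini if name.lower().endswith(".ini") else parse_java_properties
        for key, value in parse(text).items():
            if _SECRET_KEY.search(key) and value:
                findings.append((name, key, "secret stored in configuration"))
            if value.lower().startswith("http://"):
                findings.append((name, key, "endpoint without TLS"))
            if key.lower().endswith("protocol") and value.upper() == "HTTP":
                findings.append((name, key, "protocol set to HTTP"))
    return findings
```

Running audit(SAMPLE_FILES) reports three findings for the constructed sample: the SMTP password, the Clickatell URL over plain HTTP, and the AFM protocol set to HTTP in adaptershim.ini. Whether the Adapter obfuscates stored passwords is not stated on this page, so a "secret stored in configuration" finding is a prompt to check the file permissions and the stored form, not proof of a cleartext password.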