Configure the federated security

  1. Navigate to System > System settings > Logon and authentication > Federated security.
    The Federated security dialog box is displayed.
  2. The federated security is clear by default. You can enable Use federated security only when an active authentication provider is configured.

    Note When Federated security is on, turn off Windows Authentication. To do so, run the Configuration utility and modify the setting. See the Kofax TotalAgility Configuration Utility Guide for more information.

  3. To configure an authentication provider, click .

    The Add authentication provider dialog box is displayed.

  4. Configure the following settings on the General tab:
    1. Enter a display Name for the authentication provider.
    2. On the Endpoint type list, select the endpoint type to specify whether the endpoint supports WS-Federation or SAML. (Default: WS-Federation)
    3. On the Endpoint URL list, specify the URL for the WS-Federation or SAML endpoint of the provider.
    4. On the Binding type list, select an authentication request type:
      • HTTP-Redirect (default): SAML request is sent as a http request query string parameter.
      • HTTP-Post: SAML request is sent in http request body and the signature is embedded.
      Note The Binding type and Authentication context settings are available only if the Endpoint type is SAML.
    5. On the Authentication context list, select the authentication context to use, such as Password protected transport. (Default: Any)
    6. Optional. Specify the Relying party URL.

      Note If you provide the relying party identifier or APP ID URI in the Federated Security Provider as https://<servername>/TotalAgility/, you need not specify the relying party URL when configuring the federated security in TotalAgility. If you provide a different relying party identifier in the Federated Security Provider, ensure that the identifier provided in the Federated Security Provider must match with the relying party URL specified in TotalAgility. The relying party identifier is for ADFS, and APP ID URI is for Azure AD.

    7. Specify the Issuer identity of the provider.

      At runtime, this identity helps to verify that any claims passed to TotalAgility are from the correct provider.

    8. Specify the Sign out URL.

      When you log off the provider, the specified URL opens.

    9. Select either setting to specify the Logout option:
      • TotalAgility and Provider: Logs you out of the provider as well as TotalAgility.

      • TotalAgility (default): Logs you out of TotalAgility.

    10. To specify that the authentication provider is active, select Active. (Default: Clear)
  5. To provide response signature verification certificates, do the following:
    1. Click the Response validation tab.
    2. Enter the three different public keys of the provider in the Certificate1, Certificate2 and Certificate3 fields.
      Note You must provide at least one certificate.
      At runtime, all the three certificates are used to verify that any claims passed are from the correct provider. If validation is passed at least for one certificate, the response is considered as valid.
  6. To determine how an existing user is found in TotalAgility when you log on using the authentication provider, do the following:
    1. Click the User claims mappings tab.

      User claim mappings apply if the user does not exist in TotalAgility.

    2. Match the user to username (default) or email. Select either option for Match to:

      Username

      1. By default, Username is taken From security token.

      2. For Name and Email address, select Enter on login to enter the name manually at runtime, or click From security token to take the name from a security token.

      Email

      1. For Username and Name, click Enter on login to enter the name manually at runtime, or click From security token to take the name from a security token.

      2. The Email address is taken From security token (Default).

    3. Click Save.
  7. To define a set of rules for specifying the TotalAgility category and groups to which a new user is added after being successfully authenticated with the provider, click the User claims rules tab and configure the Default user claim and Custom user rules.
    Note If the claims or user claim rules are modified, TotalAgility automatically updates the working group and group membership of the resource.
    1. Select a Category and Working category.
    2. Optional. Select a Working group.
    3. Select Use custom user rules and define the rule:
      1. Click .

        The Add custom user rule dialog box is displayed.

      2. Enter a rule Name for the claim.

      3. Specify the Claim type and Claim value.

      4. To specify the category the user is added to if the custom rule is satisfied, select a Category.

      5. To specify the Working category the user is added to if the custom rule is satisfied, select a category.

      6. To specify the Working group the user is added to if the custom rule is satisfied, select a group.

        Note Specify at least one of the preceding optional settings for a custom user rule.
      7. Optional. To add the resource groups the user is added to if the custom rule is satisfied, click Add for Groups.

        The Add associated groups dialog box is displayed.

      8. Select the required groups to add and click Done.

        The Add custom user rule dialog box is displayed.

        Note The custom user rules take precedence over the default user claim rules.
      9. Click Save.

        The rule appears in the table with rule name and claim type details. You can modify or delete the custom rule.

  8. To configure and specify the SAML request to the Identity provider signed with a certificate, do the following:
    1. Click the Signature settings tab.
      Note This tab is available only if the Endpoint type is SAML.
    2. Browse the certificate (containing private key) you want to upload for signing the SAML request.
    3. Enter the Password to decrypt the certificate.
    4. On the Algorithm list, select the algorithm you want to use for signing, such as RSA-SHA1.
      Note The signing algorithm must match the algorithm that the identity provider is configured with.
    5. Click Save.
      The SAML request is signed.
  9. Click Save.
  10. Select Use federated security.
    Note
    • For TotalAgility on-premise, restart the services for the Federated security settings to take effect.
    • For TotalAgility in on-premise multi-tenant and Azure environments, restart of services is not required.
    • If Federated security is in use on the Azure tenant and is connected to an Integration server, the Integration server will also make use of the same security settings. You must restart the TotalAgility Application pool on the Integration server for the new Azure tenant configuration settings to take effect.
  11. Click Close.

Launch the TotalAgility Designer using Federated security

Once the authentication provider is added and Federated security is turned on, upon logging on to TotalAgility Designer, the user is redirected to configured authentication provider URL.

If multiple authentication providers are configured, the user can select one and the Authentication Provider Logon page opens.

Once the user is authenticated by the provider, the user gets logged on to TotalAgility:

  • If the user exists in TotalAgility and matches a TotalAgility user using the claims mappings, the user gets logged on to TotalAgility.

  • If the user does not exist in TotalAgility, user is added based on the user claim rules and then gets logged on to TotalAgility.

Launch the TotalAgility Designer in recovery mode

If the Federated security was configured incorrectly, you can launch the TotalAgility Designer in Recovery mode to modify the Federated security configuration.

  1. Use the following URL: http://<server name>/TotalAgility/Designer/#/logon/recovery.
  2. Specify the Recovery mode session ID and click Validate.

    The recovery mode session ID is stored in the Web.config from the following setting:

    <add key= "RecoveryModeSessionId" value= <recovery mode session ID>/>
    Note The recovery mode session ID is unique. With each installation, the value in Web.config is updated with a new ID.
  3. Enter a valid Username and Password and click Login.

    Note You must have Read/Write or Full control access permissions on the Server to update the configuration. See Access control list.