📄️ Configuring local applications
The core purpose of the Secfense Broker is protecting web applications. A simple setup was already explained in the Quick Start section of this document. The next sections of this guide take a deeper look at fine-tuning the configuration. This helps not only with manual configuration in the rare cases where automated learning cannot identify the proper settings, but also improves the user experience and adds security to your environment.
📄️ Configuring remote applications
This document provides step-by-step instructions for connecting applications (Service Providers, SPs) to Secfense IdP using the SAML protocol. The SAML integration gives control over identity verification to Secfense IdP and ensures secure Single Sign-On (SSO) functionality, allowing users to authenticate via the IdP and access various SPs without re-entering credentials.
📄️ Protecting Single-Sign-On applications
Kerberos
📄️ Create bypass codes
A bypass code is used to allow users to log in to an application if they lose access to their second factor.
📄️ Deleting the application
The Delete Application button appears in the "Main Configuration" tab once you click on the details of a particular Application Representation.
📄️ Backup and Restore
Secfense Broker uses zip files for configuration backups, with configurations saved as archived JSON files.
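Because a backup is a zip archive of JSON files, it is worth validating an archive before restoring it: every member should parse as JSON, and no member name should escape the extraction directory. The following check is an added example, not Secfense code; the member names it constructs (applications.json, roles.json, and so on) are hypothetical and only illustrate the format the page describes.

```python
"""Sanity-check a zip-of-JSON configuration backup before restoring it.

Added example, not part of the Secfense product. It relies only on what
the documentation states: the backup is a zip archive whose members are
JSON files. Member names used in the sample archive are hypothetical.
"""
import io
import json
import posixpath
import zipfile


def check_backup(zip_bytes: bytes) -> dict:
    """Inspect a backup archive held in memory.

    Returns a dict with:
      valid        -> {member name: parsed JSON} for members that parsed
      invalid      -> member names that are not valid UTF-8 JSON
      unsafe_names -> member names that would escape the target directory
                      on extraction (absolute paths or '..' components)
    """
    result = {"valid": {}, "invalid": [], "unsafe_names": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Zip-slip check: reject absolute names and names that still
            # start with '..' after normalisation.
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../"):
                result["unsafe_names"].append(name)
                continue
            if info.is_dir():
                continue
            try:
                result["valid"][name] = json.loads(zf.read(name).decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                result["invalid"].append(name)
    return result


def build_sample_backup() -> bytes:
    """Construct a small in-memory archive for demonstration.

    Constructed data with hypothetical member names; it mimics the
    zip-of-JSON layout but is not a real Broker backup.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("applications.json",
                    json.dumps({"apps": [{"name": "intranet", "port": 443}]}))
        zf.writestr("roles.json",
                    json.dumps([{"name": "helpdesk", "rights": "Support"}]))
        zf.writestr("notes.txt", "not json")   # must be reported as invalid
        zf.writestr("../evil.json", "{}")      # zip-slip style name, must be flagged
    return buf.getvalue()


if __name__ == "__main__":
    report = check_backup(build_sample_backup())
    print("valid members:  ", sorted(report["valid"]))
    print("invalid members:", report["invalid"])
    print("unsafe names:   ", report["unsafe_names"])
```

Run it against a real backup by passing the file's bytes to check_backup; treat any entry in unsafe_names or invalid as a reason not to restore until the archive has been examined by hand.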
📄️ Adding roles for users
A role is a set of privileges that can be assigned to a user. It consists of a name and application rights, which are either Admin or Support. Each role can be additionally limited to particular applications.
📄️ Adding Administrator or Support users
In Broker terminology, an Administrator is an operator who can view and edit certain parts of the Broker configuration. The first user created during initial configuration is "admin" with the assigned role of "Superadmin." All Superadmins have the rights to create other users.
📄️ Adding third party identity providers
Both RADIUS and OIDC can be used as second factors in all applications. To enable these factors, third-party providers need to be configured within the Broker configuration.
📄️ Password reset
All passwords can be changed from any Superadmin account in the Administration section of the configuration.
📄️ Adding another 2FA (user perspective)
IMPORTANT! Secfense Broker only supports combining strong (FIDO2/WebAuthn compliant) second factors. This means a user can add multiple U2F keys or combine a U2F key with Secfense Authenticator. However, users cannot mix strong authentication with weaker 2FA methods, such as TOTP codes or SMS.
📄️ Using REST API
The REST API is typically used to automate tasks through carefully crafted request URLs. JSON Web Tokens (JWTs) are used to authenticate and authorize such requests.
📄️ Using SMS and Email gateways
Although the Secfense User Access Security Broker allows you to use email and short text messages (SMS) as a means of delivering second-factor codes, it does not act as an email client or a cellphone.
📄️ Email Converter
Features like Full Site Protection prevent users from enrolling in the standard way, because they have no way to enter their credentials without first providing their second factor.
📄️ Generating Support Pack
The Secfense support team might ask you to provide a support pack to streamline an investigation. Although you can create the support pack from the CLI, it is advised to use the GUI for this purpose.
📄️ Whitelisting Secfense Authenticator
Secfense Authenticator is an application for Android and iOS that provides a second authentication factor compliant with FIDO2 specifications.
📄️ Using non-standard TCP Ports
By default, Secfense Broker listens on ports 80 and 443, the standard ports for HTTP and HTTPS traffic. To use non-standard TCP ports, additional configuration steps are required.
📄️ Connecting IdP
To support applications that cannot be covered by reverse-proxy based technologies, we use identity federation standards, particularly SAML.