Authentication Policies Setup
- Updated on 28 Oct 2024
Authentication Policies in Cross Identity let you apply different authentication methods across domains, down to the level of individual users. A policy decides where a user's credentials are verified (Cross Identity Store, Active Directory or an Identity Provider) and which authentication mechanism is used.
If no authentication policy is set up, users are authenticated in Cross Identity by default.
This section covers:
- Adding an authentication policy (Username/Password, Passwordless Authentication and Multi-Factor Authentication)
- Validating an authentication policy
- Go to Security > Add Authentication Policy.
- Enter a name for your authentication policy in the Authentication Policy Name field.
- Select Username/Password as the Authentication Mechanism.
- Set the Priority and enter the Description.
Note: Two policies cannot have the same Priority.
- Click Save.
Target
Click Target to define the users to whom the authentication policy applies, across one or more network ranges.
- Select the Authenticate users with attributes radio button to target users by attribute.
- Select an attribute and enter a condition with its value, for example Location with the value Bangalore. When a user logs in to Cross Identity, the system checks whether the user's Location is Bangalore before applying this policy.
- To add multiple conditions to a policy, select +.
- Select Match all Conditions to combine the conditions with AND: every condition must be satisfied for the policy to take effect.
- If Match all Conditions is not selected, the conditions are combined with OR: the policy applies if any one of them is met.
- To target users by role instead, select the Authenticate users having membership in the Roles box, click Add Roles and select the roles.
- Click Save.
Repository
Go to Repository to define where the user's credentials are verified.
You can choose CI Identity Store, Directory or Identity Provider.

| Repository | Description |
| --- | --- |
| CI Identity Store | Validates the user's credentials against the CI credentials stored in the Cross Identity database. |
| Directory | Validates the user's credentials against those stored in the Directory. |
| Identity Provider | Verifies the user's information against the selected application. |
Note: When CI Identity Store is selected, there is no option to add an identity store.
- If you select Directory or Identity Provider, the Add Directory or Add Identity Provider option becomes available. Search for and select a directory or identity provider, then click Add.
Note: Every directory configured in the Identity Sources menu is available for selection, but only one directory can be selected per policy.
- Add a network range for authentication by clicking Add Network.
- Select a network range and click Add.
- Click Save.
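To make the Target semantics above concrete (unique Priority, AND versus OR over attribute conditions, role membership, network range, and the fall-back to Cross Identity when no policy matches), here is an added Python illustration of how such a policy set can be evaluated. It is not Cross Identity's own code; the CIDR representation of network ranges, the rule that a lower Priority value is evaluated first, and the sample policies are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AuthPolicy:
    name: str
    priority: int              # must be unique across policies (see the Note above)
    mechanism: str             # "Username/Password", "Passwordless Authentication", "Multi-Factor Authentication"
    conditions: list = field(default_factory=list)  # Target: [(attribute, value), ...]
    match_all: bool = True     # "Match all Conditions": AND across conditions; False means OR
    roles: set = field(default_factory=set)         # "Authenticate users having membership in the Roles"
    networks: list = field(default_factory=list)    # Add Network: CIDR strings (assumed representation)

def targets_user(policy, user, client_ip):
    """True if the policy's Target and network range apply to this login attempt."""
    if policy.conditions:
        hits = [user.get(attr) == value for attr, value in policy.conditions]
        if not (all(hits) if policy.match_all else any(hits)):
            return False
    if policy.roles and not policy.roles & set(user.get("roles", ())):
        return False
    if policy.networks:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in policy.networks):
            return False
    return True   # a policy with no Target restriction applies to everyone (assumption)

def priorities_unique(policies):
    return len({p.priority for p in policies}) == len(policies)

def select_policy(policies, user, client_ip):
    """First matching policy in priority order (lower value first, an assumption); None means Cross Identity default."""
    if not priorities_unique(policies):
        raise ValueError("Priority cannot be the same for two policies")
    for policy in sorted(policies, key=lambda p: p.priority):
        if targets_user(policy, user, client_ip):
            return policy
    return None

# Constructed sample policies for the illustration (not taken from the product):
POLICIES = [
    AuthPolicy("bangalore-office", 1, "Username/Password",
               conditions=[("Location", "Bangalore"), ("Department", "IT")],
               match_all=True, networks=["10.10.0.0/16"]),
    AuthPolicy("admin-mfa", 2, "Multi-Factor Authentication", roles={"Admin"}),
    AuthPolicy("india-passwordless", 3, "Passwordless Authentication",
               conditions=[("Location", "Bangalore"), ("Location", "Chennai")],
               match_all=False),
]
```

A Bangalore IT user logging in from 10.10.5.7 gets `bangalore-office`; the same user from an address outside that range falls through to `india-passwordless`, and a user matching no policy gets `None`, i.e. the Cross Identity default.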
Authentication Policy with Authentication Mechanism as Passwordless Authentication
- Go to Security > Add Authentication Policy.
- Enter a name for your authentication policy in the Authentication Policy Name field.
- Select Passwordless Authentication as the Authentication Mechanism.
- Set the Priority and enter the Description.
- Click Save.
Target
- On the Target tab, enter the name of the user to whom the passwordless authentication policy should apply.
- To target users by role instead, select the Authenticate users having membership in the Roles box and click Add Roles to select the roles.
- Select Match all Conditions to combine the attribute conditions with AND; if it is not selected, they are combined with OR.
- Click Save.
Repository
- Click Repository. For this mechanism the repository is always Passwordless Authentication.
- Add a network range by clicking Add Network.
- Select a network range and click Add.
- Click Save.
Authentication Policy with Authentication Mechanism as Multi-Factor Authentication
- Go to Security > Add Authentication Policy.
- Enter a name for your authentication policy in the Authentication Policy Name field.
- Select Multi-Factor Authentication as the Authentication Mechanism.
- Set the Priority and enter the Description.
- Click Save.
Target
- On the Target tab, enter the name of the user to whom the MFA policy should apply.
- To target users by role instead, select the Authenticate users having membership in the Roles box and click Add Roles to select the roles.
- Select Match all Conditions to combine the attribute conditions with AND; if it is not selected, they are combined with OR.
- Click Save.
Repository
- Click Repository.
- Enable the preferred MFA method. Once enabled, users covered by this policy are prompted to complete the authentication method chosen here.
- Click Enable Callback and enter the URL.
- If Enable Callback is enabled, the user is logged in to the application after authentication.
- If it is not enabled, the user is redirected to the launchpad.
- Click Save.
Validating Authentication Policy
When a user imported from Active Directory is a member of the Cross Identity user group, that user should be validated against Active Directory. The user is then authenticated with the user name and password held in Active Directory rather than the credentials configured in Cross Identity.