Use the Authentication Configuration page to configure authentication within MRI for the Web.
Note
You must have System Settings permissions to access this page. Refer to Adding and Maintaining Users and Access Rights for more information.
To configure authentication, follow these steps:
1. Go to Settings.
2. Click Authentication Configuration.
Note
The Environment ID is automatically populated and cannot be edited.
3. Review the Primary Certificate and Secondary Certificate information if necessary.
4. Expand the MRI Authentication section, and then complete the following fields:
▪ Use Embedded IDP—Select this check box if you are using MRI Identity Provider.
▪ Use Embedded Federation Gateway—Select this check box if this MRI for the Web installation should use an embedded identity provider (IdP) as a Federation Gateway (EFG). After selecting this check box, you must complete the fields in the Identity Provider section to finish configuring your federated identity provider.
▪ Base Web URL—Enter the public URL of your MRI for the Web installation, based on how you installed MRI to your web server. This field is required when using MRI Identity Provider or the Report Gateway product.
Caution!
You must include the forward slash at the end of the URL.
The URL that you enter is the URL that your users must use in their browsers when accessing MRI for the Web.
Example
If your web server is named WebServer1, and your internal active directory DNS domain is named CompanyName.local, you would enter https://WebServer1.CompanyName.local/MRIWeb/.
If your MRI web environment is reachable from the Internet, you must use your Internet DNS domain URL. If your Internet DNS domain URL is MRI.CompanyName.com, you would enter https://MRI.CompanyName.com/MRIWeb/.
These examples assume an HTTPS (TLS) web protocol. If you do not secure your MRI environment with HTTPS, then your URL will begin with HTTP.
Note
The External Client ID and External Client Secret are automatically populated after you click Generate Secrets. These fields are used to configure the Report Gateway product. For more information, refer to the Report Gateway Installation Guide.
For more information about the Download MRI Metadata buttons, refer to the System Administration Guide.
▪ Unsecured—Select this check box if you are using HTTP for your MRI web environment.
▪ SSL—Select this check box if you are using HTTPS for your MRI web environment.
▪ SSL With Offload—Select this check box if your MRI web environment is hosted behind a load balancer that uses SSL termination.
5. Expand the Identity Provider section. The fields in this section can only be configured if you have selected the Use Embedded Federation Gateway check box in the MRI Authentication section. If you are using a federated IdP such as Okta, complete the following fields:
▪ Embedded Federation Gateway URI—Enter the URI of the federated identity provider.
▪ Seconds Between Timeout and Deep Logout—Enter the number of seconds the system should wait after timing out before it triggers a deep logout.
▪ Tracing Level—Select the level of detail that should be sent to the tracing system:
  ▪ Off—No tracing is performed. However, third-party libraries may ignore this setting and perform their own tracing.
  ▪ Warning—Only warnings and critical errors are traced.
  ▪ Information—Warnings and critical errors are traced, including information about all user actions.
  ▪ Verbose—Warnings and critical errors are traced, including information about all user actions and transport logs. MRI recommends that this setting be used only for troubleshooting configuration issues, as logs will become more difficult to read.
▪ Store Password for API Password Reset—Select this check box if you are using an external IdP and have Access 24/7 or Resident Connect users, so that you can manually manage portal passwords for those users from the User Manager view.
Note
This check box is only available if the Use Embedded IDP check box is cleared.
Changing a user’s portal password will not update their MRI password.
▪ Use Single Realm—Select if you are using an external identity provider (IdP), for improved compatibility.
▪ Force Deep Logout—If this check box is selected, users who log out of an application are always logged out of the entire IdP rather than just out of the application.
▪ Allow Local Logins—If this check box is selected, users can log in with their username and password for the MRI system database.
▪ Federated Identity Providers—Select the identity provider you want to configure from the list. To add a new identity provider, click Add and enter a name for it in the Short Name field. After selecting the IdP you want to configure, complete the following fields and options:
  ▪ Navigation Hint—Enter the text that should identify this IdP to users when they are presented with the choice of multiple identity providers. For example, if the IdP is Okta, this field might say "Log in with Okta".
  ▪ Protocol—Select either WS-Federation or OpenID Connect to use as your authentication protocol.
  ▪ Federated IdP Parameter Name—For identity providers using the OpenID Connect protocol that support federating to other identity providers, this value will be used as the parameter name when providing the login hint. The default value is idp.
  ▪ Federate Idps from HomeRealm Service—For identity providers using the OpenID Connect protocol that support federating to other identity providers, selecting this check box loads the federated identity providers from the service specified by the HomeRealm entry in tb_System_AuthenticationConfiguration. This setting only applies for single-client system databases.
  ▪ Client ID—Enter the client ID given by your identity provider.
  ▪ Client Secret—Enter the client secret given by your identity provider.
  ▪ Issuer—Enter the authority URL of the identity provider.
  ▪ Enabled—Select this check box to enable the identity provider.
  ▪ From Legacy Configuration—For identity providers using the WS-Federation protocol, select this check box to pull federation metadata from a legacy configuration.
  ▪ Use Proxy—For identity providers using the OpenID Connect protocol that support proxy authentication and logout URLs, select this check box to enable a proxy. If this setting is enabled, the following three fields are required:
    ▪ Proxy Forward URL—Enter the URL to use when users are sent for authentication.
    ▪ Proxy Redirect URL—Enter the URL to use when users are redirected.
    ▪ Proxy Forward Logout URL—Enter the URL to use when users are sent for logout.
6. If you plan to use the Report Gateway product, expand the Report Gateway Authentication section, and then complete the Reporting Base URL, Reporting Client ID, and Reporting Client Secret fields using the values generated in Report Gateway.
Note
For more information about these fields and the Export MRI Configuration and Download Report Gateway Metadata buttons, refer to the Report Gateway Installation Guide.
7. Click Save.
Note
Use the Upload Manifest button when configuring an external IdP, to upload your IdP's federation metadata to MRI. For more information, refer to the System Administration Guide.
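Example
The field dependencies stated in steps 4 and 5 can be checked against a planned set of values before they are entered on the page. The following check is an added example, not MRI code or an MRI file format: the dictionary key names and the sample values are hypothetical, and it assumes that the public URL remains https when SSL With Offload is selected.

```python
from urllib.parse import urlsplit

# Transport check boxes from step 4 and the scheme users' browsers would see.
# Assumption: with SSL With Offload the public URL is still https.
SCHEME_FOR_MODE = {"Unsecured": "http", "SSL": "https", "SSL With Offload": "https"}
PROXY_FIELDS = ("proxy_forward_url", "proxy_redirect_url", "proxy_forward_logout_url")

def lint_auth_config(cfg):
    """Return (level, message) findings; cfg uses hypothetical key names, not an MRI format."""
    out = []
    url, mode = cfg.get("base_web_url", ""), cfg.get("transport")
    if not url:
        if cfg.get("use_embedded_idp") or cfg.get("report_gateway"):
            out.append(("error", "Base Web URL is required"))
    else:
        parts = urlsplit(url)
        if not parts.path.endswith("/"):
            out.append(("error", "Base Web URL must end with a forward slash"))
        want = SCHEME_FOR_MODE.get(mode)
        if want and parts.scheme != want:
            out.append(("error", f"{mode} is selected but the URL scheme is {parts.scheme}"))
    if mode == "Unsecured":
        out.append(("warn", "HTTP: logins and tokens cross the network without TLS"))
    if cfg.get("use_embedded_idp") and cfg.get("store_password_for_api_reset"):
        out.append(("error", "Store Password for API Password Reset requires Use Embedded IDP cleared"))
    idps = cfg.get("federated_idps", [])
    if idps and not cfg.get("use_embedded_federation_gateway"):
        out.append(("error", "Identity Provider fields need Use Embedded Federation Gateway"))
    if cfg.get("tracing_level") == "Verbose":
        out.append(("warn", "Verbose tracing is for troubleshooting only"))
    for idp in idps:
        if not idp.get("use_proxy"):
            continue
        if idp.get("protocol") != "OpenID Connect":
            out.append(("error", f"{idp['short_name']}: Use Proxy applies to OpenID Connect"))
        for field in PROXY_FIELDS:
            if not idp.get(field):
                out.append(("error", f"{idp['short_name']}: {field} is required with Use Proxy"))
    return out

# Constructed sample: values invented for illustration.
SAMPLE = {
    "use_embedded_federation_gateway": True,
    "base_web_url": "http://MRI.CompanyName.com/MRIWeb",
    "transport": "SSL",
    "tracing_level": "Verbose",
    "federated_idps": [{"short_name": "okta", "protocol": "OpenID Connect", "use_proxy": True,
                        "proxy_forward_url": "https://idp.example/authorize"}],
}
```

Calling lint_auth_config(SAMPLE) reports the missing trailing slash, the http scheme under SSL, the two missing proxy URLs, and a warning for Verbose tracing.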