IT Asset Management Settings: Security Tab
- Documents
- Session timeout
- Authentication
Documents
- Document upload — Select this check box to allow documents to be uploaded in any locations where files can be attached in the web interface of IT Asset Management. Uploaded documents are saved in the central compliance database.
- File location — Select this check box to allow for text fields where operators can enter a file path location (such as a network share). The file is not uploaded, and only this reference to its location is saved.
- URL — Select this check box to allow for text fields where operators can enter a URL hyperlink to a location elsewhere, either on your corporate intranet or the public Internet, as appropriate.
Tip: When an operator enters a URL in a field resulting from this setting (for example, in the Documents tab of license or contract properties), a modal dialog appears asking whether the operator wishes to continue with the redirect. The URL is provided in a read-only text field in the modal dialog, allowing the operator to safely copy and paste the URL to check accuracy before confirming the URL redirection.
Session timeout
- When operators have logged in through Flexera Account Management, the timeout value always applies, as described below.
- When you have configured any operators' accounts to log in through a SAML 2.0-compliant identity provider (such as Okta), the timeout value is used only when the identity provider does not return its own timeout information in the optional SessionNotOnOrAfter attribute within its assertion:
  - When the identity provider does not provide timeout information, the value set here is used as a timer for asking the identity provider whether the session is still valid. If so, the session continues; if not, the operator is redirected to the configured authentication URL.
  - When the identity provider includes the SessionNotOnOrAfter attribute, the supplied time/date limit is applied to the operator's session, and the values set here in the Session timeout setting are completely ignored for sessions authorized in this way.
When applicable, the Session timeout setting specifies the maximum period of inactivity for which each operator in your enterprise can remain logged into the web interface of IT Asset Management. This is a "sliding expiration": when an operator performs any operation that interacts with the central application server (such as saving data, moving to a new page, or searching), the timeout period is reset for that operator and starts counting down again. The activity need not occur on a single browser tab or window: the operator may use several tabs or separate windows in the same browser, and a server interaction on any one of them restarts the countdown.
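The two branches above (an identity-provider-supplied SessionNotOnOrAfter limit that overrides the configured timeout, versus the sliding inactivity timer that triggers a re-check with the identity provider) can be modelled as a small decision routine. The following is an added example for this page, not Flexera's code. It assumes the assertion uses the standard urn:oasis:names:tc:SAML:2.0:assertion namespace and that its signature has already been verified before it reaches this code; both sample assertions are constructed for the example.

```python
"""Session-expiry decisions that follow the Session timeout rules above.

Added illustration for this page, not Flexera's code. Assumptions: the SAML
assertion uses the standard urn:oasis:names:tc:SAML:2.0:assertion namespace and
its signature has already been verified before it reaches this code; both sample
assertions are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; {limit_attr} is filled with or without the
# optional SessionNotOnOrAfter attribute on the AuthnStatement.
_TEMPLATE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2024-05-06T09:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-05-06T09:00:00Z" SessionIndex="_s1"{limit_attr}>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""
ASSERTION_WITH_LIMIT = _TEMPLATE.format(
    limit_attr=' SessionNotOnOrAfter="2024-05-06T17:00:00Z"')
ASSERTION_WITHOUT_LIMIT = _TEMPLATE.format(limit_attr="")


def _instant(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-05-06T17:00:00Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def session_not_on_or_after(assertion_xml: str):
    """Return the identity provider's SessionNotOnOrAfter limit, or None if it sent none."""
    statement = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if statement is None:
        return None
    value = statement.get("SessionNotOnOrAfter")
    return _instant(value) if value else None


def next_action(assertion_xml, last_activity_iso: str, now_iso: str, timeout_hours: int) -> str:
    """Decide what the service provider does for a session at instant now_iso.

    assertion_xml is None for a Flexera Account Management login. Returns:
      'continue'  the session is still valid
      'ask_idp'   the sliding timer elapsed and the IdP gave no limit: re-validate with the IdP
      'expired'   the session has ended; the operator must log in again
    """
    now = _instant(now_iso)
    limit = session_not_on_or_after(assertion_xml) if assertion_xml else None
    if limit is not None:
        # The IdP-supplied limit wins; the configured Timeout period is ignored.
        return "continue" if now < limit else "expired"
    # Sliding expiration: the timer restarts at every server interaction.
    deadline = _instant(last_activity_iso) + timedelta(hours=timeout_hours)
    if now < deadline:
        return "continue"
    return "ask_idp" if assertion_xml else "expired"
```

Note that with an IdP-supplied limit the last-activity time plays no part at all, which is exactly why the configured Timeout period appears to "do nothing" for those operators; when reviewing a complaint that the timeout setting has no effect, the first check is whether the identity provider is populating SessionNotOnOrAfter.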
- Choose a setting for your enterprise from the Timeout period options list:
  - 12 hours (the default)
  - 4 hours
  - 1 hour
  - 30 minutes
- Click Save (on the right side).
The operator has to log in again after any of the following events:
- The timeout period expires
- Cookies are cleared on the web browser
- The operator logs out
- The operator switches to a different web browser or computing device.
Since the cookie's countdown value is set as the operator logs in, any change to this value only reaches an operator after one of the above events, when the operator has to log in again. A change in the setting doesn't affect any sessions already running before the change was saved: these continue with their previous timeout values until one of the above listed conditions occurs.
Authentication
The settings in this part allow integration of your cloud-based implementation of IT Asset Management with a SAML-based single sign-on solution (such as Okta or similar products). In SAML terminology, the authentication tool is called the identity provider, which controls access to a service provider or application (in this case, IT Asset Management). For details about using a SAML 2.0-compliant system for single sign-on, see the chapter on Authentication in the IT Asset Management System Reference, available at https://docs.flexera.com/.
General information
- SAML assertion signing is supported — When SAML tools send assertions of identity to service providers, many of them require support for digital certificates to secure the communication. IT Asset Management supports this use of digital certificates, taking all the necessary details from the metadata XML file supplied by the identity provider. (However, this applies only to signing the assertion from the identity provider to the service provider. The reverse, the original request from the service provider, is not signed.)
- SAML assertion encryption is not supported — Communications between your identity provider and your service provider always pass through the operator's web browser. These communications are protected by the HTTPS protocol and the encryption it provides; and in the case of the IT Asset Management service provider, the packages exchanged are digitally signed and cannot be tampered with. However, IT Asset Management does not provide additional encryption within that framework, so that data is not encrypted in the moments within the operator's web browser.
- Identity provider logout is not supported — Naturally, when an operator logs out (locally) from IT Asset Management, this has no effect on the identity provider: logging out of the service provider removes the local session cookies from the operator's web browser, but does not change the operator's identity validation with the identity provider (see next tip). However, in the case of IT Asset Management, logging out (centrally) from the identity provider does not force a logout from the service provider, and the operator's current session in IT Asset Management continues until the operator also logs out locally (in other words, single sign-out is not supported).
SAML identity provider metadata
- URL — This is the URL provided by your identity provider for download of its metadata document. The metadata is an XML document that contains information necessary for IT Asset Management to interact with the identity provider. The file can contain URLs of endpoints, information about supported bindings, identifiers, and public keys. (For more information, see the SAML 2.0 metadata schema available at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.)
Tip: When you click Save with a value in this field, IT Asset Management immediately downloads and validates the metadata file. If there are any errors, you see an alert to help you remedy the problem. The authentication settings cannot be saved until a valid metadata file is obtained.
- Metadata file — You can browse to the metadata XML file, if you have a local copy (or enter the full file path, if you cannot browse). With this option, the metadata XML file must contain the URLs required to allow IT Asset Management to link to your identity provider. Once you have selected the metadata file, click Upload to save a copy to the central application server. The uploaded file is validated, and authentication settings cannot be saved without a valid metadata file.
Active identity provider(s)
- Flexera Account Management — This is the default, and is always the case for enterprises that are not implementing a SAML-compliant, single sign-on solution. With this setting, all operators (within this tenant) must log in using Flexera Account Management, providing their user name and password to start each session. The login screen does not provide any access to a single sign-on option. If an operator who is not currently logged in attempts to navigate to your customized tenant-specific URL, she is redirected to the Flexera login page.
Tip: Any operator who makes six unsuccessful attempts to log in within a day is locked out permanently. (The days are measured from midnight at the cloud application server, so Pacific time for the US server, and Central European time for the EU instance.) To recover an operator's account that has been locked out, please contact Flexera Support with details.
- Flexera (default) with SAML identity provider (pilot) — This setting is intended for a transition period when you are migrating operators from Flexera Account Management to the use of your SAML-compliant identity provider. Operators navigating to your customized tenant-specific URL see a login screen requesting their Flexera credentials. To test your single sign-on solution, operators may navigate to your SAML identity provider's list of supported applications, and select IT Asset Management from that listing (service provider initiated SSO).
- SAML identity provider (default) with Flexera option — This option provides two separate paths for logging in:
  - Operators navigating to your customized tenant-specific URL (such as https://exampleTenant.flexnetmanager.com/Suite) are redirected to the login page from your SAML identity provider (for example, Okta).
  Tip: The tenant name used in the URL (shown here as exampleTenant) must be registered with Flexera, through your consultant or Support contact. Until there is a tenant name registered, the tenant UID is used instead, which is neither memorable nor particularly meaningful to your operators.
  - Operators navigating to a non-tenanted URL (such as https://www.flexnetmanager.com/Suite) are redirected to the Flexera login page.
- SAML identity provider only — All operators (for your tenant) must log in using your SAML identity provider. When an operator who is not currently logged in attempts to navigate to your customized tenant-specific URL, she is redirected to your single sign-on solution.
Warning: In this mode, any operator who has credentials only through your SAML identity provider cannot log in through the non-tenanted URL (such as https://www.flexnetmanager.com/Suite). Any attempt to do so will fail. If an administrator has credentials for both kinds of identity provider, she can navigate to the non-tenanted URL (such as https://www.flexnetmanager.com/Suite), and log in with her Flexera credentials. Flexera Account Management then passes back to IT Asset Management the authorization for this person to access the specific tenant; but since this tenant is now configured for the SAML identity provider only, access is refused, the login attempt is redirected to your single sign-on solution, and the administrator must log in again.
When you have completed your settings, click Save (bottom right). Your settings are validated, and you have an opportunity to fix any problems. When all is well, the configuration details are saved to the central compliance database for the current tenant.
Troubleshooting your authentication settings
- If you received an error with a particular error code, copy this from your error message, and paste it into a simple filter on the Description column. The error codes are reproduced in the detailed descriptions so that this filter finds instances of just the chosen error.
- To check all related log items, click Add filter, pick Activity, and choose SAML authentication.
IT Asset Management (Cloud)