Step 1 - Configuring RAS Profile
To make it easier for business applications to request management of users, keys and devices along with signing operations, the ADSS RAS Service uses RAS Profiles. A RAS profile defines the format and characteristics of the SAM Service configurations (e.g. which SAM Service address, profile ID, Client ID to be used) and define characteristics of user authentication settings (e.g. Basic or SAML) that will be used when this profile is referenced in a user keys generation, device registration and signing request from a client application.
To create or edit a RAS Profile click on RAS Profiles and the following screen is shown:
A new profile can be created by clicking the New button. An existing profile can be edited by clicking the Edit button. If you want to create a new profile by copying large part of an existing profile then click Make a Copy. The following screen is shown:
The configuration items are as follows:
| Item | Description |
| Status | A SAM profile may be marked Active or Inactive. Note that an inactive profile will not not be used to process requests generated by client application. |
| Profile ID | A mandatory field which provides a system-defined unique identifier for this profile. |
| Profile Name | A mandatory unique name defined by the ADSS Server Administrator for easier recognition of the profile within the ADSS Operator Console. |
| Profile Description | This can be used to describe the profile in more detail (e.g. in which circumstances will this RAS profile be used). This is for information purposes only. |
| SAM Service Settings | This section defines the configuration required for requests forwarding to SAM Service. |
| SAM Service Address | Use this field to add SAM service address(es). |
| List of SAM Service Addresses | This field shows the SAM Service addresses that can be used to generate user keys, register user devices within SAM Service. Multiple service addresses can be added. The Test button checks that the ADSS SAM Service is available. The Remove button deletes a configured SAM Service address. |
| SAM Profile |
Specifies the SAM profile to be used for this RAS profile. |
| Client ID |
Shows the Client ID of SAM Service. RAS Service will send this Client ID while communicating with SAM service. SAM service verifies that this is a registered Client ID within the Client Manager module before granting access to this service. |
| Use TLS client Authentication | If this option is enabled then RAS service will communicate with SAM service using TLS client authentication. By default it is disabled. |
| Certificate |
Note: It is required to register the Issuer CA of the Client TLS certificate in Trust Manager with the CA for verifying TLS client certificates purpose.
|
| User Authentication Settings for Business Application |
This section defines the configuration required for user authentication mechanism for business application. |
| Basic Authentication (User ID and Password) |
Using Basic Authentication, the user is authorized by providing UserID and password, the RAS Service will return a user access token to the client application for the subsequent communication.
Note: By default it is disabled.
|
| OAuth2 Authentication |
The user is authenticated using OAuth2.0 mechanism. In this case, an access token is provided by RAS service that can be used by business application for subsequent communication. Note: By default it is disabled. |
| SAML Assertion |
Using SAML Authentication, the user is authorised using a SAML assertion provided by an external IDP, the RAS Service will validate the provided assertion and will return a user access token to the client application for the subsequent communication.
Note: By default it is disabled.
|
| IDP Signing Certificate |
Specifies the certificate use to verify SAML Assertion. |
| Identify UserID from Subject |
If enabled RAS service will get UserID from Subject Element of SAML Assertion. |
| Identify UserID from Attribute |
If enabled RAS service will get UserID from Attribute in SAML Assertion. |
| Attribute Name |
Specifies the Attribute Name use to get UserID from SAML Assertion by RAS Service. |
| Credentials Authorisation Setting |
This section defines the configuration required for credentials authorisation mechanism. |
| Implicit |
Implicit authorisation means that the RAS service is taking care of the authorisation process autonomously, by engaging with the user without any intermediation from the business application. |
| OAuth Authorisation Code | The authorisation for the user to access the signing key will be done by OAuth 2.0 authorisation code flow. The authorisation is returned in the form of an authorisation code, which the application shall then use to obtain SAD (Signature Activation Data). |
| User Authentication Settings for Mobile Application |
This section defines the configuration required for user authentication mechanism for mobile application. |
| Authenticate User with OTP(s) |
User is authenticated (at time of login and device registration) using the OTPs that are delivered to user’s mobile or email.
By selecting any check box user can received the OTPs on any of the selected option.
|
| Authenticate User with QR Code |
Go>Sign mobile app will send a request to RAS to authenticate the user, it will inform the mobile app, the user will be authenticated using a QR code. The Go>Sign mobile app will launch the mobile’s camera to scan the QR Code and ask the user to login to its Web RA account to get the QR Code. |
| No Authentication |
No authentication is required for a user at time of login and device registration. |
If both Basic Authentication (User ID and Password) and SAML Assertion are not enabled in the RAS profile then the RAS Service will authenticate the client with the provided Client ID and Client Secret and return a service access token to the Client Application for the subsequent communication.
The table of RAS profiles can be sorted in either Ascending or Descending order by selecting a table column from the drop down list. The list can be sorted by RAS Profile ID, RAS Profile Name, Created At time or Status.
Clicking on the Search button on RAS Profiles main page will display following screen:
This helps to locate a particular RAS profile, the RAS Service may have configured. The RAS profile can be searched based on "Status", "Profile ID", "Profile Name". If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.
If "_" character is used in the search then it will act as wildcard.
The Duplicate profile will be created without the Name and Description of the selected Profile. The Unique ID generates automatically or the next available ID will be assigned to the Profile.
See also