oxTrust Administrative Graphical User Interface (GUI)

Overview

This section of the docs covers various features associated with managing your federation service via the Gluu Server interface ("oxTrust"). There is a corresponding page in the Gluu Server user interface for each of the sections below. When necessary, this document will link to dedicated sections within the docs where additional operational details are provided.

Accessing the UI

The Gluu Server administration interface is accessible by navigating to https://hostname (the one you provided during setup). When you first complete an installation, the default username is admin and the password is the same as the LDAP superuser password.

Welcome Page

After successful authentication the administrator is taken to the Dashboard. Some basic information about the VM/server is displayed as well as the server version, free memory, and disk space. In the top right there is a user icon which can be used to log out of oxTrust. The left hand menu is used to navigate the admin interface.

Configuration

From the configuration tab, the Gluu Server administrator can manage certain non-protocol related tasks.

Organization Configuration

There are three tabs in the organization configuration page:

1. System Configuration
2. SMTP Server Configuration
3. oxTrust Settings

System Configuration

• Self-service password reset: Allow users to trigger password reset sequence by following url like https://your.idp.host/identity/person/passwordReminder.htm. A new password will be sent to email box provided in "Email" attribute of their user entry (if any). In order for this feature to work, the admin will also need to perform SMTP Server Configuration.

• SCIM Support: Enable SCIM Support if you plan on using the SCIM protocol to move identity data from applications to Gluu and vice versa.

• DNS Server(s): If the organization uses any custom DNS Server(s), the address should be added here.

• Maximum Log Size (MB): By default the maximum size of the log file is 200 mb. This value can be increased or decreased depending on the organizations requirements.

• User can edit their own profile: oxTrust has a profile section for each user. If this option is enabled, users will be able to log into oxTrust and edit the values associated with their user.

• Contact Email: This email will be displayed on all error pages with a note instructing users to contact for troubleshooting and assistance.

SMTP Server Configuration

The Gluu Server needs a mail server in order to send notifications. All fields in this form are manadory and the configuration can be tested before confirmation.

Fields	Description
SMTP Host	HostName of the SMTP server
From Name	Name of the sender
From Email Address	Email Address of the Sender
Requires Authentication	This Checkbox is enables authentication of the sender
SMTP User Name	User Name of the SMTP
SMTP Password	Password for the SMTP
Requires SSL	This checkbox is to enable the SSL
SMTP Port	Port number of the SMTP server

oxTrust Settings

From the oxTrust Settings page the administrator can find the oxTrust build date and number, and manage the organization name, logo, and favicon. This page also contains the name of the Gluu Server administrator group. Users added to this group will have administrator access to the Gluu Server.

JSON Configuration

There are three tabs included in the JSON Configuration menu:

oxTrust Configuration

From this tab you can access and edit the oxTrust JSON configuration file. Click the update button at the bottom of the page to save any changes.

WhiteList/BlackList URIs

An administrator can allow or deny access to URI's by updating JSON properties in the oxTrust UI

Configure WhiteList/BlackList of URIs

1. Click on Configuration > JSON Properties
2. Click oxTrust properties tab and search for whitelist and blacklist label.

oxAuth Configuration

The oxAuth JSON configuration page gives easy access to the different endpoints used by Gluu Server CE. This page also contains the supported response, grants, and algorithms.

Session Management

The Gluu Server administrator can manage oxAuth sessions by adding the desired session time in seconds as the value for the sessionIdUnusedLifetime field. Check the session management section of the documentation to learn more.

oxTrust Import Person Configuration

The oxTrust Import Person Configuration page contains the configuration for the file method of importing users into the Gluu Server. The administrator can import users from an xls file which must be defined in this tab to import data in the LDAP attributes. The default format should contain the following fields:

• givenname
• sn
• uid
• firstname, etc..

Manage Authentication

Manage LDAP Authentication

This section allows the Gluu Server administrator to define how and where the server should connect to authenticate users. If it is a remote LDAP/Active Directory server, the values are required. Put the details of the data source that you are trying to connect with Gluu Server. For example, the data source can be your back-end Active Directory, or your local LDAP server.

• Name: This field contains the name of the authentication server.

• Bind DN: The Username for the authentication server (local LDAP/remote LDAP/remote Active Directory) goes here.

• Max Connections: This option can be used to define the total number of simultaneous connections allowed for reading local LDAP/remote Active Directory/remote LDAP.

• Primary Key: This field contains the primary key to connect to the authentication server (i.e. SAMAccountName/uid/mail etc.).

• Local Primary Key: This field contains the Gluu Server's internal LDAP primary key. Generally the key is either uid or mail.

• Server: The unique name of the authentication server and port number (e.g. auth.company.org:636) goes here.

• Base DN: Add base DNs in this field to allow the Gluu Server to connect and search the LDAP server. Every directory tree should be added separately using the Add Base DN option.

• Change Bind Password: This button assignes a password to authenticate the Authentication Server.

• Use SSL: Enable SSL if the authentication server requires a secured port (e.g. 636).

• Enabled: This check-box is used to enable the keys that are inserted in their respective fields.

• Deactivate: This button Deactivates/Activates the Gluu Server accessibility for authentication.

• Test LDAP Connection: Use this button to check whether the provided information is sufficient to connect to the authentication server. The scan is done in real time.

Default Authentication Method

This page allows the Gluu Server administrator to select the default authentication method and level for person authentication. Additional authentication mechanisms may be enabled via custom scripts.

Authentication Method	Description
Authentication mode	This mode is used when users login to applications via Gluu
oxTrust authentication mode	This mode is used for authentication to the Gluu Server GUI

Gluu Server relies on its core component called oxAuth when authenticating users accessing its services. User authentication is mandatory step which precedes any interactions defined by a variety of supported SSO protocols ( OpenID Connect, SAML, CAS )

• Authentication mode: This control defines method used for general authentication in oxAuth by default. It will also be applied to users accessing the oxTrust administrator interface, unless overriden by "oxTrust authentication mode". Remote applications may also specify desired authentication method explicitly by including "acr_values=" url query parameter during initial authorization request of OpenID Connect flows.
• oxTrust authentication mode: This control defines authentication method used when user is accessing the oxTrust administrator interface. By setting "oxTrust authentication mode" to some other (possibly stricter, like Duo auth) method you may ensure administrator's tools are properly protected against malicious users.
• Passport Support: This control enables Passport component, an authentication middleware offering an easy access to a variety of third-party authentication mechanisms, like ones offered by Google+, Twitter, Facebook, allowing them to easily be used for users' authenticattion in Gluu Server.

Two values are available for selection out-of-the-box: "Default" and "auth_ldap_server". The later instructs corresponding modules to use a basic LDAP bind authentication against LDAP server configured on "Manage LDAP Authentication" tab of this page, which is by default a Gluu's internal LDAP directory. When "Default" is set for "oxTrust authentication mode", it will fall-back to the default method set for oxAuth.

When a custom authentication script is enabled, its name is added to both dropdown lists, allowing you to select from a wide variety of prepackaged authentication methods, or define your own.

!!! Warning: If both default authentication methods are set to "Default", oxAuth will use basic LDAP bind authentication, but only until the moment some custom authentication script becomes enabled. In case there are enabled custom auth scripts, it will use the one with the lowest priority level (defined by "Level" setting) to authenticate all users automatically, even if you don't set it as default authentication mode explicitly. So if this script hasn't yet been properly configured you may lose access to your instance's web UI. Please ensure that you set at least "auth_ldap_server" method for "Authentication mode" before trying to explore other advanced authentication methods.

Manage Custom Scripts

The Gluu Server exposes interception scripts in places where it is common for organizations to implement custom workflows, or changes to the look and feel of the Gluu Server. The most commonly used scripts are for authentication, authorization, and identity synchronization. Each type of script has its own interface--in other words, what methods are available. For more information, see the reference page detailing each type of interception script.

Manage Registration

The Gluu Server is shipped with a very basic user registration feature. The registration page can be found at https://<hostname>/identity/register. For custom enrollment requirements we recommend that you write a registration page and use SCIM to add the user record to the Gluu Server. Also, in some cases oxTrust is not Internet facing, which makes it a bad option for user registration. Net-net, Use this feature only if you have very basic requirements! See user registration for more.

The tab has two options:

1. Disable Captcha for registration form
2. Configure Registration Form Attributes

Disable Captcha for registration form

This option adds a required CAPTCHA to the registration form.

Configure Registration Form Attributes

This section allows you to manage the list of attributes displayed in the registration form. Search, select, add, and order desired attributes here.

Attributes

Attributes are individual pieces of user data, like uid or email, that are required by applications in order to identify a user and grant access to protected resources. A list of user attributes that are available in your federation service can be found by navigating to Configuration > Attributes. For a detailed discussion of attributes, visit our attributes documentation page.

Cache Refresh

Cache Refresh, a.k.a. LDAP Synchronization, is the process of connecting one or more existing backend LDAP servers, like Microsoft Active Directory, with the Gluu Server's local LDAP server. Cache Refresh periodically searches these data sources, compares the results to previous searches, and if a changed user account is found, it is updated.The frequency of cache refresh is also set from this page via the Polling interval (minutes). The key attribute(s) is used to correlate a user if the user is found in more then one LDAP server. In this case, the two entries are joined. The source attributes specify which attributes will be pulled from the backend LDAP server. The backend server address, bind DN and other connection information is speciifed in the Source Backend LDAP Servers tab. More information on LDAP Syncronization can be found in the user management section of the docs.

Configure Log Viewer / View Log File

This tool can be used to view file system logs. If you don't like to ssh, Log Viewer is your friend! Several common logs are preconfigured, or you can define new logs by specifying the path.

Server Status

This page provides basic information about the Gluu Server such as the hostname, IP address, free memory & disk space. The number of users in the backend is also available in this page.

Certificates

The certificate page provides summary information about your SSL and SAML certificates. Learn more about certificate management in the Gluu Server.

SAML

If you deployed the Shibboleth SAML IDP or the Asimba SAML proxy during Gluu Server installation, you will see a link to manage inbound and outbound SAML requirements in the left hand navigation. Learn more about configuring and managing SAML in the SAML portion of the docs.

OpenID Connect

The OpenID Connect protocol is supported by default in all Gluu Server deployments. Learn more about configuring and managing OpenID Connect in the OpenID Connect portion of the docs.

UMA

UMA (User-Managed Access) is an access management protocol that is also supported by default in all Gluu Server deployments. Learn more about configuring and managing UMA in the UMA portion of the docs.

Users

The users tab allows the Gluu admin to perform various user management tasks like adding users, searching users, and importing users from a file. Learn more about managing users in the user management portion of the docs.

Personal

The personal tab allows an individual to view and manage (if enabled) their basic profile information. However, since oxTrust is designed to be an administrative tool it is often not Internet facing, making it a bad choice for user self-service profile management. In general, if user profile management is an important requirement for your organization, we recommend writing a separate app or forking our open source credential management app.