IT Asset Management Settings: Security Tab

IT Asset Management (Cloud)
The Security tab on the IT Asset Management Settings General page enables you to specify global security settings. This page divides the security settings into the following sections:
  • Documents
  • Session timeout
  • Authentication.

Documents

This section contains global settings that control which attachment methods are allowed across the web interface of IT Asset Management. The fields associated with these settings appear or disappear throughout the web interface, based on the settings you specify here. You may choose any combination of the following options:
  • Document upload — Select this check box to allow documents to be uploaded in any location where files can be attached in the web interface of IT Asset Management. Uploaded documents are saved in the central compliance database.
  • File location — Select this check box to enable text fields in which operators can enter a file path (such as a network share). The file itself is not uploaded; only this reference to its location is saved.
  • URL — Select this check box to enable text fields in which operators can enter a URL hyperlink to a location elsewhere, either on your corporate intranet or on the public Internet, as appropriate.
    Tip: When an operator enters a URL in a field resulting from this setting (for example, in the Documents tab of license or contract properties), a modal dialog appears asking whether the operator wishes to continue with the redirect. The URL is provided in a read-only text field in the modal dialog, allowing the operator to safely copy and paste the URL to check accuracy before confirming the URL redirection.

Session timeout

Note: The Session timeout setting applies in two slightly different ways:
  1. When operators have logged in through Flexera Account Management, the timeout value always applies, as described below.
  2. When you have configured any operators' accounts to log in through a SAML 2.0-compliant identity provider (such as Okta), the timeout value is used only when the identity provider does not return its own timeout information in the optional SessionNotOnOrAfter attribute within its assertion:
    • When the identity provider does not provide timeout information, the value set here is used as a timer for asking the identity provider whether the session is still valid. If so, the session continues; or if not, the operator is redirected to the configured authentication URL.
    • When the identity provider includes the SessionNotOnOrAfter attribute, the supplied time/date limit is applied to the operator's session; and the values set here in the Session timeout setting are completely ignored for sessions authorized in this way.
For more information, see the Authentication chapter of the IT Asset Management System Reference PDF, available at https://docs.flexera.com/.

When applicable, the Session timeout setting specifies the maximum period of inactivity for which each operator in your enterprise can remain logged into the web interface of IT Asset Management. This is a "sliding expiration": when an operator performs any operation that interacts with the central application server (such as saving data, moving to a new page, or searching), the timeout period is reset for that operator, and starts counting down again. The activity need not occur in a single browser tab or window: the operator may use several tabs or separate windows in the same browser, and a server interaction in any one of them restarts the countdown.

This is a single time limit for all operators in your enterprise (although, of course, the countdown runs separately for each operator's web browser). As noted above, exceptions apply for any operators logged in through your chosen single sign-on where your identity provider supplies a value for the SessionNotOnOrAfter attribute within its assertion.
  1. Choose a setting for your enterprise from the Timeout period options list:
    • 12 hours (the default)
    • 4 hours
    • 1 hour
    • 30 minutes.
  2. Click Save (on the right side).
The timeout is enforced through a session cookie set at login: while the cookie is valid, the application server does not demand a new login. This means that a new login is required on the first attempt to access any web interface page after any of the following events:
  • The timeout period expires
  • Cookies are cleared on the web browser
  • The operator logs out
  • The operator switches to a different web browser or computing device.

Since the cookie's countdown value is set as the operator logs in, any change to this value only reaches an operator after one of the above events, when the operator has to log in again. A change in the setting doesn't affect any sessions already running before the change was saved: these continue with their previous timeout values until one of the above listed conditions occurs.
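The following is an added example, not Flexera's code, that models the session rules described above so that the two behaviours can be compared side by side: an IdP-supplied SessionNotOnOrAfter value is an absolute limit that activity cannot extend, whereas the configured timeout is a sliding inactivity window fixed at login time (for SAML sessions it triggers a re-check with the identity provider; for Flexera Account Management sessions it forces a new login). The assertion fragments, timestamps and the OperatorSession class are all constructed for the example.

```python
"""Effective session expiry for an operator session (added example, not Flexera code)."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The four Timeout period options offered on the Security tab.
TIMEOUT_OPTIONS = {
    "12 hours": timedelta(hours=12),
    "4 hours": timedelta(hours=4),
    "1 hour": timedelta(hours=1),
    "30 minutes": timedelta(minutes=30),
}

# Constructed assertion fragment (not real IdP output): only the AuthnStatement
# matters here; signature, subject and conditions are omitted.
ASSERTION_WITH_LIMIT = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2024-01-01T08:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-01-01T08:00:00Z" SessionIndex="_s1"
                       SessionNotOnOrAfter="2024-01-01T09:00:00Z"/>
</saml:Assertion>
"""
# Same assertion from an IdP that omits the optional attribute.
ASSERTION_WITHOUT_LIMIT = ASSERTION_WITH_LIMIT.replace(
    'SessionNotOnOrAfter="2024-01-01T09:00:00Z"', "")


def parse_saml_time(value):
    """SAML dateTime values are UTC and normally end in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def idp_session_limit(assertion_xml):
    """SessionNotOnOrAfter from the AuthnStatement, or None if the IdP omitted it."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "SessionNotOnOrAfter" not in stmt.attrib:
        return None
    return parse_saml_time(stmt.attrib["SessionNotOnOrAfter"])


class OperatorSession:
    """One operator's session as the application server tracks it via the cookie."""

    def __init__(self, login_time, timeout_option, assertion_xml=None):
        self.via_saml = assertion_xml is not None
        self.idp_limit = idp_session_limit(assertion_xml) if self.via_saml else None
        # The countdown length is fixed when the cookie is issued at login; changing
        # the Security tab setting later does not affect a running session.
        self.timeout = TIMEOUT_OPTIONS[timeout_option]
        self.last_activity = login_time

    def check(self, now):
        """What the server does with a request arriving at `now`."""
        if self.idp_limit is not None:
            # Absolute limit from the IdP; the configured timeout is ignored entirely.
            return "continue" if now < self.idp_limit else "redirect_to_idp"
        if now < self.last_activity + self.timeout:
            return "continue"
        # Sliding window elapsed: a SAML session asks the IdP whether it is still
        # valid; a Flexera Account Management session requires a fresh login.
        return "ask_idp" if self.via_saml else "login_required"

    def touch(self, now):
        """Any server interaction (save, navigate, search, in any tab) resets the countdown."""
        if self.check(now) == "continue":
            self.last_activity = now
```

Run through, a SAML session with a 09:00 SessionNotOnOrAfter is redirected to the IdP at 09:00 even if the operator saved something at 08:59, while a SAML session without the attribute on the 30-minute setting keeps going as long as some tab talks to the server within each 30-minute window.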

Authentication

The settings in this part allow integration of your cloud-based implementation of IT Asset Management with a SAML-based single sign-on solution (such as Okta or similar products). In SAML terminology, the authentication tool is called the identity provider, which controls access to a service provider or application (in this case, IT Asset Management). For details about using a SAML 2.0-compliant system for single sign-on, see the chapter on Authentication in the IT Asset Management System Reference, available at https://docs.flexera.com/.

General information

The General information section provides read-only values of the settings configured in IT Asset Management. These may be safely copied and pasted into the settings for your identity provider. For details of configuring your chosen identity provider, see the documentation supplied with that tool.
Tip: The Features supported list shows that:
  • SAML assertion signing is supported — When SAML tools send assertions of identity to service providers, many of them require support for digital certificates to secure the communication. IT Asset Management supports this use of digital certificates, taking all the necessary details from the metadata XML file supplied by the identity provider. (However, this applies only to signing the assertion from the identity provider to the service provider. The reverse, the original request from the service provider, is not signed.)
  • SAML assertion encryption is not supported — Communications between your identity provider and your service provider always pass through the operator's web browser. These communications are protected in transit by HTTPS; and in the case of the IT Asset Management service provider, the messages exchanged are digitally signed and cannot be tampered with. However, IT Asset Management does not provide additional encryption within that framework, so assertion data is in clear text while it is in the operator's web browser.
  • Identity provider logout is not supported — Naturally, when an operator logs out (locally) from IT Asset Management, this has no effect on the identity provider: logging out of the service provider removes the local session cookies from the operator's web browser, but does not change the operator's identity validation with the identity provider (see next tip). However, in the case of IT Asset Management, logging out (centrally) from the identity provider does not force a logout from the service provider, and the operator's current session in IT Asset Management continues until the operator also logs out locally (in other words, single sign-out is not supported).
In addition, a limitation of the underlying library (Kentor.AuthServices) means that SAML authentication for IT Asset Management cannot support Federal Information Processing Standards (FIPS).
Tip: Because locally logging out from IT Asset Management removes local cookies from the operator's browser, a re-authorization is forced when the operator next attempts to access IT Asset Management, just as you expect. However, if the operator with a SAML tool account is still logged in to the identity provider (and therefore authorized), the re-authorization succeeds immediately, and the operator does not see another login screen. This may confuse some operators: "I just logged out, so how come I can still access it?" The answer is that, because you are still authorized by the identity provider, another login is not required.

SAML identity provider metadata

The SAML identity provider metadata section allows you to provide information about your chosen identity provider to the service provider (IT Asset Management), allowing communication between these two. You may choose either of the following methods (but not both) to supply the necessary information:
  • URL — This is the URL provided by your identity provider for download of its metadata document. The metadata is an XML document that contains information necessary for IT Asset Management to interact with the identity provider. The file can contain URLs of endpoints, information about supported bindings, identifiers, and public keys. (For more information, see the SAML 2.0 metadata schema available at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.)
    Tip: When you click Save with a value in this field, IT Asset Management immediately downloads and validates the metadata file. If there are any errors, you see an alert to help you remedy the problem. The authentication settings cannot be saved until a valid metadata file is obtained.
  • Metadata file — You can browse to the metadata XML file, if you have a local copy (or enter the full file path, if you cannot browse). With this option, the metadata XML file must contain the URLs required to allow IT Asset Management to link to your identity provider. Once you have selected the metadata file, click Upload to save a copy to the central application server. The uploaded file is validated, and authentication settings cannot be saved without a valid metadata file.
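The checks that a service provider needs to perform on an identity provider's metadata document, as an added example that is not Flexera's validator: it extracts the entityID, the SingleSignOnService endpoints by binding and the signing certificate(s) from the EntityDescriptor, and rejects documents that are expired, lack a usable endpoint or certificate, or demand signed AuthnRequests (which, as noted under General information, this service provider does not send). The metadata document and the placeholder certificate bytes are constructed for the example.

```python
"""Validate SAML 2.0 IdP metadata before accepting it (added example, not Flexera code)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed metadata (not from a real IdP). The X509Certificate element holds a
# base64 placeholder, not a real certificate.
PLACEHOLDER_CERT = b"constructed placeholder, not a real certificate"
IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.com/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                       WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(PLACEHOLDER_CERT).decode())


class MetadataError(ValueError):
    """Raised with a message an administrator can act on."""


def validate_idp_metadata(xml_text, now=None):
    """Return {entity_id, sso, signing_certs} or raise MetadataError."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        raise MetadataError("metadata is not well-formed XML: %s" % e)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise MetadataError("root element is %s, expected md:EntityDescriptor" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID is missing")
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise MetadataError("metadata expired at %s" % valid_until)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not identity provider metadata")
    # The service provider does not sign its AuthnRequests, so an IdP that insists
    # on signed requests would reject every login attempt.
    if idp.get("WantAuthnRequestsSigned", "false").lower() == "true":
        raise MetadataError("IdP requires signed AuthnRequests, which are not sent")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location")
        if not (binding and location):
            raise MetadataError("SingleSignOnService without Binding or Location")
        if not location.startswith("https://"):
            raise MetadataError("SSO endpoint is not HTTPS: %s" % location)
        sso[binding] = location
    if not (sso.keys() & {HTTP_REDIRECT, HTTP_POST}):
        raise MetadataError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                raw = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                raise MetadataError("X509Certificate is not valid base64")
            if raw:
                signing_certs.append(raw)
    if not signing_certs:
        raise MetadataError("no signing certificate: assertion signatures could not be verified")

    return {"entity_id": entity_id, "sso": sso, "signing_certs": signing_certs}
```

A real validator would additionally parse each certificate and check its validity period; the point here is that every rejection carries a reason, which is what the alert you see on Save should give you.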

Active identity provider(s)

The final section allows you to set the operating mode for your SAML integration, choosing which identity providers are in use within your enterprise/tenant.
Tip: You can save one of the last three options only when a valid metadata file has also been identified.
You may choose one of the following:
  • Flexera Account Management — This is the default, and is always the case for enterprises that are not implementing a SAML-compliant, single sign-on solution. With this setting, all operators (within this tenant) must log in using Flexera Account Management, providing their user name and password to start each session. The login screen does not provide any access to a single sign-on option. If an operator who is not currently logged in attempts to navigate to your customized tenant-specific URL, she is redirected to the Flexera login page.
    Tip: Any operator who makes six unsuccessful attempts to log in within a day is locked out permanently. (The days are measured from midnight at the cloud application server, so Pacific time for the US server, and Central European time for the EU instance.) To recover an operator's account that has been locked out, please contact Flexera Support with details.
  • Flexera (default) with SAML identity provider (pilot) — This setting is intended for a transition period when you are migrating operators from Flexera Account Management to the use of your SAML-compliant identity provider. Operators navigating to your customized tenant-specific URL see a login screen requesting their Flexera credentials. To test your single sign-on solution, operators may navigate to your SAML identity provider's list of supported applications, and select IT Asset Management from that listing (service provider initiated SSO).
  • SAML identity provider (default) with Flexera option — This option provides two separate paths for logging in:
    • Operators navigating to your customized tenant-specific URL (such as https://exampleTenant.flexnetmanager.com/Suite) are redirected to the login page from your SAML identity provider (for example, Okta).
      Tip: The tenant name used in the URL (shown here as exampleTenant) must be registered with Flexera, through your consultant or Support contact. Until there is a tenant name registered, the tenant UID is used instead, which is neither memorable nor particularly meaningful to your operators.
    • Operators navigating to a non-tenanted URL (such as https://www.flexnetmanager.com/Suite) are redirected to the Flexera login page.
  • SAML identity provider only — All operators (for your tenant) must log in using your SAML identity provider. When an operator who is not currently logged in attempts to navigate to your customized tenant-specific URL, she is redirected to your single sign-on solution.
    Warning: In this mode, any operator who has credentials only through your SAML identity provider cannot log in through the non-tenanted URL (such as https://www.flexnetmanager.com/Suite). Any attempt to do so will fail. If an administrator has credentials for both kinds of identity provider, she can navigate to the non-tenanted URL (such as https://www.flexnetmanager.com/Suite), and log in with her Flexera credentials. Flexera Account Management then passes back to IT Asset Management the authorization for this person to access the specific tenant; but since this tenant is now configured for the SAML identity provider only, access is refused, the login attempt is redirected to your single sign-on solution, and the administrator must log in again.

When you have completed your settings, click Save (bottom right). Your settings are validated, and you have an opportunity to fix any problems. When all is well, the configuration details are saved to the central compliance database for the current tenant.

Troubleshooting your authentication settings

Problems with the interaction between your identity provider and service provider (IT Asset Management) are recorded in the Activity Log page of the web interface (search for Activity Log). On this page, you can isolate particular issues in either of the following ways:
  • If you received an error with a particular error code, copy this from your error message, and paste it into a simple filter on the Description column. The error codes are reproduced in the detailed descriptions so that this filter finds instances of just the chosen error.
  • To check all related log items, click Add filter, pick Activity, and choose SAML authentication.