Download SecureAuth

23.07SecureAuth ToolsSecureAuth Certificate Installer for macOSThe Certificate Installer will place the SecureAuth Certificate Authority (CA) intermediate and root certificates onto an macOS workstation. For more information about the certificates, see the SecureAuth support document SecureAuth CA Public Certificates.Supported operating systemsFor supported macOS, see the SecureAuth compatibility guide for your release.Certificate installationDisclaimerTHIS SOFTWARE IS PROVIDED "AS IS" AND SECUREAUTH CORPORATION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL SECUREAUTH CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWAREGo to the Product Downloads page and scroll down to the Support Tools section. Then, download SecureAuth Certificate Installer for Mac.Unzip the archive.Navigate to the SecureAuth Certificate Installer and launch it.On the welcome screen, click Install.If prompted for authorization for SecureAuth Certificate Installer to make changes, then provide the credentials, and click OK.When the installation is complete, click OK to exit the installer.

In this case, your Git repository acts as a single source of truth for your SecureAuth configuration. This leads to increased productivity for your teams, enhanced developer experience, improved stability, reliability, and consistency.It is possible to configure your SecureAuth platform deployment declaratively using the acp-cd Helm Chart. The configuration import can be used for all SecureAuth deployment types including the SecureAuth SaaS deployment or SecureAuth deployment on Kubernetes.The acp-cd Helm Chart is responsible for creating a Kubernetes job that seeds SecureAuth with configuration. You can, for example, define client applications, gateways (both for multi-tenant and single-tenant authorizers), policies, and APIs.For details, read Declarative configuration import.Apigee X/Apigee EdgeApigee X and Apigee Edge are API development and management platforms. Both provide an abstract layer for your backend service APIs and provide security, rate limiting, quotas, analytics, and more. The gateways are based on the concepts of API products and API Proxies. An API proxy is a facade on Apigee Gateway that is, in fact, a set of configuration files and policies for one or more APIs. API proxies are usually delivered to consumers in groups. Such groups are called API products. To control an API proxy, flows that contain logic, condition statements, error handling, and more, are added to the proxy. Such flows can be used to introduce an external API access control enforcement tool and this is where SecureAuth steps in.Authorization is vast enough to be addressed by specialized products and its requirements are driven by non-trivial and real-life use cases and security requirements. Since Apigee Gateways allow to externalize authorization decisioning using their flows features, you can bring in SecureAuth to satisfy the authorization requirements and to greatly improve your API security.With SecureAuth you can centrally manage authorization policies at the authorization server level. SecureAuth discovers APIs by pulling them from your Apigee Edge or Apigee X platform and, later on, allows you to apply authorization policies to enforce access control and to prevent your APIs from unauthorized access. When SecureAuth is integrated with Apigee X or Edge platform, it implements externalized policy decision at the endpoint level enforced by the proxies provided by Apigee Gateways. Beyond this service-to-service authorization use case, it also covers authorization and authentication use cases related to the consumption of externally exposed APIs.Apigee X/Edge Authorizer is a built-in SecureAuth feature that allows you to download a package with the authorizer to easily integrate your SecureAuth instance with your Apigee X/Edge platform. It provides you with a possibility to automatically install a shared flow that contains two policies provided out-of-the-box that are responsible for communicating with the Apigee X/Edge Authorizer, blocking/allowing the request depending on its decision, and for delivering an error status as a response

SecureAuth IdP 9.3SecureAuth ToolsSecureAuth Hard Token Decrypt ToolApplies to Identity Platform 9.2 to 19.07Use this guide to install and use the SecureAuth Hard Token Decrypt Tool, which decrypts HID hard OATH tokens to enable their use in Multi-Factor Authentication.The SecureAuth Hard Token Decrypt Tool can decrypt batch or single HID hard tokens, in which administrators can provision user accounts, enabling users to use their HID hard tokens. By using the Account Management (Help Desk) realm, administrators can upload HID hard token OATH Seeds to user profiles for identity validation in other SecureAuth IdP realms for access to protected resources.PrerequisitesHID Hard tokens, the .pskc package, and the secret keyNew or existing realm configured for Account Management (Help Desk)See Configure Identity Platform for HID hard token provisioning and useInstall SecureAuth Hard Token Decrypt toolGo to the Product Downloads page and scroll down to the Support Tools section. Then, download the SecureAuth Hard Token Decrypt Tool and save it to any Windows computer.Run the SecureAuth-Decrypt-Seed-1.0.5.exe file to install and set up the tool.Click Next.Select the location of the SecureAuth Decrypt Seed and click Next.The path is hardcoded; however, distinct drives can be selected.Confirm the settings and click Install.Wait for the installer to complete.Once the installation is complete, click Finish.Decrypting HID hard tokensThe Decrypt Tool has the following decryption options:Batch – Package of HID hard tokens, up to 25 at a time (use command-line tool)Single – One HID hard token at a time (use command-line tool)Online – Go to a website that enables single decryption of a HID hard token (no command-line tool)Batch decryption of multiple HID hard tokens (command-line)Upload the HID token package (.pskc file) to the DecryptSeed folder.The batch command decrypts one package at a time.At the command prompt, cd to the \SecureAuth\DecryptSeed folder.Run the DecryptSeed command, using the following values:Code syntax:DecryptSeed.cmd /k /i /o Code example:DecryptSeed.cmd /k 993E183A58C1287BE4E8FC3555C8438C /i 0654150_0000000794.pskc /o decryptedseeds.csvReplace with the secret key of the HID package (for all tokens)Replace with the file name of the HID token package (.pskc)Replace with the name of the existing or new output CSV file. Take note that if a file exists, the data is appended to the existing file.In the DecryptSeed folder, locate the CSV output, which contains the serial numbers for the HID hard tokens with the decrypted OATH Seed value. (Serial numbers are located on the back of each HID hard token.)Single decryption of a HID hard token (command-line)Upload

This document describes the steps to integrate SecureAuth with client authentication and software downloads for the WatchGuard Mobile VPN with SSL client. SecureAuth offers a variety of two-factor authentication methods: Time-based passcodes Push-to-accept Email one-time passcodes (OTP) SMS OTP Knowledge-based authentication (KBA/KBQ) This document explains how to use the email OTP authentication method only. For information about other two-factor authentication methods, see the SecureAuth documentation. Test Topology and Workflow This diagram outlines the topology used in the integration. In this diagram, the SecureAuth Identity Provider (IdP) server and SecureAuth IdP RADIUS server are located on the same computer. This diagram shows the workflow for two-factor authentication through integration with SecureAuth: The SSL VPN client initiates primary authentication to the WatchGuard Firebox. The Firebox sends an authentication request to the SecureAuth Identity Provider (IdP) RADIUS server. The SecureAuth IdP RADIUS server connects to the SecureAuth IdP server. The SecureAuth IdP server forwards the authentication request to the Active Directory (AD) server where the user information is stored. The SecureAuth IdP RADIUS server completes primary authentication. The SecureAuth IdP RADIUS server requests secondary authentication from the SecureAuth IdP server. The SecureAuth IdP server requests secondary authentication information (mail address) from the AD server. The AD server sends a response. SecureAuth Cloud Services are conducted through the SecureAuth IdP server. (SecureAuth IdP server calls the SMTP server to send OTP mail.) The SecureAuth IdP server receives the secondary authentication result. The SecureAuth IdP server sends the secondary authentication result to the SecureAuth IdP RADIUS server. The SecureAuth IdP RADIUS server returns the secondary authentication result to the WatchGuard Firebox. The Firebox grants the user access. Platform and Software The hardware and software used to complete the integration outlined in this document include: WatchGuard Firebox with Fireware v12.4.1 SecureAuth IdP v9.3 SecureAuth RADIUS Server v2.5.1 Active Directory (AD) server with Windows Server 2016 Configure SecureAuth IdP Server The high-level steps to configure the Secure IdP server include: Configure email settings Configure the LDAP connection Configure the default workflow Enable API authentication To configure email settings: Log in to the SecureAuth admin console. In the upper-right corner, click Go to Classic Experience. Select Admin Realm. From the Realm Navigation section, select the SecureAuth998 check box. Select the Overview tab. In the Advanced Settings section, click Email Settings. In the SMTP section, in the Server Address text box, type the SMTP server address. In the Port text box, type 25. In the Username and Password text boxes, type the user name (email) and password. The system sends a one-time passcode to the email address specified here. In the Email section, in the Sender Address text box, type the email address that is used to send the