Configure VIP Login

Complete these procedures to configure VIP Login in VIP Manager.
  1. Log into VIP Manager.
  2. Select Policies in the navigation bar at the top of the page.
  3. Select the VIP Login tab, and click Edit.
     Figure: VIP Manager Policies tab
  4. To configure VIP Login to use VIP as the Identity Provider, enter the following information in the Organization Service Provider Settings section. Complete this section if you enable VIP Login.
     You can configure up to five Service Provider configurations. VIP Login associates the appropriate configuration with the Service Provider based on the EntityID that you send in your SAML authentication request.
     Optionally, you can upload the metadata file that you export from your Single Sign-On application software. The metadata file must contain the following information. Upload it by clicking Browse.
     Friendly Name: Unique identifier for the Service Provider configuration. Use a friendly name that helps your VIP administrators know which service provider this configuration applies to.
     EntityID: The unique identifier of your service provider. This identifier is typically in the form of a URI.
     Assertion Consumer Service URL: The URL of the Assertion Consumer Service endpoint for your service provider. VIP Login sends the SAML response to this endpoint.
     Audience: The URI that defines the audience for the SAML response. If this field is left blank, VIP Login uses the Assertion Consumer Service URL.
     Verification Certificate: The verification certificate that signs the SAML messages which you send as a service provider to the VIP Login Service (which acts as the identity provider). VIP Login uses this certificate to verify the authenticity of these SAML messages. Click Browse to upload the verification certificate.
  5. If you configure VIP Login to obtain out-of-band credential information from your local directory or datastore to issue temporary passwords, you must enable IdP under Organization Identity Provider (IdP) Settings. Then, enter the following information in the Organization Identity Provider (IdP) Settings section. This section is required only if VIP Login should obtain out-of-band credential information from your local directory or datastore. If you do not configure this section, VIP Login issues temporary passwords to the out-of-band credentials registered by your users.
     Optionally, you can upload the metadata file that you export from your Single Sign-On application software. The metadata file must contain the following information. Upload it by clicking Browse.
     EntityID: The unique identifier of your identity provider. This identifier is typically in the form of a URI.
     Single Sign-on Service URL: The URL for the Single Sign-on (SSO) Service endpoint for your identity provider. VIP Login sends the SAML request to this endpoint.
     Verification Certificate: The verification certificate that signs the SAML messages which you send as an identity provider to the VIP Login Service (which acts as the service provider). VIP Login uses this certificate to verify the authenticity of these SAML messages. Click Browse to upload the verification certificate.
  6. Save your changes.
  7. By default, VIP Login sends temporary passcodes to the email address that is configured for the user. If you want to send temporary passcodes to SMS or Voice credentials, you must enable these credential types in VIP Manager:
     • Select the Components tab on the VIP Manager VIP Policy Configuration page, and click Edit.
     • Select Yes to enable temporary security codes under the VIP Self Service Portal section. Then, select the credential types to which VIP Login sends temporary security codes.
       Optionally, configure the following settings:
       • Select Require second-factor authentication for first-time access to require the user to enter a security code as second-factor authentication when logging in for the first time. Then, select the credential types that the user can use to provide second-factor authentication.
       • Select Disable inline credential registration to prohibit end users from registering a new credential when signing in to a site. If you have enabled Require second-factor authentication for first-time access and you enable this option, your users are not able to register a new credential. They must contact their administrator to register their credentials.
       • Designate a default country code for your users who request temporary security codes using SMS messages or Voice calls from the VIP Self Service Portal. Phone numbers that already begin with this country code or with a "+" are not modified.
     Figure: Enabling temporary security codes on the Components tab in VIP Manager
  8. If you integrate VIP Intelligent Authentication (IA) with VIP Login, enable it in VIP Manager:
     • Select the VIP Intelligent Authentication tab on the VIP Manager VIP Policy Configuration page, and click Edit.
     • Select Yes next to Enable VIP Intelligent Authentication.
     • Configure your IA settings. For detailed information about configuring IA settings, refer to the online Help.
     Figure: Enabling IA on the VIP Intelligent Authentication tab in VIP Manager
  9. Second-factor flows only: If you integrate authentication levels with your SAML client, define them in VIP Manager:
     • Select Authentication Level in the secondary navigation bar at the top of the page.
     • For each authentication level you define, enter the following information on the Authentication Level page. Click the plus icon to define more authentication levels, up to a maximum of 10.
       Auth Level: Use this field to rank your authentication levels, from the lowest security (1) to the highest security (10).
       Description: Enter a name that identifies this authentication level, up to 150 characters.
       Authentication Method: Select each authentication method that users may use when authenticating to resources assigned this authentication level.
     • Click Save.
     Figure: Authentication Level page in VIP Manager
  10. Enable notification of additional credential registrations (optional). VIP can send an email to your users when additional credentials are registered to them in My VIP. The users must already be registered and have email addresses associated with them (VIP does not send an email during initial user registration).
     To enable the new credential registration email:
     • Contact your Symantec account representative to enable the feature.
     • Configure VIP to send the user email attribute as an out-of-band communication:
       • For VIP Enterprise Gateway: Edit the user store to include the Email attribute as a search criterion. See Modifying the user search criteria configured for a user store in the VIP Enterprise Gateway online Help for procedures.
       • For SAML: Configure your IdP to include the email attribute as an out-of-band attribute in the signed SAML assertion to VIP Login. The attribute should be in the following format (user@example.com is a placeholder address):
         <saml:Attribute Name="EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
           <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
         </saml:Attribute>
     Once configured, VIP sends a new credential registration email if an additional credential is registered to any existing user for which an email address is available.
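Before uploading a metadata file in the Organization Service Provider Settings or Organization Identity Provider (IdP) Settings section, it is worth confirming that the export actually carries the EntityID, the endpoint URL and the signing certificate that VIP Login needs. The following script is an added example, not Symantec's code; it uses only the Python standard library, and the SP and IdP metadata documents embedded in it are constructed samples with placeholder certificate values.

```python
"""Check that an exported SAML metadata file carries the fields VIP Manager asks for
(added example, not Symantec's code; the sample metadata below is constructed)."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# role -> (role descriptor element, endpoint element whose Location VIP Login needs)
ROLES = {"sp": ("SPSSODescriptor", "AssertionConsumerService"),
         "idp": ("IDPSSODescriptor", "SingleSignOnService")}


def check_metadata(xml_text, role):
    """Return (ok, fields): fields holds entity_id, endpoint and certificate
    ("" when missing); ok is True only when all three are present."""
    root = ET.fromstring(xml_text)
    descriptor_tag, endpoint_tag = ROLES[role]
    fields = {"entity_id": (root.get("entityID") or "").strip(),
              "endpoint": "", "certificate": ""}
    desc = root.find(MD + descriptor_tag)
    if desc is not None:
        endpoint = desc.find(MD + endpoint_tag)
        if endpoint is not None:
            fields["endpoint"] = (endpoint.get("Location") or "").strip()
        # Only a signing key can serve as the verification certificate; a KeyDescriptor
        # without 'use' covers both signing and encryption, so it counts as well.
        for kd in desc.findall(MD + "KeyDescriptor"):
            if kd.get("use", "signing") != "signing":
                continue
            cert = kd.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
            if cert is not None and cert.text and cert.text.strip():
                fields["certificate"] = "".join(cert.text.split())  # undo PEM line wrapping
                break
    return all(fields.values()), fields


# Constructed SP metadata with every required field present.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
 <md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor><md:AssertionConsumerService index="0"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/acs"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
# Constructed IdP metadata that publishes only an encryption key: no verification certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">
 <md:IDPSSODescriptor><md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>CONSTRUCTED-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor><md:SingleSignOnService Location="https://idp.example.com/sso"
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Running check_metadata(IDP_METADATA, "idp") reports the missing certificate as an empty string, which is the case to catch before VIP Login silently cannot verify signed requests from that party.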
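For the SAML option of the credential registration email, the assertion your IdP sends must carry the EMAIL attribute with the basic NameFormat shown above. The following check is an added example, not Symantec's code; it parses an assertion with the Python standard library and returns the address only when the attribute is present in that exact form, so a wrong or missing NameFormat or an empty value is reported rather than passed through. The assertions it tests against are constructed samples using a placeholder address.

```python
"""Check that a SAML assertion carries the EMAIL attribute in the form VIP Login expects
(added example, not Symantec's code; the sample assertions below are constructed)."""
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def email_from_assertion(assertion_xml):
    """Return the EMAIL attribute value, or None when the attribute is absent,
    uses a NameFormat other than 'basic', or carries no value."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("Name") != "EMAIL":
            continue
        # An absent NameFormat means 'unspecified', which is not the expected format.
        if attr.get("NameFormat") != BASIC:
            return None
        value = attr.find(SAML + "AttributeValue")
        if value is None or not (value.text or "").strip():
            return None
        return value.text.strip()
    return None


def assertion_with(attribute_xml):
    """Wrap one Attribute element in a minimal constructed AttributeStatement."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            'xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml:AttributeStatement>'
            + attribute_xml + '</saml:AttributeStatement></saml:Assertion>')


# Constructed assertion in the format VIP Login expects (placeholder address).
GOOD = assertion_with('<saml:Attribute Name="EMAIL" NameFormat="' + BASIC + '">'
                      '<saml:AttributeValue xsi:type="xs:string">user@example.com'
                      '</saml:AttributeValue></saml:Attribute>')
# Same value, but with the 'uri' NameFormat instead of 'basic': rejected.
WRONG_FORMAT = assertion_with('<saml:Attribute Name="EMAIL" '
                              'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
                              '<saml:AttributeValue>user@example.com</saml:AttributeValue>'
                              '</saml:Attribute>')
```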
Once you have configured VIP Login, continue with the following steps: