The Identity Management page appears.
Note: You cannot configure identity management if Active Directory is configured. Disable Active Directory to create an identity management profile.
This page displays:
The values that you have configured for identity management. You can either edit a few values or delete the entire configuration.
The connection status of this SRX device with the primary and secondary Juniper Identity Management Service (JIMS) servers.
Note: If you have not configured an identity management profile, the Configure button is displayed; click Configure to create a profile.
Table 252 explains the contents of this page.
/ (edit icon)—Enables you to edit the existing profile.
X (delete icon)—Deletes the existing profile.
Finish—Saves the configuration and returns to the main configuration page.
Back—Displays the General Information page and enables you to edit it.
Cancel—Cancels your entries and returns to the main configuration page.
Table 252: Identity Management Profile Page
Field | Displays the |
---|---|
General Information | |
Connection Type | type of connection (HTTP or HTTPS). |
Port Number | connection port to JIMS server. |
Primary IP Address | primary IP address of the JIMS server. |
Primary CA Certificate | primary CA certificate of the JIMS server. |
Primary Client ID | client ID of the device used to obtain an access token from the primary JIMS server. |
Secondary IP Address | secondary IP address of the JIMS server. |
Secondary Connection Status | connection status to the secondary JIMS server. |
Secondary CA Certificate | secondary CA certificate of the JIMS server. |
Secondary Client ID | client ID of the device used to obtain an access token from the secondary JIMS server. |
Query API | path of the URL for querying user identities. |
Token API | path of the URL for acquiring access token. |
Advanced Settings (Note: Advanced query cannot be configured when active-directory authentication or ClearPass Webapi is enabled. Disable active-directory-access and authentication-source under User-Identification, and disable webapi services, before committing the identity management configuration.) | |
Items per Batch | maximum number of items in one batch query. |
No IP Query | status of no-ip-query (Enabled/Disabled). |
Authentication Entry Timeout | timeout value of the authentication entry in identity management. |
No Authentication Entry Timeout | |
Address-book | |
Address-set | |
Domain | |
Table 253: Configure or Edit Identity Management Profile
Field | Function | Action |
---|---|---|
General Information - Connection for Primary and Secondary Identity | ||
Connection Type | Specifies the type of connection that you want when the device accesses the JIMS server. | Enter a connection type. The options available are: HTTPS and HTTP. |
Port | Specifies the connection port of JIMS server. | Enter the port number or press up or down arrow to either increment or decrement the port number. The default value is 443. |
Primary IP Address | Specifies the primary IP address of JIMS server. | |
Primary CA Certificate | Specifies the primary CA certificate of the JIMS server. The SRX device uses it to verify the JIMS server's certificate for the SSL connection. | Select Upload CA certificate to device or Specify the path of the file on device. |
Primary CA Certificate file upload | Enables you to locate and upload the CA certificate. | Click Browse to locate the CA certificate on your device and click Upload the selected CA certificate. |
Primary Client ID | Specifies the primary client ID of the SRX device to obtain access token. It must be consistent with the configuration of the API client created on JIMS. | Enter an ID. |
Primary Client Secret | Specifies the client secret of the SRX device to obtain access token. It must be consistent with the configuration of the API client created on JIMS. | Enter a password which enables you to access the primary identity management server. |
Secondary Identity Management Server | Enables a secondary JIMS server and its IP address, CA certificate, client ID, and client secret. | Select Enable to enable the secondary server. Note: If you enable the secondary server, the Secondary IP Address, Secondary CA Certificate file upload, Secondary Client ID, and Secondary Client Secret rows are displayed. Enter the IP address of the secondary server, browse and upload the secondary CA certificate, and enter the secondary client ID and secret in the respective fields. |
Token API | Specifies the path of the URL for acquiring an access token. | Enter the token API path. Default is 'oauth_token/oauth'. |
Query API | Specifies the path of the URL for querying user identities. | Enter the path of the URL used for querying. Default is 'user_query/v2'. Click Next. The Advanced Settings page is displayed. |
Advanced Settings | ||
Batch Query | ||
Item Per Batch | Specifies the maximum number of items in one batch query. | Enter the number of items. Range is 100 to 1000 and the default number is 200. |
Query Interval | Specifies the interval for querying the newly generated user identities. | Enter the number of seconds you need between each query. The range is 1~60 (seconds), and the default value is 5. |
IP Query | ||
Query Delay Time | Specifies the time delay to send individual IP query. | Enter the time in seconds. The range is 0~60 (seconds). The default value is 15 seconds, which depends on the delay time of auth entry retrieved from JIMS to SRX. |
No IP Query | Allows you to disable IP query. | Select if you want to disable the IP query function that is enabled by default. |
Authentication Timeout | ||
Authentication Entry Timeout | Specifies the timeout value for an authentication entry in identity management. The timeout interval begins when the authentication entry is added to the identity-management authentication table. If a value of 0 is specified, the entries never expire. | Enter the value in minutes. The value range is 0 or 10~1440 (minutes). 0 means no timeout. The default value is 60. |
Invalid Authentication Entry Timeout | Specifies the timeout value of an invalid authentication entry in the SRX Series authentication table for either Windows Active Directory or Aruba ClearPass. | Enter the value in minutes. The value range is 0 or 10~1440 (minutes). 0 means no timeout. The default value is 60. |
Filter | ||
Include IP Address Book | Specifies the predefined address book from which an address set must be selected as the IP filter. | Select an IP address book from the list. |
Include IP Address Set | Specifies the predefined address set selected as the IP filter. | Select an IP address set from the list. To add a new address set for the IP address book, click Add New Address Set. |
Exclude IP Address Book | Specifies the IP address book that you want the identity management profile to exclude. | Select an IP address book from the list. |
Exclude IP Address Set | Specifies the predefined address set that you want the identity management profile to exclude. | Select an IP address set from the list that you want to exclude. |
Filter to Domain | Specifies one or more Active Directory domains of interest to the SRX Series device. You can specify up to twenty domain names for the filter. | Enter the domain names separated by commas. |
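The ranges, defaults and timeout rule in Table 253 are the checks J-Web enforces before a profile is committed. The following is an added example, not code from this documentation or from Juniper: it validates a profile against those documented ranges, builds the token and query URLs the SRX would contact on the primary or secondary server (connection type, IP address, port and API path joined as shown), and models the authentication-entry timeout semantics (the interval starts when the entry is added; 0 means entries never expire). The JIMS request and response formats are not described on this page and are not modelled; the `IdentityManagementProfile` and `AuthEntryTable` names, and all IP addresses, client IDs and domain names, are constructed for the example.

```python
# Added example (not from the J-Web documentation or Juniper's own code):
# validates a JIMS identity-management profile against the ranges in
# Table 253, builds the token/query URLs, and models the auth-entry
# timeout rule. Sample values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address

CONNECTION_TYPES = ("HTTP", "HTTPS")
MAX_FILTER_DOMAINS = 20  # "up to twenty domain names"


@dataclass
class IdentityManagementProfile:
    """Fields mirror Table 253; defaults are the documented ones."""
    primary_ip: str
    primary_client_id: str
    primary_client_secret: str
    connection_type: str = "HTTPS"
    port: int = 443
    secondary_enabled: bool = False
    secondary_ip: str = ""
    token_api: str = "oauth_token/oauth"
    query_api: str = "user_query/v2"
    items_per_batch: int = 200            # 100..1000
    query_interval: int = 5               # 1..60 seconds
    query_delay_time: int = 15            # 0..60 seconds
    no_ip_query: bool = False
    auth_entry_timeout: int = 60          # 0 or 10..1440 minutes
    invalid_auth_entry_timeout: int = 60  # 0 or 10..1440 minutes
    filter_domains: tuple = ()


def _timeout_ok(minutes):
    # Documented range is 0 (never expire) or 10-1440; 1-9 is rejected.
    return minutes == 0 or 10 <= minutes <= 1440


def _valid_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def validate_profile(p):
    """Return a list of human-readable problems; an empty list means valid."""
    errors = []
    if p.connection_type not in CONNECTION_TYPES:
        errors.append("Connection Type must be HTTP or HTTPS")
    if not 1 <= p.port <= 65535:
        errors.append("Port must be 1-65535")
    if not _valid_ip(p.primary_ip):
        errors.append("Primary IP Address is not a valid IP address")
    if not p.primary_client_id or not p.primary_client_secret:
        errors.append("Primary Client ID and Client Secret are required")
    if p.secondary_enabled and not _valid_ip(p.secondary_ip):
        errors.append("Secondary IP Address is not a valid IP address")
    if not 100 <= p.items_per_batch <= 1000:
        errors.append("Items per Batch must be 100-1000")
    if not 1 <= p.query_interval <= 60:
        errors.append("Query Interval must be 1-60 seconds")
    if not 0 <= p.query_delay_time <= 60:
        errors.append("Query Delay Time must be 0-60 seconds")
    if not _timeout_ok(p.auth_entry_timeout):
        errors.append("Authentication Entry Timeout must be 0 or 10-1440 minutes")
    if not _timeout_ok(p.invalid_auth_entry_timeout):
        errors.append("Invalid Authentication Entry Timeout must be 0 or 10-1440 minutes")
    if len(p.filter_domains) > MAX_FILTER_DOMAINS:
        errors.append("Filter to Domain accepts at most 20 domain names")
    return errors


def parse_domain_filter(text):
    """Split the comma-separated 'Filter to Domain' input into a tuple."""
    return tuple(d.strip() for d in text.split(",") if d.strip())


def server_urls(p, server="primary"):
    """Token and query URLs for the primary or secondary JIMS server."""
    host = p.primary_ip if server == "primary" else p.secondary_ip
    if ":" in host:  # bracket IPv6 literals inside a URL
        host = "[%s]" % host
    base = "%s://%s:%d/" % (p.connection_type.lower(), host, p.port)
    return {"token": base + p.token_api, "query": base + p.query_api}


class AuthEntryTable:
    """Identity-management auth table applying the documented timeout rule."""

    def __init__(self, timeout_minutes):
        self.timeout = timeout_minutes * 60  # 0 means entries never expire
        self._entries = {}                   # ip -> (user, added_at seconds)

    def add(self, ip, user, now):
        # The timeout interval begins when the entry is added.
        self._entries[ip] = (user, now)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, added = entry
        if self.timeout and now - added >= self.timeout:
            del self._entries[ip]  # expired: treat as unknown
            return None
        return user


if __name__ == "__main__":
    profile = IdentityManagementProfile(
        "192.0.2.10", "srx-01", "example-secret",
        filter_domains=parse_domain_filter("corp.example, lab.example"))
    print(validate_profile(profile) or "profile OK")
    print(server_urls(profile))
```

Running the module prints the validation result and the primary server's token and query URLs; `AuthEntryTable` is the part to reuse when reasoning about how long a user-to-IP mapping learned from JIMS stays valid on the SRX, which is what the Authentication Entry Timeout setting controls.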