User Console
Axidian User Console (User Console) is a web application that runs on IIS. In User Console, the user can manage their authenticators.
- In the browser: http(s)://server dns/am/uc
- In IIS: <machine name>\sites\Default Web Site\am\uc
Install User Console
To install User Console, start Axidian.UserConsole-version number.x64.ru-ru.msi located at Axidian version number\Axidian User Console\version number.
When the installation is complete, you will be prompted to generate a new IDP certificate. This is an optional setting.
Info: The certificate is required for authentication in User Console using Identity Provider. This certificate is not intended for establishing the SSL connection.
If this certificate was generated earlier, disable the option.
If this option is enabled, a new self-signed certificate is generated and installed in the Local Machine → Personal certificate store. The certificate is used to encrypt data transmitted between the authentication server and the client application.
HTTPS binding in IIS Manager
User Console is a web application that runs on IIS. During installation, the SSL requirement is enabled for User Console in its settings, so an HTTPS binding must be configured.
- In IIS Services Manager, in the left menu, navigate to Axidian Access → sites → Default Web Site.
- In the Actions section of the right menu, click Bindings.
- Click Add and set the following parameters in the window that appears:
- In the Type field, select https.
- In the Port field, specify 443.
- In the SSL Certificate field, select the Core Server certificate.
- Click OK to save the binding.
If you do not plan to use the HTTPS protocol, disable the SSL requirement in the IIS settings for User Console.
Also, in C:\inetpub\wwwroot\am\uc\Web.config, change the value of the requireSSL parameter to false as follows:
<httpCookies httpOnlyCookies="true" requireSSL="false" />
Configure authentication
You can set different authentication methods to log in to User Console.
- Windows Authentication
- Identity Provider
Authentication using Windows Authentication
By default, User Console is configured to use SAML authentication. If necessary, you can configure transparent Windows authentication as follows:
- Run the editor with administrator rights.
- Open the C:\inetpub\wwwroot\am\uc\Web.config configuration file.
- To specify the URL for connecting to Core Server, in the amAuthServer tag, set the Url parameter to a value such as http(s)://full_dns_name of the server/am/core/.
<amAuthServer Url="https://amserv.axidian-id.local/am/core/"/>
To ignore server certificate errors, in the am\uc\Config\ApplicationSettings.config file, change the isIgnoreCertErrors parameter to true.
- Start IIS Manager, select Default Web Site → am and open the uc application.
- Open Authentication and enable the following methods:
- ASP.NET
- Windows Authentication
- Disable all other methods.
- Open C:\inetpub\wwwroot\am\uc\Web.config for editing.
- In the amAuthentication tag, in the mode parameter, specify Windows. Optionally, add the enableLogout="true" parameter to allow users to log out of User Console.
Leave the loginUrl parameter unchanged. When using Windows authentication, this parameter is not taken into account.
<amAuthentication mode="Windows" loginUrl="" identityProviderCertificateThumbprint="" serviceProviderCertificateThumbprint="" enableLogout="true"/>
- Save the changes and restart the IIS server.
The User Console will be available at: http(s)://full_dns_name of the server/am/uc/.
Authentication using Identity Provider
You can set up a secure login to User Console using Identity Provider.
To log in to User Console using Identity Provider, you need to install and configure an authentication provider.
Edit the User Console configuration file
Before editing the configuration file, follow these steps:
- Start IIS Service Manager.
- Select <server Name> → Sites → Default Web Site → am → uc.
- Select Authentication and enable the Anonymous Authentication and Forms Authentication options.
Open C:\inetpub\wwwroot\am\uc\web.config.
In the amAuthServer tag, in the Url parameter, specify the address of Core Server, such as http(s)://full_dns_name of the server/am/core/.
<amAuthServer Url="https://amserv.axidian-id.local/am/core/"/>
In the amAuthentication tag, do the following:
- In the mode parameter, specify the Saml value.
- In the loginUrl parameter, specify the Identity Provider address, such as http(s)://full_dns_name of the server/am/idp/.
<amAuthentication mode="Saml" loginUrl="https://server.test.local/am/idp/"/>
- In the identityProviderCertificateThumbprint parameter, specify the thumbprint of the Identity Provider certificate.
Tip: If Identity Provider and User Console are installed on different servers, export the certificate without the private key from the server with the Identity Provider module to the server with User Console. The certificate must be added to the certificate store in Local Machine → Personal. To find the thumbprint, run:
Get-ChildItem Cert:\LocalMachine\My\ | Where-Object {$_.Subject -eq "CN=idp"}
- In the serviceProviderCertificateThumbprint parameter, specify the thumbprint of the User Console certificate that was generated during installation.
Information: The certificate is installed in the LocalMachine → Personal certificate store with the common name ucsp. To find the thumbprint, run:
Get-ChildItem Cert:\LocalMachine\My\ | Where-Object {$_.Subject -eq "CN=ucsp"}
Save the changes and restart the IIS server.
Edit the Identity Provider configuration file
Before editing the configuration file, follow these steps:
- Start IIS Service Manager.
- Select <server name> → Sites → Default Web Site → am → idp.
- Select Authentication and disable the Windows Authentication option.
Open C:\inetpub\wwwroot\am\idp\app-settings.json for editing.
In the PartnerServiceProviderConfigurations parameter, perform the following actions:
- In the SingleLogoutServiceUrl line, specify the address of the server where User Console was deployed, such as http(s)://full_dns_name of the server/am/uc/Account/SLOService.
- In the Thumbprint line, specify the thumbprint of the User Console certificate.
Tip: If Identity Provider and User Console are installed on different servers, export the certificate without the private key from the server with the deployed User Console to the server with the Identity Provider module. The certificate must be added to the certificate store in LocalMachine → Personal. To find the thumbprint, run:
Get-ChildItem Cert:\LocalMachine\My\ | Where-Object {$_.Subject -eq "CN=ucsp"}
"PartnerServiceProviderConfigurations": [
{
"Name": "urn:axidian:selfservice",
"SingleLogoutServiceUrl": "https://server.axidian.local/am/uc/Account/SLOService",
"PartnerCertificates": [
{
"Thumbprint": "C77EDF29EA05B468BDAF553DE3D804DA4B139C1E"
}
]
}
]
In the AllowWinPwdIfAuthMethodsAreNotAvailable parameter, you can set the value to true, which allows logging in to User Console using Windows Password via IDP even if this method is not specified in the app-settings.json configuration file. If the AllowWinPwdIfAuthMethodsAreNotAvailable parameter is set to true, the following scenarios are possible:
- Only the registered and user-accessible authentication methods are displayed. With multi-factor authentication, if at least one method in the chain is not available, the entire chain is not displayed.
- If no authentication methods are available, including methods that do not require registration in User Console (Windows Password, Email, and SMS), Windows Password is displayed.
Save the changes and restart the IIS server.
Configure logout from User Console using Identity Provider
- Open C:\inetpub\wwwroot\am\uc\Web.config for editing.
- In the amAuthentication tag, add the enableLogout parameter with the value true (the default value is false).
<amAuthentication mode="Saml" loginUrl="https://server.test.local/am/idp/" enableLogout="true"/>
- Open C:\inetpub\wwwroot\am\idp\app-settings.json for editing.
- Change the PartnerServiceProviderConfigurations parameter. In the SingleLogoutServiceUrl string, specify the server address for User Console, such as http(s)://full_dns_name of the server/am/uc/Account/SLOService.
"PartnerServiceProviderConfigurations": [
{
...
"SingleLogoutServiceUrl": "https://server01.test.local/am/uc/Account/SLOService",
...
}
]
- Save the changes and restart IIS.
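The SAML trust between User Console and Identity Provider only works when the two files edited above agree with each other. The following Python script is an added example, not Axidian's code: it cross-checks a User Console Web.config against the Identity Provider app-settings.json (certificate thumbprints, https URLs, the SingleLogoutServiceUrl needed when enableLogout is true, and the requireSSL cookie setting). It assumes the tag and key names shown on this page and uses constructed sample files with placeholder thumbprints.

```python
# Added example, not Axidian's code: cross-check User Console Web.config against IdP app-settings.json.
import json
import re
import xml.etree.ElementTree as ET
# Constructed sample files modelled on this page's snippets; thumbprints are placeholders.
UC_WEB_CONFIG = """<configuration>
  <amAuthServer Url="https://amserv.axidian-id.local/am/core/"/>
  <amAuthentication mode="Saml" loginUrl="https://server.test.local/am/idp/"
    identityProviderCertificateThumbprint="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"
    serviceProviderCertificateThumbprint="BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"
    enableLogout="true"/>
  <system.web><httpCookies httpOnlyCookies="true" requireSSL="true" /></system.web>
</configuration>"""
IDP_APP_SETTINGS = """{"PartnerServiceProviderConfigurations": [{
  "Name": "urn:axidian:selfservice",
  "SingleLogoutServiceUrl": "https://server01.test.local/am/uc/Account/SLOService",
  "PartnerCertificates": [{"Thumbprint": "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"}]}]}"""

def norm_thumb(value):
    """Upper-case SHA-1 thumbprint without spaces/colons, as Get-ChildItem prints it."""
    return re.sub(r"[\s:]", "", value or "").upper()

def check_sso_config(web_config_xml, app_settings_json, idp_cert_thumbprint):
    """Return a list of findings; an empty list means both files agree."""
    findings = []
    root = ET.fromstring(web_config_xml)
    auth = root.find(".//amAuthentication")
    if auth is None:
        return ["amAuthentication tag missing from Web.config"]
    if auth.get("mode") != "Saml":
        findings.append("mode is not Saml")
    login_url = auth.get("loginUrl", "")
    if not (login_url.startswith("https://") and login_url.endswith("/am/idp/")):
        findings.append("loginUrl should be https://<host>/am/idp/")
    idp_thumb = norm_thumb(auth.get("identityProviderCertificateThumbprint"))
    if not re.fullmatch(r"[0-9A-F]{40}", idp_thumb) or idp_thumb != norm_thumb(idp_cert_thumbprint):
        findings.append("identityProviderCertificateThumbprint does not match the idp certificate")
    partners = json.loads(app_settings_json).get("PartnerServiceProviderConfigurations", [])
    # Every thumbprint the IdP trusts for partner service providers
    trusted = {norm_thumb(c.get("Thumbprint")) for p in partners for c in p.get("PartnerCertificates", [])}
    if norm_thumb(auth.get("serviceProviderCertificateThumbprint")) not in trusted:
        findings.append("serviceProviderCertificateThumbprint is not listed in PartnerCertificates")
    if auth.get("enableLogout", "false").lower() == "true":  # logout needs the SLO endpoint on the IdP side
        slo_urls = [p.get("SingleLogoutServiceUrl", "") for p in partners]
        if not any(u.startswith("https://") and u.endswith("/am/uc/Account/SLOService") for u in slo_urls):
            findings.append("enableLogout=true but no https SingleLogoutServiceUrl ending in /am/uc/Account/SLOService")
    cookies = root.find(".//httpCookies")
    if cookies is not None and cookies.get("requireSSL", "true").lower() != "true":
        findings.append("requireSSL=false: the session cookie may be sent over plain HTTP")
    return findings
```

Run it against the real files by reading them from C:\inetpub\wwwroot\am\uc\Web.config and C:\inetpub\wwwroot\am\idp\app-settings.json and passing the thumbprint printed by the Get-ChildItem command for CN=idp.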
Example of logging in to User Console using Identity Provider
Open User Console in the browser at http(s)://full_dns_name of the server/am/uc/.
In the authentication window that appears, click Back to select the authentication method. By default, the last method used is suggested.
To select the authentication method, click Select.
Information: If a user does not have a registered authenticator, select Windows Password.
Note: Logging out of Identity Provider in the user session does not log the user out of User Console until the browser is restarted or the cookie retention period expires. The cookie retention time for Identity Provider is 30 minutes.
Enter the password and click Sign in. If the data is entered correctly, the user profile appears.
To exit User Console, perform the following steps:
Note: This option is active only if you have configured the enableLogout parameter.
- Click the username at the top of the window.
- From the drop-down list, select Exit.
Information: When exiting User Console, you automatically exit Identity Provider.
Enable brute-force protection
In Axidian Access, you can configure protection against username guessing (brute-force protection) for the User Console component.
If this setting is enabled, then when you enter a non-existent username, Axidian Access simulates the login of an existing user: displays authentication methods, asks for a password, and then displays the error Invalid username or authenticator, or the device is locked.
If this setting is disabled, then when a non-existent username is entered, Axidian Access displays the error Internal Server error: User not found.
This setting is disabled by default.
To enable brute-force protection, follow these steps:
- Open C:\inetpub\wwwroot\am\core\Web.config.
- In the appSettings section, in the bruteForceProtectionApps key, specify the Self Service and Identity Provider values.
<appSettings>
...
<add key="bruteForceProtectionApps" value="Self Service, Identity Provider" />
</appSettings>
- Save the changes and restart the IIS server.
Set the session lifetime
This setting is optional.
To change the session lifetime in User Console, perform the following steps:
- Open C:\inetpub\wwwroot\am\uc\Config\ApplicationSettings.config.
- Set the required value for the sessionExpirationTimeInMinutes parameter. The default value is 30 (minutes).
<amApplicationSettings isIgnoreCertErrors="false" sessionExpirationTimeInMinutes="30"/>
- Save the changes.
Display/hide version number in User Console
To remove the User Console headers with the information about the platform and version number, perform the following actions:
- Open C:\inetpub\wwwroot\am\uc\Web.config.
- Depending on the version of IIS:
- For IIS 10: uncomment the following lines:
<security>
<requestFiltering removeServerHeader="true" />
</security>
- For IIS 10 and above, perform the following actions:
- Install the URL Rewrite module.
- Add the following lines to the <system.webServer> section:
<rewrite>
<outboundRules>
<rule name="replace server header" patternSyntax="Wildcard" lockItem="false">
<match serverVariable="RESPONSE_SERVER" pattern="*" />
<action type="Rewrite" value="MyServer" />
</rule>
</outboundRules>
</rewrite>
Disable localization changes
To prevent a user from changing the language in User Console:
- Open C:\inetpub\wwwroot\am\uc\Web.config.
- For the isEnabled parameter of the amCulture tag, set the false value.
<amCulture isEnabled="false" />
- Restart the IIS server.