SPS inWebo plugin parameter reference
This section describes the available options of the SPS inWebo plugin.
The plugin uses an ini-style configuration file with sections and name=value pairs. This format consists of sections, led by a [section] header and followed by name=value entries. Note that the leading whitespace is removed from values. The values can contain format strings, which refer to other values in the same section. For example, the following section would resolve the %(dir)s value to the value of the dir entry (/var in this case).
[section name] dirname=%(dir)s/mydirectory dir=/var
All reference expansions are done on demand. Lines beginning with # or ; are ignored and may be used to provide comments.
You can edit the configuration file from the SPS web interface. The following code snippet is a sample configuration file.
[inwebo]
service_id=<your-inWebo-service-ID>
api_url=https://api.myinwebo.com/FS/
# Do NOT use client_cert in production
; client_cert=
timeout=60
http_socket_timeout=10
rest_poll_interval=1
ignore_conn_err=no
[plugin]
config_version=1
log_level=info
cred_store=<name-of-credstore-storing-sensitive-data>
[auth]
prompt=Hit Enter to send inWebo push notification or provide the OTP:
whitelist=name-of-a-userlist
[username_transform]
append_domain=""
[ldap]
ldap_server_config=<SPS-LDAP-server-policy-name>
filter=(&(samAccountName={})(objectClass=user))
user_attribute=mail
[cache]
soft_timeout=15
hard_timeout=90
conn_limit=5
[question_1]
key=<name-of-name-value-pair>
prompt=<the-question-itself-in-text>
disable_echo=No
[question_2]...
[inwebo]
This section contains the options related to your inWebo account.
[inwebo] service_id=<your-inWebo-service-ID> api_url=https://api.myinwebo.com/FS/ # Do NOT use client_cert in production ; client_cert: http_socket_timeout=5 ignore_conn_err=Yes rest_poll_interval=1 timeout=25
service_id
| Type: | string |
| Required: | yes |
| Default: | N/A |
Description: For SPS to be able to communicate with the inWebo server, a service ID is required. It is displayed on the inWebo Administration interface under the Service Users tab.
api_url
| Type: | string |
| Required: | yes |
| Default: | N/A |
Description: The URL where the inWebo server can be accessed. Usually you can use the default value:
api_url=https://api.myinwebo.com/FS/
To override the access URL for the inWebo API, change the value.
client_cert
| Type: | string |
| Required: | yes |
| Default: | N/A |
|
|
Caution:
This parameter contains sensitive data. Make sure to store this data in your local Credential Store. Type the $ value for this parameter in production. For details, see "Store sensitive plugin data securely". Only enter a value different than $ for this parameter in the configuration for testing purposes in a secure, non-production environment. |
Description: For SPS to be able to communicate with the inWebo server, an unencrypted key is required. A certificate is generated by inWebo, which you have to store in the credential store of SPS. The X.509 certificate and the private key either has to be uploaded to SPS or copied into the configuration file. If you want to copy the X.509 certificate and the private key in PEM format inline, insert a whitespace before every line for both the certificate and the private key so that the configuration parser considers it a single value.
For details on using a local Credential Store to host this data, read Store sensitive plugin data securely.
-
In the inWebo Administration interface, navigate to Secure Sites and click Download a new certificate for the API. Configure the parameters (Authentication: Yes, Provisioning: No) and click Download.
Decrypt the downloaded X.509 certificate with the following command: openssl rsa -in <certificate-file-name>.crt. Enter the required passphrase. The decrypted part of the certificate is displayed on the console screen.
Copy the decrypted part from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, open the <certificate-file-name>.crt and replace the encrypted part with the copied decrypted part from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.
timeout
| Type: | integer [seconds] |
| Required: | no |
| Default: | 60 |
Description: How long an HTTP request can take during the communication with the inWebo server.
http_socket_timeout
| Type: | integer [seconds] |
| Required: | no |
| Default: | 10 |
Description: How long the plugin waits for an approval when using the inWebo push notification factor. This option sets the timeframe (measured from the user initiating the connection to SPS) within which SPS must receive the approval from the inWebo server. SPS periodically asks the inWebo server to check if the user successfully authenticated on the inWebo server.
rest_poll_interval
| Type: | integer [seconds] |
| Required: | no |
| Default: | 1 |
Description: How often the plugin checks the inWebo server to see if the push notification was successful. Note that SPS rejects the connection of the user if it does not receive an approval for the push notification within the period set in http_socket_timeout.
ignore_conn_err
| Type: | yes | no |
| Required: | no |
| Default: | no |
Description: Determines how to handle the sessions if the inWebo service is not available. If set to yes, the plugin assumes that the user successfully authenticated even if the plugin cannot access inWebo to verify this.
|
|
Caution:
Enabling this option allows the users to bypass multi-factor authentication if SPS cannot access the inWebo service for any reason, for example, a network configuration error in your environment. |
[plugin]
This section contains general plugin-related settings.
[plugin] config_version=1 log_level=20 cred_store=<name-of-credstore-hosting-sensitive-data>
config_version
| Type: | integer |
| Required: | yes |
| Default: | 1 |
Description: The version number of the configuration format. This is used to enable potentially incompatible changes in the future. If provided, the configuration will not be upgraded automatically. If not provided, the configuration will be upgraded automatically.
cred_store
| Type: | string |
| Required: | no |
| Default: | N/A |
Description: The name of a local credential store policy configured on SPS. You can use this credential store to store sensitive information of the plugin in a secure way, for example, the inWebo client certificate. For details, see Store sensitive plugin data securely.
log_level
| Type: | integer or string |
| Required: | no |
| Default: | info |
Description: The logging verbosity of the plugin. The plugin sends the generated log messages to the SPS syslog system. You can check the log messages in the Basic settings > Troubleshooting > View log files section of the SPS web interface. Filter on the plugin: string to show only the messages generated by the plugins.
The possible values are:
-
debug or 10
-
info or 20
-
warning or 30
-
error or 40
-
critical or 50
For details, see Python logging API's log levels: Logging Levels.
[auth]
This section contains the options related to authentication.
[auth] prompt=Hit Enter to send inWebo push notification or provide the OTP: whitelist=name-of-a-userlist
prompt
| Type: | string |
| Required: | no |
| Default: | Hit Enter to send push notification or provide the OTP: |
Description: SPS displays this text to the user in a terminal connection to request an OTP interactively. The text is displayed only if the user uses an OTP-like factor, and does not send the OTP in the connection request.
prompt="Hit Enter to send inWebo push notification or provide the OTP:"
whitelist
| Type: | string |
| Required: | no |
| Default: | N/A |
Description: The name of a user list containing gateway users configured on SPS (Policies > User Lists). You can use this option to selectively require multi-factor authentication for your users, for example, to create break-glass access for specific users.
-
If you set the Default Policy of the user list to Reject, then the list is a whitelist, so the plugin will not request inWebo authentication from the users on the list.
-
If you set the Default Policy of the user list to Accept, then the list is a blacklist, so the plugin will request inWebo authentication only from the users on the list.
For details on creating user lists, see "Creating and editing user lists" in the Administration Guide.