1. Installation setup

System requirements

Please check the following requirements before installing Visual Guard Identity Server.

Visual Guard 2024.0

  • Operating System: Windows Server 2012, 2016, 2019, 2022
  • Hard Drive: 512 GB to 1 TB – fast drive recommended, ideally SSD
  • CPU: 4 cores minimum – 3 GHz or higher
  • RAM: 8 GB
  • Software:
    • IIS with the necessary Windows features should be installed as described below.
    • VGRepository
      • Requires SQL Server 2012 or later, Standard Edition at minimum.
      • Requires Oracle Database 9i or later. Please ensure the Oracle driver is installed.
  • Install the VGIdentityServerSetup. [Link available in the table above]
    1. Doing so will create a ‘VisualGuardIdentityServer’ website.
    2. It will also create an application pool ‘AspNetCore’ with .NET CLR Version set to “No Managed Code”.
       (If it is not created, please create it manually.)
  • Check the list of websites and select ‘VisualGuardIdentityServer’.
    Go to ‘Advanced Settings’ and select the application pool ‘AspNetCore’.
  • Check ‘Permissions’ and assign full permissions to ‘IIS_IUSRS’.
  • Check the application root path.
    Open ‘web.config’ and make sure it contains the following values:
<aspNetCore processPath="dotnet" arguments=".\Novalys.VisualGuard.Tools.VGIdentityServer.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout">
<environmentVariables />
</aspNetCore>
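The following script is an added example and not part of the Visual Guard documentation or installer: it parses the site's web.config and reports any deviation from the aspNetCore values listed above, so the check can be scripted after installation instead of done by eye. The layout of the constructed sample (aspNetCore under system.webServer) is the standard ASP.NET Core hosting layout and is an assumption, not a copy of the installer's file.

```python
# Added example, not part of the Visual Guard documentation: a check that the
# aspNetCore element of the site's web.config carries the values listed above.
# Run it as: python check_webconfig.py <path-to-web.config>
import sys
import xml.etree.ElementTree as ET
from typing import List

# Values the page requires; stdoutLogFile is not compared because its path may vary.
EXPECTED = {
    "processPath": "dotnet",
    "arguments": r".\Novalys.VisualGuard.Tools.VGIdentityServer.dll",
    "stdoutLogEnabled": "false",
}


def check_aspnetcore_config(xml_text: str) -> List[str]:
    """Return the list of mismatches; an empty list means the section is as expected."""
    root = ET.fromstring(xml_text)
    node = root.find(".//aspNetCore")
    if node is None:
        return ["no <aspNetCore> element found"]
    problems = []
    for attr, expected in EXPECTED.items():
        actual = node.get(attr)
        if actual is None:
            problems.append(f"missing attribute {attr}")
        elif actual != expected:
            problems.append(f"{attr}={actual!r}, expected {expected!r}")
    return problems


# Constructed sample in the shape the ASP.NET Core hosting template uses
# (aspNetCore under system.webServer); not a copy of the installer's file.
SAMPLE_OK = """<configuration>
  <system.webServer>
    <aspNetCore processPath="dotnet"
                arguments=".\\Novalys.VisualGuard.Tools.VGIdentityServer.dll"
                stdoutLogEnabled="false"
                stdoutLogFile=".\\logs\\stdout">
      <environmentVariables />
    </aspNetCore>
  </system.webServer>
</configuration>"""

# Same file with stdout logging switched on, to show what a mismatch report looks like.
SAMPLE_BAD = SAMPLE_OK.replace('stdoutLogEnabled="false"', 'stdoutLogEnabled="true"')


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OK
    problems = check_aspnetcore_config(text)
    print("\n".join(problems) if problems else "aspNetCore section matches the documented values")
```

Run it against the real file once the installer has finished; an empty report means the three documented attributes are in place.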

Private mode Communication

  • Windows Server 2022 Build 20348 or later.

SQL Server settings

To grant the login rights needed to create a new repository, configure the following in SQL Server.

Step 1: Open the user's properties in SQL Server, select master as the default database –> click OK


Step 2: Under the user's properties, select Server Roles –> select dbcreator and public to grant the role rights –> click OK


Installation Steps

Step 1: Download Visual Guard Identity Server setup and follow the installation wizard


Step 2: Enter the required information, Site, Application pool and click Next


Step 3: Installation process will begin


Step 4: Once installation is complete, you will be notified with a message confirming the successful setup. Please click “Close” to exit the setup.


Once the installation is complete, go to the installation folder that was created automatically –> open the folder –> right-click the IdentityServer folder and select Properties –> click the Security tab –> add IIS_IUSRS if it is not already listed –> select IIS_IUSRS –> make sure the permissions shown below are allowed –> click OK

1.1 How to migrate from VGServer?

VGServer has been replaced by Visual Guard Identity Server.

VG Identity Server works with a bearer token; the VGToken is carried inside the token's claims.

Authentication must now be performed against VG Identity Server.

The API has been updated.
Please refer to the following list to find out how to update the API calls:

  • /Security/Principal/GetIdentity is replaced by /api/Principal/GetIdentity
  • /Security/GetRoles is replaced by /api/Principal/GetCurrentRoles
  • /Security/IsInRoleByName/ is replaced by /api/Principal/IsInRoleByName
  • /Security/HasPermissionByName/ is replaced by /Security/HasPermissionById/
  • /Security/GetPermissions is replaced by /api/Principal/GetCurrentPermissions

1.2 Configure HTTPS Binding

HTTPS binding is the configuration that allows a website hosted on a web server, like Microsoft IIS (Internet Information Services), to use the HTTPS protocol. HTTPS stands for Hypertext Transfer Protocol Secure, and it ensures that data transmitted between the web server and the client (like a web browser) is encrypted and secure from eavesdropping or tampering.

When you set up HTTPS binding in IIS, you’re telling the web server to listen for HTTPS requests on a specific IP address and port (usually port 443). This binding also requires an SSL/TLS certificate, which is used to encrypt the data. The certificate is linked to the binding, ensuring that any request to the site using HTTPS will be securely transmitted.

HTTPS binding is a key configuration step in securing web applications by enabling encrypted communication between the server and clients.


To configure an IIS website for HTTPS binding with a certificate specifically for the Visual Guard Identity Server, follow these steps:

1. Obtain an SSL Certificate

  • Ensure you have a valid SSL certificate issued by a trusted Certificate Authority (CA). This certificate must include both the public and private keys.

2. Install the SSL Certificate on the Server

  • Open IIS Manager on the server where Visual Guard Identity Server is installed.
  • In the left-hand Connections pane, click on the server name.
  • Double-click on Server Certificates in the middle pane.
  • In the Actions pane on the right, click Import if you have the .pfx file or Complete Certificate Request if you have a .cer file.
  • Browse to your certificate file, provide any required password (for .pfx), and complete the import process.

3. Configure HTTPS Binding for Visual Guard Identity Server

  • In IIS Manager, expand the server node, then expand Sites, and select the Visual Guard Identity Server site.
  • Click Bindings in the right-hand Actions pane under Edit Site.
  • In the Site Bindings window, click Add.
  • In the Add Site Binding dialog:
    • Type: Select https.
    • IP address: Choose the appropriate IP address or leave it as All Unassigned.
    • Port: Enter 443 (default port for HTTPS).
    • Host name: Optionally specify the hostname if applicable.
    • SSL certificate: Select the SSL certificate you imported earlier.
  • Click OK to add the binding.

4. Enforce HTTPS on Visual Guard Identity Server (Optional)

  • Select the Visual Guard Identity Server site in IIS Manager.
  • Double-click SSL Settings in the feature view.
  • Check the box labeled Require SSL to enforce HTTPS.
  • Click Apply in the Actions pane on the right.

5. Restart the IIS Services

  • After configuring HTTPS binding, restart IIS to apply the changes. Select the server node in IIS Manager and click Restart in the Actions pane.

6. Test the Configuration

  • Open a web browser and navigate to your Visual Guard Identity Server using https://yourdomain.com/identityserver. Ensure that the connection is secured by the certificate and that the site loads correctly over HTTPS.

By following these steps, you will ensure that the Visual Guard Identity Server is properly configured to use HTTPS, securing communication between users and the web application.
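The script below is an added example and not part of the Visual Guard documentation: it automates Step 6 by connecting to the HTTPS binding with Python's default verifying TLS context (so an untrusted chain fails outright, as a browser would) and then checking that the presented certificate is not expired or about to expire and that one of its DNS names matches the host. The hostname idsrv.example.com, the 30-day renewal threshold and the sample certificate dictionary are assumptions constructed for the example.

```python
# Added example, not part of the Visual Guard documentation: a check for Step 6
# that verifies what a browser would, and a little more: the chain is trusted by
# the OS store, the certificate is unexpired (or close to expiring), and one of
# its DNS names matches the host. The hostname below is an assumed placeholder.
import socket
import ssl
from datetime import datetime, timezone
from typing import List

EXPIRY_WARNING_DAYS = 30   # assumed threshold for the renewal warning


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare a DNS name from the certificate with the host; a single leading
    wildcard label (*.example.com) matches exactly one label, per RFC 6125."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def check_cert(cert: dict, hostname: str, now: datetime) -> List[str]:
    """Inspect a certificate in the dict form returned by SSLSocket.getpeercert()."""
    problems = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        problems.append(f"certificate expired on {not_after.date()}")
    elif (not_after - now).days < EXPIRY_WARNING_DAYS:
        problems.append(f"certificate expires in {(not_after - now).days} days")
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, hostname) for name in dns_names):
        problems.append(f"no subjectAltName DNS entry matches {hostname}")
    return problems


def probe(hostname: str, port: int = 443) -> List[str]:
    """Connect with the default (verifying) context: an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError before any request is sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname, datetime.now(timezone.utc))


# Constructed sample in getpeercert() shape, so the checks can be exercised offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "idsrv.example.com"),),),
    "subjectAltName": (("DNS", "idsrv.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or ["HTTPS binding looks good"])
    else:
        print(check_cert(SAMPLE_CERT, "idsrv.example.com", datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

Run it with the server's hostname as the argument from a machine that trusts the same CA your users do; a self-signed or internally issued certificate that the OS store does not trust will surface as an SSLCertVerificationError, which is exactly what a user's browser would show as a warning.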


2. Repository configuration

Step 1: The Visual Guard identity server needs a connection to the VGRepository


Step 2: Select your repository type (SQL Server or Oracle) from the dropdown and click on Next


Step 3: Set the information of your repository as required and click on “Test Connection” to test the connection to the repository.

Once your connection is valid you will receive a connection successful message, click Ok and then Next.


Step 4: Enter your VG Identity Server URL to complete the configuration


Step 5: Once the configuration is successful, click Finish; you can then start using the repository


3. Authentication

In Visual Guard, “Authentication” is the process of verifying the identity of a user or entity attempting to access a system or application. Visual Guard supports various types of authentication methods, each offering different levels of security and user experience:

  1. Visual Guard: Users authenticate using Visual Guard’s built-in login system, where they provide a username and password combination verified against Visual Guard’s user database. This method offers a standard authentication approach managed within the Visual Guard framework.
  2. Windows Authentication by Credential: Users authenticate through their Windows credentials, leveraging the security infrastructure of the Windows operating system. Visual Guard integrates with Windows authentication to validate user identities, providing seamless access to applications based on Windows credentials.
  3. Multi-Factor Authentication (MFA): Visual Guard supports Multi-Factor Authentication (MFA), requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.
  4. Passwordless: Passwordless login is a method of authentication that allows users to access a system or application without requiring a traditional password. Instead of entering a password, users are authenticated through alternative methods such as a magic link or SMS verification. In Visual Guard, passwordless login enhances security and user experience by providing convenient and secure authentication options that eliminate the need for users to remember and manage passwords.

These authentication methods cater to different security requirements and user preferences, allowing Visual Guard to provide a flexible and robust authentication framework for securing applications and systems.


Authentication Flow

The flowchart depicts the authentication process with OpenID Connect (OIDC) and Multi-Factor Authentication (MFA). It involves the user initiating login, the application redirecting to the Identity Provider (IdP), credential validation by the IdP, an MFA challenge, token issuance, and finally, the application granting access based on validated tokens.


Click any of the authentication types below to see the login steps.

3.1 Visual-Guard User

Users authenticate using Visual Guard’s built-in login system, where they provide a username and password combination verified against Visual Guard’s user database. This method offers a standard authentication approach managed within the Visual Guard framework.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: The user tries to access the demo application by clicking ‘Secure using Universal Login’.


Step 2: Since the user is not authenticated, they are redirected to the Identity Server login page automatically.

Click the drop-down under Authentication, choose VisualGuard, enter the Username and Password, and click Sign In.


Step 3: Once the user is authenticated and authorized successfully, they are redirected back to the demo application.


3.2 Windows by Credential

Users authenticate through their Windows credentials, leveraging the security infrastructure of the Windows operating system. Visual Guard integrates with Windows authentication to validate user identities, providing seamless access to applications based on Windows credentials.

Shown below is a demo application secured by VisualGuard Identity Server

Step 1: The user tries to access the demo application by clicking ‘Secure using Universal Login’.


Step 2: Since the user is not authenticated, they are redirected to the Identity Server login page automatically.

Click the drop-down under Authentication, choose WindowsbyCredential, and enter the Username (Domain\username) and Password.


Step 3: Once the user is authenticated and authorized successfully, they are redirected back to the demo application.


3.3 Multifactor Authentication (MFA)

Visual Guard supports Multi-Factor Authentication (MFA) on top of the existing authentication methods, requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email, or a TOTP via Microsoft Authenticator. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: The user tries to access the demo application by clicking ‘Secure using Universal Login’.


Step 2: Since the user is not authenticated, they are redirected to the Identity Server login page automatically.

Click the drop-down under Authentication, choose your preferred authentication type (i.e. VisualGuard or WindowsbyCredential), enter the Username and Password, and click Sign In.


Step 3: Once you log in, the MFA window appears and asks whether you would like the link or the OTP to be sent via email or SMS; select an option and click OK.


Step 4: Once you choose the option, an OTP or link is sent to your registered email ID or phone number; enter the OTP received and click Sign In.


Step 5: Once the user is authenticated and authorized successfully, they are redirected back to the demo application.


3.4 Passwordless

Passwordless login is a method of authentication that allows users to access a system or application without requiring a traditional password. Instead of entering a password, users are authenticated through alternative methods such as magic link or SMS verification. In Visual Guard, passwordless login enhances security and user experience by providing convenient and secure authentication options that eliminate the need for users to remember and manage passwords.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: The user tries to access the demo application by clicking ‘Secure using Universal Login’.


Step 2: Since the user is not authenticated, they are redirected to the Identity Server login page automatically.

Click the drop-down under Authentication, choose Passwordless, enter the Username, and click Sign In.


Step 3: You will be asked to authenticate yourself through the magic link or SMS sent to your registered details. Click OK once you have selected the option.


Step 4: Once the user is authenticated and authorized successfully, they are redirected back to the demo application.


3.5 Bearer Token

What is a Bearer Token and how does it work?

A Bearer Token is an access token issued by IdentityServer, which clients use to authenticate and access protected resources by including the token in the HTTP Authorization header with requests.


The process works as follows:

  1. Token Issuance: When a user successfully authenticates with IdentityServer, an access token (Bearer Token) is generated and issued to the client application. This token is a JSON Web Token (JWT) containing claims about the user and their permissions.
  2. Token Transmission: The client application includes the Bearer Token in the HTTP Authorization header for subsequent requests to protected resources. The header format is: Authorization: Bearer <token>.
  3. Resource Server Validation: The resource server (API) validates the Bearer Token by verifying its signature, expiration, and the claims contained within. This ensures the token is issued by a trusted authority (IdentityServer) and is still valid.
  4. Access Control: Based on the token’s claims, the resource server determines if the client has the necessary permissions to access the requested resource. If valid, the server processes the request; if not, it rejects the request with an appropriate error message.

Bearer Tokens provide a secure and efficient method for clients to access protected resources without needing to repeatedly authenticate, facilitating stateless and scalable security management.


How it works

Step 1: The user initiates the authentication request

Step 2: The Identity Server authenticates the user's credentials

Step 3: Once authentication is successful, a token is issued to the client

Step 4: The resource server checks the validity and integrity of the Bearer Token

Step 5: Access to the requested resource is granted or denied based on the claims in the Bearer Token
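The code below is an added example, not Visual Guard's or IdentityServer's own code, that walks the four steps above end to end: issuing a JWT with claims and an expiry, transmitting it in the Authorization header, validating signature, issuer and expiry on the resource server, and deciding access from a permissions claim. It uses HS256 with a shared key so it runs with the Python standard library alone; IdentityServer signs with the token signing certificate described in section 8.3.3 and resource servers verify with the matching public key, but the validation steps are the same. The issuer URL, key, user name and permission names are assumptions constructed for the example.

```python
# Added example, not part of the Visual Guard documentation: the four steps above
# (issue, transmit, validate, authorize) for a JWT bearer token. HS256 with a
# shared key is used so this runs with the standard library alone; IdentityServer
# itself signs with the token signing certificate (section 8.3.3) and resource
# servers verify with its public key, but the checks performed are the same.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://idsrv.example.com"   # assumed issuer URL for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, now: int, ttl: int = 300) -> str:
    """Step 1: the identity server signs the user's claims together with an expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iss": ISSUER, "iat": now, "exp": now + ttl}
    signing_input = (f"{b64url_encode(json.dumps(header).encode())}."
                     f"{b64url_encode(json.dumps(payload).encode())}")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_token(token: str, key: bytes, now: int) -> dict:
    """Step 3: check signature, issuer and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))   # claims are read only after the signature passes
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize(auth_header: Optional[str], key: bytes, now: int,
              required_permission: str) -> Tuple[int, str]:
    """Steps 2 and 4: read 'Authorization: Bearer <token>' and decide on the claims."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_token(auth_header[len("Bearer "):], key, now)
    except ValueError as err:
        return 401, str(err)
    if required_permission not in claims.get("permissions", []):
        return 403, "insufficient permissions"
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    now = int(time.time())
    token = issue_token({"sub": "alice", "permissions": ["orders:read"]}, key, now)
    print(authorize(f"Bearer {token}", key, now + 10, "orders:read"))    # (200, 'hello alice')
    print(authorize(f"Bearer {token}", key, now + 10, "orders:write"))   # (403, 'insufficient permissions')
    print(authorize(f"Bearer {token}", key, now + 600, "orders:read"))   # (401, 'token expired')
```

Two details matter more than they look: the algorithm is pinned rather than read from the token header, and the claims are parsed only after the signature has been verified, so a tampered payload never influences the access decision.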


4. Multifactor Authentication (MFA) Enrollment

In Visual Guard, MFA enrollment within the identity server framework enhances security by requiring users to provide multiple forms of verification before access is granted. Visual Guard supports Multi-Factor Authentication (MFA) on top of the existing authentication methods, requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email, or a TOTP via Microsoft Authenticator. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.


Below are the different modes of enrolling in MFA; click the icons to learn more about each of them.


4.1 Via Email Address

An OTP (One-Time Password) or a secure link sent via email is used as an additional layer of security to enhance the authentication process. This method significantly reduces the risk of unauthorized access and is especially useful for protecting sensitive operations and transactions.


Step 1: Select the email address option


Step 2: Enter your Email ID and select Send Email


Step 3: Enter the secure code you may have received over the registered email ID and click on Validate


Step 4: Once your identity is validated, you can return to the application home page. Upon attempting to log in, you will be presented with a screen that offers you the choice of receiving either a link or an OTP (One-Time Password) to your registered email ID for authentication. Select your preferred method and click “Continue” to complete the authentication process successfully.



4.2 Via Phone Number

In Visual Guard, the OTP/Link via phone number feature allows users to authenticate themselves through their registered mobile number. When attempting to log in, users can choose to receive an OTP (One-Time Password) or a verification link sent directly to their mobile phone via SMS. This added layer of security ensures that only users with access to the registered phone number can complete the authentication process. This method enhances security by leveraging a second factor of authentication tied to the user’s mobile device.


Step 1: Select the phone number option


Step 2: Enter your Phone Number and select Send SMS


Step 3: Enter the secure code you may have received over the registered phone number and click on Validate


Step 4: Once your identity is validated, you can return to the application home page. Upon attempting to log in, you will be presented with a screen that offers you the choice of receiving either a link or an OTP (One-Time Password) to your registered phone number for authentication. Select your preferred method and click “Continue” to complete the authentication process successfully.
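The email and SMS options in 4.1 and 4.2 (and the MFA login flow in 3.3) both rest on the same server-side mechanism: a short-lived, single-use code or link token that is generated randomly, delivered out of band, and then checked. The class below is an added example, not Visual Guard's own implementation, of that lifecycle; it keeps only an HMAC of each outstanding code, expires it, limits wrong guesses and discards it after one successful use. The code length, the 5-minute validity, the 3-attempt limit and the example URL are assumptions chosen for the example.

```python
# Added example, not part of the Visual Guard documentation: the server-side
# lifecycle of a one-time code or magic-link token delivered by email or SMS.
import hashlib
import hmac
import secrets
from typing import Dict
from urllib.parse import urlencode

CODE_DIGITS = 6       # assumed: the page does not state the code length
CODE_TTL = 300.0      # assumed: seconds a code or link stays valid
MAX_ATTEMPTS = 3      # assumed: wrong guesses allowed before the code is discarded


class OtpStore:
    """Pending codes keyed by user. Only an HMAC of each code is kept, so a copy
    of this store does not reveal live codes, and every code is single use."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._pending: Dict[str, dict] = {}

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def _remember(self, user: str, code: str, now: float) -> None:
        # A new code replaces any earlier one, so only the latest delivery counts.
        self._pending[user] = {"digest": self._digest(user, code),
                               "expires": now + CODE_TTL, "attempts": 0}

    def issue_code(self, user: str, now: float) -> str:
        """Numeric OTP for the 'secure code' option; the caller sends it by email/SMS."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._remember(user, code, now)
        return code

    def issue_link(self, user: str, base_url: str, now: float) -> str:
        """Magic link for the 'link' option: a long random token carried in the URL."""
        token = secrets.token_urlsafe(32)
        self._remember(user, token, now)
        return f"{base_url}?{urlencode({'user': user, 'token': token})}"

    def verify(self, user: str, code: str, now: float) -> str:
        """Returns 'ok' or a reason for refusal; a used or exhausted code is removed."""
        rec = self._pending.get(user)
        if rec is None:
            return "no pending code"
        if now >= rec["expires"]:
            del self._pending[user]
            return "code expired"
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["digest"], self._digest(user, code)):
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self._pending[user]
                return "too many attempts"
            return "invalid code"
        del self._pending[user]          # single use: a replayed code fails
        return "ok"


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    code = store.issue_code("alice", 0.0)        # would be emailed or texted to alice
    print(store.verify("alice", code, 10.0))     # ok
    print(store.verify("alice", code, 11.0))     # no pending code
```

The same verify() path serves both delivery channels: the magic link is simply a much longer code, which is why it can be safely clicked from an email without the guess limit that a six-digit SMS code needs.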



4.3 Via Microsoft Authenticator

In Visual Guard, TOTP (Time-based One-Time Password) via Microsoft Authenticator provides an additional layer of security for user authentication. Users can set up their Microsoft Authenticator app to generate time-based, one-time passwords that refresh every 30 seconds. During the login process, users enter the current TOTP displayed on their Microsoft Authenticator app to verify their identity. This method ensures a secure and dynamic form of authentication, as the OTP is time-sensitive and unique to each login attempt.


Step 1: Select the Microsoft TOTP authentication option


Step 2: Select the type of device you use.


Step 3: Scan the QR code to download the application.

Android device

iOS device (iPhone)


Step 4: Once you open the application and scan the QR code your profile account will be added automatically.


Step 5: Enter the secure code that is generated by the application and click on Validate


Step 6: You will get a notification of the successful enrollment; click Go back to Application to continue logging in.


Step 7: Return to the application home page. When you attempt to log in, click the Microsoft Authenticator icon, enter the code and click Continue to complete the authentication process successfully.
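What the authenticator app and the server agree on during the enrollment above is a shared secret (carried in the QR code as an otpauth URI) and the TOTP algorithm: HMAC-SHA1 over a counter derived from the current time in 30-second steps, truncated to 6 digits. The code below is an added example, not Visual Guard's implementation, of that algorithm on both sides, including the two server-side rules that matter for security: a small tolerance window for clock skew, and refusal to accept a step at or before the last one already used, so a captured code cannot be replayed within its 30 seconds. The issuer name and account are assumptions; the test vectors come from RFC 4226 and RFC 6238.

```python
# Added example, not from the Visual Guard documentation: RFC 6238 TOTP as used
# by Microsoft Authenticator (SHA-1, 6 digits, 30-second step), with the
# verification rules a server needs around it.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30      # seconds per code, as stated on the page
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """Code the authenticator app shows at Unix time `now`."""
    return hotp(secret, now // STEP)


def verify_totp(secret: bytes, code: str, now: int, last_counter: Optional[int],
                window: int = 1) -> Tuple[bool, Optional[int]]:
    """Accept the current step or `window` steps either side to tolerate clock
    skew, but never a step at or before the last accepted one, so a code that
    was already used cannot be replayed. Returns (accepted, counter_to_store)."""
    counter = now // STEP
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):
            return True, c
    return False, last_counter


def new_secret() -> bytes:
    """Per-user secret generated at enrollment (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth URI that the enrollment QR code (Step 4 above) encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    import time
    s = new_secret()
    print(provisioning_uri(s, "alice@example.com", "VisualGuard"))   # assumed names
    print("current code:", totp(s, int(time.time())))
```

The tuple returned by verify_totp() is meant to be persisted: storing the accepted counter per user is what turns a merely time-based code into a genuinely one-time one.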



5. Dashboard

A dashboard is a graphical user interface that gives users a consolidated view of the key information relevant to Visual Guard Identity Server, with easy access to each function.

  • Identity Clients: These are applications or systems that use Visual Guard for authentication and authorization services, enabling secure access control and user identity management across various platforms.
  • Client Configuration: Configuring a client in Identity Server involves registering the client and its type with the authorization server, obtaining client credentials, specifying authorization grant types and redirect URIs, and understanding the token endpoint and scope. These configurations ensure secure and proper interaction between the client and the Identity Server while protecting user data and resources.
  • User Interface: The user interface (UI) in Visual Guard refers to the graphical interface that lets you customize the user interface by managing company logos and landing page text.
  • Identity Server: Configuring a server in an Identity Server involves setting up and customizing the server’s operational parameters that dictate how the identity server operates and interacts with other components to manage authentication, authorization, and user management services effectively within an IT ecosystem.
  • Restart Identity Server: Clicking this icon restarts the identity server.

The dashboard allows administrators to monitor the health and performance of the identity server, track user authentication and authorization trends, and access important configuration settings and management tools to ensure smooth operation and security compliance.

Click on the below icons to know further about each of the functionalities.

6. Identity Clients

These are applications that use Visual Guard for authentication and authorization services, enabling secure access control and user identity management across various platforms


Step 1: Click on the identity clients icon.


Step 2: The dashboard will show you the details of all the clients associated.

  • Application name: The unique identifier or title of an application within Visual Guard
  • Status: Indicates whether an application or client is currently active or inactive
  • Platform type: Specifies the technology or environment in which the application operates
  • Client name: The designated name of a client application utilizing Visual Guard for security services
  • Client ID: A unique identifier assigned to a client application for authentication and authorization purposes
  • Grant types: Methods allowed for obtaining access tokens, such as authorization code, implicit, or client credentials.
  • Client configuration: Settings and parameters defined for a client application to integrate with Visual Guard’s security services

Step 3: In case you make any changes in the backend, you will see the status of the applications along with the option to activate the application.


Step 4: Once you click Activate you will get a notification as shown below; click Restart if you accept what the message says.

Note: To activate an Identity Client, you must restart Visual Guard Identity Server; restarting briefly pauses authentication and authorization services.


7. Client Configuration

Client configuration in Visual Guard involves setting up and configuring the Visual Guard Client component, which is responsible for enforcing security policies and managing user authentication and authorization within client applications. This configuration typically includes specifying the Visual Guard server endpoint, defining authentication methods, configuring access control rules, and integrating client applications with Visual Guard’s security framework. Client configuration ensures that client applications can securely authenticate users, enforce access controls, and interact with the Visual Guard server to manage user identities and permissions effectively.

Step 1: Select the Client from the dropdown


Step 2: Select the Client’s platform type as well from the dropdown and click on Generate Client Configuration


Sample data from the generation of the client configuration.


7.1 Configure Private Connection for your application

The Visual Guard Identity Server allows your application to securely connect to the Identity Server, which in turn connects to the database repository to retrieve user security data. This setup enhances security by preventing the application from accessing the database directly.

You can configure a private connection between your application and the Visual Guard Identity Server over HTTPS, HTTP or gRPC. The configuration is done via the WinConsole. The steps to establish this connection are below.

Step 1: Configure your Visual Guard Identity Server via the Identity Server or the WinConsole


Note: If you want to leverage the performance of gRPC, you need to configure the Visual Guard Identity Server parameters as shown below. The gRPC connection works only with Windows Server 2022 and Windows 11.

(These settings are available on the configuration of Identity Server, quick links given above)

  • Is GRPC Enabled: Enable the toggle to activate it.
  • Is GRPCWeb Enabled: Enable the toggle to activate it; gRPC-Web makes the private service compatible with HTTP/1.1.
  • GRPC Port: Enter the port number on which the gRPC service will listen.

Step 2: After successfully configuring Visual Guard Identity Server, you need to generate the Visual Guard Configuration files as shown below.

  1. Select the Client Configuration section from the dashboard.

  2. Select your application/client, select ‘PrivateConnection’ as the client’s platform type and click ‘Generate Configuration Files’.


  3. Once you click Generate Configuration Files, the files are generated automatically. You will see the section shown below confirming the successful configuration. Click the Download buttons on the left to get the configuration files. You need to place these Visual Guard configuration files in your application folder.


8. Settings

Settings refer to configurable options and parameters that govern the behavior, functionality, and security of the VG identity server. These settings allow administrators to customize various aspects of the identity server to align with organizational requirements and security policies. They may include options related to authentication methods, user registration, password policies, token issuance, logging and auditing, integration with external systems, and more. Configuring settings in Visual Guard Identity Server ensures that the identity server operates effectively, securely, and in accordance with organizational needs, providing a centralized and robust platform for managing authentication and authorization across applications and systems.

Below are the different settings available under Identity Server.

8.1 Remember Me

The “Remember Me” feature in an identity server context is designed to enhance the user experience by allowing users to remain authenticated without needing to re-enter their credentials for a specified period. This feature is commonly implemented using long-lived cookies or tokens that persist across browser sessions. Here is a detailed description:

The primary purpose of the “Remember Me” feature is to provide convenience to users by maintaining their authenticated session even after they close their browser or shut down their device. This reduces the frequency of login prompts, enhancing user satisfaction and streamlining access to applications.

When a user returns to the application, the identity server checks for the presence of the persistent cookie or token. If found and valid, the user is automatically authenticated without being prompted for their credentials. This seamless experience is particularly beneficial for applications that require frequent access.

You can opt for this feature by clicking on the Remember Me icon on the login page.

8.2 User Interface

The user interface (UI) in Visual Guard refers to the graphical interface that users interact with to manage company logos and landing page text.

1. Customize logo

If you want to customize the logo, you can do so as shown below.

Steps:

  • Log in to the Visual Guard Identity Server.
  • Go to the Settings -> User Interface page.
  • Go to the ‘Company Logo’ tab.
  • Specify the logo.

2. Change the website text

If you want to customize the login page for a specific application, you can use the pre-defined Visual Guard variables shown below.

Pre-defined Visual Guard variables

  • [ApplicationId] – Gets the application Id.
  • [ApplicationName] – Gets the application Name.
  • [ApplicationDescription] – Gets the application Description.

Steps:

  • Log in to the Visual Guard Identity Server with master admin rights.
  • Go to the Settings -> User Interface page.
  • Go to the ‘WebSite Text’ tab.
  • Provide the text to be displayed along with the pre-defined variables, as shown below.

Result:

After applying the changes, the login form will contain the application name and application id, supplied through the pre-defined variables as shown below.


8.3 Configure Server

Configuring a server in an Identity Server involves setting up and customizing the server’s operational parameters that dictate how the identity server operates and interacts with other components to manage authentication, authorization, and user management services effectively within an IT ecosystem.

Configuring an Identity Server is a critical task that requires a deep understanding of both the technical aspects of the Identity Server software and the security requirements of the organization. Proper configuration ensures that the Identity Server can provide secure, reliable, and efficient identity services across the organization’s applications and systems.

You can edit the Identity Server parameters.

1. Primary Information: You can provide the basic information of your Identity Server.

2. Edit Signing Certificate: You can manage the signing certificate; click Validate Certificate below it after you update the certificate.


3. Is Clustered: You can configure whether the identity server is clustered or not; if it is, you need to provide the Issuer URI of the cluster.


4. Allow auto restart when required: You can choose whether the server should restart automatically, and set the interval (every x minutes) at which it checks whether a restart is needed.


5. Is Grpc Private Service Enabled: You can choose whether to enable gRPC; if yes, you need to provide the gRPC port and whether gRPC-Web is enabled, as gRPC-Web makes the private service compatible with HTTP/1.1.


6. Authentication Preferences: You can provide the default domain for Windows authentication on the Identity Server, the authentication mode, and whether Windows authentication and automatic Windows authentication are enabled.


7. Other Information: You can choose whether to overwrite the certificate when you deploy the repository or application.


8. Click Switch Configuration if you want to select another identity server configuration. Click the Save button when you want your changes to be saved, and make sure to restart the Identity Server for your changes to take effect. You can restart the Identity Server by clicking the Restart button.


8.3.1 Switch Identity Server

Selecting or switching the Identity Server configuration involves choosing or changing the operational settings and parameters of an Identity Server to match specific requirements or to transition between different environments (e.g., development, testing, production). It enables administrators to manage multiple configurations efficiently and switch between them as needed to support various operational scenarios or to update security measures without disrupting service.

Click Switch Configuration to change your Identity Server, select the server name from the drop-down and click Next.

Once you click Next you will get the edit page, in case you want to update any settings; then click the Save button when you want your changes to be saved, and make sure to restart the Identity Server for your changes to take effect. You can restart the Identity Server by clicking the Restart button.

8.3.2 New Identity Server

Process of setting up a new instance of an Identity Server:

Step 1: Provide primary information such as the server name and description.

Step 2: Edit Signing Certificate

You can manage the signing certificate; click on Validate Certificate below when you update the certificate.

Step 3: Is Clustered

You can configure whether the Identity Server is clustered or not. If it is, you need to provide the Issuer Uri for the cluster.

Step 4: Allow auto restart when required

You can choose whether the server restarts automatically, and set the interval (every x minutes) at which it checks whether a restart is required.

Step 5: Is Grpc Private Service Enabled

You can choose whether to enable Grpc. If enabled, you need to provide the Grpc port and choose whether Grpc web is enabled, which makes the private service compatible with HTTP 1.1.

Step 6: Authentication Preferences

You can provide the default domain for Windows authentication on the Identity Server, the authentication mode, and whether Windows authentication and automatic Windows authentication are enabled.

Step 7: Other Information

You can choose whether to overwrite the Identity Server once it is deployed.

Step 8: Click on the Save button when you want your changes to be saved, and make sure to restart the Identity Server so your new changes take effect. You can restart the Identity Server by clicking on the Restart button.


8.3.3 Configure Token Signing Certificate

Certificates are fundamental to the security and functionality of IdentityServer. They serve as digital identities that verify the authenticity of the server and the clients interacting with it.

In the context of IdentityServer, certificates play a pivotal role:

• IdentityServer uses certificates to digitally sign the tokens it issues and to establish trust between the Identity Server and clients.
• This ensures that a token has not been tampered with in transit. Clients verify the authenticity of a token by validating its signature against the public key of the certificate used to sign it.

Types of Certificates Used in IdentityServer

• Self-Signed Certificates: Created by the server itself. While convenient, they lack the trust associated with certificates issued by a trusted Certificate Authority (CA).
• CA-Issued Certificates: Issued by a trusted CA, providing higher levels of trust and security.

By understanding the role of certificates in IdentityServer and implementing them correctly, you can significantly enhance the security and reliability of your authentication and authorization infrastructure.

Note: A private key must be present in the certificate.

How to configure the certificate for Identity Server?

Step 1: Go to the Identity Server dashboard and click on the Identity Server section.

Step 2: Enable the Edit Signing Certificate section –> Upload the .pfx signing certificate –> Enter the certificate password –> Click on Validate Certificate, which is located at the end of the page.

This certificate will be used to sign the tokens IdentityServer issues and to establish trust between IdentityServer and clients.

Note: This certificate can be configured by Identity Server and WinConsole only.


8.4 Local Settings

Here, you can configure Visual Guard’s Identity Server URL, which will be used for internal communication.

VGIdentityServer makes internal calls to perform operations such as authentication, session management, and loading of authorizations. Configuring this URL ensures that these calls are correctly routed within the network infrastructure.

Configuring the Internal DNS for VGIdentityServer

To ensure optimal configuration of VGIdentityServer, follow the steps below in the “Local Settings” section:

1. Access Local Settings: In the VGIdentityServer administration interface, navigate to the “Local Settings” submenu. This section contains various configuration settings that influence the operation of the identity server.
2. Set the Internal DNS: Look for the field dedicated to configuring the internal DNS. This field should be filled with the Fully Qualified Domain Name (FQDN) or internal IP address of the VGIdentityServer, followed by the port used for internal communications. For example: internaldns.example.com:port or 192.168.1.1:port.
3. Save Changes: After entering the internal DNS and port, make sure to save your changes. This action refreshes the VGIdentityServer configuration and applies the new settings.

8.5 Restart IdentityServer

Restarting IdentityServer involves stopping and then starting the IdentityServer service or application to apply configuration changes, update software, or troubleshoot issues, ensuring continued secure authentication and authorization services.

Step 1: Click on the restart Identity Server icon.

Step 2: Once you click on the icon you will get a notification prior to the restart. If you agree with the message, go ahead and click on the restart button.

9. Advanced Settings

You can configure some properties manually.

Inside appsettings.json, you can configure the trace level and other settings.

You can check the Server URL here.

9.1 How to activate Tracing and Logging?

Tracing refers to the systematic recording of events, operations, and processes within the VG system. This functionality is crucial for debugging, monitoring system performance, auditing security processes, and ensuring compliance with regulatory standards. Tracing in VG captures detailed information about the system’s behavior, including authentication attempts, authorization checks, and other security-related events.

Purpose of Tracing in Identity Server

1. Debugging and Troubleshooting: Helps identify and resolve issues within VG by providing a detailed log of events leading up to an error or malfunction.
2. Security Auditing: Records security-related events, such as login attempts, access control decisions, and changes to security policies, which is essential for detecting potential breaches and unauthorized access attempts.
3. Performance Monitoring: Tracks the performance of VG operations, allowing administrators to identify and address bottlenecks or inefficiencies in the system.
4. Compliance and Reporting: Supports compliance with legal and regulatory requirements by logging access and changes to sensitive data, demonstrating that appropriate security controls are in place.

To enable different levels of tracing, choose the appropriate options in the appsettings.json file (visual reference provided below).

VGIdentityServerConfiguration.TraceLevel

This property specifies the minimum level to log for Visual Guard Identity Server activities.
The following options are available:

• Off = 0, //Output no tracing and debugging messages.
• Error = 1, //Output error-handling messages.
• Warning = 2, //Output warnings and error-handling messages.
• Info = 3, //Output informational messages, warnings, and error-handling messages.
• Verbose = 4 //Output all debugging and tracing messages.

Logging

The Logging property can have LogLevel and log provider properties. The LogLevel specifies the minimum level to log for the selected categories. In the screenshot, the Information and Warning log levels are specified. LogLevel indicates the severity of the log and ranges from 0 to 6:

• Trace = 0
• Debug = 1
• Information = 2
• Warning = 3
• Error = 4
• Critical = 5
• None = 6

The “Default” and “Microsoft” categories are specified.
The “Microsoft” category applies to all categories that start with “Microsoft”.
The “Microsoft” category logs at log level Warning and higher.

A specific log provider is not specified, so LogLevel applies to all the enabled logging providers except for the Windows EventLog.
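As an added illustration (not part of the Visual Guard documentation or product), the following Python script applies the category rule just described to a few constructed log entries: a category takes the LogLevel of the longest configured prefix that matches it, falling back to "Default", and an entry is written only when its level is at least that minimum. The entry categories and the extra "Microsoft.Hosting.Lifetime" rule are constructed for this example to show that the longest matching prefix wins; they are not taken from Visual Guard.

```python
# Severity order of the logging levels listed in section 9.1 (0..6).
LOG_LEVELS = ["Trace", "Debug", "Information", "Warning", "Error", "Critical", "None"]
RANK = {name: rank for rank, name in enumerate(LOG_LEVELS)}

# LogLevel section as described in the text, plus a longer "Microsoft.Hosting.Lifetime"
# prefix (constructed for this example) so the longest-prefix rule is visible.
LOG_LEVEL_CONFIG = {
    "Default": "Information",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information",
}

# Constructed entries: (category, level, message). Category names are illustrative.
SAMPLE_ENTRIES = [
    ("Novalys.VisualGuard.Tools.VGIdentityServer", "Information", "Identity Server started"),
    ("Novalys.VisualGuard.Tools.VGIdentityServer", "Debug", "loading authorizations"),
    ("Microsoft.AspNetCore.Routing.EndpointMiddleware", "Information", "executing endpoint"),
    ("Microsoft.AspNetCore.Authentication", "Warning", "authentication failed"),
    ("Microsoft.Hosting.Lifetime", "Information", "application started"),
]


def effective_min_level(log_level_config, category):
    """Minimum level for a category: the longest matching prefix wins, else Default.

    Without a Default entry the fallback is Information, which is also the
    framework default. Prefix comparison is case-insensitive, as in .NET.
    """
    best_prefix, best_level = "", log_level_config.get("Default", "Information")
    for prefix, level in log_level_config.items():
        if prefix == "Default":
            continue
        if category.lower().startswith(prefix.lower()) and len(prefix) > len(best_prefix):
            best_prefix, best_level = prefix, level
    return best_level


def is_logged(log_level_config, category, level):
    """True when an entry at `level` for `category` passes the configured filter.

    "None" ranks above Critical, so a category set to None writes nothing.
    """
    return RANK[level] >= RANK[effective_min_level(log_level_config, category)]


def filter_entries(log_level_config, entries):
    """Keep only the entries a provider governed by this LogLevel section would write."""
    return [entry for entry in entries if is_logged(log_level_config, entry[0], entry[1])]


if __name__ == "__main__":
    for category, level, message in filter_entries(LOG_LEVEL_CONFIG, SAMPLE_ENTRIES):
        print(f"[{level}] {category}: {message}")
```

Of the five constructed entries, the Debug entry from the Visual Guard category and the Information entry from Microsoft.AspNetCore.Routing are dropped; the Microsoft.Hosting.Lifetime entry survives because its more specific rule overrides the "Microsoft" rule.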


Check Logs and Traces

You can check the logs and traces files as shown below.


9.2 How to set up Windows Authentication?

Visual Guard offers two modes of Windows authentication:
Windows SSO (Single Sign-On) and Mixed-Mode Authentication (Windows + another type of authentication).

Requirement

• The VG Identity Server needs to be installed on a Windows Server
• The Windows Server needs to be in the domain
• The Windows Server needs to have IIS

Activate Windows Authentication in the VG Repository

First, you need to check that Windows authentication is activated in the repository:

• Open VG WinConsole
• Select and open your VGRepository
• In the VGRepository settings, check that Windows Authentication is enabled in the supported authentication modes section.

Activate Windows authentication

Activate Windows Authentication in VG Identity Server

IIS needs to have Windows Authentication activated:

• Select the VG Identity Server app
• Go to the Authentication module
• Enable Anonymous and Windows authentication

Activate Anonymous and Windows authentication

Which Windows authentication mode should be selected?

Visual Guard offers two modes of Windows Authentication:

The first mode is Mixed Mode authentication, which allows you to authenticate users with their Windows account or with another type of authentication.

The second one is Windows SSO (Single Sign-On): the user does not need to do anything, Visual Guard authenticates the user directly without any action on their part.

How to configure Mixed Mode Authentication?

To activate this mode, you need to open the VG Identity Server folder:

• Open the appsettings.json file for Visual Guard Identity Server
• Set IsWindowsAuthenticationEnabled = true
• Set IsAutomaticWindowsAuthenticationEnabled = false
• Save the file and restart the VGIdentityServer

Sample

{
  "VGIdentityServerConfiguration": {
    "ServerId": "a31a70b4-9a09-445e-82c9-c6262eaa58f5",
    "WebUserInterfaceId": "03d1acad-61bf-4b62-82f4-3fe5eb0bb554",
    "IsWindowsAuthenticationEnabled": true,
    "IsAutomaticWindowsAuthenticationEnabled": false,
    "TraceLevel": "Verbose",
    "ServerUrl": "http://localhost:5000",
    "UseDefaultIdentityServerWhenServerIdEmpty": false,
    "CheckIfRestartRequiredAtEveryMinutes": "1",
    "AllowAutoRestart": "true"
  }
}

VG Identity Server sample login form

Mixed mode authentication user view

Windows Authentication

How to configure Windows SSO?

Windows SSO (Single Sign-On) authenticates users without any action on their part.

To activate this mode, you need to open the VG Identity Server folder:

• Open the appsettings.json file for Visual Guard Identity Server
• Set IsWindowsAuthenticationEnabled = true
• Set IsAutomaticWindowsAuthenticationEnabled = true
• Save the file and restart the VGIdentityServer

Sample code

{
  "VGIdentityServerConfiguration": {
    "ServerId": "a31a70b4-9a09-445e-82c9-c6262eaa58f5",
    "WebUserInterfaceId": "03d1acad-61bf-4b62-82f4-3fe5eb0bb554",
    "IsWindowsAuthenticationEnabled": true,
    "IsAutomaticWindowsAuthenticationEnabled": true,
    "TraceLevel": "Verbose",
    "ServerUrl": "http://localhost:5000",
    "UseDefaultIdentityServerWhenServerIdEmpty": false,
    "CheckIfRestartRequiredAtEveryMinutes": "1",
    "AllowAutoRestart": "true"
  }
}

From now on, when a user accesses the page, they will be automatically authenticated with their Windows account, without a login screen being displayed.
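The Mixed Mode and Windows SSO samples above differ only in IsAutomaticWindowsAuthenticationEnabled. The following Python script is an added example (not part of the Visual Guard documentation or product) that reads an appsettings.json document, names the Windows authentication mode it selects (Mixed Mode, Windows SSO, or disabled), and checks the other VGIdentityServerConfiguration values shown in the samples: TraceLevel against the names listed in section 9.1, ServerUrl for an absolute http(s) URL, and the auto-restart interval. The broken sample, the acceptance of quoted booleans such as "true", and the two warnings (plain http on a non-local host, Verbose outside troubleshooting) are this example's own assumptions, not rules stated by the product.

```python
import json
from urllib.parse import urlsplit

# TraceLevel names accepted by VGIdentityServerConfiguration.TraceLevel (section 9.1).
TRACE_LEVELS = {"Off": 0, "Error": 1, "Warning": 2, "Info": 3, "Verbose": 4}

# The Windows SSO sample from this guide, embedded so the script runs offline.
SSO_SAMPLE = """
{
  "VGIdentityServerConfiguration": {
    "ServerId": "a31a70b4-9a09-445e-82c9-c6262eaa58f5",
    "WebUserInterfaceId": "03d1acad-61bf-4b62-82f4-3fe5eb0bb554",
    "IsWindowsAuthenticationEnabled": true,
    "IsAutomaticWindowsAuthenticationEnabled": true,
    "TraceLevel": "Verbose",
    "ServerUrl": "http://localhost:5000",
    "UseDefaultIdentityServerWhenServerIdEmpty": false,
    "CheckIfRestartRequiredAtEveryMinutes": "1",
    "AllowAutoRestart": "true"
  }
}
"""

# A constructed, deliberately broken configuration that exercises every check.
BROKEN_SAMPLE = """
{
  "VGIdentityServerConfiguration": {
    "IsWindowsAuthenticationEnabled": "false",
    "IsAutomaticWindowsAuthenticationEnabled": true,
    "TraceLevel": "Debug",
    "ServerUrl": "vgidentityserver.mycompany.local",
    "CheckIfRestartRequiredAtEveryMinutes": "0",
    "AllowAutoRestart": "yes"
  }
}
"""


def as_bool(value):
    """Accept JSON booleans and the quoted form ("true") used in the shipped samples."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"expected true/false, got {value!r}")


def windows_auth_mode(enabled, automatic):
    """Name the mode selected by the two flags, as described in section 9.2."""
    if enabled and automatic:
        return "Windows SSO"
    if enabled:
        return "Mixed Mode"
    return "Windows authentication disabled"


def check_identity_server_config(text):
    """Parse appsettings.json text and return {'mode', 'errors', 'warnings'}."""
    errors, warnings = [], []
    cfg = json.loads(text).get("VGIdentityServerConfiguration")
    if cfg is None:
        return {"mode": None, "errors": ["missing VGIdentityServerConfiguration section"], "warnings": []}

    flags = {}
    for key in ("IsWindowsAuthenticationEnabled", "IsAutomaticWindowsAuthenticationEnabled"):
        try:
            flags[key] = as_bool(cfg.get(key, False))
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
            flags[key] = False
    mode = windows_auth_mode(flags["IsWindowsAuthenticationEnabled"],
                             flags["IsAutomaticWindowsAuthenticationEnabled"])
    if flags["IsAutomaticWindowsAuthenticationEnabled"] and not flags["IsWindowsAuthenticationEnabled"]:
        # Both documented modes set IsWindowsAuthenticationEnabled = true first.
        warnings.append("automatic Windows SSO requested while Windows authentication is disabled")

    level = cfg.get("TraceLevel")
    if not isinstance(level, str) or level not in TRACE_LEVELS:
        errors.append(f"TraceLevel must be one of {sorted(TRACE_LEVELS)}, got {level!r}")
    elif level == "Verbose":
        # Assumption of this example: Verbose is a troubleshooting setting, not a steady-state one.
        warnings.append("TraceLevel Verbose records every debugging message; prefer Warning or Info outside troubleshooting")

    raw_url = str(cfg.get("ServerUrl", ""))
    url = urlsplit(raw_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        errors.append(f"ServerUrl must be an absolute http(s) URL, got {raw_url!r}")
    elif url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
        warnings.append("ServerUrl uses plain http on a non-local host; tokens would travel unencrypted")

    try:
        if as_bool(cfg.get("AllowAutoRestart", False)):
            minutes = int(str(cfg.get("CheckIfRestartRequiredAtEveryMinutes", "")))
            if minutes < 1:
                errors.append("CheckIfRestartRequiredAtEveryMinutes must be at least 1 when AllowAutoRestart is true")
    except ValueError as exc:
        errors.append(f"auto-restart settings: {exc}")

    return {"mode": mode, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, sample in (("SSO sample", SSO_SAMPLE), ("broken sample", BROKEN_SAMPLE)):
        result = check_identity_server_config(sample)
        print(name, "->", result["mode"])
        for problem in result["errors"]:
            print("  error:", problem)
        for problem in result["warnings"]:
            print("  warning:", problem)
```

Run it against the real file after editing (for example `check_identity_server_config(open("appsettings.json").read())`) before restarting the VGIdentityServer; a wrong TraceLevel name or a ServerUrl without a scheme is caught here rather than discovered after the restart.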

9.3 How to activate new private communication?

9.4 How to deactivate Windows SSO?

VGIdentityServer Feature Guide: Configurable Windows SSO Authentication

This guide provides detailed instructions on how to use specific settings for automatic Windows SSO authentication in VGIdentityServer. These settings allow developers to choose between automatic Windows authentication and manual authentication.

Server Configuration Example:

Server URL: https://vgidentityserver.mycompany.local

IdentityServer Settings:

Windows Authentication Enabled: true
Automatic Windows Authentication Enabled: true

Accessing the Identity Server UI:

Using Current Windows Account (AutoWindowsSSO)

URL: https://vgidentityserver.mycompany.local/Account/Login

• If the current Windows account user has the necessary rights, the system will automatically sign you in.
• If the user lacks the required rights, you’ll be redirected to the login page with a “not authorized to login” message. Here, you can log in using different credentials.

Without Using Current Windows Account (Manual Authentication)

• URL with parameter: https://vgidentityserver.mycompany.local/Account/Login?autowindowssso=false
• The system will prompt you for credentials to authenticate.

Requesting Tokens or Authorization Codes via Browser (AutoWindowsSSO)

• Example URL: https://vgidentityserver.mycompany.local/connect/authorize?response_type=code&client_id=172b5450-6954-4bf5-982f-9af688f1aa58_WebApp&redirect_uri=http://localhost:5002/signin-oidc&scope=openid+profile+VGActivityDate+VGApplications+VGDeveloper+VGIsApproved+VGIsLocked+VGPermissions+VGProfile+VGRoles+VGToken+offline_access+IdentityServerApi
• If the current Windows account user has rights, a code will be provided in the response.
• Without the necessary rights, you’ll be redirected to the login page with a “not authorized to login” message.

Requesting Tokens or Authorization Codes Without Current Windows Account

• URL with parameter: https://vgidentityserver.mycompany.local/connect/authorize?autowindowssso=false&response_type=code&client_id=172b5450-6954-4bf5-982f-9af688f1aa58_WebApp&redirect_uri=http://localhost:5002/signin-oidc&scope=openid+profile+VGActivityDate+VGApplications+VGDeveloper+VGIsApproved+VGIsLocked+VGPermissions+VGProfile+VGRoles+VGToken+offline_access+IdentityServerApi
• The system will prompt you for credentials to authenticate.
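To show how the autowindowssso parameter fits into the authorization request, here is an added Python example (not Visual Guard code) that builds the /connect/authorize URL for the client id, redirect URI and scopes listed in this section with proper query encoding, and a function modelling the server-side decision described above: automatic Windows sign-in is attempted only when both settings are enabled and the request does not carry autowindowssso=false. The decision function, the default of attempting SSO when the parameter is absent, and the random state parameter (which the example URLs on this page omit; it lets the client tie the returned code to the request it made) are this example's additions and assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the example URLs in this section.
SERVER_URL = "https://vgidentityserver.mycompany.local"
CLIENT_ID = "172b5450-6954-4bf5-982f-9af688f1aa58_WebApp"
REDIRECT_URI = "http://localhost:5002/signin-oidc"
VG_SCOPES = ["openid", "profile", "VGActivityDate", "VGApplications", "VGDeveloper",
             "VGIsApproved", "VGIsLocked", "VGPermissions", "VGProfile", "VGRoles",
             "VGToken", "offline_access", "IdentityServerApi"]


def build_authorize_url(client_id, redirect_uri, scopes, auto_windows_sso=True, state=None):
    """Build /connect/authorize for the authorization code flow.

    When auto_windows_sso is False the request carries autowindowssso=false, which
    makes the Identity Server prompt for credentials instead of using the caller's
    Windows account. A random state value is added so the client can match the
    response to this request (an addition of this example, not shown on the page).
    """
    params = {}
    if not auto_windows_sso:
        params["autowindowssso"] = "false"
    params.update({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode turns the spaces into '+', as in the page's URLs
        "state": state or secrets.token_urlsafe(16),
    })
    return f"{SERVER_URL}/connect/authorize?{urlencode(params)}"


def parse_authorize_url(url):
    """Return the single-valued query parameters of an authorize URL as a dict."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def should_attempt_windows_sso(settings, request_url):
    """Model of the server-side decision (assumption of this example):
    SSO needs both settings on and no autowindowssso=false opt-out on the request."""
    if not (settings.get("IsWindowsAuthenticationEnabled")
            and settings.get("IsAutomaticWindowsAuthenticationEnabled")):
        return False
    opt_out = parse_authorize_url(request_url).get("autowindowssso", "true")
    return opt_out.lower() != "false"


if __name__ == "__main__":
    sso_settings = {"IsWindowsAuthenticationEnabled": True,
                    "IsAutomaticWindowsAuthenticationEnabled": True}
    for flag in (True, False):
        url = build_authorize_url(CLIENT_ID, REDIRECT_URI, VG_SCOPES, auto_windows_sso=flag)
        print(url)
        print("  attempt Windows SSO:", should_attempt_windows_sso(sso_settings, url))
```

The redirect_uri is percent-encoded by urlencode, whereas the page's URLs show it literally; browsers accept both, but the encoded form is what an OpenID Connect client library sends. With the Mixed Mode settings (automatic authentication false) the decision function returns False for every request, which matches the manual login described for that mode.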

10. Archive

Welcome to the Visual-Guard Archive section. This part of our documentation is dedicated to providing easy and organized access to previous versions of Visual-Guard, allowing users and developers to find information, guides, and references for past versions of our product.

Why an Archive?

As Visual-Guard continues to evolve, maintaining a record of previous versions is crucial for several reasons:

• Historical Support: Enables users to consult the documentation of previous versions to solve specific issues or understand the evolution of the product.
• Migration Assistance: Aids users in the migration process by providing detailed information on the differences and enhancements between versions.
• Compatibility: Ensures that users working on existing projects can access relevant information for their version of Visual-Guard.

How to Use the Archive

The Archive is organized by version, with each section dedicated to a specific version of Visual-Guard. Below are links to the archived versions:

Visual-Guard 2020.X

This section contains all documentation related to Visual-Guard 2020, including user guides, release notes, and API references.

Previous Versions

For versions prior to Visual-Guard 2020, please click here.

Upgrading to VG 2024

If you’re ready to migrate to the latest version, VG 2024, check out our migration guide for a smooth transition. Our latest version offers significant improvements in performance, security, and features.

10.1 VG2020.X

Welcome to the Visual-Guard 2020 Archive. This section is dedicated to preserving the comprehensive documentation, guides, and reference materials for Visual-Guard version 2020.3. As you navigate through this archive, you will find valuable resources designed to support users and developers who continue to work with or maintain systems using this specific version of Visual-Guard.

Features and Documentation

Visual-Guard 2020 introduced a range of features and improvements that have been foundational to subsequent versions. In this archive, you can explore:

• User Guides: Detailed instructions on how to utilize the features introduced in VG 2020, ensuring you can make the most out of your existing projects.
• Release Notes: A chronological list of updates, bug fixes, and enhancements made throughout the lifecycle of VG 2020.
• API References: Comprehensive documentation of the APIs available in VG 2020, providing essential information for developers integrating Visual-Guard into their applications.

Support and Resources

While VG 2020 is no longer the latest version, we understand the importance of supporting our users through transition periods and beyond. If you’re working on migrating to VG 2024 or need assistance with VG 2020, the following resources are available:

• Migration Guide: Step-by-step instructions to help you transition from VG 2020 to VG 2024 smoothly and efficiently.
• Technical Support: Our dedicated support team is available to assist with any questions or issues you may encounter with VG 2020.

Moving Forward

We encourage users of VG 2020 to consider upgrading to Visual-Guard 2024 to take advantage of the latest features, security enhancements, and performance improvements. Visit our Upgrade Guide for more information on making the transition.

Thank you for your continued support and commitment to Visual-Guard. We’re here to assist you in every step of your journey with our product.

10.1.1 Installation setup

System requirements

Please check the following requirements before installing Visual Guard Identity Server.

Visual Guard 2020.2

• OS: Windows Server 2012, 2016, 2019, 2022
• Hard Drive: 512 GB to 1 TB – Fast drive recommended, ideally SSD
• CPU: 4 core min – 3 GHz or higher
• RAM: 8 GB
• SQL Server for the VG Repository: Standard Edition or higher
• .Net Core 2.1
• .Net Core hosting bundle 2.1

Private mode Communication

• Windows Server 2022 Build 20348 or later.

Installation

Download Visual Guard Identity Server setup and follow the installation wizard.

10.1.2 Using an existing configuration

You can reuse an existing configuration:

1. Click on the button “Configure Identity Server”.
2. Select the Identity Server configuration to use.
3. Identity Server needs to be restarted to apply the new configuration.
4. Wait for Identity Server to restart.
5. The Visual-Guard Identity Server is ready to use.

10.1.3 Configuring VG Identity Server Instance

Configure a new Visual-Guard Identity Server instance.

• Note: this requires a certificate.

Select “re-use an existing configuration” or “create a new configuration”.

The certificate validity is verified.

• Identity server name: name of the server
• Description: enter a description for this new configuration
• Select a certificate (a certificate with a private key is required)
• Check this box to overwrite the configuration when deploying it in another repository

The server needs to be restarted to apply this new configuration.
Wait for the server to restart.
The Visual Guard Identity Server is now ready to use.

10.1.4 Repository configuration

The Visual Guard Identity Server needs a connection to the VGRepository.

Configuration of the Visual Guard repository:

1. Select your repository type (SQL Server or Oracle).
2. Set the information of your repository.
3. Test your connection to the Visual Guard Repository.
4. The connection to the VG Repository is successful.
5. Save the configuration of the VGRepository.

Configure Visual Guard Identity Server