1. Installation setup

System requirements

Please check the following requirements before installing Visual Guard Identity Server.

Visual Guard 2024.0

  • Operating System: Windows Server 2012, 2016, 2019, 2022
  • Hard Drive: 512 GB to 1 TB – Fast drive recommended, ideally SSD
  • CPU:  4 core min – 3 Ghz or higher
  • RAM: 8 GB 
  • Software:
  • IIS with the necessary Windows features should be installed as described below.
  • VGRepository
    • Require SQL Server 2012 or later, with a minimum of the Standard Edition.
    • Require Oracle Database with Oracle9i or later. Please ensure the Oracle Driver is installed.
  • Install the VGIdentityServerSetup. [Link available in the table above]
  1. Doing so, will create a ‘VisualGuardIdentityServer’ website.
  2. It will also create an application pool ‘AspNetCore’ ‘with – .Net CLR Version – “No Managed Code”.
    (If not created, please create it manually)
  • Check the list of websites, select ‘VisualGuardIdentityServer’.
    Go to ‘Advanced Settings’, and select application pool – ‘AspNetCore’.
  • Check ‘permissions’, and assign full permissions to ‘IIS_IUSRS’.
  • Check the application root path.
    Select ‘web.config’ , please make sure it contains the following values:
<aspNetCore processPath="dotnet" arguments=".\Novalys.VisualGuard.Tools.VGIdentityServer.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdosut">
<environmentVariables />
</aspNetCore>

Private mode Communication

  • Windows Server 2022 Build 20348 or later.

Installation Steps

Step 1: Download Visual Guard Identity Server setup and follow the installation wizard

Step 2: Enter the required information, Site, Application pool and click Next

Step 3: Installation process will begin

Step 4: Once installation is complete, you will be notified with a message confirming the successful setup. Please click “Close” to exit the setup.

1.1 How to migrate from VGServer ?

The VGServer has been replace by Visual-Guard Identity Server.

VG Identity Server works with the bearer Token, the VGToken, which is contained inside of the claims.

We need to authenticate from VG Identity Server

How to get the security token ?

The API has been updated.
Please refer to the following list to find out how to update the API:

  • /Security/Principal/GetIdentity replace by /api/Principal/GetIdentity
  • /Security/GetRoles replace by /api/Principal/GetCurrentRoles
  • /Security/IsInRoleByName/ replace by /api/Principal/IsInRoleByName
  • /Security/HasPermissionByName/ replace by /Security/HasPermissionById/
  • /Security/GetPermissions replace by /api/Principal/GetCurrentPermissions

2. Repository configuration

Step 1: The Visual Guard identity server needs a connection to the VGRepository

Step 2: Select your repository type (SQL Server or Oracle) from the dropdown and click on Next

Step 3: Set the information of your repository as required and click on “Test Connection” to test the connection to the repository.

Once your connection is valid you will receive a connection successful message, click Ok and then Next.

Step 4: Set your VG identity server Url to configure successfully

Step 5: Once the configuration is successful you can click on Finish and you can start using the repository

3. Authentication

In Visual Guard, “Authentication” is the process of verifying the identity of a user or entity attempting to access a system or application. Visual Guard supports various types of authentication methods, each offering different levels of security and user experience:

  1. Visual Guard: Users authenticate using Visual Guard’s built-in login system, where they provide a username and password combination verified against Visual Guard’s user database. This method offers a standard authentication approach managed within the Visual Guard framework.
  2. Windows Authentication by Credential: Users authenticate through their Windows credentials, leveraging the security infrastructure of the Windows operating system. Visual Guard integrates with Windows authentication to validate user identities, providing seamless access to applications based on Windows credentials.
  3. Multi-Factor Authentication (MFA): Visual Guard supports Multi-Factor Authentication (MFA), requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.
  4. Passwordless:Passwordless login is a method of authentication that allows users to access a system or application without requiring a traditional password. Instead of entering a password, users are authenticated through alternative methods such as magic link or SMS verification. In Visual Guard, passwordless login enhances security and user experience by providing convenient and secure authentication options that eliminate the need for users to remember and manage passwords.

These authentication methods cater to different security requirements and user preferences, allowing Visual Guard to provide a flexible and robust authentication framework for securing applications and systems.

Authentication Flow

The flowchart depicts the authentication process with OpenID Connect (OIDC) and Multi-Factor Authentication (MFA). It involves the user initiating login, the application redirecting to the Identity Provider (IdP), credential validation by the IdP, an MFA challenge, token issuance, and finally, the application granting access based on validated tokens.

Click on any of the below authentication types to know steps of login

Visual Guard
Windows By Credential
Multifactor Authentication
Passwordless

3.1 Visual-Guard User

Users authenticate using Visual Guard’s built-in login system, where they provide a username and password combination verified against Visual Guard’s user database. This method offers a standard authentication approach managed within the Visual Guard framework.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: User tries to access the demo application, by clicking on ‘Secure using Universal Login‘.

Step 2: Since the user is not authenticated user, he/she will be redirected to the Identity server login page automatically.

Click on the drop down under Authentication and choose VisualGuard and enter the Username and Password, click sign In

Step 3: Once the user is authenticated and authorized successfully, he/she will be redirected back to the demo application.

3.2 Windows by Credential

Users authenticate through their Windows credentials, leveraging the security infrastructure of the Windows operating system. Visual Guard integrates with Windows authentication to validate user identities, providing seamless access to applications based on Windows credentials.

Shown below is a demo application secured by VisualGuard Identity Server

Step 1: User tries to access the demo application, by clicking on ‘Secure using Universal Login‘.

Step 2: Since the user is not authenticated user, he/she will be redirected to the Identity server login page automatically

Click on the drop down under Authentication and choose WindowsbyCredential and enter the Username (Domain\username) and Password

Step 3: Once the user is authenticated and authorized successfully, he/she will be redirected back to the demo application.

3.3 Multifactor Authentication (MFA)

Visual Guard supports Multi-Factor Authentication (MFA) on top of the existing authentication methods, requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email and TOTP via microsoft authenticator. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: User tries to access the demo application, by clicking on ‘Secure using Universal Login’.

Step 2: Since the user is not authenticated user, he/she will be redirected to the Identity server login page automatically

Click on the drop down under Authentication and choose your prefered authentication types i.e VisualGuard or WindowsbyCredential etc, then enter the Username and Password, Click sign In

Step 3: Once you login, the MFA authentication window will show up, which will ask you the options if you would like to have the link or OTP to be sent via email or SMS, after selecting the option click on OK.

Step 4: Once you choose the option, an OTP or link will be sent to your registered email ID or phone number, enter the OTP received and click on Sign In

Step 5: Once the user is authenticated and authorized successfully, he/she will be redirected back to the demo application.

3.4 Passwordless

Passwordless login is a method of authentication that allows users to access a system or application without requiring a traditional password. Instead of entering a password, users are authenticated through alternative methods such as magic link or SMS verification. In Visual Guard, passwordless login enhances security and user experience by providing convenient and secure authentication options that eliminate the need for users to remember and manage passwords.

Shown below is a demo application secured by VisualGuard Identity Server.

Step 1: User tries to access the demo application, by clicking on ‘Secure using Universal Login‘.

Step 2: Since the user is not authenticated user, he/she will be redirected to the Identity server login page automatically.

Click on the drop down under Authentication and choose Passwordless and enter the Username, click sign In

Step 3: You will be asked to authenticate yourself through the magice link or SMS by the registered details. Click Ok once you select the option

Step 4: Once the user is authenticated and authorized successfully, he/she will be redirected back to the demo application.

3.5 Bearer Token

What is a Bearer Token and how it works?

A Bearer Token is an access token issued by IdentityServer, which clients use to authenticate and access protected resources by including the token in the HTTP Authorization header with requests.

The process works as follows:

  1. Token Issuance: When a user successfully authenticates with IdentityServer, an access token (Bearer Token) is generated and issued to the client application. This token is a JSON Web Token (JWT) containing claims about the user and their permissions.
  2. Token Transmission: The client application includes the Bearer Token in the HTTP Authorization header for subsequent requests to protected resources. The header format is: Authorization: Bearer <token>.
  3. Resource Server Validation: The resource server (API) validates the Bearer Token by verifying its signature, expiration, and the claims contained within. This ensures the token is issued by a trusted authority (IdentityServer) and is still valid.
  4. Access Control: Based on the token’s claims, the resource server determines if the client has the necessary permissions to access the requested resource. If valid, the server processes the request; if not, it rejects the request with an appropriate error message.

Bearer Tokens provide a secure and efficient method for clients to access protected resources without needing to repeatedly authenticate, facilitating stateless and scalable security management

How it works?

Step 1: User initiates the authentication request

Step 2: Identity Server authenticates the user credentials

Step 3: Once the authentication if successfull, a token is received

Step 4: The resource server checks the validity and integrity of the Bearer Token

Step 5: Access to the requested resource is granted or denied based on the claims in the Bearer Token

4. Multifactor Authentication (MFA) Enrollment

In Visual Guard, MFA enrollment within the identity server framework enhances security by requiring users to provide multiple forms of verification before access is granted. Visual Guard supports Multi-Factor Authentication (MFA) on top of the existing authentication methods, requiring users to provide additional verification beyond a username and password. This could include receiving a one-time password (secure code) or magic link via SMS or email and TOTP via microsoft authenticator. MFA enhances security by adding an extra layer of protection against unauthorized access, even if login credentials are compromised.

Below are the different modes to enroll to MFA, click on the icons to know more about each one of them.

Via Email ID
Via Phone Number
Via Microsoft Authenticator

4.1 Via Email Address

OTP (One-Time Password) or a secure link sent via email is used as an additional layer of security to enhance the authentication process.This method significantly reduces the risk of unauthorized access and is especially useful for protecting sensitive operations and transactions.

Step 1: Select the email address option

Step 2: Enter your Email ID and select Send Email

Step 3: Enter the secure code you may have received over the registered email ID and click on Validate

Step 4: Once your identity is validated, you can return to the application home page. Upon attempting to log in, you will be presented with a screen that offers you the choice of receiving either a link or an OTP (One-Time Password) to your registered email ID for authentication. Select your preferred method and click “Continue” to complete the authentication process successfully.

MFA Enrollment Modes

4.2 Via Phone Number

In Visual Guard, the OTP/Link via phone number feature allows users to authenticate themselves through their registered mobile number. When attempting to log in, users can choose to receive an OTP (One-Time Password) or a verification link sent directly to their mobile phone via SMS. This added layer of security ensures that only users with access to the registered phone number can complete the authentication process.This method enhances security by leveraging a second factor of authentication tied to the user’s mobile device.

Step 1: Select the phone number option

Step 2: Enter your Phone Number and select Send SMS

Step 3: Enter the secure code you may have received over the registered phone number and click on Validate

Step 4: Once your identity is validated, you can return to the application home page. Upon attempting to log in, you will be presented with a screen that offers you the choice of receiving either a link or an OTP (One-Time Password) to your registered phone number for authentication. Select your preferred method and click “Continue” to complete the authentication process successfully.

MFA Enrollment Modes

4.3 Via Microsoft Authentication

In Visual Guard, TOTP (Time-based One-Time Password) via Microsoft Authenticator provides an additional layer of security for user authentication. Users can set up their Microsoft Authenticator app to generate time-based, one-time passwords that refresh every 30 seconds. During the login process, users enter the current TOTP displayed on their Microsoft Authenticator app to verify their identity. This method ensures a secure and dynamic form of authentication, as the OTP is time-sensitive and unique to each login attempt.

Step 1: Select the Microsoft TOTP authentication option

Step 2: Select the type of device you use.

Step 3: Scan the QR code to download the application.

Andriod device

IOS device (Iphone)

Step 4: Once you open the application and scan the QR code your profile account will be added automatically.

Step 5: Enter the secure code that is generated by the application and click on Validate

Step 6: You will get a notification for the successfull enrollment, click on Go back to Application to login further.

Step 7: Once you can return to the application home page. Upon attempting to log in, you have to click on the Microsoft Authenticator icon and enter the code and click on Continue to complete the authentication process successfully.

MFA Enrollment Modes

5. Dashboard

A dashboard is a graphical user interface that provides users with a consolidated view of key information and data relevant to VisualGuard Identity Server, by providing easy access.

  • Identity Clients: These applications or systems that use Visual Guard for authentication and authorization services, enabling secure access control and user identity management across various platforms
  • Client Configuration: Configuring a client in Identity Server involves registering the client and its type with the authorization server, obtaining client credentials, specifying authorization grant types and redirect URIs, and understanding the token endpoint and scope. These configurations ensure secure and proper interaction between the client and the Identity server while protecting user data and resources.
  • User Interface: The user interface (UI) in Visual Guard refers to the graphical interface which allows to customize the user interface by managing company logos and landing page text.
  • Identity Server: Configuring a server in an Identity Server involves setting up and customizing the server’s operational parameters that dictate how the identity server operates and interacts with other components to manage authentication, authorization, and user management services effectively within an IT ecosystem
  • Restart Identity Server: By clicking on this icon the identity server will restart

The dashboard allows administrators to monitor the health and performance of the identity server, track user authentication and authorization trends, and access important configuration settings and management tools to ensure smooth operation and security compliance.

Click on the below icons to know further about each of the functionalities.

User Interface
Identity Server
Client Configuration
Identity Clients
Restart IdentityServer

6. Identity Clients

These are applications that use Visual Guard for authentication and authorization services, enabling secure access control and user identity management across various platforms

Step 1: Click on the identity clients icon.

Step 2: The dashboard will show you the details of all the clients associated.

  • Application name: The unique identifier or title of an application within Visual Guard
  • Status: Indicates whether an application or client is currently active or inactive
  • Platform type: Specifies the technology or environment in which the application operates
  • Client name: The designated name of a client application utilizing Visual Guard for security services
  • Client ID: A unique identifier assigned to a client application for authentication and authorization purposes
  • Grant types: Methods allowed for obtaining access tokens, such as authorization code, implicit, or client credentials.
  • Client configuration: Settings and parameters defined for a client application to integrate with Visual Guard’s security services

Step 3: Incase you make any changes in the backend, you will see the status of the applications and also the option to activate the application

Step 4: Once you click on activate you will get a notification as below, and you can click on Restart if you are compliant with the message.

Note: To activate Identity Client, you must restart VisualGaurs Identity server, proceeding with restart, it will briefly pause authentication and authorization services.

7. Client Configuration

Client configuration in Visual Guard involves setting up and configuring the Visual Guard Client component, which is responsible for enforcing security policies and managing user authentication and authorization within client applications. This configuration typically includes specifying the Visual Guard server endpoint, defining authentication methods, configuring access control rules, and integrating client applications with Visual Guard’s security framework. Client configuration ensures that client applications can securely authenticate users, enforce access controls, and interact with the Visual Guard server to manage user identities and permissions effectively.

Step 1: Select the Client from the dropdown

Step 2: Select the Client’s platform type as well from the dropdown and click on Generate Client Configuration

Sample data from the generation of the client configuration.

8. Settings

Settings refer to configurable options and parameters that govern the behavior, functionality, and security of the identity server. These settings allow administrators to customize various aspects of the identity server to align with organizational requirements and security policies. They may include options related to authentication methods, user registration, password policies, token issuance, logging and auditing, integration with external systems, and more. Configuring settings in Visual Guard Identity Server ensures that the identity server operates effectively, securely, and in accordance with organizational needs, providing a centralized and robust platform for managing authentication and authorization across applications and systems.

Below are the different settings available under Identity Server.

User Interface
Configure Server
Local Settings

8.1 Remember Me

The “Remember Me” feature in an identity server context is designed to enhance the user experience by allowing users to remain authenticated without needing to re-enter their credentials for a specified period. This feature is commonly implemented using long-lived cookies or tokens that persist across browser sessions. Here is a detailed description:

The primary purpose of the “Remember Me” feature is to provide convenience to users by maintaining their authenticated session even after they close their browser or shut down their device. This reduces the frequency of login prompts, enhancing user satisfaction and streamlining access to applications.

When a user returns to the application, the identity server checks for the presence of the persistent cookie or token. If found and valid, the user is automatically authenticated without being prompted for their credentials. This seamless experience is particularly beneficial for applications that require frequent access.

You can opt for this feature by clicking on the Remember Me icon on the login page.

    8.2 User Interface

    The user interface (UI) in Visual Guard refers to the graphical interface that users interact with to manage company logos and landing page text.

    1. Customize logo

    If you want to customize the logo, you can easily customize it as shown below.

    Steps:

    • Login to the Visual-guard Identity Server
    • You can go to the settings -> UserInterface Page.
    • Goto the ‘Company Logo’ tab.
    • Specify the logo.

    2. Change the website text

    If you want to customize the login page for specific application, you can use some pre-defined visual-guard variables as shown below.

    Pre-defined Visual-guard variables

    • [ApplicationId] – Gets the application Id.
    • [ApplicationName] – Gets the application Name
    • [ApplicationDescription]- Gets the application Description

    Steps:

    • Login to the Visual-guard Identity Server with master admin rights
    • You can go to the settings -> UserInterface Page.
    • Goto the WebSite Text tab.
    • Provide the text to be displayed along with the pre-defined variables as shown below.

    Result:

    After applying the changes, when login form will be displayed, it will contain the application name and application id information via pre-defined variables as shown below.

    8.3 Configure Server

    Configuring a server in an Identity Server involves setting up and customizing the server’s operational parameters that dictate how the identity server operates and interacts with other components to manage authentication, authorization, and user management services effectively within an IT ecosystem.

    Configuring an Identity Server is a critical task that requires a deep understanding of both the technical aspects of the Identity Server software and the security requirements of the organization. Proper configuration ensures that the Identity Server can provide secure, reliable, and efficient identity services across the organization’s applications and systems.

    You can edit the Identity Server parameters.

    1. Primary Information: You can provide the basic information of your Identity Server

    2. Edit Signing Certificate: You can manage the signing certificate and click on Validate Certificate below when you update the certificate

    3. Is Clustered: You can configure whether identity server is clustered or not, you need to provide the Issuer Uri for the clustered Uri

    4. Allow auto restart when required: You can choose if you want the server to restart automatically and you can also set up the time to check at every x minutes for the restart

    5. Is Grpc Private Service Enabled: You can choose if you want to enable Grpc, if yes then you need to provide the Grpc port and whether the Grpc web is enabled or not as it makes the private service compatible with http 1.1.

    6. Authentication Preferences: You can provide the default domain for windows authentication on IdentitySever, the authentication mode and whether the windows authentication and automatic windows aunthentication is enabled or not

    7. Other Information: You can choose if the you want to overwrite Identity Server once it is deployed

    8. Click on Switch Configuration if you want to select another identity server configuration, Click on Save button, when you want your changes to be saved, and make sure to restart Identity Server to reflect your new changes.You can restart the Identity Server by clicking on Restart button

    Create New Identity Server
    Switch/Select the Identity Server Configuration

    8.3.1 Switch Identity Server

    Selecting or switching the Identity Server configuration involves choosing or changing the operational settings and parameters of an Identity Server to match specific requirements or to transition between different environments (e.g., development, testing, production). It enables administrators to manage multiple configurations efficiently and switch between them as needed to support various operational scenarios or to update security measures without disrupting service.

    Click on Switch Configuration to change your Identity Server, Select the server name from the drop down and click on Next.

    Once you click on the Next button and you will get edit page incase you wan to update on settings, then click on the Save button, when you want your changes to be saved, and make sure to restart Identity Server to reflect your new hanges.You can restart the Identity Server by clicking on Restart button

    8.3.2 New Identity Server

    Process of setting up a new instance of an Identity Server,

    Step 1: Provide Primary information like server name and description

    Step 2: Edit Signing Certificate

    You can manage the signing certificate and click on Validate Certificate below when you update the certificate

    Step 3: Is Clustered

    You can configure whether identity server is clustered or not, you need to provide the Issuer Uri for the clustered Uri

    Step 4: Allow auto restart when required

    You can choose if you want the server to restart automatically and you can also set up the time to check at every x minutes for the restart

    Step 5: Is Grpc Private Service Enabled

    You can choose if you want to enable Grpc, if yes then you need to provide the Grpc port and whether the Grpc web is enabled or not as it makes the private service compatible with http 1.1.

    Step 6: Authentication Preferences

    You can provide the default domain for windows authentication on IdentitySever, the authentication mode and whether the windows authentication and automatic windows aunthentication is enabled or not

    Step 7: Other Information

    You can choose if the you want to overwrite Identity Server once it is deployed

    Step 8: Click on Save button, when you want your changes to be saved, and make sure to restart Identity Server to reflect your new changes.You can restart the Identity Server by clicking on Restart button

    8.4 Local Settings

    Here, you can configure Visual Guard’s Identity Server Url, which will be used for internal communication.

    VGIdentityServer makes internal calls to perform operations such as authentication, session management, and loading of authorizations. Configuring this url ensures that these calls are correctly routed within the network infrastructure.

    Configuring the Internal DNS for VGIdentityServer

    To ensure optimal configuration of VGIdentityServer, follow the steps below in the “Local Settings” section:

    1. Access Local Settings: In the VGIdentityServer administration interface, navigate to the “Local Settings” submenu. This section contains various configuration settings that influence the operation of the identity server.
    2. Set the Internal DNS: Look for the field dedicated to configuring the internal DNS. This field should be filled with the Fully Qualified Domain Name (FQDN) or internal IP address of the VGIdentityServer, followed by the port used for internal communications. For example: internaldns.example.com:port or 192.168.1.1:port.
    3. Save Changes: After entering the internal DNS and port, make sure to save your changes. This action refreshes the VGIdentityServer configuration and applies the new settings.

    8.5 Restart IdentityServer

    Restarting IdentityServer involves stopping and then starting the IdentityServer service or application to apply configuration changes, update software, or troubleshoot issues, ensuring continued secure authentication and authorization services.

    Step 1: Click on the restart Identity Server icon

    Step 2: Once you click on the icon you will get a notification prior to the restart, if you are compliant with the message go ahead and click on the restart button.

    9. Advanced Settings

    You can configure some properties manually.

    inside of the appSettings.json, you can configure the Level of trace, etc…

    You can check the Server URL here.

    9.1 How to activate Tracing and Logging?

    Tracing refers to the systematic recording of events, operations, and processes within the VG system. This functionality is crucial for debugging, monitoring system performance, auditing security processes, and ensuring compliance with regulatory standards. Tracing in VG captures detailed information about the system’s behavior, including authentication attempts, authorization checks, and other security-related events.

    Purpose of Tracing in Identity Server

    1. Debugging and Troubleshooting: Helps identify and resolve issues within VG by providing a detailed log of events leading up to an error or malfunction.
    2. Security Auditing: Records security-related events, such as login attempts, access control decisions, and changes to security policies, which is essential for detecting potential breaches and unauthorized access attempts.
    3. Performance Monitoring: Tracks the performance of VG operations, allowing administrators to identify and address bottlenecks or inefficiencies in the system.
    4. Compliance and Reporting: Supports compliance with legal and regulatory requirements by logging access and changes to sensitive data, demonstrating that appropriate security controls are in place.

    To enable different levels of tracing, choose the appropriate options in the appsettings.json file (visual reference provided below).

    VGIdentityServerConfiguration.TraceLevel

    This property specifies the minimum level to log for Visual Guard Identity Server activities.
    It has following options available.

    • Off = 0, //Output no tracing and debugging messages.
    • Error = 1, //Output error-handling messages.
    • Warning = 2, //Output warnings and error-handling messages.
    • Info = 3, //Output informational messages, warnings, and error-handling messages.
    • Verbose = 4 //Output all debugging and tracing messages.

    Logging

    The Logging property can have LogLevel and log provider properties. The LogLevel specifies the minimum level to log for selected categories. In the screenshot, Information and Warning log levels are specified. LogLevel indicates the severity of the log and ranges from 0 to 6:

    • Trace = 0
    • Debug = 1
    • Information = 2
    • Warning = 3
    • Error = 4
    • Critical = 5
    • None = 6.

    The “Default” and “Microsoft” categories are specified.
    The “Microsoft” category applies to all categories that start with “Microsoft”.
    The “Microsoft” category logs at log level Warning and higher.

    A specific log provider is not specified, so LogLevel applies to all the enabled logging providers except for the Windows EventLog.

    Check Logs and Traces

    You can check the logs and traces files as shown below.

    9.2 How to set up Windows Authentication?

    Visual Guard offers two modes of Windows authentication:
    Windows SSO (Single Sign On) and Mix-Mode Authentication (Windows + another type of authentication).

    Requirement

      • The VG Identity Server needs to be installed on a Windows Server

      • The Windows Server needs to be in the domain

      • The Windows Server needs to have IIS

    Activate Windows Authentication in the VG Repository

    First, you need to check if Windows is activated in the repository

      • Open VG WinConsole

      • Select and open your VGRepository

    • In the VGRepository settings, check that Windows Authentication is enabled in the supported authentication modes section.
    Active Windows authentication

    Activate Windows Authentication in VG Identity Server

    IIS needs to have Windows Authentification activated

      • Select VG Identity Server app

      • Go to authentication module

      • Enable Anonymous and Windows authentification

    Activate Anonymous and Windows authentification

    Which Windows authentication mode should be selected?

    Visual Guard offers two modes of Windows Authentication:

    The first mode is Mixed Mode authentication that allows you to authenticate users with their Windows and another type of authentification

    The second one is Windows SSO (Single Sign On), the user don’t need to do any things, Visual Guard authenticate the user directly without any action.

    How to configure for the Mixed Mode Authentication?

    To activate this mode, you need to open the VG Identity Server folder:

      • Open appsettings.json file for VisualGuard Identity Server

      • Set IsWindowsAuthenticationEnabled = true

      • Set IsAutomaticWindowsAuthenticationEnabled = false

      • Save the file and restart the VGIdentityServer

    Sample

    {
  "VGIdentityServerConfiguration": {
    "ServerId": "a31a70b4-9a09-445e-82c9-c6262eaa58f5",
    "WebUserInterfaceId": "03d1acad-61bf-4b62-82f4-3fe5eb0bb554",
    "IsWindowsAuthenticationEnabled": true,
    "IsAutomaticWindowsAuthenticationEnabled": false,
    "TraceLevel": "Verbose",
    "ServerUrl": "http://localhost:5000",
    "UseDefaultIdentityServerWhenServerIdEmpty": false,
    "CheckIfRestartRequiredAtEveryMinutes": "1",
    "AllowAutoRestart": "true"
  }  
}

    VG Identity Server Sample login form

    Mixed mode authentification user view

    Windows Authentification

    How to configure Windows SSO?

    The Windows SSO (Single Sign-On) allows to authenticate users without any action on their part.

    To activate this mode, you need to open the VG Identity Server folder.

      • Open appsettings.json file for VisualGuard Identity Server

      • Set IsWindowsAuthenticationEnabled = true

      • Set IsAutomaticWindowsAuthenticationEnabled = true

      • Save the file and restart the VGIdentityServer.

    Sample code

    {
  "VGIdentityServerConfiguration": {
    "ServerId": "a31a70b4-9a09-445e-82c9-c6262eaa58f5",
    "WebUserInterfaceId": "03d1acad-61bf-4b62-82f4-3fe5eb0bb554",
    "IsWindowsAuthenticationEnabled": true,
    "IsAutomaticWindowsAuthenticationEnabled": true,
    "TraceLevel": "Verbose",
    "ServerUrl": "http://localhost:5000",
    "UseDefaultIdentityServerWhenServerIdEmpty": false,
    "CheckIfRestartRequiredAtEveryMinutes": "1",
    "AllowAutoRestart": "true"
  }
}

    From now on, when a user accesses the page, he will be automatically authenticated with his Windows account, without displaying a login screen.

    9.3 How to activate new private communication ?

    9.4 How to deactivate Windows SSO ?

    VGIdentityServer Feature Guide: Configurable Windows SSO Authentication

    This guide provides detailed instructions on how to utilize specific settings for automatic Windows SSO authentication in VGIdentityServer. These settings allow developers to choose between automatic Windows authentication and manual authentication.

    Server Configuration Example:


    Server URL: https://vgidentityserver.mycompany.local

    IdentityServer Settings:

    Windows Authentication Enabled: true
    Automatic Windows Authentication Enabled: true


    Accessing the Identity Server UI:

    Using Current Windows Account (AutoWindowsSSO)

    URL: https://vgidentityserver.mycompany.local/Account/Login

    • If the current Windows account user has the necessary rights, the system will automatically sign you in.
    • If the user lacks the required rights, you’ll be redirected to the login page with a “not authorized to login” message. Here, you can log in using different credentials.

    Without Using Current Windows Account (Manual Authentication)

    • URL with parameter: https://vgidentityserver.mycompany.local/Account/Login?autowindowssso=false
    • The system will prompt you for credentials to authenticate.

    Requesting Tokens or Authorization Codes via Browser (AutoWindowsSSO)

    • Example URL: https://vgidentityserver.mycompany.local/connect/authorize?response_type=code&client_id=172b5450-6954-4bf5-982f-9af688f1aa58_WebApp
      • &redirect_uri=http://localhost:5002/signin-oidc&scope=openid+profile+VGActivityDate+VGApplications+VGDeveloper+VGIsApproved+VGIsLocked+
      • VGPermissions+VGProfile+VGRoles+VGToken+offline_access+IdentityServerApi
    • If the current Windows account user has rights, a code will be provided in the response.
    • Without the necessary rights, you’ll be redirected to the login page with a “not authorized to login” message.


    Requesting Tokens or Authorization Codes Without Current Windows Account

    • URL with parameter:
    • https://vgidentityserver.mycompany.local/connect/authorize?autowindowssso=false&response_type=code&client_id=172b5450-6954-4bf5-982f-9af688f1aa58_WebApp&redirect_uri=http://localhost:5002/signinoidc
      • &scope=openid+profile+VGActivityDate+VGApplications+VGDeveloper+VGIsApproved+VGIsLocked+
      • VGPermissions+VGProfile+VGRoles+VGToken+offline_access+IdentityServerApi
    • The system will prompt you for credentials to authenticate.

    10. Archive

    Welcome to the Visual-Guard Archive section. This part of our documentation is dedicated to providing easy and organized access to previous versions of Visual-Guard, allowing users and developers to find information, guides, and references for past versions of our product.

    Why an Archive?

    As Visual-Guard continues to evolve, maintaining a record of previous versions is crucial for several reasons:

    • Historical Support: Enables users to consult the documentation of previous versions to solve specific issues or understand the evolution of the product.
    • Migration Assistance: Aids users in the migration process by providing detailed information on the differences and enhancements between versions.
    • Compatibility: Ensures that users working on existing projects can access relevant information for their version of Visual-Guard.

    How to Use the Archive

    The Archive is organized by version, with each section dedicated to a specific version of Visual-Guard. Below are links to the archived versions:

    Visual-Guard 2020.X

    This section contains all documentation related to Visual-Guard 2020, including user guides, release notes, and API references.

    Previous Versions

    For versions prior to Visual-Guard 2020, please click here.

    Upgrading to VG 2024

    If you’re ready to migrate to the latest version, VG 2024, check out our migration guide for a smooth transition. Our latest version offers significant improvements in performance, security, and features.

    10.1 VG2020.X

    Welcome to the Visual-Guard 2020 Archive. This section is dedicated to preserving the comprehensive documentation, guides, and reference materials for Visual-Guard version 2020.3. As you navigate through this archive, you will find valuable resources designed to support users and developers who continue to work with or maintain systems using this specific version of Visual-Guard.

    Features and Documentation

    Visual-Guard 2020 introduced a range of features and improvements that have been foundational to subsequent versions. In this archive, you can explore:

    • User Guides: Detailed instructions on how to utilize the features introduced in VG 2020, ensuring you can make the most out of your existing projects.
    • Release Notes: A chronological list of updates, bug fixes, and enhancements made throughout the lifecycle of VG 2020.
    • API References: Comprehensive documentation of the APIs available in VG 2020, providing essential information for developers integrating Visual-Guard into their applications.

    Support and Resources

    While VG 2020 is no longer the latest version, we understand the importance of supporting our users through transition periods and beyond. If you’re working on migrating to VG 2024 or need assistance with VG 2020, the following resources are available:

    • Migration Guide: Step-by-step instructions to help you transition from VG 2020 to VG 2024 smoothly and efficiently.
    • Technical Support: Our dedicated support team is available to assist with any questions or issues you may encounter with VG 2020.

    Moving Forward

    We encourage users of VG 2020 to consider upgrading to Visual-Guard 2024 to take advantage of the latest features, security enhancements, and performance improvements. Visit our Upgrade Guide for more information on making the transition.

    Thank you for your continued support and commitment to Visual-Guard. We’re here to assist you in every step of your journey with our product.

    10.1.1 Installation setup

    System requirements

    Please check the following requirements before installing Visual Guard Identity Server.

    Visual Guard 2020.2

    • OS: Windows Server 2012, 2016, 2019, 2022
    • Hard Drive: 512 GB to 1 TB – Fast drive recommended, ideally SSD
    • CPU:  4 core min – 3 Ghz or higher
    • RAM: 8 GB 
    • SQL Server for the VG Repository : Standard Edition or higher
    • .Net Core 2.1
    • .Net Core hosting bundle 2.1

    Private mode Communication

    • Windows Server 2022 Build 20348 or later.

    Installation

    Download Visual Guard Identity Server setup and follow the installation wizard.

    10.1.2 Using an existing configuration

    You can reuse an existing configuration

    Click on the button “Configure Identity Server”
    Select one identity Server configuration need to be use
    We need to restart Identity Server to apply the new configuration
    Waiting the restart of Identity Server
    The Visual-Guard Identity server is ready to use

    10.1.3 Configuring VG Identity Server Instance

    Configure a new Visual-Guard Identity Server instance

    • Note : this requires a certificate

    Select “re-use a existing configuration” or “create a new configuration”

    The certificate validity is verified.

    • Identity server name: name of the server
    • Description : enter a description for this new configuration
    • Select a certificate (Certificate with private key required)
    • Check this box to overwrite the configuration when deploying it in another repository
    We need to restart the server to apply this new configuration
    Waiting for the Server to restart
    The Visual Guard Identity Server is now ready to use

    10.1.4 Repository configuration

    The Visual Guard identity server needs a connection to the VGRepository


    Configuration of the Visual Guard repository
    Select your repository type (SQL Server or Oracle)
    Set the information of your repository
    Test your connection to the Visual Guard Repository
    The connection to the VG Repository is successful.
    Save the configuration of the VGRepository

    Configure Visual Guard Identity Server