Skip to main content

Authentication Settings

Hermes SEG utilizes Authelia Authentication Server for controlling access to the the Hermes SEG Administration Console. The Authentication Settings page allows you to change many Authelia settings to suit your needs.

JWT Secret

The JWT Secret is used to craft JWT tokens by the identity verification process. Hermes SEG randomly generates a 20-character alphanumeric string at the time of installation. It's usually not necessary to change this field. However, if you wish to change it, Hermes SEG will accept a minimum 12-character and a maximum 20-character alphanumeric string only.

Access Control Policy

The Access Control Policy field allows you to switch between One Factor Authentication (1FA) which consists of Username and password authentication (Default) OR Two Factor Authentication (2FA) which consists of Username and password AND an additional Timed One Time Password (TOTP) generated on your mobile device for additional security. 

Please note: Two Factor Authentication is a global settings for ALL system users. Enabling Two Factor Authentication will force ALL system users to register a mobile device for Timed One Time Passsword (TOTP).

Two Factor requires the following pre-requisites before enabling:

  • Hermes SEG Outbound E-mail Flow must be working correctly
  • ALL System User Accounts must have a valid e-mail address assigned to them. E-mail addresses can be assigned to System Users by navigating to System --> System Users.
  • You must have an Authenticator app installed on your mobile device such as FreeOTP, Google Authenticator, Authy etc.

Once you set the Access Control Policy to Two Factor and click the Submit button, the system will IMMEDIATELY prompt you to register your first device. Click the Register device link at the bottom of the screen (Figure 1).

Figure 1

image-1635449972196.png

The system will display An email has been sent to your address to complete the process on the upper right-hand corner of the screen (Figure 2).

Figure 2

image-1635450273072.png

Check the mailbox of the e-mail address associated with your account and look for an e-mail that contains the subject Register your mobile and click the Register button at the bottom of the e-mail (Figure 3).

Figure 3

image-1635450744160.png

You will be taken to the Scan QR Code page. Using the Authenticator app you previously downloaded, scan the QR Code from the page and click the DONE button (Figure 4).

Figure 4

image-1635451176940.png

On the following One-Time Password screen enter the passcode generated by your authenticator app (Figure 5).

Figure 5

image-1635452032741.png

If everything goes well and you typed in the correct passcode within the allotted time, you should be able to successfully login to Hermes SEG Administration Console

If you run into a problem and the Two Factor authentication did not work for any reason, you can reset authentication back to One Factor by running the following script from the console with root privileges:

/opt/hermes/scripts/disable_authelia_2fa.sh

Reset Password Function

The Reset Password Function field allows to you switch between Enable (Default) which enables the Reset password link and functionality in the Sign in screen and Disable which disables the link and functionality in the Sign in screen (Figure 6). The Reset Password Function only works if the System Users have valid e-mail addresses assigned to them. E-mail addresses can be assigned to System Users by navigating to System --> System Users.

Figure 6

image-1635455903437.png

Session Name

The Session Name field specified the name of the session cookie which by default it's set to hermes_session. It's usually not necessary to change this field. If you with to change it, it must be an alphanumeric string with undescores (_) or dashes (-) in the name.

Session Secret

The Session Secret field is a string that is used to encrypt session data with Redis. Hermes SEG randomly generates a 20-character alphanumeric string at the time of installation. It's usually not necessary to change this field. However, if you wish to change it, Hermes SEG will accept a minimum 12-character and a maximum 20-character alphanumeric string only.

Session Expiration

The Session Expiration field specifies the amount of time (in seconds) before the cookie expires and the session is destroyed. By default it's set to 3600 (1 Hour). This can be overridden by clicking on the Remember me checkbox on the Sign in screen (Figure 7).

Figure 7

image-1635456643671.png

Session Inactivity

The Session Inactivity field specifies the amount of time (in seconds) the user can be inactive before the session is destroyed. By default it's set to 3600 (1 Hour).

SMTP Host

The SMTP Host field specifies the IP/Host Name of the e-mail server that Authelia will use to send out various notifications such password resets, 2FA notifications etc. By default it's set to the Hermes SEG appliance loopback address [127.0.0.1]. It's normally not necessary to change this field.

SMTP Port

The SMTP Port field specifies the port number of the e-mail server that Authelia will use to send out various notifications such password resets, 2FA notifications etc. By default it's set to the Hermes SEG internal port 10026. It's normally not necessary to change this field.

SMTP From Address

The SMTP From Address field is the e-mail address that Authelia will use to send out various notifications such password resets, 2FA notifications etc. It should be set to a valid e-mail address for a domain Hermes SEG relays.

SMTP E-mail Subject

The SMTP E-mail Subject field specifies the subject format all Authelia outgoing e-mails will have. By default it's set to [Hermes SEG] {title]. The {title} is a variable authelia uses for various functions and should be left intact.

No of Login Failures Before User is Banned

The No of Login Failures Before User is Banned field specified how many times a system user is allowed to fail authentication before that user is banned and not able to login. By default it's set to 5.

Time Between Failed Logins

The Time Between Failed Logins field specifies the period of time (in seconds) Authelia will search for failed login attempts to count them as failed logins before banning a user. By default it's set to 120 (2 minutes).

Banned Time

The Banned Time field specifies the amount of time (in seconds) a user will be banned after failing authentication. By default it's set to 300 (5 minutes).

Log Level

The Log Level field specifies the log level used by Authelia. It can be set to Trace, Debug, Info, Warn or Error. Setting the Log Level to Trace will expose the /debug/vars and /debug/pprof endpoints which should never be enabled unless absolutely necessary during troubleshooting. By default it's set to Debug.

Log Format

The Log Format field specified the log type used by Authelia. It can be set to JSON or Text. By default it's set to Text.Text.