
Tenant cloud settings

High-level overview of idemeum admin portal settings.

Overview

To access the admin portal settings:

  • Open your idemeum admin dashboard
  • Select Settings in the left menu
  • Use the top menu to switch between the setting categories described below

Global settings

Global settings are used to configure tenant-wide features, including how users onboard with a mobile device and how they authenticate to idemeum portals.

  • Onboarding attributes - defines what information users must verify in the idemeum mobile application before they can be onboarded into the platform. For example, if you choose Email address, users need to verify their email address in the idemeum mobile app before they can access idemeum portals.
  • Portal passkey login - allows users to register a passkey (in addition to using the mobile application) and use it to log in to idemeum portals. Passkey authentication relies on the device's built-in authenticator, such as Windows Hello, which verifies the user with the device's biometric sensor.
  • Session expiration - specifies how long a browser session stays valid before the user must re-authenticate with a mobile device.
  • Cloud LDAP interface - enables the Cloud LDAP interface so that devices and services can authenticate to the idemeum cloud over the LDAP protocol. When LDAP is enabled, idemeum also stores each user's password as an MD4 hash (the NT hash), which NTLM-based authentication requires. Note that this hash is unsalted and is by itself sufficient to authenticate over NTLM, so treat the stored value as password-equivalent and enable the interface only when something actually needs it.

Desktop agent

The settings in this category define how the idemeum desktop agent behaves.

  • Enable desktop login for users - when the idemeum desktop agent is installed, this setting lets you control user desktop authentication.
    • Once this setting is enabled, use User authentication mode to choose how users are authenticated: with an idemeum username / password, Passwordless MFA, or an RFID badge.
    • You can also disable native Windows authentication with the Disable native Windows login option.
  • Enable push notification for login - when you authenticate users with Passwordless MFA, they scan a QR code and approve the login with biometrics. In addition to scanning the QR code, you can offer a push notification: the user types their email address, and the authentication notification is sent to their mobile device.
  • Enable sharing - when this setting is enabled, multiple users can access the workstation with credentials, Passwordless MFA, or an RFID badge. When it is disabled, only the user who installed the desktop agent can access the workstation.
  • Assign access to all users - applies only when Enable sharing is toggled on. At installation time, the desktop agent assigns access to all idemeum users.
  • Assign ownership to all admins - at installation time, admin access and rights are assigned to all idemeum admins.
  • Master key - the idemeum platform offers zero-knowledge encryption for all sensitive information. The encryption key, which we call the master key, is visible only to you and is not accessible to the idemeum team. All sensitive information, including user passwords, is encrypted with this key, so no one but you can access your passwords, even if the idemeum cloud is compromised. More about the master key below.
    • See the linked Master key article: the idemeum desktop client handles sensitive information, including user credentials. To achieve the highest level of security and enable client-side encryption, you can generate a master key in the admin portal and supply that key to all idemeum desktop agents during installation.
  • Desktop branding - when the idemeum desktop client is installed, you can use branding assets such as a logo, background, or text to style the login screen. More about branding below.
    • See the linked Branding article: the idemeum desktop agent allows you to customize the desktop login screen with various branding assets.

RFID settings

This category of settings controls the behavior of RFID Single Sign-On.

See also the RFID SSO overview. To get started quickly, check the Quick-start guides page, which links to guides for setting up RFID Single Sign-On on domain-joined or local workstations and testing the platform.
  • Password onboarding - allows users to onboard / register their RFID badges using their domain credentials. When a new employee taps a badge that idemeum does not know about, the idemeum desktop client prompts for domain credentials; once the credentials are entered and verified, the user is onboarded and the badge ID is registered in idemeum.
  • Daily password prompt - adds a security mechanism that prompts the employee for a password once per day, in the morning. When the employee arrives at the office and taps the badge, idemeum prompts for a password before allowing the employee to access any domain-joined workstation with the RFID badge.
  • Tap out mode - configures what happens when the employee taps out. The first option is to Sign out the employee from the workstation. The other option is to Lock the computer so that the session is preserved.
  • Badge starting series - a comma-separated list of badge number prefixes that are allowed to log in. Badges whose number does not start with one of the listed series are ignored.
    • For example, if you specify 30,4, a tap from a badge whose number starts with 5 is ignored, while badges starting with 30 or 4 are accepted.
  • Domain controller name - applies to local (non-domain-joined) workstations. When a workstation is local but has network visibility of the domain, you can still use it to onboard users with domain credentials. Use this setting to specify the address of your domain controller.

PAM settings

These settings configure the Privileged Access Management (PAM) products.

  • Technician login mode - chooses how your technicians access workstations: with individual / named accounts or with shared accounts. With individual accounts, idemeum automatically creates a JIT (just-in-time) admin account for each technician.
  • Domain computers login mode - by default, technicians access any computer with a JIT local admin account. If you want to use domain accounts on domain-joined computers, set this option to domain.
  • LAPS for local admin account - idemeum can automatically rotate passwords for local admin accounts. If you enable this setting, you need to provide the account name to use. Idemeum either creates a new account or takes over an existing one.
  • LAPS for domain admin account - idemeum can automatically rotate the password of a domain admin account (when the agent is installed on a domain controller). If you enable this setting, you need to provide the account name to use. Idemeum either creates a new account or takes over an existing one.
  • Account password length - sets the length of all passwords created by idemeum, including LAPS credentials, JIT account passwords, and service account passwords.
  • Enable login via OTP - allows technicians to use a one-time code (OTP) for online login. By default, OTP is used only for offline login, where the technician scans a QR code. Enabling this option lets technicians use OTP for online login as well.