# Xiid.IM Agent Configuration #

Now that we have the Xiid Agent securely running on our domain controller, we’re ready to configure the details of the Agent.

## Authenticator Setup ##

The first step is to set up an Authenticator, which will instruct the Agent on how to communicate with your LDAP directory.

Start by opening the Xiid Agent Management Portal by clicking the Browser Icon labeled __Manage Xiid.IM Agent__ on your desktop.

In the Xiid Agent Management Portal, navigate to the __Authenticators__ tab. Click the purple __Add Authenticator__ button in the top right.

Enter a description of the Authenticator that will help you associate the authenticator with its LDAP Service and its corresponding user groups, domain mapping and Active Directory Authentication Agent.

In the __Connector__ section, provide a description of the *Connector*. The *Connector* is what defines the communication parameters to your LDAP service.

In the __Type__ dropdown window, select *ldap*.

For the __Server URL__ field, enter the IP Address of the LDAP service. You may use the *Loopback Address* if the LDAP Directory Service is running on the same machine as the Active Directory Agent.

For the __Username__ and __Password__ fields, enter the credentials of an LDAP user that has access __only__ to query the LDAP directory. No other permissions are needed nor recommended on this service user.

The __Username__ *must* be the fully qualified User Principal Name.

- *Incorrect* Username:
  - user
- *Correct* Username:
  - user@example.com

Hit the purple __Save__ button and a window will pop up asking for the __external__ domain name that you would like to map to the internal domain name. You can choose the same name as the internal one if no domain name mappings are necessary.

In the Authenticators table, you should now see a row for your newly created Authenticator.

Next, you can configure the __Security Groups__ that will be queried with this Authenticator.
__Note:__ Only __user-defined__ Security Groups can be used. The Windows-defined Security Groups created by default in Active Directory cannot be used.

The first thing you will need to do is enable __Advanced Mode__ by clicking the switch next to __Advanced Mode__ in the top right corner.

Click the __Pencil Button__ on the left side of the new row of your Authenticator to edit the settings for your Authenticator (shown below in __purple__).

![Xiid Authenticator Page and Example](images/authenticatorsgeneric.PNG)

With __Advanced Mode__ enabled, you will see two additional fields in the Authenticator section labeled __Group Include__ and __Group Exclude__. You can populate either of those fields with as many Security Groups as you would like __included__ for the Authenticator (using the __Group Include__ field) or specify any number of Security Groups you would like to exclude from this Authenticator using the __Group Exclude__ field. Separate multiple Security Groups using a __comma (",")__.

__Note: Windows default Security Groups are NOT considered in the Group Include/Exclude filters. It must be a *user-defined* Security Group.__

## Firewalls ##

__[OPTIONAL]__

Firewalls offer an additional layer of Application Security to filter unwanted IP addresses or restrict subnet access to your SSO portals.

If your Agent Management Portal does not show a Firewall tab in the left hand navigation menu, follow [this FAQ for help on enabling advanced mode.](./faq.html#i-dont-see-all-of-the-tabs-in-the-agent-management-portal)

Navigate to the Firewalls tab and click the purple __Add Firewall__ button in the top right.

On the __Add Firewall__ screen, provide a description for the firewall that reminds you of the firewall rule this policy enacts.

For the __Block Type__ dropdown, select whether you wish to block all requests or approve all requests from a given IP address.

In the __IP Address__ field, enter the IP Address you wish to allow or block.
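The following is an added illustration, not Xiid's own code, of the two access gates described above: an Authenticator's Group Include / Group Exclude filters and a Firewall's Block Type rule for a single IP address. The evaluation order, the "exclusion wins" rule, and the small list of Windows default group names are assumptions made for the example, not behaviour documented by Xiid.

```python
"""Added illustration (not Xiid's code) of the two access gates described
above: an Authenticator's Group Include / Group Exclude filters and a
Firewall's Block Type rule for one IP address.

Assumptions, not taken from the Xiid docs: a user passes the group filter
when they are in any included group (or no include list is set) and in no
excluded group; names are compared case-insensitively; Windows default
groups are skipped in the filters and are modelled here with a small
constructed list of well-known built-in group names.
"""
import ipaddress

# Constructed sample of Windows-defined groups, which the filters ignore.
WINDOWS_DEFAULT_GROUPS = {"domain users", "domain admins", "administrators", "users"}


def parse_group_field(field: str) -> list:
    """Split a comma-separated Group Include/Exclude field, dropping blanks
    and Windows default groups (only user-defined groups count)."""
    names = [g.strip() for g in field.split(",")]
    return [g for g in names if g and g.lower() not in WINDOWS_DEFAULT_GROUPS]


def group_filter_allows(user_groups, include_field: str, exclude_field: str) -> bool:
    """Apply Group Exclude first, then Group Include (empty include = no restriction)."""
    include = {g.lower() for g in parse_group_field(include_field)}
    exclude = {g.lower() for g in parse_group_field(exclude_field)}
    member = {g.lower() for g in user_groups}
    if member & exclude:      # membership in any excluded group rejects the user
        return False
    return not include or bool(member & include)


def firewall_allows(client_ip: str, rules) -> bool:
    """rules: list of (block_type, ip) pairs with block_type 'block' or 'allow',
    mirroring the Block Type and IP Address fields. A matching 'block' rule
    rejects; if any 'allow' rules exist the client must match one of them."""
    ip = ipaddress.ip_address(client_ip)
    allows = [ipaddress.ip_address(r) for t, r in rules if t == "allow"]
    blocks = [ipaddress.ip_address(r) for t, r in rules if t == "block"]
    if ip in blocks:
        return False
    return not allows or ip in allows


def portal_admits(client_ip, user_groups, include_field, exclude_field, rules) -> bool:
    """Firewall check first (no directory lookup needed), then the group filter."""
    return firewall_allows(client_ip, rules) and group_filter_allows(
        user_groups, include_field, exclude_field)
```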
Last, enter any comma-separated Tags you would like to use to differentiate this Firewall. Tags can be used to create groups of firewalls, so if you have a "corporate" firewall rule that encompasses multiple IP White/Blacklists, you can group them all under a single tag to include in your SSO Portals.

Click the purple __Save__ button to wrap up creating your Firewall.

## Translator Setup ##

__[OPTIONAL]__

We’ve now defined how to communicate with our LDAP service; however, there may be a problem with our external applications. Some of them may ask for an email address to sign in as opposed to your domain credentials. We can solve this problem seamlessly using Xiid Translators.

Sign in to the Xiid Agent Management Portal and navigate to the __Translators__ tab.

On the __Translators__ screen, click the purple __Add Translator__ button in the top right.

Enter a __Description__ for the translator that helps you understand what data is being translated to and from the local domain context.

In the __Translator Type__ dropdown, select:

- __Domain__ to translate an external domain name, such as example.com for an email address, to an internal domain name, such as example.local
- __Name__ to translate a username, such as BillNye, to another username, such as NeildeGrasseTyson
- __UPN__ to translate a fully qualified username, such as BillNye@example.com, to NeildeGrasseTyson@example.local

In the __Translate From__ field, enter the __Name__, __UPN__, or __Domain Name__ to translate authentication requests from (inbound requests, generally from the SSO Portal).

In the __Translate To__ field, enter the __Name__ or __UPN__ to translate to when sending the authentication request to the LDAP service.

*Note: The Domain type does not have a Translate To field because the domain name is implied from the Connector in the Authenticator.*

Last, you can enter any [Tags](./faq.html#what-is-a-tag) you would like to use to group this Translator with other Translators.
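As an added example (not Xiid's code), the function below shows how the three Translator types described in this section could rewrite an inbound SSO login into the UPN sent to the LDAP service. The matching order (UPN, then Name, then Domain) and case-insensitive comparison are assumptions; the Domain type takes its target from the Authenticator's Connector, as the note above states, so it is passed in as `internal_domain`.

```python
"""Added illustration (not Xiid's code) of how Domain, Name and UPN
Translators could rewrite an inbound login before it reaches LDAP.

Assumptions: an exact UPN translator wins outright; otherwise Name
translators rewrite the user part and Domain translators rewrite the
domain part to the Authenticator's internal domain; comparisons are
case-insensitive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Translator:
    kind: str               # "Domain", "Name" or "UPN"
    translate_from: str     # value seen on the inbound request
    translate_to: str = ""  # empty for Domain translators (implied by the Connector)


def translate_login(login: str, translators, internal_domain: str) -> str:
    """Return the UPN handed to the LDAP service for an inbound login."""
    name, _, domain = login.partition("@")
    # 1. A UPN translator matching the whole login is applied as-is.
    for t in translators:
        if t.kind == "UPN" and login.lower() == t.translate_from.lower():
            return t.translate_to
    # 2. Name translators rewrite the user part; Translate To may itself be a UPN.
    for t in translators:
        if t.kind == "Name" and name.lower() == t.translate_from.lower():
            if "@" in t.translate_to:
                return t.translate_to
            name = t.translate_to
    # 3. Domain translators map the external domain to the Connector's domain.
    for t in translators:
        if t.kind == "Domain" and domain.lower() == t.translate_from.lower():
            domain = internal_domain
    # A bare username (no domain) is qualified with the internal domain.
    return f"{name}@{domain or internal_domain}"
```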
Click the purple __Save__ button to finish creating your Translator.

## XOTC Component Setup ##

__[OPTIONAL]__

Start by signing into the Xiid Agent Management Portal and navigating to the __XOTC__ tab. Click the purple __Add XOTC__ button in the top right.

Provide a description for the XOTC that helps you associate which user groups and rules this authentication standard will enforce.

Last, choose the duration of time for which the One-Time-Code will be valid. Xiid generally recommends a 1-minute interval to give users a bit of breathing room while signing in.

Click the purple __Save__ button to finish.

Now that we have our XOTC Authentication mechanism set up, we need to enforce XOTC Authentication on SSO Portals.

Navigate to the __SSO Portals__ tab and click the purple pencil icon to edit the SSO Portal. Click __Next__ until you arrive at the __XOTC / MFA__ section.

On the __XOTC / MFA__ screen you should now see the new authentication mechanism listed in the table. Select the XOTC component and click __Next__ until you reach the end and save the changes.

Now your SSO Portal will enforce XOTC Authentication for all of your users!

## SSO Portal Setup ##

__[OPTIONAL]__

Xiid provides the ability to set up multiple SSO Portals for different user groups. If you have an IT organization or an Engineering organization that may need access to special applications or resources, you can separate access using different SSO Portals.

To start, sign into the Xiid Agent Management Portal and navigate to the __SSO Portals__ tab.

Xiid creates a default __home__ portal when your first Authenticator is created. You can edit that SSO Portal (though you cannot change the id) by clicking the purple pencil button next to the SSO Portal row in the SSO Portals Table.

To create a new SSO Portal, start by clicking the purple __Add SSO Portal__ button in the top right corner.

On the __Add SSO Portal__ screen, start by providing an __ID__ for the Portal.
The __ID__ will define the full URL path of the SSO Portal. For instance, the default SSO Portal created by Xiid for you has the ID of __home__, so when you navigate to the SSO Portal, you will see a URL path similar to:

https://exampleportal.us.xiid.im/home

which has the word __home__ in the URL. If you used __engineering__ as the ID, your new SSO Portal URL would be:

https://exampleportal.us.xiid.im/engineering

After providing an ID for the Portal, enter a __Description__ that helps you understand the purpose of this SSO Portal in conjunction with the users it will serve.

Click the __Next__ button and select the __Authenticator__ you would like to associate with the portal. Keep in mind, the *Authenticator* defines the Security Group access policies, so the Authenticator must have properly configured Include/Exclude Groups to control user access.

Click the __Next__ button and select any __Firewalls__ you have created for use in this SSO Portal.

Click the __Next__ button again and select any __Translators__ you would like to translate requests for this SSO Portal.

Click __Next__ again and select an __XOTC__ Authenticator to enforce XOTC Authentication on the SSO Portal. You do not need to select a secondary authentication method; however, it is strongly recommended.

Last, click the purple __Save Portal__ button in the bottom right.

On the __SSO Portals__ page you will now see a row for your SSO Portal in the table. Verify that the __Ready__ column contains a green check mark.

## Application Setup ##

Now that Xiid is fully integrated with LDAP, we can create a Xiid Application. The Xiid Application will act as an umbrella for all third-party applications that we want to integrate with Xiid’s Single Sign-On Portal.

Integrating various external applications is more in-depth, and the applications to integrate will depend on your needs.
Follow these setup guide sections to integrate different external applications into your SSO Portals:

- [Remote Desktop and/or VDI](./remote_desktop_setup.md)
- [Office 365](./office_application.md)
- [Google Workspace](./google_workspace.md)
- [SAML2.0 Applications](./saml_application.md)