Xiid IM Configuration

With the Xiid Agent securely running on our domain controller, we can now use its Agent Configuration Portal to configure Xiid IM! 🚀

You can access the Agent Configuration Portal via the shortcut added to your desktop during installation or at https://127.0.0.1:10458/.

TIP

If your browser indicates that your connection is not secure when accessing the Portal on 127.0.0.1:10458, this is expected behavior. This warning may be ignored safely.

Authenticator Setup

Creating an Authenticator

The first step is to set up an Authenticator, which will allow the Agent to communicate with your LDAP director(ies).

• Start by opening the Xiid Agent Management Portal by clicking the Browser Icon labeled Manage Xiid.IM Agent on your desktop.
• Log in using the administrator credentials you set during setup.
• In the Xiid Agent Management Portal, navigate to the Authenticators tab.
• Click the purple Add Authenticator button in the top right.
• Enter a description of the Authenticator that will help you associate the authenticator to your LDAP Service and its corresponding user groups, domain mapping, and IM Agent.
• In the Connector section, provide a description of the Connector. The Connector is what defines the communication parameters to your LDAP service.
• In the Type dropdown window, select ldap.
• For the Server URL field, enter the IP Address of the LDAP service. You may use the loopback address (127.x.x.x) if the LDAP Directory Service is running on the same machine as the Active Directory Agent.
• For the Username and Password fields, enter the credentials of an LDAP user that has access only to query the LDAP directory. No other permissions are needed nor recommended for this service user.

TIP

The service account that the Xiid Authenticator will use needs sufficient permissions to query the LDAP directory. The minimum level of permissions that is part of the default permissions set in AD and is sufficient is the Domain Users group.

The Username you provide must be the fully qualified User Principle Name.
Incorrect: user
Correct: user@example.com

• Click the purple Save button and a window will pop up asking for the external domain name that you would like to map to the internal domain name. You can choose the same name as the internal if no domain name mappings are necessary.
• In the Authenticators table, you should now see a row for your newly created Authenticator.

Configurating Security Groups for an Authenticator

Next, you can configure the Security Groups that will be queried with this Authenticator.

TIP

Only user-defined Security Groups can be used. The Windows-defined Security Groups created by default in Active Directory cannot be used.

• Enable Advanced Mode by clicking the switch next to Advanced Mode in the top right corner.
• Click the Pencil Button on the left side of row with the Authenticator you wish to edit (shown below in purple).

• With Advanced Mode enabled, you will now see two additional fields labeled Group Include and Group Exclude.
• You can populate either of those fields with as many Security Groups as you would like included for the Authenticator (using the Group Include field) or specify any number of Security Groups you would like to exclude from this Authenticator using the Group Exclude field.
  • Separate multiple Security Groups using a comma (,).

Firewalls

Firewalls offer an additional, optional layer of application security to filter unwanted IP addresses or restrict subnet access to your SSO portals.

• Enable Advanced Mode by clicking the switch next to Advanced Mode in the top right corner.
• Navigate to the Firewalls tab and click the purple Add Firewall button in the top right.
• On the Add Firewall screen, provide a Description for the Firewall that reminds you of the firewall rule this policy enacts.
• For the Block Type dropdown, select whether you wish to block all requests or approve all requests from a given IP address.
• In the IP Address field, enter the IP addresses you wish to allow or block.
• Enter any comma-separated Tags you would like to use to differentiate this Firewall.
  • Tags can be used to create groups of Firewalls, so if you have a corporate firewall rule that encompasses multiple IP allow/deny lists, you can group them all under a single tag to include in your SSO Portals.
• Click the purple Save button to apply your Firewall.

Translator Setup

You can choose to translate domains, usernames, or User Principle Names (UPN) to something that can be understood by the directory locally with Xiid Translators.

This could be useful, for instance, if an Application requires an email address for sign in as opposed to domain credentials.

• Sign in to the Xiid Agent Management Portal and navigate to the Translators tab.
• On the Translators screen, click the purple Add Translator button in the top right.
• Enter a Description for the translator that helps you understand what data is being translated to and from the local domain context.
• In the Translator Type dropdown, select one of the following:
  • Domain: to translate an external domain name, such as example.com for an email address, to an internal domain name, such as example.local
  • Name: to translate a username, such as BillNye to another username, such as NeildeGrasseTyson
  • UPN: to translate a fully qualified username, such as BillNye@example.com to NeildeGrasseTyson@example.local
• In the Translate From field, enter the Name, UPN, or Domain Name to translate authentication requests from.
• In the Translate To field, enter the Name or UPN to translate to when sending the authentication request to the LDAP service.
  • Note: The Domain type does not have a Translate To field because the domain name is implied from the Connector in the Authenticator.
• Enter any Tags you would like to use to group this Translator with other Translators.
• Click the purple Save button to apply your Translator.

XOTC Setup

TIP

While Xiid IM supports other types of authentication mechanisms, XOTC is the most secure and should be the first choice for most deployments.

The Xiid One Time Code (XOTC) Authenticator is a highly-secure, one-time-code-based authenticator that uses Zero Knowledge Proofs to authenticate users rather than traditional credentials.

• Sign in to the Xiid Agent Management Portal and navigate to the XOTC tab.
• Click the purple Add XOTC button in the top right.
• Provide a Description for the XOTC Authenticator that helps you associate which user groups and rules it covers.
• Choose a duration of time with which the One-Time-Code will be valid for.
  • Xiid generally recommends a one-minute interval to give users a bit of breathing room while signing in.
• Click the purple Save button to finish.

Now that XOTC Authentication is provisioned, we need to enforce XOTC Authentication on SSO Portals.

• Navigate to the SSO Portals tab and click the purple pencil icon to edit the SSO Portal.
• Click Next until you arrive at the XOTC / MFA section.
• On the XOTC / MFA screen you should now see the new XOTC Authenticator you just created listed in the table.
• Select it and click Next until you reach the end and save the changes.

Now, your SSO Portal will enforce XOTC Authentication for your users!

SSO Portal Setup

Xiid provides the ability to set up multiple SSO Portals for different user groups.

If you have an IT organization or an Engineering organization, for example, that may need access to special applications or resources, you can separate access using distinct SSO Portals.

• Sign in to the Xiid Agent Management Portal and navigate to the SSO Portals tab.
  • Xiid creates a default home portal when your first Authenticator is created. You can edit that SSO Portal (although you cannot change the id) by clicking the purple pencil button next to the SSO Portal row in the SSO Portals Table.
• To create a new SSO Portal, start by clicking the purple Add SSO Portal button in the top right corner.
• On the Add SSO Portal screen, start by providing an ID for the Portal which defines the full URL path of the SSO Portal.
  • The default SSO Portal created by Xiid has the ID of home, so its url would resemble https://exampleportal.us.xiid.im/home. If you had used engineering as the ID, the url would resemble https://exampleportal.us.xiid.im/engineering.
• After providing an ID for the Portal, enter a Description to help you remember the purpose of this SSO Portal and whom it serves.
• Click the Next button and select the Authenticator you would like to associate with the portal. Keep in mind, the Authenticator defines the Security Group access policies, so the Authenticator must have properly configured Include and Exclude Groups to control user access.
• Click the Next button and select any Firewalls you have created for use in this SSO Portal.
• Click the Next button again and select any Translators you would like to translate requests for this SSO Portal.
• Click Next again and select an XOTC Authenticator to enforce XOTC Authentication on the SSO Portal. You are not required to select a secondary authentication method.
• Click the purple Save Portal button in the bottom right to save your SSO Portal configuration.

On the SSO Portals page you will now see a row for your SSO Portal in the table. Verify that the Ready column contains a green check mark.

Application Setup

Now that Xiid IM is fully integrated with your directory, it's time to make it possible to securely access your applications and resources through Xiid!

An Xiid Application is a third-party application or resource that you want to be accessible via cards in Xiid’s SSO Portals.

Follow these guides for examples on how to integrate different types of external applications into your SSO Portals:

• Remote Desktop and/or VDI
• Microsoft 365
• Google Workspace
• SAML2.0 Applications