1. Click [OK].

  1. After editing, click [OK]. The Username cannot be changed. If you want to change your password, refer to the Change Password section below.

Change Password

You can change your password from the login username in the Global Menu.

In this example, we are changing the password for the username “admin”.

  1. Enter your new password in the [New Password] and [Retype Password] fields.

  2. Click the [Change Password] button to register the new password.

If the new password and the retyped password do not match, the [Change Password] button will not be enabled.

Note:

To set a password, the following conditions must be met:

  • Must be at least 8 characters
  • Must not be a character string that is easy to guess (person’s name, proper noun, dictionary word, commonly used password)
  • Must not repeat the same characters or be arranged in an easy-to-understand pattern

Setup Two-Factor Authentication (2FA)

Two-factor authentication is a feature that enhances the security of user accounts by requiring a verification code from an authenticator app in addition to the password. It is optional for users, and administrators can set it to be mandatory for all users.

Enable Two-Factor Authentication

If the user is logged in, you can set up two-factor authentication from the user profile dialog.

  1. Click the username (“tester” in the example below) in the Global Menu to open the My User Profile window.

  2. Click [Set up two-factor authentication].

  3. Follow the onscreen instructions to set it up and enter the verification code.

  4. Click [OK].

This completes the configuration. When you log out and log back in, you will be prompted to enter a verification code.

Remove Two-Factor Authentication

If you want to cancel the two-factor authentication setting, you can do so while logged in.

If you are an admin user, you can unset two-factor authentication for all users:

  1. Click [Settings] > [Users].

  2. Select the target user and click the button.

  3. Check “Remove two-factor authentication”, and click [OK].

Note:

If two-factor authentication is not configured, “This user is not configured for two-factor authentication” is displayed, and this checkbox option is not displayed.

  4. In the Server Settings dialog, click [OK].

Configuring External Authentication

When you configure external authentication in NetLD, you can use an authentication server to log in to the product. This eliminates the need to create all user accounts in NetLD beforehand. Additionally, you can retrieve group information from the authentication server to automatically assign product rights and network browsing restrictions.

External Authentication can be configured by clicking [Server Settings] > [External Authentication]. On this page, you can configure protocol-specific settings and Group Mapping. You can tell NetLD which Role to assign to the user and which Managed Networks the user should be restricted to.

RADIUS

To integrate with a RADIUS server, NetLD sends an Access-Request for authentication. To configure this integration, set up the RADIUS server to return an Access-Accept with a Filter-Id attribute attached.

Below is a sample user configuration for FreeRADIUS:

LogicVein Cleartext-Password := "password"
    Filter-Id += "GROUP"

With this configuration, when the RADIUS server receives an Access-Request from NetLD with the username LogicVein and the password password, it returns an Access-Accept with Filter-Id set. Filter-Id is used to designate the group to which the authenticated user belongs.

To configure external authentication:

  1. Click [Settings] in the Global Menu to open the [Server Settings] window in NetLD, and click [External Authentication].

  2. Change the [Enable external authentication] selection to RADIUS.

  3. Set the RADIUS server’s IP address (or hostname) and “Shared Secret”.

  4. Click the button to set permissions for “External Group mappings”.

  5. Input the RADIUS server’s Filter-Id group settings into “External Group” and select [Role] for assignment.

The Active Directory RADIUS settings have now been successfully configured.

  6. Click [OK] to save.

  7. Click [Close] to exit the server settings.

After configuration, input a username and password in the Test Section, then click [Test] to confirm integration with the RADIUS server.

If successful, the message “Authentication successful” will be displayed.

Active Directory

When integrating with an Active Directory server, the Roles and Managed Networks are determined using the groups to which registered users belong.

  1. Click [Settings] in the Global Menu to open the [Server Settings] window in NetLD, and click [External Authentication].

  2. Change “Enable external authentication” to [Active Directory].

  3. Set the domain name and the IP address (or hostname) of the Active Directory server.

  4. Click the button to set permissions for External Group Mapping.

  5. Enter the group to which the user belongs in the “External Group” field, and select the “Role” to be assigned.

The Active Directory settings have now been successfully configured.

Click [OK] to save the settings, and log in using the user credentials configured on the Active Directory server.

SAML

By configuring SAML authentication with an external Identity Provider (IdP), you can enable Single Sign-On (SSO). This allows users to seamlessly log in to NetLD via the IdP.

Local Authentication After SAML Configuration

After completing the SAML authentication setup, when you access a NetLD product page, the linked sign-in page will be displayed. If you want to log in to the product using local authentication instead of SAML authentication, add the variable /?forceLoginPage=true to the end of the URL to access it:

https://[IP address or Hostname]/?forceLoginPage=true

When you open the URL with the variable added, the product’s login page will be displayed. You can log in with a local account such as admin.

Testing External Authentication

After configuring external authentication, you can test external authentication by clicking the [Test] button in the [Server Settings] > [External Authentication] window.

When the [Authentication Test] dialog appears, enter the [Username] and [Password] to test authentication, and click [Test]. If the authentication is successful, the message “Authentication was successful” will be displayed as shown below.

Microsoft Entra ID Integration

Prerequisites

Before configuring single sign-on, please make sure the following conditions are met:

  • You can sign in to Microsoft Entra ID with administrator privileges.
  • The users and groups to be linked exist in Microsoft Entra ID.
  • You have the necessary permissions* to configure settings in NetLD.

*Administrator permissions or permissions to “allow security settings”.

Procedure

Configure SAML

  1. Log in to NetLD.

  2. Open [Settings] > [External Authentication].

  3. Select “SAML” from the [Enable external authentication] dropdown menu.

  4. Verify that [Callback URL] is the correct URL for the NetLD server.

The format for the callback URL is:

https://[IP address or hostname]/auth

By default, it refers to the value in [Network Servers] > [Hostname/IP Address].

  5. Click the [Download LogicVein SAML Service Provider Metadata XML] link to download the Metadata XML file.

File name: LogicVein-saml-sp-metadata.xml

The downloaded file will be used in the next step.

Create A New Application

  1. Sign in to the Microsoft Entra Admin Center.

  2. Click [Identity] > [Applications] > [Enterprise Applications].

  3. Click [New Application].

  4. Click [Create your own application].

  5. Set a name for the app, select [Integrate any other application you don’t find in the gallery (Non-gallery)], and click [Create].

  6. Click [Manage] > [Single Sign-On].

  7. On the [Select a Single Sign-On Method] page, click [SAML].

  8. In the [Set up Single Sign-On with SAML] window, click [Upload metadata file], and upload the downloaded LogicVein-saml-sp-metadata.xml file.

  9. Click [Add].

  10. Ensure that the fields for “Identifier”, “Reply URL”, and “Logout URL” contain the callback URL configured in the NetLD server settings.

  11. Click [Save].

  12. Click the button to exit the window.

(If the pop-up message “Test Single Sign-On” appears, click [No, I’ll test it later].)

  13. In the [Attributes and Claims] section, click [Edit].

  14. On the [Attributes and Claims] page, select [Add a group claim].

  15. Select the [Security Group] option and select “Group ID” in [Source Attribute].

(If you prefer to use display names instead of Group IDs in the NetLD “External Group Mapping” configuration, select “Cloud-only group display names”.)

  16. Click [Save].

  17. Click the button to close the [Attributes and Claims] page.

Obtain IdP Metadata

  1. In the [SAML Certificates] section, click [Download] under [Federation Metadata XML].

  2. Download the IdP metadata XML file.

  3. On the [Set up Single Sign-On with SAML] page, locate [Federation Metadata XML] under the [SAML Signing Certificate] section and select [Download] to download and save the certificate to your computer.

Register the Application in NetLD

  1. Open [Settings] > [External Authentication].

  2. Click [Upload IdP metadata XML] and select the XML file downloaded in the “Obtain IdP Metadata” step.

  3. Click [OK] to save.

Note the object ID

  1. Return to the Microsoft Entra admin center and click [Manage] > [Users and Groups].

  2. Click [Add user or group].

  3. Click [None selected] in the [Users] section.

  4. Select the users who need to be allowed to log in to NetLD from the list.

  5. Click [Select].

  6. Click [Assign] to complete the user assignment.

  7. In the left sidebar, click [Identity] > [Groups] > [All groups].

  8. Note the [Object ID] of the groups allowed to log in to NetLD.

Configure External Group mapping

  1. Open [Settings] > [External Authentication].

  2. On the [External Group Mapping] screen, click the button.

  3. In the [External Group] field, enter the “Object ID” noted in the previous steps.

  4. Specify the permissions to be assigned in the [Permissions] field, and click [OK].

(If you chose “Cloud-only group display names” in Entra Application “Attributes & Claims” configuration, enter the name of the group instead of “Object ID”.)

  5. Click [OK] and save the [Server Settings].

  6. Click [Log out]. You will be redirected to the Microsoft login page.

Okta Integration

Prerequisites

Before configuring single sign-on, make sure the following conditions are met.

  • You can sign in to the Okta dashboard with administrator privileges
  • The users and groups to be integrated exist in Okta
  • You have administrator privileges or permission to “Allow security settings” in NetLD.

Configure SAML

  1. Log in to NetLD.

  2. Click [Settings] > [External Authentication].

  3. Select “SAML” from [Enable external authentication].

  4. Make sure that [Callback URL] is the correct URL for your server.

(By default, it refers to the value of [Network Servers] > [Hostname/IP Address] )

  5. Click the [Download LogicVein SAML Service Provider Certificate] link to download the certificate file.

File name: LogicVein-saml-sp-signing-certificate.crt

The downloaded file will be used in the next step.

Create a new application

  1. In the Okta Admin Console, click [Applications] > [Applications].

  2. Click [Create App Integration].

  3. Select “SAML 2.0” as the Sign-in method and click [Next].

  4. Enter a name for your App name and click [Next].

  5. In the General section of SAML Settings, configure the following:

  • Single sign-on URL: https://[IP address or Hostname]/auth?client_name=SAML2Client
  • Audience URI (SP Entity ID): https://[IP address or Hostname]/auth
  • Application username: mail
  • Update application username on: create and update

  6. Click [Show Advanced Settings].

  7. In the [Signature Certificate] window, click [Browse files…] and select the SP certificate downloaded from NetLD.

File name: LogicVein-saml-sp-signing-certificate.crt

  8. Configure the following items:

  • Enable Single Logout: Enable “Allow application to initiate Single Logout”
  • Single Logout URL: https://[IP address or Hostname]
  • SP Issuer: https://[IP address or Hostname]/auth

  9. In the [Attribute Statements] (optional) section, add the following two items:

Item 1:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Name format: URI Reference
  • Value: user.email

Item 2:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Name format: URI Reference
  • Value: user.lastName

  10. In the [Group Attribute Statements] (optional) section, configure the following:

  • Name: http://schemas.logicvein.com/ws/2024/05/identity/claims/groups
  • Name format: URI Reference
  • Filter: Matches regex, with the expression .*

  11. Click [Next].

  12. Select “I’m an Okta customer adding an internal app”.

  13. Select “It’s required to contact the vendor to enable SAML”.

  14. Click [Finish].

Assigning groups to use the application

  1. Select the [Assignments] tab of your application.

  2. Select [Assign] > [Assign to Groups].

  3. Find the group you want to assign and click [Assign].

  4. Click [Done].

Get IdP metadata

  1. Click the [Sign On] tab.

  2. Copy the Metadata URL in Settings.

  3. Open a new tab in your browser and paste the URL in the address bar to access it.

  4. Right-click the metadata page and select [Save As…].

  5. Save the metadata as an .xml file.

  6. You will use the downloaded file in the next step.

Register application with NetLD

  1. In NetLD, click [Settings] > [External Authentication].

  2. Click [Upload IdP Metadata XML] and select the XML file created in step “Get IdP Metadata”.

Configure External Group mapping

  1. Open [Settings] > [External Authentication].

  2. In the [External Group Mappings] window, click the button.

  3. Enter the Okta group in the External Group field, specify the permissions you want to assign in [Permissions], and click [OK].

  4. Click [OK].

Log in to NetLD

Log in to NetLD as an Okta user.

After completing the settings described in the Okta Integration section, the Okta sign-on screen will be displayed when you access NetLD.

Keycloak Integration

Prerequisites

Before configuring single sign-on, make sure the following conditions are met:

  • You can sign in to the Keycloak dashboard with administrator privileges
  • The users and groups to be integrated exist in Keycloak.
  • You have administrator privileges or permission to “Allow security settings” in NetLD.

Configuring SAML with Keycloak

Keycloak can be run with Docker:

docker run -d --name keycloak -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:25.0.6-0 start-dev

  1. Enter the KEYCLOAK_ADMIN value as the username and the KEYCLOAK_ADMIN_PASSWORD value as the password when you log in to Keycloak.

Use the following command to follow Keycloak logs and debug any authentication issues:

docker logs -f keycloak

  1. Go to http://localhost:8080/ and log in with username admin and password admin.

  2. Click [Clients] > [Create Client].

  3. Enter “Client ID” and “Name”:

  • Client ID: https://<LOGIC_VEIN_SERVER_IP_OR_HOSTNAME>/auth
  • Name: Selected by user (e.g. “NetLD”).

  4. Click [Next] and add a callback URL.

The callback URL should be:

https://<LOGIC_VEIN_SERVER_IP_OR_HOSTNAME>/auth?client_name=SAML2Client

e.g. https://192.168.0.93/auth?client_name=SAML2Client

  5. Click [Save].

  6. Click the [Client Scopes] tab.

  7. Click [https://<LOGIC_VEIN_SERVER_IP_OR_HOSTNAME>/auth-dedicated].

  8. Click [Add Predefined Mapper].

  9. Select [X500 email], and click [Add].

  10. Click “X500 email”.

Set “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” as the “SAML Attribute Name”.

Set [SAML Attribute NameFormat] to URI Reference.

  11. Click [Save].

  12. Click [Client Scopes] in the left sidebar and then click [Role List] in the “Name” column.

  13. Click the [Mappers] tab then click [Role List] in the “Name” column.

Set [Role attribute name] to “http://schemas.logicvein.com/ws/2024/05/identity/claims/groups”.

Set [SAML Attribute NameFormat] to URI Reference.

  14. Click [Save].

  15. Click [Users] in the left sidebar.

  16. Click [admin] in the “Username” column and set an email address.

  17. Click [Save].

  18. Click [Clients] in the left sidebar and click [https://192.168.0.93/auth] in the client list.

  19. Click the [Advanced] tab.

Set “Logout Service POST Binding URL” to https://<LOGIC_VEIN_SERVER_IP_OR_HOSTNAME>/

(e.g. https://192.168.0.93/)

  20. Click the [Keys] tab.

  21. Turn “Client signature required” off and back on.

  22. In the pop-up window, select “Import”.

  23. Set the “Archive format” to “Certificate PEM”.

  24. Download the “LogicVein SAML Service Provider Certificate” from the NetLD SAML External Authentication page, and upload it here.

(You can view the upload certificate in a text editor.)

  25. Click [Confirm].

Note:

Please make sure it is the new certificate shown in the textbox to ensure UI compatibility.

  26. Click [Realm Settings] in the left sidebar, and click [Save] to download the “SAML 2.0 Identity Provider Metadata file”.

  27. Upload the SAML 2.0 Identity Provider Metadata file to “NetLD SAML Upload IDP Metadata XML”.

  28. Log out of NetLD to be redirected to Keycloak for SSO Login.
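When an SSO login fails after the Okta or Keycloak setup above, the usual cause is an attribute that is missing or sent with the wrong NameFormat. The following added example (not NetLD, Okta or Keycloak code) reads the AttributeStatement of a captured assertion and compares it with the two attribute names and the URI Reference format configured in those sections. The sample assertion, the group name "netld-admins" and the role "Operator" are constructed for illustration, and the script does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUPS = "http://schemas.logicvein.com/ws/2024/05/identity/claims/groups"

def read_claims(assertion_xml):
    """Return {attribute name: (NameFormat, [values])} from an assertion."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = (attr.get("NameFormat"), values)
    return claims

def check_claims(claims, group_mapping):
    """List deviations from the attribute setup described in this guide."""
    problems = []
    for name in (EMAIL, GROUPS):
        if name not in claims:
            problems.append(f"missing attribute: {name}")
        elif claims[name][0] != URI_FORMAT:
            problems.append(f"NameFormat is not URI Reference: {name}")
    groups = claims.get(GROUPS, (None, []))[1]
    if groups and not any(g in group_mapping for g in groups):
        problems.append("no group matches an External Group mapping")
    return problems

# Constructed sample: the groups attribute was left at the Basic NameFormat.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL}" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>tester@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{GROUPS}"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>netld-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for line in check_claims(read_claims(SAMPLE), {"netld-admins": "Operator"}):
        print(line)
```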

Set Session Timeout For Users

NetLD requires users to re-authenticate after 30 minutes of inactivity. To change this time, follow the steps below:

  1. Click [Settings] on the Global Menu.

  2. Click [Network Servers], and change the “User Login Idle Timeout” time.

Settable range: 10 to 525600 (minutes)

  3. Click [OK].

For the settings to take effect, you must log out of NetLD and log in again.

  4. Log out and log back in.

Remove Permissions

  1. Select the authority name you want to delete.

  2. Click .

  3. Click [OK] in the Server Settings window.

Delete User

  1. Select the user you want to delete and click the button.

The user will be deleted.

  2. Click [OK] on the server settings.

If you delete a user by mistake, click [Cancel].