Setting Hideez Server parameters
Hideez Enterprise Server – Setting HES Server parameters
For the server to work correctly, you need to specify some basic settings.
Go to Settings → Parameters.
Domain name setup
The domain name is used in email, in FIDO2 authentication, and in the SAML and OIDC protocols. It is also checked when the product license is validated. Choose it carefully: FIDO2 credentials are bound to the relying-party domain at registration, so changing the domain later normally invalidates security keys that users have already registered.
Administrators can configure the credentials used to send service email messages to users. These messages invite new employees, reset employee passwords, change employee email addresses, deliver activation codes for Hideez Key, and more. To check the credentials currently used for sending email, expand the Mail section:
To set the email credentials, fill in the following fields:
Host – the address of the outgoing (SMTP) mail server HES connects to. For Gmail, for example, the SMTP host is smtp.gmail.com. The actual host depends on your email provider.
Port – the TCP port of the SMTP server. The correct value depends on the provider and on the Enable SSL setting: 465 is normally used for implicit TLS and 587 for STARTTLS submission, while 25 is plain, unauthenticated relay and is usually blocked by providers and ISPs.
Enable SSL – whether to use SSL/TLS (Secure Sockets Layer; in practice the connection is TLS) when connecting to the email server. TLS encrypts everything exchanged between HES and the mail server. Leave it enabled wherever the provider supports it; otherwise the mailbox password below and the contents of every invitation and reset email travel across the network in cleartext.
Email – the mailbox address HES authenticates with and uses as the sender of service messages.
Password – the password of that mailbox, used to authenticate to the mail server. Use a dedicated mailbox for HES rather than a personal account, and an app-specific password where the provider issues them, so the credential can be rotated or revoked without affecting a person's mail.
The configured mail may look like this:
Click the Import License button.
Import the license file that you downloaded from the Hideez Portal, or ask us and we will generate a license for you.
Active Directory on-premises
These parameters must be specified if you will use the HES scenarios that work with AD:
Import and sync users from Active Directory
Import and sync users from Active Directory with domain password changing
Go to Settings → Parameters and click Add Domain Settings.
Domain Name: enter your Active Directory domain. It is required to import users from the groups created in AD.
User Logon Name: the logon name of the AD account HES uses to read users and groups and to reset user passwords. Use a dedicated service account that holds only those rights rather than a Domain Admin account; the required permissions are described on the page linked below.
Skip credentials (sync will be disabled): select this if you do not want to store AD credentials on HES. Synchronization and domain password changes will then not be possible for this domain.
Password: the password of that account.
Auto Password Change (days): the number of days after which HES rotates the domain account password of users in the Hideez Key Auto Password Change group.
Users Sync Group Name: users in this Active Directory group are imported into HES automatically during synchronization, which runs every hour. What happens to a user who is later removed from the group depends on the Keep, Deactivate or Delete option described below.
Hideez Key Auto Password Change: If a user is in both the sync group and the auto password change group, their domain account is imported during synchronization, and a new password is generated. This password is written to the Hideez Key and simultaneously updated in Active Directory. From then on, the user must log in using their Security Key. Scheduled password changes will follow the same process. If the user is removed from the auto password change group, automatic password updates stop.
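The service account described above should be provisioned with least privilege rather than reusing a Domain Admin. The following PowerShell is an added example, not part of the Hideez documentation or product: run on a domain-joined Windows admin host with the ActiveDirectory RSAT module, it creates a dedicated account for HES, delegates only the Reset Password right on the OU that holds the synchronized users, and checks that the sync group and LDAPS are reachable. The domain, OU paths, account name, group name and domain controller hostname are placeholders; the exact permission set HES requires is on the page linked below, so confirm the delegation against it.

```powershell
# Added example: provision a least-privilege AD service account for HES.
# Assumptions (adjust to your forest): domain corp.example, users under
# OU=Staff, service accounts under OU=Service Accounts, sync group HES-Sync,
# domain controller dc01.corp.example. None of these names come from Hideez.
Import-Module ActiveDirectory

$domainDn  = "DC=corp,DC=example"
$svcOu     = "OU=Service Accounts,$domainDn"
$usersOu   = "OU=Staff,$domainDn"
$svcName   = "svc-hes"
$syncGroup = "HES-Sync"
$dc        = "dc01.corp.example"

# 1. Dedicated account: not a Domain Admin, cannot change its own password,
#    AES-only Kerberos. The password is entered interactively so it never
#    lands in shell history or a script file.
$pwd = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -UserPrincipalName "$svcName@corp.example" -Path $svcOu `
    -AccountPassword $pwd -Enabled $true -CannotChangePassword $true `
    -KerberosEncryptionType AES128,AES256 `
    -Description "Hideez Enterprise Server: AD sync and password reset"

# 2. Delegate only what the scenarios need on user objects below $usersOu:
#    the 'Reset Password' extended right (CA = control access right).
#    /I:S applies the ACE to child objects of the given class (user) only.
#    Reading users and groups normally needs no extra grant, because
#    Authenticated Users already have generic read in a default AD forest.
dsacls $usersOu /I:S /G "CORP\${svcName}:CA;Reset Password;user"

# 3. Verify: who is in the sync group today (these users are imported on the
#    next hourly sync), and is a domain controller reachable over LDAPS (636)?
Get-ADGroupMember -Identity $syncGroup |
    Select-Object SamAccountName, DistinguishedName

Test-NetConnection -ComputerName $dc -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Print the effective ACE for the service account so the delegation can be
#    audited, and removed cleanly, later.
dsacls $usersOu | Select-String -Pattern $svcName
```

If a scenario on the linked permissions page needs additional rights (for example writing specific password-related attributes), add them as further dsacls grants on the same OU rather than widening the account's group membership.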
For the permissions the Active Directory account needs on on-premises AD, see:
What happens to a user who is removed from the synchronization group in Active Directory depends on the selected option:
Keep – The user remains on the Hideez server. They can still use SSO login for web services and unlock their PC.
Deactivate – The user is deactivated on the Hideez server but not deleted. In this state they cannot use SSO login for web services but can still unlock their PC. To reactivate the user, the administrator must manually activate them in the system.
Delete – The user is completely removed from the Hideez server and loses both SSO login for web services and the ability to unlock their PC. To add the user back, the administrator must either:
Add them to the synchronization group in Active Directory again and run synchronization, either manually or by waiting for the automatic run (once per hour the Hideez server synchronizes with Active Directory, imports users from the synchronization group and updates their data), or
Add the user manually.
If you do not need to import employees but only need to configure workstations joined to the on-premises Active Directory domain, enable the Disable Domain Synchronization setting.
When this setting is enabled, on-premises synchronization does not run and no employees are imported from Active Directory; the domain settings are then used only for the domain-joined workstations.
To connect Azure AD to HES, first register an application in Azure AD:
In HES, open Settings → Parameters → Add Domain Settings and select the Azure Active Directory radio button.
Log in to the Azure portal.
Go to Azure Active Directory → App registrations.
Click New registration.
In the app overview, copy the Application (client) ID and the Directory (tenant) ID and paste them into the Domain Settings on Hideez Server.
In the Azure portal, go to Certificates & secrets → New client secret, choose an expiry and add the secret.
Copy the secret from the Value column and paste it into the Client Secret field on Hideez Server. The value is shown only once and cannot be retrieved afterwards, and the secret stops working on the expiry date you chose, at which point synchronization stops; record that date and rotate the secret before it.
In the Azure portal, go to API permissions → Add a permission → Microsoft Graph.
Click Application permissions, then scroll down to Directory and select the Directory.Read.All permission.
Click Grant admin consent. Directory.Read.All is a read-only permission: the application can enumerate users and groups but cannot modify directory objects.
Application ID: enter your Azure AD application (client) ID.
Client secret: enter the client secret you created.
Tenant ID: enter your Azure AD directory (tenant) ID.
Auto Password Change (days): the number of days after which HES rotates the domain account password of users in the Hideez Key Auto Password Change group.
After saving, the login parameters are no longer displayed in the settings.
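The same app registration can be done with the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example and not Hideez code: it creates the registration and its service principal, grants the application-level Directory.Read.All role with admin consent, and issues a client secret with an explicit expiry. The display name and the 12-month secret lifetime are assumptions; the values it prints are the ones the Domain Settings form above asks for.

```powershell
# Added example: register the HES application in Azure AD / Entra ID with
# Microsoft Graph PowerShell (Install-Module Microsoft.Graph). The display
# name and the 12-month secret lifetime are assumptions, not Hideez defaults.
$scopes = "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
Connect-MgGraph -Scopes $scopes

# 1. App registration limited to this tenant, plus its service principal.
$app = New-MgApplication -DisplayName "Hideez Enterprise Server" `
                         -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# 2. Look up Microsoft Graph's application role named Directory.Read.All by
#    value instead of hardcoding its GUID. Only roles whose AllowedMemberTypes
#    include "Application" can be assigned to a service principal.
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Graph appId
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq "Directory.Read.All" -and
                   $_.AllowedMemberTypes -contains "Application" }

# Record the requirement on the registration (what the portal lists under
# "API permissions")...
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId  = $graphAppId
       ResourceAccess = @(@{ Id = $role.Id; Type = "Role" }) }
)
# ...and grant it. An app-role assignment on the service principal is the
# programmatic equivalent of "Grant admin consent" for an application permission.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# 3. Client secret with a deliberate, limited lifetime. SecretText is returned
#    exactly once; when the secret expires the HES sync stops, so record the date.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "HES directory sync"
    EndDateTime = (Get-Date).AddMonths(12)
}

# 4. The values the HES Domain Settings form asks for.
[pscustomobject]@{
    "Application (client) ID" = $app.AppId
    "Directory (tenant) ID"   = (Get-MgContext).TenantId
    "Client secret (value)"   = $cred.SecretText
    "Secret expires"          = $cred.EndDateTime
} | Format-List
```

Because the role is looked up by its Value, the script fails loudly (a null AppRoleId) rather than granting the wrong permission if the role name is mistyped, and it never grants more than the single read-only role the page calls for.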
If HES runs on Linux and you need AD integration, join the Linux server to the AD domain.
Be aware: as soon as you remove the AD administrator login and password from the settings, all AD sync scenarios stop working.
Following these instructions, you can add several domains to the server at the same time. Each domain is managed separately.
Domain Settings – the credentials used to connect to Active Directory via LDAPS (TCP 636). The domain controllers must present a certificate that the HES host trusts, otherwise the connection fails.
Users default single sign-on settings – applied to all users synchronized from Active Directory. You can later change the Single Sign-On setting for each user individually in the user's settings.
Workstation passwordless logon settings - Update Workstation Passwordless Logon Settings.
Splunk is a platform for collecting, analyzing, and visualizing machine data in real time. It helps organizations monitor systems, detect threats, and troubleshoot issues by processing logs and other data sources.
If the "Allow Platform Authenticators" feature is enabled, you can choose the type of security key you enrol for the user (cross-platform by default). A platform authenticator is built into the user's device, for example Windows Hello or Touch ID, and its credential stays on that device; a cross-platform (roaming) authenticator such as a Hideez Key or another USB/NFC security key can be carried between devices:
So the list of the user's FIDO keys will look like this:
You can read more about SAML configuration here.
OpenID Connect (OIDC) client parameters can be set in the OIDC section.
In this section, you can customize logos and email for the server.