Security

• 1: Key Management Service
• 1.1: Overview
• 1.2: How-to guides
• 1.2.1: Key Management Service Encryption example using keys
• 1.3: API Reference
• 1.4: CLI Reference
• 1.5: Release Note
• 2: Config Inspection
• 2.1: Overview
• 2.2: How-to guides
• 2.2.1: Dashboard Check
• 2.2.2: Diagnosis Result Management
• 2.2.3: Setting up the Cloud
• 2.3: Release Note
• 3: Certificate Manager
• 3.1: Overview
• 3.2: How-to guides
• 3.2.1: Chain Certificate Extraction
• 3.3: API Reference
• 3.4: CLI Reference
• 3.5: Release Note
• 4: Secret Vault
• 4.1: Overview
• 4.2: How-to guides
• 4.3: API Reference
• 4.4: CLI Reference
• 4.5: Release Note
• 5: SingleID
• 5.1: Overview
• 5.2: How-to guides
• 5.2.1: SingleID Manuals
• 5.2.1.1: User Portal
• 5.2.1.1.1: Notice and Language Settings
• 5.2.1.1.2: Login using authentication method
• 5.2.1.1.3: Register authentication tool
• 5.2.1.1.4: Sign up
• 5.2.1.1.5: Find ID and Reset Password
• 5.2.1.1.6: Privacy Policy, Terms of Service, Service Desk
• 5.2.1.1.7: PC SSO Agent
• 5.2.1.1.8: My App
• 5.2.1.1.9: App Catalog
• 5.2.1.1.10: Notification
• 5.2.1.1.11: Approval Request
• 5.2.1.1.12: Personal Profile
• 5.2.1.2: Admin Portal
• 5.2.1.2.1: Dashboard
• 5.2.1.2.2: Integration
• 5.2.1.2.3: Identity Store
• 5.2.1.2.4: Policy
• 5.2.1.2.5: Terms and Conditions
• 5.2.1.2.6: Open Source licence
• 5.2.1.3: MFA Portal
• 5.2.1.3.1: Login using authentication method
• 5.2.1.3.2: Register authentication tool
• 5.2.1.3.3: Set Up Personal Information
• 5.2.1.4: CAM Portal
• 5.2.1.4.1: Getting Started
• 5.2.1.4.2: Home
• 5.2.1.4.3: Console Access
• 5.2.1.4.4: Resource Access
• 5.2.1.4.5: Monitoring
• 5.2.1.4.6: Configuration
• 5.2.1.4.7: FAQ
• 5.2.1.5: SingleID Authenticatior
• 5.2.1.5.1: Installing the App
• 5.2.1.5.2: Authenticating Users
• 5.2.1.5.3: Manage Authentication Methods
• 5.2.1.5.4: Managing Service List
• 5.2.1.5.5: Open Source Licence(Android)
• 5.2.1.5.6: Open Source Licence(ISO)
• 5.2.1.6: Open API Guides
• 5.2.1.6.1: ADFS Adapter Guide
• 5.2.1.6.2: Adapter Setup Guide
• 5.3: Release Note
• 6: WAF
• 6.1: Overview
• 6.2: How-to guides
• 6.2.1: WAF Construction Process Guide
• 6.3: Release Note
• 7: DDoS Protection
• 7.1: Overview
• 7.2: How-to guides
• 7.3: Release Note
• 8: IPS
• 8.1: Overview
• 8.2: How-to guides
• 8.3: Release Note
• 9: Secured Firewall
• 9.1: Overview
• 9.2: How-to guides
• 9.3: Release Note
• 10: Secured VPN
• 10.1: Overview
• 10.2: How-to guides
• 10.2.1: Secured VPN Construction Process Guide
• 10.3: Release Note
• 11: FPMS
• 11.1: Overview
• 11.2: How-to guides
• 11.3: Release Note
• 12: Secrets Manager
• 12.1: Overview
• 12.2: How-to guides
• 12.3: Release Note
• 13: Log Transmission
• 13.1: Overview
• 13.2: How-to guides
• 13.3: Release Note

1 - Key Management Service

1.1 - Overview

Service Overview

Key Management Service(KMS) is a service that creates and safely stores/manages encryption keys in a convenient way to securely protect important data of applications. The user uses the encryption key to encrypt/decrypt data, and the encryption key is managed stably with a hierarchically encrypted centralized encryption key method.

Provided Function

Key Management Service provides the following functions.

• Key Management: KMS can create/delete and manage keys. Users can create data keys for encrypting data using the master key created through KMS.
• Key Authority Management: You can control and manage access rights to the master key based on a user-defined policy.
• Key Life Cycle Management: through key rotation, it is possible to generate new encryption data for the corresponding master key without having to create a new key, and the key rotation cycle can be set according to customer policy. Key life cycle management safely protects data from cryptographic threats by deactivating or deleting encryption keys that are no longer in use.

Components

Master Key

The master key is used to generate a data key used for encrypting data, and depending on the purpose, it can generate symmetric keys (encryption/decryption (AES), generation/verification (HMAC)) and asymmetric keys (encryption/decryption and signing/verification (RSA), signing/verification (ECDSA)) respectively. With proper master key management, data keys can be encrypted to protect frequently used data keys during operation.

• The master key is a key created through the creation of KMS product services in the Samsung Cloud Platform Console.

Data Key

The data key is used to encrypt actual data, and is created for each target service that performs encryption, thereby ensuring that even if one data key is leaked, it will not affect services encrypted with other data keys.

HSM (Hardware Security Module)

The root key of the KMS system area is stored, the master key is created through the root key stored in the HSM (Hardware Security Module) that complies with the FIPS 140-2 Lv3 standard, and it is safely distributed and protected in the KMS.

Limitations

Samsung Cloud Platform’s Key Management Service limits the number of Key creations as follows.

Preceding service

Key Management Service has no preceding service.

1.2 - How-to guides

The user can enter the essential information of the Key Management Service service and create the service by selecting detailed options through the Samsung Cloud Platform Console.

Key Management Service creation

You can create and use the Key Management Service on the Samsung Cloud Platform Console.

To create a Key Management Service, follow the following procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service creation button. It moves to the Key Management Service creation page.
3. Key Management Service creation page, enter the information required for service creation and add additional information.

• Service Information Input area, please enter or select the required information.

  Classification	Mandatory	Detailed Description
  Key Name	Required	Enter Key Name
  Public Certification Algorithm	Option	Select whether to use the public certification algorithm The public certification algorithm option is only available in SCP Sovereign The public certification algorithm provides the Aria algorithm that has completed security verification by the National Intelligence Service
  Purpose	Required	Select the purpose and encryption method of the key
  Automatic Rotation	Option	Select whether to use automatic rotation of the key Use is selected, the internal algorithm of the generated key is converted to a different value and applied for each set rotation cycle
  Auto Rotation > Rotation Period	Required	Enter the rotation period of the key The rotation period can enter a value between 1~730 days. If the rotation period is not entered, it is automatically set to 90 days
  Description	Options	Enter additional information for the key

  Table. Key Management Service service information input items
• Additional Information Input area, please enter or select the required information.

  Classification	Mandatory	Detailed Description
  Tag	Selection	Add Tag Up to 50 can be added per resource Click the Add Tag button and enter or select Key, Value

  Table. Key Management Service Additional Information Input Items

4. Summary panel, review the detailed information generated and the estimated billing amount, and click the Complete button.

• Once creation is complete, check the created resource on the Key Management Service list page.

Key Management Service detailed information check

Key Management Service can check and modify the entire resource list and detailed information. The Key Management Service details page consists of details, tags, and operation history tabs.

Key Management Service detailed information to confirm, please follow the next procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click the resource to check the detailed information. It moves to the Key Management Service details page.

• Key Management Service details page top displays the status information and additional features description.

  Classification	Detailed Description
  Status	Indicates the status of Key Management Service Active: Available/Activated Stop: Stopped/Deactivated To be Terminated: Scheduled for Deletion Creating: Being Created/Creation Error (Only immediate deletion is possible for retrying creation)
  Key Rotation	A button that can manually rotate the generated key
  Key Deactivation	a button that can deactivate the generated key
  Service Cancellation	Button to cancel the service

  Table. Key Management Service Status Information and Additional Features

Detailed Information

Key Management Service list page where you can check the detailed information of the selected resource and modify the information if necessary.

Tag

Key Management Service list page where you can check the tag information of the selected resource, and add, change or delete it.

Work History

Key Management Service list page where you can check the operation history of the selected resource.

Key Management Service management

You can create a new version of the registered key or change its usage status.

KMS Key Rotation Settings

Key rotation is a function that converts the internal algorithm of the generated key into another value.

To create a new version of the created Key Management Service (key rotation), follow these steps.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click on the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the key rotation button. It moves to the key rotation popup window.
5. Key Rotation popup window, check the message and click the Confirm button.

KMS Key Activation Settings

You can set whether to use the selected key.

To set whether to enable or disable the created Key Management Service, follow the next procedure.

1. All services > Security > Key Management Service menu is clicked. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click on the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the key activation/key deactivation button. Move to the key activation/key deactivation popup window.
5. Key Activation/Key Deactivation popup window, check the message and click the Confirm button.

Key Management Service utilizing keys for encryption cases

The procedure example for storing important data of the user Application by issuing a data key from KMS and encrypting it is as follows.

1. Application startup, when KMS master key information is used to issue a data key, and then the data key in plain text form is used on the client-side to perform secure data encryption and storage.
2. The data key is stored in the database in the form encrypted with the master key.
3. When performing security data decryption, it requests decryption with KMS master key information by querying the data key stored in the database.

Key Management Service uses the key for encryption/decryption procedures, which are explained in the following concept diagram.

Encryption

Decryption

Key Management Service Cancellation

You can cancel the Key Management Service that is not being used.

To cancel the Key Management Service, follow the following procedure.

1. All services > Security > Key Management Service menu, click. It moves to the Service Home page of Key Management Service.
2. Service Home page, click the Key Management Service menu. It moves to the Key Management Service list page.
3. Key Management Service list page, click the resource to check the detailed information. It moves to the Key Management Service details page.
4. Key Management Service details page, click the service cancellation button. It moves to the service cancellation pop-up window.
5. Service Cancellation popup window, select Immediate Cancellation/Reserved Cancellation and confirm the contents, then click the Confirm button.
6. Once the cancellation is complete, check if the resource has been cancelled on the Key Management Service list page.

• Key deletion notification will be sent to both the user who created the key and the user who deleted it when the key deletion is completed.

1.2.1 - Key Management Service Encryption example using keys

Key Management Service Encryption Example Using Keys

This is a Java code example for implementing envelope encryption (Envelope Encryption) and data signing/verification using a key generated by KMS.

Envelope Encryption

It presents an envelope encryption scenario, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Obtain a Data Key to encrypt password information using envelope encryption.
2. Use the issued Data Key information to encrypt the password.
3. Encrypt the password and encrypted Data Key information using envelope encryption and save it as a JSON file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
// END POINT
static String KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s";
static String KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s";
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
createEnvelop() {
    // Request creation of a new data key
    String encryptedDataKey = getDataKey();
    // Data to be encrypted
    String example_json_data = "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}";
    // Encrypted data envelope(Envelop encryption)
    String envelope = encryptData(example_json_data, encryptedDataKey);
    // In this example code, the encrypted data envelope is saved to a file
    File envelopeFile = new File("envelope.json");
}
  
getDataKey() {
    String endPoint = String.format(KMS_API_CREATE_DATAKEY, KEY_ID);
    String url = KMS_API_BASE_URI + endPoint;
    JSONObject data = new JSONObject();
    data.put("key_type", "plaintext");
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    return respJsonObject.get("ciphertext").toString();
}
  
encryptData() {
    Map<String, String> envelope = new HashMap<>();
    // Data key decryption
    String dataKey = decryptDataKey(encryptedDataKey);
    // Encrypt the generated data key using AES-CBC method
    // Cipher Class usage (User can use the encryption algorithm they are already using)
    SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), "AES");
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    byte[] iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV();
    byte[] cipherText = cipher.doFinal(obj.toString().getBytes());
  
    envelope.put("encryptedKey", encryptedDataKey);
    envelope.put("cipherText", encodeBase64(cipherText));
    envelope.put("iv", encodeBase64(iv));
  
    return JSONValue.toJSONString(envelope);
}
  
decryptDataKey() {
    String endPoint = String.format(KMS_API_DECRYPT, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("cipherText", sealedKey);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String plaintext = (respJsonObject.get("plaintext")).toString();
    return plaintext;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
const KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
createEnvelop() {
        // Request new data key creation
        encryptedDataKey := getDataKey()

        // data to be encrypted
        example_json_data := "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}"
        // encrypted data envelope(Envelop encryption)
        envelope := encryptData(example_json_data, encryptedDataKey)
        // In this example code, the encrypted data envelope is saved to a file
        file, _ := os.Create("envelope.json")
        defer file.Close()

        file.WriteString(envelope)
"}
  
getDataKey() {
        endPoint := fmt.Sprintf(KMS_API_CREATE_DATAKEY, KEY_ID)
        data := map[string]interface{}{
            "key_type": "plaintext",
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDatakeyInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DataKey
"}
  
encryptData() {
        envelope := make(map[string]string)
        // Data key decryption
        dataKey := decryptDataKey(encryptedDataKey)
        secretKey, _ := base64.StdEncoding.DecodeString(dataKey)
        // Encrypt the generated data key using AES-CBC method
        // Cipher Class use
        block, _ := aes.NewCipher(secretKey)
        cipherText := make([]byte, aes.BlockSize+len(example_json_data))
        iv := cipherText[:aes.BlockSize]
        if _, err := io.ReadFull(rand.Reader, iv); err != nil {
               panic(err)
        }
  
        mode := cipher.NewCFBEncrypter(block, iv)
        mode.XORKeyStream(cipherText[aes.BlockSize:], []byte(example_json_data))
  

        envelope["encryptedKey"] = encryptedDataKey
        envelope["cipherText"] = base64.StdEncoding.EncodeToString(cipherText)
        envelope["iv"] = base64.StdEncoding.EncodeToString(iv)
  
        jsonString, _ := json.Marshal(envelope)
  
        return string(jsonString)
}
  

decryptDataKey() {
        endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
        data := map[string]interface{}{
               "cipherText": sealedKey,
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDecryptInfo{}
        json.Unmarshal([]byte(respJsonObject), info)
  
        return info.DecryptedData
  
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
create_envelop()
    # Request new data key creation
    encrypted_data_key = get_dataKey()

  

    # Data to be encrypted
    example_json_data = {"PASSWORDTEST":"SECRET_CREDENTIALTEST"}
    json_data_str = json.dumps(example_json_data)
     
    # Encrypted Data Envelope(Envelop encryption)
    envelope = encrypt_data(json_data_str,encrypted_data_key)
  
    # In this example code, the encrypted data envelope is saved to a file
    with open("envelope.json", "w") as file:
        file.write(envelope)
  
    
get_dataKey()
    end_point = f"{KMS_API_CREATE_DATAKEY}{KEY_ID}"
    data = {
        "key_type": "plaintext"
    }
    response_object = call_api(end_point, data)
  
    data_key = response_object.get("ciphertext", "")
  
    return data_key
  
  
encrypt_data()
    envelope = {}
    # Data key decryption
    dataKey = decrypt_data_key(encrypted_data_key)
    decoded_data_key = base64.b64decode(dataKey)
  
    # Encrypt the generated data key using AES-CBC
    # Cipher Class use
    iv = get_random_bytes(16)
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv)
    data_to_encrypt = obj
    data_bytes = data_to_encrypt.encode()

    padded_data = pad(data_bytes, AES.block_size)
    cipher_text = cipher.encrypt(padded_data).hex()

  
    envelope["encryptedKey"] = encrypted_data_key
    envelope["cipherText"] = cipher_text
    envelope["iv"] = base64.b64encode(iv).decode()
    
    return json.dumps(envelope)
  
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {
        "cipherText":"d3S81rzaGAl8U12LlKSlRbDekPlGuibTntXX962KCjBIKuXdPOG8N8vk3Jet8lyG",
        "iv":"0kP7QKZ6BUeQPlThk4tySA==",
        "encryptedKey":"vault:v1:KJjjLtGHTbaV5N8LWC5O9eMDCaJVeff5SM\/MAYseugjiqiXFVgdXaKXg6kym0NmjHkO\/wLPsa+YK0aVk"
    }

## Use envelope encryption

Present a use case for envelope encryption and you can check the example code in Java, Go, Python written according to the scenario and the resulting values.

### Scenario

1. Decrypt the Data Key of the encrypted envelope file.
2. Decrypt the encrypted data of the envelope file using the decrypted Data Key.

### Java Example Code
This is a Java example code written according to the presented scenario.

// URI static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}; // END POINT static String KMS_API_DECRYPT = “/v1/kms/openapi/decrypt/%s”; // KEY ID static String KEY_ID = {{Master Key ID}};;

getData() { // Encrypted data envelope(Envelop encryption) String envelope = new String(Files.readAllBytes(Paths.get(“envelope.json”))); JSONParser parser = new JSONParser(); JSONObject envelopeJson = (JSONObject) parser.parse(envelope); String encryptedDataKey = envelopeJson.get(“encryptedKey”).toString(); String cipherText = envelopeJson.get(“cipherText”).toString(); String iv = envelopeJson.get(“iv”).toString();

return decryptData(cipherText, encryptedDataKey, iv);

}

decryptData() { String dataKey = decryptDataKey(encryptedDataKey); IvParameterSpec ivParameterSpec = new IvParameterSpec(decodeBase64(iv)); SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), “AES”); Cipher cipher = Cipher.getInstance(“AES/CBC/PKCS5Padding”); cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec); byte[] plaintext = cipher.doFinal(decodeBase64(cipherText));

return new String(plaintext);

}

decryptDataKey() { String endPoint = String.format(KMS_API_DECRYPT, KEY_ID); JSONObject data = new JSONObject(); data.put(“cipherText”, sealedKey); JSONObject respJsonObject = callApi(endPoint, data.toJSONString()); String plaintext = (respJsonObject.get(“plaintext”)).toString(); return plaintext; }

### Go example code
This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  
// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  
getData() {
    // Load encrypted data envelope(Envelop encryption)
    jsonData, _ := os.ReadFile("envelope.json")
    var envelope map[string]interface{}
    if err := json.Unmarshal(jsonData, &envelope); err != nil {
           fmt.Println("JSON parsing error:", err)
           os.Exit(1)
    }
    encryptedDataKey := envelope["encryptedKey"].(string)
    cipherText := envelope["cipherText"].(string)
    iv := envelope["iv"].(string)
  
    return decryptData(cipherText, encryptedDataKey, iv)
}
  
decryptData() {
    dataKey := decryptDataKey(encryptedDataKey)
    ciphertext, _ := base64.StdEncoding.DecodeString(cipherText)
    dataKeyBytes, _ := base64.StdEncoding.DecodeString(dataKey)
    decodedData := ciphertext[aes.BlockSize:]
    ivparam := ciphertext[:aes.BlockSize]
    block, _ := aes.NewCipher(dataKeyBytes)
  
    mode := cipher.NewCFBDecrypter(block, ivparam)
    mode.XORKeyStream(decodedData, decodedData)
    decryptedData := string(decodedData)
  
    return decryptedData
"}
  
decryptDataKey() {
    endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
    data := map[string]interface{}{
           "cipherText": sealedKey,
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSDecryptInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    return info.DecryptedData
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }}
  

# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
  
# KEY ID
KEY_ID = {{Master Key ID}}
    
get_data()
    # Open Encrypted Data Envelope(Envelop encryption)
    with open("envelope.json", "r") as file:
        envelope = file.read()

    envelope_json = json.loads(envelope)
    encrypted_data_key = envelope_json["encryptedKey"]
    cipher_text = envelope_json["cipherText"]
    iv = envelope_json["iv"]
    return decrypt_data(cipher_text, encrypted_data_key, iv)
  
decrypt_data()
    data_key = decrypt_data_key(encrypted_data_key)
    iv_bytes = base64.b64decode(iv)
    decoded_data_key = base64.b64decode(data_key)
    cipher_txt = bytes.fromhex(cipher_text)
  
    cipher = AES.new(decoded_data_key, AES.MODE_CBC, iv_bytes)
    plain_text_bytes = unpad(cipher.decrypt(cipher_txt), AES.block_size)
    plain_text = plain_text_bytes.decode('utf-8')
    return plain_text
    
decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code output

Displays the result value of the example code.

  {"PASSWORD":"SECRET_CREDENTIAL"}

Use Data Signature

It presents a data signature usage scenario to ensure data integrity, and you can check the Java, Go, Python example code and results written according to the scenario.

Scenario

1. Call OpenAPI with the data to be signed and sign it.
2. The signed data is enveloped and saved as a json file.

Java Example Code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Refer to the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_SIGN = "/v1/kms/openapi/sign/%s";
  
// KEY ID
static String KEY_ID = {{master key ID}};
  
signEnvelop() {
    // signature data envelope(Envelop encryption)
    String envelope = sign();
    // In this example code, the signature data envelope is saved to a file
    File envelopeFile = new File("signEnvelope.json");
    OutputStream os = new BufferedOutputStream(new FileOutputStream(envelopeFile));
  
    try {
        os.write(envelope.getBytes());
    } finally {
        os.close();
    }
}
  
sign() {
    Map<String, String> envelope = new HashMap<>();
  
    String example_credential = "SCP KMS Sign Test!!!";
    String endPoint = String.format(KMS_API_SIGN, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", encodeToBase64(example_credential));
  
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
  
    envelope.put("signature", respJsonObject.get("signature").toString());
    if(respJsonObject.get("batch_results") != null) {
  
        envelope.put("batch_results", respJsonObject.get("batch_results").toString());
    }
  
    return JSONValue.toJSONString(envelope);
"}

Go example code

This is a Go example code written according to the given scenario.

// URI
const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}
  

// END POINT
const KMS_API_SIGN = "/v1/kms/openapi/sign/%s"
  
// KEY ID
const KEY_ID = {{Master Key ID}}
  

signEnvelop() {
    // signature data envelope(Envelop encryption)
    envelope := sign()
    // In this example code, the signature data envelope is saved to a file
    file, _ := os.Create("signEnvelope.json")
    defer file.Close()
    file.WriteString(envelope)
"}
  
sign() {
    envelope := make(map[string]string)
    example_credential := "SCP KMS Sign Test!!!"
    endPoint := fmt.Sprintf(KMS_API_SIGN, KEY_ID)
    data := map[string]interface{}{
        "input": base64.StdEncoding.EncodeToString([]byte(example_credential)),
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSSignInfo{}
    json.Unmarshal([]byte(respJsonObject), info)
  
    envelope["signature"] = info.Signature
  
    jsonString, _ := json.Marshal(envelope)
  
    return string(jsonString)
}

Python Example Code

This is a Python example code written according to the given scenario.

# URI
KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}
  
# END POINT
KMS_API_SIGN = "/v1/kms/openapi/sign/"
  

# KEY ID
KEY_ID = {{Master Key ID}}
    
sign_envelop()
    # Signature Data Envelope(Envelop encryption)
    envelope = sign()
  
    # This example code saves the signature data envelope to a file
    with open("signEnvelope.json", "w") as file:
        file.write(envelope)
  
    
sign()
    envelope = {}
  
    example_credential = "SCP KMS Sign Test!!!"
    end_point = f"{KMS_API_SIGN}{KEY_ID}"
    credential_bytes = example_credential.encode('utf-8')
  

    data = {
        "input": base64.b64encode(credential_bytes).decode('utf-8')
    }
  
    resp_json_object = call_api(end_point,data)
  
    envelope["signature"] = resp_json_object.get("signature")
  
    return json.dumps(envelope)

Example code output

Displays the result value of the example code.

  {
    "signature":"vault:v1:qHGf4ALkTao1Yy\/lpSbLQ2l8YVpsHWBP6ic3Ux1BKSodQQxnEIrjPyUwXXQ1NZfGSVxdeVe5Y6kb0nUPNADQpzkOh9\/e8T\/QCOs9==",
    "projectId":"PROJECT-qWrHRJX5sZnTkopcr9N1dk"
}

Data Validation Use

It presents a verification usage scenario for validating data integrity, and you can view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Retrieve the signature value of the signed envelope file.
2. Verify the signed data and output the result.

Java example code

This is a Java example code written according to the presented scenario.

// URI
static String KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }};
  
// END POINT
static String KMS_API_VERIFY = "/v1/kms/openapi/verify/%s";
  
// KEY ID
static String KEY_ID = {{Master Key ID}};
  
getSign() {
    // signature data envelope(Envelop encryption)
    String envelope = new String(Files.readAllBytes(Paths.get("signEnvelope.json")));
    JSONParser parser = new JSONParser();
    JSONObject envelopeJson = (JSONObject) parser.parse(envelope);
    String signature = envelopeJson.get("signature").toString();
  
    return verify(signature);
}
  
verify() {
    String endPoint = String.format(KMS_API_VERIFY, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", "U0NQIEtNUyBTaWduIFRlc3QhISE=");
    data.put("signature", signature);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String valid = (respJsonObject.get("valid")).toString();
    return valid;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI const KMS_API_BASE_URI = {{ Reference the OpenAPI guide URL }}

// END POINT const KMS_API_VERIFY = “/v1/kms/openapi/verify/%s”

// KEY ID const KEY_ID = {{Master Key ID}}

getSign() { // Load signature data envelope (Envelop encryption) jsonData, _ := os.ReadFile(“signEnvelope.json”) var envelope map[string]interface{} if err := json.Unmarshal(jsonData, &envelope); err != nil { fmt.Println(“JSON parsing error:”, err) os.Exit(1) } signature := envelope[“signature”].(string)

return verify(signature)

}

verify() { endPoint := fmt.Sprintf(KMS_API_VERIFY, KEY_ID) data := map[string]interface{}{ “input”: “U0NQIEtNUyBTaWduIFRlc3QhISE=”, “signature”: signature, } jsonData, _ := json.Marshal(data) respJsonObject := callApi(endPoint, jsonData) info := &KMSVerifyInfo{} json.Unmarshal([]byte(respJsonObject), info)

return info.Valid

}

### Python example code
This is a Python example code written according to the presented scenario.

URI

KMS_API_BASE_URI = {{ Refer to the URL of the OpenAPI guide }}

END POINT

KMS_API_VERIFY = “/v1/kms/openapi/verify/”

KEY ID

KEY_ID = {{Master Key ID}}

get_sign() # Signature data envelope(Envelop encryption) Open with open(“signEnvelope.json”, “r”) as file: envelope = file.read()

envelope_json = json.loads(envelope)
signature = envelope_json["signature"]

return verify(signature)

verify() end_point = f"{KMS_API_VERIFY}{KEY_ID}"

data = {
    "input": "U0NQIEtNUyBTaWduIFRlc3QhISE=",
    "signature": signature
}

resp_json_object = call_api(end_point,data)
valid = resp_json_object.get("valid")

return valid

### Example code output
Displays the result value of the example code.

{ “valid”: true “}

1.3 - API Reference

1.4 - CLI Reference

1.5 - Release Note

Key Management Service

2 - Config Inspection

2.1 - Overview

Service Overview

Config Inspection is a service that diagnoses the security level of console settings for each service of Samsung Cloud Platform. It provides a security checklist organized by areas such as IAM, Networking, Database, Logging, and checks the current status via API calls to see whether the recommended security settings for each diagnostic item are applied.

Users can create a diagnostic target through service creation and then request a diagnosis, and the diagnosis request results can be checked via the Report. The Report provides the diagnosis request history and item-specific diagnosis results, and for diagnostic items that require the user’s final confirmation or action, detailed results including the resource information corresponding to each item and a remedial guide can be viewed.

Provided Features

Config Inspection provides the following features.

• Console Diagnosis: You can diagnose the security level by calling the Console API using the authentication key method.
• Diagnosis Target Management: Through service creation, you can create and manage the user’s Samsung Cloud Platform account as a diagnosis target.
• Diagnosis Request: In the resource detail screen, you can request a diagnosis by clicking the Diagnosis Request button.
• Diagnostic Result Management: In Report, you can view the list of diagnosis requests and detailed diagnosis results, and download them as an Excel file.

Components

Checklist

The checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the checklist currently provided by Config Inspection is as follows.

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Report

In the Config Inspection Report, you can view the diagnostic results in the order of result list, result details, and item details.

Preliminary Service

Config Inspection has no preceding service.

2.2 - How-to guides

The user can input the necessary information for the Config Inspection service and create the service by selecting detailed options through the Samsung Cloud Platform Console.

Create a certificate

To create and use the Config Inspection service in the Samsung Cloud Platform Console, authentication key creation is required in advance.

API key creation is available at My menu > My Info. > API key management > API key creation. For more information, please refer to API key management.

Config Inspection creation

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

To create a Config Inspection, follow these steps.

1. Click All Services > Security > Config Inspection menu. It moves to the Service Home page of Config Inspection.

2. On the Service Home page, click the Config Inspection creation button. It moves to the Config Inspection creation page.

3. Config Inspection Creation page where you enter the necessary inputs for service creation and select detailed options.

   • Enter Service Information area, enter or select the required information.

   Classification	Necessity	Detailed Description
   Diagnosis Type	Required	Console
   Cloud	Required	Select cloud to diagnose SCP: Samsung Cloud Platform AWS: Amazon Web Service Azure: Microsoft Azure Detailed input items may vary depending on the selected cloud type
   Diagnosis target > Diagnosis name	Required	Name to distinguish diagnosis target Use the entered value as the resource name Use English, numbers, and special characters (-, _) within 25 characters
   Diagnosis target > Diagnosis account	Required	Diagnosis target is Console information Select the Account ID to be diagnosed from the list If you select the same Account ID, it will be duplicated and an additional fee will be incurred If you select AWS, enter the Account ID in the diagnosis account (12-digit number) If you select Azure, enter the Subscription ID in the diagnosis account (36 characters including letters, numbers, and special characters)
   Diagnosis Schedule > Check List	Mandatory	Automatically set when Using Diagnosis Schedule is selected
   Diagnosis Schedule > Diagnosis Cycle	Required	Diagnosis Cycle Selection Diagnosis is executed on the selected date according to the specified cycle Monthly is selected, diagnosis may not be performed on the selected date Example) Monthly 31st selected - February does not have that date, so diagnosis is not performed
   Diagnosis Schedule > Start Time	Mandatory	Diagnosis start time selection Set the hour and minute information to start the diagnosis
   Authentication Key	Mandatory	Select the authentication key to use for Open API calls Select button to select the corresponding authentication key from the authentication key list in the Authentication Key Selection popup window If there are no selectable authentication keys, create a new authentication key through the Authentication Key Management button For more information about authentication keys, see Managing Authentication Keys
   Rate Plan	Selection	Select the rate plan to use General: Charges are based on the number of diagnoses Monthly Fee: Charges are based on a fixed monthly amount regardless of the number of diagnoses (up to 30 diagnoses per month) The rate plan cannot be changed after applying for the service

   Table. Config Inspection service information input items
   • Enter Additional Information Please enter or select the required information in the area.

   Classification	Necessity	Detailed Description
   Tag	Select	Add Tag Up to 50 can be added per resource Click the Add Tag button and enter or select Key, Value

   Table. Additional Information Input Items for Config Inspection

4. In the Summary panel, check the detailed information and estimated billing amount generated, and click the Create button.

   • Once creation is complete, check the created resource on the Config Inspection list page.

Config Inspection detailed information check

Config Inspection service can check and modify the entire resource list and detailed information. The Config Inspection details page consists of detailed information, tags, and work history tabs.

To check the detailed information of the Config Inspection service, follow the next procedure.

1. Click on the menu of all services > Security > Config Inspection. It moves to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. It moves to the Config Inspection list page.
3. Config Inspection list page, click on the resource to check the detailed information. Move to the Config Inspection details page.
   • Config Inspection Details page displays status information and additional feature information, and consists of Details, Tags, Work History tabs.

     Classification	Detailed Description
     Status	Config Inspection status is displayed Ready: after service creation, when there is no diagnosis request (diagnosis request possible) In Progress: when a diagnosis request is being executed (diagnosis request/service cancellation not possible) Error: when an error occurs in the diagnosis request (diagnosis request possible) Completed: when the diagnosis request is completed normally (diagnosis request possible)
     Diagnostic Request	Button that can perform Console diagnosis
     Service Cancellation	Button to cancel the service

     Fig. Config Inspection status information and additional features

Detailed Information

On the Config Inspection List page, you can check the detailed information of the selected resource and modify the information if necessary.

Tag

On the Config Inspection 목록 page, you can check the tag information of the selected resource, and add, change, or delete it.

Work History

Config Inspection 목록 page where you can check the operation history of the selected resource.

Config Inspection Resource Management

Config Inspection resource status inquiry and diagnosis request are required in case of Config Inspection list or Config Inspection detail page where work can be performed.

Modifying the authentication key

You can select the authentication key to use for diagnosis by diagnosis target.

To modify the service authentication key, follow these steps.

1. Click on the menu for all services > Security > Config Inspection. It moves to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. It moves to the Config Inspection list page.
3. Config Inspection list page, click the resource to modify the authentication key. Move to the Config Inspection details page.
4. Check the authentication key and click the edit icon. The edit authentication key popup window appears.
5. Modify Authentication Key popup window, select the registered authentication key and click the OK button.

   Classification	Detailed Description
   Access Key	Access Key information of the authentication key
   Creation Date	Access Key Creation Date
   Expiration Date	Access Key Expiration Date
   Status	Authentication key status In use: available status Expired: expiration of usage period status

   Fig. Edit Authentication Key Popup Window Items

Request Diagnosis

You can request a diagnosis from the Console based on the set checklist.

To request a console diagnosis, follow these steps.

1. Click on the menu for all services > Security > Config Inspection. It moves to the Service Home page of Config Inspection.

2. On the Service Home page, click the Config Inspection menu. It moves to the Config Inspection list page.

3. Config Inspection list page, click the resource to request diagnosis. Move to the Config Inspection details page.

4. Config Inspection details page, click the Diagnosis Request button. Diagnosis Request popup window appears.

5. Diagnosis Request In the diagnosis request popup window, enter the necessary information for diagnosis and click the Confirm button.

   • Diagnostic Request The items in the popup window vary depending on the Console you select.

     Classification	Detailed Description
     Console access method	The method of accessing the Console, with the authentication key method fixed
     Check List	Fixed as Best Practice when SCP is selected
     Authentication Key	Select the authentication key created in advance if SCP is selected
     Access Key	If you selected AWS, enter the Access Key
     Secret Key	If you choose AWS, enter the Secret Key
     Client ID	Enter Client ID if Azure is selected
     Client Secret	If Azure is selected, enter Client Secret
     Tenant ID	If Azure is selected, enter the Tenant ID

     Fig. Diagnostic Request Popup Window Items

6. Check the Status value on the Config Inspection List page.

   • When the diagnosis request is completed, the status value is displayed as Completed or Error.
   • Completed case, you can check the diagnosis result in the diagnosis result menu. For more information, please refer to Report management.

Config Inspection disable

You can cancel the unused Config Inspection service. However, if you cancel Config Inspection, all saved diagnostic data will be deleted.

To disable Config Inspection, follow the next procedure.

1. Click All Services > Security > Config Inspection menu. It moves to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. It moves to the Config Inspection list page.
3. Config Inspection list page, click the resource to be canceled. Move to the Config Inspection details page.
4. Config Inspection details page, click the service cancellation button.
5. Once the cancellation is complete, please check if the resource has been cancelled on the Config Inspection list page.

2.2.1 - Dashboard Check

Users can check the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.

Check Dashboard

On the dashboard page, you can check the diagnosis status and history of Config Inspection, etc.

To check the dashboard, follow the next procedure.

1. 모든 서비스 > Security > Config Inspection menu is clicked. It moves to the Service Home page of Config Inspection.
2. On the Service Home page, click the Dashboard menu. It moves to the Dashboard page.
3. Dashboard page where you can check the summary information of the diagnosis result.
   • Dashboard page, you can check the dashboard information based on the period or diagnosis name at the top.

• Period: You can check the summary information of the diagnosis results by setting a period within 6 months based on this month.

• Diagnosis Name: If you select all, you can summarize the entire diagnosis result, and if you select a diagnosis account, you can check the detailed history of the diagnosis result.

  • Download button allows you to download the information displayed on the dashboard page as a PDF file.

  Division	Detailed Description
  Security Level (Total)	The average value of the latest diagnosis results of all diagnosis targets is displayed The latest diagnosis results are listed Diagnosis score calculation formula = Total - (Fail + Error + Check)) / Total x 100
  Diagnostic Status by Period	Displays diagnostic status by target during the search period Diagnosis Completed: Displays recent diagnosis completion records Diagnosis Error: Displays recent diagnosis error records, and moves to the detailed diagnosis result page when selecting a diagnosis name
  Summary of diagnostic results by period (all)	Displays summary information of diagnostic results (all) during the search period Selecting a diagnosis name from the list moves to the diagnostic result details page

  Table. Detailed description of dashboard items for overall diagnosis results

  Classification	Detailed Description
  Security Level	The last diagnosis result score of the selected diagnosis account is displayed The latest diagnosis result is displayed in the list
  Periodic diagnosis result summary	Display a summary of the diagnosis results of the last diagnosis account during the search period
  Vulnerability Status by Period	Displays the vulnerability diagnosis results of the diagnosis account during the search period in a graph Displays detailed information of vulnerable items in the diagnosis results when selecting a graph
  Fig. Detailed description of dashboard items for diagnostic results by diagnostic account

2.2.2 - Diagnosis Result Management

You can check the Config Inspection diagnosis request results on the diagnosis result page and change the diagnosis results.

Checking Diagnosis Results

On the diagnosis result page, you can check the results of the diagnosis request.

Checking the Diagnosis Result List

To check the diagnosis result list, follow these steps:

1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.
2. On the Service Home page, click Diagnosis Result. You will be taken to the Diagnosis Result List page.
3. On the Diagnosis Result List page, check the summary information of the diagnosis results.

   Category	Detailed Description
   Diagnosis Name	Resource Name
   Diagnosis Account	Console information that is the target of diagnosis
   Checklist	A collection of diagnosis items that serve as the basis for the diagnosis result
   PASS	The number of items in the checklist with a diagnosis result of PASS (normal)
   FAIL	The number of items in the checklist with a diagnosis result of FAIL (vulnerable)
   CHECK	The number of items in the checklist with a diagnosis result of CHECK (requires verification)
   ERROR	The number of items in the checklist with a diagnosis result of ERROR (diagnosis not possible)
   N/A	The number of items in the checklist with a diagnosis result of N/A (not applicable)
   Total	The total number of items in the checklist
   Diagnosis Result	The result of the diagnosis request Completed: The diagnosis request was completed normally Error: The diagnosis request was not completed normally, and the error status items cannot be checked in detail
   Diagnosis Time	The time the diagnosis request was made

   Table. Diagnosis Result List Items

Checking Detailed Diagnosis Result Information

To check the detailed information of the diagnosis result, follow these steps:

1. Click All Services > Security > Config Inspection. You will be taken to the Service Home page of Config Inspection.

2. On the Service Home page, click Diagnosis Result. You will be taken to the Diagnosis Result List page.

   • You can search for diagnosis results by entering the diagnosis name in the search area of the Diagnosis Result List page or by clicking the Detailed Search button.

3. On the Diagnosis Result List page, click on an item with a diagnosis result of Completed. You will be taken to the detailed diagnosis result page.

   • Items with a diagnosis result of Error do not display detailed information.

4. On the Detailed Diagnosis Result page, check the detailed diagnosis results.

   Category	Detailed Description
   Excel Download	Download the detailed diagnosis result list as an Excel file
   More > Diagnosis Result Management	Move to the diagnosis result management page
   Checklist	A collection of diagnosis items that serve as the basis for the diagnosis result
   Area	The scope of diagnosis (Samsung Cloud Platform services)
   Diagnosis Item	Security standards recommended for service settings
   Result	The result of checking the diagnosis item

   Table. Detailed Diagnosis Result Items

5. Click on the diagnosis item you want to check in detail. The Diagnosis Item Details popup window will appear.

   • In the Diagnosis Item Details popup window, you can check the following information:

       | Category | Detailed Description |
       |---------|---------|
       | Area | The scope of diagnosis (Samsung Cloud Platform services) |
       | Diagnosis Item | Security standards recommended for service settings |
       | Result | The result of checking the diagnosis item |
       | Diagnosis Criteria | The criteria for determining the result |
       | Diagnosis Method | The method for checking the current settings |
       | Countermeasure Guide | The method for setting the security standards |
       | Detailed Result | Information about the resources and settings corresponding to the diagnosis item |
       | Change Diagnosis Result | A button to change the diagnosis result |
       <div class="figure-caption">
         Table. Config Inspection Diagnosis Item Details
       </div>
     

Managing Diagnosis Results

The diagnosis result page allows you to change the results of items with a CHECK status.

Changing Diagnosis Results

To change a diagnosis result, follow these steps:

1. Click All Services > Security > Config Inspection menu. You will be directed to the Config Inspection Service Home page.

2. Click the Diagnosis Result menu on the Service Home page. You will be directed to the Diagnosis Result List page.

3. Click an item with a completed diagnosis result on the Diagnosis Result List page. You will be directed to the Diagnosis Result Detail page.

   • Items with an Error status will not display detailed information.

4. Click the Diagnosis Result Management button at the top of the Diagnosis Result Detail page. You will be directed to the Diagnosis Result Management page.

5. Click the Result Change button for the item you want to change the diagnosis result for** on the Diagnosis Result Management page. You will be directed to the Result Change popup window.

6. Select or enter the required information for the result change in the Result Change popup window.

   Category	Required	Description
   Register	-	Email of the person changing the diagnosis result
   Valid Period	Required	Set the valid period for the diagnosis result
   Result Change	Required	Select the new diagnosis result (Pass, Check, Fail)
   Detailed Reason	Required	Enter a detailed reason for changing the result
   Attachment	Optional	Upload a file required for result change confirmation Click the File Attachment button to upload a file, up to 5 files can be registered
   Inspection Result	-	Display detailed inspection results

   Table. Detailed Items for Changing Diagnosis Results

7. Confirm the entered information and click the Register button. Verify that the diagnosis result has been changed in the Diagnosis Result Management list.

Deleting Diagnosis Result Change History

To delete the diagnosis result change history, follow these steps:

1. Click All Services > Security > Config Inspection menu. You will be directed to the Config Inspection Service Home page.
2. Click the Diagnosis Result menu on the Service Home page. You will be directed to the Diagnosis Result List page.
3. Click an item with a completed diagnosis result on the Diagnosis Result List page. You will be directed to the Diagnosis Result Detail page.
   • Items with an Error status will not display detailed information.
4. Click the Diagnosis Result Management button at the top of the Diagnosis Result Detail page. You will be directed to the Diagnosis Result Management page.
5. Click the Result Confirmation button for the item you want to delete the diagnosis result change history for** on the Diagnosis Result Management page. You will be directed to the Result Confirmation popup window.
6. Click the Delete button in the Result Confirmation popup window.

2.2.3 - Setting up the Cloud

To use the Config Inspection service through the Samsung Cloud Platform Console, users must set up cloud prerequisites, such as generating authentication keys and adding access control IPs.

Setting up the Samsung Cloud Platform Console

To diagnose the Samsung Cloud Platform and external clouds using the Config Inspection service, configure the following items.

Checking policies connected to user groups

To check the policies of the user group you belong to, follow these steps:

1. Click All Services > Management > IAM. You will be taken to the Service Home page of IAM.
2. On the Service Home page, click User Group. You will be taken to the User Group List page.
3. On the User Group List page, click the user group you want to check. You will be taken to the User Group Details page.
4. On the User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
5. On the Policy tab page, click the policy you want to check. You will be taken to the Policy Details page.
6. On the Policy Details page, check the detailed information.

Generating authentication keys

You can check and generate authentication keys to be used for the Config Inspection service.

To generate an authentication key in the Samsung Cloud Platform Console, follow these steps:

1. Click My Menu > My Info. You will be taken to the My Info. details page.
2. On the My Info. details page, click the Authentication Key Management tab. You will be taken to the Authentication Key Management tab page.
3. On the Authentication Key Management tab page, click the Create Authentication Key button. You will be taken to the Create Authentication Key page.
   • On the authentication key management page, you can check the list of authentication keys.
4. On the Create Authentication Key page, enter the expiration period and click the Confirm button.
5. Check if the created authentication key is displayed in the authentication key list.

Adding Allowed Access IP

You can add an allowed access IP in the Samsung Cloud Platform Console.

To add an allowed access IP in the Console, follow these steps:

1. Click the My menu > My info. menu in the Console. You will be moved to the My info. detail page.
2. Click the Authentication key management tab on the My info. detail page. You will be moved to the Authentication key management tab page.
3. On the Authentication key management tab page, click the Modify icon in the Security settings section. The Modify authentication key security settings popup window will open.
4. In the Modify authentication key security settings popup window, enter the authentication method and allowed access IP.
   • Select Authentication key as the authentication method.
   • Set the allowed access IP to Use and enter the IP address, then click the Add button.
5. Once the allowed access IP is added, click the Confirm button. Verify that the information entered in the Security settings section has been modified.

Setting up AWS

To diagnose the AWS (Amazon Web Services) cloud in the Config Inspection service, set up the following items.

Adding Permission Policy

You can add a permission policy for a user or user group in the AWS Console.

Adding User Permissions

To add a user access permission policy in the AWS Console, follow these steps:

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. Select Add permissions in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Adding User Group Permissions

To add a user group access permission policy in the AWS Console, follow these steps:

1. Click IAM > User groups in the AWS Console.
2. Select the user group that the user belongs to from the user group list.
3. Click the Permissions tab on the user group page.
4. Select Add permissions in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Adding Access Control IP

If you are using an IP access control policy, you must add an exception IP to the policy.

Adding IP Access Control for Users

To add IP access control for users in the AWS Console, follow these steps:

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. Click Edit on the IP Access Control Policy in the permissions policy item.
   • Add 123.37.24.82 to the exception IP for blocking.

Adding IP Access Control for User Groups

To add IP access control for user groups in the AWS Console, follow these steps:

1. Click IAM > User Groups in the AWS Console.
2. Select the user group that the user belongs to from the user group list.
3. Click the Permissions tab on the user group page.
4. Click Edit on the IP Access Control Policy in the permissions policy item.
   • Add 123.37.24.82 to the exception IP for blocking.

Creating Access Keys

To create access keys in the AWS Console, follow these steps:

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Security Credentials tab on the user information page.
4. Click Access Keys on the Security Credentials page.
5. Create an access key for third-party services on the Create Access Key page.
   • Be sure to save the created access key information.

Setting up Azure

To diagnose Azure cloud in the Config Inspection service, set up the following items.

Registering Entra ID Application

To register Entra ID Application in the Azure Console, follow these steps:

1. Click Microsoft Entra ID > App Registration in the Azure Console.
2. Click New Registration on the App Registration page.
3. Register the application (client) ID.
4. After completing the app registration, check the App Name, Application (Client) ID, Directory (Tenant) ID on the overview page.

Adding API Permissions

To add API permissions in the Azure Console, follow these steps:

1. Click Microsoft Entra ID > App Registration (App registrations) > Entra ID Application Registration and select the created App Name > API Permissions (App permissions) > Add a permission.
2. Select Microsoft Graph from the API Permissions list.
3. Click Application Permissions on the API Permission Request page.
   • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
4. Click Grant admin consent for account name after adding permissions on the App API Permission Registration page.
   • Check if the status has changed to Granted for account name.

Creating Client Secret

To create a client secret in the Azure Console, follow these steps:

1. Click Microsoft Entra ID > App Registration (App registrations) > Entra ID Application Registration and select the created App Name > Certificates & Secrets.
2. Click New Client Secret on the Certificates & Secrets list.
3. Check the Value item of the client secret in the list after creating the client secret.
   • Be sure to save the client secret value.

Adding Subscription Access Permissions in Azure Console

Subscription access permissions in the Azure Console can be added to the tenant root group or individual subscriptions. Choose the desired method to add subscription access permissions.

Adding Permissions to the Tenant Root Group

To add Azure Console subscription access permissions to the Tenant Root Group, follow these steps:

1. Click on Management groups > Overview in the Azure Console.
2. Click on Tenant Root Group > IAM.
   • If you cannot access the Tenant Root Group menu, change the following settings:
     • Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
   • After adding permissions, be sure to change it back to No.
3. On the Access Control page, click on Add > Add role assignment.
4. On the Add role assignment page, enter the details and click on Save (Review+assign).
   • When entering role assignment information, select the following information in the Role and Member tabs to add the App created in Entra ID Application registration. All three permissions below must be added.

       |  Category  |  Permission  |
       |---------|---------|
       |Reader|User, group, or service principal|
       |Key Vault Reader|User, group, or service principal|
       |Reader and Data Access|User, group, or service principal|
       <div class="figure-caption">
         Table. Additional permission items when entering role assignment information
       </div>
     

Adding Permissions to an Individual Subscription

To add Azure Console subscription access permissions to an individual subscription, follow these steps:

1. Click on Subscription > Overview in the Azure Console.
   • Check the Subscription ID in the basic information on the overview page.
2. Click on Subscription > IAM.
3. On the Access Control page, click on Add > Add role assignment.
4. On the Add role assignment page, enter the details and click on Save (Review+assign).
   • When entering role assignment information, select the following information in the Role and Member tabs to add the App created in Entra ID Application registration. All three permissions below must be added.

       |  Category  |  Permission  |
       |---------|---------|
       |Reader|User, group, or service principal|
       |Key Vault Reader|User, group, or service principal|
       |Reader and Data Access|User, group, or service principal|
       <div class="figure-caption">
         Table. Additional permission items when entering role assignment information
       </div>
     

Adding Access Permissions using PowerShell

To add Azure Console subscription access permissions using PowerShell, follow these steps:

1. In the Azure Console, run the following command in Cloud shell > PowerShell:
   • New-AzRoleAssignment -ObjectId “Object ID of the App confirmed in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’ -ObjectType ‘ServicePrincipal’
   • If the command does not work, change the following settings:
     • Microsoft Entra ID > Properties > ‘Account name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes
     • After adding permissions, be sure to change it back to No.
2. Run the following command to check if the settings are complete:
   • Get-AzRoleAssignment –ObjectId “Object ID of the App confirmed in Enterprise Application” –Scope “/providers/Microsoft.aadiam”
   • If you need to delete permissions, run the following command:
     • Remove-AzRoleAssignment -ObjectId “Object ID of the App confirmed in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’

2.3 - Release Note

Config Inspection

3 - Certificate Manager

3.1 - Overview

Service Overview

Certificate Manager is a service that supports certificate deployment and integrated management, allowing users to create and use SSL/TLS certificates issued by a Certificate Authority (CA) and self-signed certificates for development or testing purposes in Samsung Cloud Platform resources. It also enables management of the certificate lifecycle by checking expiring certificates through expiration notification emails.

Features

• Easy creation: You can create a certificate with a simple task on the Samsung Cloud Platform Console. User certificates issued from outside undergo validity verification and only deployable certificates are distributed.
• Service Integration: Connects certificates registered in Certificate Manager to Load Balancer to encrypt network connections and protect services.
• Certificate Expiration Alert: Until 1 day before the expiration date, periodic notifications allow you to check and replace certificates that are about to expire.

Service Composition Diagram

Provided Features

Certificate Manager provides the following functions.

• Certificate Creation: You can create a user certificate issued by a certificate authority or a self-signed certificate suitable for development/testing purposes.
• Connected Resource Inquiry: You can inquire about Samsung Cloud Platform resources that are using certificates. Currently, it provides a list of Load Balancer’s Listener(HTTPS).
• Expiration Notice: You can set the recipient of the expiration notice for each certificate. The notification recipient will receive an email from 45 days before expiration. (Sent 45/30/15/7/1 day before expiration)

Components

The Certificate Manager’s user certificate consists of Private Key, Certificate Body, and Certificate Chain. Enter the certificate information, including the entire contents, including the BEGIN and END lines.

Private Key

Enter the private key in PEM format. The private key supports RSA and the decrypted value must be entered.

-----BEGIN RSA PRIVATE KEY-----
Private Key
-----END RSA PRIVATE KEY-----

Certificate Body

Server(Leaf) inputs the certificate in PEM format. Only one certificate can be entered in the Certificate Body.

-----BEGIN CERTIFICATE-----
Server Certificate
-----END CERTIFICATE-----

Certificate Chain

Enter the upper certificate in PEM format. Enter in the order of Sub(Intermediate) CA → Root CA, and it can be omitted only when it is a self-signed/issued certificate.

-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Certificate
-----END CERTIFICATE-----

Constraints

Certificate Manager provides a service by Region unit. Please create and use the service in the required Region. The quota per Region is as follows.

Preceding Service

Certificate Manager has no preceding services.

3.2 - How-to guides

The user can enter the required information for the Certificate Manager service through the Samsung Cloud Platform Console, select detailed options, and create the service.

Certificate Manager Create

You can create and use the Certificate Manager service from the Samsung Cloud Platform Console.

To request the creation of a Certificate Manager service, follow the steps below.

1. All Services > Security > Certificate Manager Click the menu. Service Home page will be opened.
2. Click the Create Certificate Manager button on the Service Home page. You will be taken to the Create Certificate Manager page.
3. Certificate Manager creation On the page, enter the information required to create the service, and select detailed options.
   • Service Information Input area: enter or select the required information.

     Category	Required	Detailed description
     Certificate Name	Required	Enter the name of the Certificate Manager to use Enter within 3-30 characters, including English letters, numbers, and special characters (-, _, .) Cannot be the same as an existing name in use
     Type	Required	Select the Certificate Manager type to use User Certificate: Public certificate issued by a Certificate Authority (CA) Self-issued Certificate: Certificate self-issued (Self-signed) by Samsung Cloud Platform Since it is relatively insecure, it is recommended for development/testing use.
     User Certificate > Certificate Body	Required	Enter Server (Leaf) certificate information Only one certificate can be entered in the certificate body Enter the entire content including the lines from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—–
     User Certificate > Private Key	Required	Enter private key information Private Key supports RSA encryption method Private Key can be entered in unencrypted PEM format Enter the entire content including the lines from —–BEGIN RSA PRIVATE KEY—– to —–END RSA PRIVATE KEY—-
     User Certificate > Certificate Chain	Required	Enter Certificate Chain information Can be omitted when using a private certificate Enter the Certificate Chain in order: Intermediate (Subordinate) certificate → Root certificate Public certificates must provide Certificate Chain information; only when there is no intermediate certificate (Chain CA) should use be disabled Enter the entire content including the lines from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—– If there are multiple Intermediate (Subordinate) certificates, enter each certificate’s content in order
     User Certificate > Certificate Validity Check	Required	Validate the entered certificate’s validity
     Self-issued certificate > Common Name	Required	Enter the domain name to be used for the certificate
     Self-issued certificate > Organization Unit	Required	Enter the organization and department that will use the certificate
     Self-issued Certificate > Start Date	Required	Enter the certificate usage start date (creation date)
     Self-issued certificate > Expiration date	Required	Enter certificate expiration date
     Expiration Alert	Select	Set whether to receive alerts before certificate expiration Use can be selected to enable expiration alerts If expiration alerts are set, an email is sent to recipients 45 days/30 days/15 days/7 days/1 day before certificate expiration
     Expiration Alert > Notification Recipient	Required	Select notification recipient when using expiration alert Enter user name in the search area to select notification recipient Up to 100 can be registered

     Table. Certificate Manager Service Information Input Items
     Reference

     • If the entered certificate information is not valid, you cannot create the Certificate Manager service.
     • If the Private Key is encrypted, enter the decrypted value using the openssl command below.
       • openssl rsa -in [Encrypted Private Key File name] -out [Decrypted Private Key File name]
     • For certificates issued via Let’s Encrypt, even if there is a previously issued Certificate Chain value, extract it again and input.
       • For detailed explanation of the extraction method, please refer to Chain Certificate Extraction.
   • Additional Information Input Enter or select the required information in the area.

     Category	Whether required	Detailed description
     Tag	Select	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

     Table. Certificate Manager additional information input items
4. Verify the entered service information and additional information, and click the Complete button.
   • Once creation is complete, check the created resource on the Certificate Manager List page.
     Reference

     To create a Load Balancer to use in the Certificate Manager service, click Load Balancer creation in Service Home.

     • For detailed explanation about creating a Load Balancer, please refer to Creating a Load Balancer.

Certificate Manager View Detailed Information

Certificate Manager service can view and edit the full resource list and detailed information. Certificate Manager Details page consists of Details, Connected Resources, Tags, Activity History tabs.

To view detailed information of Certificate Manager, follow the steps below.

1. All Services > Security > Certificate Manager Click the menu. Go to the Certificate Manager’s Service Home page.
2. On the Service Home page, click the Certificate Manager menu. Navigate to the Certificate Manager list page.
3. Click the resource to view detailed information on the Certificate Manager List page. You will be taken to the Certificate Manager Details page.

• Certificate Manager Details page displays the status information and detailed information of Certificate Manager, and consists of Details, Connected Resources, Tags, Activity History tabs.

  Category	Detailed description
  Service Status	Certificate Manager Status Creating: Creating Active/Valid: Certificate valid Expired: Certificate expired Editing: Editing settings Terminating: Terminating Error: Certificate error
  Service termination	Button to cancel Certificate Manager

  Table. Status Information and Additional Functions

Detailed Information

Certificate Manager list page, you can view detailed information of the selected resource and, if necessary, edit the information.

Connected Resources

You can view the connected Load Balancer information on the Certificate Manager list page.

Tag

Certificate Manager list page, you can view the tag information of the selected resource, and you can add, modify, or delete it.

Work History

Certificate Manager List page, you can view the operation history of the selected resource.

Certificate Manager Cancel

You can apply for termination of the Certificate Manager service from the Samsung Cloud Platform Console.

To request termination of the Certificate Manager service, follow the steps below.

1. All Services > Security > Certificate Manager Click the menu. Go to the Service Home page of Certificate Manager.
2. Click the Certificate Manager menu on the Service Home page. Navigate to the Certificate Manager list page.
3. Certificate Manager List Click the resource to view detailed information on the page. Certificate Manager Details You will be taken to the page.
4. Click the Service Termination button on the Certificate Manager Details page.
5. Once termination is complete, check the service termination status in the Certificate Manager list.

3.2.1 - Chain Certificate Extraction

The user can extract and enter the Certificate Chain certificate to be used when creating the Certificate Manager service.

Extract Certificate Chain

You can extract the Certificate Chain certificate value required when creating a Certificate Manager.

Intermediate (Subordinate) Certificate Value Extraction

You can extract the Intermediate (Subordinate) certificate of the Certificate Chain required when registering a user certificate.

To extract the Intermediate(Subordinate) certificate value, follow these steps.

1. Run the crt file format certificate file on PC. The certificate window appears.
2. Click the Certificate Path tab in the Certificate window.
   • If it is in PEM file format, change the file format to crt.
3. Click the certificate under the Root and click Certificate View.
4. Click the Details tab and move, then click Copy to file.
5. When the Certificate Export Wizard runs, click Next.
6. Select Base 64 encoded X.509(.CER)(S) as the format to use and click Next.
7. Click Browse to select the path where you want to save the file, and then click Next.
8. Click Finish. The Certificate Export Wizard is complete.
9. Open the exported file in TEXT file format and check the value.
   • The extracted certificate value must have —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—- items at the beginning and end.

Root Certificate Value Extraction

You can extract the Root certificate of the Certificate Chain required when registering a user certificate.

To extract the Root certificate value, follow these steps.

1. Run the crt file format certificate file on PC. The certificate window appears.
2. Click the Certificate Path tab in the Certificate window.
   • If it is in PEM file format, change the file format to crt.
3. Click the topmost Root certificate and click Certificate View.
4. Click the Details tab and move, then click Copy to file.
5. When the Certificate Export Wizard runs, click Next.
6. Select Base 64 encoded X.509(.CER)(S) as the format to use and click Next.
7. Click Browse to select the path where you want to save the file, and then click Next.
8. Click Finish. The Certificate Export Wizard is complete.
9. Open the exported file in TEXT file format and check the value.
   • The extracted certificate value must have —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—- items at the beginning and end.

Input Certificate Chain value

This explains how to enter the extracted Intermediate (Subordinate) certificate and Root certificate values into the Certificate Chain item when creating a Certificate Manager.

To enter the Intermediate (Subordinate) certificate and Root certificate values in the Certificate Chain item, follow these procedures.

1. Intermediate (Subordinate) certificate file and Root certificate file should be run in text file format.
2. Intermediate (Subordinate) certificate file values should be copied in their entirety.
3. Certicafate Manager creation page’s Certificate Chain input area, please paste.
   • Include the certificate value, including —–BEGIN CERTIFICATE—– at the beginning and —–END CERTIFICATE—- at the end, and paste it.
4. Copy the entire value of the Root certificate file.
5. Paste it into the Certificate Chain input area of the Certicafate Manager Creation page.
   • Includes the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—- at the start and end of the certificate value and paste it.
   • Intermediate (Subordinate) certificate’s below line will be pasted with the Root certificate value.

3.3 - API Reference

3.4 - CLI Reference

3.5 - Release Note

Certificate Manager

4 - Secret Vault

4.1 - Overview

Service Overview

Secret Vault is a service that allows access to Samsung Cloud Platform services and resources with a security-enhanced token-based temporary key without hard-coding security information in plain text format when accessing using Open API, and also manages the lifecycle of the temporary key to maintain a security-enhanced environment when using the API.

Features

• Enhanced Security Environment: Instead of entering hard-coded authentication information into the application source code, you can respond to security threats due to authentication information leakage by issuing a token-based temporary key.
• Life-Cycle based key management: Users do not need to manage the life cycle of the key directly to meet security requirements. It provides automated key management and replacement functions according to the set life cycle.
• Various resource utilization possible: Through the token issued by Secret Vault, not only resources within Samsung Cloud Platform but also external resources (other CSP, On-Premise, etc.) can be accessed through an enhanced security environment.

Service Composition Diagram

Provided Features

Secret Vault provides the following features.

• Token Authentication Addition and Encryption Storage: It provides token issuance and temporary key issuance functions using authentication keys, and safely stores authentication key information by encrypting it (AES-256).
• Key Life-cycle Management: Provides key issuance and automatic replacement functions based on the life cycle, and allows setting the replacement cycle by time unit (up to 36 hours).
• Access Control Function: The user application can control access to resources based on IP.

Component

Secret

Secret is a form of information that combines Token information and temporary key exchange cycle information, and is an object that can be applied by the user in the console.

Token

Token is a unique string used to authenticate the user’s identity and verify authority, and a temporary key can be issued to access the Samsung Cloud Platform through token-based authentication when requesting Open API.

Constraints

Secret Vault provides a region-based service. Therefore, when creating a Secret, you cannot select an authentication key being used in a Secret from a different region.

Preceding Service

Secret Vault does not require any separate prior service work.

4.2 - How-to guides

The user can enter the essential information of the Secret Vault service and create the service by selecting detailed options through the Samsung Cloud Platform Console.

Secret Vault creation

You can create and use the Secret Vault service on the Samsung Cloud Platform Console.

To create a Secret Vault, follow the following procedure.

1. All services > Security > Secret Vault menu, click. It moves to the Service Home page of Secret Vault.
2. Service Home page, click the Create Secret Vault button. It moves to the Create Secret Vault page.
3. Secret Vault Creation page where you enter the information required for service creation and select detailed options.

• Service Information Input area, please select the required information.

  Classification	Necessity	Detailed Description
  Secret name	required	Enter Secret name Enter 3-63 characters using lowercase English letters and numbers
  Type	Required	Select the type of encryption target
  Authentication Key	Required	Select the authentication key to use for the Secret Vault service Click the Use button to select from the pre-created authentication keys in the Authentication Key Management menu. In the Authentication Key Management menu, you must select the security authentication method as Private Key Authentication. Expired authentication keys will not be retrieved, and authentication keys with a remaining usage period of less than 30 days or already in use in the Secret Vault product cannot be used. (Only one Secret Vault product can be applied per authentication key.)
  Token usage period	required	The usage period of the Token provided by encrypting the authentication key The Token usage period is automatically set to be the same as the validity period of the input authentication key by default. If the authentication key validity period is set to permanent, the Token usage period can be set up to a maximum of 7300 days (20 years). The Token usage period cannot be changed after the service application is completed. For security enhancement, periodic replacement of the Token is recommended. If the Token usage period expires, it is impossible to issue a temporary key, and a new Token must be issued through a new service application. If the Token usage period expires, it is impossible to extend the period, and the Token can no longer be used. Before the Token usage period expires, a new Token must be issued through a new service application, and the issued Token information must be applied to the source code.
  Access key replacement cycle	Required	Select the replacement cycle of the access key to be used to access Samsung Cloud Platform resources The access key usage time is applied from the time the service creation is completed. For security enhancement, the access key usage period can only be set up to a maximum of 1.5 days (36 hours). A new access key is issued before the access key usage period expires, and the same usage period is applied.
  Access Allowed IP	Required	Enter the IP to allow access and click the Add button The entered IP must also be set identically in Authentication Key Management > Security Settings > Access Allowed IP to allow access. Even when entering a single IP, you must enter ‘/32’ after the IP. Up to 10 IPs can be registered.
  Description	Selection	Additional Information Input

  Table. Secret Vault service information input items
• Additional Information Input area, please select the required information.

  Classification	Mandatory	Detailed Description
  tag	selection	add tag add tag button to create and add a tag or add an existing tag up to 50 can be added per resource newly added tags are applied after service creation is completed

  Table. Additional Information Input Items for Secret Vault

4. Summary panel where you can check the detailed information generated and the expected billing amount, and click the Complete button.

• Once creation is complete, check the created resource on the Secret Vault list page.

Secret Vault detailed information check

You can check and modify the entire resource list and detailed information of the Secret Vault service. The Secret Vault details page consists of details, tags, and work history tabs.

To check the detailed information of the Secret Vault service, please follow the following procedure.

1. All services > Security > Secret Vault menu, click. It moves to the Service Home page of Secret Vault.
2. Service Home page, click the Secret Vault menu. It moves to the Secret Vault list page.
3. Secret Vault list page, click on the resource to check the detailed information. It moves to the Secret Vault details page.

• Secret Vault details page displays status information and additional feature information, and consists of details, tags, work history tabs.

  Classification	Detailed Description
  Secret Vault status	the status of the Secret Vault created by the user Active: in operation To be terminated: after applying for service cancellation, waiting for cancellation The scheduled cancellation time of the service is displayed, and the service cancellation can be canceled. Expired: token expiration status The Secret changed to the Expired status cannot perform any actions such as information inquiry, and is automatically deleted after 7 days.
  Replace Master Key	Delete the master key currently in use and create a new master key Only the creator of the Secret Vault service can replace the master key.
  Service Cancellation	Button to cancel the service

  Table. Secret Vault Status Information and Additional Functions

Detailed Information

Secret Vault List page where you can check the detailed information of the selected resource and modify the information if necessary.

Tag

Secret Vault List page where you can check the tag information of the selected resource, and add, change or delete it.

Work History

Secret Vault list page where you can check the work history of the selected resource.

Secret Vault Cancellation

You can cancel the corresponding service that is not in use to reduce operating costs. However, if you cancel the service, the operating service may be stopped immediately, so you must consider the impact of stopping the service sufficiently before proceeding with the cancellation work.

To cancel the Secret Vault, follow the following procedure.

1. All services > Security > Secret Vault menu, click. It moves to the Service Home page of Secret Vault.
2. Service Home page, click the Secret Vault menu. It moves to the Secret Vault list page.
3. Secret Vault list page, select the resource to be canceled and click the Service Cancellation button. It moves to the Service Cancellation pop-up window.
4. Service Cancellation popup window, enter the cancellation waiting period (7-30 days) and click the Confirm button. The service will be cancelled after the cancellation waiting period entered by the user.

Secret Vault cancellation cancellation

You can cancel the cancellation of the service that is waiting for cancellation and use it again.

To cancel the cancellation of Secret Vault, follow the next procedure.

1. All Services > Security > Secret Vault menu, click. It moves to the Service Home page of Secret Vault.
2. Service Home page, click the Secret Vault menu. It moves to the Secret Vault list page.
3. Secret Vault list page, click the resource to cancel the cancellation. It moves to the Secret Vault details page.
4. Secret Vault details page, click the cancel cancellation button. It moves to the service cancellation cancellation pop-up window.
5. Service Cancellation Cancel popup window, check the contents, and then click the Confirm button. The status of the resource that canceled the cancellation will be restored to Active.

Application Token settings

Secret Vault service application to obtain the Token information is required for API calls for OpenAPI key issuance request information, Token information for each application environment to fit please set.

To set the token information, follow the next procedure.

1. Apply the Token information to the environment variable setting file of the Application.
2. Set the Token information so that it can be referenced by the API call Logic within the Application.

• use OpenAPI → GET /v1/temporarykey/{secretvault_id}
• For more detailed information, please refer to the Open API Guide of Samsung Cloud Platform Console.

3. Set the Token information so that the API call Logic within the Application can reference it.

• The IMS kit can remove hard coding from existing source code and use token information to call OpenAPI and issue it for use. For more information, please refer to the Open API Guide in the Samsung Cloud Platform Console.

application.yml or application.properties and other environment variable setting files

Apply the issued Token information to the environment variable setting file.

secretvault.secretvault.id= {{ ID }}
secretvault.tokenId= {{ Token ID }}
secretvault.tokenSecret= {{ Token Secret }}

Java file

Apply to the class file for environment variable recognition.

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecretVaultConfiguration {
    @Value("${secretvault.id}")
    private String id;

    @Value("${secretvault.tokenId}")
    private String tokenId;

    @Value("${secretvault.tokenSecret}")
    private String tokenSecret;

    @Bean
    public OpenApiClient openApiClient() {
// Create OpenApiClient or another API client and initialize it using the setting values
        return new OpenApiClient(secretVaultName, tokenId, tokenSecret);
    }
}

4.3 - API Reference

4.4 - CLI Reference

4.5 - Release Note

Secret Vault

5 - SingleID

5.1 - Overview

Service Overview

SingleID not only allows authorized users to easily access information assets with one-time authentication, but also strengthens account security through policy-based authority management and real-time abnormal authentication detection, and provides account management and access framework through various history management.

Features

• Easy and convenient login and app linking: Building an integrated authentication system that can log in from On-Premises to SaaS apps with one ID can improve work productivity. Administrators can automate linking to various global SaaS apps through prepared Pre-Built Connectors, allowing them to easily link various apps without domain knowledge of authentication.
• Account Management Efficiency and Security Enhancement: It systematically manages the account lifecycle from creation to deletion for various users, including employees, partner companies, corporations, and subsidiaries. Additionally, it grants permissions to authorized users in a timely manner and revokes unnecessary permissions in a timely manner to prevent unauthorized access and strengthen account security.
• Enhanced Anomaly Detection: Situation-based authentication anomaly detection through user type, login IP, device information, access time, etc. enables the application of security policies according to the situation, preventing account infringement accidents.
• Cloud Access Management: Unifies the access path of operators/developers accessing the public cloud and executes role-based temporary token-based console/resource access control to further strengthen cloud security in a multi-cloud environment.

Service Composition Diagram

Provided Features

SingleID provides the following functions.

• Integrated Authentication and Account Management
• Supports various authentication linkage protocols (SAML, OIDC, etc.)
• Provide self-service features for app usage application and approval
• Salesforce, Workday etc. account synchronization and role (group) synchronization/management within the account
• Provides membership registration/withdrawal function that can issue accounts to non-employees, such as partners and customers
• Passwordless and Multi-Factor Authentication
• PC/Mobile passwordless authentication and multi-factor authentication (MFA)
• Existing 1st authentication environment linkage to provide 2nd authentication composite authentication (MFA-only service use case)
• Support for certificate-based authentication through Private CA (Certificate Services Authority), a private certificate issuance/management function (separate Use Case)
  • Authentication method: SMS, email, mOTP, TOTP, PIN, biometric, Knox Messenger, Window Hello, etc.
• Authentication and Account Information Linking
• Automation of app connection through Pre-Built Connector
• DIY integration template for simplified custom app integration
• Anomaly Detection based on Risk-based Authentication
• Context-based access control according to the situation of attempting authentication
• Enhanced security through detailed login and authentication policy settings
• Public Cloud Access Management for Cloud Operators/Developers
• Role-based console access control through assigned accounts
• Request/Approval of Resource Access Permission and OTP-based Credential Method for Resource Access

Component

The components of the SingleID service are as follows. Users can use the service through the Samsung Cloud Platform SingleID Console.

• Access Management
• Supports various authentication linkage protocols (SAML, OIDC, etc.)
• Provide integrated login to in-house and out-of-house work systems through a single login
• Identity Management
• Manage lifecycle from account creation to disposal
• Directory integration and synchronization (Active Directory, LDAP, etc.)
• Multi Factor Authentication
• PC and mobile simple authentication
• SMS, email, mOTP, TOTP, PIN, biometric, Knox Messenger, Window Hello, etc. provide various composite authentication methods
• Anomaly Detection Management
• Context-based access control according to the situation of attempting authentication
• Providing adaptive access control through risk analysis
• Cloud Access Management
• Cloud security enhancement through singleization of access paths for cloud operators/developers
• Role-based temporary token method for console/resource access control

Regional Provision Status

SingleID can be provided in the following environments.

Preceding Service

SingleID has no preceding service.

5.2 - How-to guides

The user can enter the required information for the SingleID service and select detailed options through the Samsung Cloud Platform Console to create the service.

Create SingleID

Samsung Cloud Platform Console에서 SingleID 서비스를 생성하여 사용할 수 있습니다.

1. All Services > Security > SingleID Click the menu. SingleID Service Home Navigate to the page.
2. Service Home on the page click the Create SingleID button. Navigate to the Create SingleID page.
3. SingleID Creation On the page, enter the required information in the service information input area, and select the detailed options.

• Service Configuration Selection area, enter the information for the service and select detailed options.

  Category	Required or not	Detailed description
  Service Selection	Required	SingleID Service Selection Multiple services can be selected and applied MFA When applied alone, simple authentication function is not provided When IM, MFA are selected, AM is automatically selected Selecting ADM automatically selects AM, IM, MFA Selecting CAM automatically selects AM, IM, MFA When AM, IM, MFA or AM, IM, MFA, ADM are selected, a tenant is automatically created in the TAP/UP/MFA portal. If only the MFA item is selected, a tenant is created in the TAP/MFA portal
  Tenant user count	Required	Enter the minimum number of Tenant users according to the selected service Can be entered within the range of 50 - 999,999
  Resource Unit Count	Select	Enter the number of Resource Units to register when selecting CAM service Input possible within the range 20 - 99,999
  Integration Support	Select	Enter number of integration support units Can be entered within the range 1 - 9,999 AM: 1 unit MFA: 1 unit IM: 2 units When using AM and MFA simultaneously, counted as 1 unit

  Table. SingleID Service Configuration Selection Items
  • Enter Service Information area, enter the information required to create the service.

    Category	Required or not	Detailed description
    Tenant name	Required	Enter Tenant name
    Tenant code	Required	Tenant code input

    Table. SingleID Service Information Input Items
  • Member Selection Select the tenant user who will use the service in the area.

    Category	Required	Detailed description
    User	Required	Select members from user list You must select at least one user to be able to create the service

    Table. SingleID Service Member Selection Items
  • Additional Information Input area, please enter or select the required information.

    Category	Required or not	Detailed description
    Tag	Select	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

    Table. SingleID additional information input items

4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Complete button.
   • When creation is complete, check the created resources on the SingleID List page.

SingleID Check Detailed Information

SingleID service can view and edit the full resource list and detailed information. SingleID Detail page consists of Detail Information, Tags, Activity History tabs.

To view detailed SingleID information, follow the steps below.

1. All Services > Security > SingleID Click the menu. Service Home page will be displayed.
2. Click the SingleID menu on the Service Home page. Navigate to the SingleID List page.
3. SingleID List Click the resource to view detailed information on the page. SingleID Details You will be taken to the page.

• SingleID Details page displays status information and additional feature information, and consists of Details, Tags, Activity History tabs.

  Category	Detailed description
  Service Status	Service Status Display Creating: Creating tenant Active: Tenant creation completed Terminating: Terminating service Failed: Tenant creation failed
  CAM Portal	Cloud Access Management portal popup button Displayed only when applying for CAM service
  Admin Portal	Admin portal window popup button
  Service termination	Service termination button

  Table. SingleID status information and additional functions

Detailed Information

SingleID List page allows you to view detailed information of the selected resource and, if needed, modify the information.

Tag

SingleID list page allows you to view the tag information of the selected resource, and you can add, modify, or delete it.

Work History

SingleID list page allows you to view the operation history of the selected resource.

SingleID Admin Portal Using

In the Admin Portal, you can configure and manage SSO authentication settings, account synchronization integration, multi-factor authentication, etc.

To go to SingleID’s Admin Portal, follow the steps below.

1. All Services > Security > SingleID Click the menu. Service Home page will be displayed.
2. Click the SingleID menu on the Service Home page. Navigate to the SingleID list page.
3. On the SingleID List page, click the resource to view detailed information. You will be taken to the SingleID Details page.
4. Click the Admin Portal button on the SingleID Details page. The SingleID admin portal window appears.

• For detailed description of the Admin Portal, please refer to Admin Portal.

SingleID CAM Portal Usage

In the CAM Portal, you can set and manage console and resource access control and security management of the CSP.

To go to SingleID’s CAM Portal, follow the steps below.

1. All Services > Security > SingleID Click the menu. Navigate to the Service Home page.
2. Service Home page, click the SingleID menu. Go to the SingleID List page.
3. SingleID List Click the resource to view detailed information on the page. SingleID Details page will be opened. 4.SingleID Details on the page, click the CAM Portal button. The SingleID cloud access management portal window appears.
   • For detailed description of CAM Portal, please refer to CAM Portal.

SingleID Cancel

You can reduce operating costs by terminating the unused service.

To cancel SingleID, follow the steps below.

1. All Services > Security > SingleID menu, click it. SingleID Dashboard page, navigate.
2. Click the resource to be terminated on the SingleID List page. It moves to the SingleID Details page.
3. Service Cancellation Click the button. A termination notice window appears.
4. In the alert window, enter the Tenant name and click the Confirm button.

5.2.1 - SingleID Manuals

SingleID enables only authorized users to easily access information assets with a single authentication, and strengthens account security through policy-based permission management and real-time detection of abnormal authentication behavior, and provides account management and access framework through various history management.

SingleID Provided Manual List

SingleID provides various manuals as shown in the table below.

5.2.1.1 - User Portal

Overview

SingleID allows only authorized users to easily access information assets with a single authentication, and strengthens account security through policy-based permission management and real-time detection of authentication anomalies, and provides account management and access framework through various history management.

Provided Features

• Integrated authentication and account management
  • Support various authentication integration protocols (SAML, OIDC, etc)
  • Provision of self-service function for app usage request and approval
  • Salesforce, Workday account synchronization and role (group) synchronization/management within the account
  • Provide sign-up/withdrawal functionality that can issue accounts to partners, customers, etc., who are not employees.

• Passwordless and Multi-Factor Authentication
  • PC/Mobile passwordless authentication and multi-factor authentication (MFA)
    • Authentication method : SMS, email, SinlgeID Authenticator(mOTP, TOTP, PIN, biometric), Knox Messenger, Passkey, etc
  • Provide composite authentication for secondary authentication through integration with existing primary authentication environment (MFA-only service use case)
  • private certificate issuance/management function Private CA(Certificate Service Authority) through certificate-based authentication support(separate Use Case)

• Authentication and Account Information Integration
  • Automation of app integration through Pre-Built Connector
  • Simplified custom app integration through DIY integration templates
• Risk-based authentication anomaly detection
  • Context-based access control based on the situation of attempting authentication
  • Strengthening security through detailed login and authentication policy settings
• Public cloud access management for cloud operators/developers
  • Console access control through role-based assigned accounts
  • Resource access permission request/approval and resource access using OTP-based credential verification method

Service Configuration Diagram

User Portal what is?

SingleID User Portal is the user interface of the SingleID service, providing various security features such as access to company applications, SSO, and access permission requests.

User Portal Screen Layout

User Portal is composed of the following menus.

1. My App
2. App Catalog
3. Notification
4. Approval Request

Manual composition

This manual is composed of the following contents.

1. Overview: Explains the concept and manual screen composition with the SingleID overview.
2. Announcements and Language Settings: Explains how to set the language in the SingleID solution and how to check urgent announcements that can be viewed before logging in.
3. Login and Authentication: It explains how to register and use various authentication methods for login.
4. Register authentication tool: Explains the enrollment process where the user registers an authentication tool.
5. Sign Up: Explains the two methods of sign up.
6. Find ID: Describes the procedure where the user finds their ID themselves through the Find ID function.
7. Privacy Policy and Terms of Use: Explains the privacy policy and terms of use that can be found via the link at the bottom of the screen.
8. PC SSO Agent: Describes the PC SSO Agent, which is a login/logout auxiliary function of SingleID.
9. My App: Describes the My App menu that can be accessed via SSO.
10. App Catalog: Describes the App Catalog menu that allows you to view the list of apps that can be requested.
11. Notification: Describes the Notification menu that can check emergency notices and general notices. 12.Approval Request: Describes the Approval Request menu that can request or approve app usage.
12. Personal Information Settings: You can set photos, preferred language, and system time zone Personal Information Settings, Authentication Settings, Login History/Environment, Logout etc., describing the personal settings menu.

5.2.1.1.1 - Notice and Language Settings

Notice

You can check the notice notifications posted by the administrator on the user portal login screen and the screen after logging in to the user portal. Notices are divided into general notices and urgent notices.

• General Notice: General notices posted by administrators, used to deliver information to users. It can be checked in the User Portal > Notification menu.
• Urgent Notice: Urgent notices posted by the administrator, and can be checked on the User Portal > Login Screen and User Portal > Notification menu.

Language setting

To modify the language that appears on the screen, follow these steps.

1. User Portal Screen > Top Language selection, click on the desired language from Korean or English.
2. A dropdown list to select between Korean and English appears.
3. Select your desired language. The screen will be switched according to the selected language.

5.2.1.1.2 - Login using authentication method

Log in using authentication method

What is authentication method?

Authentication method is commonly called Authenticator and refers to an authentication tool.

SingleID provides the following nine authentication methods for user authentication.

• Password: Enter password on SingleID login screen
• Email OTP: Send OTP via email and enter OTP on the SingleID login screen
• SMS OTP: Send OTP via SMS and enter OTP on the SingleID login screen
• Knox Messenger OTP: Send OTP via Knox Messenger and enter OTP on the SingleID login screen
• Knox Identity: Authentication integration with Knox Portal user ID/Password

• SingleID Authenticator Bio: Install the dedicated SingleID mobile app and link authentication with biometric verification
• SingleID Authenticator PIN: Install the dedicated SingleID mobile app and link authentication with a PIN.
• SingleID Authenticator mOTP: Install the SingleID dedicated mobile app and integrate authentication with mOTP (Mobile OTP)
• SingleID Authenticator TOTP: Install the SingleID dedicated mobile app and integrate authentication with TOTP (Time base OTP)
• Passkey: Login and authentication using biometrics (fingerprint, facial), Mobile, PIN code without password based on Windows Hello

Enter user ID

The user attempts to log in by entering their ID on the login screen below.

To log in using the user ID, follow the steps below.

1. Login screen > Account ID Enter the ID in the input field, and click the Next button.
2. Enter the password in the password field, and click the Next button.
3. Login is completed.

Passwordless Login

SingleID provides login service without a password.

To log in without using a password, follow the steps below.

1. Login screen > Do you want to log in without a password? Click it.
2. Select verification method The screen appears. Click one of the desired authentication methods.
3. Enter the authentication code according to the selected authentication method.
4. After login is completed, you will be taken to the User Portal main screen.

Set Preferred Authentication Method

SingleID users log in to the User Portal provided by SingleID and set up their preferred primary and secondary authentication methods.

If the user sets their preferred method, the Select verification method screen is omitted during login and authentication, allowing immediate authentication using primary and secondary methods.

If you want to set your preferred authentication method, follow the steps below.

1. Click the User Portal > Personal Profile > Authentication settings.
2. Authentication Settings screen appears.
3. Click the ☆ 1st, ☆ 2nd that you want in front of each authentication method.
4. 1st, 2nd can each be selected only one at a time. Selection is completed when it changes to ★.

Once the setup is complete, it will be configured in that manner for the next login, providing convenient login.

Register authentication method

All authentication methods can be set by the user. Registering an authentication method by the user is called enrollment. When a user account is first created, only email OTP is automatically enrolled using the email information from the user data. Other authentication methods can be directly enrolled by the user as needed.

There are two ways to register authentication methods (Enrollment).

• Register from Authentication Settings: User Portal > Profile > Authentication settings, click the + Add New button at the bottom to register.
• Select verification method screen registration: first authentication at login, second authentication at Select verification method screen, select the authentication method with a gray check mark (V) and register.

First login

Password Reset

If the user logs in for the first time, they can log in after resetting the password.

If you want to reset your password, follow the steps below.

1. Login screen > Account ID input field, enter the ID, and click the Next button.
2. Click reset password under the Next button.

Consent for collection/use of personal information

When logging in for the first time or during a certain period, SingleID requires consent for the collection/use of personal information. According to the consent procedure, select the required, optional items and agree.

Required items must be selected to log in.

Password Authentication

Password is the most basic authentication method as the default authentication tool of SingleID.

Enter password

Follow the steps below to log in using your user ID.

1. Login screen > Account ID input field, enter ID, and click the Next button.
2. Password input field, enter the password, and click the Next button to log in.

Email OTP Authentication

Authenticate

If you want to authenticate with email OTP, an OTP will be sent to the email registered by the user.

If you want to authenticate with email OTP, follow the steps below.

1. Click Email in the Identity Verification Selection method.
2. An OTP code will be sent to the registered email. Enter the OTP within the time set by the administrator (usually 3-5 minutes).
3. After entering the OTP, click the Confirm button, and the authentication will be completed.

SMS OTP authentication

Authenticate

If you want to authenticate with SMS OTP, an SMS OTP will be sent to the mobile registered by the user.

If you want to authenticate with email OTP, follow the steps below.

1. Click Email in the Identity Verification Selection method.
2. The OTP code will be sent to the registered mobile phone. Enter the OTP within the time set by the administrator (usually 3–5 minutes).
3. After entering, click the Confirm button, and the authentication will be completed.

Knox Messenger OTP authentication

Authenticate

Knox Messaenger OTP if you want to authenticate with OTP, the OTP will be sent to the Knox Messanger you are using.

To authenticate Knox Messenger OTP, follow the steps below.

1. In the Identity Verification Selection method, click Knox Messenger.
2. The OTP code is sent via the Knox Messenger you are using. Enter the OTP within the time set by the administrator (usually 3-5 minutes).
3. After entering, click the Confirm button, and the authentication will be completed.

Knox Identity Password Authentication

Authenticate

To authenticate with Knox Identity, you need to enter the Knox Identity password you are using.

If you want to authenticate with Knox Identity, follow the steps below.

1. In the Select Identity Verification method, click Knox Identity.
2. Enter the password for your own Knox account.
3. After entering, click the Confirm button, and the authentication will be completed.

SingleID Authenticator Authentication

SingleID service provides a mobile authentication app called SingleID Authenticator, and offers authentication in various ways.

Authentication method

Passkey authentication

SingleID service provides simple authentication and multi-factor authentication through a window-based Passkey.

Authentication Method

1. Simple authentication: Provides easy login without ID/Password through Sign in with Passkey at the bottom of the login page.
2. Multi-factor authentication: Provides easy login without needing ID/Password during secondary multi-factor authentication.

Authentication Types

• Mobile Passkey: Scan the QR code, and log in using Android and iOS mobile
• Security key: Log in using the Windows security key
• PIN: Login using Windows PIN code

Admin Authentication

Authenticate

In the SingleID service, the administrator provides authentication by delegating identity verification on behalf of the user.

If you want to perform administrator authentication, follow the steps below.

1. Identity verification selection method, if you cannot perform identity verification at the bottom of the screen, you can request verification from the administrator. Click here. Click.
2. On the administrator selection screen, select the administrator to delegate and click the Request button.
3. After clicking the Request button and requesting approval from the selected administrator, the authentication will be completed.

5.2.1.1.3 - Register authentication tool

Register authentication tool

All authentication tools should be registered and used by the user themselves as a principle.
Registering an authentication tool by a user is called enrollment.
When a user is created for the first time, only Email OTP is automatically registered using the email information from the user data.
The remaining information can be directly registered and used by the user as needed.

There are three ways to register.

1. Login screen > ID/Passwrod Enter > Identity verification method Register on the selection screen
   • On the identity verification method selection screen, if you click the authentication tool marked Registration Required (V mark), you can register.
2. User Portal(after login) > Profile > Authentication Settings > + Add New Click the button to register
3. Register through the registration message link at the bottom of all authentication screens
   • Below screen is an example of SMS verification screen. At the bottom, you can click the If you have changed your mobile phone, please register. message to register.
   • All authentication code entries can be changed via the message below(Message format: ~ please register.)

Example of authentication code input screen

Register Email Verification Tool

Email registration consists of the following three steps.

1. Verification Stage: It is the identity verification stage before registering the email authentication tool.
2. Registration stage: This is the step of registering a new email and checking whether the number is valid.
3. Completion Stage: This is the final step to confirm that the registration has been completed successfully.

Verification Stage

This is the step of identity verification before using the authentication tool. To view the identity verification process, refer to Login and Authenticate.

Registration Stage

It is the step of registering the email address the user wants to register and checking the email address’s validity.

The user proceeds as follows.

1. Confirm step, when you complete identity verification, you automatically move to the Register step.
2. Enter the email address you want to register.
3. Send verification code button을 클릭하세요.
4. Check the OTP code sent to the entered email address, and enter the OTP code on the screen.
5. If the verification code is entered correctly, it moves to the Complete stage.

Completion Stage

Registration completion screen will appear, and on the next login you can perform first and second authentication using the email verification tool.

Register SMS authentication tool

SMS registration consists of the following three steps.

1. Verification step: This is the identity verification step before registering the SMS authentication tool.
2. Registration Stage: This is the stage where you register a new mobile phone number and check whether the number is valid.
3. Completion Stage: This is the final step to confirm that the registration has been completed successfully.

Verification Stage

It is the step of verifying your identity before using the authentication tool. To view the identity verification process, refer to Login and Authentication.

Confirm stage can only be authenticated using the authentication tool set by the administrator.

Registration Stage

It is the step of registering the mobile phone number the user wants to register and checking the validity of the mobile phone number.

The user proceeds as follows.

1. Verification stage, if you complete identity verification, you automatically move to the Registration stage.
2. Select the Country code, and enter the mobile phone number you want to register.
3. Click the Send verification code button.
4. Check the OTP code sent to the entered mobile phone number, and enter the OTP code on the screen.
5. If the verification code is entered correctly, it moves to the complete stage.

Completion Stage

Registration complete screen will appear, and on the next login you can perform first and second authentication using the SMS authentication tool.

Register Knox Messenger authentication tool

Knox Messenger registration consists of the following three steps.

1. Verification Stage: This is the verification stage before registering the Knox Messenger authentication tool.
2. Registration step: Enter the Knox ID to register. This is the step that checks whether the Knox ID to be registered is valid.
3. Completion Stage: This is the final verification stage confirming that the registration has been completed successfully.

Verification Stage

It is the step of identity verification before using the authentication tool. To view the identity verification process, refer to Login and Authentication.

In the verification stage, the authentication method to be used can only be authenticated using the authentication tool configured by the administrator.

Registration Stage

This is the step of registering the mobile phone number the user wants to register and checking the validity of the mobile phone number.

The user proceeds as follows.

1. Verification stage, if you complete identity verification, you automatically move to the Registration stage.
2. Enter the Knox ID to register.
3. Click the Send verification code button.
4. Check the OTP code sent to Knox Messenger of the entered Knox ID, and enter the OTP code on the screen.
5. If the authentication code is entered correctly, it moves to the complete stage.

Completion Stage

Registration complete screen appears, and on the next login you can perform first and second authentication using the Knox Messenger authentication tool.

Register Passkey authentication tool

SingleID Authenticator is an authentication tool provided to the SingleID service.

Passkey enrollment consists of the following three steps.

1. Verification stage: This is the identity verification stage before registering the Passkey authentication tool.
2. Registration Stage: Passkey registration stage.
3. Completion Stage: This is the final step to confirm that the registration has been completed successfully.

Confirmation Stage

This is the step to verify your identity before registering the authentication tool. To view the identity verification process, refer to Login and Authenticate.

Registration Stage

This is the step to check the mobile phone or PC environment you want to register a Passkey on.

Please complete the registration process in the four steps below.

1. Activation: This is a guide to the Passkey supported environment.
2. Confirm: Complete identity verification using an authentication method.
3. Registration: This is the Passkey registration step. Create on this device button click generates and registers a Passkey on the PC. Create on another device button click registers with a mobile phone or hardware security key.
4. Complete: Registration completed is the step to confirm that it has been completed. Click the Continue button.

Completion Stage

After the Passkey registration is completed, the Registration complete screen appears. During the next login, you can perform first and second factor authentication using the Windows Hello authentication tool.

SingleID Authenticator Register authentication tool

SingleID Authenticator is an authentication tool provided to the SingleID service.

SingleID Authenticator enrollment consists of the following four steps.

1. Verification Stage: It is the identity verification stage before registering the SingleID Authenticator authentication tool.
2. Installation Step: This is the user’s SingleID installation guide step.
3. Registration Stage: This is the step to register a new mobile app and for service registration.
4. Completion Stage: This is the final step to confirm that the registration has been completed successfully.

Verification Stage

Before using the authentication tool, this is the step of verifying your identity. To view the identity verification process, refer to Login and Authenticate.

Installation Steps

There are three main ways to install the SingleID mobile app.

• Recognize QR code on user mobile or search for “SinlgeID” on Google Play (for Android) or App Store (for iOS) to install SingleID Authenticator.
• How to install by entering your mobile phone number and using the download link via SMS
• How to install via manual download link Install the SingleID Authenticator app and click the Next button to proceed to the registration step.

Registration Stage

After installing the SingleID Authenticator mobile app on the mobile phone you want to register, please run SingleID Authenticator.

Please perform the registration process in the following three steps.

1. Service Registration: Click the ‘+’ at the top in the SingleID Authenticator app.
2. QR or authentication number input: Scan QR code or enter authentication code to register.
3. Service Registration Complete: Confirm Click the button to complete the registration.

Completion Stage

After registration is completed in SingleID Authenticator, the Registration Complete screen appears. At the next login, you can perform first and second factor authentication using the Windows Hello authentication tool.

5.2.1.1.4 - Sign up

Sign up

According to the company’s internal policy, users who are not employees, such as partners, subsidiaries, and customers, can create an account through separate membership registration.

Sign up through the login page link

This is a method of signing up through the sign up link on the login page.

On the login page, click “Sign up” at the bottom if you don’t have an account, join.

Agreement

To sign up, you need to agree to the terms and conditions.

Information Input

Follow the procedure below.

1. Please enter the email you want to register.
2. After entering the email, click the OTP transmission button, and the OTP code will be sent.
3. Enter the OTP code from the received email address and click the Confirm button.
4. If you enter the authentication code correctly, the sign-up button will be activated.
5. Sign up button을 클릭하세요.

Information Input

Enter various personal information required for membership.

Membership

After entering personal information and clicking the join button, the approval request will be completed. You can proceed to the next step after approval is completed. Once the administrator has completed the approval, you can log in through password reset.

Membership through invitation email

You can join through an invitation email from the administrator. By clicking the sign up button in the received email, you can sign up for membership.

The subsequent registration procedure is the same as membership registration through the login page link.

5.2.1.1.5 - Find ID and Reset Password

ID Find

If the user has forgotten their ID, click ID Find on the login screen.

Find ID using mobile phone number

The user can find their ID by entering their name and mobile phone number.

Follow the procedure below.

1. Mobile tab should be clicked.
2. Name을 입력하세요.
3. Last Name을 입력하세요.
4. Enter the country code and phone number.
5. Click the Send Authentication Code button.
6. On the authentication code input screen, enter the received authentication code and click the Confirm button.

Password Reset

Reset Password

If the user wants to reset their password, click Password Reset at the bottom of the login screen.

Perform self-authentication

To set a password, the user must first go through self-authentication. When the password reset button is clicked, a screen for selecting an authentication method according to the policy set by the administrator appears. For more information on authentication, please refer to Logging in and Authenticating.

Password Reset

Once the user completes the self-authentication, the user can move to the screen where they can set their new password.
The password must be set to match the password pattern and complexity set by the administrator as a policy. When the user enters the password, it is displayed in green if it meets the conditions, and in red if it does not. Set the password so that all items turn green.

Please follow the following procedure to reset your password.

1. Please enter a new password.
2. If the newly entered password does not meet any of the complexity and patterns set by the administrator, create a more complex password.
3. To prevent user input errors, please enter the same password as the one you entered again.
4. Click the Change Password button.

When the password setting is complete, clicking the Login with Password button will take you back to the login screen.

5.2.1.1.6 - Privacy Policy, Terms of Service, Service Desk

All screens have links to Personal Information Processing Policy and Terms of Use at the bottom left, so users can always check them.

Personal Information Processing Policy

A link to the Privacy Policy is provided at the bottom left of every screen, allowing users to view the privacy policy for SingleID services at any time.

To check the privacy policy, please follow the following procedure.

1. Click the Privacy Policy at the bottom left of the screen. You can view the latest version of the Privacy Policy.
2. When you want to check the previous version, you can select the desired version at the top and inquire about it.

Terms of Service

There is a link to Terms of Service at the bottom left of every screen, so users can always check the terms of service for SingleID services.

To check the terms of use, please follow the following procedure.

1. Click the Terms of Service at the bottom left of the screen. You can view the latest version of the Terms of Service.
2. When you want to check the previous version, you can select the desired version at the top and inquire about it.

Service Desk Information

If the user has any inquiries about SingleID, they can contact us using the Service Desk phone number and the representative email account at the bottom of the screen.

5.2.1.1.7 - PC SSO Agent

PC SSO Agent

SingleID PC SSO Agent provides integrated SSO authentication services in the Window Desktop environment.

SingleID PC SSO Agent provides the following features.

• Integration SSO and login/logout between internet browsers
• PC Device Authentication
• Check for installation of essential security software feature (SingleID administrator settings)

Check if PC SSO Agent is installed

If the administrator has set the policy to use the PC SSO Agent, SingleID automatically checks if the SingleID SSO Agent is installed on the user’s PC as follows:

1. After the user logs in to SingleID, check if the PC SSO Agent is installed automatically.
2. If the PC SSO Agent is installed on the user’s PC, it automatically moves to the next screen, and if not, it automatically moves to the installation guide screen.
3. If the automatic installation guide screen does not appear, click the Next button to install the PC SSO Agent.

Download PC SSO Agent

Click the Download button on the PC SSO Agent installation guide screen to download and install the PC SSO Agent program on your PC.

Installing PC SSO Agent

If you download and install the SingleID Agent.exe file on your PC, a ‘ID’ tray will be created in the right bottom tray of the PC as follows. If the PC SSO Agent is installed normally and SSO authentication is successful, you can check that it is working normally by right-clicking and clicking Status View.

Re-authentication attempt

After installing the PC SSO Agent, you can log in from the beginning again or click the Re-authentication button at the bottom of the screen below to try re-authentication using the Agent.

5.2.1.1.8 - My App

Recently used apps

When the user logs in to the User Portal, they can see the My Apps menu first. The left menu bar can be expanded or collapsed by clicking the arrow(→) icon at the bottom left.

When you click the My App menu, 3 sub-menus that are provided by default and cannot be modified will appear

• Recently used apps
• Bookmark
• basic app

Among them, clicking Recently Used Apps will display the apps that the user has recently used. Recently used apps can be displayed up to a maximum of 12.

Bookmark

In the My App menu, clicking the Bookmark menu displays the apps that the user has bookmarked. You can bookmark frequently used apps to use them conveniently.

You can add a bookmark by clicking the Bookmark button at the bottom right of the app card, and clicking it again will remove the bookmark. Up to 12 bookmarks are possible.

Add/Delete Bookmark

Click the Bookmark button at the bottom right of the app you want to add, and it will be added to the Bookmark. If you click again, the bookmark will be deleted.

Basic App

The basic app menu exposes all apps available to the logged-in user. When the user clicks on an app, it is authenticated with SSO and the app runs in a new browser. If a disabled app is clicked, a popup window appears indicating that it is disabled.

Add category

The user can click the Add Category button to create a category with the user’s desired category name and manage the app.

• Click the Add Category button, then enter the category name and click the Check button.
• After adding a category, the user can click the More button located to the right of the category to move, change, or delete the category.

If an app is included in a category and the category is deleted, the remaining apps will be moved to the Default App category.

5.2.1.1.9 - App Catalog

Using the App Catalog

When you click the App Catalog menu, by default, the list of apps that are Pending Approval is displayed.

The app catalog can be checked as a list of apps in three states

• Not in use: available for request
• Pending Approval: The request for use has been completed and is waiting for approval
• In use: The request for use has been approved and is in the state of being used

If there is no “request” button among unused apps, it is a case where the user cannot request it by themselves due to company policy. Please contact the administrator to use it.

Requesting App Usage

To request the use of an unused app, the user must click the Request button, enter the purpose of using the app, and then click the Request button.

The app usage approval process may vary depending on the administrator’s settings. By default, the list of approvers set by the administrator is displayed, and if there are multiple approvers, it is determined by the result of the first approval or rejection process.

When the app usage request is completed, you can check the request status in two menus.

• App Catalog > Pending Approval status can be checked from the status.
• App Usage Approval > My Request can be checked in detail.

You can check the details by clicking my request list and app, and in the waiting state for use approval, you can cancel the request through the Cancel Request button.

5.2.1.1.10 - Notification

Notification

If you click the notification menu, you can check the notification list. There are two types of notifications.

• Urgent: Tenant administrator urgently announces an urgent notification (e.g., system outage) that users can check before login regardless of the user’s login.
• General: All notifications that are not emergency alerts, which the user can see after logging in, can be checked in the Notifications menu.

When you click the Notification menu, by default the All status notification is set, so both urgent and regular notifications are displayed. If there are unread notifications, they are displayed as a number next to the notification menu, and because they are marked with a red dot in the list, unread notifications can be easily recognized. If you click this notification, you can view the details.

Approval Request

When you click the approval request menu, the administrator can view and cancel all users’ approval requests.

Approval requests consist of the Approval request list and Approval request queue tabs.

Approval Request List

There are several types of approval request statuses. You can easily filter and view them using the Approval Request, Approve, Reject, Cancel Submission buttons at the top. If you want detailed search, you can use detailed search in the search bar at the top right.

• Approval Request: Shows all approval request statuses.
• Approval: Shows all approved completed statuses.
• Rejection: Shows approval request items that have been rejected.
• Submission Cancellation: Shows approval request items where the approval has been cancelled.

The description of the approval request list items is as follows.

5.2.1.1.11 - Approval Request

Approval Request

The app usage approval menu provides two functions.

1. My Request Tab: A list of apps I’ve requested to use is displayed.
2. Approved List Tab: A list of app usage requests requested by me will be displayed.

Requesting App Usage

To request the use of an unused app, the user must click the request button, enter the purpose of using the app, and then click the request button. The app usage approval process may vary from company to company.

By default, the list of approvers set by the tenant administrator is displayed, and if there are multiple approvers, it is determined by the result of the first approval or rejection process.

When the app usage request is completed, you can check the request status in two menus.

• App Catalog > Pending Approval status can be checked from the status.
• Approval Request > My Request where you can check the details and perform additional tasks.

My Request

You can check the details by clicking the app in the My Request list, and when waiting for use approval, you can cancel the request through the Cancel Request button.

When the use approval is completed, the status item in my request list will be changed to Approved. By clicking approved apps in the list, you can check the details of the approved use.

Approval List

1. If you are an app usage approver, please click the Approved List tab.

   • If the user is in a state where approval for using the app is requested, you can see that the status item in the list is indicated as Pending Approval.

2. To check the details of the requested approval, click on the corresponding list.

3. After checking the details and leaving the approver’s opinion, clicking the approval button will approve the request so that the requester can use the app.

4. In the Approved List tab, you can see that the status item has been changed to Approved.

By clicking on the app in the list, you can also check the details of the history approved by the user as an approver.

5.2.1.1.12 - Personal Profile

Set up personal information

This is a menu for the user’s environment settings.

To set up your personal information, please follow the following procedure.

1. Click the personal profile > personal information settings on the top right corner of the screen.
2. You can check photos, names, emails, phone numbers, languages, and time zones.
3. Photo: Photo > Photo Click to change and upload the icon image you want to display.
4. Language: Korean or English, please select your desired language.
5. Language Time Zone: Please select the time zone where you are currently located. When you click the City Search button, a city search popup window appears. Search for the desired city in English and select it.
6. Click the Save button at the bottom of the screen to save.

Set up authentication

You can register the user’s authentication tool and set the preferred authentication tool.

To set up authentication, please follow the following procedure.

1. Click the Personal Profile > Authentication setting on the top right corner of the screen.
2. +Add new button is clicked to add the desired authentication tool.
3. Delete button to delete the authentication tool you do not want to use.
4. ☆ Click the icon to set your preferred authentication method.

Change password

In the authentication settings, you can change your password by clicking on the password change and going through the self-confirmation authentication process.

Check login history

You can check the user’s login history/environment.

To view the user’s login history/environment, please follow the following procedure.

1. Click Personal Profile > Login History/Environment at the top right corner of the screen.
2. Login History tab allows you to check the information of login time, location, country, city, IP address, OS type, browser type, detection, and result.
3. Login Environment tab, if there is a registered login environment, you can check the detailed contents, and if it is an environment that is no longer used, you can delete it through the ‘Delete’ button.

Log out

Click the photo icon located at the top right of the screen and click Logout.

When you click the Logout button, you will be logged out of all applications you visited through SingleID, and if PC SSO Agent is set up for integrated logout, you will also be logged out of the associated browser.

5.2.1.2 - Admin Portal

SingleID provides SSO (Single Sign-On) authentication service and account management (Identity Management) service needed to access various business systems in the company’s on-premise and cloud environments.

All authentication services and account management services of organizations using SingleID, as well as the establishment and configuration of security policies, are managed through the Admin Portal.

Users who can access the Admin Portal to configure and manage the system are called administrators, and through the Admin Portal’s management functions, they can integrate the organization’s business systems without restriction and define security policies to access each business system.

The administrative functions provided by the Admin Portal are as follows.

If you are using SingleID for the first time, you can set up the basic environment by configuring the functions in the following order.

• Register additional administrator (User registration)
• User synchronization through application integration (Application Registration)
• Management of synchronized users (User)
• Group composition (Group)
• Business application integration (Application registration)
• SMS Settings (SMS Service Settings
• Authenticator registration (Authenticator add)
• Login Policy Configuration (Login Policy)
• Authentication policy configuration (Authentication Policy)

The supported range and recommended specifications for the SingleID connection environment are as follows.

5.2.1.2.1 - Dashboard

Notifications are a feature that can deliver and share important alerts related to the use of SingleID to users.

Administrators can register and manage notifications through the notification menu. Administrators select the notification type (normal/urgent) based on the notification content and importance, and when they create a notification, users can receive the notification before login (urgent) or after login (normal/urgent).

The administrator can register and manage notifications to be delivered to users. There are two types of notifications, which are provided as distinguished below.

Notification

List

To check the notification list, access the menu as follows.

• Admin Portal > Dashboard > Notifications

Notification Registration

If you want to register a notification, follow the steps below.

1. Admin Portal > Dashboard > Notifications Please click the menu.
2. Register button, when clicked, you will be taken to the notification registration page.
3. Check the input items as below and select and enter the details in detail.
4. Click the Save button.
5. Check the notifications registered in the list.

Notification Edit

If you want to edit the notification, follow the steps below.

1. Admin Portal > Dashboard > Notifications Please click the menu.
2. Select the notification that needs editing, and click the Edit button at the bottom of the screen.
3. After editing the field you want to modify, click the Save button.
4. Check the edited notification in the list.

Delete Notification

If you want to delete the notification, follow the steps below.

1. Admin Portal > Dashboard > Notifications Click the menu.
2. Select the notification that needs to be deleted, and click the Delete button at the top right of the screen.
3. The notification delete popup appears.
4. Confirm If you click the button, the notification will be deleted.

Approval Request

When you click the approval request menu, the administrator can view and cancel all users’ approval requests.

The approval request consists of the Approval Request List and Approval Request Queue tabs.

Approval Request List

If you click the approval request list tab, you can view all approval request items.

There are four types of approval request statuses. You can easily filter and view them using the Approval Request, Approve, Reject, Cancel Submission buttons at the top. If you want a detailed search, you can use detailed search in the search bar at the top right.

• Approval Request: Shows all approval request statuses.
• Approval: Shows all completed approval statuses.
• Rejection: Shows approval request items that have been rejected.
• Submission Cancellation: Shows approval request items where the approval has been cancelled.

The description for the approval request list items is as follows.

Approval request lookup and cancellation

When you click the approval request list, the information of the corresponding approval request appears in a popup. Requests that have not yet been approved can be cancelled by the administrator using the Cancel Request button.

Approval Request Queue

Click the approval request queue tab to view all ongoing approval requests and delete them by selecting all or selecting individually. Through detailed search, if the requester has resigned or the approver is absent, the administrator can arbitrarily cancel (delete) the approval request.

Delete approval request

If you want to delete the approval request, follow the steps below.

1. check the left selection box of the list (v).
2. At the top of the list, the Delete button will be activated. Please click the Delete button.
3. Request Delete Popup appears. Click the Delete button.
4. The selected approval request in the list has been deleted.

Sign Up

When you click the sign-up menu, the list of sign-up requests appears.

Sign-up Request

When you click the sign-up request tab, the list of sign-up requests appears.

The status of approval requests has four types. You can easily filter and view them using the Approval Request, Approval, Rejection, Submission Cancel buttons at the top. If you want detailed search, you can use detailed search in the search bar at the top right.

• Approval Request: Shows all approval request statuses.
• Approval: Shows all completed approval statuses.
• Rejected: Shows approval request items that have been rejected.
• Submission Cancellation: Shows approval request items where the approval has been cancelled.

Sign-up Email Invitation

The sign-up email invitation is a method where the administrator sends an invitation email to the desired user via their email address for them to register.

If you want to send an invitation email, follow the steps below.

1. Dashboard > Sign Up > Sign Up Email Invitation Click the tab.
2. Click the Send Invitation Email button at the top right.
3. Invitation Email Sending Popup appears.
4. Enter the email address to invite in the email field, and click the Add button.
5. Select the group that will be automatically assigned when a recipient joins the group item. (If not set, the group will be unspecified)
6. Click the Invite button at the bottom right of the popup.
7. An invitation email will be sent to the email address you specified.

5.2.1.2.2 - Integration

Integration is a service that sets up and manages authentication services and account information for various applications.

In SCP SingleID, we support integration with new applications through customized authentication linkage and account distribution services, as well as the DIY (Do-It-Yourself) feature.

Through the integration menu, we provide integration management features such as Application, Identity Provider, Authenticator, MFA Service Provider.

Application

The application is a menu that registers and connects various applications to apply the authentication service of SCP SingleID.

The administrator can register/modify a new application through the application list screen, and can sort, search, and delete registered applications.

Application List

The administrator can select a registered application on the application list screen to edit/delete, sort, search, etc., and can navigate to a menu screen where a new application can be registered.

To check the application list, access the menu as follows.

• Admin Portal > Integration > Application

Application Registration

The administrator can register the application by clicking the Register button on the list screen.

Application registration is possible in two ways: Custom App Integration and Pre-Built App Integration.

To register an application, access the menu as follows.

• Admin Portal > Integration > Application > Register Button Click
• Custom App Integration or Pre-Built App Integration Select tab

Custom App Integration

Custom App Integration registration is a connection menu for authenticating the application you want to integrate and distributing accounts.

We provide three types of connection functions as follows.

When you want to register an application by linking authentication, you provide and select the type (SAML, OIDC) according to the standard authentication linkage method.

When registering an application by linking account distribution, we provide the standard online API method (SCIM).

To register the application Custom App Integration, follow the steps below.

1. Admin Portal > Integration > Application > Register Click button
2. Custom App Integration > Web Application(SAML) orWeb Application(OIDC) or Identity Provisioning(SCIM v2.0) select > Next click the button
3. Go to detailed settings

Through a screen consisting of six steps as follows, you can enter and configure the information required for integration and register the application.

Applications using standard protocols (SAML, OIDC, SCIM) can register information and set policies and attributes through a screen consisting of the following six steps.

1. General
2. SSO
3. Provisioning
4. Profile
5. Policy
6. Assignment

General

Enter the general application information by referring to the below.

SSO

On the SSO information input screen, enter Single Sign On configuration information.

Provisioning

The Provisioning menu is an account management function that can distribute user information to applications for synchronization. In SingleID, we provide methods based on global standard API specifications such as SCIM and REST.

On the Provisioning information input screen, enter the configuration information for account information distribution.

Profile

Enter the setting information for user/group for deployment on the profile information input screen.

After entering all items and clicking the Complete button, the basic application settings are completed. When you complete registering a new application, it will be added to the application list and new tabs called Policy, Assignment will be created.

Policy

You can set login policy and access control information for application policy configuration.

Allocation

Register information for assigning application users based on users and groups. This menu assigns access permissions by setting the users and groups that can access the registered application.

If you want to assign a user, follow the steps below.

1. If you click the application, you will be taken to the detailed page of that application.
2. Click the Assign tab and User tab > Assign button
3. User Assignment When the popup appears, select the user you want to assign, and click the Assign button.
4. Assignment tab shows the selected user in the list.

Pre-Built App Integration

Pre-Built App Integration menu provides a convenient way to quickly and easily connect the SaaS application you want to use, by pre-preparing necessary settings such as connection information, name, icon, so you can use it conveniently.

To integrate the application via Pre-Built App Integration, check the menu path below.

• Admin Portal > Integration > Application > Register > Pre-Built App Integration Click tab
• Application select > Next button click
• Go to detailed settings

Pre-Built App Integration menu, like the Custom App Integration menu, can register an application by entering and configuring the necessary integration information through a screen consisting of six steps as follows.

The input items and methods for each step are the same, except for the information that has been predefined and entered for Pre-Built.

1. General
2. SSO
3. Provisioning
4. Profile
5. Policy
6. Assignment

General

Enter the general application information by referring to the below.

SSO

Enter Single Sign On setting information on the SSO information input screen.

Provisioning

The Provisioning menu is an account management function that can distribute user information to applications for synchronization. In SingleID, we provide methods based on global standard API specifications such as SCIM and REST.

Enter the configuration information for account information distribution on the Provisioning information input screen.

Profile

Enter the user/group configuration information for deployment on the profile information input screen.

After entering all items and clicking the Complete button, the basic application settings are completed. When you complete registering a new application, it is added to the application list and new tabs called Policy, Assignment are created.

Policy

You can set login policies and access control information for application policy settings.

Assignment Settings

Register information for assigning application users based on User and Group. This menu assigns access permissions by setting users and groups that can access the registered application.

To assign a user, follow the steps below.

1. When you click the application, you will be taken to the detailed page of that application.
2. Click the Assign tab and the User tab > Assign button.
3. User Assignment When the popup appears, select the user you want to assign, and click the Assign button.
4. Assignment tab shows the selected user in the list.

Application Modification

You can modify the settings by clicking the application on the list screen.

If you want to modify the application, follow the steps below.

1. Admin Portal > Integration > Select Application > Edit Click the button.
2. Click the General, SSO, Provisioning, Policy, Assignment, Permission Items, Rebranding tab to edit the items.
3. Save button을 클릭하세요.

Permission Items

The permissions tab provides synchronization integration with the application’s permissions.

If you want to set permissions, follow the steps below.

1. If you click the application, you will be taken to the detailed page of that application.
2. Click the Assignment tab and the Permission Items tab > click the Register button.
3. Permission item When the popup window appears, it is necessary to register the permission item.
4. Enter Permission, key, display name, content and click Save to register the permission.

Rebranding

When registering in the application, an additional rebranding tab that does not appear is created. The application’s rebranding includes rebranding functionality for the login page when accessing a separate application.

The included rebranding features are as follows.

• Favicon : The favicon can be edited in the browser.
• Header logo: The header logo on the login screen can be changed to the logo you want.
• Key visual image: The key image set by default on the login page can be modified.
• Sign-up page redirection: Registration can be done on a separate operating sign-up page instead of SingleID’s sign-up page.
• Privacy Policy Redirection: You can register the privacy policy URL used in the existing application.
• Terms of Service redirection: You can register the Terms of Service URL used in the existing application.

UI

By clicking the application on the list screen, and clicking the edit button on the rebranding tab, you can configure application-specific UI rebranding.

Favicon Change

Favicon changes in the application can be set according to the characteristics of the corporate application.

If you want to edit the favicon, follow the steps below.

1. Admin Portal > Integration > Select Application > UI > Edit Click the button.
2. Favicon select custom in the Favicon item.
3. Favicon image (pencil shape) Click the item, then click the favicon image.
4. Upload an icon file or enter the icon image URL.
5. Save button, click it and verify through the preview screen that the upload was successful. 6.Korean page Enter the title in Korean.
6. English page Enter in English in the title.
7. If the input is completed, check through the right preview whether it was entered correctly.
8. Click the Publish button at the lower right corner.

Header Logo Change

In the application, separate header logo changes can be configured to suit the characteristics of the corporate application.

If you want to edit the header logo, follow the steps below.

1. Admin Portal > Integration > Select Application > UI > Edit Click the button.
2. Header Logo Select custom in the item.
3. Text logo and image logo can be selected and set.
4. Enter the Korean Redirect URL and the English Redirect URL.
5. If the input is completed, check through the right preview whether it was entered correctly.
6. Click the Publish button at the lower right corner.

Key Visual Change

In the application, separate key visual changes can be configured to suit the characteristics of the corporate application.

If you want to edit the key visual, follow the steps below.

1. Admin Portal > Integration > Application Selection > UI > Edit button, click it.
2. Key Visual Select Custom in the item.
3. Click to use a single key visual for all languages and language-specific key visuals.
4. If the image upload is complete, check through the right preview to see if it was entered correctly.
5. Click the Publish button at the lower right.

Redirect

By clicking the application on the list screen, then clicking the edit button in the Rebranding tab, you can configure application-specific rebranding for redirection.

Application Deletion

From the application list screen, select the application, deactivate it, then return to the list screen and you can delete it from the three‑dot menu. To register again, click the Add button to register.

Identity Provider

This is a menu for registering and managing IdPs that provide authentication services and credentials to SCP SingleID. At this time, SCP SingleID acts as a Service Provider and receives authentication services from the IdP.

Identity Provider List

On the list screen, you can select a registered Identity Provider to edit/delete, sort, search, etc., and you can navigate to a menu screen where you can register a new Identity Provider.

To view the Identity Provider list, you can access the following menu.

• Admin Portal > Integration > Identity Provider

Identity Provider Registration

You can register by clicking Register at the top of the Identity Provider list screen.

To register Identity Provider, follow the steps below.

1. Admin Portal > Integration > Identity Provider > Register Click button
2. Custom App Integration > Web Application(SAML) or Web Application(OIDC) select > next click the button
3. Go to detailed settings

Identity Provider can be registered by entering and setting the information required for integration through a three-step screen as follows.

• General
• SSO
• JIT Provisioning

General

Enter general information for IdP (Identity Provider).

SSO

Enter Single Sign On configuration information on the SSO information input screen.

When integrating with Web Application (OIDC)

JIT provisioning

Identity Provider’s JIT provisioning feature tab has been added. This feature synchronizes accounts in real time when user changes occur. You can set items when synchronizing accounts in real time.

After entering all items and clicking the Complete button, the basic application settings are completed.

Identity Provider Edit

If you click the Identity Provider in the list screen, you can modify the settings.

If you want to modify the Identity Provider, follow the steps below.

1. Admin Portal > Integration > Identity Provider Select > Edit Click the button.
2. Click the General, SSO, Provisioning, Policy, Assignment tab to edit the items you want to modify.
3. Save button을 클릭하세요.

Identity Provider Delete

On the Identity Provider list screen, after selecting an Identity Provider and disabling it, you can return to the list screen and delete it from the three‑dot menu. To register again, click the Add button to register.

Authenticator

Configure by integrating the Authenticator provided by SCP SingleID. By default, password and Email are set to active state.

The Authenticator that is additionally configured and provided is as follows.

• Knox Messenger: OTP can be sent via Knox Messenger.
• PC SSO Agent: SingleID: Provides SSO with Agentless, but uses SSO Agent for multi-browser SSO functionality,
• SingleID Authenticator: It is a SingleID dedicated authentication mobile app that supports biometrics (fingerprint, facial), PIN, mOTP, TOTP.
• SMS: OTP can be sent via mobile SMS.

• Active Directory: Performs authentication with an AD account.
• Passkey: Mobile Passkey, security key, a convenient authentication method that allows easy login with Windows biometric/PIN code.

Authenticator List

We support all authenticators of the six available types.

If you want to check the Authenticator, please check at the following path.

• Admin Portal > Integration > Authenticator

Authenticator Add

When you click Register on the Authenticator list screen, it moves to the next screen and switches to a screen where you can add an Authenticator.

Authenticator를 추가하시려면, 다음의 절차를 따르세요. -> If you want to add an Authenticator, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. each authentication methodto select > Next Click the button.
3. Enter the information required for authentication settings.
4. Click the Save button.

Authenticator Edit

On the Authenticator list screen, after selecting an Authenticator and clicking edit, it switches to a screen where you can edit.

If you want to modify the Authenticator, follow the steps below.

1. Admin Portal > Integration > Authentictor > Edit button click
2. Edit each item and click the Edit button to complete the modification.

Authenticator Delete

On the Authenticator list screen, select the Authenticator, deactivate it, then return to the list screen and you can delete it from the three‑dot menu. If you want to register again, click the Add button to register.

MFA Service Provider

MFA Service Provider menu provides a service that enhances user convenience by meeting the security requirements required by companies through multi-factor authentication, applying stronger authentication technologies along with biometric and simple authentication technologies.

MFA Service Provider List

To check the MFA Service Provider list, you can access the following menu.

• Admin Portal > Integration > MFA Service Provider

MFA Service Provider Registration

To register the MFA Service Provider, follow the steps below.

1. Admin Portal > Integration > MFA Service Provider > Register button click
2. ADFS Federated Application or Custom Application or Network Equipment select > next button click

You can register an MFA Service Provider by entering and configuring the information required for MFA Service Provider integration through a three-step screen as follows.

• General
• MFA integration
• [Person in charge](#person in charge)

General

MFA Service Provider Enter general information.

MFA integration

Enter MFA integration information.

Person in charge

Select and register the person in charge of the newly registered MFA Service Provider.

Click the Complete button to complete the registration.

MFA Service Provider Edit

On the MFA Service Provider list screen, after selecting the Authenticator and clicking edit, it switches to a screen where you can modify.

If you want to modify the MFA Service Provider, follow the steps below.

1. Admin Portal > Integration > MFA Service Provider > Edit Click the button.
2. Modify each item and click the Edit button to complete the modification.

MFA Service Provider Delete

MFA Service Provider list screen, select the MFA Service Provider, deactivate it, then return to the list screen and you can delete it from the three‑dot menu. To register again, click the Add button to register.

5.2.1.2.3 - Identity Store

The Identity Store provides a feature to manage users and groups registered in an organization.

There are several cases where users or groups are registered in an organization, such as being provisioned through registered applications or being directly registered by administrators. The Identity Store integrates users and groups registered in various ways, allowing them to be searched and providing various management functions for administrators to configure detailed settings for each user or group. Administrators can manage all users and groups registered in the organization through the Identity Store.

Users

Tenant administrators can use the features provided in the user menu to search and modify all users registered in the organization, delete users, or directly register new users.

Additionally, administrators can change a user’s group membership or assign usage permissions to allow users to use applications.

Users are registered in SingleID in the following ways:

• Registered through account synchronization (Inbound Provisioning) from an application
• Registered through Just-In-Time (JIT) provisioning from an Identity Provider
• Registered from an MFA Service Provider
• Manually registered by an administrator Administrators can manage registered users in a unified manner using the user menu.

To access the user menu, go to the following menu:

• Admin Portal > Identity Store > User

User List

You can view and search all users registered in SingleID in a list format.

User Registration

The tenant administrator can register users manually on the screen without going through account synchronization.

To register a user, follow the procedure below.

• Click the Admin Portal > Identity Store > User > Register button

The user can input and register information through a 3-step screen as follows:

1. Profile
2. User Group
3. Summary

Profile

In the profile screen, enter the user’s basic profile information. The fields to be entered are as follows.

Click the Next button to move to the User Group screen.

User Group

In the User Group screen, specify the group to be registered for the user. The entire group that can be assigned to the user is displayed on the left side of the screen. Select the group to be assigned to the user and click the > button to move to the assigned group.

To cancel group assignment, select the group to be canceled in the assigned group and click the < button. Click the Next button to move to the Summary screen.

Summary

1. On the summary screen, confirm the registered information and register the user.
2. If you want to modify the entered information, click the Back button to return to the screen you want to modify.
3. To cancel the registration, click the Cancel button.
4. Clicking the Complete and Add Registration button registers the user and returns to the profile screen to register a new user.
5. Clicking the Complete button registers the user and moves to the detailed information screen of the registered user.

User Modification

To modify a user, follow the procedure below.

1. Click the user you want to modify in Admin Portal > Identity Store > User.
2. Profile, Group, Application, Multi-factor Authentication (MFA) method, Device, Active Session will be displayed.
3. Click the Modify button at the bottom and modify the data you want to change.
4. Click the Save button.

Changing the User’s Status

The status of users managed by SingleID is as follows.

The tenant administrator can change the user’s status according to the user’s current status as follows.

The button to change the user’s status is exposed as follows in the list and detail screens.

• When one or more active or inactive users are selected in the list screen
• When moving to the detail screen of an active or inactive user

Password Reset

The tenant administrator can reset a user’s password. When the tenant administrator resets a user’s password, a guidance email is sent to the user.

Group

The tenant administrator can view the groups to which a user belongs and add or delete group memberships.

To manage a user’s group, click the Group tab on the details screen.

Delete Group

To delete a group assigned to a user, follow these steps:

1. Select the group to be deleted from the list of assigned groups. (Check the checkbox to the left of the group name)
2. Click the < button to delete the assigned group.

Assign Group

To assign a new group to a user, follow these steps:

1. Select the Group to be newly assigned from the list of all groups. (Check the checkbox to the left of the group name)
2. Click the > button to assign the group.

Application

The tenant administrator can view the applications that users can use, add or delete applications. To manage a user’s application, click the Application tab on the detailed screen.

Deleting an Application

To delete an application assigned to a user, follow these steps:

Select the application to be deleted from the assigned application list. (Check the checkbox to the left of the application name) Click the Unassign button displayed above the application list. Click the Confirm button in the confirmation popup.

Application Assignment

To assign a new application to a user, follow these steps:

1. Click the Assign button located at the top right of the application list.
2. In the Application Assignment popup, select the application (check the checkbox to the left of the application name).
3. Click the Assign button.
4. If you have assigned all applications, click the Cancel button to close the popup.

Multi-Factor Authentication (MFA) Method Inquiry and Management

The tenant administrator can view the multi-factor authentication method registered by the user and modify or delete some of the registration information.

To manage a user’s multi-factor authentication (MFA) method, click the Multi-Factor Authentication (MFA) Method tab on the detailed screen.

Modifying Multi-Factor Authentication (MFA) Method

To modify the MFA method registered by the user, follow the procedure below.

1. Click the Modify button at the bottom right of the screen.
2. Click the Registration Information column of the MFA list you want to modify.
3. After modifying the information, click the Save button at the bottom right of the screen.

Deleting Multi-Factor Authentication (MFA) Method

To delete the MFA method registered by the user, follow the procedure below.

1. Click the Modify button at the bottom right of the screen.
2. Click the Delete button to the right of the MFA method you want to delete.
3. Click the Confirm button in the warning popup.
4. Click the Save button at the bottom right of the screen.

Viewing User Device Information

The administrator can view the device information added when the user registers the MFA method.

To view the user’s device information, click the Device tab in the detailed screen.

Active Sessions

When a user logs in to SingleID, SingleID manages the session information of the logged-in user.

The tenant administrator can view the user’s current active session and manage it to force the session to end and log out the user.

To manage a user’s session, click the Active Sessions tab on the detailed screen.

Session Forced Termination

To forcibly terminate a user’s session, follow these steps:

1. Click the Terminate button located at the top right of the session you want to terminate.
2. In the Terminate Confirmation popup, click the Terminate button.

Forcible Termination of Multiple Sessions

If you want to terminate multiple sessions simultaneously, follow these steps:

1. Select the sessions you want to terminate in the list and check the checkbox (V) displayed on the left side of the session information.
2. Click the Terminate button displayed at the top of the list.
3. In the Terminate Confirmation popup, click the Terminate button.

User Deletion

The tenant administrator can delete user information from SingleID.

The delete user button is exposed in both the list and detail screens as follows:

• When one or more users are selected in the list screen

1. After selecting a user, click the Delete button to display a Confirmation popup on the screen.
2. To delete a user, confirm the user’s information and enter the user’s ID, then click the Delete button.
3. When multiple users are selected and the Delete button is clicked, the following Confirmation popup is displayed on the screen.
4. To delete the selected users, use the <, > buttons to confirm all users’ information, enter Delete All, and then click the Delete button.
   Notice

   You must confirm all user information and enter Delete All to activate the delete button.

   If you have moved to the user details screen

   1. If the administrator wants to delete a user, a confirmation popup will be displayed.
   2. To delete a user, check the user’s information, enter the user’s ID, and click the Delete button.

Group

The administrator can use the functions provided in the Group menu to view and modify all groups registered in the organization, delete groups, or register new groups.

You can also change the group membership rules or assign usage permissions to group members so that they can use applications.

Groups are registered in SingleID in the following ways:

• Registered through inbound provisioning from an application (Application)
• Manually registered by the administrator (Create Group) The tenant administrator can manage registered groups in various ways using the group menu.

To access the group menu, move as follows:

• Admin Portal > Identity Store > Group

Group List

The tenant administrator can view and search all groups registered in the organization in a list format.

Create Group

The administrator can manually register a group on the screen without going through inbound provisioning.

1. To manually register a group, click the Register button on the group list screen.
2. When you click the Register button, the group registration popup is displayed on the screen.

The fields that must be entered for group registration are as follows:

3. Complete button is clicked, the group is registered and moves to the detailed information screen of the registered group.

Detailed Information Inquiry and Modification

The administrator can move to the group’s detailed information inquiry screen by clicking the Group in the group list.

If a new group is registered, it will also move to the group’s detailed screen immediately after registration.

At the top of the group detail screen, the group name, description, and management entity information are displayed, and below that, the group information is composed of multiple tabs.

The tenant administrator can confirm the detailed information of the registered group through the Group Profile tab.

To modify the group’s detailed information, follow the procedure below.

1. In the group detail screen, select the Profile tab.
2. Click the Edit button.
3. Modify the Group Information.

The fields that can be modified are as follows.

4. Click the Save button.
5. To return to the inquiry state without saving the modified information, click the Cancel button.

Group Membership Rule Management

The administrator can set rules to automatically configure users who meet certain conditions as group members.

When a group rule is set, the tenant administrator does not need to manually manage members, and the group members are automatically configured and added or deleted according to the set condition.

To manage group membership rules, click the Rules tab on the detailed screen.

To set a group rule, follow the procedure below.

1. Select the Rules tab on the group detailed screen.
2. Click the Edit button.
3. Click the On button for the membership policy setting.
4. Set the condition in the WHEN section.
5. Click the Save button.
6. To return to the inquiry state without saving the set rule, click the Cancel button.

The user’s attributes that can be set in the condition item are as follows.