Security

• 1: Key Management Service
• 1.1: Overview
• 1.2: How-to guides
• 1.2.1: Encryption Example Using Key Management Service Keys
• 1.2.2: Platform-managed Key
• 1.3: API Reference
• 1.4: CLI Reference
• 1.5: Release Note
• 2: Config Inspection
• 2.1: Overview
• 2.1.1: Checklist
• 2.2: How-to guides
• 2.2.1: Check Dashboard
• 2.2.2: Manage Diagnosis Results
• 2.2.3: Pre-configuration
• 2.3: Release Note
• 3: Certificate Manager
• 3.1: Overview
• 3.2: How-to guides
• 3.2.1: Extract Certificate Chain
• 3.3: API Reference
• 3.4: CLI Reference
• 3.5: Release Note
• 4: Secret Vault
• 4.1: Overview
• 4.2: How-to guides
• 4.3: API Reference
• 4.4: CLI Reference
• 4.5: Release Note
• 5: SingleID
• 5.1: Overview
• 5.2: How-to guides
• 5.2.1: SingleID Manuals
• 5.2.1.1: User Portal
• 5.2.1.1.1: Announcements and Language Settings
• 5.2.1.1.2: Log in using an authentication method
• 5.2.1.1.3: Register authentication tool
• 5.2.1.1.4: Sign Up
• 5.2.1.1.5: Find ID and Reset Password
• 5.2.1.1.6: Privacy Policy, Terms of Service, Service Desk
• 5.2.1.1.7: PC SSO Agent
• 5.2.1.1.8: My App
• 5.2.1.1.9: App Catalog
• 5.2.1.1.10: Notification
• 5.2.1.1.11: Approval Request
• 5.2.1.1.12: Personal Profile
• 5.2.1.2: Admin Portal
• 5.2.1.2.1: Dashboard
• 5.2.1.2.2: Integration
• 5.2.1.2.3: Identity Store
• 5.2.1.2.4: Policy
• 5.2.1.2.5: Terms and Conditions
• 5.2.1.2.6: Settings
• 5.2.1.2.7: Monitoring
• 5.2.1.2.8: Open Source licence
• 5.2.1.3: MFA Portal
• 5.2.1.3.1: Log in using an authentication method
• 5.2.1.3.2: Register authentication tool
• 5.2.1.3.3: policy
• 5.2.1.3.4: Configure Privacy Settings
• 5.2.1.3.5: Settings
• 5.2.1.4: CAM Portal
• 5.2.1.4.1: Getting Started
• 5.2.1.4.2: Home
• 5.2.1.4.3: Console Access
• 5.2.1.4.4: Resource Access
• 5.2.1.4.5: Monitoring
• 5.2.1.4.6: Configuration
• 5.2.1.5: SingleID Authenticator Manual Overview
• 5.2.1.5.1: Install App
• 5.2.1.5.2: User Authentication
• 5.2.1.5.3: Manage Authentication Method
• 5.2.1.5.4: Manage Service List
• 5.2.1.5.5: Open Source Licence(Android)
• 5.2.1.5.6: Open Source Licence(ISO)
• 5.2.1.6: Open API guides
• 5.2.1.6.1: ADFS Adapter Guide
• 5.2.1.6.2: Adapter Configuration Guide
• 5.3: Release Note
• 6: WAF
• 6.1: Overview
• 6.2: How-to guides
• 6.2.1: WAF Preparation
• 6.2.2: WAF Service Application
• 6.2.3: WAF Service Outage Response
• 6.3: Release Note
• 7: WAF
• 7.1: Overview
• 7.2: How-to guides
• 7.3: Release Note
• 8: WAF
• 8.1: Overview
• 8.2: How-to guides
• 8.2.1: WAF Build Process Guide
• 8.3: Release Note
• 9: DDoS Protection
• 9.1: Overview
• 9.2: How-to guides
• 9.3: Release Note
• 10: DDoS Protection
• 10.1: Overview
• 10.2: How-to guides
• 10.3: Release Note
• 11: IPS
• 11.1: Overview
• 11.2: How-to guides
• 11.3: Release Note
• 12: Secured Firewall
• 12.1: Overview
• 12.2: How-to guides
• 12.3: Release Note
• 13: Secured VPN
• 13.1: Overview
• 13.2: How-to guides
• 13.2.1: Secured VPN Build Process Guide
• 13.3: Release Note
• 14: FPMS
• 14.1: Overview
• 14.2: How-to guides
• 14.3: Release Note
• 15: Secrets Manager
• 15.1: Overview
• 15.2: How-to guides
• 15.2.1: Secret Retrieval API Reference
• 15.3: Release Note
• 16: DDoS Protection
• 16.1: Overview
• 16.2: How-to guides
• 16.2.1: DDoS Protection Preparation
• 16.2.2: DDoS Protection Service Application
• 16.2.3: DDoS Protection Service Outage Response
• 16.3: Release Note
• 17: Log Transmission
• 17.1: Overview
• 17.2: How-to guides
• 17.3: Release Note
• 18: ESS(Endpoint Security Suite)
• 18.1: Overview
• 18.2: How-to guides
• 18.3: Release Note
• 19: Log Transmission
• 19.1: Overview
• 19.2: How-to guides
• 19.3: Release Note

1 - Key Management Service

1.1 - Overview

Service Overview

Key Management Service(KMS) is a service that easily creates encryption keys and securely stores/manages them to safely protect an application’s critical data. The user encrypts and decrypts data using an encryption key, and the encryption key is reliably managed through a centrally managed hierarchical encryption key system.

Provided Features

Key Management Service provides the following features.

• Key Management: KMS can create, delete, and manage customer-managed keys. * The user directly generates a data key that encrypts data using the master key created by KMS.
• Key Permission Management: You can control and manage usage permissions for master keys based on custom policy.
• Key Lifecycle Management: Through key rotation, you can generate new encrypted data for the master key without creating a new key, and the key rotation interval can be set according to customer policy. * Through lifecycle management, encryption keys that are no longer used are deactivated or deleted, ensuring data is safely protected from cryptographic threats.
• Platform-managed key: When another product within the Samsung Cloud Platform uses a KMS key for encryption, the CSP (Cloud Service Provider) creates a platform-managed key and performs encryption, so the user does not need to generate a key directly in KMS.

Component

Master key

The master key is used to generate data keys for encrypting data, and depending on the purpose, you can generate symmetric key (encryption/decryption (AES), generation/verification (HMAC)) and asymmetric key (encryption/decryption and signing/verification (RSA), signing/verification (ECDSA)) respectively. Proper master key management encrypts data keys, allowing you to protect frequently used data keys during operation.

• The master key is a key generated through the creation of a KMS product service in the Samsung Cloud Platform Console.

Data key

The data key is used to encrypt the actual data and is generated for each target service that performs encryption. Thus, even if a single data key is compromised, it does not affect services encrypted with other data keys.

HSM (hardware security module)

Stores the root key of the KMS system domain. The master key is generated using the root key stored in an HSM (Hardware Security Module) that complies with the FIPS 140-2 Lv3 standard, and is securely distributed and stored in the KMS for protection.

Constraints

The Key Management Service of Samsung Cloud Platform limits the number of key creations and rotations as follows.

Preceding Service

Key Management Service has no prerequisite service.

1.2 - How-to guides

Users can create the service by entering the required information for the Key Management Service through the Samsung Cloud Platform Console and selecting detailed options.

Create a customer-managed key

You can create and use a customer-managed key in the Samsung Cloud Platform Console.

To create a customer-managed key, follow these steps.

1. All Services > Security > Key Management ServiceClick the menu. 1. Go to the Service Home page of Key Management Service.

2. On the Service Home page, click the Create Customer Managed Key button. 2. Navigate to the Customer Managed Key Creation page.

3. On the Customer Managed Key Creation page, enter the information required to create a service and provide additional details.

   • Enter or select the required information in the Service Information Input area.

     Category	Required	Detailed description
     key name	Required	Enter key name
     Public authentication algorithm	Selection	When Use is selected, you can generate encryption keys that meet public encryption standards The public authentication algorithm option is available only in the KR SOUTH region The public authentication algorithm provides the ARIA algorithm, which has passed security verification through Korea’s cryptographic module certification system
     Purpose	Required	Select the key purpose and encryption method If you do not select the public authentication algorithm, choose among encryption/decryption (AES-256), encryption/decryption and signing/verification (RSA-2048), signing/verification (ECDSA), and generation/verification (HMAC)
     Auto rotation	Selection	Select whether to enable automatic key rotation If you select Use, the internal algorithm of the generated key is converted to a different value and applied at each configured rotation interval The rotation interval can be set to a value between 1 and 730 days. If no rotation interval is entered, it defaults to 90 days automatically
     Explanation	Selection	Enter additional information for the key

     Table. Customer-managed key service information input items
   • In the Additional Information Input area, enter or select the required information.

     Category	required status	Detailed description
     tag	Selection	Add Tag Up to 50 per resource can be added Add Tag After clicking the Add Tag button, enter or select Key, Value values

     Table. Customer-managed key additional information input fields

4. Summary Check the detailed information and estimated charges generated in the panel, and click the Create button.

   • When creation is complete, check the created resources on the Customer Managed Key List page.

Check detailed information of customer-managed key

You can view and edit the complete list of resources and detailed information for customer-managed keys. Customer Managed Key Details page is composed of Details, Tags, Activity Log tabs.

To view detailed information about the Key Management Service, follow these steps.

1. Click the All Services > Security > Key Management Service menu. 1. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. 2. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view detailed information. 3. Navigate to the Customer Managed Key Details page.
   • Customer Managed Key Details page displays status information and descriptions of additional features at the top.

     Category	Detailed description
     status	Indicates the status of a customer-managed key Active: available/activated Stop: stopped/disabled To be terminated: scheduled for deletion Creating: creating/creation error (immediate retry possible)
     key rotation	Button to manually rotate the generated key
     Key Deactivation	Button to deactivate the generated key
     Service cancellation	Terminate service button When the status is To be terminated, display Cancel termination button

     Table. Customer-managed key status information and additional features

Detailed Information

On the Customer Managed Key List page, you can view detailed information of the selected resource and, if necessary, edit the information.

Tag

Customer Managed Key List page allows you to view the tag information of the selected resource, and you can add, modify, or delete it.

Job History

You can view the operation history of the selected resource on the Customer Managed Key List page.

Managing Customer-Managed Keys

You can create a new version of a registered key or change its usage status.

Configure customer-managed key rotation

Key rotation is a function that converts the internal algorithm of a generated key to a different value.

To create a new version of a customer-managed key (key rotation), follow these steps.

1. Click the All Services > Security > Key Management Service menu. 1. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. 2. Navigate to the Customer Managed Key List page.
3. Customer Managed Key List page, click the resource to view detailed information. 3. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Key Rotation button. 4. Key Rotation Go to the notification window.
5. In the Key Rotation notification window, click the Confirm button.

Configure Customer-Managed Key Activation

You can configure the usage of the selected key.

To set the activation/deactivation status of a customer-managed key you created, follow these steps.

1. Click the All Services > Security > Key Management Service menu. 1. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. 2. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view its details. 3. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Key Activation/Key Deactivation button. 4. Key activation/Key deactivation Navigate to the notification dialog.
5. In the Key activation/key deactivation notification window, click the OK button.

Encryption case using Key Management Service

The following is an example procedure for encrypting and storing important data of a user application by obtaining a data key from KMS.

1. When the application starts, it obtains a data key using the KMS master key information, then performs and stores secure data encryption on the client side with the plaintext data key.
2. The data key is stored in the database in an encrypted form using the master key.
3. When performing secure data decryption, the data key stored in the database is retrieved and a decryption request is made using the KMS master key information.

The encryption/decryption process using the Key Management Service key is explained with the following diagram.

Encryption

Decryption

Terminate customer-managed key

You can revoke customer-managed keys that are not in use.

To cancel a customer-managed key, follow these steps.

1. Click the All Services > Security > Key Management Service menu. 1. Go to the Service Home page of Key Management Service.
2. On the Service Home page, click the Customer Managed Key menu. 2. Navigate to the Customer Managed Key List page.
3. On the Customer Managed Key List page, click the resource to view its details. 3. Navigate to the Customer Managed Key Details page.
4. On the Customer Managed Key Details page, click the Terminate Service button. 4. Navigate to the Service Cancellation alert window.
5. In the Service termination alert window, select Immediate termination/Scheduled termination, verify the details, and click the Confirm button.
6. When termination is complete, verify on the Customer Managed Key List page whether the resource has been terminated.
   • When the key deletion is complete, a notification is sent to both the user who created the key and the user who deleted it.

1.2.1 - Encryption Example Using Key Management Service Keys

Encryption example using Key Management Service keys

This is a Java code example for implementing envelope encryption and data signing/verification using a key generated in KMS.

Envelope encryption

It presents an envelope encryption scenario, and you can review the Java, Go, and Python example code and their output generated according to the scenario.

Scenario

1. To encrypt password information using the envelope encryption method, a Data Key is issued.
2. Encrypt the password using the issued Data Key information.
3. Encrypt the password and encrypted Data Key information using envelope encryption and store them in a JSON file.

Java example code

This is a Java example code written according to the provided scenario.

// URI
static String KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }};
// END POINT
static String KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s";
static String KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s";
// KEY ID
static String KEY_ID = {{마스터 키 ID}};

createEnvelop() {
    // 새로운 데이터 키 생성을 요청
    String encryptedDataKey = getDataKey();
    // 암호화를 할 데이터
    String example_json_data = "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}";
    // 암호화된 데이터 봉투(Envelop encryption)
    String envelope = encryptData(example_json_data, encryptedDataKey);
    // 이 예제 코드에서는 암호화된 데이터 봉투를 파일로 저장
    File envelopeFile = new File("envelope.json");
}

getDataKey() {
    String endPoint = String.format(KMS_API_CREATE_DATAKEY, KEY_ID);
    String url = KMS_API_BASE_URI + endPoint;
    JSONObject data = new JSONObject();
    data.put("key_type", "plaintext");
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    return respJsonObject.get("ciphertext").toString();
}

encryptData() {
    Map<String, String> envelope = new HashMap<>();
    // 데이터 키 복호화
    String dataKey = decryptDataKey(encryptedDataKey);
    // Cipher Class 사용 (사용자가 기 사용 중인 암호화 알고리즘 사용 가능)
    SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), "{사용자 선택 알고리즘}");
    Cipher cipher = Cipher.getInstance("{사용자 선택 알고리즘}");
    cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    byte[] iv = cipher.getParameters().getParameterSpec(IvParameterSpec.class).getIV();
    byte[] cipherText = cipher.doFinal(obj.toString().getBytes());

    envelope.put("encryptedKey", encryptedDataKey);
    envelope.put("cipherText", encodeBase64(cipherText));
    envelope.put("iv", encodeBase64(iv));

    return JSONValue.toJSONString(envelope);
}

decryptDataKey() {
    String endPoint = String.format(KMS_API_DECRYPT, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("cipherText", sealedKey);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String plaintext = (respJsonObject.get("plaintext")).toString();
    return plaintext;
}

Go example code

This is a Go example code written based on the provided scenario.

// URI
const KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"
const KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/%s"

// KEY ID
const KEY_ID = {{마스터 키 ID}}

createEnvelop() {
        // 새로운 데이터 키 생성을 요청
        encryptedDataKey := getDataKey()
        // 암호화를 할 데이터
        example_json_data := "{\"PASSWORD\":\"SECRET_CREDENTIAL\"}"
        // 암호화된 데이터 봉투(Envelop encryption)
        envelope := encryptData(example_json_data, encryptedDataKey)
        // 이 예제 코드에서는 암호화된 데이터 봉투를 파일로 저장
        file, _ := os.Create("envelope.json")
        defer file.Close()
        file.WriteString(envelope)
}

getDataKey() {
        endPoint := fmt.Sprintf(KMS_API_CREATE_DATAKEY, KEY_ID)
        data := map[string]interface{}{
            "key_type": "plaintext",
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDatakeyInfo{}
        json.Unmarshal([]byte(respJsonObject), info)

        return info.DataKey
}

encryptData() {
        envelope := make(map[string]string)
        // 데이터 키 복호화
        dataKey := decryptDataKey(encryptedDataKey)
        secretKey, _ := base64.StdEncoding.DecodeString(dataKey)

        // Cipher Class 사용
        block, _ := {사용자 선택 알고리즘}.NewCipher(secretKey)
        cipherText := make([]byte, {사용자 선택 알고리즘}.BlockSize+len(example_json_data))
        iv := cipherText[:{사용자 선택 알고리즘}.BlockSize]
        if _, err := io.ReadFull(rand.Reader, iv); err != nil {
               panic(err)
        }

        mode := cipher.NewCFBEncrypter(block, iv)
        mode.XORKeyStream(cipherText[{사용자 선택 알고리즘}.BlockSize:], []byte(example_json_data))

        envelope["encryptedKey"] = encryptedDataKey
        envelope["cipherText"] = base64.StdEncoding.EncodeToString(cipherText)
        envelope["iv"] = base64.StdEncoding.EncodeToString(iv)

        jsonString, _ := json.Marshal(envelope)

        return string(jsonString)
}

decryptDataKey() {
        endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
        data := map[string]interface{}{
               "cipherText": sealedKey,
        }
        jsonData, _ := json.Marshal(data)
        respJsonObject := callApi(endPoint, jsonData)
        info := &KMSDecryptInfo{}
        json.Unmarshal([]byte(respJsonObject), info)

        return info.DecryptedData

}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"
KMS_API_CREATE_DATAKEY = "/v1/kms/openapi/datakey/"

# KEY ID
KEY_ID = {{마스터 키 ID}}

create_envelop()
    # 새로운 데이터 키 생성을 요청
    encrypted_data_key = get_dataKey()

    # 암호화를 할 데이터
    example_json_data = {"PASSWORDTEST":"SECRET_CREDENTIALTEST"}
    json_data_str = json.dumps(example_json_data)

    # 암호화된 데이터 봉투(Envelop encryption)
    envelope = encrypt_data(json_data_str,encrypted_data_key)

    # 이 예제 코드에서는 암호화된 데이터 봉투를 파일로 저장
    with open("envelope.json", "w") as file:
        file.write(envelope)


get_dataKey()
    end_point = f"{KMS_API_CREATE_DATAKEY}{KEY_ID}"
    data = {
        "key_type": "plaintext"
    }
    response_object = call_api(end_point, data)

    data_key = response_object.get("ciphertext", "")

    return data_key


encrypt_data()
    envelope = {}
    # 데이터 키 복호화
    dataKey = decrypt_data_key(encrypted_data_key)
    decoded_data_key = base64.b64decode(dataKey)

    # Cipher Class 사용
    iv = get_random_bytes(16)
    cipher = {사용자 선택 알고리즘}.new(decoded_data_key, {사용자 선택 알고리즘}.MODE_CBC, iv)
    data_to_encrypt = obj
    data_bytes = data_to_encrypt.encode()
    padded_data = pad(data_bytes, {사용자 선택 알고리즘}.block_size)
    cipher_text = cipher.encrypt(padded_data).hex()

    envelope["encryptedKey"] = encrypted_data_key
    envelope["cipherText"] = cipher_text
    envelope["iv"] = base64.b64encode(iv).decode()

    return json.dumps(envelope)

decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code result

Displays the result of the example code.

  {
        "cipherText":"d3S81rzaGAl8U12LlKSlRbDekPlGuibTntXX962KCjBIKuXdPOG8N8vk3Jet8lyG",
        "iv":"0kP7QKZ6BUeQPlThk4tySA==",
        "encryptedKey":"vault:v1:KJjjLtGHTbaV5N8LWC5O9eMDCaJVeff5SM\/MAYseugjiqiXFVgdXaKXg6kym0NmjHkO\/wLPsa+YK0aVk"
    }

Use envelope encryption

You can present an envelope encryption usage scenario and view the Java, Go, and Python example code and results written according to the scenario.

Scenario

1. Decrypt the Data Key of the encrypted envelope file.
2. Decrypt the encrypted data of the envelope file using the decrypted Data Key.

Java example code

This is a Java example code written according to the provided scenario.

// URI
static String KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }};
// END POINT
static String KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s";
// KEY ID
static String KEY_ID = {{마스터 키 ID}};;


getData() {
    // 암호화된 데이터 봉투(Envelop encryption)
    String envelope = new String(Files.readAllBytes(Paths.get("envelope.json")));
    JSONParser parser = new JSONParser();
    JSONObject envelopeJson = (JSONObject) parser.parse(envelope);
    String encryptedDataKey = envelopeJson.get("encryptedKey").toString();
    String cipherText = envelopeJson.get("cipherText").toString();
    String iv = envelopeJson.get("iv").toString();

    return decryptData(cipherText, encryptedDataKey, iv);
}

decryptData() {
    String dataKey = decryptDataKey(encryptedDataKey);
    IvParameterSpec ivParameterSpec = new IvParameterSpec(decodeBase64(iv));
    SecretKey secretKey = new SecretKeySpec(decodeBase64(dataKey), "{사용자 선택 알고리즘}");
    Cipher cipher = Cipher.getInstance("{사용자 선택 알고리즘}");
    cipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);
    byte[] plaintext = cipher.doFinal(decodeBase64(cipherText));

    return new String(plaintext);
}

decryptDataKey() {
    String endPoint = String.format(KMS_API_DECRYPT, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("cipherText", sealedKey);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String plaintext = (respJsonObject.get("plaintext")).toString();
    return plaintext;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

// END POINT
const KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/%s"

// KEY ID
const KEY_ID = {{마스터 키 ID}}

getData() {
    // 암호화된 데이터 봉투(Envelop encryption) 불러오기
    jsonData, _ := os.ReadFile("envelope.json")
    var envelope map[string]interface{}
    if err := json.Unmarshal(jsonData, &envelope); err != nil {
           fmt.Println("JSON 파싱 오류:", err)
           os.Exit(1)
    }
    encryptedDataKey := envelope["encryptedKey"].(string)
    cipherText := envelope["cipherText"].(string)
    iv := envelope["iv"].(string)

    return decryptData(cipherText, encryptedDataKey, iv)
}

decryptData() {
    dataKey := decryptDataKey(encryptedDataKey)
    ciphertext, _ := base64.StdEncoding.DecodeString(cipherText)
    dataKeyBytes, _ := base64.StdEncoding.DecodeString(dataKey)
    decodedData := ciphertext[{사용자 선택 알고리즘}.BlockSize:]
    ivparam := ciphertext[{사용자 선택 알고리즘}.BlockSize]
    block, _ := {사용자 선택 알고리즘}.NewCipher(dataKeyBytes)

    mode := cipher.NewCFBDecrypter(block, ivparam)
    mode.XORKeyStream(decodedData, decodedData)
    decryptedData := string(decodedData)

    return decryptedData
}

decryptDataKey() {
    endPoint := fmt.Sprintf(KMS_API_DECRYPT, KEY_ID)
    data := map[string]interface{}{
           "cipherText": sealedKey,
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSDecryptInfo{}
    json.Unmarshal([]byte(respJsonObject), info)

    return info.DecryptedData
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

# END POINT
KMS_API_DECRYPT = "/v1/kms/openapi/decrypt/"

# KEY ID
KEY_ID = {{마스터 키 ID}}

get_data()
    # 암호화된 데이터 봉투(Envelop encryption) 열기
    with open("envelope.json", "r") as file:
        envelope = file.read()
    envelope_json = json.loads(envelope)
    encrypted_data_key = envelope_json["encryptedKey"]
    cipher_text = envelope_json["cipherText"]
    iv = envelope_json["iv"]
    return decrypt_data(cipher_text, encrypted_data_key, iv)

decrypt_data()
    data_key = decrypt_data_key(encrypted_data_key)
    iv_bytes = base64.b64decode(iv)
    decoded_data_key = base64.b64decode(data_key)
    cipher_txt = bytes.fromhex(cipher_text)

    cipher = {사용자 선택 알고리즘}.new(decoded_data_key, {사용자 선택 알고리즘}.MODE_CBC, iv_bytes)
    plain_text_bytes = unpad(cipher.decrypt(cipher_txt), {사용자 선택 알고리즘}.block_size)
    plain_text = plain_text_bytes.decode('utf-8')
    return plain_text

decrypt_data_key()
    end_point = f"{KMS_API_DECRYPT}{KEY_ID}"
    data = {}
    data["cipherText"] = sealed_key
    resp_json_object = call_api(end_point,data)
    plaintext = resp_json_object.get("decryptedData")
    return plaintext

Example code result

Displays the result of the example code.

  {"PASSWORD":"SECRET_CREDENTIAL"}

Use data signature

It provides a data signing usage scenario to guarantee data integrity, and you can review the Java, Go, and Python example code and their results as written according to the scenario.

Scenario

1. Call the OpenAPI to sign the data.
2. The signed data is enveloped and saved as a JSON file.

Java example code

This is a Java example code written according to the provided scenario.

// URI
static String KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }};

// END POINT
static String KMS_API_SIGN = "/v1/kms/openapi/sign/%s";

// KEY ID
static String KEY_ID = {{마스터 키 ID}};

signEnvelop() {
    // 서명 데이터 봉투(Envelop encryption)
    String envelope = sign();
    // 이 예제 코드에서는 서명 데이터 봉투를 파일로 저장
    File envelopeFile = new File("signEnvelope.json");
    OutputStream os = new BufferedOutputStream(new FileOutputStream(envelopeFile));

    try {
        os.write(envelope.getBytes());
    } finally {
        os.close();
    }
}

sign() {
    Map<String, String> envelope = new HashMap<>();

    String example_credential = "SCP KMS Sign Test!!!";
    String endPoint = String.format(KMS_API_SIGN, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", encodeToBase64(example_credential));

    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());

    envelope.put("signature", respJsonObject.get("signature").toString());
    if(respJsonObject.get("batch_results") != null) {

        envelope.put("batch_results", respJsonObject.get("batch_results").toString());
    }

    return JSONValue.toJSONString(envelope);
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

// END POINT
const KMS_API_SIGN = "/v1/kms/openapi/sign/%s"

// KEY ID
const KEY_ID = {{마스터 키 ID}}

signEnvelop() {
    // 서명 데이터 봉투(Envelop encryption)
    envelope := sign()
    // 이 예제 코드에서는 서명 데이터 봉투를 파일로 저장
    file, _ := os.Create("signEnvelope.json")
    defer file.Close()
    file.WriteString(envelope)
}

sign() {
    envelope := make(map[string]string)
    example_credential := "SCP KMS Sign Test!!!"
    endPoint := fmt.Sprintf(KMS_API_SIGN, KEY_ID)
    data := map[string]interface{}{
        "input": base64.StdEncoding.EncodeToString([]byte(example_credential)),
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSSignInfo{}
    json.Unmarshal([]byte(respJsonObject), info)

    envelope["signature"] = info.Signature

    jsonString, _ := json.Marshal(envelope)

    return string(jsonString)
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

# END POINT
KMS_API_SIGN = "/v1/kms/openapi/sign/"

# KEY ID
KEY_ID = {{마스터 키 ID}}

sign_envelop()
    # 서명 데이터 봉투(Envelop encryption)
    envelope = sign()

    # 이 예제 코드에서는 서명 데이터 봉투를 파일로 저장
    with open("signEnvelope.json", "w") as file:
        file.write(envelope)


sign()
    envelope = {}

    example_credential = "SCP KMS Sign Test!!!"
    end_point = f"{KMS_API_SIGN}{KEY_ID}"
    credential_bytes = example_credential.encode('utf-8')

    data = {
        "input": base64.b64encode(credential_bytes).decode('utf-8')
    }

    resp_json_object = call_api(end_point,data)

    envelope["signature"] = resp_json_object.get("signature")

    return json.dumps(envelope)

Example code result

Displays the result of the example code.

  {
    "signature":"vault:v1:qHGf4ALkTao1Yy\/lpSbLQ2l8YVpsHWBP6ic3Ux1BKSodQQxnEIrjPyUwXXQ1NZfGSVxdeVe5Y6kb0nUPNADQpzkOh9\/e8T\/QCOs9==",
    "projectId":"PROJECT-qWrHRJX5sZnTkopcr9N1dk"
}

Use data validation

It presents a verification usage scenario for validating data integrity, and you can view the Java, Go, and Python example code and their results written according to the scenario.

Scenario

1. Retrieves the signature value of the signed envelope file.
2. Validates the signed data and outputs the result.

Java example code

This is a Java example code written according to the provided scenario.

// URI
static String KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }};

// END POINT
static String KMS_API_VERIFY = "/v1/kms/openapi/verify/%s";

// KEY ID
static String KEY_ID = {{마스터 키 ID}};

getSign() {
    // 서명 데이터 봉투(Envelop encryption)
    String envelope = new String(Files.readAllBytes(Paths.get("signEnvelope.json")));
    JSONParser parser = new JSONParser();
    JSONObject envelopeJson = (JSONObject) parser.parse(envelope);
    String signature = envelopeJson.get("signature").toString();

    return verify(signature);
}

verify() {
    String endPoint = String.format(KMS_API_VERIFY, KEY_ID);
    JSONObject data = new JSONObject();
    data.put("input", "U0NQIEtNUyBTaWduIFRlc3QhISE=");
    data.put("signature", signature);
    JSONObject respJsonObject = callApi(endPoint, data.toJSONString());
    String valid = (respJsonObject.get("valid")).toString();
    return valid;
}

Go example code

This is a Go example code written according to the presented scenario.

// URI
const KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

// END POINT
const KMS_API_VERIFY = "/v1/kms/openapi/verify/%s"

// KEY ID
const KEY_ID = {{마스터 키 ID}}

getSign() {
    // 서명 데이터 봉투(Envelop encryption) 불러오기
    jsonData, _ := os.ReadFile("signEnvelope.json")
    var envelope map[string]interface{}
    if err := json.Unmarshal(jsonData, &envelope); err != nil {
           fmt.Println("JSON 파싱 오류:", err)
           os.Exit(1)
    }
    signature := envelope["signature"].(string)

    return verify(signature)
}

verify() {
    endPoint := fmt.Sprintf(KMS_API_VERIFY, KEY_ID)
    data := map[string]interface{}{
           "input":          "U0NQIEtNUyBTaWduIFRlc3QhISE=",
           "signature":      signature,
    }
    jsonData, _ := json.Marshal(data)
    respJsonObject := callApi(endPoint, jsonData)
    info := &KMSVerifyInfo{}
    json.Unmarshal([]byte(respJsonObject), info)

    return info.Valid
}

Python example code

This is a Python example code written according to the presented scenario.

# URI
KMS_API_BASE_URI = {{ OpenAPI 가이드의 URL 참조 }}

# END POINT
KMS_API_VERIFY = "/v1/kms/openapi/verify/"

# KEY ID
KEY_ID = {{마스터 키 ID}}

get_sign()
    # 서명 데이터 봉투(Envelop encryption) 열기
    with open("signEnvelope.json", "r") as file:
        envelope = file.read()
    envelope_json = json.loads(envelope)
    signature = envelope_json["signature"]

    return verify(signature)


verify()
    end_point = f"{KMS_API_VERIFY}{KEY_ID}"

    data = {
        "input": "U0NQIEtNUyBTaWduIFRlc3QhISE=",
        "signature": signature
    }

    resp_json_object = call_api(end_point,data)
    valid = resp_json_object.get("valid")

    return valid

Example code result

Displays the result of the example code.

  {
    "valid": true
}

1.2.2 - Platform-managed Key

Users can view detailed information about the platform-managed key automatically generated for service provisioning on the Samsung Cloud Platform.

Check detailed information of platform-managed key

You can view the full resource list and detailed information of platform-managed keys. The Platform Managed Key Details page consists of Details, Operation History tabs.

To view detailed information about the Key Management Service, follow these steps.

1. Click the All Services > Security > Key Management Service menu. You will be taken to the Service Home page of Key Management Service.
2. On the Service Home page, click the Platform Managed Key menu. You will be taken to the Platform Managed Key List page.
3. On the Platform Managed Key List page, click the resource to view detailed information. You will be taken to the Platform Managed Key Details page.
   • Platform Managed Key Details page displays status information and descriptions of additional features at the top.

     Category	Detailed description
     status	Display the status of the platform-managed key Active: Available/Active

     Table. Platform Managed Key Status Information

Detailed Information

On the Platform Managed Key List page, you can view detailed information of the selected resource.

Job History

You can view the operation history of the selected resource on the Platform Managed Key List page.

1.3 - API Reference

1.4 - CLI Reference

1.5 - Release Note

Key Management Service

2 - Config Inspection

2.1 - Overview

Service Overview

Config Inspection is a service that diagnoses the security level of Console settings for each service of the Samsung Cloud Platform. Provides a security checklist organized by areas such as IAM, Networking, Database, and Logging, and checks the current status via API calls to verify whether the recommended security settings for each diagnostic item are applied.

Users can create a diagnostic target by creating a service, then request a diagnosis, and view the diagnosis request results through a Report. The report provides the diagnostic request history and per-item diagnostic results, and for diagnostic items that require the user’s final confirmation or action, detailed results—including the resource information and action guide corresponding to each item—can be viewed.

Provided Features

Config Inspection provides the following features.

• Console Diagnostics: You can call the Console API using an authentication key method to assess the security level.
• Diagnostic Target Management: Through service creation, you can create and manage a user’s Samsung Cloud Platform account as a diagnostic target.
• Diagnostic Request: On the resource detail screen, you can request a diagnosis by clicking the Diagnostic Request button.
• Diagnostic Result Management: In Report, you can view the list of diagnostic requests and detailed diagnostic results, and download them as an Excel file.

Components

Checklist

The checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the checklist currently provided by Config Inspection is as follows.

• Refer to the 체크 리스트 for the detailed diagnostic items of the checklist provided by Samsung Cloud Platform.

Report

In the Config Inspection Report, you can view the diagnostic results in the order of result list, result details, and item details.

Preliminary Service

Config Inspection has no preceding service.

2.1.1 - Checklist

You can view the types of checklists provided by Config Inspection and the detailed diagnostic items for each checklist.

Checklist

A checklist is a collection of diagnostic items that serve as the basis for diagnostic results, and the types of checklists currently provided by Config Inspection are as follows.

Best Practice

The detailed diagnostic items of the Best Practice checklist provided by Samsung Cloud Platform are as follows.

Samsung Security Index (SSI)

The detailed diagnostic items of the Samsung Security Index (SSI) checklist provided by Samsung Cloud Platform are as follows.

2.2 - How-to guides

Users can create the service by entering the required information for the Config Inspection service and selecting detailed options through the Samsung Cloud Platform Console.

Create Certificate

To create and use the Config Inspection service in the Samsung Cloud Platform Console, you need to generate an authentication key in advance.

Authentication key creation can be done from My menu > My Info. > Authentication Key Management > Create Authentication Key. For more details, refer to Manage Authentication Keys.

Create Config Inspection

You can create and use the Config Inspection service in the Samsung Cloud Platform Console.

To create a Config Inspection, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Create Config Inspection button. You will be taken to the Create Config Inspection page.
3. Config Inspection Creation On the page, input what is required to create a service, and select detailed options.
   • Enter or select the required information in the Service Information Input area.

     Category	Required status	Detailed description
     Diagnosis Type	-	Automatic configuration via Console
     Cloud	Required	Select cloud for diagnosis SCP: Samsung Cloud Platform AWS: Amazon Web Services Azure: Microsoft Azure Detailed input fields vary depending on the selected cloud type
     Diagnostic Target > Diagnosis Name	Required	Name to distinguish the diagnostic target Use the entered value as the resource name Enter within 25 characters using English letters, numbers, and special characters (-, _)
     Diagnostic target > Diagnostic account	Required	Console information to be diagnosed Select the Account ID to diagnose from the list Selecting the same Account ID will result in duplicate requests and incur additional charges If AWS is selected, enter the Account ID (12 digits) for the diagnostic account If Azure is selected, enter the Subscription ID (36 characters, including letters, numbers, and special characters) for the diagnostic account
     Diagnosis Schedule > Checklist	Required	Automatically set when Use is selected for diagnostic schedule
     Diagnostic Schedule > Diagnostic Cycle	Required	Select Diagnosis Interval The diagnosis runs on the selected date according to the specified interval. If Monthly is selected, the diagnosis may not be performed on the selected date. Example) Selecting the 31st of each month – February has no such date, so the diagnosis is not performed.
     Diagnostic Schedule > Start Time	Required	Select diagnostic start time Set the hour and minute information for starting the diagnostic
     authentication key	Required	Select the authentication key to use for Open API calls Select button, click to choose the appropriate authentication key from the list in the Authentication Key Selection popup If no selectable authentication key is available, click Authentication Key Management to create a new authentication key For detailed information about authentication keys, refer to Manage Authentication Keys
     Pricing plan	Select	Select a plan to use Standard: Charged based on the number of diagnoses Monthly subscription: Charged a fixed amount each month regardless of the number of diagnoses (up to 30 diagnoses per month) The plan cannot be changed after the service is requested

     Table. Config Inspection Service Information Input Items
   • In the Additional Information Input area, enter or select the required information.

     Category	Required status	Detailed description
     tag	Select	Add Tag Up to 50 per resource can be added After clicking the Add Tag button, enter or select Key and Value values

     Table. Config Inspection additional information input fields
4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Create button.
   • When creation is complete, check the created resources on the Config Inspection List page.

Check detailed information of Config Inspection

Config Inspection service allows you to view and edit the full resource list and detailed information. The Config Inspection Details page consists of Details, Tags, Activity History tabs.

To view detailed information of the Config Inspection service, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
3. Config Inspection List page, click the resource to view detailed information. You will be taken to the Config Inspection Details page.
   • Config Inspection Details page displays status information and additional feature information, and is composed of Details, Tags, Work History tabs.

     Category	Detailed description
     status	Displays the status of Config Inspection Ready: When there is no diagnostic request after the service is created (diagnostic request possible) In Progress: When a diagnostic request is being executed (diagnostic request/service termination not allowed) Error: When an error occurs in the diagnostic request (diagnostic request possible) Completed: When the diagnostic request completes successfully (diagnostic request possible)
     Diagnostic request	Button to perform console diagnostics
     Service termination	Button to cancel the service

     Table. Config Inspection status information and additional features

Detailed Information

Config Inspection List page lets you view detailed information of the selected resource and modify the information if necessary.

tag

Config Inspection List page lets you view the tag information of the selected resource and add, modify, or delete it.

Job History

On the Config Inspection List page, you can view the operation history of the selected resource.

Config Inspection Resource Management

If you need to view the status of a Config Inspection resource or request a diagnosis, you can perform the task on the Config Inspection List or Config Inspection Details page.

Modify authentication key

You can select the authentication key to use for diagnosis for each diagnostic target.

To modify the service’s authentication key, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
3. On the Config Inspection List page, click the resource whose authentication key you want to edit. Then go to the Config Inspection Detail page.
4. Check the authentication key and click the Edit icon. The Edit Authentication Key popup window opens.
5. Edit Authentication Key Select the authentication key to use in the popup window and click the Confirm button.

   Category	Detailed description
   authentication key	Authentication Key Detailed Information
   Creation date and time	Authentication key creation date
   Expiration date and time	Authentication key expiration date
   status	Authentication key status Active: Usable Expired: Usage period expired

   Table. Authentication key edit popup items

Request Diagnosis

You can request a diagnosis from the Console based on the configured checklist.

To request a console diagnosis, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.

3. On the Config Inspection List page, click the resource you want to request a diagnosis for. You will be taken to the Config Inspection Details page.

4. On the Config Inspection Details page, click the Diagnostic Request button. The Diagnostic Request popup opens.

5. In the Diagnosis Request popup, enter the information required for the diagnosis and click the Confirm button.

   • Diagnostic Request The items in the popup window vary depending on the selected Console.

     Category	Detailed description
     Console access method	Fix the authentication key method as the console access method.
     Checklist	Set to Best Practice when selecting SCP
     authentication key	If you select SCP, choose the pre-generated authentication key.
     Access Key	If AWS is selected, enter the Access Key.
     Secret Key	If AWS is selected, enter Secret Key
     Client ID	Enter Client ID when Azure is selected
     Client Secret	If Azure is selected, enter Client Secret
     Tenant ID	If Azure is selected, enter Tenant ID

     Table. Diagnosis request popup items

6. Check the status value on the Config Inspection list page.

   • When the diagnostic request is completed, the status value is displayed as Completed or Error.
   • In the case of Completed, you can view the diagnostic request results in the diagnostic results menu. For more details, refer to Report Management.

Terminate Config Inspection

You can cancel the Config Inspection service you are not using. However, canceling Config Inspection will delete all stored diagnostic data.

To disable Config Inspection, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Config Inspection menu. You will be taken to the Config Inspection list page.
3. On the Config Inspection List page, click the resource to be terminated. You will be taken to the Config Inspection Details page.
4. Config Inspection Details on the page, click the Cancel Service button.
5. After the termination is complete, check on the Config Inspection List page whether the resource has been terminated.

2.2.1 - Check Dashboard

Users can view the diagnostic results of the Config Inspection service at a glance on the dashboard through the Samsung Cloud Platform Console.

Check Dashboard

On the dashboard page, you can view the status of Config Inspection diagnostic targets, diagnostic history, and more.

To view the dashboard, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Dashboard menu. You will be taken to the Dashboard page.
3. Check the summary of diagnostic results on the Dashboard page.
   • Dashboard page at the top allows you to view dashboard information based on the period or diagnosis name.
     • Period: You can set a period within six months from the current month to view a summary of the diagnostic results.
     • Diagnosis Name: If you select All, you can view a summary of the entire diagnostic results, and if you select a diagnostic account, you can view the detailed information of that specific diagnostic result.
   • Click the Download button to download the information displayed on the dashboard page as a PDF file.

     Category	Detailed description
     Security level (overall)	Display the average of the latest diagnostic results for all subjects Recent diagnostic results are displayed in the list Diagnostic score calculation formula = Total – (Fail + Error + Check)) / Total x 100
     Diagnosis status by period	Display diagnostic status by target during the search period Diagnosis Completed: Show recent completed diagnosis records Diagnosis Error: Show recent diagnosis error records, navigate to the detailed diagnosis result page when a diagnosis name is selected
     Summary of diagnostic results by period (overall)	Display summary of diagnostic results (overall) during the search period Selecting a diagnosis name from the list navigates to the detailed diagnostic result page

     Table. Detailed dashboard item description for overall diagnostic results

     Category	Detailed description
     Security level	Display the latest diagnostic result score for the selected diagnostic account Recent diagnostic results are displayed in the list
     Summary of diagnostic results by period	Display summary of the diagnostic results for the last diagnostic account within the search period
     Vulnerability status by period	Display the vulnerability assessment results of the diagnostic account as a graph during the search period When a graph is selected, display detailed information of the vulnerable items in the assessment results

     Table. Detailed dashboard item description for diagnostic results per diagnostic account

2.2.2 - Manage Diagnosis Results

Config Inspection You can view the diagnostic request results on the diagnostic results page and modify the diagnostic results.

Check diagnosis results

On the diagnosis results page, you can view the results of the diagnosis request.

Check diagnostic result list

To view the list of diagnostic results, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
3. View the summary information of diagnostic results on the Diagnostic Results List page.

   Category	Detailed description
   Diagnosis name	Resource name
   diagnostic account	Console information subject to diagnosis
   Checklist	Collection of diagnostic items that serve as the basis for diagnostic results
   PASS	Number of checklist items with a diagnosis result of PASS (normal)
   FAIL	Number of checklist items with a diagnosis result of FAIL (vulnerable)
   CHECK	Number of items in the checklist with a diagnosis result of CHECK (verification required)
   ERROR	Number of items in the checklist whose diagnosis result is ERROR (diagnosis not possible)
   N/A	Number of items in the checklist where the diagnosis result is N/A (not applicable)
   All	Total number of checklist items
   diagnostic result	Diagnosis request result Completed: The diagnosis request has been successfully completed; clicking Completed navigates to the detail page Error: The diagnosis request was not completed successfully; error items cannot view detailed information
   Diagnosis date and time	Diagnosis request date and time

   Table. Diagnosis result list items

View detailed diagnostic result information

To view detailed information of the diagnostic results, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.

   • On the Diagnosis Result List page, you can enter a diagnosis name in the search area or click the Detailed Search button to perform a search.

3. Diagnostic Results List page, click the item whose diagnostic result is Completed. You will be taken to the diagnostic result detail page.

   • Items with a diagnostic result in error status do not display detailed information.

4. On the Detailed Diagnosis Results page, view the detailed diagnosis results.

   Category	Detailed description
   Excel download	Download the detailed diagnosis results list as an Excel file
   More > Diagnosis Result Management	Go to the diagnostic results management page
   Checklist	Collection of diagnostic items that serve as the basis for diagnostic results
   Area	Diagnostic Scope (services of Samsung Cloud Platform)
   Diagnostic items	Recommended security standards for each service configuration
   Result	Diagnostic Item Criteria Inspection Results

   Table. Detailed diagnosis result items

5. Click the diagnostic item to view detailed information. Diagnostic Item Details popup will open.

   • Diagnostic Item Details In the popup window, you can view the following information.

     Category	Detailed description
     Area	Diagnostic Scope (services of Samsung Cloud Platform)
     Diagnostic items	Recommended security standards for each service configuration
     Result	Diagnostic Item Criteria Inspection Results
     Diagnostic criteria	Result Evaluation Criteria
     Diagnostic method	How to check the current settings
     Action Guide	Configuration method that meets security standards
     Detailed results	Resource information and settings for the diagnostic item
     Change diagnosis result	Button to modify the diagnosis result When the diagnosis result is modified, the Check Result button is displayed, and clicking the Delete button removes the modified result

     Table. Config Inspection diagnostic item details

Manage Diagnostic Results

On the diagnosis results page, you can modify the results of items whose diagnosis status is CHECK.

Change Diagnosis Result

To change the diagnostic result, follow the steps below.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.

2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.

3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.

   • Items with a diagnostic result in error status do not display detailed information.

4. On the Diagnosis Result Details page, click the More > Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.

5. On the Diagnosis Result Management page, click the Change Result button for the item whose diagnosis result you want to modify. The Change Result popup window will open.

6. Result Change In the popup window, select or enter the information required to change the result.

   Category	Required	Detailed description
   Registrant	-	Diagnostic result change registrant email
   Validity period	Required	Set the diagnostic result validity period
   Result change	Required	Select the diagnostic result to change among Pass, Check, Fail
   Detailed reason	Required	Enter the detailed reason for changing the result.
   Attached file	Select	Upload the files required to verify result changes Click the Attach File button to upload files, up to 5 can be registered
   Inspection Result	-	Display detailed inspection results

   Table. Detailed items of diagnostic result changes

7. Review the entered information and click the Register button. Verify whether the diagnostic results have changed in the Diagnostic Result Management list.

Delete diagnostic result change history

To delete the diagnostic result change log, follow these steps.

1. Click the All Services > Security > Config Inspection menu. Navigate to the Service Home page of Config Inspection.
2. On the Service Home page, click the Diagnosis Results menu. You will be taken to the Diagnosis Results List page.
3. On the Diagnosis Result List page, click the item whose diagnosis result is Completed. You will be taken to the Diagnosis Result Details page.
   • Items with a diagnostic result in error status do not display detailed information.
4. Diagnosis Result Details page, click the Diagnosis Result Management button at the top. You will be taken to the Diagnosis Result Management page.
5. On the Diagnosis Result Management page, click the Check Result button for the item whose diagnosis result you want to change. The Check Result popup will open.
6. Check Result in the popup window, click the Delete button.

2.2.3 - Pre-configuration

Users must perform pre‑cloud configuration such as generating authentication keys and adding access‑control IPs through the Samsung Cloud Platform Console to use the Config Inspection service.

Configuring Samsung Cloud Platform Console

To diagnose Samsung Cloud Platform and external clouds in the Config Inspection service, set the items below.

Check policies attached to user groups

To check the policy of the user group to which the user belongs, follow the steps below.

1. Click the All Services > Management > IAM menu. Go to the Service Home page of IAM.
2. On the Service Home page, click the User Group menu. You will be taken to the User Group List page.
3. On the User Group List page, click the user group you want to view. You will be taken to the User Group Details page.
4. User Group Details page, click the Policy tab. You will be taken to the Policy tab page.
5. Click the policy you want to view on the Policy tab page. You will be taken to the Policy Details page.
6. Check the detailed information on the Policy Details page.
   • Verify that the policy information in the table below is configured. If necessary, contact the administrator to add the policy.

     Item	Policy Requirement 1	Policy Requirement 2
     action	List, Read	Create, Delete, List, Read, Update
     Applied resource	All resources	Individual Resource (Config Inspection)
     Authentication Type	All authentication	Temporary key authentication, Console login
     Applied IP	Custom IP The IP for diagnostics is 123.37.11.42, and the IP for the user to access the console must be added separately	Custom IP

     Table. Detailed policy setting items for all cloud diagnostics

Generate authentication key

You can view and generate the authentication key used for the Config Inspection service.

To create an authentication key in the Samsung Cloud Platform Console, follow these steps.

1. Click the My menu > My info. menu in the Console. You will be taken to the My info. detail page.
2. My info. Click the API Key Management tab on the detail page. Navigating to the API Key Management tab page.
3. On the Key Management tab page, click the Create Key button. You will be taken to the Create Key page.
   • You can view the list of authentication keys on the authentication key management page.
4. On the Create Authentication Key page, after entering the expiration period, click the Confirm button.
5. Verify that the generated authentication key is displayed in the authentication key list.

Add allowed IP

You can add allowed IP addresses in the Samsung Cloud Platform Console.

To add an allowed IP for the Console, follow these steps.

1. Click the My menu > My info. menu in the Console. Go to the My info. detail page.
2. My info. Click the API Key Management tab on the detail page. You will be taken to the API Key Management tab page.
3. Authentication Key Management tab page, click the Edit icon of the Security Settings item. Edit Authentication Key Security Settings popup opens.
4. Edit Authentication Key Security Settings In the popup window, enter the authentication method and allowed IP address.
   • Select the authentication method authentication key.
   • Set the allowed access IP to Use, enter the IP address, and click the Add button.
5. When the allowed IP addition is complete, click the Confirm button. Verify that the Security Settings item has been updated with the entered information.

Configure AWS

To diagnose the AWS (Amazone Web Services) cloud in the Config Inspection service, set the items below.

Add permission policy

You can add permission policies for users or user groups in the AWS Console.

Add user permission

To add a user access policy in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. Select Add Permission in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Add user group permissions

To add a user group access permission policy in the AWS Console, follow these steps.

1. Click IAM > User Groups in the AWS Console.
2. Select the group that the user belongs to from the user group list.
3. Click the Permissions tab on the user group page.
4. Select Add Permission in the permission policy.
   • When adding permissions, select ReadOnlyAccess, ViewOnlyAccess.

Add access control IP

If you are using an IP access control policy, you need to add an exception IP to the policy.

Add user access control IP

To add a user access control IP in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Permissions tab on the user information page.
4. In the permission policy item, click Edit of the IP Access Control Policy.
   • Add 123.37.24.82 to the block exception IP list.

Add IP to user group access control

To add a user group access control IP in the AWS Console, follow these steps.

1. Click IAM > User Groups in the AWS Console.
2. Select the group that the user belongs to from the list of user groups.
3. Click the Permissions tab on the user group page.
4. In the permission policy item, click Edit of the IP Access Control Policy.
   • Add 123.37.24.82 to the block exception IP.

Access Key creation

To create an Access Key in the AWS Console, follow these steps.

1. Click IAM > Users in the AWS Console.
2. Select the diagnostic user name from the user list.
3. Click the Security Credentials tab on the user information page.
4. On the Security Credentials page, click Access Keys.
5. Create Access Key page, generate an access key for third‑party services.
   • Be sure to save the generated access key information.

Configure Azure

To diagnose Azure cloud in the Config Inspection service, set the items below.

Entra ID Application registration

To register an Entra ID Application in the Azure Console, follow these steps.

1. Click Microsoft Entra ID > App registrations in the Azure Console.
2. On the App Registration page, click New Registration.
3. Register the application (client) ID.
4. After the app registration is complete, check the app name, application (client) ID, directory (tenant) ID on the overview page.

Add API permission

To add API permissions in the Azure Console, follow these steps.

1. In the Azure Console’s Microsoft Entra ID > App registration (App registrations) > Entra ID Application registration, click App name > API permissions (App permissions) > Add permission (Add a permission).
2. From the API permissions list, select Microsoft Graph to add permissions.
3. On the API Permission Request page, click Application Permissions.
   • Select Application.Read.All, Device.Read.All, Group.Read.All, User.Read.All, DeviceManagementManagedDevices.Read.All, AuditLog.Read.All, Directory.Read.All, Domain.Read.All, GroupMember.Read.All, Policy.Read.All, Reports.Read.All from the permission list.
4. After adding permissions in App API permission registration, click Grant admin consent (Grant admin consent for account name).
   • Check whether the status for the account name has been changed to Allowed (Granted for account name).

Create Client Secret

To create a Client Secret in the Azure Console, follow these steps.

1. In the Azure Console, click App name > Certificates & secrets(Certificates & secrets) under Microsoft Entra ID > App registrations(App registrations) > Entra ID Application registration.
2. Click New Client Password in the Certificates and Passwords list.
3. When the client secret is generated, check the Client Secret in the Value(Value) field of the list.
   • Be sure to save the Client Secret value.

Add subscription access permission in Azure Console

You can add subscription access permissions in the Azure Console from the tenant root group or an individual Subscription. Choose the method you prefer to add Subscription access permissions.

Add permission in Tenant Root Group

To add subscription access permissions in the Azure Console from the Tenant Root Group, follow the steps below.

1. Click Management groups > Overview in the Azure Console.
2. Click Tenant Root Group > Access Control (IAM).
   • If you cannot access the Tenant Root Group menu, change the settings below.
     • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > Yes (yes) change to
   • After adding the permission, you must change it to No.
3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
   • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.

     Category	Permission
     Reader(Reader)	User, group, or service principal(Users, group, or service principal)
     Key Vault Reader (Key Vault Reader)	User, group, or service principal(Users, group, or service principal)
     Reader and Data Access	User, group, or service principal(Users, group, or service principal)

     Table. Additional permission items when entering role assignment information

Add permission in individual Subscription

To add subscription access permissions in the Azure Console for an individual subscription, follow these steps.

1. Click Subscription(Subscription) > Overview(Overview) in the Azure Console.
   • Check the Subscription ID(Subscription ID) in the basic information on the Overview page.
2. Click Subscription(Subscription) > Access Control(IAM).
3. On the Access Control page, click Add(Add) > Add role assignment(Add role assignment).
4. On the Add Role Assignment page, after entering the details, click Save (Review+assign).
   • When entering role assignment information, select the information below in the Role and Member tabs to add the app created in Entra ID Application registration. You must add all three of the following permissions.

     Category	Permission
     Reader(Reader)	User, group, or service principal(Users, group, or service principal)
     Key Vault Reader (Key Vault Reader)	User, group, or service principal(Users, group, or service principal)
     Reader and Data Access	User, group, or service principal(Users, group, or service principal)

     Table. Additional permission items when entering role assignment information

Add access permissions via PowerShell

To add subscription access permissions in the Azure Console using PowerShell, follow these steps.

1. Run the following command in Cloud shell > PowerShell of the Azure Console.
   • New-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’ -ObjectType ‘ServicePrincipal’
   • If the command does not execute, change the settings below.
     • Microsoft Entra ID > Properties > ‘Account Name’ can manage access to all Azure subscriptions and management groups in this tenant. > yes change to
     • After adding the permission, you must change it to No (no).
2. Run the command below to verify whether the configuration is complete.
   • Get-AzRoleAssignment –ObjectId ＂the App’s Object ID found in Enterprise Application＂ –Scope ＂/providers/Microsoft.aadiam＂
   • If permission deletion is required, run the command below.
     • Remove-AzRoleAssignment -ObjectId “the App’s Object ID as seen in Enterprise Application” -Scope “/providers/Microsoft.aadiam” -RoleDefinitionName ‘Reader’

2.3 - Release Note

Config Inspection

3 - Certificate Manager

3.1 - Overview

Service Overview

Certificate Manager is a service that supports certificate distribution and integrated management, enabling users to generate SSL/TLS certificates issued by a Certificate Authority (CA) and self‑signed certificates for development or testing purposes, and use them on Samsung Cloud Platform resources. By receiving pre‑expiration notification emails, users can identify certificates that are about to expire and manage the certificate lifecycle.

Features

• Simple Creation: You can generate certificates with simple steps in the Samsung Cloud Platform Console. User certificates issued externally are validated, and only certificates that pass verification are distributed.
• Service Integration: Connect the certificates registered in Certificate Manager to the Load Balancer to encrypt network connections and protect the service.
• Certificate Expiration Alert: You can identify and replace certificates that are about to expire with periodic notifications up to 1 day before the expiration date.

Service Architecture Diagram

Provided features

Certificate Manager provides the following features.

• Certificate Creation: You can generate a user certificate issued by a certification authority or a self-signed certificate suitable for development/testing (Self-signed).
• Connected Resource Lookup: You can view Samsung Cloud Platform resources that are using the certificate. Currently, it provides a list of Load Balancer listeners (HTTPS).
• Expiration Alert: You can set expiration alert recipients for each certificate. Emails are sent to the recipients starting 45 days before expiration. (Sent 45/30/15/7/1 days before expiration)

Component

User certificates in Certificate Manager consist of a Private Key, Certificate Body, and Certificate Chain. Enter the entire certificate information, including the BEGIN and END lines.

Private Key

Enter the private key in PEM format. Private Key supports RSA and must be entered as a decrypted value.

-----BEGIN RSA PRIVATE KEY-----
(개인키)
-----END RSA PRIVATE KEY-----

Certificate Body

Enter the Server (Leaf) certificate in PEM format. Only one certificate can be entered in the Certificate Body.

-----BEGIN CERTIFICATE-----
(서버 인증서)
-----END CERTIFICATE-----

Certificate Chain

Enter the upper-level certificate in PEM format. Input them in the order Sub (Intermediate) CA → Root CA, and you may omit this only for self‑signed or self‑issued certificates.

-----BEGIN CERTIFICATE-----
(중간 인증서)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(루트 인증서)
-----END CERTIFICATE-----

Constraints

Certificate Manager provides services on a per‑Region basis. Create the service in the required Region and use it. The quota per Region is as follows.

Prior Service

Certificate Manager has no prerequisite services.

3.2 - How-to guides

Users can create the service by entering the required information for the Certificate Manager service and selecting detailed options through the Samsung Cloud Platform Console.

Create Certificate Manager

You can create and use the Certificate Manager service in the Samsung Cloud Platform Console.

To request the creation of a Certificate Manager service, follow these steps.

1. Click the All Services > Security > Certificate Manager menu. 1. Go to the Service Home page.
2. On the Service Home page, click the Create Certificate Manager button. 2. Go to the Create Certificate Manager page.
3. Create Certificate Manager page, enter the information needed to create the service, and choose detailed options.
   • In the Service Information Input area, enter or select the required information.

     Category	required status	Detailed description
     Certificate name	Required	Enter the Certificate Manager name to use Enter within 3-30 characters, including English letters, numbers, and special characters (-, _, .) Cannot be the same as an existing name
     type	Required	Select the Certificate Manager type to use User Certificate: a public certificate issued by a Certificate Authority (CA) Self-issued Certificate: a certificate self-issued (Self-signed) by Samsung Cloud Platform Since it is relatively less secure, it is recommended for development/testing use only.
     User Certificate > Certificate Body	Required	Enter Server(Leaf) certificate information Only one certificate can be entered in the certificate body Enter the full content, including the lines from —–BEGIN CERTIFICATE—– to —–END CERTIFICATE—–
     User Certificate > Private Key	Required	Enter the private key information The Private Key supports the RSA encryption method The Private Key can be entered in an unencrypted PEM format Enter the entire content, including the lines from —–BEGIN RSA PRIVATE KEY—–to —–END RSA PRIVATE KEY—-
     User Certificate > Certificate Chain	Required	Enter the Certificate Chain information Can be omitted when using a private certificate The Certificate Chain should be entered in the order: Intermediate (Subordinate) certificate → Root certificate For a public certificate, the Certificate Chain information must be entered; only when there is no intermediate certificate (Chain CA) should use be disabled Enter the full content, including the lines from —–BEGIN CERTIFICATE—– —–END CERTIFICATE—– If there are multiple Intermediate (Subordinate) certificates, enter each certificate’s content in order
     User Certificate > Certificate Validation	Required	Validate the entered certificate’s validity
     Self-signed certificate > Common Name	Required	Enter the domain name to use the certificate
     Self-issued certificate > Organization Unit	Required	Enter the organization and department that will use the certificate
     Self-issued certificate > Start date	Required	Enter the certificate start date (creation date)
     Self-issued certificate > Expiration date	Required	Enter the certificate expiration date
     Expiration alert	Selection	Set whether to receive pre‑expiration certificate alerts Select Use to enable expiration alerts If expiration alerts are set, an email is sent to the recipients 45, 30, 15, 7, and 1 days before the certificate expires
     Expiration Alert > Alert Recipient	Required	Select notification recipients when using expiration alerts Enter a user name in the search area to select notification recipients Up to 100 recipients can be registered

     Table. Certificate Manager service information input items
     Reference

     • If the entered certificate information is invalid, you cannot create the Certificate Manager service.
     • If the Private Key is encrypted, enter the decrypted value using the openssl command below.
       • openssl rsa -in [Encrypted Private Key File name] -out [Decrypted Private Key File name]
     • For certificates issued via Let’s Encrypt, even if you already have a previously issued Certificate Chain value, extract it again and enter it.
       • For detailed instructions on extraction methods, see Extract Chain Certificate.
   • In the Additional Information Input area, enter or select the required information.

     Category	required status	Detailed description
     tag	Selection	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, input or select Key, Value values

     Table. Certificate Manager additional information input fields
4. Review the entered service information and additional details, then click the Create button.
   • When creation is complete, check the created resource on the Certificate Manager List page.
     Reference

     To create a Load Balancer for use with the Certificate Manager service, click Load Balancer creation in Service Home.

     • For detailed information on creating a Load Balancer, please refer to Load Balancer Creation.

Check Certificate Manager detailed information

The Certificate Manager service allows you to view and edit the full list of resources and detailed information. Certificate Manager Details page consists of Details, Connected Resources, Tags, Activity History tabs.

To view detailed information for Certificate Manager, follow these steps.

1. All Services > Security > Certificate Manager Click the menu. 1. Go to the Service Home page of Certificate Manager.
2. On the Service Home page, click the Certificate Manager menu. 2. Navigate to the Certificate Manager List page.
3. On the Certificate Manager List page, click the resource to view its detailed information. 3. Navigate to the Certificate Manager Details page.
   • Certificate Manager Details page displays the status and detailed information of the Certificate Manager, and consists of Details, Connected Resources, Tags, Activity History tabs.

     Category	Detailed description
     Service status	Certificate Manager status Creating: In progress Active/Valid: Certificate valid Expired: Certificate expired Editing: Changing settings Terminating: Terminating Error: Certificate error
     Service termination	Button to cancel Certificate Manager

     Table. Status information and additional features

Detailed Information

Certificate Manager List page lets you view detailed information of the selected resource and, if necessary, edit the information.

Connected resource

On the Certificate Manager List page, you can view the connected Load Balancer information.

Tag

On the Certificate Manager List page, you can view the tag information of the selected resource and add, modify, or delete it.

Job History

You can view the operation history of the selected resource on the Certificate Manager List page.

Terminate Certificate Manager

You can request the termination of the Certificate Manager service from the Samsung Cloud Platform Console.

To request termination of the Certificate Manager service, follow the steps below.

1. Click the All Services > Security > Certificate Manager menu. 1. Go to the Service Home page of Certificate Manager.
2. On the Service Home page, click the Certificate Manager menu. 2. Go to the Certificate Manager List page.
3. On the Certificate Manager List page, click the resource to view its detailed information. 3. Navigate to the Certificate Manager Details page.
4. On the Certificate Manager Details page, click the Cancel Service button.
5. Once the termination is complete, verify the service termination status in the Certificate Manager list.

3.2.1 - Extract Certificate Chain

Users can extract and input the Certificate Chain certificate to be used when creating a Certificate Manager service.

Extract Certificate Chain

You can extract the Certificate Chain value required when creating a Certificate Manager.

Extract Intermediate (Subordinate) Certificate Value

You can extract the intermediate (subordinate) certificate from the certificate chain required for user certificate enrollment.

To extract the Intermediate(Subordinate) certificate value, follow these steps.

1. Run the certificate file in crt format on the PC. The certificate window will appear.
2. In the certificate window, click the Certificate Path tab.
   • If the file is in PEM format, convert it to a .crt file.
3. Click the certificate under Root and click View Certificate.
4. After clicking the Details tab, click Copy to file.
5. When the certificate export wizard runs, click Next.
6. Select the format Base 64-encoded X.509(.CER)(S) and click Next.
7. Click Browse to select the folder where you want to save the file, then click Next.
8. Click Finish. The certificate export wizard will complete.
9. Open the exported file as a TEXT file and verify the values.
   • The extracted certificate value must start and end with —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—-.

Extract Root certificate value

You can extract the root certificate of the certificate chain required for user certificate enrollment.

To extract the Root certificate value, follow these steps.

1. Run the certificate file in crt format on the PC. The certificate window will appear.
2. In the certificate window, click the Certificate Path tab.
   • If the file is in PEM format, convert it to a .crt file.
3. Click the topmost Root certificate and click View Certificate.
4. After clicking the Details tab, click Copy to File.
5. When the certificate export wizard runs, click Next.
6. Select the format Base 64-encoded X.509(.CER)(S) and click Next.
7. Click Browse to select the path where you want to save the file, then click Next.
8. Click Finish. The certificate export wizard will complete.
9. Open the exported file in TEXT format and verify the values.
   • The start and end of the extracted certificate value must include the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—- entries.

Enter Certificate Chain value

This explains how to enter the extracted Intermediate (Subordinate) certificate and Root certificate values into the Certificate Chain field when creating a Certificate Manager.

To enter the Intermediate (Subordinate) certificate and Root certificate values into the Certificate Chain field, follow these steps.

1. Execute the Intermediate (Subordinate) certificate file and the Root certificate file as text files.
2. Copy the entire value of the Intermediate (Subordinate) certificate file.
3. Paste it into the Certificate Chain input area on the Certicafate Manager Creation page.
   • Paste it, including the —–BEGIN CERTIFICATE—– at the beginning and the —–END CERTIFICATE—- at the end of the certificate value.
4. Copy the entire value of the Root certificate file.
5. Paste it into the Certificate Chain input area on the Create Certicafate Manager page.
   • Paste it, including the —–BEGIN CERTIFICATE—– at the beginning and —–END CERTIFICATE—- at the end of the certificate value.
   • Paste the Root certificate value on the line below the Intermediate (Subordinate) certificate.

3.3 - API Reference

3.4 - CLI Reference

3.5 - Release Note

Certificate Manager

4 - Secret Vault

4.1 - Overview

Service Overview

Secret Vault is a service that, by using the Open API to connect to the Samsung Cloud Platform, allows you to obtain a secure token‑based temporary key without hard‑coding security information in plain text, enabling access to the Samsung Cloud Platform’s services and resources. It also manages the lifecycle of the temporary key to maintain a hardened security environment when using APIs.

Features

• Enhanced Security Environment Implementation: Instead of hardcoding authentication credentials in the application source code, you can obtain a token-based temporary key to mitigate security threats arising from credential leakage.
• Life-Cycle based temporary key management: To meet security requirements, users do not need to manually manage the lifecycle of temporary keys. It provides automated temporary key management and replacement functions according to the initially configured lifecycle.
• Various resource utilization possible: Through the Token issued by Secret Vault, you can access not only resources within the Samsung Cloud Platform but also external resources (other CSPs, on‑premise, etc.) in a reinforced security environment.

Service Architecture Diagram

Provided features

Secret Vault provides the following features.

• Add Token authentication and encrypt authentication key storage: Provides token issuance via an authentication key and temporary key issuance using the token, and securely stores the authentication key information encrypted (AES-256).
• Temporary Key Life-cycle Management: Provides issuance and automatic replacement of temporary keys according to their life cycle, and allows setting a replacement interval in hours (up to 36 hours).
• Access Control Feature: IP-based access control of the resources where the user application runs is possible.

Component

Secret

A Secret is an object that combines token information and temporary key rotation information, and can be requested by the user in the console.

Token

A token is a unique string used to authenticate a user’s identity and verify permissions, and when making an Open API request, you can obtain a temporary token that allows access to the Samsung Cloud Platform.

Constraints

Secret Vault provides a region-based service. Therefore, when creating a Secret, you cannot select an authentication key that is being used by a Secret in another region.

Prior Service

Secret Vault does not require any separate prerequisite service work.

4.2 - How-to guides

Users can create the service by entering the required information for the Secret Vault service and selecting detailed options through the Samsung Cloud Platform Console.

Create Secret Vault

You can create and use the Secret Vault service in the Samsung Cloud Platform Console.

To create a Secret Vault, follow these steps.

1. Click the All Services > Security > Secret Vault menu. Navigate to the Service Home page of Secret Vault.
2. On the Service Home page, click the Create Secret Vault button. You will be taken to the Create Secret Vault page.
3. On the Create Secret Vault page, enter the information required to create the service and select detailed options.
   • Select the required information in the Service Information Input area.

     Category	Required status	Detailed description
     Secret name	Required	Enter Secret name Enter 3~63 characters using lowercase English letters and numbers
     type	Required	Select the type of encryption target
     authentication key	Required	Select an authentication key to use with the Secret Vault service Click the Use button and select a pre‑generated authentication key from the Authentication Key Management menu. In the Authentication Key Management menu, you must select one‑time authentication as the security authentication method. Expired authentication keys are not displayed, and keys with a remaining validity of less than 30 days or keys already in use for a Secret Vault product cannot be used. (Only one Secret Vault product can be applied per authentication key.)
     Token usage period	Required	Enter the usage period of the Token provided by encrypting the authentication key The Token usage period is automatically set to match the validity period of the entered authentication key by default. If the authentication key validity period is set to permanent, the Token usage period can be set up to a maximum of 7,300 days (20 years). The Token usage period cannot be changed after the service application is completed. Periodic replacement of the Token is recommended to enhance security. When the Token usage period expires, temporary key issuance is not possible, and you must obtain a new Token by submitting a new service application. Once the Token usage period expires, it cannot be extended and the Token can no longer be used. Before the Token usage period expires, obtain a new Token by submitting a new service application and apply the issued Token information to your source code.
     IMSI key replacement interval	Required	Select the temporary key rotation period to be used for accessing Samsung Cloud Platform resources The temporary key usage time is applied from the moment the service creation is completed. For security enhancement, the temporary key usage period can be set to a maximum of 1.5 days (36 hours). A new temporary key is issued before the temporary key expires, and the same usage period applies.
     Allowed IP	Required	Enter the IP to allow access, then click the Add button The entered IP must also be set identically in Key Management > Security Settings > Allowed Access IP for access to be permitted. Even when entering a single IP, be sure to append ‘/32’ after the IP. You can register up to 10 IPs.
     Explanation	Select	Enter additional information

     Table. Secret Vault service information input fields
   • Select the required information in the Additional Information Input area.

     Category	Required status	Detailed description
     tag	Select	Add Tag Add Tag Click the button to create and add a tag, or add an existing tag. Up to 50 tags can be added per resource. The newly added tags are applied after the service creation is completed.

     Table. Secret Vault additional information input fields
4. Summary Verify the detailed information and estimated billing amount generated in the panel, then click the Complete button.
   • After creation is complete, check the created resources on the Secret Vault List page.

Check Secret Vault detailed information

You can view and edit the full list of resources and detailed information for the Secret Vault service. The Secret Vault Details page consists of Details, Tags, and Activity Log tabs.

To view detailed information about the Secret Vault service, follow these steps.

1. Click the All Services > Security > Secret Vault menu. You will be taken to the Secret Vault Service Home page.
2. On the Service Home page, click the Secret Vault menu. You will be taken to the Secret Vault List page.
3. On the Secret Vault List page, click the resource to view detailed information. You will be taken to the Secret Vault Details page.
   • Secret Vault Details page displays status information and additional feature information, and consists of Details, Tags, Activity Log tabs.

     Category	Detailed description
     Secret Vault status	Status of the Secret Vault created by the user Active: Running To be terminated: Pending termination after a service cancellation request The scheduled termination time of the service is displayed, and you can cancel the service termination. Expired: Token expired state Secrets that have changed to the Expired state cannot perform any actions such as information retrieval, and are automatically deleted after 7 days.
     Replace temporary key	Immediately delete the current temporary key and generate a new temporary key Only the creator of the Secret Vault service can replace the temporary key.
     Service termination	Button to cancel the service

     Table. Secret Vault status information and additional features

Detailed Information

Secret Vault List page lets you view detailed information of the selected resource and modify the information if necessary.

tag

On the Secret Vault List page, you can view the tag information of the selected resource and add, modify, or delete it.

Job History

On the Secret Vault List page, you can view the operation history of the selected resource.

Terminate Secret Vault

You can cancel the unused service to reduce operating costs. However, if you cancel the service, the running service may be terminated immediately, so you should thoroughly consider the impact of service interruption before proceeding with the cancellation.

To cancel Secret Vault, follow the steps below.

1. Click the All Services > Security > Secret Vault menu. Navigate to the Service Home page of Secret Vault.
2. On the Service Home page, click the Secret Vault menu. You will be taken to the Secret Vault List page.
3. On the Secret Vault List page, select the resource to cancel and click the Cancel Service button. You will be taken to the Cancel Service popup window.
4. Service Cancellation popup window, after entering the termination waiting period (7~30 days), click the Confirm button. The service will be terminated after the waiting period entered by the user.

Cancel Secret Vault termination

You can cancel the termination of a service that is pending cancellation and use it again.

To cancel the termination of Secret Vault, follow these steps.

1. Click the All Services > Security > Secret Vault menu. Navigate to the Service Home page of Secret Vault.
2. On the Service Home page, click the Secret Vault menu to go to the Secret Vault List page.
3. On the Secret Vault List page, click the resource to cancel the termination. You will be taken to the Secret Vault Detail page.
4. On the Secret Vault Details page, click the Cancel Termination button. You will be taken to the Cancel Service Termination popup.
5. Cancel Service Termination After reviewing the content in the popup window, click the Confirm button. The status of the resource for which the termination was canceled will be restored to Active.

Configure Application Token

The Token information issued through the Secret Vault service application is required for API calls to request OpenAPI temporary key issuance. Set the Token information according to each Application environment.

To configure the token information, follow these steps.

1. Apply the token information to the application’s environment variable configuration file.
2. Configure the token information so that the API call logic within the application can reference it.
   • Use OpenAPI → GET /v1/temporarykey/{secretvault_id}
   • For more details, refer to the Open API Guide in the Samsung Cloud Platform Console.
3. Configure the token information so that the API call logic within the application can reference it.
   • The temporary key removes hard coding in the existing source code and can be obtained and used via OpenAPI calls using token information. For details, refer to the Open API Guide in the Samsung Cloud Platform Console.

application.yml or application.properties environment variable configuration files

Apply the obtained Token information to the environment variable configuration file.

secretvault.secretvault.id= {{ ID }}
secretvault.tokenId= {{ Token ID }}
secretvault.tokenSecret= {{ Token Secret }}

Java file

Apply it to the class file for environment variable recognition.

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecretVaultConfiguration {
    @Value("${secretvault.id}")
    private String id;

    @Value("${secretvault.tokenId}")
    private String tokenId;

    @Value("${secretvault.tokenSecret}")
    private String tokenSecret;

    @Bean
    public OpenApiClient openApiClient() {
        // OpenApiClient 또는 다른 API 클라이언트를 생성하고 설정 값을 사용하여 초기화
        return new OpenApiClient(secretVaultName, tokenId, tokenSecret);
    }
}

4.3 - API Reference

4.4 - CLI Reference

4.5 - Release Note

Secret Vault

5 - SingleID

5.1 - Overview

Service Overview

SingleID not only allows authorized users to easily access information assets with a single authentication, but also enhances account security through policy-based permission management and real-time detection of abnormal authentication activities, and provides account management and access structures via comprehensive audit logs.

Features

• Easy and convenient login and app integration: By establishing a unified authentication system that allows login from On-Premises to SaaS apps with a single ID, you can improve work productivity. Administrators can easily integrate various apps without domain knowledge of authentication by automating connections to diverse global SaaS apps through the ready-made Pre-Built Connector.
• Account Management Optimization and Security Enhancement: We systematically manage the account lifecycle—from creation to termination—for a diverse range of users, including employees, partners, corporations, and subsidiaries. Additionally, we grant permissions to authorized users in a timely manner and promptly revoke unnecessary permissions, thereby preventing unauthorized access and strengthening account security.
• Enhanced Anomaly Detection: By detecting authentication anomalies based on context such as user type, login IP, device information, and access time, security policies can be applied according to the situation to prevent account compromise incidents.
• Cloud Access Management: It consolidates the access paths of operators/developers accessing public clouds, and implements role‑based temporary‑token console/resource access control to further enhance cloud security in multi‑cloud environments.

Service Architecture Diagram

Provided features

SingleID provides the following features.

• Unified Authentication and Account Management
  • Support for various authentication integration protocols (SAML, OIDC, etc.)
  • Providing a self-service feature for app usage requests and approvals
  • Account synchronization for Salesforce, Workday, etc., and synchronization/management of roles (groups) within accounts
  • Provide a sign‑up/withdrawal feature that can issue accounts to partners, customers, and others who are not employees.
• Passwordless and Multi-Factor Authentication
  • PC/mobile passwordless authentication and multi-factor authentication (MFA)
  • Provide composite authentication for secondary authentication by integrating with the existing primary authentication environment (MFA-only service use case)
  • Private CA(Certificate Service Authority), a private certificate issuance/management feature, provides certificate-based authentication support (separate Use Case)
    • Authentication methods: SMS, email, mOTP, TOTP, PIN, biometrics, Knox Messenger, Windows Hello, etc
• Authentication and Account Information Integration
  • Automating app integration via Pre-Built Connector
  • Simplifying custom app integration through DIY integration templates
• Risk-Based Authentication Anomaly Detection
  • Context-based access control according to authentication attempt scenarios
  • Enhancing security through detailed login and authentication policy settings
• Public Cloud Access Management for Cloud Operators/Developers
  • Console access control via role-based assigned accounts
  • Resource access request/approval and OTP-based credential authentication for resource access

Component

The components of the SingleID service are as follows. Users can access the service through the Samsung Cloud Platform SingleID Console.

• Access Management
  • Support for various authentication integration protocols (SAML, OIDC, etc.)
  • Provide unified login to internal and external business systems with a single sign‑on.
• Identity Management
  • Lifecycle management from account creation to decommission
  • Directory integration and synchronization (Active Directory, LDAP, etc.)
• Multi Factor Authentication
  • PC and mobile simple authentication
  • SMS, email, mOTP, TOTP, PIN, biometric, Knox Messenger, Window Hello, etc., offering various multi-factor authentication methods
• Anomaly Detection Management
  • Context-based access control according to authentication attempt scenarios
  • Providing adaptive access control through risk analysis
• Cloud Access Management
  • Enhancing cloud security by unifying access paths for cloud operators/developers
  • Role-based temporary token method for console and resource access control

Provision status by region

SingleID is available in the environments below.

Prior Service

SingleID has no prior service.

5.2 - How-to guides

Users can create the service by entering the required information for the SingleID service and selecting detailed options through the Samsung Cloud Platform Console.

Create SingleID

You can create and use the SingleID service in the Samsung Cloud Platform Console.

1. Click the All Services > Security > SingleID menu. Go to the SingleID Service Home page.
2. On the Service Home page, click the Create SingleID button. You will be taken to the Create SingleID page.
3. On the SingleID Creation page, enter the required information in the service information input area and select the detailed options.
   • In the Service Configuration Selection area, enter the information for the relevant service and select detailed options.

     Category	Required status	Detailed description
     Select Service	Required	Select SingleID service You can select multiple services and apply MFA when applied alone does not provide the simple authentication feature When IM, MFA are selected, AM is automatically selected When ADM is selected, AM, IM, and MFA are automatically selected When CAM is selected, AM, IM, and MFA are automatically selected When AM, IM, MFA or AM, IM, MFA, ADM are selected, a tenant is automatically created in the TAP/UP/MFA portal. If only the MFA item is selected, a tenant is created in the TAP/MFA portal
     Number of tenant users	Required	Enter the minimum number of Tenant users based on the selected service Input allowed within the range 50 - 999,999
     Number of Resource Units	Select	Enter the number of resource Units to register when selecting a CAM service Enter a value within the range 20 - 99,999
     Integration support	Select	Enter the number of integration support units Enter a value within the range 1 - 9,999 AM: 1 unit MFA: 1 unit IM: 2 units When AM and MFA are used simultaneously, they are counted as 1 unit

     Table. SingleID Service Configuration Options
   • Enter the information required to create a service in the Service Information Input area.

     Category	Required status	Detailed description
     Tenant name	Required	Enter tenant name
     Tenant code	Required	Enter Tenant code

     Table. SingleID Service Information Input Items
   • In the Member selection area, select the tenant user who will use the service.

     Category	Required status	Detailed description
     User	Required	Select members from the user list You must select at least one user to create the service

     Table. SingleID Service Member Selection Items
   • In the Additional Information Input area, enter or select the required information.

     Category	Whether required	Detailed description
     Tag	Select	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key and Value values

     Table. SingleID additional information input fields
4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Complete button.
   • After creation is complete, check the created resource on the SingleID List page.

Check SingleID detailed information

The SingleID service allows you to view and edit the full resource list and detailed information. The SingleID Details page consists of Details, Tags, Activity Log tabs.

To view detailed information for SingleID, follow these steps.

1. All Services > Security > SingleID Click the menu. Navigate to the Service Home page.
2. On the Service Home page, click the SingleID menu. You will be taken to the SingleID List page.
3. On the SingleID List page, click the resource to view detailed information. You will be taken to the SingleID Details page.
   • SingleID Details page displays status information and additional feature information, and consists of Details, Tags, Work History tabs.

     Category	Detailed description
     Service status	Service status display Creating: Tenant creation in progress Active: Tenant creation completed Terminating: Service termination in progress Failed: Tenant creation failed
     CAM Portal	Cloud Access Management portal window popup button CAM is displayed only when applying for the service
     Admin Portal	Admin portal popup button
     Service termination	Service cancellation button

     Table. SingleID status information and additional features

Detailed Information

On the SingleID List page, you can view detailed information of the selected resource and edit the information if needed.

tag

SingleID List page allows you to view the tag information of the selected resource, and add, modify, or delete it.

Job History

You can view the operation history of the selected resource on the SingleID List page.

Using SingleID Admin Portal

In the Admin Portal, you can configure and manage SSO authentication settings, account synchronization integration, and multi-factor authentication, among other things.

To access SingleID’s Admin Portal, follow these steps.

1. Click the All Services > Security > SingleID menu. You will be taken to the Service Home page.
2. On the Service Home page, click the SingleID menu. You will be taken to the SingleID List page.
3. SingleID List page, click the resource to view detailed information. SingleID Details page will be opened.
4. On the SingleID Details page, click the Admin Portal button. The SingleID admin portal window appears.
   • For a detailed description of the Admin Portal, see Admin Portal.

Using SingleID CAM Portal

In the CAM Portal, you can configure and manage console and resource access control and security management for the CSP.

To access SingleID’s CAM Portal, follow these steps.

1. All Services > Security > SingleID Click the menu. Navigate to the Service Home page.
2. On the Service Home page, click the SingleID menu. You will be taken to the SingleID List page.
3. SingleID List page, click the resource to view detailed information. You will be taken to the SingleID Details page. 4.SingleID Details page, click the CAM Portal button. The SingleID cloud access management portal window appears.
   • For detailed information about the CAM Portal, see CAM Portal.

Terminate SingleID

You can reduce operating costs by terminating the unused service.

To cancel SingleID, follow the steps below.

1. Click the All Services > Security > SingleID menu. You will be taken to the SingleID Dashboard page.
2. On the SingleID List page, click the resource to cancel. You will be taken to the SingleID Details page.
3. Cancel Service button. Click it. A cancellation alert will appear.
4. In the alert window, enter the Tenant name and click the Confirm button.

5.2.1 - SingleID Manuals

SingleID not only enables authorized users to easily access information assets with a single authentication, but also strengthens account security through policy-based permission management and real-time detection of abnormal authentication behavior, and provides account management and access frameworks through various activity logs.

SingleID Manual List

SingleID provides various manuals as shown in the table below.

5.2.1.1 - User Portal

Overview

SingleID not only enables authorized users to easily access information assets with a single authentication, but also strengthens account security through policy‑based permission management and real‑time detection of anomalous authentication behavior, and provides account management and access frameworks through various audit logs.

Provided Features

• Unified Authentication and Account Management
  • Support for various authentication integration protocols (SAML, OIDC, etc.)
  • Providing self-service functionality for app usage requests and approvals
  • Synchronization of accounts such as Salesforce and Workday, and synchronization and management of roles (groups) within those accounts.
  • Provide registration and withdrawal functions that allow issuing accounts to partners, customers, and others who are not employees.
• Passwordless and Multi-Factor Authentication
  • PC·Mobile passwordless authentication and multi-factor authentication (MFA)
    • Authentication methods: SMS, email, SingleID Authenticator(mOTP, TOTP, PIN, biometrics), Knox Messenger, Passkey, etc
  • Provide composite authentication for secondary authentication by integrating with the existing primary authentication environment (MFA‑only service use case)
  • Support for certificate-based authentication through Private CA (Certificate Service Authority), a private certificate issuance and management function (Separate Use Case)
• Authentication and Account Information Integration
  • App integration automation via Pre‑Built Connector
  • Simplifying custom app integration through DIY integration templates
• Risk-based Authentication Anomaly Detection
  • Context-based access control according to authentication attempt scenarios
  • Enhancing security through detailed login and authentication policy settings
• Public cloud access management for cloud operators/developers
  • Console access control via role-based assigned accounts

Service diagram

What is a User Portal?

The SingleID User Portal is the user interface of the SingleID service, providing various security features such as access to company applications, SSO, and access permission requests.

User Portal screen layout

The User Portal is composed of the following menus.

1. My App: A menu that allows the user to view the list of applications currently in use. 1. Users can conveniently access and manage approved apps.
2. App Catalog: A menu that displays a list of accessible applications.
3. Notice: This menu allows the SingleID administrator to display announcements to users.
4. Approval Request: This is a menu where you can manage approval requests related to application access, member registration, usage period extension, and other similar actions.

Manual composition

This manual is organized as follows.

1. Announcements and Language Settings: It explains how to set the language in the SingleID solution and how to check urgent announcements that can be viewed before logging in.
2. Login and Authentication: Explains how to register and use various authentication methods for login.
3. Register Authentication Tool: Describes the enrollment process, which is the procedure for a user to register an authentication tool.
4. Sign Up: Explains the two methods of signing up.
5. ID Retrieval: Describes the procedure by which a user finds their own ID through the ID retrieval process.
6. Privacy Policy and Terms of Service: Explains the privacy policy and terms of service that can be accessed via the link at the bottom of the screen.
7. PC SSO Agent: Describes the PC SSO Agent, which assists with SingleID login and logout.
8. My App: Describes the My App menu that can be accessed via SSO.
9. App Catalog: Describes the App Catalog menu where you can view the list of apps available for request.
10. Notification: This explains the Notification menu that allows you to view urgent notices and regular notices.
11. Approval Request: Describes the Approval Request menu that allows you to request or approve app usage.
12. Personal Information Settings: Photos, preferred language, and system time zone can be set in Personal Settings, Authentication Settings, login history·environment, logout, etc., describing the personal settings menu.

5.2.1.1.1 - Announcements and Language Settings

Notice

You can view the notice alerts posted by the administrator on the User Portal login screen and after logging into the User Portal. There are general notices and emergency notices.

• General Notice: It is a general notice posted by the administrator and is used to convey information to users. * User Portal > Notifications can be viewed in the menu.
• Urgent Notice: It is an urgent announcement posted by the administrator and is used to convey information to users. * User Portal > Login screen top and User Portal > Notifications can be viewed in the menu.

Language Settings

To change the language displayed on the screen, follow these steps.

1. In the User Portal screen > top language selection, click the language you want, Korean or English.
2. A dropdown list appears, allowing you to select between Korean and English.
3. Please select the desired language. 2. The screen switches according to the selected language.

5.2.1.1.2 - Log in using an authentication method

Log in using an authentication method

What is an authentication method?

Authentication method, often called Authenticator, refers to an authentication tool.

SingleID offers the following 11 authentication methods for user authentication.

1. Password: Enter the password on the SingleID login screen.
2. Email OTP: Send the OTP via email and enter the OTP on the SingleID login screen.
3. SMS OTP: Send the OTP via SMS and enter the OTP on the SingleID login screen.
4. Knox Messenger OTP: Send the OTP via Knox Messenger and enter the OTP on the SingleID login screen.
5. Knox Identity: Knox Portal users enter the Knox Password for the Knox Identity Password on the SingleID login screen.
6. SingleID Authenticator Bio: Send via the dedicated SingleID mobile app and authenticate with biometric verification on the mobile device.
7. SingleID Authenticator PIN: Send it to the dedicated SingleID mobile app and enter the PIN on the mobile device.
8. SingleID Authenticator mOTP: Install the SingleID dedicated mobile app and enter the mOTP (Mobile OTP) number.
9. SingleID Authenticator TOTP: Install using the SingleID dedicated mobile app and enter the TOTP (time‑based OTP) code.
10. Passkey: An authentication method based on Mobile and Windows Hello that authenticates using biometrics (fingerprint, facial), PIN, and security keys.
11. TOTP Authenticator: Generate TOTP (Time-based OTP) with a 3rd Party Authenticator and enter the OTP on the SingleID login screen
12. Admin Authentication: Request authentication on behalf of the admin to integrate authentication

Enter user ID

The user attempts to log in by entering their ID on the login screen below.

To log in using a user ID, follow these steps.

1. Login screen > Account ID Enter the ID in the input field, then click the Next button.
2. Enter the password in the password field, and click the Next button.
3. Login is complete.

Passwordless login

SingleID provides a login service without a password.

To log in without using a password, follow these steps.

1. Login screen > Want to log in without a password? Click it.
2. Select verification method The screen appears. 2. Click one of the desired authentication methods.
3. Enter the authentication code according to the authentication method you selected.
4. After login is completed, you will be taken to the User Portal main screen.

Setting Preferred Authentication Method

SingleID users log in to the User Portal provided by SingleID to set their preferred primary and secondary authentication methods.

If the user sets their preferred method, the Select verification method screen is omitted during login and authentication, allowing immediate authentication with the primary and secondary methods.

If you want to set your preferred authentication method, follow the steps below.

1. User Portal > Personal Profile > Authentication Click the settings.
2. Authentication Settings screen appears.
3. Click the ☆ 1st, ☆ 2nd that corresponds to the authentication method you prefer, placed before each method.
4. Only one selection is allowed for each of 1st, 2nd. 4. When it changes to ★, the selection is completed.

After the configuration is complete, the next login will use this method, offering convenient access.

Register authentication method

Users can configure all authentication methods. Registering an authentication method by a user is called enrollment. When a user account is created for the first time, the email OTP is automatically enrolled using the email information from the user data. Other authentication methods can be used by having the user enroll directly as needed.

There are two methods for authentication enrollment.

• Register in Authentication Settings: User Portal > Profile > Authentication settings, click the + Add New button at the bottom to register.
• Select verification method screen registration: At login, first-factor authentication; at second-factor authentication, on the Select verification method screen, select the authentication method that has a gray check mark (V) and register it.

First login

Password reset

When a user logs in for the first time, they can log in after resetting their password.

To reset your password, follow the steps below.

1. Login screen > Account ID input field, enter the ID, and click the Next button.
2. Click Password Reset below the Next button.

Consent to collection/use of personal information

Consent for the collection and use of personal information is required when logging in with SingleID for the first time or during a certain period. Please follow the consent procedure and select the required, optional items to agree.

Required items must be selected to log in.

Password authentication

Password is the most basic authentication method, serving as SingleID’s default authentication tool.

Enter password

To log in using a user ID, follow the steps below.

1. In the Login screen > Account ID input field, enter the ID, and click the Next button.
2. Enter the password in the Password field, and click the Next button to log in.

Email OTP authentication

Authentication

To authenticate with email OTP, an OTP will be sent to the email address registered by the user.

To authenticate with an email OTP, follow the steps below.

1. In the Identity Verification Selection method, click Email.
2. An OTP code will be sent to the registered email. 2. Enter the OTP within the time set by the administrator (usually 3~5 minutes).
3. After entering the OTP, click the Confirm button to complete authentication.

SMS OTP authentication

Authenticate

To authenticate with SMS OTP, an SMS OTP is sent to the mobile device registered by the user.

To authenticate with an email OTP, follow the steps below.

1. In the Identity verification selection method, click Email.
2. The OTP code will be sent to the registered mobile phone. 2. Enter the OTP within the time set by the administrator (usually 3~5 minutes).
3. After entering, click the Confirm button, and the authentication will be completed.

Knox Messenger OTP authentication

Authenticate

If you want to authenticate with Knox Messaenger OTP, the OTP will be sent to the Knox Messanger you are using.

To authenticate Knox Messenger OTP, follow the steps below.

1. In the Identity verification selection method, click Knox Messenger.
2. The OTP code is sent via Knox Messenger. 2. Enter the OTP within the time set by the administrator (usually 3~5 minutes).
3. After entering, click the Confirm button, and the authentication will be completed.

Knox Identity Password Authentication

Authenticate

To authenticate with Knox Identity, you must enter your Knox Identity password.

If you want to authenticate with Knox Identity, follow the steps below.

1. In the Identity verification selection method, click Knox Identity.
2. Enter the password for your Knox account.
3. After entering, click the Confirm button to complete authentication.

SingleID Authenticator authentication

The SingleID service provides a mobile authentication app called SingleID Authenticator and offers authentication in various ways.

Authentication Method

Passkey authentication

The SingleID service offers simple authentication and multi-factor authentication using a Windows-based Passkey.

Authentication method

1. Convenient authentication: Provides easy login without ID/Password by using Sign in with Passkey at the bottom of the login page.
2. Multi-factor authentication: Provides convenient login without requiring an ID/password during secondary authentication.

Authentication Types

• Mobile Passkey: Scan the QR code and log in using Android and iOS mobile.
• Biometrics: Login via fingerprint recognition based on Windows Hello
• PIN: Login using Windows PIN code
• Security key: Log in using the Windows security key

Administrator authentication

Authenticate

In the SingleID service, the administrator provides authentication by delegating identity verification on behalf of the user.

To perform administrator authentication, follow the steps below.

1. Identity verification selection method, if you cannot perform identity verification at the bottom of the screen, you can request verification from the administrator. 1. Click here. click it.
2. Click the Request button.
3. You will be taken to the admin selection screen. 3. Select the administrator who requested authentication delegation and click the Request button.
4. Authentication delegation is requested to the selected administrator.
5. When the administrator approves the authentication delegation, the authentication delegation is completed automatically.

5.2.1.1.3 - Register authentication tool

1. Delete Windows Hello
2. Register Passkey authentication tool –>

Register authentication tool

The principle is that all authentication tools are registered and used by the user themselves.
Registering an authentication tool by the user is called enrollment (Enrollment).
When a user is created for the first time, the Email OTP is automatically registered using the email information from the user data.
The remaining information can be directly registered and used by the user as needed.

There are three ways to register.

1. Login screen > ID/Password enter > Identity verification method register on the selection screen
   • On the identity verification method selection screen, click the authentication tool marked Registration Required (V mark) to register.
2. Click the User Portal(after login) > Profile > Authentication Settings > + Add New button to register.
3. Register through the registration message link at the bottom of every authentication screen.
   • The screen below is an example of an SMS verification screen. * At the bottom, you can register by clicking the If you have changed your mobile phone, please register. message.
   • All authentication code inputs can be changed via a message below (Message format: ~ please register.)

Authentication code input screen example

Register Email Verification Tool

Email registration consists of the following three steps.

1. Verification Step: This is the identity verification step before registering the email authentication tool.
2. Registration step: This step registers a new email and checks whether the number is valid.
3. Completion stage: This is the final step to confirm that the registration was completed successfully.

Check step

This is the step of identity verification before using the authentication tool. To view the identity verification process, please refer to 로그인 및 인증하기.

Registration step

This is the step where the user registers the desired email address and checks its validity.

The user should follow the steps below.

1. If you complete identity verification in the Confirmation step, you will automatically move to the Registration step.
2. Enter the email address you want to register.
3. Click the Send verification code button.
4. Check the OTP code sent to the entered email address, and enter the OTP code on the screen.
5. If the authentication code is entered correctly, it proceeds to the complete stage.

Completion Phase

Registration completed screen appears, and on the next login you can perform first and second factor authentication using the email verification tool.

Register SMS authentication tool

SMS registration consists of the following three steps.

1. Verification step: This is the identity verification step before registering the SMS authentication tool.
2. Registration step: This step registers a new mobile phone number and checks whether the number is valid.
3. Completion Stage: This is the final step to confirm that the registration was completed successfully.

Check step

This is the step of identity verification before using the authentication tool. To view the identity verification process, refer to 로그인 및 인증하기.

Confirm stage can only authenticate using the authentication tool configured by the administrator.

Registration step

This step registers the mobile phone number the user wishes to add and checks its validity.

The user can proceed with the following steps.

1. If you complete identity verification in the Confirmation step, you will automatically move to the Registration step.
2. Select the Country code, and enter the Mobile phone number you wish to register.
3. Click the Send verification code button.
4. Check the OTP code sent to the entered mobile phone number, and enter the OTP code on the screen.
5. When the Authentication code is entered correctly, it proceeds to the Complete stage.

Completion phase

Registration Complete screen will appear, and on the next login you can perform first and second factor authentication using the SMS authentication tool.

Register Knox Messenger authentication tool

Knox Messenger registration consists of the following three steps.

1. Verification step: This is the identity verification step before registering the Knox Messenger authentication tool.
2. Registration Step: Enter the Knox ID to register. 2. This is the step that checks whether the Knox ID to be registered is valid.
3. Completion Stage: This is the final step to confirm that the registration was completed successfully.

Check step

This is the step of identity verification before using the authentication tool. If you want to view the identity verification procedure, refer to Login and Authentication.

In the verification stage, the authentication method to be used can only be performed with the authentication tool configured by the administrator.

Registration Step

This step registers the mobile phone number the user wants to add and checks its validity.

The user should follow the steps below.

1. If you complete identity verification in the Verification step, you will automatically move to the Registration step.
2. Enter the Knox ID to register.
3. Click the Send verification code button.
4. Check the OTP code sent to Knox Messenger of the entered Knox ID, and enter the OTP code on the screen.
5. When the authentication code is entered correctly, it proceeds to the complete stage.

Completion Phase

Registration Complete screen will appear, and on the next login you can perform first and second factor authentication using the Knox Messenger authentication tool.

Register Passkey authentication tool

The SingleID Authenticator is an authentication tool provided for the SingleID service.

Passkey enrollment consists of the following three steps.

1. Verification stage: This is the identity verification step before registering the Passkey authentication tool.
2. Registration Stage: This is the Passkey registration stage.
3. Completion Stage: This is the final step to confirm that the registration was completed successfully.

Check step

This is the step where you verify your identity before registering the authentication tool. If you want to view the identity verification procedure, refer to 로그인 및 인증하기.

Registration stage

This is the step to verify the mobile phone or PC environment where you want to register a Passkey.

Complete the registration process in the four steps below.

1. Activation: Passkey support environment guide.
2. Confirm: Complete identity verification using an authentication method.
3. Registration: Passkey registration stage. 3. When you click the Generate on this device button, a passkey is created and registered on the PC. 3. Create on another device Clicking the button registers with a mobile phone or a hardware security key.
4. Complete: Registration complete step confirming that registration has been completed. 4. Click the Continue button.

Completion Phase

After the passkey registration is completed, the Registration Complete screen appears. You can perform first- and second-factor authentication with the Windows Hello authentication tool on the next login.

How to Register PC Passkey

This guide explains how to register a Passkey using Windows Hello on a PC. Passkey must have Windows Hello set up in advance. For detailed information, see the Windows Hello setup.

If you have completed registering a fingerprint or PIN in Windows Hello settings. Follow the steps below.

1. Click User Portal > Profile > Authentication Settings.
2. Click the Add New button.
   
   
3. On the Select registration authentication method screen, select Passkey.
4. Passkey Registration The screen appears. 4. Click Start.
   
   
5. Passkey supported environment screen appears. 5. Check the supported operating system version and click the Next button.
   
   
6. The Select verification method screen appears. 6. Complete verification using an authentication method that can verify your identity.
7. Passkey registration screen appears. 7. Click the Generate on this device button. (Generate Passkey on Windows PC)
   
   
8. (If a fingerprint or PIN is set in Windows Hello) Fingerprint or PIN entry authentication screen appears.
   
   
9. When you enter a fingerprint or PIN code, the registration complete screen appears.
   
   

Mobile Passkey Registration Method

This is a guide on registering a mobile Passkey. Mobile Passkey requires the following pre-configuration to be completed in advance.

• Enable Bluetooth
• Set screen lock password
• Register PIN code
• Allow fingerprint or facial recognition

If you have completed registering the Passkey via mobile. Follow the steps below.

1. Click User Portal > Profile > Authentication Settings.
2. Click the Add New button.
   
   
3. Select registration authentication method on the screen, select Passkey.
4. Passkey registration screen appears. 4. Start click.
   
   
5. Passkey supported environment screen appears. 5. Check the supported operating system version and click the Next button.
   
   
6. Select verification method The screen appears. 6. Complete verification using an authentication method that can verify your identity.
7. Passkey Registration The screen appears. 7. Create on another device Click the button.(Android or iOS)
   
   
8. The QR code appears on the screen. 8. Scan the QR code to generate a passkey on your mobile.
   
   
9. When you enter a fingerprint or PIN code on mobile, the Registration Complete screen appears.
   
   

SingleID Authenticator Register authentication tool

The SingleID Authenticator is an authentication tool provided for the SingleID service.

SingleID Authenticator enrollment consists of the following four steps.

1. Verification step: This is the identity verification step before registering the SingleID Authenticator authentication tool.
2. Installation Step: This is the user’s SingleID installation guide step.
3. Registration Stage: This step registers a new mobile app and registers the service.
4. Completion stage: This is the final step to confirm that the registration was completed successfully.

Verification step

This is the step of verifying your identity before using the authentication tool. To view the identity verification process, refer to 로그인 및 인증하기.

Installation steps

There are three main ways to install the SingleID mobile app.

• How to install SingleID Authenticator by having the user scan a QR code on their mobile, or by searching for “SinlgeID” on Google Play (for Android) or the App Store (for iOS).
• How to install by entering your mobile phone number and receiving the download link via SMS
• How to install using a manual download link After installing the SingleID Authenticator app and clicking the Next button, you will proceed to the registration step.

Registration Step

Install the SingleID Authenticator mobile app on the mobile phone you want to register, then launch SingleID Authenticator.

Complete the registration process using the three steps below.

1. Service Registration: In the SingleID Authenticator app, click the ‘+’ at the top.
2. Enter QR or authentication number: Scan the QR code or enter the authentication code to register.
3. Service registration complete: Click the Confirm button to complete the registration.

Completion Phase

After registration is completed in SingleID Authenticator, the Registration Complete screen appears. You can perform first- and second-factor authentication with the Windows Hello authentication tool on the next login.

Register TOTP Authenticator tool

TOTP Authenticator registers 3rd Party TOTP to support various authentication tools.

TOTP Authenticator enrollment consists of the following four steps.

1. Verification step: This is the identity verification step before registering the SingleID Authenticator authentication tool.
2. Installation Step: This is the user’s SingleID installation guide step.
3. Registration Stage: This step registers a new mobile app and registers the service.
4. Completion Stage: This is the final step to confirm that the registration was completed successfully.

Verification step

This is the step of verifying your identity before using the authentication tool. If you want to view the identity verification procedure, please refer to 로그인 및 인증하기.

Installation Steps

There are two main ways to install the TOTP Authenticator.

• Mobile app
• Web browser extension

Click the Next button to proceed to the registration step.

Service Registration and Verification Phase

This step registers and verifies the 3rd Party TOTP Authenticator you wish to add.

Complete the registration process in the two steps below.

1. Service Registration: Scan the QR code of the TOTP Authenticator you want to register, or enter the manual code. 1. Code registration is completed in the TOTP mobile app or extension.
2. Service verification: Run the TOTP mobile app or extension and enter the OTP.

Completion Phase

After registration is completed in SingleID Authenticator, the Registration Complete screen appears. You can perform first- and second-factor authentication with the TOTP Authenticator tool on the next login.

Administrator authentication

Authenticate

In the SingleID service, the administrator provides authentication by delegating identity verification on behalf of the user.

To perform administrator authentication, follow the steps below.

1. In the Identity verification selection method, if you cannot complete identity verification at the bottom of the screen, you can request verification from the administrator. 1. Click here. Click it.
2. Click the Request button.
3. You will be taken to the admin selection screen. 3. Select the administrator who requested authentication delegation and click the Request button.
4. Authentication delegation is requested to the selected administrator.
5. When the administrator approves the authentication delegation, it is automatically completed.

5.2.1.1.4 - Sign Up

Sign up

According to internal company policy, users who are not employees—such as partners, subsidiaries, and customers—can create an account through a separate registration.

Sign up via login page link

This is the method to sign up via the Sign Up link on the login page.

On the login page, at the bottom of the login section, click Sign Up in the phrase “If you don’t have an account, click Sign Up.”

Agree to terms

To sign up, you need to agree to the terms.

Enter Information

Perform the following procedure.

1. Enter the email you want to register.
2. After entering the email, click the Send OTP button to send the OTP code.
3. Enter the OTP code from the received email address, then click the Confirm button.
4. If you enter the verification code correctly, the Sign Up button will be activated.
5. Click the Sign Up button.

Enter information

Enter various personal information required for registration.

Sign up

After entering personal information, click the Sign Up button to complete the approval request. Once approval is complete, you can proceed to the next step. Once the administrator’s approval is complete, you can log in by resetting your password.

Sign up via invitation email

You can sign up through an invitation email from the administrator. Click the Sign Up button in the received email to register.

After that, the registration process is the same as Sign up via login page link.

5.2.1.1.5 - Find ID and Reset Password

Find ID

If the user forgets their ID, click Find ID on the login screen.

Find ID using mobile phone number

The user can find their ID by entering their name and mobile phone number.

Please follow the steps below.

1. Click the Mobile tab.
2. Please enter Name.
3. Please enter surname.
4. Please enter the country code and phone number.
5. Click the Send verification code button.
6. On the authentication code entry screen, enter the received authentication code and click the Confirm button.

Password Reset

Reset password

To reset your password, click Password Reset at the bottom of the login screen.

Perform identity verification

To set a password, the user must first complete identity verification. Clicking the Password Reset button brings up the Select Identity Verification Method screen according to the policy set by the administrator. For detailed information about authentication, refer to Login and Authentication.

Password Reset

After the user completes identity verification, they are taken to a screen where they can set a new password.
Passwords must be set to match the password pattern and complexity defined by the administrator’s policy. When a user enters a password, criteria that are met are displayed in green, and those that are not met are displayed in red. Set the password so that all items appear in green.

Reset the password as follows.

1. Please enter a new password.
2. If the newly entered password fails to meet any of the complexity or pattern requirements set by the administrator, generate a more complex password.
3. To prevent user input errors, please re-enter the password to match the one you entered.
4. Click the Change Password button.

When password setup is complete, click the Log in with password button to return to the login screen. When password setup is complete, click the Log in with password button to return to the login screen.

5.2.1.1.6 - Privacy Policy, Terms of Service, Service Desk

On the lower left of every screen, there are links to the Privacy Policy and Terms of Service, allowing users to view them at any time.

Privacy Policy

A Privacy Policy link is placed at the bottom left of every screen, allowing users to view the SingleID service’s privacy policy at any time.

To view the privacy policy, follow the steps below.

1. Click the Privacy Policy at the bottom left of the screen. You can view the latest version of the privacy policy.
2. If you want to view a previous version, select the desired version at the top to retrieve it.

Terms of Use

Place a Terms of Service link at the bottom left of every screen so that users can view the SingleID service terms at any time.

To review the terms of service, follow the steps below.

1. Click the Terms of Service at the bottom left of the screen. You can view the latest version of the Terms of Service.
2. If you want to view a previous version, select the desired version at the top to retrieve it.

Service Desk Information

If users have inquiries about SingleID, they can contact using the Service Desk phone number and the main email address at the bottom of the screen.

5.2.1.1.7 - PC SSO Agent

SingleID PC SSO Agent provides integrated SSO authentication services in a Windows Desktop environment.

SingleID PC SSO Agent provides the following functions.

• Integrated SSO and login/logout across web browsers
• PC device authentication
• Essential security software installation verification feature (SingleID administrator setting)

Check whether PC SSO Agent is installed

If the administrator has set a policy to use the PC SSO Agent, SingleID automatically checks whether the SingleID SSO Agent is installed on the user’s PC as follows.

1. After the user logs in with SingleID, it automatically checks whether the PC SSO Agent is installed.
2. If the PC SSO Agent is installed on the user’s PC, it automatically proceeds to the next screen; otherwise, it automatically redirects to the installation prompt screen.
3. If the installation prompt does not appear automatically, click the Next button to install the PC SSO Agent.

Using the download link for the SSO Agent installation

PC SSO Agent installation prompt screen: Click the ‘Download’ button to download the Agent program to your PC and install it.

Install SingleID PC SSO Agent

If you download the SingleID Agent.exe file to the PC and install it correctly, a tray labeled ‘ID’ will appear in the lower‑right corner of the PC’s tray. If the PC SSO Agent is installed correctly and SSO authentication succeeds, right‑click and click “View Status” to verify that it operates normally.

Re-authentication attempt

After installing the PC SSO Agent, you can either log in again from the beginning, or click the re-authenticate button at the bottom of the screen below to retry authentication using the Agent.

5.2.1.1.8 - My App

Recently used apps

When a user logs into the User Portal, the first thing they see is the My Apps menu. The left menu bar can be expanded or collapsed by clicking the arrow(→) icon at the bottom left.

When you click the My App menu, three submenus that are provided by default and cannot be edited will appear.

• Recently used apps
• Bookmark
• Default app

Among these, clicking Recent Apps will display the apps the user has recently used. Recent apps are shown up to a maximum of 12.

Bookmark

My Apps menu, when you click the Bookmark menu, the apps you have bookmarked are displayed. You can conveniently use frequently used apps by bookmarking them. You can add a bookmark by clicking the bookmark button at the lower right of the app card, and clicking it again will remove the bookmark. Up to 12 bookmarks are allowed.

Add/Delete Bookmark

If you click the Bookmark icon at the lower right of the app you want to add, it will be added to Bookmark. Clicking it once more will delete the bookmark.

Default App

The default app menu displays all apps available to the logged-in user. When the user clicks an app, they are authenticated via SSO and the app launches in a new browser window. If a disabled app is clicked, a popup appears indicating that the app is disabled.

Add Category

The user can click the Add Category button to create a category with a name of their choice and manage the app.

• After clicking the Add Category button, enter the category name and click the Check button.
• After adding a category, the user can click the More button located to the right of the category to move, edit, or delete the category.

If you delete a category while it contains apps, the remaining apps are moved to the Default App category.

5.2.1.1.9 - App Catalog

Using the App Catalog

When you click the app catalog menu, the list of apps that are pending approval is displayed by default.

The app catalog can be viewed as a list of apps in three states.

• Unused: state where a usage request can be made
• Pending Approval: The usage request has been completed and is awaiting approval.
• In Use: The usage request has been approved and is currently in use.

If an app in an unused state does not have a request button, the user cannot request it themselves due to company policy. Please contact the administrator if you wish to use it.

Request App Usage

To request usage of an unused app, the user clicks the Request button, enters the purpose for using the app, and then clicks the Request button.

The app usage approval process may vary depending on the administrator’s settings. By default, the approver list configured by the administrator is displayed, and if multiple approvers exist, the outcome is determined by whichever approver processes the approval or rejection first.

Once the app usage request is completed, you can view the request status from the two menus.

• You can check the status in the App Catalog > Pending Approval state.
• You can view the detailed information in App Usage Approval > My Requests.

In the My Requests list, click the App to view details, and when pending approval, you can cancel the request using the Cancel Request button.

5.2.1.1.10 - Notification

Notification

Click the notification menu to view the list of notifications. There are two types of notifications.

• Urgent: Tenant administrators post urgent notices that users can view before logging in, regardless of the user’s login status, such as urgent alerts (system outages, etc.)
• General: All notifications that are not emergency alerts, which the user can view in the Notifications menu after logging in.

Notifications menu, when clicked, is set by default to All status, so both urgent and regular notifications are shown. If there are unread notifications, they appear as a number next to the notification menu, and because they are marked with a red dot in the list, unread notifications can be easily recognized. If you click this notification, you can view the details.

Approval request

When you click the approval request menu, the administrator can view and cancel all users’ approval requests.

Approval requests consist of the Approval Request List and Approval Request Queue tabs.

Approval request list

There are several types of approval request statuses. You can easily filter and view using the Approval Request, Approved, Rejected, Cancel Submission buttons at the top. If you want an advanced search, you can use the advanced search in the search bar at the top right.

• Approval Request: Shows the status of all approval requests.
• Approval: Shows all approved statuses.
• Rejected: Shows approval request items that have been rejected.
• Submission Cancellation: Displays approval requests that have been cancelled after submission.

The description of the approval request list items is as follows.

5.2.1.1.11 - Approval Request

Request approval

The app usage approval menu provides two functions.

1. My Request Tab: A list of apps I have requested to use is displayed.
2. Approval List Tab: Displays the list of app usage requests submitted to me.

Request App Usage

To request usage of an unused app, the user clicks the Request button, enters the purpose for using the app, and then clicks the Request button again. The app usage approval process may vary by company.

By default, the list of approvers set by the tenant administrator is displayed, and when multiple approvers exist, it is determined by the result of the first approval or rejection.

Once the app usage request is completed, you can view the request status in both menus.

• You can check the status from the App Catalog > Pending Approval status.
• In Approval Request > My Requests, you can view the details and perform additional actions.

My request

In the My Requests list, you can click an app to view its details, and when the request is pending approval, you can cancel it using the Cancel Request button.

When usage approval is completed, the status item in my request list will change to Approved. If you click Approved App in the list, you can view the detailed usage approval information.

Approval List

1. If you are the app usage approver, please click the Approval List tab.

   • If the user has a pending approval request for app usage, you can see that the status column in the list shows Pending Approval.

2. Click the relevant list to view the details of the approval request.

3. After reviewing the details and leaving the approver’s comments, click the Approve button to grant the requester permission to use the app.

4. You can confirm that the status item has been changed to Approved in the Approval List tab.

By clicking the app in the list, you can also view the detailed information of the approval history that the user approved as an approver.

Approval List

1. If you are the app usage approver, please click the Approval List tab.

   • If the user is in a state where approval for app usage has been requested, you can see that the status item in the list is displayed as Pending Approval.

2. Click the relevant list to view the details of the approval request.

3. After reviewing the details and leaving the approver’s comments, click the Approve button to allow the requester to use the app.

4. You can confirm that the status item has been changed to Approved in the Approval List tab.

By clicking the app in the list, you can also view the detailed information of the approval history that the user approved as an approver.

5.2.1.1.12 - Personal Profile

Configure Privacy Settings

This is a menu for user settings.

To set your privacy settings, follow these steps.

1. Click the Personal Profile > Personal Information setting at the top right of the screen.
2. You can view the photo, name, email, phone number, language, and time zone.
3. Image: Image > Image Click Change to upload the icon image you want to display.
4. Language: Choose your desired language in Korean or English.
5. Language/Time Zone: Please select the time zone you are currently in. Click the City Search button to open the city search popup. Search for the desired city in English and select it.
6. Click the Save button at the bottom of the screen to save.

Configure Authentication

You can register a user’s authentication tool and set a preferred authentication tool.

To configure authentication, follow these steps.

1. Click the Personal Profile > Authentication setting at the top right of the screen.
2. Click the +Add New button to add using the authentication tool you prefer.
3. Click the Delete button to delete authentication tools you do not wish to use.
4. ☆ Click the icon to set your preferred authentication method.

Change Password

In the authentication settings, click Change Password to change your password after completing the identity verification process.

Check login history

You can view the user’s login history and environment.

To view a user’s login history/environment, follow these steps.

1. Click Personal Profile > Login History/Environment at the top right of the screen.
2. Login History tab allows you to view information such as login date and time, location, country, city, IP address, OS type, browser type, detection status, and result.
3. In the Login Environment tab, you can view details of any registered login environments, and if an environment is no longer used, you can delete it using the ‘Delete’ button.

Log out

Click the photo icon located at the top right of the screen and then click Logout.

When you click the Logout button, all applications visited through SingleID are logged out simultaneously, and if integrated logout is configured via the PC SSO Agent, logout also proceeds in the associated browsers.

5.2.1.2 - Admin Portal

SingleID not only allows authorized users to easily access information assets with a single authentication, but also enhances account security through policy-based permission management and real-time detection of abnormal authentication activities, and provides account management and access frameworks via comprehensive audit logs.

All authentication services and account management services of organizations using the SingleID service, as well as the establishment and configuration of security policies, are managed through the Admin Portal.

A user who can access the Admin Portal to configure and manage the system is called an administrator, and through the Admin Portal’s management functions, they can integrate the organization’s business systems without restriction and define security policies for accessing each business system.

The management functions provided by the Admin Portal are as follows.

If you are using SingleID for the first time, you can set up the basic environment by configuring the features in the following order.

• Register additional administrator (User Registration)
• User synchronization through application integration (Application Registration)
• Management of synchronized users (사용자)
• Group configuration (그룹)
• Business application integration (애플리케이션 등록)
• SMS Settings (SMS Service Settings)
• Register Authenticator (Add Authenticator)
• Login policy configuration (로그인 정책)
• Authentication policy configuration (인증 정책)

The supported SingleID connection environment and recommended specifications are as follows.

5.2.1.2.1 - Dashboard

Notifications are a feature that can deliver and share important alerts related to SingleID usage with users.

Administrators can register and manage notifications through the notifications menu. The administrator selects the notification type (normal/urgent) based on the notification content and priority, and when a notification is created, the user can receive the notification before login (urgent) or after login (normal/urgent).

Administrators can register and manage notifications to be delivered to users. There are two types of notifications, presented as follows.

Notification

list

To view the notification list, access the menu as follows.

• Admin Portal > Dashboard > Notifications

Register notification

To register a notification, follow the steps below.

1. Admin Portal > Dashboard > Notifications Click the menu.
2. Register button, when clicked, navigates to the notification registration page.
3. Check the input fields below and select and enter the details.
4. Click the Save button.
5. Check the notifications registered in the list.

Edit notification

To edit the notification, follow the steps below.

1. Click the Admin Portal > Dashboard > Notifications menu.
2. Select the notification that needs editing, and click the Edit button at the bottom of the screen.
3. After editing the field you want to modify, click the Save button.
4. Check the edited notifications in the list.

Delete notification

To delete the notification, follow the steps below.

1. Click the Admin Portal > Dashboard > Notifications menu.
2. Select the notifications you want to delete, and click the Delete button at the top right of the screen.
3. The notification delete popup appears.
4. Click the Confirm button to delete the notification.

Approval request

When you click the approval request menu, the administrator can view and cancel all users’ approval requests.

Approval requests consist of the Approval Request List and Approval Request Queue tabs.

Approval request list

If you click the Approval Request List tab, you can view all approval requests.

There are four types of approval request statuses. You can easily filter and view using the Approval Request, Approved, Rejected, Cancel Submission buttons at the top. If you want an advanced search, you can use the advanced search in the search bar at the top right.

• Approval Request: Shows the status of all approval requests.
• Approval: Shows all approved statuses.
• Rejected: Shows approval request items that have been rejected.
• Submission Cancelled: Shows approval requests where the approval has been cancelled.

The description of the approval request list items is as follows.

View and cancel approval requests

When you click the approval request list, the information for that approval request appears in a popup.

View approval request list

A list of all approval requests is displayed.

To view the details of an approval request, click on the item, and the information will pop up.

Approval request queue

Click the Approval Request Queue tab to view all pending approval requests and delete them using either select all or selective selection. Through detailed search, if the requester has resigned or the approver is absent, the administrator can arbitrarily cancel (delete) the approval request.

Delete approval request

To delete the approval request, follow the steps below.

1. Please check(v) the left selection box in the list.
2. The Delete button is enabled at the top of the list. 2. Click the Delete button.
3. Request Deletion Popup appears. 3. Click the Delete button.
4. The selected approval request in the list has been deleted.

Sign up

Click the Sign Up menu to display the list of sign‑up requests.

Sign-up request

When you click the sign‑up request tab, the list of sign‑up requests appears.

There are four types of approval request statuses. You can easily filter and view using the Approval Request, Approved, Rejected, and Cancel Submission buttons at the top. If you want an advanced search, you can use the advanced search in the search bar at the top right.

• Approval Request: Shows the status of all approval requests.
• Approval: Displays all completed approval statuses.
• Rejection: Shows approval request items that have been rejected.
• Submission Cancel: Shows approval requests where the approval has been canceled.

Sign-up email invitation

An email invitation for account registration is a method where the administrator sends an invitation email to the desired user’s email address, allowing them to sign up. You can send up to 50 invitation emails at a time.

To send an invitation email, follow the steps below.

1. Dashboard > Sign Up > Sign Up Email Invitation Click the tab.
2. Click the Send Invitation Email button at the top right.
3. Send Invitation Email Popup appears.
4. Enter the email address to invite in the email field, and click the Add button.
5. Select the group that will be automatically assigned when a recipient joins the group item. (If not set, the group is unspecified)
6. Click the Invite button at the bottom right of the popup.
7. An invitation email will be sent to the specified email address.

5.2.1.2.2 - Integration

Integration is a service that configures and manages authentication services and account information for various applications.

In SCP SingleID, we support integration with new applications through customized authentication integration and account provisioning services, as well as a DIY (Do-It-Yourself) feature.

Through the integration menu, it provides integration management functions such as Application, Identity Provider, Authenticator, MFA Service Provider.

Application

The application is a menu for registering and linking various applications to apply SCP SingleID’s authentication service.

The administrator can register or edit a new application through the application list screen, and can sort, search, and delete registered applications.

Application List

The administrator can select a registered application on the application list screen to edit/delete, sort, search, etc., and can navigate to a menu screen where a new application can be registered through registration.

To view the list of applications, access the menu as follows.

• Admin Portal > Integration > Application

Application registration

The administrator can register the application by clicking the Register button on the list screen.

Application registration can be done using two methods: Custom App Integration and Pre-Built App Integration.

To register an application, access the menu as follows.

• Admin Portal > Integration > Application > Register Click the button
• Custom App Integration or Pre-Built App Integration Select tab

Custom App Integration

Custom App Integration registration is the connection menu for authenticating the application you want to integrate and provisioning the account.

We provide three types of connection functions as follows.

When registering an application by linking authentication, you provide and select the type (SAML, OIDC) according to the standard authentication integration method.

When registering an application by linking account provisioning, we provide the standard online API method (SCIM).

To register the application Custom App Integration, follow the steps below.

1. Click the Admin Portal > Integration > Application > Register button
2. Custom App Integration > Web Application(SAML) orWeb Application(OIDC) or Identity Provisioning(SCIM v2.0) Select > Next Click the button
3. Go to detailed settings

You can register an application by entering and configuring the information required for integration through a six-step screen as shown below.

Applications using standard protocols (SAML, OIDC, SCIM) can register information and configure policies and attributes through a screen consisting of the following six steps.

1. General
2. SSO
3. Provisioning
4. Profile
5. Policy
6. allocation

General

Enter the general application information as referenced below.

SSO

On the SSO information entry screen, enter the Single Sign On configuration settings.

Provisioning

The Provisioning menu is an account management feature that can distribute user information to applications for synchronization. SingleID provides global standard API specifications such as SCIM and REST.

On the Provisioning information entry screen, enter the configuration settings for account distribution.

Profile

Enter the configuration information for User/Group for deployment on the profile information input screen.

After entering all items, click the Complete button to complete the basic application settings. When you complete registering a new application, it is added to the application list, and new tabs called Policy, Assignment are created.

Policy

You can configure login policy and access control information for application policy settings.

Allocation

Register information for assigning application users based on users and groups. This menu assigns access permissions by configuring the users and groups that can access the registered application.

To assign a user, follow the steps below.

1. When you click the application, you will be taken to the application’s detail page.
2. Click the Assignment tab and click the User tab > Assign button.
3. User Assignment When the popup appears, select the user to assign, and click the Assign button.
4. In the Assignment tab, the selected user appears in the list.

Pre-Built App Integration

The Pre-Built App Integration menu offers a convenient way to quickly connect and use the desired SaaS application, with necessary settings such as connection information, name, and icon prepared in advance.

To integrate the application using Pre-Built App Integration, refer to the menu path below.

• Admin Portal > Integration > Application > Register > Pre-Built App Integration Click the tab
• Select Application > Next button click
• Go to detailed settings

The Pre-Built App Integration menu, like the Custom App Integration menu, allows you to register an application by entering the required integration information and configuring it through a six-step screen as shown below.

The input items and methods for each step are the same, except for the information that has been predefined and entered for Pre‑Built.

1. [General] {#general-1}
2. [SSO] {#sso-1}
3. [Provisioning] {#provisioning-1}
4. [Profile]{#file-1}
5. [Policy] {#policy-1}
6. [Assignment] {#configuration}

General

Enter the general application information as referenced below.

SSO

Enter the Single Sign On configuration information on the SSO information entry screen.

Provisioning

The Provisioning menu is an account management feature that can distribute user information to applications for synchronization. SingleID provides global standard API specifications such as SCIM and REST.

Enter the configuration settings for account information distribution on the Provisioning information input screen.

Profile

On the profile information entry screen, enter the user/group settings for deployment.

After entering all items, click the Complete button to complete the basic application configuration. When you complete registering a new application, it is added to the application list, and new tabs called Policy, Assignment are created.

Policy

You can configure login policies and access control information for application policy settings.

Allocation Settings

Register information for assigning application users based on users and groups. This menu assigns access permissions by configuring the users and groups that can access the registered application.

To assign a user, follow the steps below.

1. When you click the application, you are taken to its detail page.
2. Click the Assign tab and then click the User tab > Assign button.
3. User Assignment popup appears, select the user to assign, and click the Assign button.
4. The selected user appears in the list on the Assignment tab.

Application modification

When you click an application in the list view, you can edit its settings.

To modify the application, follow the steps below.

1. Click the Admin Portal > Integration > Select Application > Edit button.
2. Click the General, SSO, Provisioning, Policy, Assignment, Aggregation, Permission Items, Rebranding tab to edit the items you want to modify.
3. Click the Save button.

Permission item

The permission items provide synchronization by linking the user roles of the integrated application with SingleID.

Register permission item

To set the permission items, follow the steps below.

1. When you click the application, you are taken to its detail page.
2. Click the Allocation tab and the Permission Items tab > click the Register button.
3. When the Permission item popup appears, you need to register the permission item.
4. Enter Name, Key, Display Name, Content and click Save to register the permission.

Rebranding

A rebranding tab that does not appear during registration in the application is added. Rebranding of the application includes login page rebranding functionality when accessed as a separate application.

The included rebranding features are as follows.

• Favicon: The favicon can be modified in the browser.
• Header logo: The header logo on the login screen can be modified to the logo you desire.
• Key visual image: The key image set by default on the login page can be modified.
• Sign‑up page redirection: Registration can be directed to a separate operational sign‑up page instead of SingleID’s sign‑up page.
• Privacy Policy Redirection: You can register the privacy policy URL that was used in the existing application.
• Terms of Service redirection: You can register the Terms of Service URL previously used in the existing application.

UI

From the list screen, click the application, then in the Rebranding tab, click the Edit button to configure application-specific rebranding settings for the UI.

Change favicon

In the application, you can set a custom favicon to match the characteristics of the enterprise application.

To modify the favicon, follow the steps below.

1. Admin Portal > Integration > Select Application > UI > Edit Click the button.
2. Select custom in the Favicon item.
3. Favicon image (pencil shape) item, then click the favicon image.
4. Upload an icon file or enter the icon image URL.
5. Click the Save button and use the preview screen to confirm that the upload was successful. 6.Korean page Enter the title in Korean.
6. English page Enter the title in English.
7. Once the input is complete, use the preview on the right to confirm that it was entered correctly.
8. Click the Publish button at the lower right corner.

Header logo change

In the application, you can configure separate header logo changes to match the characteristics of the corporate application.

To modify the header logo, follow the steps below.

1. Click the Admin Portal > Integration > Select Application > UI > Edit button.
2. Select Custom in the Header Logo item.
3. You can select and configure a text logo or an image logo.
4. Enter the Korean Redirect URL and the English Redirect URL.
5. If the input is complete, use the preview on the right to confirm that it was entered correctly.
6. Click the Publish button at the lower right.

Key visual change

In the application, you can configure separate key visual changes to match the characteristics of the corporate application.

To edit the key visual, follow the steps below.

1. Admin Portal > Integration > Select Application > UI > Edit Click the button.
2. In the key visual item, select Custom.
3. Click to use a single key visual for all languages or language‑specific key visuals.
4. If the image upload is complete, verify through the right preview that it was entered correctly.
5. Click the Publish button at the lower right corner.

Redirection

From the list screen, click the application, then in the Rebranding tab, click the Edit button to configure application‑specific rebranding settings for the redirect.

Sign up

Sign-up allows you to configure a registration link for each application.

Privacy Policy

The privacy policy can be redirected to the URL link of the privacy policy provided for each application.

Terms of Use

The Terms of Service can be redirected to the privacy policy URL link provided for each application.

Delete application

On the application list screen, select the application, deactivate it, then return to the list screen and you can delete it from the three‑dot menu.

Identity Provider

This is the menu for registering and managing IdPs that provide authentication services and credentials to SCP SingleID. At this point, the SCP SingleID acts as a Service Provider and receives authentication services from the IdP.

Identity Provider list

On the list screen, you can select a registered Identity Provider to edit/delete, sort, search, etc., and you can navigate to a menu screen where you can register a new Identity Provider.

To view the Identity Provider list, you can access the following menu.

• Admin Portal > Integration > Identity Provider

Identity Provider registration

On the Identity Provider list screen, click Register at the top to add a new entry.

To register an Identity Provider, follow the steps below.

1. Admin Portal > Integration > Identity Provider > Register Click the button
2. Custom App Integration > Web Application(SAML) or Web Application(OIDC) Select > Next Click the button
3. Go to detailed settings

You can register an Identity Provider by entering and configuring the required integration information through a three-step screen as follows.

• [General] {#General-2}
• [SSO] {#sso-2}
• [JIT provisioning] {#jit}

General

Enter the general information for the IdP (Identity Provider).

SSO

Enter the Single Sign-On configuration information on the SSO input screen.

When integrating with a Web Application (OIDC)

JIT provisioning

The JIT provisioning feature tab has been added to the Identity Provider. This feature synchronizes the account in real time when a user’s changes occur. You can configure items when the account is synchronized in real time.

After entering all items, click the Complete button to complete the basic application setup.

Modify Identity Provider

On the list screen, you can modify the settings by clicking the Identity Provider.

If you want to modify the Identity Provider, follow the steps below.

1. Click the Admin Portal > Integration > Select Identity Provider > Edit button.
2. Click the General, SSO, Provisioning, Policies, Assignment tab to edit the items.
3. Click the Save button.

Delete Identity Provider

On the Identity Provider list screen, select an Identity Provider, deactivate it, then return to the list screen where you can delete it from the three‑dot menu. To register again, click the Add button.

Authenticator

Configure by integrating the Authenticator provided by SCP SingleID. Password and Email are enabled by default.

The types and functions of Authenticators are as follows.

• Password: The Password Authenticator verifies a password known only to the user to authenticate the user as a knowledge‑based authentication method. * It is the built-in Authenticator used for primary and secondary authentication, and it cannot be deleted or disabled for security reasons.
• Email: An ownership-based authentication method that authenticates the user through an OTP (One-Time Password) delivered to the user’s email account.
• Active Directory: Enter the user password of the linked Active Directory to authenticate.
• Knox Identity: Authenticate by entering the user password of the linked Knox Portal.
• Knox Messenger: Enter the Knox Messenger OTP received via the registered Knox Messenger to authenticate.
• PC SSO Agent: Install SingleID’s PC SSO Agent on a PC to perform integrated authentication (SSO) and unified logout across various web browsers, and to authenticate through PC security checks.
• SingleID Authenticator: SingleID dedicated authentication mobile app that supports biometrics (fingerprint, facial), PIN, mOTP, and TOTP.
• SMS: Enter the SMS OTP received on the registered mobile phone to authenticate.

• Passkey: Mobile Passkey, security key, a convenient authentication method that enables easy login with Windows biometric/PIN code.
• TOTP Authenticator: Enter the TOTP received via the registered authentication app or web extension to authenticate.

Authenticator list

We support all authenticators of the six supported types.

To check the Authenticator, please refer to the following path.

• Admin Portal > Integration > Authenticator

Add Authenticator

On the Authenticator list screen, clicking Register moves to the next screen, switching to a screen where you can add an Authenticator.

To add an Authenticator, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Each authentication methodselect > Next click the button.
3. Enter the information required for authentication settings.
4. Click the Save button.

Add Active Directory {#Active Directory-add}

Users can authenticate using the connected Active Directory.

To add Active Directory, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Select Active Directory > Click the Next button.
3. The General page appears. 3. Please review Authnticator Overview and click the Next button.
4. Settings page appears. 4. Enter the information to register Active Directory as an Authenticator.
5. After entering all information, click the Connection Test button to verify.
6. After checking everything, click the Save button.

Add Knox Identity

Users can authenticate using the connected Nox portal.

To add Knox Identity, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Select Knox Identity > Click the Next button.
3. General page appears. 3. Check the Authnticator Overview and click the Next button.
4. Policy page appears. 4. Enter the information to register Knox Identity as an Authenticator.
5. After entering all information, click the Connection Test button to verify.
6. After checking everything, click the Save button.

Add Knox Messenger

Enter the Knox Messenger OTP received via Knox Messenger to authenticate.

To add Knox Messenger, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Select Knox Messenger > Click the Next button.
3. General page appears. 3. Check the Authenticator Overview and click the Next button.
4. Policy page appears. 4. Enter the information required to register Knox Identity as an Authenticator.
5. After entering everything, click the Save button.

Add PC SSO Agent

To use SSO across multiple browsers, you can install the PC SSO Agent on the user’s PC.

To add the PC SSO Agent, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add button, click it.
2. Select PC SSO Agent > Click the Next button.
3. General page appears. 3. Check the Authenticator Overview and click the Next button.
4. Policy page appears. 4. Enter the information required to register with the PC SSO Agent.
5. After entering everything, click the Save button.

Add SingleID Authenticator

Authenticate using the SingleID Authenticator mobile app provided by SingleID.

If you want to add the SingleID Authenticator, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Select SingleID Authenticator > Click the Next button.
3. The General page appears. 3. Please review the Authnticator Overview and click the Next button.
4. Policy page appears. Enter the information to register the SingleID Authenticator as an Authenticator.
5. After entering everything, click the Save button.

Add TOTP Authenticator

Enter the TOTP received through the registered authentication app or web extension to authenticate. You can use TOTP authentication methods to support 3rd Party Authenticators such as mobile authentication apps (Google Authenticator, Microsoft Authenticator, etc.) and web browser extensions (Chrome Web Store, Microsoft Edge Add-ons, etc.).

To add the TOTP Authenticator, follow the steps below.

1. Admin Portal > Integration > Authentictor > Add Click the button.
2. Select TOTP Authenticator > click the Next button.
3. General page appears. 3. Please review the Authenticator Overview and click the Next button.
4. Policy page appears. 4. Enter the information required to register with the TOTP Authenticator.
5. After entering everything, click the Save button.