Optional Security Authentication

Identity Federation with ECX Fabric

While the default mechanism for logging into the ECX Fabric portal is with a username and password, Equinix offers the option of federated single sign-on (SSO), so that users from an identity-federated organization can sign in to the ECX Fabric portal by authenticating with their organization's Identity Provider (IdP). By federating with ECX Fabric, organizations keep control of their users' credentials and can enforce stronger passwords aligned with their corporate policies, while offering users the convenience of SSO. Equinix supports identity federation with SAML 2.0 IdPs only.

Opting in for Federated SSO

Identity Federation can be activated at the Organization level by the Master Administrator for that Organization at their discretion. Activating identity federation will enable SSO and, by default, disable the standard username and password login mechanism for all users of that organization. If you would like your users to retain the ability to log in using the standard username and password process in addition to SSO, you will have to indicate this when providing your SAML details, as explained in the process below. To use federation, you will first need to configure your organization's IdP and the Equinix account to trust each other.

To initiate the process for Identity Federation, you can either send an email to prodsecops@equinix.com, or generate a service ticket from the ECX Fabric portal as described below:

  1. Initiate a service ticket in the ECX Fabric portal by clicking Support under the menu at the top of the screen.

  2. Create a ticket by clicking on Report an Issue.

  3. Select a location where you have a physical or virtual presence with Equinix and select Federated Login Setup under the Category menu.

  4. Enter any suitable descriptive title and issue description in the mandatory text fields and click Submit Ticket.

  5. You will receive a template via email from prodsecops@equinix.com to fill out your SAML metadata details, which will allow your IdP to be registered as the IAM identity provider in ECX Fabric.

Important: These details should ideally be provided in the form of an XML file and include the signing/encryption certificates, issuer name, creation and expiration dates, and the URL for the exported SAML metadata. If not, the SAML metadata and these additional details can be provided individually in the template.

  6. Once all details are entered, send the file as a response to the email you received from Equinix.

Note: If you wish to continue to allow your users to use the standard login process with username and password in addition to SSO, you will need to explicitly state that in your email communication to Equinix. The default option is to restrict user logins to federated SSO only. When restricted, users attempting to log in using the standard ECX Fabric username/password link will see an error message as shown below.

  7. Equinix will subsequently provide you with Equinix's SAML metadata as an XML file that you will need to import into your IdP software. You will also be provided with a custom URL to share with your users for future logins after identity federation has been enabled.

  8. You can have users test the provided URL for federated login.

  9. Once your tests are complete, you will need to notify Equinix via email of the date you would like to cut over to federated SSO for your organization.
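Before returning the SAML metadata to Equinix, it is worth checking that the exported IdP metadata actually carries the items the template asks for (issuer/entityID, signing certificate, validity date, SSO endpoints). The following Python script is an added example and is not part of the Equinix documentation or any Equinix tooling; the sample metadata, the idp.example.com host names and the certificate text are constructed placeholders, and the `check_idp_metadata` helper is hypothetical.

```python
"""Sanity-check an IdP's exported SAML 2.0 metadata before submitting it.
Hypothetical helper (not Equinix tooling): extracts the fields the
federation template asks for and flags common problems."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata: idp.example.com and the certificate
# body are placeholders, not real data.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml"
    validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_saml_time(value):
    """SAML uses xsd:dateTime in UTC, e.g. 2099-01-01T00:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_idp_metadata(xml_text, now=None):
    """Return the extracted fields plus a list of problems (empty if OK)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []

    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")

    entity_id = root.get("entityID")  # the issuer name the template asks for
    if not entity_id:
        problems.append("missing entityID (issuer name)")

    expires = None
    valid_until = root.get("validUntil")
    if valid_until:
        expires = _parse_saml_time(valid_until)
        if expires <= now:
            problems.append("metadata expired at %s" % valid_until)

    signing = encryption = 0
    for kd in root.findall(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("KeyDescriptor without an X509Certificate")
            continue
        use = kd.get("use")  # an absent 'use' means both signing and encryption
        if use in (None, "signing"):
            signing += 1
        if use in (None, "encryption"):
            encryption += 1
    if signing == 0:
        problems.append("no signing certificate; assertions cannot be verified")

    endpoints = []
    for sso in root.findall(".//md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        endpoints.append((binding, location))
        if not (location or "").startswith("https://"):
            problems.append("non-HTTPS SSO endpoint: %s" % location)
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")

    return {
        "entity_id": entity_id,
        "valid_until": expires,
        "signing_certs": signing,
        "encryption_certs": encryption,
        "sso_endpoints": endpoints,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in check_idp_metadata(SAMPLE_METADATA).items():
        print("%-17s %s" % (key + ":", value))
```

Run it against your own export (`check_idp_metadata(open("idp-metadata.xml").read())`) and resolve anything in `problems` before replying to the template email; an expired `validUntil` or a missing signing certificate is the kind of detail that otherwise surfaces only when the first federated login fails.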

Multi-Factor Authentication (MFA)

While the default mechanism for logging into the ECX Fabric portal is with a username and password, Equinix offers the option to add an extra layer of security with Multi-Factor Authentication (MFA). This adds a verification step that requires the portal password as well as a one-time password (OTP) sent to an alternate registered trusted device, so that compromised user credentials alone are not enough to gain access, presenting a significant hurdle for potential attackers.

Opting in for MFA

MFA can be activated at the organization level by the master administrator for that organization at their discretion. If the organization opts in, all users within that organization will be required to register a secondary authentication method using an alternate mechanism (cell phone, email, etc.) to receive the OTP for all subsequent logins to the ECX Fabric portal.

Opting in for MFA for ECX Fabric will also automatically enable MFA on multiple Equinix portals, including the Equinix Customer Portal (ECP) and the Internet Exchange Portal (IXP).

  1. To opt in for MFA, the company master administrator needs to log into the Equinix Customer Portal (ECP) and click on Administration under the menu at the top of the screen.

  2. Select Account Management under the Administration drop-down menu.

  3. Select Multifactor Authentication under Security Management as shown in the following:

  4. Click Send Request in the ensuing Multifactor authentication pop-up. This will initiate an email to our support group, who will begin to act on your request.

  5. Once MFA is enabled for your organization, an email notification will be sent to the master administrator to indicate that they should notify users within their organization about the requirement to register for MFA in order to continue to have access to the ECX Fabric portal.

Registering device(s) for MFA

  1. The first time you attempt to log in to the ECX Fabric portal after your organization's master administrator has opted in for MFA, you will be prompted with an MFA Introduction screen as shown below. Select Continue to advance to the alternate device registration options.

  2. You will be presented with four different alternate authentication methods as shown in the screen below. Equinix recommends that you register at least two alternate authentication methods of your choice. You must finish registering one authentication method completely before registering other authentication methods.

Note: The method you select first will be the primary alternate authentication method when you finish registration. Also, selecting Cancel at any point in this process will clear all registration methods previously configured.

Methods of authentication

SMS/Text

  1. If you select SMS/Text, you will need to select your home country and provide a mobile number.

  2. When you click Next, you will be presented with a screen to enter the registration code/OTP that will be sent to the mobile number you provided.

  3. Enter the OTP in the provided field and click Next. You will see a screen notifying you of successful device registration. You will also have the option of registering another authentication method (recommended) or finishing the registration process here.

  4. Clicking Register Another will return you to the Authentication methods screen.

Note: You also have options at this point to change your primary authentication device, add another authentication method, reset the process and start over, or finish registration.

Email

  1. If you select Email, you will need to provide an email address where the OTP is sent.

  2. When you click Next, you will be presented with a screen to enter the registration code/OTP that will be sent to the email address you provided.

  3. Enter the OTP in the provided field and click Next.

  4. You will see a screen notifying you of successful device registration as shown in the following screen. You will also have the option of registering another authentication method or finishing the registration process here.

Desktop App

  1. If you select Desktop App, upon clicking Next, you will be required to first install the PingID application on your desktop. Click on the appropriate download icon based on your computer OS and follow the instructions to install the application.

  2. After this is done, select Desktop App and you will be presented with a Pairing Key.

  3. Open the PingID desktop application, enter this pairing key and select Pair. You will be presented with a registration success screen. You can register another device or finish the registration process at this point.

Mobile App

  1. If you select Mobile App, you will be required to first download the PingID mobile app for your iOS or Android device from the app store on your smartphone. After this is done, select Mobile App and click Next. You will be shown a QR code as shown.

  2. You will need to scan the QR code into the PingID app on your smartphone by framing the code within the scanning window of the application. Alternatively, you can manually enter the pairing key shown on the screen into the PingID app on your phone. You will be prompted with a success message. You can register another device or finish the registration process at this point.

  3. Once you have registered all the authentication methods you desire, select Finish Registration.

  4. The Registration Complete page will be displayed. Click Continue to Sign On. At this point, the system will automatically require you to authenticate using the first MFA method you registered.

Authenticating using MFA

  1. After you have registered your alternate authentication method(s), enter your username and password at the ECX Fabric portal login screen.

  2. You will see a pop-up to notify you that an OTP was sent to the primary method/device that you registered. Retrieve the OTP (from SMS, email, etc.), enter it in the entry field provided, and click "Sign On" (Figure 13).

Authenticating using Alternate Registered Device

  1. You can choose to use a different authentication device when authenticating, provided you registered an alternate device. After entering your username and password, when presented with the pop-up to enter your OTP, click Change Device instead, as selected in the above screen.

  2. A list of your registered authentication devices will be displayed. The selected method will be identified with a green bar to its left. Select the alternate authentication method and click Sign On.

Changing Primary Authentication Device

  1. If you registered an alternate device, you can change your default primary device. After entering your username and password, when presented with the pop-up to enter your OTP, click Change Device instead.

  2. You will be presented with all the registered devices. Click Settings as shown in the preceding screenshot.

  3. Flipping one of the toggles on the right to green will activate that method as your primary method.

Note: When editing your primary authentication method, you will be required to authenticate with your existing method first.
  1. After changing the primary authentication mechanism, you will need to close your browser session and reopen another one to log into the ECX Fabric portal using your new primary authentication device.