5.3.3 NetIQ Advanced Authentication

Advanced Authentication delivers various authentication mechanisms that enable identity assurance and proofing. Access Manager is integrated with Advanced Authentication to enable multi-factor authentication. From Access Manager 4.4 onwards, you can integrate Access Manager with Advanced Authentication through an OAuth claims-based authentication mechanism, which provides secure and trusted communication.

When a user logs in to Access Manager, Access Manager authenticates and redirects the user to the Advanced Authentication server OSP common UI page for additional authentication. After the successful execution of the Advanced Authentication method (for example, Smartphone), the user is redirected to Access Manager.

You can also configure Advanced Authentication for both primary and secondary authentication.

Access Manager 4.4 introduces the Advanced Authentication Generic Class, which uses the OAuth claims-based authentication mechanism. Using this class, you can configure any of the existing authentication methods. Instead of configuring each class separately, such as the Email class or the Smartphone class, you configure the Generic class and select any Advanced Authentication method you want to use for authentication. If a new method is introduced in the Advanced Authentication server, it is available in Access Manager without any code change.

The following table lists the differences between Plug-in-based and OAuth-based Advanced Authentication classes.

Table 5-5 Differences Between Plug-in-based and OAuth-based Advanced Authentication Classes

| Plug-in-based | OAuth-based |
|---|---|
| Uses the Advanced Authentication REST API | Uses the OAuth protocol |
| You need to configure each class separately | You need to configure only the Advanced Authentication Generic class |
| If a new method is introduced in the Advanced Authentication server, a code change is required to make it available in Access Manager | If a new method is introduced in the Advanced Authentication server, it is available in Access Manager without any code change |
| You can customize branding according to your needs | Advanced Authentication 5.6 and earlier versions do not support branding customization. You can customize branding if you are using Advanced Authentication 6.0 or later |

Access Manager supports the following Advanced Authentication classes:

  • Advanced Authentication Generic Class: This authentication class authenticates using any of the other authentication methods. It is used for the OAuth-based authentication approach.

  • Dynamic (Fingerprint/PKI) Class: This authentication class sends a list of chains from which the user selects a chain and authenticates. Only the chains that are enrolled in the Advanced Authentication portal are available to the user for authentication.

    NOTE: Fingerprint and PKI methods can be configured using the Dynamic Class only. There are no separate classes for the Fingerprint and PKI methods.

  • Email Class: This authentication class sends an email containing an OTP that is valid for a specified time to the user’s registered email address. The user can use this OTP to authenticate within that time frame.

  • Emergency Password Class: This authentication class authenticates users with a temporary password.

  • FIDO U2F Class: This authentication class authenticates users with the help of a U2F security key.

    IMPORTANT: FIDO U2F will not work if enrollment and authentication are performed on different domain names. With Access Manager and Advanced Authentication, you will certainly have two domain names, one for the Identity Server and another for the Advanced Authentication server. To work around this, you should proxy the Identity Server and the Advanced Authentication server under the same domain name. Perform the following steps to configure the FIDO U2F class:

    1. Create a path-based, multi-homing proxy service with Advanced Authentication server as the web server. Create five paths under the proxy service with the URL paths as follows:

      • /account, /admin, /api, /auth, and /static

      The published DNS name must be identical to the Identity Server domain name.

    2. Create another path-based, multi-homing proxy service with Identity server as the web server and Advanced Authentication server as the parent server. Create a path under the proxy service with the URL path as follows:

      • /nidp

    3. Configure a protected resource for the first proxy service with the URL paths /account/*, /admin/*, /api/*, /auth/* and /static/* and the Advanced Authentication server as the web server. Configure another protected resource for the second proxy service with the URL path /nidp/* and the Identity Server as the web server.

      For more information, see Configuring FIDO U2F class.

  • HOTP Class: This authentication class is an event-based OTP authentication. There is no time frame for an HOTP.

  • Password (PIN) Class: This authentication class stores a password in the Advanced Authentication appliance that is not connected to your corporate directory. This can be a PIN or a simple password.

  • RADIUS Class: This authentication class forwards the user’s authentication request to a third-party RADIUS server.

  • Security Question Class: This authentication class allows users to enroll answers to an administrator-defined number of security questions. When you authenticate by using security questions, Advanced Authentication asks you all the security questions or a subset of the security questions.

  • Smartcard Class: This authentication class allows users to authenticate by using a smart card.

  • Smartphone Class: This authentication class allows you to authenticate by using a smartphone.

  • SMS Class: This authentication class sends an SMS containing an OTP to the user’s registered mobile number. The user can use this OTP to authenticate within a certain time frame.

  • TOTP Class: This authentication class is a time-based OTP authentication. This method uses a predefined time step, which is set to 30 seconds by default.

  • Voice Call Class: This authentication class makes a phone call to the user’s registered mobile number and requests a predefined PIN.

  • Voice OTP Class: This authentication class makes a phone call to the user’s registered mobile number and provides an OTP. The user can use this OTP to authenticate within a certain time frame.

Optional Properties for Plug-in-based Authentication Methods

NOTE: You do not need to specify any properties for the OAuth-based authentication methods.

Access Manager supports the following optional properties (KEY/Value) for plug-in-based authentication methods:

  • Repository Name: REPONAME. The name of the repository used for Advanced Authentication. This parameter may be omitted if the default repository is selected in the Login options policy of the Advanced Authentication server appliance.

  • Configuration File: CONFIGFILE. The path of the configuration file. This parameter is used only if the configuration file is in a different location. The default configuration file location is /etc/aaplugin/config.xml.

  • Timeout Value: RECHECKTIMEOUT. The timeout parameter that is used to prevent loops. The default value is 300 seconds. The following are the minimum recommended values:

    • Email: 120 seconds

    • FIDO U2F: 30 seconds

    • HOTP: 30 seconds

    • RADIUS: 30 seconds

    • Security Question: 30 seconds

    • Smartcard: 30 seconds

    • Smartphone: 60 seconds

    • SMS: 30 seconds

    • TOTP: 30 seconds

    • Voice Call: 30-60 seconds

    • Voice OTP: 30-60 seconds

  • Error Info JSP Page: ERRORJSP. The name of the JSP page used to report errors. This is for critical errors and failures related to the authentication process. The default file is PluginErrorPage.jsp. The file is located at:

    • Linux: /opt/novell/nids/lib/webapp/jsp

    • Windows: $INSTALL_PATH\Tomcat\webapps\nidp\jsp

  • LDAP Authentication Page: LDAPJSP. The name of the LDAP authentication page. This parameter is used for customization. It allows you to customize the LDAP login page for each method. The default file is LdapAuth.jsp. The file is located at:

    • Linux: /opt/novell/nids/lib/webapp/jsp

    • Windows: $INSTALL_PATH\Tomcat\webapps\nidp\jsp

  • Method Page: METHODJSP. The name of the method page. This parameter is used for customization. It allows you to customize the Method page for each method. The default file is <MethodName>Auth.jsp. The file is located at:

    • Linux: /opt/novell/nids/lib/webapp/jsp

    • Windows: $INSTALL_PATH\Tomcat\webapps\nidp\jsp

  • LDAP Password Sync Page: LDAPSYNCJSP. The name of the LDAP password synchronization page. The default file is LDAPSyncPage.jsp. The file is located at:

    • Linux: /opt/novell/nids/lib/webapp/jsp

    • Windows: $INSTALL_PATH\Tomcat\webapps\nidp\jsp

  • Max Password Length: PWDMAXLENGTH. This parameter restricts the maximum length of a password. The default value is 100 characters. This parameter can be used only for YubiKey tokens (FIDO U2F class).

  • Advanced Authentication Enrollment URL: ENROLLURL. This parameter contains the URL of the Advanced Authentication Self-Service Portal. The default value is https://<NetIQAdvancedAuthenticationFramework_server_address>:<server_port>/account.

  • Email Attribute: EMAIL_ATTR. (Applicable only for Dynamic class) This parameter reads and masks the user’s email address during authentication.

  • Mobile SMS Attribute: SMS_MOBILE_ATTR. (Applicable only for Dynamic class) This parameter reads the user’s mobile number to send SMS. It masks the mobile number.

  • Voice Call Telephone Attribute: VOICE_TEL_ATTR. (Applicable only for Dynamic class) This parameter reads the user’s telephone number to make voice call. It masks the telephone number.

  • Voice OTP Telephone Attribute: VOICE_OTP_TEL_ATTR. (Applicable only for Dynamic class) This parameter reads the user’s telephone number to send voice OTP. It masks the telephone number.

  • Event Used: EVENTNAME. (Applicable only for Dynamic class) The name of the event used. By default, the event name is nam.

  • Skip Authentication Chain: SKIPCHAINS. (Applicable only for Dynamic class) This parameter skips the authentication chain selection and always uses the top chain from the list.

  • DEBUG: This parameter enables additional logging. It adds data from the server requests and server responses to the log file. To enable debug logging, set the value to 1.

Prerequisites

The following list includes prerequisites required for using Advanced Authentication:

  1. For a fresh installation of Access Manager 4.4, configure Advanced Authentication server 5.6 or later. To configure the server, see Configuring Advanced Authentication. If you are upgrading to Access Manager 4.4 from a previous version and have Advanced Authentication server 5.5 or earlier configured, you cannot use the Advanced Authentication Generic Class. However, the existing Advanced Authentication classes will work. To use the Advanced Authentication Generic Class, upgrade to Advanced Authentication server 5.6 or later.

  2. After configuring the server, end users must enroll the methods in the Advanced Authentication Self-Service portal. To enroll the methods, see Authentication Methods Enrollment. If you are upgrading to Access Manager 4.4 and want to use the previously configured methods or do not want to use the Advanced Authentication Generic Class, you can skip this step.

  3. Specify the server details. See Section 3.5.9, Configuring Advanced Authentication Server.

Configuring Advanced Authentication

You must configure the Advanced Authentication server before creating a class. For configuration information, see Section 3.5.9, Configuring Advanced Authentication Server.

To configure Advanced Authentication, perform the following steps:

  1. Click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then specify the following details:

    Display name: Specify a name for the class.

    Java class: Select Advanced Authentication Generic Class to use the OAuth-based authentication class. Select any other class to use a plug-in-based authentication class.

    The Java class path is configured automatically.

  3. Click Next > Finish.

  4. Create a method for this class. If you are creating a method for OAuth-based authentication class, select a chain from Advanced Authentication Chains. If you do not specify any chain, the user will be prompted to select the chain when the user authenticates.

    NOTE: If no chain is listed in Advanced Authentication Chains, create a chain in the Advanced Authentication server. If a chain is available in the Advanced Authentication server, but the chain is not listed in Advanced Authentication Chains, assign the chain to the configured Access Manager OAuth Event in the Advanced Authentication server. See Creating a Chain.

    NOTE: When you configure a method in both a single-method chain and a multi-method chain in the Advanced Authentication portal (for example, LDAP Password chain and LDAP Password+Smartphone chain) and assign it to the same group of users and the same Event, Access Manager does not list the less secure chain. LDAP Password will not be listed because the more secure LDAP Password+Smartphone chain is available.

    Identifies User: Select this option when you assign Access Manager to perform the first factor authentication. Do not select this option when you create an Advanced Authentication method only for second factor authentication.

    Select this option when you assign Advanced Authentication to perform both first and second factor authentication.

    For more information about creating a method, see Section 5.1.3, Configuring Authentication Methods.

  5. Create a contract for the method.

    To use Advanced Authentication as a primary authenticator, the chain in the Advanced Authentication server must contain the Password method along with any Advanced Authentication method.

    For example: If an Email contract is configured to use only the Email method, configure both the Password and Email methods and then create a chain with these methods in the Advanced Authentication Administration portal. Then, enable the chain for the Access Manager event in the Advanced Authentication Administration portal.

    For more information about creating a contract, see Section 5.1.4, Configuring Authentication Contracts.

    If you want the user’s credentials available for Identity Injection policies and you did not select Require Password, add the password fetch method as a second method to the contract. For more information about this class and method, see Section 5.1.11, Password Retrieval.

  6. Update Identity Server.