8.4 Creating a Chain

Authentication chains are combinations of authentication methods. Users will need to pass all methods in order to be successfully authenticated.

So when you create a chain that has LDAP Password and SMS in it then the user will first need to enter their LDAP Password. When this is correct the system will send an SMS with a One-Time-Password to the mobile phone of the user and the user will need to enter the correct OTP in order to be authenticated.

The following chains are created by default:

  1. LDAP Password Only: The chain can be used by any user from the repository. It allows authentication with the LDAP Password (single-factor) method.

  2. Password Only: The chain can be used by any user who has a Password authenticator enrolled. It allows authentication with the Password (single-factor) method.

It is possible to create any chain you want. For highly secure environments you can assign multiple methods to one chain to achieve better security.

Authentication can consist of 3 different factors. These are:

  1. Something you know: password, PIN, security questions

  2. Something you have: smartcard, token, telephone

  3. Something you are: biometrics like fingerprint or iris

Something is seen as Multi-Factor or Strong Authentication when 2 out of the 3 factors are used. So a password with a token, or a smartcard with a fingerprint, is seen as multi-factor. A password and a PIN are not seen as multi-factor because they belong to the same factor.

Authentication chains are linked to user groups in your repositories. You can allow only a certain group to be able to use the specific authentication chain.

To create a new chain or edit an existing one that the Advanced Authentication framework will work with, follow these steps:

  1. Open the Chains section.

  2. Click the Add button at the bottom of the Chains view to create a new authentication chain (or click the Edit button next to an applicable authentication chain).

  3. Specify a name of the Chain in the Name text field.

  4. Specify a Short name. The short name is used by a user to switch to this chain. For example, if you name the LDAP Password & SMS chain "sms", a user can type "<username> sms" and will be forced to use the SMS chain. This can be helpful when the primary chain is not available.

  5. Select whether the current authentication chain is available for use or not available by clicking the Is enabled toggle button.

  6. The Methods section allows you to set up a prioritized list of authentication methods. For example, an LDAP Password + HOTP chain first asks the user for the LDAP password and after that for the OTP code. HOTP + LDAP Password first asks for the OTP code and then for the LDAP password.

  7. Specify groups that will be allowed to use the current authentication chain in the Roles & Groups text field.

    IMPORTANT: It's not recommended to use the groups from which you will not be able to exclude users (like the All Users group in Active Directory), because you will not be able to free up a user's license.

  8. Expand the Advanced settings section. Select Apply if used by endpoint owner, if the chain must be used only by an Endpoint owner.

    NOTE: The Endpoint Owner feature is supported for Windows Client, Mac OS Client and Linux PAM Client only.

  9. Set Required chain to Nothing, if this is a normal (high-security) chain. If you want to configure a simple chain within a specific time period after successful authentication with a high-security chain, choose an appropriate high-security chain. In this case you also need to specify a Grace period (mins). Within this time period the chain will be used instead of the appropriate high-security chain. The maximum value for grace period is 44640 min (31 days).

    NOTE: You must assign both the high-security chain and the simple chain to an Event. The simple chain must be placed higher than the corresponding high-security chain. These options are available when the Enable tracking option is set to ON.

    For example, LDAP Password+Card is a high-security chain and Card is a simple chain. Users must use the LDAP Password+Card chain once every 8 hours; within that period they only need to provide the Card method to authenticate.

  10. Click Save.

IMPORTANT: If you have configured more than one chain using the same method (e.g. "LDAP Password", "LDAP Password+Smartphone") and assigned them to the same group of users and the same Event, the top chain will always be used if the user has all methods in that chain enrolled.

An exception is the use of a high-security chain and its corresponding simple chain, where the simple chain must be placed higher than its high-security chain.
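The chain semantics described in this section (the prioritized method list, the multi-factor rule from the three factor areas, group eligibility, the Required chain with its grace period, and the top-chain rule in the note above) modelled as an added Python example. This is not the product's own code: the factor mapping, the chain, group and user names, the minute-based timestamps, and the exact evaluation order are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping of each method named in this section to its factor
# area (know / have / are).  Assumption for this example only; the product
# does not expose such a table.
FACTOR_OF = {
    "LDAP Password": "know", "Password": "know", "PIN": "know",
    "SMS": "have", "HOTP": "have", "Card": "have", "Smartphone": "have",
    "Fingerprint": "are",
}

MAX_GRACE_MINUTES = 44640  # documented maximum grace period: 31 days


@dataclass
class Chain:
    name: str
    short_name: str
    methods: list          # prioritized: the user is prompted in this order
    groups: set            # Roles & Groups allowed to use the chain
    enabled: bool = True   # the "Is enabled" toggle
    required_chain: Optional[str] = None  # None models "Nothing" (a normal chain)
    grace_minutes: int = 0                # only meaningful for a simple chain

    def __post_init__(self):
        if not 0 <= self.grace_minutes <= MAX_GRACE_MINUTES:
            raise ValueError("grace period must be between 0 and 44640 minutes")
        if self.required_chain is not None and self.grace_minutes == 0:
            raise ValueError("a simple chain needs a grace period")


def is_multi_factor(chain: Chain) -> bool:
    """Strong authentication needs methods from at least 2 of the 3 factor areas."""
    return len({FACTOR_OF[m] for m in chain.methods}) >= 2


@dataclass
class User:
    name: str
    groups: set
    enrolled: set                       # methods the user has enrolled
    # chain name -> minute timestamp of the last successful authentication
    last_auth: dict = field(default_factory=dict)


def can_use(chain: Chain, user: User) -> bool:
    """Enabled, user is in an allowed group, and every method is enrolled."""
    return (chain.enabled
            and bool(chain.groups & user.groups)
            and set(chain.methods) <= user.enrolled)


def select_chain(event_chains, user, now_min, short_name=None):
    """Pick the chain for an Event.  event_chains is the configured list, top first.

    Rules modelled from the text: the top usable chain wins; a simple chain
    (one with a Required chain) is usable only within its grace period after
    its high-security chain succeeded, and only if it sits above that chain
    in the list.  A short name ("<username> sms") forces that chain instead.
    """
    usable = [c for c in event_chains if can_use(c, user)]
    if short_name is not None:
        return next((c for c in usable if c.short_name == short_name), None)
    by_name = {c.name: c for c in event_chains}
    for chain in usable:
        if chain.required_chain is None:
            return chain                       # normal chain: top usable one wins
        high = by_name.get(chain.required_chain)
        if high is None:                       # both chains must be on the Event
            continue
        if event_chains.index(chain) > event_chains.index(high):
            continue                           # simple chain must be above its high-security chain
        last = user.last_auth.get(high.name)
        if last is not None and now_min - last <= chain.grace_minutes:
            return chain                       # within the grace period: simple chain applies
    return None


def record_success(user: User, chain: Chain, now_min: int) -> None:
    """Track a successful authentication (what the Enable tracking option does)."""
    user.last_auth[chain.name] = now_min


def demo():
    """The example from the text: LDAP Password+Card once every 8 hours, Card in between."""
    high = Chain("LDAP Password+Card", "ldapcard", ["LDAP Password", "Card"], {"Staff"})
    simple = Chain("Card", "card", ["Card"], {"Staff"},
                   required_chain="LDAP Password+Card", grace_minutes=8 * 60)
    alice = User("alice", {"Staff"}, {"LDAP Password", "Card"})   # constructed user
    chains = [simple, high]            # simple chain sits above its high-security chain
    chosen = []
    first = select_chain(chains, alice, now_min=0)                # no tracked auth yet
    chosen.append(first.name)
    record_success(alice, first, 0)
    chosen.append(select_chain(chains, alice, now_min=2 * 60).name)   # 2 h later
    chosen.append(select_chain(chains, alice, now_min=9 * 60).name)   # 9 h later
    return chosen


if __name__ == "__main__":
    print(demo())   # ['LDAP Password+Card', 'Card', 'LDAP Password+Card']
```

The ordering check in `select_chain` is what the NOTE in step 9 asks for: if the simple chain were listed below its high-security chain, the high-security chain would already have been chosen and the grace period could never take effect.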