3.6 Configuring Events

Advanced Authentication provides authentication events for the supported applications or devices. You can configure an event to leverage the Advanced Authentication functionalities for the respective application or device. The application or device triggers the respective authentication event when a user tries to access it.

You can create customized events for the following:

  • Third-party integrations.

  • To use Windows Client, Linux PAM Client, or Mac OS X Client on both domain-joined and non-domain workstations; the non-domain mode requires a separate event.

  • Integrations using SAML 2.0 and OAuth 2.0.

This section contains the following:

  • Configuring an Existing Event

  • Creating a Customized Event

3.6.1 Configuring an Existing Event

  1. Click Events.

  2. Click the edit icon against the event that you want to edit.

  3. Ensure that Is enabled is set to ON if you want to use the event.

  4. Select the event type.

    For most of the predefined events, you cannot change the Event type. For events such as Windows logon, Linux logon, and Mac OS logon, you can change the Event type from OS Logon (domain) to OS Logon (local) if the workstations are not joined to the domain.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

    In an event, you can configure a prioritized list of chains that can be used to get access to that specific event.

  7. If you want to restrict the event to specific endpoints, add every endpoint that must have access to the Endpoint whitelist; all other endpoints are then denied automatically. If you leave the Endpoint whitelist blank, any endpoint can authenticate with the event.

  8. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT:You must enable the Geo Fencing Options policy to use the geo fencing functionality.

  9. Select Allow Kerberos SSO if you want to enable single sign-on (SSO) to the Advanced Authentication portals. Kerberos SSO is supported for AdminUI, Authenticators Management, Helpdesk, and Report logon events.

    IMPORTANT:To use the Kerberos SSO feature, you must configure the Kerberos SSO Options policy and upload a keytab file.

  10. As a top administrator, you can enforce the configuration of events (except the Radius Server event) on secondary tenants. After configuring the settings for the event, you can freeze those settings for a specific tenant. The tenant administrator cannot edit, in the tenant administrator console, the settings that the top administrator has enforced for that event.

    To enforce the configurations for a specific tenant, perform the following steps:

    1. In the Tenancy settings, click +.

    2. In Force the configuration for the tenants, select the tenant on which you want to enforce the configuration.

    3. After you select a tenant, the Hide forced settings option is displayed. Set Hide forced settings to ON if you want to hide the enforced configuration from the tenant. When this option is set to ON, the enforced settings are not displayed at all in the tenant administrator console.

  11. Click Save.

  12. If you want to revert the changes to the default configuration, click Initialize default chains.

NOTE:If you have configured more than one chain that shares a method (for example, LDAP Password and LDAP Password+Smartphone) and assigned them to the same group of users and to the same event, the topmost chain is always used if the user has enrolled all the methods in that chain. An exception is the use of a high-security chain together with its corresponding simple chain, where the simple chain must be placed above its high-security chain.

HINT:It is recommended to have a single chain with the Emergency Password method at the top of the chains list in the Authenticators Management event and in the other events that users use. The chain is ignored if the user does not have the Emergency Password enrolled, and the user can use the Emergency Password immediately after the helpdesk administrator enrolls the Emergency Password authenticator for the user.

NOTE:Configurations that have been set by a top administrator for a particular event are grayed out. The configurations are not displayed, if the configurations are hidden by the top administrator.
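The two notes above describe how the appliance picks a chain: top usable chain wins, a chain is usable only when every method in it is enrolled, and an Emergency Password chain at the top is simply skipped for users who have not been issued one. The following is an added example (not NetIQ's code, and not the appliance's evaluation logic) that models that rule so an event's chain order can be sanity-checked before it is saved; the chain, method and group names are illustrative.

```python
"""
Added example (not NetIQ's code): a small model of the chain-priority rule
stated in the NOTE and HINT above. It reproduces the documented behaviour
(top usable chain wins; a chain is usable only if all of its methods are
enrolled and the user is in the chain's group) and flags two ordering
mistakes that follow from it. The high-security chain exception mentioned
in the NOTE is not modelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Chain:
    name: str
    methods: tuple                                        # e.g. ("LDAP Password", "Smartphone")
    groups: frozenset = field(default_factory=frozenset)  # empty = assigned to all users


@dataclass(frozen=True)
class User:
    name: str
    enrolled: frozenset   # methods the user has enrolled
    groups: frozenset     # repository groups the user belongs to


def usable_chains(event_chains, user):
    """Chains the user can complete, in the event's priority order."""
    usable = []
    for chain in event_chains:
        if chain.groups and not (chain.groups & user.groups):
            continue                                  # chain not assigned to this user
        if not set(chain.methods) <= user.enrolled:
            continue                                  # at least one method not enrolled
        usable.append(chain)
    return usable


def select_chain(event_chains, user):
    """The chain the user is sent to, or None if the user cannot log in at all."""
    usable = usable_chains(event_chains, user)
    return usable[0] if usable else None


def lint_event(event_chains):
    """Ordering problems that the NOTE and HINT warn about."""
    findings = []
    if not event_chains or event_chains[0].methods != ("Emergency Password",):
        findings.append("Emergency Password chain is not first; helpdesk recovery will not take precedence")
    for i, upper in enumerate(event_chains):
        for lower in event_chains[i + 1:]:
            # A lower chain whose methods are a superset of an upper chain's methods
            # is never selected for users who can complete the upper chain, because
            # the upper chain already matches them (same or wider group scope).
            same_scope = not upper.groups or (lower.groups and lower.groups <= upper.groups)
            if same_scope and set(upper.methods) <= set(lower.methods):
                findings.append(
                    "'%s' is shadowed by '%s' above it and will never be selected"
                    % (lower.name, upper.name)
                )
    return findings


if __name__ == "__main__":
    event = [
        Chain("Emergency", ("Emergency Password",)),
        Chain("LDAP+Smartphone", ("LDAP Password", "Smartphone")),
        Chain("LDAP", ("LDAP Password",)),          # fallback for users with nothing else enrolled
    ]
    alice = User("alice", frozenset({"LDAP Password"}), frozenset({"staff"}))
    print(select_chain(event, alice).name)          # LDAP
    print(lint_event([event[2], event[1]]))         # two findings: no emergency chain, shadowed chain
```

Run `lint_event` against the intended chain order before saving; a finding about a shadowed chain means the stronger chain will never be offered to the users you placed it there for.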

By default, Advanced Authentication contains the following events.

ADFS Event

Use this event to integrate Advanced Authentication with ADFS using the ADFS plug-in. For more information about ADFS, see Configuring Advanced Authentication Server in the Advanced Authentication - ADFS Plug-in guide.

NOTE:The ADFS plug-in is discontinued and it is recommended to use integration with ADFS using SAML. For more information about integration with ADFS using SAML, see Configuring Integration with ADFS.

AdminUI Event

Use this event to access the Administration portal. You can configure the chains that can be used to get access to the /admin URL.

NOTE:You can promote users or groups of users from a repository to the FULL ADMINS role in Repositories > Local. After this, you must assign to the AdminUI event chains whose methods those users have enrolled (at a minimum, an LDAP Password chain).

WARNING:You must be careful when changing the default chains that are assigned to this event. You may block the access to the Administration portal.

Authenticators Management Event

Use this event to access the Self-Service portal. In the Self-Service portal, users can enroll any method that belongs to a chain whose assigned group they are a member of.

Add an LDAP Password chain as the last chain in the list of chains. Because the topmost chain whose methods are all enrolled is the one used, this chain is reached only by users who cannot complete any chain above it, so it keeps the portal accessible to users who have not yet enrolled other methods without taking precedence over the stronger chains for those who have.

IMPORTANT:If the Administration portal uses a repository that does not have any user, you must enable a chain with the Password method only (Authenticators Management - Password) for this event. This lets you access the Self-Service portal and change the password in it.

You can also perform basic authentication with Advanced Authentication. To achieve basic authentication, set the Allow basic authentication option to ON in the Event Edit screen for Authenticators Management.

NOTE:Basic authentication is supported only for the Authenticators Management event and only for the Password (PIN), LDAP Password, and HOTP methods. Basic authentication sends the credential with every request, so use it only over HTTPS.

You must append /basic to the URL to log in to the enrollment page. The Login page appears, and the Username you provide must have the format username:METHOD:1, where METHOD is one of PASSWORD, LDAP_PASSWORD, or HOTP. For example: admin:PASSWORD:1.

When you log in to the Self Service portal, by default the chain with the highest priority is displayed. To display the other chains with the enrolled methods, set Show chain selection to ON.

NOTE:If you set Show chain selection to ON but a chain is not displayed in the list of available chains in the Self-Service portal, ensure that the user has enrolled all the methods of that chain.

For more information, see Authenticators Management in the Advanced Authentication- User guide.

Helpdesk Event

Configure the settings of this event to enable the Helpdesk administrator to access the Helpdesk portal. One of the roles of a Helpdesk administrator is to set an emergency password for users. An emergency password is a temporary password for users who have lost their smart card or smartphone. Some companies restrict self-enrollment and have the Helpdesk administrator perform the enrollment after hiring. You can promote repository administrators or users to Helpdesk administrators in the Repositories > LOCAL > Edit > Global Roles > ENROLL ADMINS section.

You can manage the enrollment and re-enrollment of the authenticators in one of the following ways:

  • Restrict the self-enrollment and force users to enroll through the Helpdesk.

    Or

  • Restrict only the re-enrollment or deletion of authenticator from the Self-Service portal using the Disable re-enrollment option.

For more information, see Authenticators Management in the Advanced Authentication- Helpdesk Administrator guide.

Helpdesk User Event

Configure the settings of this event to enable the Helpdesk administrator to authenticate users in the Helpdesk portal. This event is applicable for the User to manage screen that appears on the Helpdesk portal.

You must enable the Ask credentials of management user option in the Helpdesk Options policy before using this event.

Linux Logon Event

Configure the settings of this event to enable login to the Linux Client. If you want to use Linux Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

Mac OS Logon Event

Configure the settings of this event to enable login to the Mac OS Client. If you want to use Mac OS Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

NAM Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ Access Manager.

NCA Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication card and user stores must be added for the repositories for the integration to work. For more information, see the Advanced Authentication CloudAccess documentation.

RADIUS Server Event

The Advanced Authentication server contains a built-in RADIUS server to authenticate any RADIUS client using one of the chains configured for the event. For more information about configuring the RADIUS Server event, see Section 8.0, RADIUS Server.

Report Logon Event

Configure the settings of this event to log in to the Advanced Authentication Reporting portal. For more information about the Reporting portal, see Section 11.0, Reporting.

Search Card Event

Configure the settings of this event to log in to the Advanced Authentication Search Card portal. The Search Card functionality helps you to get the card holder’s contact information by inserting the card in the card reader. For more information about searching a card holder’s information, see Section 13.0, Searching a Card Holder’s Information.

Windows Logon Event

Configure the settings of this event to log in to the Windows Client.

3.6.2 Creating a Customized Event

You can create customized events for the following.

  • Third-party integrations.

  • When you must use Windows Client, Linux PAM Client, or Mac OS X Client on both domain-joined and non-domain workstations; the non-domain mode requires a separate event.

  • For integrations using SAML 2.0 and OAuth 2.0.

You can create the following types of customized events:

Creating a Generic Event

You can create a generic event for Windows Client, Mac OS X Client, and Linux PAM Client workstations that are not joined or bound to a domain. Perform the following steps to create a generic event:

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select Generic in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. If you want to restrict the event to specific endpoints, add every endpoint that must have access to the Endpoint whitelist; all other endpoints are then denied automatically. If you leave the Endpoint whitelist blank, any endpoint can authenticate with the event.

  8. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT:You must enable the Geo Fencing Options policy to use the geo fencing functionality.

  9. A top administrator can enforce the configuration of events (except the Radius Server event) on secondary tenants. For more information, see Step 10 in Configuring an Existing Event.

  10. Click Save.

NOTE:When you create a custom event, you must specify the custom event in the configuration file of the related endpoints. For more information, see the Advanced Authentication- Linux PAM Client, Advanced Authentication - Mac OS X Client, or Advanced Authentication - Windows Client guides related to the specific endpoint.

Creating an OS Logon (Domain) Event

You can create this event when a third-party application needs to read the password of a user after authentication. For example, when a Windows Client, Mac OS X Client, or Linux PAM Client workstation is joined or bound to a domain, the third-party application must read the password of the user.

The steps to create an OS Logon (domain) event are similar to the Generic event.

Creating an OAuth 2.0 Event

You can create this event for third-party integrations with OAuth 2.0.

IMPORTANT:Enable the WebAuth option in Server Options before configuring OAuth2 event.

To create an OAuth 2 event, perform the following steps:

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select OAuth2 in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. Specify the Redirect URIs. The Client ID and Client secret are generated automatically. The Client ID, Client secret, and Redirect URI are consumed by the consumer web application. After successful authentication, the user is redirected to the redirect URI specified in the event. Register only the exact redirect URIs that the application uses, and keep the Client secret on the application server; it must not be embedded in browser or mobile code.

  8. In Advanced Settings, perform the following actions:

    • Set the Use for Owner Password Credentials option to ON, if the consumer web application provides authorization in the form of Resource Owner Password Credentials Grant.

    • Set the option to OFF, if the consumer web application provides authorization in the form of Authorization Code Grant or Implicit Grant.

    NOTE:If this option is set to ON, you can use only the LDAP Password-only chain for this event. It is recommended to use separate events for Resource Owner Password Credentials Grant (Use for Owner Password Credentials > ON) and Authorization Code Grant / Implicit Grant (Use for Owner Password Credentials > OFF).

  9. A top administrator can enforce the configuration of events (except the Radius Server event) on secondary tenants. For more information, see Step 10 in Configuring an Existing Event.

  10. Click Save.

After you have created an OAuth 2 event, perform the following steps to access the consumer web application:

  1. Specify the Client ID, Client secret, and redirect URIs in the consumer web application.

  2. Specify the appliance endpoint (authorization endpoint) in the web application. For example, https://<Appliance IP>/osp/a/TOP/auth/oauth2/grant.

  3. Authenticate with the required authentication method(s) to access the consumer web application.

    NOTE: Authorization is provided in the form of Authorization Code Grant or Implicit Grant or Resource Owner Password Credentials Grant.
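The following is an added example (not NetIQ's code) of what the consumer web application does with the values from the event, for both modes described above: Authorization Code Grant (Use for Owner Password Credentials = OFF) and Resource Owner Password Credentials Grant (= ON). Only the authorization endpoint path comes from this page; the token endpoint path, host name, client ID, client secret and redirect URI are placeholders or assumptions, and the parameter names are the standard ones from RFC 6749. The code builds and validates the messages without performing any network I/O.

```python
"""
Added example (not NetIQ's code): the client side of an Advanced
Authentication OAuth2 event. ASSUMPTIONS: the token endpoint path, the
host, client ID, client secret and redirect URI are placeholders; the
authorization endpoint path is the one given on the page.
"""
import secrets
import urllib.parse

APPLIANCE = "https://aa.example.com"                          # placeholder host
AUTHZ_ENDPOINT = APPLIANCE + "/osp/a/TOP/auth/oauth2/grant"   # path from the page
TOKEN_ENDPOINT = APPLIANCE + "/osp/a/TOP/auth/oauth2/token"   # ASSUMED path


def new_state():
    """Unguessable per-login value; store it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Authorization Code Grant, step 1: the URL the browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match a Redirect URI registered in the event
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Step 2: validate the redirect back from the appliance.
    Returns the authorization code or raises ValueError on anything suspicious."""
    parts = urllib.parse.urlsplit(callback_url)
    landed = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if landed != registered_redirect_uri:
        raise ValueError("callback arrived at an unregistered redirect URI: " + landed)
    query = urllib.parse.parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this login was not started by this session.
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible login CSRF")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 3: form body POSTed to TOKEN_ENDPOINT by the server, never by a browser,
    because it carries the Client secret generated in the event."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def ropc_request_body(username, password, client_id, client_secret):
    """Resource Owner Password Credentials Grant (event option ON): the application
    itself handles the user's LDAP password, which is why that mode is limited to
    the LDAP Password-only chain."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    })


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("my-client-id", "https://app.example.com/cb", state))
    code = parse_callback("https://app.example.com/cb?code=abc123&state=" + state,
                          state, "https://app.example.com/cb")
    print(token_request_body(code, "my-client-id", "my-client-secret", "https://app.example.com/cb"))
```

The checks in `parse_callback` are the ones that matter operationally: the exact registered redirect URI, the `state` round trip, and the absence of an `error` parameter. The code exchange and the ROPC request both carry the Client secret, so they belong on the server side of the consumer application.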

Creating a SAML 2.0 Event

You can create this event for third-party integrations with SAML 2.0.

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select SAML 2 in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. If you want to restrict the event to specific endpoints, add every endpoint that must have access to the Endpoint whitelist; all other endpoints are then denied automatically. If you leave the Endpoint whitelist blank, any endpoint can authenticate with the event.

  8. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT:You must enable the Geo Fencing Options policy to use the geo fencing functionality.

  9. You can either insert your Service Provider's SAML 2.0 metadata in SP SAML 2.0 metadata or click Browse and select a Service Provider's SAML 2.0 metadata XML file to upload it.

    NOTE:You must enable the SAML 2.0 options policy for the SAML 2.0 event to work appropriately.

  10. A top administrator can enforce the configuration of events (except the Radius Server event) on secondary tenants. For more information, see Step 10 in Configuring an Existing Event.

  11. Click Save.
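Before the Service Provider's metadata is pasted into SP SAML 2.0 metadata or uploaded in step 9, it is worth checking what it asks the appliance to do. The following is an added example (not NetIQ's code, and not the appliance's own validation of the upload) that extracts the entity ID, the AssertionConsumerService endpoints and the signing expectations, and flags plain-HTTP endpoints and missing signing certificates. The metadata document in the block is constructed for the example.

```python
"""
Added example (not NetIQ's code): review a Service Provider's SAML 2.0
metadata before uploading it to a SAML 2 event. The sample metadata is
constructed; the appliance's own checks are not reproduced here.
"""
import xml.etree.ElementTree as ET   # for files from untrusted parties prefer the defusedxml package

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one HTTPS ACS, one legacy plain-HTTP ACS, no published signing key.
SAMPLE_SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://app.example.com/saml/acs-legacy" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def _bool_attr(elem, name):
    return (elem.get(name) or "false").strip().lower() == "true"


def review_sp_metadata(xml_text):
    """Return the values the IdP side needs plus findings to resolve before upload."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")

    report = {
        "entity_id": root.get("entityID"),
        "acs": [],                       # (binding, location) pairs
        "authn_requests_signed": _bool_attr(sp, "AuthnRequestsSigned"),
        "want_assertions_signed": _bool_attr(sp, "WantAssertionsSigned"),
        "signing_certs": 0,
        "findings": [],
    }
    for acs in sp.findall("md:AssertionConsumerService", NS):
        location = acs.get("Location", "")
        report["acs"].append((acs.get("Binding", ""), location))
        if not location.startswith("https://"):
            report["findings"].append("ACS endpoint is not HTTPS: " + location)
    if not report["acs"]:
        report["findings"].append("no AssertionConsumerService endpoint: assertions cannot be delivered")

    # A KeyDescriptor without a use attribute covers both signing and encryption.
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing" and kd.find(".//ds:X509Certificate", NS) is not None:
            report["signing_certs"] += 1
    if report["authn_requests_signed"] and report["signing_certs"] == 0:
        report["findings"].append("AuthnRequestsSigned is true but no signing certificate is published")
    if not report["want_assertions_signed"]:
        report["findings"].append("WantAssertionsSigned is false: the SP may accept unsigned assertions")
    return report


if __name__ == "__main__":
    result = review_sp_metadata(SAMPLE_SP_METADATA)
    print(result["entity_id"], result["acs"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

A finding about a plain-HTTP AssertionConsumerService means the assertion the appliance issues would travel unencrypted to that endpoint; resolve it with the Service Provider's owner rather than uploading the metadata as-is.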