3.8 Configuring Policies

Policies contain configuration settings for the Advanced Authentication methods, events, and so on. For example, to use the Email OTP method, you must configure the server and port settings in the Mail sender policy and to use the Multitenancy mode, you must enable the Multitenancy options policy.

Advanced Authentication provides the following policies:

To configure a policy, perform the following steps:

  1. Click Policies in the Administration portal.

  2. Click the Edit icon against the policy you want to configure.

  3. Make the required changes for a specific policy.

    A top administrator can enforce the configurations of a policy on secondary tenants. After configuring a policy, you can lock the settings for that specific tenant. The tenant cannot edit the locked settings in the tenant administrator console.

    To enforce the configurations for a specific tenant, perform the following steps:

    1. In Tenancy settings, click +.

  2. Move the tenant for which you want to enforce the configuration from the Available list to the Used list in the Force the configuration for the tenants section.

  3. After you add a tenant, the Hide forced settings option is displayed. Set this option to ON if you want to hide the configurations that you have enforced on the tenant.

      NOTE: The Tenancy settings are not supported for the following policies: CEF log forwarding, Event categories, HTTPS Options, Logo, and Multitenancy options.

      A tenant administrator cannot access the CEF log forwarding and Multitenancy options policies.

  4. Click Save.

IMPORTANT: The configured policies are applied to all the Advanced Authentication servers.

3.8.1 Admin UI Whitelist Policy

In this policy, you can configure the security settings to allow only permitted IP addresses to use the Advanced Authentication Administration portal.

By default, all IP addresses are allowed. To restrict access to the Administration portal to particular IP addresses, perform the following steps:

  1. Click Add in the Admin UI whitelist policy.

  2. Specify the address in the format 10.20.30.0/255.255.255.0 or 10.20.30.0/24.

    Advanced Authentication has an automatic validation check to prevent administrators from locking themselves out of the Administration portal. If your own IP address is outside the configured range, the message "Your IP address is not whitelisted. You will lose access! Please add your IP" is displayed.

  3. Click Save.
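The following is an added example (not the product's own code) that models the whitelist check described above: it accepts both address formats the policy allows, treats an empty whitelist as "allow all", and reproduces the self-lockout guard so an administrator can test a planned whitelist against their own address before saving. The sample whitelist entries are constructed.

```python
import ipaddress
from typing import List, Optional

# Constructed sample whitelist in both formats the policy accepts
# (netmask form and prefix-length form); not taken from any real deployment.
SAMPLE_WHITELIST = ["10.20.30.0/255.255.255.0", "192.168.5.0/24"]

LOCKOUT_WARNING = ("Your IP address is not whitelisted. You will lose access! "
                   "Please add your IP")


def parse_whitelist_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/e.f.g.h' (netmask) or 'a.b.c.d/n' (prefix length).

    strict=False lets an administrator type a host address such as
    10.20.30.7/24 and still get the containing network. A bare address
    without a suffix is treated as a single host (/32).
    """
    entry = entry.strip()
    if "/" not in entry:
        entry = entry + "/32"
    addr, mask = entry.split("/", 1)
    if "." in mask:
        # Netmask form. ipaddress rejects non-contiguous masks such as
        # 255.0.255.0 with a ValueError, which is the right outcome here.
        return ipaddress.IPv4Network((addr, mask), strict=False)
    prefix = int(mask)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {entry}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def is_whitelisted(client_ip: str, whitelist: List[str]) -> bool:
    """An empty whitelist allows every address, which is the policy default."""
    if not whitelist:
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_whitelist_entry(entry) for entry in whitelist)


def check_before_save(admin_ip: str, whitelist: List[str]) -> Optional[str]:
    """Mirror the portal's self-lockout guard: return the warning text if the
    administrator's own address would fall outside the new whitelist, else None."""
    if is_whitelisted(admin_ip, whitelist):
        return None
    return LOCKOUT_WARNING


if __name__ == "__main__":
    for ip in ("10.20.30.77", "10.20.31.1", "192.168.5.9"):
        print(ip, "allowed" if is_whitelisted(ip, SAMPLE_WHITELIST) else "blocked")
    print(check_before_save("172.16.0.9", SAMPLE_WHITELIST))
```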

3.8.2 Authenticator Management Options Policy

This policy allows you to configure the following two settings:

  • Enable sharing: This setting allows a user to authenticate with his or her authenticator to another user’s account. The helpdesk administrator can link an authenticator of one user to another user.

    To enable sharing authenticators, set Enable sharing to ON.

    NOTE: Linked authenticators work only in the online mode. Cached login does not work for linked authenticators.

    The supported methods for sharing authenticators are TOTP, HOTP, Password, Fingerprint, Card, and FIDO U2F.

  • Disable re-enrollment: This setting allows you to restrict users from re-enrolling, editing, and deleting the enrolled authenticators in the Self-Service portal.

    To disable re-enrollment or removal of authenticators, set Disable re-enrollment to ON.

    WARNING: If you access the Administration portal with local user credentials such as local\admin, you can lock yourself out. This happens when the administrator's password expires and, with re-enrollment disabled, it cannot be changed through the Self-Service portal. Therefore, before you use the Disable re-enrollment option, you must grant a repository account access to the Administration portal. To do this:

    • Add authorized users or a group of users from a repository to the FULL ADMINS role.

    • Assign chains, which contain methods that are enrolled for users, to the AdminUI event (at a minimum with an LDAP Password method).

    NOTE: This setting disables re-enrollment and removal of authenticators only in the Self-Service portal. The setting has no effect on the Helpdesk portal.

3.8.3 Cache Options Policy

In this policy, you can disable the local caching of authenticators. The policy is supported for Windows Client, Mac OS X Client, and Linux PAM Client for chains that use the methods: LDAP Password, Password, HOTP, TOTP, Smartphone (offline mode), Card, FIDO U2F, Fingerprint, and PKI.

Caching stores credentials on the Client so that a user can authenticate offline when the Advanced Authentication server is not available. A user who has once successfully logged in to the server can then log in using offline authentication.

By default, the Enable local caching option is enabled. To disable the caching, set the option to OFF and click Save.

NOTE: To cache Fingerprint data, you must install Microsoft .NET Framework 4 or higher on the workstation. The caching period cannot be configured; the cache is cleared only when the Enable local caching option is disabled.

3.8.4 CEF Log Forward Policy

In this policy, you can configure settings to forward the logs to an external Syslog server, for example a central logging server. To configure the policy, perform the following steps:

  1. Set Enable to ON.

  2. Specify the IP address of the remote logging server in Syslog server.

  3. Specify the port of the remote logging server in Port.

  4. Select an applicable transfer protocol from Transport.

  5. Click Save.

NOTE: The same Syslog configuration is used for each server type. Each server type in the appliance records its own log file.

Only logs from the Syslog section are forwarded to the external Syslog server. For more information about Syslog, see Section 12.0, Logging.

3.8.5 Delete Me Options

In this policy, you can configure settings that enable deleting all the user data from the server, including the enrolled methods.

When you set Enable delete me feature to ON, the Delete me option is displayed in a drop-down on the user name on the top-right corner of the Self-Service portal.

3.8.6 Endpoint Management Options

In this policy, you can configure settings for endpoint management.

Set Require admin password to register endpoint/workstation to ON to require the local administrator's credentials when an endpoint is registered.

You must disable the option when installing any component from the Advanced Authentication distribution package that uses endpoints (Advanced Authentication Windows Client, Mac OS X Client, Linux PAM Client, Logon Filter, and RDG plug-in). Otherwise, the endpoints are not created. Use the option for third-party integrations only.

3.8.7 Event Categories

In this policy, you can add categories that an event can use to support multiple enrollments of a method. For each event, you can specify one category.

To add a category, perform the following steps:

  1. Click Event categories.

  2. Click Add.

  3. Specify a name and description for the category.

  4. Click Save.

  5. Click Events and edit the required event to specify the category.

    Ensure that users or helpdesk administrators enroll authenticators for the new category.

NOTE:

  • You can enroll only one authenticator of one type for each category.

  • The Authenticator category option in Events is not displayed when no category is created.

  • The LDAP Password method is an exception: there is always exactly one LDAP Password authenticator, and it can be used with any category.

3.8.8 Geo Fencing Options

In this policy, you can create authentication zones by drawing boundaries for a geographical location. When you enable the geo-fencing policy, users can authenticate with their Smartphones only from the allowed geographical locations.

To enable geo-fencing, set Enable geo fencing to ON. For more information about how to configure the geo-zones, see the Smartphone method.

NOTE: When you enable the Geo-fencing options policy, the TOTP mode of the Smartphone method, which is used in the offline mode, is affected: users see the error message "TOTP login is disabled" when they try to authenticate with this method.

3.8.9 Helpdesk Options

In this policy, you can configure settings to prompt the helpdesk administrators to provide the credentials of the users in the Helpdesk portal. This enhances security. This policy is applicable to the Helpdesk User event.

Set Ask credentials of management user to ON to prompt the helpdesk administrator to provide the credentials of the user in the Helpdesk portal. Ensure that you have specified a chain (with all the methods of the chain enrolled for the users) for the Helpdesk User event.

Setting the option to OFF is less secure, but user management is faster.

3.8.10 HTTPS Options

In this policy, you can configure settings to ensure that the appliance is safe from security vulnerabilities.

This policy allows you to configure the following settings:

  • Enable TLS 1.0: This option is disabled by default because TLS 1.0 is considered an unsafe protocol, and it is recommended to keep it disabled. In some scenarios, you can enable the option to support older browser versions. For more information on browser support for TLS, see TLS support for web browsers.

  • Enable TLS 1.1: This option is disabled by default to prevent security vulnerabilities and to keep the connection between the server and the web portals (Helpdesk, Self-Service, and so on) secure. It is recommended to keep this option disabled because TLS 1.1 is considered an unsafe protocol. In some scenarios, you can enable the option to support older browser versions.

  • Enable HTTP compression: This setting enables HTTP compression to improve performance when bandwidth is low or network connectivity is slow.
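An added example (not part of the product) that verifies the policy from the outside: it pins a client handshake to each protocol version in turn and reports whether the appliance still accepts TLS 1.0 or 1.1 after the options above are left OFF. The host name `aas1.netiq.loc` is reused from this page's Kerberos example as a placeholder.

```python
import socket
import ssl
from typing import Dict, List

# Protocol versions the policy switches control, plus TLS 1.2 so the report
# confirms that a modern version still works after the legacy ones are off.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLS 1.0", "TLS 1.1")


def negotiates(host: str, port: int, version: ssl.TLSVersion,
               timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is tested here
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Newer OpenSSL builds refuse TLS 1.0/1.1 on the client side at the
        # default security level; lowering it lets the probe actually offer
        # the legacy version instead of reporting a false "disabled".
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # this Python/OpenSSL cannot even offer the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> Dict[str, bool]:
    """Probe each version separately; one handshake per version."""
    return {name: negotiates(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results: Dict[str, bool]) -> List[str]:
    """Turn probe results into findings against the intended policy state."""
    findings = []
    for name in LEGACY:
        if results.get(name):
            findings.append(f"{name} is accepted: keep 'Enable {name}' OFF in HTTPS Options")
    if not results.get("TLS 1.2"):
        findings.append("TLS 1.2 was not negotiated: verify the probe can reach the "
                        "appliance before disabling the legacy versions")
    return findings


if __name__ == "__main__":
    import sys
    # Placeholder host taken from this page's Kerberos example; pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "aas1.netiq.loc"
    result = probe(target)
    for name, ok in result.items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
    for line in assess(result):
        print("FINDING:", line)
```

A "rejected" result for TLS 1.0 or 1.1 can also mean the local OpenSSL could not offer that version at all, so confirm a clean report with a second tool before signing off.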

3.8.11 Kerberos SSO Options

In this policy, you can select an Active Directory repository that points to a domain for which you want to configure the single sign-on (SSO). Kerberos SSO is supported for the AdminUI, Authenticators Management, Helpdesk, and Report logon events.

By default, a basic authentication window is displayed in your browser when you access an Advanced Authentication portal. To avoid it, the Advanced Authentication servers’ sites must be added to the Local intranet zone in the browser on the domain-joined workstations. To do this in Internet Explorer, perform the following steps:

  1. From the Start menu, navigate to Control Panel > Network and Internet > Internet Options.

  2. In the Internet Properties window, click the Security tab and select Local intranet.

  3. Click Sites.

  4. In the Local intranet window, click Advanced.

  5. Add the Advanced Authentication Servers’ sites to the zone. For example: https://v5.netiq.loc or v5.netiq.loc.

  6. Click Close and save the changes.

Perform the following steps to configure Advanced Authentication to perform an SSO authentication:

  1. Ensure that the Multitenancy options policy is disabled.

  2. Go to Policies > Kerberos SSO options.

  3. Select Active Directory as repository in Repository.

    NOTE: This feature works only for a single Active Directory repository at a time.

  4. Click Save.

  5. Log in to a Domain Controller.

  6. Generate the keytab files for the Kerberos authentication for each Advanced Authentication server.

    A sample command to create the keytab file is:

    ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@authasas.local /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv

    where

    • aas1 is the server name (as recorded in DNS) and netiq.loc is the domain name.

    • aas1srv is a service account created in Active Directory for the Advanced Authentication server. The password of this account is Q1w2e3r4. The keytab file keytab_aas1srv is created in the C:\Temp folder.

  7. Go to the Advanced Authentication Administration portal.

  8. Click Server Options.

  9. Scroll down to the Keytab file section.

  10. Click Choose File and select a keytab file for the Advanced Authentication server.

  11. Click Upload.

  12. Repeat Step 8 to Step 11 for the other Advanced Authentication servers.

  13. Click Events on the Global Master server.

  14. Open the properties of any supported event: AdminUI, Authenticators Management, Helpdesk, or Report logon.

  15. Scroll down and set Allow Kerberos SSO to ON.

IMPORTANT: You must add the Advanced Authentication server sites to the Local intranet zone in the browser of the domain-joined workstations. For Internet Explorer, see the procedure above.

By default, Firefox browser does not support SSO. If you use the Firefox browser, you can enable SSO by performing the steps defined on the Single Sign-On in Firefox page.

NOTE: The basic authentication window is still displayed when you access a configured Advanced Authentication portal if the Kerberos SSO option is enabled for the Authenticators Management event and the security level for Local intranet is set to High in Internet Explorer.

3.8.12 Last Logon Tracking Options

The Last Logon Tracking options policy enables Advanced Authentication to track the last login. With tracking enabled, a user who has authenticated with a high-security chain is automatically moved, within a few hours of that authentication, to a simpler chain that contains fewer factors.

For example, if a user authenticates with the LDAP Password+Card chain once a day, the user can then use only the Card method without the LDAP Password method. Likewise, if a user authenticates with the Fingerprint method once every four hours, the user authenticates once with this chain and can use only the Smartphone chain for the next authentication.

To enable tracking, set Enable tracking to ON. You must enable this policy to use the Require chain option when creating a chain. To configure a high-security chain and the corresponding simple chain, see Creating Chains.

3.8.13 Lockout Options

In this policy, you can configure settings to lock a user’s account when the user reaches the maximum number of failed login attempts. This enhances security by preventing guessing of passwords and one-time passwords (OTPs).

You can configure the following options in this policy:

  • Enable: An option to enable the lockout settings.

  • Failed attempts: The number of failed authentication attempts after which the user’s account is locked. The default value is 3.

  • Lockout period: The period during which the user’s account stays locked and the user cannot authenticate. The default value is 300 seconds.

  • Lock in repository: Locks the user account in the repository. Lockout period does not apply when this option is enabled; only a system administrator can unlock the user in the repository.

    IMPORTANT: You must configure the appropriate settings in your repository for these options to work. For Active Directory Domain Services, you must enable the Account lockout threshold policy on the Domain Controllers. For NetIQ eDirectory, you must configure Intruder Detection properly.

After a user’s account is locked (not in the repository), you can unlock the user account. To do this, click Repositories > Edit > Locked Users and click Remove against the user’s account name.
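To make the interaction of the four options concrete, here is an added model of the lockout semantics described above (illustrative code, not the product's implementation). It uses the policy defaults of 3 attempts and 300 seconds, distinguishes a timed lock from a repository lock that the portal cannot clear, and assumes, as a modelling choice, that a successful authentication resets the failure counter.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    enable: bool = True
    failed_attempts: int = 3        # policy default
    lockout_period: int = 300       # seconds, policy default
    lock_in_repository: bool = False


@dataclass
class _State:
    failures: int = 0
    locked_until: Optional[float] = None   # timed lock; None if not timed-locked
    repo_locked: bool = False              # locked in the repository itself


class LockoutTracker:
    """Per-user failure counter following the Lockout Options policy."""

    def __init__(self, policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock          # injectable so tests can move time forward
        self._users: Dict[str, _State] = {}

    def is_locked(self, user: str) -> bool:
        st = self._users.get(user)
        if st is None:
            return False
        if st.repo_locked:
            return True             # only a repository administrator can clear this
        if st.locked_until is not None:
            if self.clock() < st.locked_until:
                return True
            # Lockout period elapsed: drop the state so the counter starts fresh.
            self._users.pop(user, None)
        return False

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if not self.policy.enable:
            return False
        if self.is_locked(user):
            return True
        st = self._users.setdefault(user, _State())
        st.failures += 1
        if st.failures >= self.policy.failed_attempts:
            if self.policy.lock_in_repository:
                st.repo_locked = True       # Lockout period does not apply here
            else:
                st.locked_until = self.clock() + self.policy.lockout_period
            return True
        return False

    def record_success(self, user: str) -> bool:
        """Assumed behaviour: a successful login resets the counter. Refused while locked."""
        if self.is_locked(user):
            return False
        self._users.pop(user, None)
        return True

    def portal_unlock(self, user: str) -> bool:
        """Repositories > Edit > Locked Users > Remove. Returns False for a repository lock."""
        st = self._users.get(user)
        if st is None:
            return True
        if st.repo_locked:
            return False
        self._users.pop(user, None)
        return True
```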

3.8.14 Login Options

In this policy, you can add repositories that are used as default repositories. When logging in to a default repository, users need not prefix the username with the repository name.

For example, if pjones is a member of the company repository, then while logging in, instead of specifying company\pjones, you can specify only pjones.

To add a repository as default, move the repository from Available to Default and click Save.

3.8.15 Logo

This policy allows you to set and customize an image as a logo for the Administration and Self-Service portal. You can also set an alternate text instead of an image as logo.

To set a logo for the Administration and Self-Service portal, perform the following steps:

  1. In the Logo page, set Use image to ON.

  2. Specify an alternate text for the image in Image ALT text.

  3. Specify the URL that is redirected when you click on the logo.

  4. Select an image for the logo. The image resolution must be 230x50 pixels. The supported formats are .jpg and .png.

  5. You can also set a mini logo with an image. This mini logo is displayed when the navigation pane on the left is collapsed. The image resolution for the mini logo must be 50x50 pixels.

  6. Click Save.

NOTE: The logo is applied to all tenants. A tenant administrator cannot customize the logo.

3.8.16 Logon Filter for AD

In this policy, you can enable the use of Logon Filter, which you must install and configure on all the Domain Controllers in the domain. Logon Filter automatically updates group membership when you log in with the Advanced Authentication Windows Client.

To enable the policy, set Enable filter to ON and click Save.

NOTE: Before enabling the policy, ensure that the Advanced Authentication Logon Filter is installed on all the Domain Controllers in the domain. Otherwise, you might face problems with password validation during password synchronization on workstations that have the Windows Client installed.

For information about how to configure Logon Filter, see Configuring Logon Filter.

3.8.17 Mail Sender

In the Mail sender policy, you can configure settings for the following:

  • The Email OTP method, which sends email messages with one-time passwords to users.

  • Replication conflict notification emails sent to the configured users.

To configure the Mail sender settings, perform the following steps:

  1. Specify the following details:

    1. Host: The outgoing mail server name. For example, smtp.company.com.

    2. Port: The port number. For example, 465.

    3. Username: The username of an account that is used to send the authentication or notification mail. For example, noreply or noreply@company.com.

    4. Password: The password for the specified account.

    5. Sender email: An email address of an account that is used to send the authentication or notification mail.

    6. TLS and SSL: The cryptographic protocol used by the mail server.

  2. You can test the configurations for the Mail sender policy in the Test section.

    1. Specify the email address in E-mail to which you want to send the Email OTP.

    2. Specify the message to send in Message.

    3. Click Send test message!.

  3. Click Save.

    Real messages are sent through the asynchronous sender. Ensure that you have configured a chain with the Email OTP method and assigned it to an event. Log in to the Self-Service portal and test the Email authenticator. If it does not work, check the async log.

Authentication Flow

The authentication flow for the Mail sender is described in the following image.

A user wants to authenticate on an endpoint such as a laptop or a website with the Email OTP method. The following steps describe the authentication flow:

  1. When the authentication request is initiated, the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials and gets an email address of the user from a repository.

  3. Advanced Authentication server sends the request to a configured mail server to send an email message with the content that includes a one-time password (OTP) for authentication.

  4. Mail server sends the message to the user's email address.

  5. The mail server sends a 'sent' signal to the Advanced Authentication server.

  6. Advanced Authentication server sends a request to the user to specify an OTP on the endpoint.

  7. The user specifies the OTP from the email message. The Advanced Authentication server gets the OTP.

  8. The Advanced Authentication server validates the OTP. The authentication succeeds or is denied.

HTTPS protocol is used for the internal communication.

Access configuration

Advanced Authentication server - Mail Server (SMTP, outbound).

3.8.18 Multitenancy Options

In this policy, you can enable the Multitenancy mode.

A tenant is a company with a group of users sharing common access with specific privileges. The Multitenancy options policy helps you to create a single instance of Advanced Authentication solution that supports multiple tenants.

Enable Multitenancy mode to support more than one tenant on a single appliance.

For workstations with Windows Client, Mac OS X Client, or Linux PAM Client installed, you must perform the following steps before you enable Multitenancy options:

  1. Ensure that you have installed Advanced Authentication 5.4 or later Client components.

  2. Configure the Clients to point to a tenant.

These steps are critical; if they are not performed, users on the workstations cannot log in.

IMPORTANT: The Multitenancy options policy is hidden when your license does not include the Multitenancy feature. To get the policy, you must obtain a license that includes the Multitenancy feature.

3.8.19 Password Filter for AD

In this policy, you can configure settings to synchronize the password update between the appliance and Active Directory through the Password Filter. The Password Filter automatically updates the LDAP Password stored in Advanced Authentication, whenever the password is changed or reset in the Active Directory. This helps you to authenticate without getting any prompt to synchronize the password after it is changed or reset.

You can perform the following settings in this policy:

  • Set Update password on change to ON to update the LDAP password automatically in Advanced Authentication when it is changed in the Active Directory. This helps you to authenticate without getting a prompt to synchronize the password after it is changed.

    Set Update password on change to OFF to prompt the user to synchronize the LDAP password while logging in to Windows when the password is changed in the Active Directory.

  • Set Update password on reset to ON to update the LDAP password automatically in Advanced Authentication when it is reset in the Active Directory. This helps users to authenticate without getting a prompt to synchronize the password after it is reset.

    Set Update password on reset to OFF to prompt the user to synchronize the LDAP password while logging in to Windows when the user's password has been reset in the Active Directory.

NOTE: The endpoint for the Password Filter must be trusted. To do this, perform the following steps:

  1. Click Endpoints in the Advanced Authentication Administration portal.

  2. Edit an endpoint of the Password Filter.

  3. Set Is trusted to ON and add a description.

  4. Save the changes.

3.8.20 Public External URLs (Load Balancers)

In this policy, you can set the external URLs used for the Smartphone and Voice methods. You can specify multiple server URLs for the different sites, which are callback URLs, for the authentication to happen between the sites.

NOTE: You must specify different public external URLs for the different Advanced Authentication sites. It is not possible to specify the public external URL of a common load balancer for all the sites.

The following workflow describes how this policy works in a multi-site environment for Smartphone authentication.

  1. The Smartphone app receives and updates the list of callback URLs during enrollment and in the background when the app starts.

  2. When a user opens the Smartphone app, the app sends a get salt request to all callback URLs.

  3. Only one callback URL returns the salt to the Smartphone app: the Advanced Authentication server that initiated the authentication.

  4. The Smartphone app sends the user's answer (Accept/Reject) only to this Advanced Authentication server.

NOTE: A tenant administrator cannot access the Public external URLs policy.

3.8.21 Replica options

In this policy, you can configure the setting for monitoring the replication process of all the servers in a cluster. Advanced Authentication performs the following actions in the replication process:

  1. Generates and sends the replication report daily to the configured email address.

  2. Sends a notification email to the configured email address whenever a conflict is detected.

  3. Tracks and reports the time since which replication has not happened between the conflicting servers.

NOTE: You can configure the Replica options policy only on the DB Master server.

To configure the replication monitor settings, perform the following steps:

  1. Specify the Email address of the recipient who should receive the replication report and conflict notifications.

  2. Set Everyday report to ON to send the data replication status report daily to the configured email address.

  3. Set Notify if Problem to ON to send an email notification to the configured email address whenever a replication conflict is detected.

  4. Set Delete old endpoint device and update endpoint last session to OFF to make the Advanced Authentication server do the following, which prevents new endpoint-related conflicts:

    • Do not delete the existing endpoint device-specific record even if there are two devices with the same Endpoint ID and Endpoint Secret.

    • Do not update the last login session time of each device.

    When Delete old endpoint device and update endpoint last session option is set to ON (default behavior), the server performs the following:

    • Deletes the old device specific record, if there are two devices that contain the same Endpoint ID and Endpoint Secret.

    • Updates the last login session time of each device that logs in.

  5. Click Save.

NOTE: Ensure that you configure the Mail Sender policy with sender details so that the replication status report and the replication conflict notification can be sent to the configured email address.

3.8.22 SMS Sender

In this policy, you can configure the settings for the SMS OTP method. The SMS OTP method sends SMS messages with one-time passwords to the users. Advanced Authentication contains predefined settings for Twilio and MessageBird services.

The Sender service setting offers three options: Generic, Twilio, and MessageBird.

To configure the SMS sender manually (Generic), perform the following steps:

  1. Select Generic in Sender service.

  2. Specify a Service URL value. For example, Clickatell http://api.clickatell.com/http/sendmsg?.

  3. Leave HTTP Basic Auth Username and HTTP Basic Auth Password blank.

  4. Select POST from HTTP request method.

  5. Click Add and create the following parameters in HTTP request body.

    • name: user

      value: name of your account

    • name: to

      value: {phone}

    • name: text

      value: {message}

    • name: api_id

      value: the API ID that is issued after you add an HTTP sub-product to your Clickatell account. A single account may have multiple API IDs associated with it.

    • name: from

      value: sender’s phone number

  6. Click Add secure and create the following parameter in HTTP request body.

    • name: password

      value: current password that is set on the account

    For more information about the additional parameters for Clickatell, see the Clickatell documentation.

    NOTE: The parameters may differ for different SMS service providers, but the {phone} and {message} variables are mandatory.
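An added example (not the product's code) of what the Generic sender does with the parameter list above: it validates that {phone} and {message} are used, substitutes them into the POST body, and produces a redacted copy for the async log in which the "Add secure" parameter and the OTP text never appear. The parameter values are constructed placeholders; the `send` function assumes a form-encoded POST endpoint as in the Clickatell-style URL above.

```python
import re
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlencode

# A parameter is (name, value, secure). Secure parameters are the ones added
# with "Add secure" in the policy; they must never appear in logs.
Param = Tuple[str, str, bool]

# Constructed sample mirroring the Clickatell-style parameters in the text;
# account name, api_id, from-number and password are placeholders only.
SAMPLE_PARAMS: List[Param] = [
    ("user", "ACCOUNT_NAME_PLACEHOLDER", False),
    ("to", "{phone}", False),
    ("text", "{message}", False),
    ("api_id", "API_ID_PLACEHOLDER", False),
    ("from", "+15550100", False),
    ("password", "PASSWORD_PLACEHOLDER", True),
]

REQUIRED = ("{phone}", "{message}")


def validate_params(params: List[Param]) -> List[str]:
    """Report missing mandatory variables, duplicate names and unknown {vars}."""
    problems = []
    values = [v for _, v, _ in params]
    for var in REQUIRED:
        if not any(var in v for v in values):
            problems.append(f"mandatory variable {var} is not used by any parameter")
    names = [n for n, _, _ in params]
    for n in sorted(set(names)):
        if names.count(n) > 1:
            problems.append(f"parameter {n} is defined more than once")
    for v in values:
        for token in re.findall(r"\{[^}]*\}", v):
            if token not in REQUIRED:
                problems.append(f"unknown variable {token}")
    return problems


def build_body(params: List[Param], phone: str, otp_message: str) -> Dict[str, str]:
    """Substitute {phone} and {message}; returns the form fields for the POST."""
    body = {}
    for name, value, _secure in params:
        body[name] = value.replace("{phone}", phone).replace("{message}", otp_message)
    return body


def redact(params: List[Param], body: Dict[str, str]) -> Dict[str, str]:
    """Copy of the body safe for the async log: secure values and OTP text hidden."""
    secure = {n for n, _, s in params if s}
    out = {}
    for name, value, _ in params:
        if name in secure:
            out[name] = "***"
        elif "{message}" in value:
            out[name] = "<otp message>"
        else:
            out[name] = body[name]
    return out


def send(params: List[Param], service_url: str, phone: str,
         otp_message: str, timeout: float = 10.0) -> Tuple[int, str]:
    """POST the substituted body (HTTP request method = POST in the policy)."""
    problems = validate_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    data = urlencode(build_body(params, phone, otp_message)).encode()
    req = urllib.request.Request(service_url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    body = build_body(SAMPLE_PARAMS, "+15550123", "Your OTP is 482913")
    print("log line:", redact(SAMPLE_PARAMS, body))
```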

To configure SMS sender settings for Twilio service, perform the following steps:

  1. Select Twilio in Sender service.

  2. Specify the following details:

    • Account sid and Auth token: In Twilio, the Account SID acts as a username and the Auth Token acts as a password.

    • Use Copilot: The Copilot option sends SMS messages from a Twilio phone number local to the recipient. This is helpful when SMS messages have to be sent across geographical locations. For example, with Copilot, SMS messages are sent to Indian users from an Indian phone number; without Copilot, they are sent from a US phone number.

      For more information on Copilot option and its features, see https://www.twilio.com/copilot#phone-number-intelligence and https://www.twilio.com/docs/api/rest/sending-messages-copilot#features.

      • Messaging Service SID: Service SID.

    • Sender phone: Sender’s phone number.

For more information, see the Twilio website.

To configure SMS sender settings for MessageBird service, perform the following steps:

  1. Select MessageBird in Sender service.

  2. Specify the Username, Password, and Sender name.

For more information, see the MessageBird website.

IMPORTANT: MessageBird API v2 is not supported. To activate MessageBird API v1, perform the following steps:

  1. Go to the MessageBird account.

  2. Click Developers in the left navigation bar and open the API access tab.

  3. Click Do you want to use one of our old API's (MessageBird V1, Mollie or Lumata)? Click here.

You can test the configurations for the SMS sender policy in the Test section.

  1. Specify the phone number in Phone to which you want to send the SMS OTP.

  2. Specify a message to be sent to the phone in Message.

  3. Click Send test message!.

  4. Click Save.

    Real messages are sent through the asynchronous sender. Ensure that you have configured a chain with the SMS method and assigned it to an event. Then sign in to the Self-Service portal and test the SMS authenticator. If it does not work, see the async logs.

Authentication Flow

The authentication flow for the SMS sender in Advanced Authentication is described in the following image.

A user wants to authenticate on an endpoint such as a laptop or a website with the SMS method. The following steps describe the authentication flow:

  1. When the authentication request is initiated, the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials and gets the user's phone number from a repository.

  3. Advanced Authentication server sends the request to a configured SMS Service Provider to send an SMS message with the content that includes a one-time password (OTP) for authentication.

  4. SMS Service Provider sends the SMS message to the user's phone.

  5. SMS Service Provider sends the 'sent' signal to the Advanced Authentication server.

  6. Advanced Authentication server sends a request to the user to specify an OTP on the endpoint.

  7. The user specifies the OTP from the SMS message. The Advanced Authentication server gets the OTP.

  8. The Advanced Authentication server validates the OTP. The authentication succeeds or is denied.

HTTP/HTTPS protocol is used for the communication.

Access configuration

Advanced Authentication server - SMS Service Provider (HTTP/HTTPS, outbound).

3.8.23 Services Director Options

In this policy, you can configure settings required to integrate with the Services Director.

Perform the following steps to configure this policy:

  1. Set Enable integration to ON to enable the integration of Advanced Authentication with Services Director.

  2. Specify the Public DNS name of Advanced Authentication, Services Director DNS Name, Tenant Admin Name, and Tenant Admin Password of Services Director to integrate it with Advanced Authentication.

NOTE: You cannot integrate Services Director with Advanced Authentication when the Multitenancy Options policy is enabled.

3.8.24 SAML 2.0 Options

In this policy, you can configure settings to specify the Identity Provider’s URL and to download the SAML 2.0 metadata file. The downloaded SAML 2.0 metadata file is used to configure the service provider.

IMPORTANT: The WebAuth option must be enabled in Server Options before configuring this policy.

For more information about configuring this policy, see SAML 2.0.

For information about how to configure Advanced Authentication integration with Salesforce using SAML 2.0, see Configuring Integration with Salesforce.

3.8.25 Voice Sender

In this policy, you can configure the settings for the Voice and Voice OTP methods. Advanced Authentication supports the Twilio service for the Voice methods.

To configure Voice Sender settings for the Twilio service, perform the following steps:

  1. Specify the following details in the Voice sender policy:

    • Account sid and Auth token: In Twilio, the Account SID acts as a username, and the Auth Token acts as a password.

    • Sender phone: The phone number of the sender.

    • Public server url: The public URL to which the Twilio service connects for authentication. This URL points to the Public External URLs (Load Balancers) policy. You can use the http protocol for testing, but in a production environment you must use https, and the certificate must be valid.

  2. In the Enroll without a phone section, you can configure settings for the user to enroll the Voice authenticator without a phone number in the repository.

    • Set Allow user enrollment without a phone to OFF to ensure that a user does not enroll the Voice authenticator without a phone. The user gets an error message that you can specify in Error message.

    • Set Allow user enrollment without a phone to ON for the user to enroll the Voice authenticator without a phone.

  3. You can test the configurations for the Voice sender policy in the Test section.

    1. Specify the phone number in Phone to which you want to send the Voice OTP.

    2. Specify a message to be sent to the phone in Message.

    3. Click Send test message!.

  4. Click Save.

    Real messages are sent through the asynchronous sender. Ensure that you have configured a chain with the Voice OTP method and assigned it to an event. Then sign in to the Self-Service portal and test the Voice authenticator. If it does not work, see the async logs.

IMPORTANT: Users may receive calls that play the voice message "Application error". This happens because of incorrect settings or invalid certificates. Ensure that the certificate is valid and not expired; Twilio does not accept invalid certificates.

Authentication Flow

The authentication flow for the Voice sender in Advanced Authentication is described in the following image.

A user wants to authenticate on an endpoint such as a laptop or a website with the Voice Call method. The following steps describe the authentication flow:

  1. When the authentication request is initiated, the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials and gets a phone number of the user from a repository.

  3. Advanced Authentication server sends the request to a configured voice call service provider (Twilio) to call the user.

  4. The voice call service provider calls the user.

  5. The user picks up the phone, listens to the call, and specifies the PIN followed by the hash (#) sign.

  6. Voice call provider sends the specified PIN to the Advanced Authentication server.

  7. The Advanced Authentication server validates the PIN. The authentication succeeds or is denied.

HTTP/HTTPS protocol is used for the communication.

Access configuration

Advanced Authentication server - Voice Call Service Provider (HTTP/HTTPS, inbound/outbound).