A chain is a combination of authentication methods. A user must pass all methods in the chain to be successfully authenticated. For example, if you create a chain with LDAP Password and SMS OTP, a user must first specify the LDAP Password. If the LDAP password is correct, the system sends an SMS with a One-Time-Password (OTP) to the user’s mobile. The user must specify the correct OTP to be authenticated.
Advanced Authentication contains the following chains that are created by default:
: Any user from a repository can use this chain to get authenticated with the LDAP Password (single-factor) method.
: Any user who has a Password method enrolled can use this chain to get authenticated with the Password (single-factor) method.
You can create any number of chains with multiple authentication methods. To achieve better security, you can include multiple methods in a chain.
Authentication comprises the following three factors:
Something you know, such as a password, PIN, or security questions.
Something you have, such as a smartcard, token, or mobile phone.
Something you are, such as biometrics (fingerprint or iris).
You can achieve multi-factor (strong) authentication by combining any two factors from this list. For example, multi-factor authentication can be a combination of a password and a token, or of a smartcard and a fingerprint.
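The two rules above (every method in a chain must pass, in order, and a chain counts as multi-factor only when it spans two factor categories) can be modelled in a few lines. The following is an added illustration, not Advanced Authentication's own code; the method-to-factor mapping, the `PasswordVerifier` and `SmsOtpVerifier` classes and the `authenticate` helper are constructed for this example. It also shows why the OTP is only sent after the preceding method succeeds: the verifier for SMS OTP issues its challenge only when the chain reaches it.

```python
import hmac
import secrets

# Factor category of each method, per the three factors above
# (knowledge / possession / inherence). Constructed mapping for this example.
FACTOR_OF_METHOD = {
    "LDAP Password": "knowledge",
    "Password": "knowledge",
    "PIN": "knowledge",
    "Security Questions": "knowledge",
    "SMS OTP": "possession",
    "HOTP": "possession",
    "Smartcard": "possession",
    "Fingerprint": "inherence",
}


def is_multi_factor(chain):
    """A chain is multi-factor only if its methods span two or more factor
    categories; two knowledge methods (e.g. Password + PIN) are still single-factor."""
    categories = {FACTOR_OF_METHOD[m] for m in chain}
    return len(categories) >= 2


class PasswordVerifier:
    """Stand-in for the LDAP Password / Password method (constructed)."""

    def __init__(self, expected):
        self._expected = expected

    def challenge(self):
        return None  # nothing is sent to the user for a knowledge factor

    def verify(self, response):
        return hmac.compare_digest(self._expected, response or "")


class SmsOtpVerifier:
    """Stand-in for SMS OTP (constructed). The OTP is generated and 'sent' only
    when the chain reaches this method, i.e. after the preceding methods passed."""

    def __init__(self, outbox):
        self._outbox = outbox  # list standing in for the SMS gateway
        self._current = None

    def challenge(self):
        self._current = f"{secrets.randbelow(10**6):06d}"
        self._outbox.append(self._current)

    def verify(self, response):
        ok = self._current is not None and hmac.compare_digest(self._current, response or "")
        self._current = None  # one-time: the same OTP cannot be replayed
        return ok


def authenticate(chain, verifiers, respond):
    """Evaluate the chain in order and stop at the first failing method.
    `respond(method)` plays the user and returns their answer for that method.
    Returns (success, methods_attempted)."""
    attempted = []
    for method in chain:
        attempted.append(method)
        verifier = verifiers[method]
        verifier.challenge()
        if not verifier.verify(respond(method)):
            return False, attempted
    return True, attempted


if __name__ == "__main__":
    outbox = []
    verifiers = {
        "LDAP Password": PasswordVerifier("correct horse battery"),
        "SMS OTP": SmsOtpVerifier(outbox),
    }
    chain = ["LDAP Password", "SMS OTP"]
    # Wrong LDAP password: the chain stops and no SMS is ever sent.
    print(authenticate(chain, verifiers, lambda m: "wrong"), outbox)  # (False, ['LDAP Password']) []
    # Correct password, then the OTP that was just "sent".
    print(authenticate(chain, verifiers,
                       lambda m: "correct horse battery" if m == "LDAP Password" else outbox[-1]))
```

The point worth noticing is in the failing run: because evaluation is sequential, a wrong first factor never triggers the SMS, so an attacker guessing passwords gets no signal from (and no cost is incurred on) the second factor.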
After you create a chain, you can use the chain on specific user groups in your repository. The chain is then mapped to an event.
To create a new chain or edit an existing chain, perform the following steps:
Click to create a chain. You can also click the edit icon against the chain that you want to edit.
Specify a name for the chain in.
Specify a. The short name is used by a user to move to a chain. For example, if you name a chain containing the LDAP Password and SMS methods as then a user can specify <username> sms and the user is forced to use as the chain. This is helpful in scenarios when the primary chain is not available.
NOTE: This is applicable only for the RADIUS Server event.
Set to to enable the chain.
Select the methods that you want to add to the chain from the section. You can prioritize the methods in the list. For example, if you create a chain with the LDAP Password and HOTP methods, the user is prompted for the LDAP Password first and then for the OTP.
Specify the groups that will use the authentication chain in.
You can specify the following roles and groups based on your requirement:
: To use all the users and groups of all the added repositories.
: To use a specific group from the repository. For example, to specify users of an group, specify .
: To use all the users of a specific repository. For example, to use all users in the repository , specify .
IMPORTANT: Avoid groups from which you cannot exclude users, because you will then be unable to free up a user's license. For example, suppose you use a group or group. If an employee from these groups leaves the company and you do not delete the user's domain account but only disable it, the license is not freed.
Expand by clicking .
Set Endpoint owner must use the chain to if an
NOTE: The Endpoint owner feature is supported for Windows Client, Mac OS Client, and Linux PAM Client only.
Specify the. When a user logs in to Windows on a workstation with Advanced Authentication Windows Client installed, the user's account is moved to the group specified in .
NOTE: This functionality is available when you set the Logon Filter to in the policy and have configured the
For example, if you specify a group from Active Directory in , then the user is moved from the legacy group (specified in the of the Active Directory repository) to the group.
NOTE: If the user credentials are saved with , the MFA tag does not work while connecting to the Remote Desktop.
Set to , if this is a required (high-security) chain. To configure a linked chain that can be used within a specific time period after successful authentication with a required chain, choose the appropriate required chain. You also need to specify a grace period. Within this time period, the linked chain can be used instead of the required chain. The maximum value for the grace period is 44640 minutes (31 days).
NOTE: You must assign both the required and the linked chain to an Event. The linked chain must be of higher order than the corresponding required chain. The option is available when the Linked Chains policy is set to .
For example, LDAP Password+Card is a required chain and Card is a linked chain. Users must use the LDAP Password+Card chain once every 8 hours, and within this period they can authenticate with only the card, without the LDAP Password.
A top administrator can enforce the configurations of a chain on secondary tenants. After the administrator configures the settings for a chain, the administrator can freeze those configurations for that specific tenant. The tenant will not be able to edit the settings in the tenant administrator console that have been enforced by the top administrator for that chain.
To enforce the configurations for a specific tenant, perform the following steps:
In the, click to expand the settings.
Select the tenant on which you want to enforce the configurations in
After you add a tenant, the option is displayed. You can turn this option to if you want to hide the configurations that you have enforced on the tenant. The enforced settings are then hidden on the tenant administrator console.
(Conditional) In , you can specify the chain name in a specific language. To do this, click to expand the settings and specify the chain name.
IMPORTANT: If you have configured more than one chain using one method (for example, , ) and assigned them to the same group of users and the same event, then the top chain is always used if the user has enrolled all the methods in that chain. An exception is a high-security (required) chain and its corresponding simple (linked) chain, where the simple chain must be placed higher than its high-security chain.
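The selection rules described above (topmost chain whose methods are all enrolled, a linked chain usable only within the grace period of its required chain, and the linked chain having to sit above its required chain) are worth seeing as executable logic, because misordering the two chains silently changes which one users get. The following is an added model for this page, not Advanced Authentication's own code; the `Chain` dataclass, `validate_event_chains`, `select_chain` and the minute-based timestamps are constructed for the example, and the 44640-minute maximum is the value stated above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set

MAX_GRACE_PERIOD_MINUTES = 44640  # 31 days, the maximum stated above


@dataclass(frozen=True)
class Chain:
    name: str
    methods: tuple
    # Set on a linked (simple) chain: the name of its required (high-security)
    # chain and the grace period during which it may stand in for that chain.
    required_chain: Optional[str] = None
    grace_period_minutes: int = 0

    @property
    def is_linked(self) -> bool:
        return self.required_chain is not None


def validate_event_chains(chains: Sequence[Chain]) -> None:
    """Apply the ordering rules for chains assigned to one event: a linked
    chain's required chain must also be assigned, the linked chain must sit
    above it, and the grace period must be within bounds."""
    names = [c.name for c in chains]
    for position, chain in enumerate(chains):
        if not chain.is_linked:
            continue
        if chain.required_chain not in names:
            raise ValueError(f"{chain.name}: required chain {chain.required_chain!r} "
                             "is not assigned to the event")
        if names.index(chain.required_chain) < position:
            raise ValueError(f"{chain.name}: linked chain must be placed above "
                             f"{chain.required_chain!r}")
        if not 0 < chain.grace_period_minutes <= MAX_GRACE_PERIOD_MINUTES:
            raise ValueError(f"{chain.name}: grace period must be 1..{MAX_GRACE_PERIOD_MINUTES} minutes")


def select_chain(chains: Sequence[Chain], enrolled: Set[str],
                 last_required_success: Dict[str, int], now_minutes: int) -> Optional[str]:
    """Return the name of the chain the user is offered: the topmost chain whose
    methods are all enrolled. A linked chain is offered only while its required
    chain was passed within the grace period; otherwise it is skipped and the
    required chain applies. `last_required_success` maps a required chain's
    name to the minute timestamp of the user's last success with it."""
    validate_event_chains(chains)
    for chain in chains:
        if not set(chain.methods) <= enrolled:
            continue  # user has not enrolled every method of this chain
        if chain.is_linked:
            last = last_required_success.get(chain.required_chain)
            if last is None or now_minutes - last > chain.grace_period_minutes:
                continue  # grace period expired: fall through to the required chain
        return chain.name
    return None  # no assigned chain is usable for this user


if __name__ == "__main__":
    # The LDAP Password+Card / Card example from the text, 8-hour grace period.
    card = Chain("Card", ("Smartcard",), required_chain="LDAP Password+Card", grace_period_minutes=480)
    full = Chain("LDAP Password+Card", ("LDAP Password", "Smartcard"))
    enrolled = {"LDAP Password", "Smartcard"}
    print(select_chain([card, full], enrolled, {}, 1000))                           # LDAP Password+Card
    print(select_chain([card, full], enrolled, {"LDAP Password+Card": 900}, 1000))  # Card
    print(select_chain([card, full], enrolled, {"LDAP Password+Card": 400}, 1000))  # LDAP Password+Card
```

The expiry check compares a recorded success time against the grace period on every selection, so a user who last completed the required chain 600 minutes ago is pushed back to LDAP Password+Card even though the Card chain is listed first; putting the required chain on top would instead make the linked chain unreachable, which is what the validator rejects.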