3.5 Configuring Events

Advanced Authentication provides authentication events for the supported applications or devices. You can configure an event to leverage the Advanced Authentication functionalities for the respective application or device. The application or device triggers the respective authentication event when a user tries to access it.

You can create customized events for the following:

  • Third-party integrations.

  • To use Windows Client, Linux PAM Client, or Mac OS X Client on both domain-joined and non-domain workstations, which requires a separate event for the non-domain mode.

  • Integrations using SAML 2.0 and OAUTH 2.0.

  • To create more than one RADIUS Server event.

This section contains the following:

  • Section 3.5.1, Configuring an Existing Event

  • Section 3.5.2, Creating a Customized Event

3.5.1 Configuring an Existing Event

  1. Click Events.

  2. Click the edit icon against the event that you want to edit.

  3. Ensure that Is enabled is set to ON if you want to use the event.

  4. Select the Event type.

    For most of the predefined events, you cannot change the Event type. For events such as Windows logon, Linux logon, and Mac OS logon, you can change the Event type from OS Logon (domain) to OS Logon (local) if the workstations are not joined to the domain.

    • Select OS Logon (domain) to allow only domain-joined users to log in to the event.

    • Select OS Logon (local) to allow any Advanced Authentication user from any repository to access the event. However, users must map themselves to a local user account during their first login by providing the credentials.

  5. Set the reCAPTCHA option to ON if you want the Google reCAPTCHA option to be displayed on the login page for the particular event.

    The reCAPTCHA option is displayed only when you enable the Google reCAPTCHA Options policy.

    NOTE: The reCAPTCHA option is supported only for the Admin UI event, Authenticators Management event, Helpdesk event, Helpdesk user event, Report logon event, Tokens Management event, and the Search Card event.

  6. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  7. Select the chains that you want to assign to the current event.

    In an event, you can configure a prioritized list of chains that can be used to get access to that specific event.

  8. If you want to restrict access to the event to certain endpoints, add all the endpoints that must have access to the Endpoint whitelist. The remaining endpoints are blacklisted automatically. If you leave the Endpoint whitelist blank, all endpoints are considered for authentication.

  9. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT: You must enable the Geo Fencing Options policy to use the geo-fencing functionality.

  10. Select Allow Kerberos SSO if you want to enable single sign-on (SSO) to the Advanced Authentication portals. Kerberos SSO is supported for AdminUI, Authenticators Management, Helpdesk, and Report logon events.

  11. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate with Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  12. Select the Allow to logon to this event by shared template option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events and enabled for all other events.

  13. Click Save.

  14. If you want to revert the changes to the default configuration, click Initialize default chains.

NOTE: If you have configured more than one chain that includes the same method (for example, LDAP Password and LDAP Password+Smartphone) and assigned them to the same group of users and to the same event, the top chain is always used if the user has enrolled all the methods in that chain. The exception is a high-security chain paired with its corresponding simple chain, where the simple chain must be placed higher than its high-security chain.

HINT: It is recommended to have a single chain with the Emergency Password method at the top of the chain list in the Authenticators Management event and in the other events that users log in to. The chain is ignored if the user does not have an Emergency Password enrolled. The user can use the Emergency Password immediately after the helpdesk administrator enrolls the Emergency Password authenticator for the user.
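The chain-selection rule and the endpoint whitelist described above, as an added example that is not Advanced Authentication code. It models only what this section states: chains are tried in priority order and the top-most chain whose methods the user has all enrolled is used (so an Emergency Password chain at the top is skipped until that method is enrolled), a blank Endpoint whitelist admits every endpoint, and a non-blank one admits only the listed endpoints. The high-security / simple chain exception is not modelled. All event, chain and endpoint names are constructed sample data.

```python
"""Model of how an event picks a chain and applies its endpoint whitelist.

Added example modelling the rules stated in this section; it is not Advanced
Authentication code. Event, chain and endpoint names are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Chain:
    name: str
    methods: tuple  # every method must be enrolled for the chain to be usable


@dataclass
class Event:
    name: str
    chains: list                     # priority order; index 0 is the top chain
    endpoint_whitelist: set = field(default_factory=set)  # empty = all endpoints
    is_enabled: bool = True

    def endpoint_allowed(self, endpoint: str) -> bool:
        """Blank whitelist: every endpoint; otherwise only listed endpoints."""
        return not self.endpoint_whitelist or endpoint in self.endpoint_whitelist

    def select_chain(self, enrolled_methods: set, endpoint: str) -> Optional[Chain]:
        """Return the top-most usable chain, or None if the user cannot log in."""
        if not self.is_enabled or not self.endpoint_allowed(endpoint):
            return None
        for chain in self.chains:
            # Usable only when the user has enrolled every method of the chain.
            if all(method in enrolled_methods for method in chain.methods):
                return chain
        return None


# Constructed sample following the HINT: Emergency Password chain on top.
EMERGENCY = Chain("Emergency", ("Emergency Password",))
STRONG = Chain("LDAP Password+Smartphone", ("LDAP Password", "Smartphone"))
SIMPLE = Chain("LDAP Password", ("LDAP Password",))

SELF_SERVICE = Event("Authenticators Management", [EMERGENCY, STRONG, SIMPLE])
RESTRICTED = Event("Custom Workstations", [SIMPLE], endpoint_whitelist={"ws-01"})


def demo() -> tuple:
    """Chains chosen for three users, plus two endpoint-whitelist outcomes."""
    only_pw = SELF_SERVICE.select_chain({"LDAP Password"}, "any-endpoint")
    with_phone = SELF_SERVICE.select_chain({"LDAP Password", "Smartphone"}, "any-endpoint")
    # Once the helpdesk enrolls an Emergency Password, the top chain becomes usable.
    emergency = SELF_SERVICE.select_chain({"Emergency Password", "LDAP Password"}, "any-endpoint")
    allowed = RESTRICTED.select_chain({"LDAP Password"}, "ws-01")
    blocked = RESTRICTED.select_chain({"LDAP Password"}, "ws-02")  # not whitelisted
    return (only_pw.name, with_phone.name, emergency.name,
            allowed is not None, blocked is None)


if __name__ == "__main__":
    print(demo())  # ('LDAP Password', 'LDAP Password+Smartphone', 'Emergency', True, True)
```

The user with only LDAP Password enrolled falls through the Emergency and Smartphone chains to the simple chain; adding Smartphone makes the higher-priority chain win, and enrolling an Emergency Password makes the top chain usable at once, which is why the HINT places it first.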

NOTE: Configurations that have been set by a top administrator for a particular event are grayed out. The configurations are not displayed if they are hidden by the top administrator.

By default, Advanced Authentication contains the following events.

ADFS Event

This event is used to integrate Advanced Authentication with ADFS using the previous ADFS plug-in for Advanced Authentication 5.x.

For 6.0, you can use the new ADFS MFA plug-in. For more information, see the Configuring the Advanced Authentication Server for ADFS Plug-in guide.

AdminUI Event

Use this event to access the Administration portal. You can configure the chains that can be used to get access to the /admin URL.

IMPORTANT: You must be careful when changing the default chains that are assigned to this event, because you may block access to the Administration portal.

NOTE: You can promote users or groups of users from a repository to the FULL ADMINS role in Repositories > Local. After this, you must assign to the AdminUI event chains whose methods those users have enrolled (at a minimum, a chain with LDAP Password).

WARNING: If you have enabled the Google reCAPTCHA policy for the Admin UI event, you must consider the following guidelines. Otherwise, a deadlock can occur and you will not be able to access the Administration portal without reinstalling the cluster:

  • If the site key or secret key gets deleted at the Google server, you cannot obtain the same site key or secret key again. The site key and secret key used on the Administration portal are no longer valid, and there is no way to bypass reCAPTCHA on the Administration portal.

  • If you have registered the reCAPTCHA for one domain name and you change the domain name or migrate the Advanced Authentication server to another domain name, the site key and secret key used on the Administration portal are no longer valid.

Authentication Agent Event

Configure the settings of this event to enable a login to the Authentication Agent on Windows Client.

Authenticators Management Event

Use this event to access the Self-Service portal. In the Self-Service portal, users can enroll any of the methods that are configured in a chain whose assigned group they are a member of.

Add an LDAP Password chain as the last chain in the list of chains to ensure secure access to the portal for users who have methods enrolled.

IMPORTANT: If the Administration portal uses a repository that does not have any users, you must enable a chain with Password only (Authenticators Management - Password) for this event. This enables you to access the Self-Service portal or to change the password in the Self-Service portal.

You can also perform basic authentication with Advanced Authentication. To achieve basic authentication, set the Allow basic authentication option to ON in the Event Edit screen for Authenticators Management.

NOTE: Basic authentication is supported only for the Authenticators Management event and only for the Password, LDAP Password, and HOTP methods.

You must append /basic to the URL to log in to the enrollment page. The Login page appears, and the Username you provide must have the format username:PASSWORD|LDAP_PASSWORD|HOTP:1 (the user name, the method, and a trailing number, separated by colons). For example: admin:PASSWORD:1.
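A validator for that username format, as an added example that is not product code. It checks a value before it is entered on the /basic Login page or stored in a script: the method must be one of the three the page lists, and the trailing number (whose meaning the page does not explain) must be a positive integer and is carried through unchanged. Nothing here talks to the appliance.

```python
"""Validator for the username field used with basic authentication on the
Authenticators Management event (added example, not product code).

Documented format: username:PASSWORD|LDAP_PASSWORD|HOTP:1, e.g. admin:PASSWORD:1.
The meaning of the trailing number is not stated on the page; it is only
required to be a positive integer here.
"""
import re
from typing import NamedTuple

# Methods the page lists as supported for basic authentication.
BASIC_AUTH_METHODS = ("PASSWORD", "LDAP_PASSWORD", "HOTP")

_USERNAME_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<method>PASSWORD|LDAP_PASSWORD|HOTP):(?P<num>[1-9][0-9]*)$"
)


class BasicLogin(NamedTuple):
    user: str
    method: str
    num: int


def parse_basic_username(value: str) -> BasicLogin:
    """Split 'user:METHOD:n' into its parts; reject anything outside the format."""
    match = _USERNAME_RE.match(value)
    if match is None:
        raise ValueError(f"not in user:METHOD:n format or unsupported method: {value!r}")
    return BasicLogin(match["user"], match["method"], int(match["num"]))


def is_valid_basic_username(value: str) -> bool:
    """True when the value parses; handy for configuration checks."""
    try:
        parse_basic_username(value)
    except ValueError:
        return False
    return True


def build_basic_username(user: str, method: str, num: int = 1) -> str:
    """Compose the field from its parts, refusing methods the page does not list."""
    if method not in BASIC_AUTH_METHODS:
        raise ValueError(f"{method!r} is not supported for basic authentication")
    if not user or ":" in user:
        raise ValueError("user must be non-empty and must not contain ':'")
    if num < 1:
        raise ValueError("trailing number must be a positive integer")
    return f"{user}:{method}:{num}"


if __name__ == "__main__":
    print(parse_basic_username("admin:PASSWORD:1"))  # BasicLogin(user='admin', method='PASSWORD', num=1)
    print(build_basic_username("jdoe", "HOTP"))       # jdoe:HOTP:1
```

Because the format itself uses colons as separators, the user part is rejected if it contains one; a method outside the three listed (Smartphone, for instance) is rejected rather than silently passed to the login page.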

When you log in to the Self-Service portal, by default the chain with the highest priority is displayed. To display the other chains whose methods are enrolled, set Show chain selection to ON.

NOTE: If you enable Show chain selection but a chain is not displayed in the list of available chains in the Self-Service portal, ensure that the user has enrolled all the methods of the chain.

For more information, see Managing Authenticators in the Advanced Authentication - User guide.

Helpdesk Event

Configure the settings of this event to enable the Helpdesk administrator to access the Helpdesk portal. One of the roles of a Helpdesk administrator is to set an emergency password for users. An emergency password is a temporary password for users who have lost their smart card or smartphone. Some companies restrict self-enrollment and have the Helpdesk administrator perform the enrollment after hiring. You can promote repository administrators or users to Helpdesk administrators in the Repositories > LOCAL > Edit > Global Roles > ENROLL ADMINS section.

You can manage the enrollment and re-enrollment of the authenticators in one of the following ways:

  • Restrict self-enrollment and force users to enroll through the Helpdesk, or

  • Restrict only the re-enrollment or deletion of authenticators from the Self-Service portal using the Disable re-enrollment option.

For more information, see Authenticators Management in the Advanced Authentication - Helpdesk Administrator guide.

Helpdesk User Event

Configure the settings of this event to enable the Helpdesk administrator to authenticate users in the Helpdesk portal. This event is applicable for the User to manage screen that appears on the Helpdesk portal.

You must enable the Ask credentials of management user option in the Helpdesk Options policy before using this event.

Linux Logon Event

Configure the settings of this event to enable login to the Linux Client. If you want to use Linux Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

Mac OS Logon Event

Configure the settings of this event to enable login to the Mac OS Client. If you want to use Mac OS Client on non-domain joined workstations, change the Event type from OS Logon (domain) to OS Logon (local).

Mainframe Logon Event

Configure the settings of this event to enable login to the Mainframe system.

NAM Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ Access Manager.

NCA Event

Configure the settings of this event to facilitate the integration of Advanced Authentication with NetIQ CloudAccess. CloudAccess must be configured to use Advanced Authentication as an authentication card and user stores must be added for the repositories for the integration to work. For more information, see the Advanced Authentication CloudAccess documentation.

RADIUS Server Event

The Advanced Authentication server contains a built-in RADIUS server to authenticate any RADIUS client using one of the chains configured for the event. For more information about configuring the RADIUS Server event, see Section 6.0, RADIUS Server.

Report Logon Event

Configure the settings of this event to log in to the Advanced Authentication Reporting portal. For more information about the Reporting portal, see Section 10.0, Reporting.

Search Card Event

Configure the settings of this event to log in to the Advanced Authentication Search Card portal. The Search Card functionality helps you to get the card holder’s contact information by inserting the card in the card reader. For more information about searching a card holder’s information, see Section 12.0, Searching a Card Holder’s Information.

Tokens Management Event

Configure the settings of this event to log in to the Advanced Authentication Tokens Management portal. The Tokens Management functionality allows you to assign each token to a specific user. For more information about assigning a token to a user, see Section 11.0, Managing Tokens.

Windows Logon Event

Configure the settings of this event to log in to the Windows Client.

3.5.2 Creating a Customized Event

You can create customized events for the following.

  • Third-party integrations.

  • To use Windows Client, Linux PAM Client, or Mac OS X Client on both domain-joined and non-domain workstations, which requires a separate event for the non-domain mode.

  • For integrations using SAML 2.0 and OAUTH 2.0.

  • To create more than one RADIUS Server event.

You can create the following types of customized events:

Creating a Generic Event

You can create a generic event for Windows Client, Mac OS X Client, and Linux PAM Client workstations that are not joined or bound to a domain. Perform the following steps to create a generic event:

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select Generic in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. If you want to restrict access to the event to certain endpoints, add all the endpoints that must have access to the Endpoint whitelist. The remaining endpoints are blacklisted automatically. If you leave the Endpoint whitelist blank, all endpoints are considered for authentication.

  8. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT: You must enable the Geo Fencing Options policy to use the geo-fencing functionality.

  9. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate with Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  10. Click Save.

NOTE: When you create a custom event, you must specify the custom event in the configuration file of the related endpoints. For more information, see the Advanced Authentication - Linux PAM Client, Advanced Authentication - Mac OS X Client, or Advanced Authentication - Windows Client guide for the specific endpoint.

Creating an OS Logon (Domain) Event

You can create this event when a third-party application needs to read the password of a user after authentication. For example, when a Windows Client, Mac OS X Client, or Linux PAM Client workstation is joined or bound to a domain, the third-party application must read the password of the user.

The steps to create an OS Logon (domain) event are similar to the Generic event.

Creating an OAuth 2.0 Event

You can create this event for third-party integrations with OAuth 2.0.

To create an OAuth 2 event, perform the following steps:

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select OAuth2 in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. Specify the Redirect URIs. The Client ID and Client secret are generated automatically. The Client ID, Client secret, and Redirect URI are consumed by the consumer web application. After successful authentication, the redirect URI web page specified in the event is displayed.

  8. In Advanced Settings, perform the following actions:

    • Set the Use for Owner Password Credentials option to ON, if the consumer web application provides authorization in the form of Resource Owner Password Credentials Grant.

    • Set the option to OFF, if the consumer web application provides authorization in the form of Authorization Code Grant or Implicit Grant.

    NOTE: If the option is set to ON, you can use only the LDAP Password-only chain for this event. It is recommended to use separate events for Resource Owner Password Credentials Grant (Use for Owner Password Credentials > ON) and Authorization Code Grant / Implicit Grant (Use for Owner Password Credentials > OFF).

  9. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate with Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  10. Click Save.

After you have created an OAuth 2 event, perform the following steps to access the consumer web application:

  1. Specify the Client ID, Client secret, and redirect URIs in the consumer web application.

  2. Specify the appliance endpoint (authorization endpoint) in the web application. For example, https://<Appliance IP>/osp/a/TOP/auth/oauth2/grant.

  3. Authenticate with the required authentication method(s) to access the consumer web application.

    NOTE: Authorization is provided in the form of Authorization Code Grant or Implicit Grant or Resource Owner Password Credentials Grant.
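The consumer web application's side of the Authorization Code Grant against the event's authorization endpoint, as an added example that is not the appliance's client library. It assumes the standard OAuth 2.0 (RFC 6749) parameters response_type, client_id, redirect_uri, state and code on the documented endpoint https://<Appliance IP>/osp/a/TOP/auth/oauth2/grant; the page does not list the parameter names the appliance accepts. APPLIANCE_HOST, the client ID and the redirect URI are constructed placeholders. The checks worth copying are the two on the way back: the callback must land on a redirect URI registered in the event, and its state must match the one issued for the session.

```python
"""Consumer-side handling of an Advanced Authentication OAuth 2.0 event using
the Authorization Code Grant (Use for Owner Password Credentials = OFF).

Added example, not the appliance's client library; parameter names are the
RFC 6749 defaults (assumed), hosts and IDs are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

APPLIANCE_HOST = "appliance.example.test"   # placeholder for <Appliance IP>
AUTHORIZE_URL = f"https://{APPLIANCE_HOST}/osp/a/TOP/auth/oauth2/grant"

# Exactly the Redirect URIs entered in the event; the consumer must use the
# same strings and must refuse callbacks that arrive anywhere else.
REGISTERED_REDIRECT_URIS = ("https://app.example.test/oauth/callback",)


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    """URL the consumer sends the browser to for the Authorization Code Grant."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not one of the URIs registered in the event")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_authorization_code(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect back to the consumer, or raise.

    Rejects callbacks on an unregistered URI and callbacks whose state does
    not match the one issued for this session (RFC 6749 section 10.12).
    """
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() not in REGISTERED_REDIRECT_URIS:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parts.query, strict_parsing=True) if parts.query else {}
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in query:
        raise ValueError("authorization server reported: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def callback_is_acceptable(callback_url: str, expected_state: str) -> bool:
    """Boolean form of the check above, for request filters and tests."""
    try:
        extract_authorization_code(callback_url, expected_state)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("constructed-client-id", REGISTERED_REDIRECT_URIS[0], state))
```

The client secret never appears in the browser-facing request; it belongs to the later code exchange between the consumer's backend and the appliance, which the page does not detail and this example does not assume.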

Creating a SAML 2.0 Event

You can create this event for third-party integrations with SAML 2.0.

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Set Is enabled to ON.

  4. Select SAML 2 in the Event type.

  5. Select the Authenticator category. The Authenticator category option is displayed only if you have added categories in the Event Categories policy.

  6. Select the chains that you want to assign to the current event.

  7. In SAML 2.0 settings, perform the following:

    NOTE: You must configure the Web Authentication policy for the SAML 2.0 event to work appropriately.

    1. You can either insert your Service Provider's SAML 2.0 metadata in SP SAML 2.0 metadata or click Browse and select a Service Provider's SAML 2.0 metadata XML file to upload it.

    2. Set the Send E-Mail as NameID (suitable for G-Suite) option to ON to integrate with G Suite.

    3. Set the Send SAMAccount as NameID option to ON to send the SAMAccountName in the NameID attribute of the SAML response from the Advanced Authentication server.

      This option must be enabled for the integration with CyberArk.

      WARNING: You can set Send SAMAccount as NameID to ON only when the Send E-Mail as NameID (suitable for G-Suite) option is turned OFF.

    4. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate with Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  8. Click Save.
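Two checks an administrator can run before saving the SAML 2.0 settings above, as an added example that is not product code: parsing the Service Provider metadata pasted or uploaded in step 7.1 to confirm it really is SP metadata and to see which endpoint assertions will be posted to, and applying the WARNING's rule that Send SAMAccount as NameID may be ON only when Send E-Mail as NameID (suitable for G-Suite) is OFF. The metadata document below is a constructed sample; what the server uses as NameID when neither option is set is not stated on the page.

```python
"""Checks for an Advanced Authentication SAML 2.0 event (added example, not
product code): parse SP metadata and validate the two NameID options.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample Service Provider metadata, as a third party would hand it over.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID and the default AssertionConsumerService from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor (not Service Provider metadata?)")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("SP metadata declares no AssertionConsumerService")
    # The IdP posts assertions to the default ACS, or the first one if none is flagged.
    default = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "entity_id": root.get("entityID"),
        "acs_url": default.get("Location"),
        "acs_binding": default.get("Binding"),
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def name_id_options_valid(send_email_as_name_id: bool, send_samaccount_as_name_id: bool) -> bool:
    """The WARNING's rule: SAMAccount as NameID requires E-Mail as NameID to be OFF."""
    return not (send_email_as_name_id and send_samaccount_as_name_id)


def name_id_source(send_email_as_name_id: bool, send_samaccount_as_name_id: bool):
    """Which user attribute becomes the NameID for the given option settings."""
    if not name_id_options_valid(send_email_as_name_id, send_samaccount_as_name_id):
        raise ValueError("Send SAMAccount as NameID requires Send E-Mail as NameID to be OFF")
    if send_email_as_name_id:
        return "mail"            # suitable for G Suite
    if send_samaccount_as_name_id:
        return "SAMAccountName"  # required for the CyberArk integration
    return None                  # server default; not stated on the page


if __name__ == "__main__":
    print(parse_sp_metadata(SAMPLE_SP_METADATA))
    print(name_id_source(False, True))  # SAMAccountName
```

Metadata without an SPSSODescriptor (for example, an IdP's own metadata pasted by mistake) is rejected outright, which is cheaper to discover here than after the first failed login.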

Creating a RADIUS Event

When you want to add multiple RADIUS clients, you can add them to the predefined RADIUS Server event. But all the RADIUS clients will use the same authentication chain(s). If you want to configure specific authentication chain(s) for different RADIUS clients, then you must create a custom RADIUS event. To add a custom RADIUS event, perform the following steps:

  1. Click Events > Add.

  2. Specify a name for the event.

  3. Ensure that Is enabled is set to ON.

  4. Select RADIUS from Event Type.

  5. Select the chains that you want to assign to the event.

  6. Select RADIUS from Endpoint whitelist.

  7. Click Add to add and assign a RADIUS Client to the event:

    1. Specify the IP address of the RADIUS Client in IP Address.

    2. Specify the RADIUS Client name in Name.

    3. Specify the RADIUS Client secret and confirm the secret.

    4. Ensure that the RADIUS Client is set to ON.

    5. Click to save the RADIUS Client.

    6. Add more RADIUS Clients if required.

  8. Specify NAS ID for the RADIUS event and use the same NAS ID on the configured RADIUS clients to associate them with the custom RADIUS event.

    NAS ID is a unique identifier to map RADIUS clients to the custom RADIUS event.

    NOTE: While configuring the predefined RADIUS Server event, NAS ID is optional. But when adding a custom RADIUS event, you must specify a NAS ID, which is used to map RADIUS clients to the custom RADIUS event.

  9. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate with Advanced Authentication. By default, Bypass user lockout in repository is set to OFF and users who are locked in the repository are not allowed to authenticate.

  10. Click Save.
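How a request ends up at a custom RADIUS event, as an added example that models the rules in this section and is not the appliance's RADIUS server. Modelled rules: every RADIUS client is identified by its IP address and has its own shared secret; a custom RADIUS event must carry a NAS ID, and the clients assigned to it send that value as their NAS-Identifier; on the predefined RADIUS Server event the NAS ID is optional. Falling back to the predefined event for requests that carry no matching NAS ID is an assumption of this model. All addresses, names, secrets and NAS IDs are constructed sample data.

```python
"""Model of how RADIUS requests map to RADIUS events via client IP and NAS ID.

Added example modelling the rules in this section; it is not the appliance's
RADIUS server. All client and event data below are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RadiusClient:
    ip: str
    name: str
    secret: bytes       # shared secret the server uses to validate this client's packets
    enabled: bool = True


@dataclass(frozen=True)
class RadiusEvent:
    name: str
    chains: Tuple[str, ...]            # authentication chain(s) specific to this event
    clients: Tuple[RadiusClient, ...]
    nas_id: Optional[str] = None       # required on custom events, optional on the predefined one
    predefined: bool = False


PREDEFINED = RadiusEvent(
    name="RADIUS Server",
    chains=("LDAP Password+Smartphone",),
    clients=(RadiusClient("192.0.2.10", "vpn-gateway", b"constructed-secret-1"),),
    predefined=True,
)
CUSTOM_WIFI = RadiusEvent(
    name="RADIUS WiFi",
    chains=("LDAP Password",),
    clients=(RadiusClient("192.0.2.20", "wifi-controller", b"constructed-secret-2"),),
    nas_id="wifi",
)
EVENTS = (PREDEFINED, CUSTOM_WIFI)


def validate_events(events) -> None:
    """Enforce the NOTE above: custom events need a NAS ID, and NAS IDs are unique."""
    seen = set()
    for ev in events:
        if not ev.predefined and not ev.nas_id:
            raise ValueError(f"custom RADIUS event {ev.name!r} has no NAS ID")
        if ev.nas_id:
            if ev.nas_id in seen:
                raise ValueError(f"NAS ID {ev.nas_id!r} is used by more than one event")
            seen.add(ev.nas_id)


def events_are_valid(events) -> bool:
    """Boolean form of validate_events, for tests and pre-save checks."""
    try:
        validate_events(events)
    except ValueError:
        return False
    return True


def route_request(events, src_ip: str, nas_identifier: Optional[str]):
    """Return (event, client) for an incoming request, or None to drop it.

    A RADIUS server silently discards packets from unknown clients; returning
    None mirrors that. The returned client record carries the secret the server
    would then use to validate the packet's authenticator.
    """
    # Custom events are matched by NAS-Identifier first; the predefined event
    # is the fallback (an assumption of this model, see the lead-in).
    candidates = [e for e in events if e.nas_id is not None and e.nas_id == nas_identifier]
    candidates += [e for e in events if e.predefined]
    for event in candidates:
        for client in event.clients:
            if client.enabled and client.ip == src_ip:
                return event, client
    return None


if __name__ == "__main__":
    validate_events(EVENTS)
    print(route_request(EVENTS, "192.0.2.20", "wifi"))
```

The wifi controller is only reachable through its own event: the same source address without the NAS-Identifier falls back to the predefined event, where it is not a registered client and is dropped, which is the behaviour to expect when a client's NAS ID is left unset after creating a custom event.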