A chain is a combination of authentication methods. A user must pass all methods in the chain to successfully authenticate. For example, if you create a chain with LDAP Password and SMS OTP, a user must first specify the LDAP Password. If the LDAP password is correct, the system sends an SMS with a One-Time-Password (OTP) to the user’s mobile. The user must specify the correct OTP to be authenticated.
Advanced Authentication provides the following chains by default:
LDAP Password Only: Any user from a repository can use this chain to get authenticated with the LDAP Password (single-factor) method.
Password Only: Any user who has a Password method enrolled can use this chain to get authenticated with the Password (single-factor) method.
You can create any number of chains with multiple authentication methods. To achieve enhanced security, include multiple methods in a chain.
Authentication comprises of the following three factors:
Something that you know such as password, PIN, and security questions.
Something that you have such as smart card, token, and mobile phone.
Something that you are such as biometrics (fingerprint or iris).
You can achieve multi-factor or strong authentication by using any two factors out of this list. For example, multi-factor authentication can include a combination of password and a token or a smartcard and a fingerprint.
After you create a chain, you can assign the chain to a specific user groups in your repository. The chain is then mapped to an event.
To create a new chain or edit an existing chain, perform the following steps:
Click Chains > New Chain.
Specify a name of the chain in Name.
NOTE:It is recommended not to use special characters (for example, +, & and so on) in the chain name. This is to avoid issues in the OAuth 2.0 and SAML 2.0 events.
Set Is enabled to ON to enable the chain.
Select the methods that you want to add to the chain from the Methods section.
You can prioritize the methods in the list. For example, if you create a chain with LDAP Password and HOTP methods, then the user will be prompted for the LDAP Password method first and then the OTP.
Specify the groups that will use the authentication chain in Roles and Groups.
You can specify the following roles and groups based on your requirement:
ALL USERS: Applicable for all users and groups of all added repositories.
<REPO\Group>: Applicable for a specific group from the repository. For example, to specify users of an IT staff group, specify FOCUS\IT staff.
<REPO Users>: Applicable for all users of a specific repository. For example, to use all users in the repository FOCUS, specify FOCUS Users.
IMPORTANT:It is recommended to not use those groups from which you cannot exclude users because you will not be able to free up a user's license. For example, you use a Repo Users group or ALL USERS group. If an employee from these groups leaves the company and you do not delete the user’s domain account but disable it, the license will not be freed.
Expand Advanced Settings by clicking + and configure the following settings as required:
Set Apply if used by endpoint owner to ON if an Endpoint owner must use the chain.
NOTE:The Endpoint owner feature is supported only for Windows Client, Mac OS Client, and Linux PAM Client.
(Conditional) Specify the MFA tags. When a user logs in to Windows on a workstation with Advanced Authentication Windows Client installed, the user's account is moved to the group specified in MFA tags.
NOTE:This functionality is available when you set the Enable filter to ON in the Logon Filter for AD policy and configured the Logon Filter.
For example, if you specify a Card users group from Active Directory in MFA tags, the user is moved from the legacy group (specified in the Advanced Settings of Active Directory repository) to the Card users group.
NOTE:If the user credentials are saved with Remember my credentials, the MFA tag does not work while connecting to the Remote Desktop.
(Conditional) Set Required chain to Nothing if this is a required (high-security) chain. To configure a linked chain within a specific time period after successful authentication with a required chain, choose an appropriate required chain. You also need to specify Grace period (mins). Within this time period, the linked chain can be used instead of the required chain. The maximum value for grace period is 44640 minutes (31 days).
For example, LDAP Password+Card is a required chain and Card is a linked chain. The users must use LDAP Password+Card chain once in every eight hours and within this period, they can provide only card without the LDAP Password to authenticate.
IMPORTANT:The Required chain option is available when Linked Chains is set to ON in the Linked chains policy. You must assign both a required and a linked chain to an Event. The linked chain must be of higher order than the corresponding required chain.
(Conditional) Expand Risk Settings by clicking + and select a risk level in Minimum Risk Level.
A user can use this chain for completing authentication if the risk associated with the login attempt matches or above the selected value.
For example, you have selected Low. This chain will be shown to the user if the risk level of that login attempt is low, medium, or high.If you have selected Medium, the chain will be shown to the user when the risk level of the login attempt is medium or high.
IMPORTANT:This option is available when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.
The following scenarios describe which chains are displayed if a rule is set as the decisive rule with a specific action:
When a rule is set as the decisive rule with action, Allow Access and if the rule succeeds, the risk level is calculated as Low. User is shown with all chains (Low, Medium, and High) for authentication.
When a rule is set as the decisive rule with action, Deny Access and if the rule fails, the risk level is calculated as High. User is denied access and a message Access has been denied is displayed without the chain selection.
You as a top administrator can enforce the configurations of a chain on secondary tenants. After you configure the settings for a chain, you can freeze those configurations for that specific tenant. The tenant will not be able to edit the settings in the tenant administrator console that have been enforced by the top administrator for that chain.
To enforce the configurations for a specific tenant, perform the following steps:
In the Tenancy settings, click + to expand the settings.
Select the tenant to whom you want to enforce the configurations in Force the configuration for the tenants.
After you add a tenant, the Hide forced settings option is displayed. You can turn this option to ON if you want to hide the configurations that you have enforced on the tenant. This will be hidden on the tenant administrator console.
(Conditional) In Custom names, you can specify the chain name in a specific language. To do this click + to expand the settings and specify the chain name.
Click Save.
IMPORTANT:If you have configured more than one chain using one method (for example, LDAP Password, LDAP Password+Smartphone) and assigned it to the same group of users and the same event, then the top chain is always used if the user has enrolled all methods in the chain. An exception is the use of a high-security chain and its appropriate simple chain, where the simple chain must be higher than its high-security chain.