A chain is a combination of authentication methods. A user must pass all methods in the chain to successfully authenticate. For example, if you create a chain with LDAP Password and SMS OTP, a user must first specify the LDAP Password. If the LDAP password is correct, the system sends an SMS with a One-Time-Password (OTP) to the user’s mobile. The user must specify the correct OTP to be authenticated.
Advanced Authentication provides the following chains by default:
: Any user from a repository can use this chain to get authenticated with the LDAP Password (single-factor) method.
: Any user who has a Password method enrolled can use this chain to get authenticated with the Password (single-factor) method.
You can create any number of chains with multiple authentication methods. To achieve enhanced security, include multiple methods in a chain.
Authentication comprises the following three factors:
Something that you know, such as a password, a PIN, or security questions.
Something that you have, such as a smart card, a token, or a mobile phone.
Something that you are, such as biometrics (fingerprint or iris).
You achieve multi-factor (strong) authentication by combining any two factors from this list. For example, multi-factor authentication can combine a password and a token, or a smart card and a fingerprint.
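The two points above, that a chain is evaluated method by method in order and that strength comes from combining different factor classes rather than simply more methods, as an added Python example. This is illustrative code written for this page, not the product's implementation; the method-to-factor mapping, the chain and the demo user's secrets are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping: which factor each method proves (method names assumed for illustration)
METHOD_FACTOR: Dict[str, Factor] = {
    "LDAP Password": Factor.KNOW,
    "Password": Factor.KNOW,
    "Security Questions": Factor.KNOW,
    "SMS OTP": Factor.HAVE,
    "HOTP": Factor.HAVE,
    "Card": Factor.HAVE,
    "Fingerprint": Factor.ARE,
}


@dataclass
class Chain:
    name: str
    methods: List[str]  # prompted in list order


def factors_of(chain: Chain) -> Set[Factor]:
    return {METHOD_FACTOR[m] for m in chain.methods}


def is_multi_factor(chain: Chain) -> bool:
    """Strong authentication needs methods from two *different* factor classes:
    Password + Security Questions is two methods but still a single factor."""
    return len(factors_of(chain)) >= 2


# A verifier checks one method's response and returns True on success.
Verifier = Callable[[str, str], bool]


def authenticate(chain: Chain, responses: Dict[str, str], verify: Verifier) -> Tuple[bool, List[str]]:
    """Walk the chain in order and stop at the first failing method.
    Returns (authenticated, methods that were actually prompted), which makes visible
    that the second method (e.g. the SMS OTP) is never requested when the first fails."""
    prompted: List[str] = []
    for method in chain.methods:
        prompted.append(method)
        if not verify(method, responses.get(method, "")):
            return False, prompted
    return True, prompted


# Constructed demo user; a real deployment verifies against the repository and the OTP server.
USER_SECRETS = {"LDAP Password": "correct-horse", "SMS OTP": "493021"}


def demo_verify(method: str, response: str) -> bool:
    return USER_SECRETS.get(method) == response


if __name__ == "__main__":
    chain = Chain("LDAP Password + SMS OTP", ["LDAP Password", "SMS OTP"])
    print(is_multi_factor(chain))
    print(authenticate(chain, {"LDAP Password": "wrong"}, demo_verify))
```

The `prompted` list returned by `authenticate` is the useful detail: because evaluation stops at the first failure, the OTP is only generated and sent once the LDAP password has been accepted, which limits the SMS cost and exposure of a wrong-password flood to the first step.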
After you create a chain, you can assign it to specific user groups in your repository. The chain is then mapped to an event.
To create a new chain or edit an existing chain, perform the following steps:
Specify a name of the chain in.
NOTE: It is recommended not to use special characters (for example, +, &, and so on) in the chain name, to avoid issues with OAuth 2.0 and SAML 2.0 events.
Set to to enable the chain.
Select the methods that you want to add to the chain from the section.
You can prioritize the methods in the list. For example, if you create a chain with LDAP Password and HOTP methods, then the user will be prompted for the LDAP Password method first and then the OTP.
Specify the groups that will use the authentication chain in.
You can specify the following roles and groups based on your requirement:
: Applicable for all users and groups of all added repositories.
: Applicable for a specific group from the repository. For example, to specify the users of a group, specify .
: Applicable for all users of a specific repository. For example, to use all users in the repository , specify .
IMPORTANT: It is recommended not to use groups from which you cannot exclude users, because you will not be able to free up a user's license. For example, you use a group or group. If an employee from these groups leaves the company and you disable the user's domain account instead of deleting it, the license is not freed.
Expand by clicking and configure the following settings as required:
Set to if an Endpoint owner must use the chain.
NOTE: The Endpoint owner feature is supported only for the Windows Client, Mac OS Client, and Linux PAM Client.
(Conditional) Specify the. When a user logs in to Windows on a workstation with Advanced Authentication Windows Client installed, the user's account is moved to the group specified in .
NOTE: This functionality is available when you set to in the policy and have configured the Logon Filter.
For example, if you specify a group from Active Directory in , the user is moved from the legacy group (specified in the of the Active Directory repository) to the group.
NOTE: If the user credentials are saved with , the MFA tag does not work while connecting to the Remote Desktop.
(Conditional) Set to if this is a required (high-security) chain. To allow a linked chain within a specific time period after a successful authentication with a required chain, choose the appropriate required chain. You also need to specify . Within this time period, the linked chain can be used instead of the required chain. The maximum grace period is 44640 minutes (31 days).
For example, LDAP Password+Card is a required chain and Card is a linked chain. Users must use the LDAP Password+Card chain once every eight hours; within this period they can authenticate with only the Card, without the LDAP Password.
IMPORTANT: The option is available when Linked Chains is set to ON in the Linked chains policy. You must assign both a required and a linked chain to an Event. The linked chain must be of higher order than the corresponding required chain.
(Conditional) Expand by clicking and select a risk level in .
A user can use this chain to complete authentication if the risk associated with the login attempt matches or is above the selected value.
For example, if you select Low, this chain is shown to the user when the risk level of the login attempt is low, medium, or high. If you select Medium, the chain is shown to the user when the risk level of the login attempt is medium or high.
IMPORTANT: This option is available when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.
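The two chain-availability rules described above, the linked-chain grace period (the LDAP Password+Card / Card example) and the risk-level threshold, modelled together in an added Python example. This is illustrative code written for this page, not the product's implementation; the chain names, the eight-hour grace period, the timestamps and the order of the policies are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, List, Optional

MAX_GRACE_MINUTES = 44640  # 31 days, the upper bound stated for the grace period


class RiskLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class ChainPolicy:
    """Settings of one chain as assigned to an event (constructed model)."""
    name: str
    min_risk: RiskLevel = RiskLevel.LOW    # chain is offered when login risk >= this level
    required_chain: Optional[str] = None   # set only on a linked chain: name of its required chain
    grace_period_minutes: int = 0          # linked chain only

    def __post_init__(self) -> None:
        if self.required_chain is not None and not 0 < self.grace_period_minutes <= MAX_GRACE_MINUTES:
            raise ValueError("grace period must be between 1 and %d minutes" % MAX_GRACE_MINUTES)


def risk_permits(policy: ChainPolicy, login_risk: RiskLevel) -> bool:
    """A chain configured as Low is shown for low, medium and high logins,
    Medium for medium and high, High only for high."""
    return login_risk >= policy.min_risk


def within_grace(policy: ChainPolicy, last_required_success: Dict[str, datetime], now: datetime) -> bool:
    """A linked chain may replace its required chain only within the grace period
    after the user's last successful authentication with that required chain."""
    if policy.required_chain is None:
        return True                      # not a linked chain: no grace constraint
    last = last_required_success.get(policy.required_chain)
    if last is None:
        return False                     # required chain never passed by this user
    return now - last <= timedelta(minutes=policy.grace_period_minutes)


def offered_chains(policies: List[ChainPolicy], login_risk: RiskLevel,
                   last_required_success: Dict[str, datetime], now: datetime) -> List[str]:
    """Chains offered for this login, in configured order. Keep a linked chain above
    its required chain: when all methods are enrolled, the topmost chain is the one used."""
    return [p.name for p in policies
            if risk_permits(p, login_risk) and within_grace(p, last_required_success, now)]


# Constructed policy set: Card is the linked chain of LDAP Password+Card with an 8-hour grace period
POLICIES = [
    ChainPolicy("Card", RiskLevel.LOW, required_chain="LDAP Password+Card", grace_period_minutes=480),
    ChainPolicy("LDAP Password+Card", RiskLevel.LOW),
    ChainPolicy("LDAP Password+SMS OTP", RiskLevel.MEDIUM),
]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)   # constructed: user's last LDAP Password+Card success
    history = {"LDAP Password+Card": t0}
    print(offered_chains(POLICIES, RiskLevel.LOW, history, t0 + timedelta(hours=2)))   # Card still usable
    print(offered_chains(POLICIES, RiskLevel.LOW, history, t0 + timedelta(hours=9)))   # grace expired
```

Two details worth noting: the grace period is measured from the last success with the required chain, so a user who has never completed it is never offered the linked chain; and the policies are kept in the order the page prescribes (linked chain above its required chain), so the first entry of the returned list is the chain that is actually used when the user has enrolled every method.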
The following scenarios describe which chains are displayed if a rule is set as the decisive rule with a specific action:
When a rule is set as the decisive rule with the action and the rule succeeds, the risk level is calculated as Low. The user is shown all chains (Low, Medium, and High) for authentication.
When a rule is set as the decisive rule with the action and the rule fails, the risk level is calculated as High. The user is denied access, and the message Access has been denied is displayed without the chain selection.
As a top administrator, you can enforce the configuration of a chain on secondary tenants. After you configure the settings for a chain, you can freeze those settings for a specific tenant. The tenant cannot edit, in the tenant administrator console, the settings that the top administrator has enforced for that chain.
To enforce the configurations for a specific tenant, perform the following steps:
In the, click to expand the settings.
Select the tenant on which you want to enforce the configurations in .
After you add a tenant, the option is displayed. Turn this option to if you want to hide the configurations that you have enforced on the tenant; they are then hidden in the tenant administrator console.
(Conditional) In , you can specify the chain name in a specific language. To do this, click to expand the settings and specify the chain name.
IMPORTANT: If you have configured more than one chain using the same method (for example, , ) and assigned them to the same group of users and the same event, the top chain is always used if the user has enrolled all methods in the chain. An exception is the use of a high-security chain and its corresponding simple chain, where the simple chain must be placed higher than its high-security chain.