6.19 Out-of-band

The Out-of-band method lets users perform out-of-band authentication through the Out-of-band (OOB) portal. Out-of-band authentication allows you to use any of the supported methods in scenarios where the method cannot be used directly on the endpoint that is being authenticated.

For example, use a fingerprint or card to log in to a VPN (RADIUS authentication), face recognition or a U2F token to log in to an SSH session, and SMS OTP or Smartphone to log in to a z/OS mainframe. The Out-of-band method is enrolled automatically.

Advanced Authentication offers the Out-of-band portal, where users can manage authentication requests and perform authentication. This portal displays all pending authentication requests when a user tries to authenticate with the Out-of-band method. It works similarly to the Smartphone method: on the portal, a user can accept or reject the authentication request.

To allow users to access the Out-of-band portal, ensure that the following prerequisites are met:

  • Specify the Hostname in the host.domain.com format during the Advanced Authentication server installation. Ensure that the hostname resolves correctly through DNS.

    For more information, see Step 7 in Installing Advanced Authentication.

  • Specify the DNS hostname in My DNS hostname when you configure the Advanced Authentication server post-installation.

    NOTE: Ensure that the DNS name is resolvable by the specified DNS server.

  • Upload a valid public SSL certificate for the DNS name on the Advanced Authentication (AA) servers or on a load balancer in Server Options.

    For more information, see Configuring the Server Options.

  • Set the Public URL with the hostname of Advanced Authentication server (for example, https://host.domain.com/) in Policies > Public External URL.

  • Assign a chain to the OOB UI logon event.

    For more information, see OOB UI Logon Event.

For ease of accessibility, users can install one of the following authentication agents:

In the Push notification max age (minutes) option, you can configure the maximum time, in minutes, for which a push notification is sent to the Authentication Agent for Web or the OOB portal on the subscribed device. The subscribed device can be the Authentication Agent for Web on a desktop or on an Android smartphone. Apple iOS does not support push notifications for PWA apps. The default value is 525600 minutes (1 year).

6.19.1 Authentication Agent for Windows

Authentication Agent for Windows is supported only on Microsoft Windows. It enables users to perform multi-factor authentication on one device to get authorized access to an event or another device that does not have a user interface or where it is not possible to connect or use a required authentication device.

When a user initiates the out-of-band authentication, an Authentication Agent window appears automatically. The user must authenticate using any available chain to access the authentication request, which is presented with the Accept and Reject buttons.

For more information, see Advanced Authentication - Windows Authentication Agent.

The following image describes the authentication flow for the Out-of-band method when the Authentication Agent for Windows is in use.

A user wants to authenticate on an endpoint such as a laptop or a website with the Out-of-band method. The following steps describe the authentication flow:

  1. When the authentication request is initiated on the Client side (application, Client, RADIUS, etc.), the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials.

  3. After validating the credentials, the Advanced Authentication server sends an authentication request to the Windows machine that runs the Authentication Agent for Windows. A restricted browser window prompts the user to authenticate. The user authenticates using any available chain to log in to the OOB portal, where the request is shown with the Accept and Reject options. The user’s response is then sent to the server.

  4. Finally, the server validates the authentication and the endpoint gets authenticated.

    HTTPS is used for all of this communication.

6.19.2 Authentication Agent for Web

Authentication Agent for Web is a browser-based Progressive Web Application (PWA) that can be installed using the Google Chrome browser on any desktop or mobile operating system.

When a user initiates the out-of-band authentication, a push notification is sent to the last subscribed device running the Authentication Agent for Web. The push notification provides information about the pending authentication request. After initiating the out-of-band authentication, the user does not need to wait for the push notification; the user can instead open the Authentication Agent for Web or log in to the OOB portal to check for the pending authentication request.

The following image describes the authentication flow for the Out-of-band method when the Authentication Agent for Web is in use.

A user wants to authenticate on an endpoint such as a laptop or a website with the Out-of-band method. The following steps describe the authentication flow:

  1. When the authentication request is initiated on the Client side (application, Client, RADIUS, etc.), the endpoint contacts the Advanced Authentication server.

  2. The Advanced Authentication server validates the user’s credentials.

  3. After validating the credentials, the Advanced Authentication server sends a push message to the third-party push services.

  4. The third-party push services forward the push message to the subscribed device, which runs the Authentication Agent for Web PWA app or the OOB portal.

  5. The user clicks the push message to open the PWA app or the OOB portal, or opens the PWA app or the OOB portal manually. A message prompts the user to authenticate. The user authenticates using any available chain to log in to the OOB portal, where the request is shown with the Accept and Reject options. The user’s selection is then sent to the server.

  6. Finally, the server validates the authentication and the endpoint gets authenticated.

    HTTPS is used for all of this communication.

IMPORTANT: To receive the push messages, you must enable notifications in your browser for the OOB portal or the Authentication Agent for Web app. By default, notifications are blocked.
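The two flows above (Authentication Agent for Windows and Authentication Agent for Web) share the same server-side lifecycle: a pending request is created after credential validation, it is delivered to the last subscribed device, the portal user accepts or rejects it, and the server validates that answer. The following Python model is an added illustration of that lifecycle, not Advanced Authentication product code; the class and method names are invented, and it assumes that the Push notification max age also bounds how long a pending request stays answerable.

```python
"""Illustrative model of the Out-of-band (OOB) request lifecycle (constructed example)."""
from dataclasses import dataclass
import secrets
import time

DEFAULT_MAX_AGE_MIN = 525600  # page default for "Push notification max age (minutes)"


@dataclass
class OobRequest:
    request_id: str
    username: str
    origin: str              # constructed label for the requesting endpoint, e.g. "RADIUS"
    created_at: float
    status: str = "pending"  # pending | accepted | rejected | expired


class OobServer:
    def __init__(self, max_age_minutes=DEFAULT_MAX_AGE_MIN, clock=time.time):
        self.max_age = max_age_minutes * 60   # assumption: max age also expires the request
        self.clock = clock                    # injectable clock so expiry can be tested
        self.requests = {}
        self.subscribed_device = None         # the last subscribed device receives the push

    def subscribe(self, device):
        self.subscribed_device = device       # a later subscription replaces the earlier one

    def initiate(self, username, origin):
        # Steps 1-3: credentials are assumed validated; create the pending request and push it.
        req = OobRequest(secrets.token_urlsafe(16), username, origin, self.clock())
        self.requests[req.request_id] = req
        if self.subscribed_device is not None:
            self.subscribed_device.append({"request_id": req.request_id, "user": username})
        return req.request_id

    def pending_for(self, username):
        # What the OOB portal lists once the user has logged in with any available chain.
        self._expire_old()
        return [r for r in self.requests.values() if r.username == username and r.status == "pending"]

    def respond(self, request_id, portal_user, accept):
        # Final steps: the Accept/Reject selection comes back and the server validates it.
        self._expire_old()
        req = self.requests.get(request_id)
        if req is None or req.username != portal_user or req.status != "pending":
            return "rejected"   # unknown request, wrong user, or already decided/expired
        req.status = "accepted" if accept else "rejected"
        return req.status

    def _expire_old(self):
        now = self.clock()
        for r in self.requests.values():
            if r.status == "pending" and now - r.created_at > self.max_age:
                r.status = "expired"
```

The checks in respond are the ones that matter for a defender: a request can be answered only once, only by the user it was issued for, and only while it is younger than the configured max age.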