11.1 Configuring an Existing Event

  1. Click Events > New Event.

  2. Specify a name for the event in Name.

  3. Ensure that Is enabled is set to ON if you want to use the event.

  4. Select the Event type.

    For most of the predefined events, you cannot change the Event type. For events such as Windows logon, Linux logon, and Mac OS logon, you can change the Event type from OS Logon (domain) to OS Logon (local) if the workstations are not joined to the domain.

    • Select OS Logon (domain) to allow only domain-joined users to log in to the event.

    • Select OS Logon (local) to allow any Advanced Authentication user from any repository to access the event. However, users must map themselves to a local user account during their first login by providing the credentials.

  5. Set reCAPTCHA to ON if you want the Google reCAPTCHA option to be displayed on the login page for this event.

    The reCAPTCHA option is displayed only when you enable the Google reCAPTCHA Options policy.

    NOTE:The reCAPTCHA option is supported only for the Admin UI event, Authenticators Management event, Helpdesk event, Helpdesk user event, Report logon event, Tokens Management event, and the Search Card event.

  6. By default, All Categories is set to ON. When multiple event categories are created, users can enroll an authentication method multiple times (one enrolled method per category).

    When All Categories is set to ON, users can authenticate to the event using any of the supported methods (Card, FIDO U2F, HOTP, Password, and TOTP) and Advanced Authentication automatically chooses an appropriate authentication method.

    To use other methods, Advanced Authentication prompts for the category selection.

    The All Categories option is displayed only if you have added categories in the Event Categories policy.

    For example, an administrator has configured two categories, CAT1 and CAT2. The Default category is predefined in the Administration portal. Users can enroll three devices. All Categories is set to ON for the Windows logon event. A user has three cards and enrolls each to a category as follows:

    • Card 1 to Default

    • Card 2 to CAT1

    • Card 3 to CAT2

    After enrolling cards, the user can authenticate to the Windows event by using one of the enrolled cards.

    You can set All Categories to OFF if you want to disable support for multi-enrollment of supported methods.

    The Authenticator category is displayed when All Categories is set to OFF. Select the preferred category from Authenticator category.

  7. Select the chains that you want to assign to the current event.

    In an event, you can configure a prioritized list of chains that can be used to get access to that specific event.

  8. (Conditional) In Risk Policy, select the policy that you want to assign to this event for assessing the risk associated with a login attempt.

  9. (Conditional) Click Create New Policy to create a new risk policy for this event.

    Clicking this option opens the Risk Settings page.

    IMPORTANT:Risk Policy and Create New Policy options are available when you enable Risk Settings. For more information, see Section III, Configuring Risk Settings.

  10. If you want to restrict which endpoints can access the event, add all the endpoints that must have access to the Endpoints whitelist. The remaining endpoints are blacklisted automatically. If the Endpoints whitelist is blank, all endpoints are considered for authentication.

    IMPORTANT:Endpoints whitelist supports only the Windows Logon, Linux Logon, and Mac OS Logon events.

  11. Set Geo-fencing to ON to enable geo-fencing. Move the permitted zones from Available to Used. For more information about configuring geo-fencing, see the Smartphone method.

    IMPORTANT:You must enable the Geo Fencing Options policy to use the geo-fencing functionality.

  12. Select Allow Kerberos SSO if you want to enable single sign-on (SSO) to the Advanced Authentication portals. Kerberos SSO is supported for AdminUI, Authenticators Management, Helpdesk, and Report logon events.

    IMPORTANT:To use the Kerberos SSO feature, you must configure the Kerberos SSO Options policy and upload a keytab file.

  13. Set Logon with Expired Password with one of the following options based on your requirement:

    • Allow: Select this option to allow users to log in to the event with the expired LDAP password.

    • Ask to change: If the password has expired, this option prompts users to change the password during logon. Changing the LDAP password is supported only for Active Directory repositories. However, the LDAP password change in Advanced Authentication is not allowed when the LDAP Servers in the Repository settings are configured with port 389, because the LDAP server rejects the new password when it is sent over that unencrypted connection.

    • Deny: Select this option to deny access to the event with the expired LDAP password. When the access is denied, the following message is displayed to users:

      You must change your password to logon.

  14. Set Bypass user lockout in repository to ON if you want to allow users who are locked in the repository to authenticate to Advanced Authentication. By default, Bypass user lockout in repository is set to OFF, and users who are locked in the repository are not allowed to authenticate.

  15. Set Allow token re-use to ON if you want to allow users to apply the same OTP multiple times within the Allow re-sending after (seconds) duration for authentication. This option is applicable to the Email OTP, SMS OTP, and Voice OTP methods.

    By default, Allow token re-use is set to OFF and users are not allowed to apply the OTP more than once within the Allow re-sending after (seconds) duration that has been set for Email OTP, SMS OTP, and Voice OTP methods.

  16. Set Return groups on logon to ON if you want to retrieve the group details of users who authenticated to the event in the authentication response.

    With Return groups on logon set to ON, if Groups is empty, all the groups that the users are associated with are returned in the response. However, to return the required groups, specify the preferred groups in Groups.

    The authentication response of a RADIUS event can be lengthy if a user is associated with several groups. Therefore, it is recommended to use Groups to limit the groups returned in the response.

    By default, Return groups on logon is set to ON for all events except for Authenticators Management, Smartphone Enrollment, and SAML 2.0 events.

    When this option is set to OFF, the groups of users authenticated to the event are not returned in the response.

  17. You as a top administrator can enforce the configuration of events (except the RADIUS Server event) on secondary tenants. After configuring the settings for the event, you can freeze those settings for a specific tenant. The tenant cannot edit the settings in the tenant administrator console that have been enforced by the top administrator for that event.

    To enforce the configurations for a specific tenant, perform the following steps:

    1. In the Tenancy settings, click +.

    2. In Force the configuration for the tenants, select the tenant on which you want to enforce the configuration.

    3. After you select a tenant, the Hide forced settings option is displayed. Set Hide forced settings to ON if you want to hide the configurations that you have enforced on the tenant. When this option is set to ON, the enforced settings are not shown in the tenant administrator console.

  18. Select the Allow to logon to this event by shared authenticator option to allow users to log in using shared authenticators. By default, this option is disabled for the Authenticators Management, Helpdesk, Helpdesk User, AdminUI, Search Card, Token Management, and Report Logon events and enabled for all other events.

    NOTE:The Allow to logon to this event by shared authenticator option is displayed if you enable the Enable sharing of authenticators option in Authenticator Management Options policy.

  19. Click Save.

  20. Click Initialize default chains to revert the changes that are applied to the default configuration.

NOTE:If you have configured more than one chain using one method (for example, LDAP Password, LDAP Password+Smartphone) and assigned it to the same group of users and to the same event, the top chain is always used if the user has enrolled all the methods in the chain. An exception is the use of a high-security chain and its appropriate simple chain, where the simple chain must be higher than its high-security chain.

HINT:It is recommended to have a single chain with the Emergency Password method at the top of the chains list in the Authenticators Management event and other events, which are used by users. The chain will be ignored if the user does not have the Emergency Password enrolled. The user can use the Emergency Password immediately after the helpdesk administrator enrolls the user with the Emergency Password authenticator.
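The following Python model, added here as an illustration and not part of the product or this guide, shows how the rules in steps 6, 7 and 10 and in the NOTE and HINT above combine for one login: the blank-means-all Endpoints whitelist, the All Categories versus Authenticator category enrollment check, and top-down chain priority where an Emergency Password chain at the top is skipped when the user has none enrolled. The event, chain, group and endpoint names are constructed samples; the high-security chain exception in the NOTE is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Chain:
    name: str
    methods: tuple                      # e.g. ("LDAP Password", "Smartphone")
    groups: frozenset = frozenset()     # empty = assigned to every user

@dataclass
class Event:
    name: str
    chains: list                        # prioritized: top chain first
    endpoint_whitelist: frozenset = frozenset()   # empty = all endpoints allowed
    all_categories: bool = True
    authenticator_category: str = "Default"       # used when all_categories is False

def endpoint_allowed(event, endpoint):
    """A blank whitelist admits every endpoint; otherwise only listed ones."""
    return not event.endpoint_whitelist or endpoint in event.endpoint_whitelist

def method_usable(event, enrollments, method):
    """enrollments maps a method name to the set of categories it is enrolled in."""
    cats = enrollments.get(method, set())
    if event.all_categories:
        return bool(cats)               # any enrolled category is acceptable
    return event.authenticator_category in cats

def select_chain(event, user_groups, enrollments):
    """First chain (top to bottom) assigned to the user whose methods are all usable."""
    for chain in event.chains:
        if chain.groups and not (chain.groups & user_groups):
            continue                    # chain not assigned to this user's groups
        if all(method_usable(event, enrollments, m) for m in chain.methods):
            return chain
    return None                         # no chain applies: login is refused

# Constructed sample: Emergency Password chain on top, then two LDAP chains for "Staff".
WINDOWS_LOGON = Event(
    name="Windows logon",
    chains=[
        Chain("Emergency", ("Emergency Password",)),
        Chain("LDAP+Smartphone", ("LDAP Password", "Smartphone"), frozenset({"Staff"})),
        Chain("LDAP only", ("LDAP Password",), frozenset({"Staff"})),
    ],
    endpoint_whitelist=frozenset({"WS-01", "WS-02"}),
)

if __name__ == "__main__":
    alice = {"LDAP Password": {"Default"}, "Smartphone": {"Default"}}
    print(select_chain(WINDOWS_LOGON, {"Staff"}, alice).name)   # LDAP+Smartphone
```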

By default, Advanced Authentication contains the following events: