6.4 Configuring the Advanced Authentication Tool for Two-Factor Authentication Using NetIQ Advanced Authentication Framework

The Advanced Authentication tool supports the use of one-time passwords (OTPs) for two-factor authentication of users as they access applications through CloudAccess. The tool works with the NetIQ Advanced Authentication Framework appliance.

With two-factor authentication, users must provide two categories of authentication factors before they can access the applications:

  • Something the user knows: The first authentication factor requires something the user knows, such as the password for the user’s single-sign-on user name.

  • Something the user has: The second authentication factor requires something the user has, such as a device to uniquely generate or receive one-time passwords or authentication requests that can be used only for that access moment.

Two-factor authentication provides an additional layer of security that helps ensure the identity of a user and reduce the risk of unauthorized access to your applications. Users still enjoy the convenience of single sign-on, but the access is more secure.

The Advanced Authentication tool supports multiple types of authentication providers for OTP in the NetIQ Advanced Authentication Framework. You configure a separate instance of the tool for each authentication provider type you want users to use. For each authentication provider type, you can enable one or more applications, but they must be mutually exclusive of the applications that you enable in other instances. The applications must also be mutually exclusive of applications configured to use the Time-Based One-Time Password tool with Google Authenticator.

At a user’s next login, the tool prompts the user for additional authentication, according to the authentication provider type enabled for the application. If you enable a single authentication provider type for all applications, the prompt occurs immediately after CloudAccess validates the user’s credentials. Otherwise, the prompt occurs when the user first selects any one of the applications enabled for Advanced Authentication. The authentication automatically applies to all applications for that session that were also enabled for the same type of authentication provider.
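The assignment and prompting rules above (one provider type per application, no overlap with the Time-Based One-Time Password tool, and a prompt that is deferred until the user first selects an enabled application unless a single provider type covers every application) are easy to get wrong across several tool instances. The following Python script is an added example, not part of this documentation or the CloudAccess product, that models those rules so an administrator can check a planned configuration before entering it. The instance names, application names and the `Session` class are constructed for illustration; only the rules come from the text.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample configuration, not taken from the documentation. Each key is
# the authentication type selected for one Advanced Authentication tool instance;
# the value is the set of applications checked on that instance's Applications tab.
SAMPLE_INSTANCES: Dict[str, Set[str]] = {
    "SMS": {"salesforce", "office365"},
    "Smartphone": {"jira"},
}
# Applications enabled on the separate Time-Based One-Time Password tool.
SAMPLE_TOTP_APPS: Set[str] = {"github"}
# Every application defined in CloudAccess; "wiki" has no second factor at all.
SAMPLE_ALL_APPS: Set[str] = {"salesforce", "office365", "jira", "github", "wiki"}


def find_conflicts(instances: Dict[str, Set[str]],
                   totp_apps: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (application, [tools]) pairs for every application enabled in more
    than one tool. An empty list means the configuration obeys the rule that each
    application belongs to exactly one provider type (or to the TOTP tool)."""
    owners: Dict[str, List[str]] = {}
    for auth_type, apps in instances.items():
        for app in apps:
            owners.setdefault(app, []).append(f"AdvancedAuthentication[{auth_type}]")
    for app in totp_apps:
        owners.setdefault(app, []).append("TOTP")
    return sorted((app, tools) for app, tools in owners.items() if len(tools) > 1)


def provider_for(app: str, instances: Dict[str, Set[str]]) -> Optional[str]:
    """Authentication type that protects `app`, or None if no instance enables it."""
    for auth_type, apps in instances.items():
        if app in apps:
            return auth_type
    return None


class Session:
    """Models when CloudAccess prompts for the second factor during one login session."""

    def __init__(self, instances: Dict[str, Set[str]], all_apps: Set[str]) -> None:
        conflicts = find_conflicts(instances, ())
        if conflicts:
            raise ValueError(f"application assigned to more than one provider: {conflicts}")
        self.instances = instances
        self.all_apps = all_apps
        self.satisfied: Set[str] = set()  # provider types already authenticated

    def prompts_at_login(self) -> bool:
        """True when a single provider type covers every application, so the
        prompt follows credential validation immediately."""
        if len(self.instances) != 1:
            return False
        (apps,) = self.instances.values()
        return apps == self.all_apps

    def open_app(self, app: str) -> Optional[str]:
        """Return the provider type the user is prompted for when selecting `app`,
        or None when no prompt is needed (no second factor, or already satisfied)."""
        if app not in self.all_apps:
            raise KeyError(app)
        auth_type = provider_for(app, self.instances)
        if auth_type is None or auth_type in self.satisfied:
            return None
        return auth_type

    def complete(self, auth_type: str) -> None:
        """Record a successful second-factor authentication; it now applies to
        every application enabled for the same provider type this session."""
        self.satisfied.add(auth_type)


if __name__ == "__main__":
    print("conflicts:", find_conflicts(SAMPLE_INSTANCES, SAMPLE_TOTP_APPS))
    session = Session(SAMPLE_INSTANCES, SAMPLE_ALL_APPS)
    print("prompt at login:", session.prompts_at_login())
    for name in ("wiki", "salesforce", "office365", "jira"):
        needed = session.open_app(name)
        print(f"open {name}: prompt for {needed}")
        if needed:
            session.complete(needed)
```

Run the script as-is to see the sample walk-through; to check your own plan, replace the `SAMPLE_*` values with the applications you intend to enable on each tool instance and confirm that `find_conflicts` returns an empty list before you click Apply.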

For more information about using the NetIQ Advanced Authentication Framework and the supported authentication providers, see the NetIQ Advanced Authentication Framework documentation website.

Use the information in the following sections to configure your system for Advanced Authentication:

6.4.1 Requirements for Advanced Authentication

Ensure that your system meets the following requirements before you configure Advanced Authentication as an authentication method:

  • A CloudAccess appliance, installed and configured.

  • A NetIQ Advanced Authentication Framework 5.x or later appliance, installed and configured.

  • The authentication providers you want to use, installed and configured on the NetIQ Advanced Authentication Framework appliance. The Advanced Authentication tool supports many of the authentication providers available in Advanced Authentication Framework.

    Before you configure the Advanced Authentication tool, ensure that you install and configure the authentication providers that you want to use on the NetIQ Advanced Authentication Framework appliance. For more information, see the NetIQ Advanced Authentication Framework documentation website.

    For SMS and Voice Call, the user's telephone number that will be used for authentication should be specified in the user’s properties in Active Directory.

  • The users must use the NetIQ Advanced Authentication Framework client or web user interface to enroll or re-enroll for the authentication providers that you want them to use.

  • Identify the type of authentication provider that you want to use for each of your destination applications.

NOTE: You can use the NetIQ Advanced Authentication Framework for applications on desktop browsers, but this does not work with MobileAccess. When users access an application from MobileAccess, they are automatically logged in, ignoring any advanced authentication rules that you configure in CloudAccess. MobileAccess supports only OAuth by design.

6.4.2 Configuring the Advanced Authentication Tool

Before you configure the Advanced Authentication tool, ensure that your setup meets the requirements described in Section 6.4.1, Requirements for Advanced Authentication.

To configure the Advanced Authentication tool:

  1. Log in with an appliance administrator account to the administration console at

    https://appliance_dns_name/appliance/index.html

  2. Drag the Advanced Authentication tool from the Tools palette to the Tools panel.

  3. Configure the Advanced Authentication feature:

    Authentication type: Select the type of authentication provider that you want to enable for the specified appliance running the NetIQ Advanced Authentication Framework.

    NAAF host name/port: Specify the host name of the appliance running NetIQ Advanced Authentication Framework. The default port number is 443.

  4. Click the Applications tab, then select the check box next to one or more applications that require the specified authentication provider.

    You can enable one or more applications for the specified type of authentication provider. However, you must assign each application to only one type of authentication provider.

  5. Click OK to save the settings and enable the tool.

  6. Click Apply to activate the configuration.

  7. Wait while the service is activated across all nodes in the cluster. Do not attempt other configuration actions until the activation completes successfully.