9.4 Configuring the Advanced Authentication Tool for Two-Factor Authentication Using the Advanced Authentication Appliance

The Advanced Authentication tool in CloudAccess supports the use of one-time passwords (OTPs) for two-factor authentication of users as they access applications through CloudAccess. The tool works with the Advanced Authentication appliance.

With two-factor authentication, users must provide two categories of authentication factors before they can access the applications:

  • Something the user knows: The first authentication factor requires something the user knows, such as the password for the user’s single-sign-on user name.

  • Something the user has: The second authentication factor requires something the user has, such as a device to uniquely generate or receive one-time passwords or authentication requests that can be used only for that access moment.

Two-factor authentication provides an additional layer of security that helps ensure the identity of a user and reduce the risk of unauthorized access to your applications. Users still enjoy the convenience of single sign-on, but the access is more secure.

The Advanced Authentication tool in CloudAccess supports multiple types of authentication providers for OTP in the Advanced Authentication appliance. You configure a separate instance of the tool for each authentication provider type that you want users to use. For each authentication provider type, you can enable one or more applications, but each application can be enabled in only one instance; the sets of applications enabled in different instances must not overlap. The applications must also be mutually exclusive of applications configured to use the Time-Based One-Time Password tool with Google Authenticator.

At a user’s next login, the tool prompts the user for additional authentication, according to the authentication provider type enabled for the application. If you enable a single authentication provider type for all applications, the prompt occurs immediately after CloudAccess validates the user’s credentials. Otherwise, the prompt occurs when the user first selects any one of the applications enabled for Advanced Authentication. The authentication automatically applies to all applications for that session that were also enabled for the same type of authentication provider.
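The application-assignment rule and the prompt-timing rule above are easy to get wrong when several tool instances are planned. The following script is an added planning check, not code from CloudAccess or its documentation: it encodes the rules as stated (an application may be enabled under only one provider type, the TOTP/Google Authenticator tool included; the prompt occurs at login only when a single provider type covers every application; one successful second factor covers every application sharing that provider type; SMS and Voice Call need a telephone number on the Active Directory user object). All application, provider and user names are constructed placeholders.

```python
"""Planning checks for CloudAccess Advanced Authentication tool instances.

Added example, not part of the CloudAccess product or its documentation.
Encodes the rules the section states; names below are constructed.
"""
from collections import defaultdict

# Constructed plan: provider type -> applications enabled for that tool instance.
# The TOTP/Google Authenticator tool counts as an instance for the exclusivity rule.
PLANNED_INSTANCES = {
    "SMS": {"crm-app", "mail-app"},
    "Voice Call": {"helpdesk-app"},
    "TOTP (Google Authenticator)": {"mail-app"},  # deliberate conflict with SMS
}
ALL_APPLICATIONS = ["crm-app", "mail-app", "helpdesk-app", "wiki-app"]

# Provider types that require a telephone number in the AD user properties.
PHONE_PROVIDERS = {"SMS", "Voice Call"}

# Constructed directory extract: user -> AD attributes relevant to enrollment.
DIRECTORY = {
    "alice": {"telephoneNumber": "+1 555 0100"},
    "bob": {},  # no telephone number recorded
}


def find_conflicts(instances):
    """Return {app: [provider types]} for every application enabled under more
    than one instance. An empty dict means the exclusivity rule is respected."""
    owners = defaultdict(list)
    for provider, apps in instances.items():
        for app in apps:
            owners[app].append(provider)
    return {app: sorted(p) for app, p in owners.items() if len(p) > 1}


def prompt_timing(instances, all_applications):
    """'login' when exactly one provider type has applications enabled and it
    covers every application; otherwise 'first_app_selection'."""
    enabled = {p: apps for p, apps in instances.items() if apps}
    if len(enabled) == 1:
        (apps,) = enabled.values()
        if set(all_applications) <= apps:
            return "login"
    return "first_app_selection"


def session_coverage(instances, authenticated_app):
    """Applications the user can open without another prompt after completing
    the second factor for `authenticated_app`: every application sharing its
    provider type. Assumes find_conflicts(instances) is empty."""
    for apps in instances.values():
        if authenticated_app in apps:
            return set(apps)
    return {authenticated_app}  # not enabled for Advanced Authentication at all


def users_missing_phone(instances, directory):
    """If any SMS or Voice Call instance has applications enabled, list users
    whose AD record lacks telephoneNumber; they cannot complete that factor."""
    if not any(instances.get(p) for p in PHONE_PROVIDERS):
        return []
    return sorted(u for u, attrs in directory.items()
                  if not attrs.get("telephoneNumber"))


def check_plan(instances, all_applications, directory):
    """Aggregate the checks into one report dict for review before configuring."""
    return {
        "conflicts": find_conflicts(instances),
        "prompt_timing": prompt_timing(instances, all_applications),
        "users_missing_phone": users_missing_phone(instances, directory),
    }


if __name__ == "__main__":
    for key, value in check_plan(PLANNED_INSTANCES, ALL_APPLICATIONS, DIRECTORY).items():
        print(f"{key}: {value}")
```

Run the script against your own planned mapping before touching the console: a non-empty `conflicts` entry means an application must be removed from one of the instances, and `users_missing_phone` lists the AD records to fix before users can enroll for SMS or Voice Call.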

For more information about using the Advanced Authentication appliance and the supported authentication providers, see the Advanced Authentication documentation website.

Use the information in the following sections to configure your system for Advanced Authentication:

9.4.1 Requirements for Advanced Authentication

Ensure that your system meets the following requirements before you configure Advanced Authentication as an authentication method:

  • A CloudAccess appliance, installed and configured.

  • An Advanced Authentication 5.x or later appliance, installed and configured.

  • The Advanced Authentication tool in CloudAccess supports many of the authentication providers available in Advanced Authentication.

    Before you configure the Advanced Authentication tool, ensure that you install and configure the authentication providers that you want to use on the Advanced Authentication appliance. For more information, see the Advanced Authentication documentation website.

    For SMS and Voice Call, the telephone number that will be used for authentication should be specified in the user’s properties in Active Directory.

  • The users must use the Advanced Authentication client or web user interface to enroll or re-enroll for the authentication providers that you want them to use.

  • Identify the type of authentication provider that you want to use for each of your destination applications.

NOTE: You can use the Advanced Authentication appliance for applications on desktop browsers, but this does not work on mobile devices. When users access an application from the MobileAccess app, they are automatically logged in, ignoring any advanced authentication rules that you configure in CloudAccess. The MobileAccess app supports only OAuth by design.

9.4.2 Configuring the Advanced Authentication Tool

Before you configure the Advanced Authentication tool, ensure that your setup meets the requirements described in Requirements for Advanced Authentication.

To configure the Advanced Authentication tool:

  1. Log in with an appliance administrator account to the administration console at

    https://appliance_dns_name/appliance/index.html

  2. Drag the Advanced Authentication tool from the Tools palette to the Tools panel.

  3. Configure the Advanced Authentication feature:

    Authentication type: Select the type of authentication provider that you want to enable for the specified Advanced Authentication appliance.

    NAAF host name/port: Specify the host name of the Advanced Authentication appliance. The default port number is 443.

  4. Click the Applications tab, then select the check box next to one or more applications that require the specified authentication provider.

    You can enable one or more applications for the specified type of authentication provider. However, you must assign each application to only one type of authentication provider.

  5. Click OK to save the settings and enable the tool.

  6. Click Apply to activate the configuration.

  7. Wait while the service is activated across all nodes in the cluster. Do not attempt other configuration actions until the activation completes successfully.