6.8 Configuring Identity Governance for Two-Factor Authentication

To use two-factor authentication with Identity Governance, configure OSP on your Identity Governance server to work with NetIQ Advanced Authentication, as described in this section. For more information, see the Advanced Authentication documentation.

After you have an Identity Governance server and an Advanced Authentication server running and reachable in your environment, use the following sections to configure the two-factor authentication:

6.8.1 Prerequisites for Configuring Two-Factor Authentication

Before configuring the servers for two-factor authentication, ensure the following conditions exist:

  • The system clocks of the Identity Governance and Advanced Authentication servers are synchronized

  • Each server can resolve the DNS name of the other server

  • OSP is installed and running on the Identity Governance server
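The following script checks these three prerequisites from whichever server you run it on. It is an added example, not a tool shipped with Identity Governance or Advanced Authentication; the host names, the OSP port (8443) and the 5-second skew tolerance are assumptions that you replace with your own values. It reads the Advanced Authentication server's clock from the HTTP Date header of an HTTPS response, and because name resolution is checked only from the local resolver, run it once on each server to confirm that resolution works in both directions.

```python
"""Pre-flight check for the two-factor prerequisites: clock skew between the
two servers, name resolution, and a reachable OSP port. Added example, not part
of Identity Governance or Advanced Authentication; the host names, the OSP port
and the 5-second skew limit are assumptions for your environment."""
import socket
import ssl
import time
import urllib.error
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen

MAX_SKEW_SECONDS = 5.0  # assumption: tolerate at most 5 s between the two clocks


def skew_ok(local_epoch: float, remote_epoch: float,
            max_skew: float = MAX_SKEW_SECONDS) -> bool:
    """True when the absolute difference between the two clocks is within max_skew."""
    return abs(local_epoch - remote_epoch) <= max_skew


def http_date_to_epoch(date_header: str) -> float:
    """Convert an HTTP Date header (RFC 7231 format, e.g.
    'Sun, 06 Nov 1994 08:49:37 GMT') into a Unix timestamp."""
    return parsedate_to_datetime(date_header).timestamp()


def remote_clock(url: str, timeout: float = 5.0) -> float:
    """Read the peer's clock from the Date header of an HTTPS response.
    A 4xx/5xx status is fine: the header is still present on the error."""
    req = Request(url, method="HEAD")
    ctx = ssl.create_default_context()  # verify the certificate; a failure here is a finding too
    try:
        with urlopen(req, timeout=timeout, context=ctx) as resp:
            return http_date_to_epoch(resp.headers["Date"])
    except urllib.error.HTTPError as err:
        return http_date_to_epoch(err.headers["Date"])


def resolves(name: str) -> bool:
    """True when this host can resolve name through its configured resolver."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(ig_host: str, aa_host: str, osp_port: int = 8443) -> dict:
    """Run every check from this machine and return a name -> pass/fail map.
    Run it on the Identity Governance server and again on the Advanced
    Authentication server so that resolution is verified in both directions."""
    results = {
        "dns:identity-governance": resolves(ig_host),
        "dns:advanced-authentication": resolves(aa_host),
        "osp-port-reachable": port_open(ig_host, osp_port),
    }
    try:
        results["clock-skew"] = skew_ok(time.time(), remote_clock(f"https://{aa_host}/"))
    except (OSError, TypeError, ValueError):
        results["clock-skew"] = False  # unreachable, TLS failure, or no Date header
    return results


if __name__ == "__main__":
    import sys
    ig = sys.argv[1] if len(sys.argv) > 1 else "ig.example.com"  # assumed host names
    aa = sys.argv[2] if len(sys.argv) > 2 else "aa.example.com"
    checks = run_checks(ig, aa)
    for name, ok in checks.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(checks.values()) else 1)
```

Run it as `python3 preflight.py <identity-governance-host> <advanced-authentication-host>`; a non-zero exit code means at least one prerequisite is not met. The clock check is deliberately strict: Email OTP validity and session tokens are time-bounded, and a skewed clock produces failures that look like bad credentials.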

6.8.2 Configure the Advanced Authentication Server for Two-Factor Authentication

Advanced Authentication increases security in your environment by providing multiple authentication methods. With it you can add two-factor authentication to Identity Governance as an additional layer of security. For two-factor authentication to work, you must configure Advanced Authentication to communicate with the Identity Vault that Identity Governance uses for authentication.

This section assumes you have a good working knowledge of Advanced Authentication. For more information, see the Advanced Authentication documentation.

  1. Log in with administrator credentials to the Advanced Authentication Administration portal.

  2. Click Repositories, then click Add.

  3. Complete the guided process, using the following parameters:

    LDAP type

    Select the appropriate type for the Identity Vault you use with your Identity Governance server.

    Name

    Specify a name for this repository.

    Base DN

    Specify the base DN under which Advanced Authentication searches for users in the Identity Vault. For example, o=data.

    User

    Specify the user name, in LDAP format, of the account Advanced Authentication binds with. For example, cn=admin,ou=sa,o=system. Use a dedicated service account with the least privileges the sync needs (read access to the user objects and their lookup and mail attributes) rather than a full directory administrator.

    Password

    Specify the password for the administrative user.

    Group DN

    (Optional) Specify a group DN if you want to collect groups.

  4. Under LDAP Servers, click Add Server, then specify the DNS name of the LDAP server and the port.

  5. Save the server details.

  6. (Optional) To change default attributes or collect a new attribute, click Advanced settings and then edit the following settings:

    User Lookup Attributes

    These attributes specify the LDAP attributes Advanced Authentication uses to find a user object in the directory. The attribute names must match the names configured in the Identity Governance Configuration Update utility: Identity Vault > Login attribute (by default, cn) and Authentication > Duplicate resolution naming attribute (by default, mail).

    IMPORTANT: Expand Advanced settings and ensure that the User lookup attribute is configured. If you are using the Email OTP method, you must also configure the User mail attributes.

    If you are using Active Directory with Identity Governance, use sAMAccountName instead of cn.

    User Mail Attributes

    This option must contain the names of the LDAP attributes that hold a user's email address. The default values are typically sufficient.

    IMPORTANT: Ensure that all users in your repository have unique email addresses. Advanced Authentication delivers the Email OTP to this address, and Identity Governance uses the mail attribute for duplicate resolution.

  7. Click Save to save the repository details.

    For more information, see Adding a Repository in the Advanced Authentication Administration Guide.

  8. Find the new repository that you just created, then click Edit > Full sync to sync the users and groups from the LDAP server.

  9. Define the Email OTP and LDAP Password methods used for two-factor authentication.

    1. Click Methods > Email OTP to edit this method.

    2. Change the settings to suit your environment. For example, change OTP Period, OTP Format, Sender Email, and Subject.

    3. Click Save to save the Email OTP method.

    4. Click LDAP Password.

    5. Change the settings to match the LDAP Identity Vault that Identity Governance uses, then click Save.

      For more information, see Configuring Methods in the Advanced Authentication Administration Guide.

  10. Configure the mail sender for the Email OTP method.

    1. Under Policies, click mail sender.

    2. Specify the host, port, user name, password, and whether to enable TLS/SSL. Enable TLS/SSL wherever your mail server supports it, because the OTP values travel over this connection.

    3. Click Save to save the changes for your environment.

  11. Create a chain to make the authentication methods available for OSP.

    1. Click Chains to make the chain available to the users.

    2. Click Add to create a new chain.

    3. In the Name field, specify a name for this new chain.

    4. Set Is enabled to On.

    5. Select the methods you configured in Step 9. This allows users to enter their LDAP password and then perform an OTP validation.

    6. In the Roles and Groups field, type A to find the ALL USERS group, then select it.

    7. Set any additional options that you require, then click Save.

      For more information, see Creating a Chain in the Advanced Authentication Administration Guide.

  12. Create an event to define the type of authentication event you use.

    1. Click Events.

    2. Click the Edit icon next to the authentication event.

    3. Ensure that Is enabled is set to ON.

    4. Select the event type.

      For example, you would select Windows logon if your Identity Vault is Active Directory.

    5. Select the chain you created in Step 11.

    6. Set any additional options that you require, then click Save.

      For more information, see Configuring Events in the Advanced Authentication Administration Guide.
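Because a user that Advanced Authentication cannot find by the lookup attribute, or that shares an email address with another user, fails at login rather than at configuration time, it pays to check the repository before running Full sync (Step 8). The following script does that against an LDIF export of the users under the Base DN. It is an added example, not part of either product; it assumes the page's default attribute names (cn for lookup, mail for duplicate resolution), and SAMPLE_LDIF is a constructed export that includes a folded line and a base64-encoded value so the parser is exercised.

```python
"""Check an LDIF export of the repository's users before Full sync: every user
must carry the login attribute, every user must have a mail value, and no two
users may share a login name or a mail address. Added example, not a product
tool; the attribute names are the page's defaults (cn and mail) and SAMPLE_LDIF
is constructed."""
import base64
from collections import defaultdict

# Constructed sample in the shape `ldapsearch -LLL` emits, including one folded
# continuation line and one base64 (::) value, to exercise the parser.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,o=data
objectClass: inetOrgPerson
cn: alice
mail: alice@example.com

dn: cn=bob,ou=users,o=data
objectClass: inetOrgPerson
cn: bob
mail: Bob@example.com

dn: cn=carol,ou=users,o=data
objectClass: inetOrgPerson
cn: carol
mail: bob@example.com

dn: cn=dave,ou=users,o=data
objectClass: inetOrgPerson
cn: dave

dn: cn=bob,ou=contractors,o=data
objectClass: inetOrgPerson
cn:: Ym9i
mail: bob.c@example.com
description: contractor account,
  created by HR
"""


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of {attribute: [values]} dicts. Unfolds continuation
    lines (leading space), decodes '::' base64 values, skips comments, and
    lower-cases attribute names because LDAP attribute names are case-insensitive."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], defaultdict(list)
    for line in unfolded + [""]:        # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(dict(entry))
                entry = defaultdict(list)
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                    # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry[attr.strip().lower()].append(value)
    return entries


def check_users(entries, login_attr="cn", mail_attr="mail") -> dict:
    """Return the findings that would break user lookup or duplicate resolution."""
    login_attr, mail_attr = login_attr.lower(), mail_attr.lower()
    missing_login, missing_mail = [], []
    by_login, by_mail = defaultdict(list), defaultdict(list)
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        logins, mails = e.get(login_attr, []), e.get(mail_attr, [])
        if not logins:
            missing_login.append(dn)
        if not mails:
            missing_mail.append(dn)
        for v in logins:
            by_login[v.lower()].append(dn)   # cn matching is case-insensitive
        for v in mails:
            by_mail[v.lower()].append(dn)    # so is mail matching
    return {
        "missing_login": missing_login,
        "missing_mail": missing_mail,
        "duplicate_login": {k: v for k, v in by_login.items() if len(v) > 1},
        "duplicate_mail": {k: v for k, v in by_mail.items() if len(v) > 1},
    }


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    import sys
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    findings = check_users(parse_ldif(text))
    for kind, items in findings.items():
        if items:
            print(f"{kind}: {items}")
    sys.exit(1 if any(findings.values()) else 0)
```

Feed it a real export with `ldapsearch -LLL -x -H ldaps://<vault> -D <bind dn> -W -b o=data '(objectClass=inetOrgPerson)' cn mail | python3 check_repository.py`; for Active Directory pass `login_attr="sAMAccountName"` in place of the default. Duplicate login names across containers are exactly the case the Duplicate resolution naming attribute exists for, which is why duplicate mail values are reported as an error rather than a warning.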

6.8.3 Configure OSP for Two-Factor Authentication

Ensure that you have created the methods, chain, and event in Advanced Authentication before proceeding. You must configure OSP to accept authentications from Advanced Authentication.

  1. Run the Identity Governance Configuration Update utility:

    • Linux (configupdate.sh):

      /opt/netiq/idm/apps/osp/bin/configupdate.sh edition=none

    • Windows (configupdate.bat):

      C:\netiq\idm\apps\osp\bin\configupdate.bat edition=none

    NOTE: Adding edition=none on the command line avoids having to modify this value in the configupdate.sh.properties or configupdate.bat.properties file. It also suppresses the fields that the utility would otherwise require values for before it can save.

  2. Click the Authentication tab, then click show advanced options.

  3. Under Authentication method, select the Enable two factor authentication option.

  4. Click the Second factor tab, then fill out the following fields:

    Advanced Authentication Administrator > Admin Name

    Specify the repository-qualified name of the Advanced Authentication administrator account that OSP uses to interface with Advanced Authentication. Typically, the account is in the LOCAL repository.

    The default Advanced Authentication administrator account is named admin. If you used this account, then the Admin name value is:

    LOCAL\admin (repository name + \ + user name)

    Advanced Authentication Administrator > Admin Password

    Specify the password of the Advanced Authentication administrative user you specified above.

    Advanced Authentication Repository > User repository name

    Specify the name of the repository in Advanced Authentication you created in Configure the Advanced Authentication Server for Two-Factor Authentication. This repository corresponds to the Identity Vault for Identity Governance.

    Advanced Authentication Servers

    Click Add, then specify the DNS name or IP address of the Advanced Authentication server. If you use a port other than 443, specify that port as well.

    (Conditional) If the Advanced Authentication server is clustered, click Add again and specify the DNS name or IP address of each server in the cluster.

    Advanced Authentication Endpoint

    An Advanced Authentication endpoint is an identifier and secret that proves to the Advanced Authentication server that the entity performing authentication is authorized to do so. Treat the endpoint secret as a credential: anyone who holds it can act as this endpoint towards the Advanced Authentication server, so protect the OSP configuration that stores it.

    If no endpoint data is found in the configuration, or if the endpoint data in the configuration cannot be resolved with the Advanced Authentication server, the Create new endpoint box is checked. Specify a name and description for the new endpoint you want to create. The name and description appear in the Endpoints section of the Advanced Authentication administrator interface.

    If you have already created an endpoint, its data is in the configuration, and the Advanced Authentication server can resolve that data, the Identity Governance Configuration Update utility leaves the Create new endpoint box unselected and displays the endpoint identifier and a representation of the endpoint secret.

    Second Factor Conditions

    If you want to require all users to supply a second authentication factor at all times, select All users, all the time.

    Otherwise deselect the option, then specify conditions for your environment using the following information:

    User Login Condition

    When you deselect All users, all the time, the User Login Condition editor appears. This editor allows you to configure an expression that defines under which conditions Identity Governance uses the second factor authentication.

    For example, if your users do not have mobile devices, use Email OTP as the second factor.

    A login condition is built from expressions that evaluate operands such as user LDAP attributes, server attributes (time of day and date), HTTP request values (the originating IP address), and session attributes (session age). You can negate expressions and combine them with logical AND and OR operators.

    Second Factor Authentication Methods

    Use this advanced option to enable and disable the available second factor methods and define the relative priority of each method you want to set.

    If you disable a method by deselecting the box next to the method name, then that method is not available for authentication even if a user is enrolled in that method.

    Identity Governance uses the relative priority of second factor methods to determine which method it should use if a user is enrolled in more than one method.

    For example, with the default configuration the Email OTP method has a higher priority than the LDAP Password method. Therefore, even if a user has enrolled in both methods, Identity Governance selects Email OTP for that user. To make Identity Governance select LDAP Password instead, give the LDAP Password method a higher priority than Email OTP.

    NOTE: The Email OTP method does not require enrollment to be available to a user; it is enabled by default.

  5. Click OK to save the configuration, then exit out of the Identity Governance Configuration Update utility.
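The two settings in Step 4 that decide the outcome of a login, the User Login Condition (whether a second factor is demanded) and the prioritised list under Second Factor Authentication Methods (which method is used), are easier to reason about when the rules are written down and run against sample logins. The following is an added example of that logic, not code from OSP or Advanced Authentication; the condition builders are illustrative Python rather than OSP's own expression syntax, and the corporate networks, business hours, priorities and sample users are assumptions. It covers the edge cases the text calls out: Email OTP needs no enrollment, a disabled method is ignored even for enrolled users, and swapping priorities changes which method an enrolled user gets.

```python
"""Model of the two OSP second-factor settings: the User Login Condition
(whether to demand a second factor at all) and the prioritised method list
(which method to use when several apply). Added example; the condition builders
are illustrative Python, not OSP's expression syntax, and the networks, hours,
priorities and sample users are assumptions."""
from dataclasses import dataclass
from datetime import time as dtime
from ipaddress import ip_address, ip_network


@dataclass
class LoginContext:
    user_attrs: dict      # LDAP attributes of the authenticating user
    source_ip: str        # originating IP taken from the HTTP request
    local_time: dtime     # server time of day
    session_age_s: int    # age of the OSP session in seconds


def make_context(title, source_ip, hour, session_age_s=0):
    """Convenience constructor for sample logins."""
    return LoginContext({"title": [title]}, source_ip, dtime(hour, 0), session_age_s)


# Expression building blocks; each returns a predicate over a LoginContext,
# mirroring the operand kinds the text lists (LDAP attribute, IP, time, session).
def attr_equals(name, value):
    return lambda ctx: value in ctx.user_attrs.get(name, [])

def from_network(*cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda ctx: any(ip_address(ctx.source_ip) in n for n in nets)

def within_hours(start_h, end_h):
    return lambda ctx: dtime(start_h, 0) <= ctx.local_time < dtime(end_h, 0)

def session_older_than(seconds):
    return lambda ctx: ctx.session_age_s > seconds

def not_(c):
    return lambda ctx: not c(ctx)

def all_(*cs):
    return lambda ctx: all(c(ctx) for c in cs)

def any_(*cs):
    return lambda ctx: any(c(ctx) for c in cs)


ALWAYS = lambda ctx: True   # the "All users, all the time" setting

# Assumed policy: demand a second factor for administrators, for logins from
# outside the corporate networks, outside business hours, or from a stale session.
REQUIRE_SECOND_FACTOR = any_(
    attr_equals("title", "Administrator"),
    not_(from_network("10.0.0.0/8", "192.168.0.0/16")),
    not_(within_hours(8, 18)),
    session_older_than(8 * 3600),
)

# Second Factor Authentication Methods as (name, enabled, priority); lower = preferred.
DEFAULT_METHODS = [("Email OTP", True, 1), ("LDAP Password", True, 2)]
NO_ENROLLMENT_NEEDED = {"Email OTP"}   # Email OTP is available without enrollment


def select_method(methods, enrolled):
    """Pick the highest-priority enabled method the user can actually use.
    A disabled method is skipped even if the user is enrolled in it."""
    usable = [(prio, name) for name, enabled, prio in methods
              if enabled and (name in enrolled or name in NO_ENROLLMENT_NEEDED)]
    return min(usable)[1] if usable else None


def decide(ctx, enrolled, methods=DEFAULT_METHODS, condition=REQUIRE_SECOND_FACTOR):
    """None when the first factor is enough; otherwise the second-factor method name."""
    if not condition(ctx):
        return None
    return select_method(methods, enrolled)


# Constructed sample logins.
OFFICE = make_context("Analyst", "10.1.2.3", 10, session_age_s=600)
REMOTE = make_context("Analyst", "203.0.113.7", 10, session_age_s=600)
ADMIN = make_context("Administrator", "10.1.2.3", 10, session_age_s=600)

if __name__ == "__main__":
    for label, ctx in (("office", OFFICE), ("remote", REMOTE), ("admin", ADMIN)):
        print(f"{label:7s} -> {decide(ctx, {'LDAP Password'})}")
```

Note the last branch of select_method: when every enabled method needs enrollment and the user has none, the function returns None, which in a real deployment means the user cannot complete the chain. Keeping Email OTP enabled, or enrolling users before enabling the condition, avoids locking people out.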

6.8.4 Testing the Enrolled Methods

After you have configured Advanced Authentication and Identity Governance for two-factor authentication, test the methods to ensure that they work.

  1. Log in to the Advanced Authentication server as an end user.

  2. View the Enrolled and Not Enrolled methods.

  3. Enroll the methods for the test user by clicking on the appropriate method, then click Test.

  4. Ensure that the test is successful, then save the method for the user.

  5. Log in to Identity Governance. OSP redirects you to the second-factor authentication.