Multi-Factor App Enrollment (URL) Realm Configuration Guide (version 9.1 and 9.2)

2. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required if OATH Seed (Single) is selected in the Multi-Factor App Enrollment section in the Post Authentication tab (step 6a below); otherwise, no mapping is necessary

Map the OATH Seed Property to a directory field that fulfills the following requirements:

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a DirectoryString

For Active Directory data stores, the wWWHomePage field (among many others) can be used

The OATH Tokens Property is required if OATH Token (Multi) is selected in the Multi-Factor App Enrollment section in the Post Authentication tab (step 6b below); otherwise, no mapping is necessary

The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:

For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:

For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used

The Push Notification Tokens Property is required to enable the use of Push Notifications or Push-to-Accept / Symbol-to-Accept requests; otherwise, no mapping is necessary

The Push Notification Tokens Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the Push Notification Token:

For JSON, these requirements must be met for the directory field that contains the Push Notification Token:

For typical Active Directory integrations, the Data Format is Plain Binary and the jpegPhoto field is used

5. Select Authenticated User ID from the User ID Mapping dropdown (default)

6a. In the OATH Options section, select OATH Seed (Single) from the OATH Seed or Token dropdown to provision user devices to utilize a single seed across multiple devices to generate the OATH OTPs

7a. Select False - Reuse same seed to enable the use of one seed with multiple devices (each newly provisioned device will reuse the same seed); or select True - Generate new seed from the One Time Provisioning dropdown to restrict the use of passcode OTPs on one device at a time (each newly provisioned device will have a new seed that will disable the use of the old seed)

8a. Select False from the Show OTP on enrollment page dropdown, unless the visibility of this information is required

9a. Select the number of digits comprising the passcode from the Passcode Length dropdown

10a. Set the Passcode Change Interval to the number of seconds during which an OATH OTP is valid

11a. In the SecureAuth App - Security Options section, select True from the Require OATH PIN dropdown if a PIN code is required to unlock the app; select False if it is not required

12a. Set the number of attempts allowed before the provisioned data is deleted from the application in the Wipe Provisioned Data after field

13a. Set the number of seconds allowed for the application to remain idle before requiring the PIN in the Show PIN screen after field

(no steps 14 - 16)

6b. In the OATH Options section, select OATH Token (Multi) from the OATH Seed or Token dropdown to provision user devices to utilize multiple tokens (that each contain a distinct OATH seed) on a single device

7b. Select False from the Wipe OATH Seed dropdown to enable the continued use of already-provisioned devices (pre-SecureAuth IdP v8.1); or select True to delete the existing the OATH seed and to enable only the use of an OATH Token

8b. Set the maximum amount of devices (tokens) allowed per user account in the Max Device Count field

Set to -1 if there is no limit to the number of devices allowed per user account

9b. Select Replace from the When exceeding max count dropdown to enable the replacement of existing provisioned devices with new ones after the maximum number of devices is met (if limit is set in step 8b)

10b. Select Created Time from the Replace in order by dropdown to replace the oldest OATH Token with the newest one; or select Last Access Time to replace the least frequently used OATH Token with the newest one (if Replace is selected in step 9b)

11b. Select False from the Show OTP on enrollment page dropdown, unless the visibility of this information is required

12b. Select the number of digits comprising the passcode from the Passcode Length dropdown

13b. Set the Passcode Change Interval to the number of seconds during which an OATH OTP is valid

14b. In the SecureAuth App - Security Options section, select True from the Require OATH PIN dropdown if a PIN code is required to unlock the app; select False if it is not required

15b. Set the number of attempts allowed before the provisioned data is deleted from the application in the Wipe Provisioned Data after field

16b. Set the number of seconds allowed for the application to remain idle before requiring the PIN in the Show PIN screen after field