Introduction

Use this guide to configure the OATH Seed Realm from the Specialized Realms in the SecureAuth IdP Web Admin.

The OATH Seed Realm enables users to enroll and provision devices for OATH OTP Tokens.

This realm is already pre-configured for the post-authentication action; however, additional steps are required to access the realm appropriately.

Prerequisites

1. Have an on-premises directory with which SecureAuth IdP can integrate

2. Means to utilize the OATH OTP, e.g. mobile device, browser, desktop, or third-party OATH tokens

OATH Seed Realm Configuration Steps
Overview

1. In the Details section, SecureAuth998 is set as the Realm Name

2. Please keep Show OATH Seed=False is set as the Realm Description; this description can be changed

If changed, be sure to keep Show OATH Seed as False in the Post Authentication tab

Email Settings

3. Provide the Simple Mail Transfer Protocol (SMTP) Server Address through which SecureAuth IdP will send emails

4. Change the Port from the defaulted 25 if the SMTP server utilizes a different one

5. Provide the Username, Password, and/or Domain if required by the SMTP Relay

If the fields are not required by the SMTP Server, then only the Server Address and Port number must be set

6. Select True from the SSL dropdown if emails will be sent through a Secure Socket Layer (SSL)

7. Upload a Logo that will be used in the SecureAuth IdP email messages (optional)

8. Provide the Subject of the SecureAuth IdP email messages

9. Provide the Sender Address of the SecureAuth IdP email messages

10. Provide the Sender Name of the SecureAuth IdP email messages

11. Select a Template that will be used for the SecureAuth IdP email messages

For all Overview configuration steps, refer to Overview Tab Configuration

Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes

Data

12. In the Membership Connection Settings section, select the directory with which SecureAuth IdP will integrate for 2-Factor Authentication and assertion from the Data Store dropdown

13. Follow the distinct configuration steps for the specific data store in addition to the configuration steps on this page

For Active Directory and other LDAP data stores, note the Search Attribute directory field value, e.g. sAMAccountName

The Search Attribute directory field must be the same in the OATH Provisioning Realm and all realms utilizing OATH OTPs for Multi-Factor Authentication

Profile Fields

14. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required

Map the OATH Seed Property to a directory field that fulfills the following requirements:

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores a Time-based Passcode in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a Directory String

For Active Directory data stores, the wWWHomePage field (among many others) can be used
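The following added example (not SecureAuth IdP code) shows what the One Time OATH List protects against: a small RFC 6238 TOTP validator that keeps each accepted code until no clock-drift window could still accept it, so a code that was observed once is rejected as a replay for the rest of its validity. The seed, time step and drift window are constructed for the example; SecureAuth IdP's actual storage format in the directory and its expiration handling are not shown here.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 reference test seed). A real OATH seed is
# read from the encrypted OATH Seed attribute and is never hard-coded like this.
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP time step (assumed; RFC 6238 default)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step)


class OneTimeOathList:
    """Validator that mirrors the One Time OATH List idea: every accepted code is
    remembered until no drift window could still accept it, so a code that was
    captured in transit cannot be presented a second time while it is valid."""

    def __init__(self, step: int = TIME_STEP, window: int = 1):
        self.step = step
        self.window = window      # accept codes from +/- this many steps of clock drift
        self._used = {}           # code -> Unix time at which the stored entry expires

    def _prune(self, now: int) -> None:
        # Drop entries once the code could no longer validate anyway.
        self._used = {code: exp for code, exp in self._used.items() if exp > now}

    def verify(self, seed: bytes, code: str, now: int):
        """Return (accepted, reason); reason is 'ok', 'replay' or 'invalid'."""
        self._prune(now)
        if code in self._used:
            return False, "replay"
        counter = now // self.step
        for drift in range(-self.window, self.window + 1):
            expected = hotp(seed, counter + drift)
            if hmac.compare_digest(expected.encode(), code.encode()):
                # A code for step c is accepted while now // step <= c + window,
                # i.e. until (c + window + 1) * step; keep the entry until then.
                self._used[code] = (counter + drift + self.window + 1) * self.step
                return True, "ok"
        return False, "invalid"


if __name__ == "__main__":
    validator = OneTimeOathList()
    code = totp(DEMO_SEED, 59)
    print(code, validator.verify(DEMO_SEED, code, 59))   # first use: accepted
    print(code, validator.verify(DEMO_SEED, code, 70))   # same code again: replay
```

The stored entry expires exactly when the drift window closes on the code's time step, which is the property the Property's "until the configured expiration" wording describes: keeping it shorter would reopen the replay window, keeping it longer only costs directory space.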

The Push Notification Tokens Property is required to enable the use of Push Notifications; otherwise, no mapping is necessary

The Push Notification Tokens Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the Push Notification Token:

        • Length: 4096 minimum
        • Data Type: Octet string (bytes)
        • Multi-valued

For JSON, these requirements must be met for the directory field that contains the Push Notification Token:

        • Length: 4096 minimum
        • Data Type: DirectoryString
        • Multi-valued

For typical Active Directory integrations, the Data Format is Plain Binary and the jpegPhoto field is used

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the Push Notification Tokens Property (configured in the Data tab); and for ODBC data stores, the Push Notification Tokens Property is not supported

The Fields listed are only examples as each data store is organized differently and may have different values for each Property
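As an added example, not SecureAuth IdP's own tooling, the script below checks exported LDAP/Active Directory attributeSchema entries against the attribute requirements listed above for the OATH Seed, One Time OATH List and Push Notification Tokens Properties (syntax OID, rangeUpper, and single- versus multi-valued). The schema entries it parses are constructed for the example and are not real directory attributes; it assumes plain (non-base64) LDIF values, and a missing rangeUpper is assumed to mean the directory imposes no upper bound. The Advanced Encryption selection is a SecureAuth IdP Data Format setting rather than a schema property, so it is not checked here.

```python
# Constructed sample resembling an attributeSchema export (for example from
# ldifde or ldapsearch against the schema naming context). The attribute names
# and values are invented for this example and are not real AD schema entries.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=seed-Attr-Ok,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: seedAttrOk
attributeSyntax: 2.5.5.12
rangeUpper: 8192
isSingleValued: TRUE

dn: CN=seed-Attr-Short,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: seedAttrShort
attributeSyntax: 2.5.5.12
rangeUpper: 1024
isSingleValued: TRUE

dn: CN=push-Attr-Ok,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: pushAttrOk
attributeSyntax: 2.5.5.10
rangeUpper: 4096
isSingleValued: FALSE

dn: CN=push-Attr-Single,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: pushAttrSingle
attributeSyntax: 2.5.5.10
isSingleValued: TRUE
"""

# AD attributeSyntax OIDs: 2.5.5.12 is a Unicode/Directory String, 2.5.5.10 an Octet String.
SYNTAX_NAMES = {"2.5.5.12": "Directory String", "2.5.5.10": "Octet String"}

# Requirements taken from the Profile Fields guidance on this page.
REQUIREMENTS = {
    "OATH Seed": {"syntax": {"2.5.5.12"}, "min_range": 4096, "multi_valued": False},
    "One Time OATH List": {"syntax": {"2.5.5.12"}, "min_range": None, "multi_valued": False},
    "Push Notification Tokens (Plain Binary)": {"syntax": {"2.5.5.10"}, "min_range": 4096, "multi_valued": True},
    "Push Notification Tokens (JSON)": {"syntax": {"2.5.5.12"}, "min_range": 4096, "multi_valued": True},
}


def parse_ldif(text: str) -> dict:
    """Parse blank-line separated 'key: value' entries into {lDAPDisplayName: entry}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # only the first colon separates key and value
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return {e["lDAPDisplayName"]: e for e in entries if "lDAPDisplayName" in e}


def check_attribute(entry: dict, property_name: str) -> list:
    """Return a list of human-readable problems; an empty list means the attribute qualifies."""
    req = REQUIREMENTS[property_name]
    problems = []
    syntax = entry.get("attributeSyntax")
    if syntax not in req["syntax"]:
        wanted = ", ".join(SYNTAX_NAMES[s] for s in sorted(req["syntax"]))
        problems.append(f"attributeSyntax {syntax} is not {wanted}")
    if req["min_range"] is not None:
        upper = entry.get("rangeUpper")
        # ASSUMPTION: no rangeUpper in the schema means no upper bound is enforced.
        if upper is not None and int(upper) < req["min_range"]:
            problems.append(f"rangeUpper {upper} is below the required {req['min_range']}")
    if req["multi_valued"] and entry.get("isSingleValued", "FALSE").upper() == "TRUE":
        problems.append("attribute is single-valued; a multi-valued attribute is required")
    return problems


def check_mapping(schema: dict, mapping: dict) -> dict:
    """Check each Property -> lDAPDisplayName mapping intended for the Data tab."""
    report = {}
    for property_name, attr in mapping.items():
        entry = schema.get(attr)
        if entry is None:
            report[property_name] = [f"attribute {attr} not found in schema export"]
        else:
            report[property_name] = check_attribute(entry, property_name)
    return report


if __name__ == "__main__":
    schema = parse_ldif(SAMPLE_SCHEMA_LDIF)
    planned = {"OATH Seed": "seedAttrShort",
               "Push Notification Tokens (Plain Binary)": "pushAttrSingle"}
    for prop, problems in check_mapping(schema, planned).items():
        print(prop, "->", problems or "OK")
```

Feed it the real export of the schema naming context instead of the constructed sample, and map each Property name to the lDAPDisplayName you intend to select in the Data tab; anything reported here would otherwise surface only as truncated or rejected writes after enrollment begins.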

For all Data configuration steps, refer to Data Tab Configuration

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Workflow

15. In the Product Configuration section, select Mobile Enrollment and Validation from the Integration Method dropdown (default)

16. Select the type of Client Side Control, and subsequently, the IE / PFX / Java Cert Type from the dropdowns

See variations in Workflow Tab Configuration

Workflow

17. Design the workflow to access SecureAuth998

18. Select Standard, Second Factor Only, User / Password on 1st Page (+2nd Factor), Valid Persistent Token + Registration Code, or Valid Persistent Token + Reg Code + Password to require 2-Factor Authentication to provision device / browser / app

For all Workflow configuration steps, refer to Workflow Tab Configuration

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Registration Methods


19. In the Registration Configuration section, enable at least one of the many authentication mechanisms if a 2-Factor Authentication mode is selected in the Workflow tab

20. Select True - Generate new seed from the One Time Provisioning dropdown in the OATH Settings section

The OATH OTP can remain Disabled; however, the One Time Provisioning field must be set to True to restrict the use of one device at a time in other realms

For all Registration Methods configuration steps, refer to Registration Methods Tab Configuration

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes

Post Authentication

21. In the Post Authentication section, the Authenticated User Redirect is set to OATH Provisioning

22. The Redirect To field is auto-populated and points to where OATH provisioning will occur

OATH

23. Select False from the Show OATH Seed dropdown (default)

Keep this set to False

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

24. Click View and Configure FormsAuth keys / SSO token to configure SecureAuth998's token/cookie settings (optional)

To configure this realm's token/cookie settings, follow these steps:
Forms Authentication

1. If SSL is required to view the token, select True from the Require SSL dropdown

2. Choose whether SecureAuth IdP will deliver the token in a cookie to the user's browser or device:

  • UseCookies enables SecureAuth IdP to always deliver a cookie
  • UseUri prevents SecureAuth IdP from delivering a cookie, and instead delivers the token in a query string
  • AutoDetect enables SecureAuth IdP to deliver a cookie if the user's settings allow it
  • UseDeviceProfile enables SecureAuth IdP to deliver a cookie if the browser's settings allow it, no matter the user's settings

3. Set the Sliding Expiration to True if the cookie remains valid as long as the user is interacting with the page

4. Set the Timeout length to determine for how many minutes a cookie is valid

No configuration is required for the Name, Login URL, or Domain fields

Machine Key

5. No changes are required in the Validation field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

6. No changes are required in the Decryption field, unless the default value does not match the company's requirement

If a different value is required, select it from the dropdown

No configuration is required for the Validation Key or Decryption Key fields

Authentication Cookies

7. Enable the cookie to be Persistent by selecting True - Expires after Timeout from the dropdown

Selecting False - Session Cookie enables the cookie to be valid as long as the session is open, and will expire once the browser is closed or the session expires

No configuration is required for the Pre-Auth Cookie, Post-Auth Cookie, or the Clean Up Pre-Auth Cookie fields

Click Save once the configurations have been completed and before leaving the Forms Auth / SSO Token page to avoid losing changes

Logs

25. In the Log Options section, provide the Log Instance ID, e.g. the Application Name or the realm name (SecureAuth3)

26. Check which Audit, Debug, and Error Logs to enable

If SysLog is enabled
SysLog

1. Provide the FQDN or IP Address of the Syslog Server

2. Provide the SysLog Port number

If Database is enabled
Log Database

1. Provide the FQDN or the IP Address of the database in the Data Source field

2. Provide the Database Name in the Initial Catalog field

3. Select True from the Integrated Security dropdown if the webpage's ID is to be included in the Connection String

4. Select True from the Persist Security Info dropdown if access to username and password information is allowed

5. Provide the User ID of the Database

6. Provide the Password associated with the User ID

7. Click Generate Connection String, and the Connection String will auto-populate based on the previous fields

8. Click Test Connection to ensure that the integration is successful

9. Click Save to all Realms if these Database settings are to be used in each SecureAuth IdP realm

For all Logs configuration steps, refer to Logs Tab Configuration

Click Save once the configurations have been completed and before leaving the Logs page to avoid losing changes