Introduction

Use this guide to configure the Registration Methods tab in the Web Admin for each SecureAuth IdP realm.

This includes 2-Factor Authentication mechanisms enablement and settings, and ID provisioning.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview, Data, and Workflow tabs in the Web Admin before configuring the Registration Methods tab

Registration Methods Configuration Steps

If the Authentication Mode selected in the Workflow tab requires 2-Factor Authentication, at least one registration method must be enabled on this page.

1. In the Registration Configuration section, under Phone Settings, enable Phone Field 1 by selecting a delivery method of the registration code to Phone 1 (refer to the Data tab for Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Phone 1

2. Enable Phone Field 2 - Phone Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Phone 2, Phone 3, or Phone 4

3. Select Voice from the Phone/SMS Selected dropdown to default the end-user's selection to Voice on the login page

4. Select True from the Phone/SMS Visible dropdown to show both the Voice and SMS / Text options on the login page, even if both are not available for use

5. Set the Default Phone Country Code that will be appended to any user phone numbers in the directory that do not have a country code provided

Leave field empty if there is no default

6. Set the appearance of the end-users' phone numbers by designing a Phone Mask (Regex), e.g. xxx-xx1-2345

SecureAuth IdP automatically displays phone numbers as xxx-xxx-1234

Leave field empty if the out-of-the-box display is acceptable

7. Under Email Settings, enable Email Field 1 by selecting a delivery method of the registration code to Email 1 (refer to the Data tab for Profile Property / data store mapping)

Select Disabled from the dropdown if no registration code will be sent to Email 1

8. Enable Email Field 2 - Email Field 4 in the same manner

Select Disabled from the corresponding dropdown if no registration code will be sent to Email 2, Email 3, or Email 4

9. Under Knowledge Based Settings, select Enabled from the KB Questions dropdown to enable the use of knowledge-based questions for 2-Factor Authentication

10. Select the method in which the knowledge-based questions will be formatted from the KB Format dropdown

11. Select the Number of Questions that will be displayed on the login page from the dropdown

12. Select True from the KB Conversion dropdown to convert stored knowledge-based questions from Base64 encoding to certificate-based encryption

13. Under Help Desk Settings, select Enabled from the Help Desk dropdown to enable the use of the Help Desk for 2-Factor Authentication

14. Provide the Phone number of the Help Desk that end-users can call for a registration code

15. Provide the Email address of the Help Desk that end-users can message for assistance

16. Under PIN Settings, select Enabled from the PIN Field dropdown to enable the use of static PINs for 2-Factor Authentication

The end-user's Personal Identification Number (PIN) must be contained in the data store and mapped to the SecureAuth IdP PIN Property

17. Select True from the Open PIN dropdown to store the PIN in plain text rather than encrypted

18. Select True from the One Time Use dropdown to enable a one-time-use PIN that is immediately cleared from the directory after use

This is typically utilized for first-time users in self-service enrollment processes

19. Select True from the Show When Empty dropdown to display the One Time Use PIN as an option on the login page even when it is empty, in which case it is inactive for use

20. Under OATH Settings, select Enabled from the OATH OTP dropdown to enable the use of mobile, browser, desktop, or third-party OATH OTP soft tokens for 2-Factor Authentication

21. Select the number of digits of which an OATH OTP will be comprised from the OATH Length dropdown

22. Set the number of minutes during which an OATH OTP is valid to make up for time differences between devices in the OATH Offset field

23. Set the number of seconds during which an OATH OTP will be displayed in the OATH Interval field

24. Select False - Reuse same seed from the One Time Provisioning dropdown to reuse the same OATH seed for each provisioned device and to enable the use of multiple devices

Selecting True - Generate new seed enables the use of only one device at a time to generate OATH OTPs, and each time a different device is utilized, it will need to be re-provisioned

25. Select True from the Require OATH PIN dropdown to require a 4-digit PIN to generate the OATH OTP

26. Select how many attempts are allowed before SecureAuth IdP locks the use of OATH OTPs from the Wipe Provisioned Data after dropdown

If this occurs, the device will need to be re-provisioned

27. Select the number of seconds during which the OATH PIN is valid from the Screen Lockout after dropdown

Once this time has elapsed, the end-user will need to re-enter the PIN

28. Set the number of failed attempts that are allowed before the user's account is locked in the DataStore Lockout after field

29. Set the number of minutes during which the account is locked from utilizing OATH OTPs once the DataStore Lockout after threshold is reached in the Cache Lockout Duration field

30. Under Push Notification Settings, select Enabled from the Push Notification Field dropdown to enable the use of Push Notifications for 2-Factor Authentication

31. Limit the number of devices enrolled for Push Notifications in the Device Max Count field

Set this to -1 if there is no limit

32. Select Allow to replace from the When exceeding max count dropdown to enable device replacement once the limit has been reached

33. Select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one

Select Last Access Time to replace the least recently used enrolled device with the new one

34. Under Symantec VIP Settings, select Enabled from the Symantec VIP Integration dropdown to initiate the integration of Symantec VIP with SecureAuth IdP

35. Provide the certificate serial number (provided by Symantec) in the Issued Cert SN field

36. Select Enabled from the Symantec VIP Field to enable the use of Symantec VIP tokens for 2-Factor Authentication

37. Under Advanced Settings, check Missing Phone, Missing Email, Missing KB Answers, and/or Missing PIN from the Inline Initialization menu to enable end-users to update or provide missing information and then be redirected back to the login pages

38. Select Enabled from the Auto-Submit When One Avail dropdown to automatically select the registration method on the login page when only one is available for the user's account

39. Select the number of digits of which the One-time Passwords (OTPs) will be comprised from the OTP Length dropdown

40. Select True from the Lock AD Account dropdown to lock an end-user's Active Directory account after so many failed login attempts

41. Under Registration Method Order, drag and drop the enabled registration methods on the list to organize their display on the login page

Yubikey

42. Select True from the Validate Yubikey dropdown to enable the use of Yubikeys for 2-Factor Authentication

43. Provide the Yubikey Provision Page URL at which end-users can provision their Yubikeys

This would be another SecureAuth IdP realm, configured in the Post Authentication tab

Social Identity

NOTE: Social Identities as second factor mechanisms can only be enabled if an LDAP directory is being used as the Membership Data Store and the Profile Provider (configured in the Data Tab)

44. Under Facebook, select On from the Enable dropdown to enable the use of Facebook ID for 2-Factor Authentication

45. Provide the Client ID, which is provided by Facebook

46. Provide the Client Secret, which is provided by Facebook

The Client ID and the Client Secret must match exactly here and on Facebook's side

47. From the Store Facebook ID at dropdown, select the profile property in which the Facebook ID is stored (e.g. Aux ID 1)

48. Under Google, select On from the Enable dropdown to enable the use of Google ID for 2-Factor Authentication

49. Provide the Client ID, which is provided by Google

50. Provide the Client Secret, which is provided by Google

The Client ID and the Client Secret must match exactly here and on Google's side

51. From the Store Google ID at dropdown, select the profile property in which the Google ID is stored (e.g. Aux ID 2)

52. Under Windows Live, select On from the Enable dropdown to enable the use of Windows Live ID for 2-Factor Authentication

53. Provide the Client ID, which is provided by Windows Live

54. Provide the Client Secret, which is provided by Windows Live

The Client ID and the Client Secret must match exactly here and on Windows Live's side

55. From the Store Windows Live ID at dropdown, select the profile property in which the Windows Live ID is stored (e.g. Aux ID 3)

56. Under LinkedIn, select On from the Enable dropdown to enable the use of LinkedIn ID for 2-Factor Authentication

57. Provide the Client ID, which is provided by LinkedIn

58. Provide the Client Secret, which is provided by LinkedIn

The Client ID and the Client Secret must match exactly here and on LinkedIn's side

59. From the Store LinkedIn ID at dropdown, select the profile property in which the LinkedIn ID is stored (e.g. Aux ID 4)

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes