Introduction

Use this guide to enable the use of OATH OTPs as a Registration Method for 2-Factor Authentication.

OATH OTPs are generated by the SecureAuth Mobile Apps, Desktop Client Applications, and Chrome Browser Extension, and can be used as the second factor in any realm that requires 2-Factor Authentication before the post-authentication action. Depending on how the OATH Provisioning realm is configured and on the application(s) used to generate OATH OTPs, SecureAuth IdP creates either OATH Tokens or OATH Seeds.

If OATH Tokens are used, SecureAuth IdP enables one-touch revocation of individual OATH Tokens, so a token can be invalidated as soon as the device or OTP application holding it is lost or compromised. Refer to the Help Desk Realm Configuration Steps and Self-service Realm Configuration Steps below to configure administrator revocation or self-revocation of OATH Tokens, and to the End-user Experience section below to learn how OATH Tokens are revoked on the client-side pages.

Prerequisites

1. Configure the OATH Provisioning Realm

2. Provision end-users' devices / browsers to generate OATH OTPs:

3. Create a New Realm in the SecureAuth IdP Web Admin or access existing realm(s) for which OATH OTPs are to be used for 2-Factor Authentication

4. Configure the following tabs in the Web Admin before configuring for OATH OTPs:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods – the 2-Factor Authentication methods used to access the target (if any) must be defined; this applies to the Help Desk and Self-service realms only, because the realm that uses OATH OTPs as a second factor configures this tab in its own steps below
  • Post Authentication – the target of the realm must be defined; this applies to the realm that uses OATH OTPs as a second factor only, because the Help Desk and Self-service realms configure this tab in their own steps below
Realm Utilizing OATH as a Second Factor Configuration Steps
Data

The following Data tab steps are for LDAP directories only

If using a different data store (SQL, ASP.NET, Oracle, etc.), the Properties must instead be mapped to the data store via stored procedures (step 2)

1. In the Membership Connection Settings section, note the Search Attribute directory field, e.g. sAMAccountName

The Search Attribute directory field must be the same in every realm that uses OATH OTPs for Multi-Factor Authentication, in every IdM realm (Help Desk, Self-service) that reads or writes these directory fields, and in the OATH Provisioning Realm; otherwise the realms will not look up the same user record

Profile Fields

2. Map the necessary Properties to data store fields and check Writable:

The OATH Seed Property is required if OATH Seed (Single) is selected as the provisioning method in the OATH Provisioning Realm; otherwise, no mapping is necessary

Map the OATH Seed Property to a directory field that fulfills the following requirements:

    • Directory String (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

For Active Directory data stores, the postalAddress field can be used

The One Time OATH List Property is required to enable the use of the feature; otherwise no mapping is necessary

The One Time OATH List feature temporarily stores an OATH OTP in the directory until the configured expiration to ensure that the OTP is used only once throughout its validity

Map the One Time OATH List Property to any directory field that is a Directory String

For Active Directory data stores, the wWWHomePage field (among many others) can be used

The OATH Tokens Property is required if OATH Token (Multi) is selected as the provisioning method in the OATH Provisioning Realm; otherwise, no mapping is necessary

The OATH Tokens Property can be stored as Plain Binary, JSON, or JSON Encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • Octet String (syntax: 2.5.5.10)
      • Multi-valued
      • Upper Range of at least 4096

For JSON or JSON Encrypted, map the OATH Tokens Property to a directory field that fulfills the following requirements:

      • Directory String (syntax: 2.5.5.12)
      • Multi-valued
      • Upper Range of at least 4096

For typical Active Directory integrations, the Data Format is Plain Binary and the registeredAddress field is used

Whichever field is chosen, it holds the token secrets from which valid OTPs can be computed, so restrict read and write access on that attribute to the SecureAuth IdP service account, and prefer the encrypted formats (JSON Encrypted for OATH Tokens, Advanced Encryption for the OATH Seed) where the data store supports them

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported for the OATH Tokens Property (configured in the Data tab); and for ODBC data stores, the OATH Tokens Property is not supported

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for the full list of requirements

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
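The attribute requirements above are easy to get wrong (a Directory String field chosen for Plain Binary, a single-valued field for OATH Tokens, a field whose Upper Range is below 4096). The following is an added example, not SecureAuth IdP code, that encodes the page's rules as a check you can run against the attributeSchema values (attributeSyntax, isSingleValued, rangeUpper) returned by a schema search. The SAMPLE_SCHEMA entries are constructed for illustration; verify them against your own directory's schema naming context before relying on them.

```python
# Added example (not SecureAuth IdP code): check a candidate directory attribute
# against the Profile Property requirements listed on this page.
from typing import Dict, List, Optional, Tuple

DIRECTORY_STRING = "2.5.5.12"  # AD attributeSyntax for Directory (Unicode) String
OCTET_STRING = "2.5.5.10"      # AD attributeSyntax for Octet String

# (Property, Data Format) -> (required syntax, multi-valued required, minimum rangeUpper).
# None means the page states no requirement on that axis.
REQUIREMENTS: Dict[Tuple[str, Optional[str]], Tuple[str, Optional[bool], Optional[int]]] = {
    ("OATH Seed", "Advanced Encryption"): (DIRECTORY_STRING, None, 4096),
    ("One Time OATH List", None):         (DIRECTORY_STRING, None, None),
    ("OATH Tokens", "Plain Binary"):      (OCTET_STRING, True, 4096),
    ("OATH Tokens", "JSON"):              (DIRECTORY_STRING, True, 4096),
    ("OATH Tokens", "JSON Encrypted"):    (DIRECTORY_STRING, True, 4096),
}

# Constructed attributeSchema entries in the shape of an LDAP schema query result.
# Illustrative values only; read the real ones from your schema naming context.
SAMPLE_SCHEMA = {
    "registeredAddress": {"attributeSyntax": "2.5.5.10", "isSingleValued": False, "rangeUpper": 4096},
    "postalAddress":     {"attributeSyntax": "2.5.5.12", "isSingleValued": False, "rangeUpper": 4096},
    "wWWHomePage":       {"attributeSyntax": "2.5.5.12", "isSingleValued": True,  "rangeUpper": 2048},
    "sn":                {"attributeSyntax": "2.5.5.12", "isSingleValued": True,  "rangeUpper": 64},
}


def check_mapping(prop: str, data_format: Optional[str], attr_name: str,
                  schema: Dict[str, dict] = SAMPLE_SCHEMA) -> List[str]:
    """Return the list of rule violations for mapping `prop` to `attr_name`.

    An empty list means the attribute satisfies the syntax, cardinality and
    rangeUpper requirements the page states for that Property / Data Format.
    """
    key = (prop, data_format)
    if key not in REQUIREMENTS:
        return [f"no requirements known for {prop} with Data Format {data_format}"]
    syntax, need_multi, min_range = REQUIREMENTS[key]

    attr = schema.get(attr_name)
    if attr is None:
        return [f"{attr_name}: not found in schema"]

    problems = []
    if attr["attributeSyntax"] != syntax:
        problems.append(f"{attr_name}: syntax {attr['attributeSyntax']}, need {syntax}")
    if need_multi and attr["isSingleValued"]:
        problems.append(f"{attr_name}: single-valued, need multi-valued")
    if min_range is not None:
        upper = attr.get("rangeUpper")
        # Assumption: an absent rangeUpper is treated as "no length limit".
        if upper is not None and upper < min_range:
            problems.append(f"{attr_name}: rangeUpper {upper} < {min_range}")
    return problems


if __name__ == "__main__":
    for prop, fmt, attr in [("OATH Tokens", "Plain Binary", "registeredAddress"),
                            ("OATH Seed", "Advanced Encryption", "postalAddress"),
                            ("One Time OATH List", None, "wWWHomePage"),
                            ("OATH Tokens", "Plain Binary", "sn")]:
        print(prop, fmt, attr, check_mapping(prop, fmt, attr) or "OK")
```

To feed it live data, search the schema naming context (rootDSE schemaNamingContext) for the attributeSchema object whose lDAPDisplayName matches the candidate field and read its attributeSyntax, isSingleValued and rangeUpper values into the same dictionary shape.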

Registration Methods


3. In the Registration Configuration section, under OATH Settings, select Enabled from the OATH OTP dropdown

4. Select the number of digits in each OATH OTP from the OATH Length dropdown

5. Set the OATH Interval to the number of seconds for which each OATH OTP is displayed and valid

6. Set the OATH Offset to tolerate clock drift between the generating device and SecureAuth IdP; it also extends acceptance of a code after it is no longer displayed, so keep it as small as the observed drift allows, because every additional window is extra time in which a captured code can be replayed or guessed

7. Set the Cache Lockout Duration to the number of minutes the OATH Service is unusable after multiple failed login attempts

Be sure that the OATH Length and OATH Interval are the same in the realm(s) using OATH OTPs as a registration method and in the OATH Provisioning Realm; otherwise codes produced by the provisioned application will not validate

(Image: OATH Provisioning Realm example)

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
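The OATH Length, OATH Interval and OATH Offset settings above, together with the One Time OATH List described in the Data steps, determine how a submitted code is validated. The following added example, which is not SecureAuth IdP code, shows the standard RFC 4226 / RFC 6238 computation with those three knobs and a per-user replay list that holds an accepted code until no offset window could still accept it. Assumptions: HMAC-SHA1 as the RFCs specify (the page does not state the algorithm), OATH Offset taken as a number of whole intervals of drift accepted on either side of the current one (the page gives no unit), and the OneTimeOathList class as a hypothetical stand-in for the directory attribute. The seed is the RFC 6238 test seed, a constructed input.

```python
# Added example (not SecureAuth IdP code): OATH OTP generation and verification
# with the Length / Interval / Offset settings from this page, plus a stand-in
# for the One Time OATH List that blocks replay of an accepted code.
import hashlib
import hmac
import struct

OATH_LENGTH = 6      # OATH Length: digits per code
OATH_INTERVAL = 30   # OATH Interval: seconds each code is displayed and valid
OATH_OFFSET = 1      # OATH Offset: assumed here to be whole intervals of drift
                     # accepted on either side of the current one (page gives no unit)


def hotp(seed: bytes, counter: int, digits: int = OATH_LENGTH) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed: bytes, now: int, interval: int = OATH_INTERVAL, digits: int = OATH_LENGTH) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the time step containing `now`."""
    return hotp(seed, now // interval, digits)


class OneTimeOathList:
    """Per-user stand-in (hypothetical) for the One Time OATH List attribute.

    Keeps each accepted code until the last instant any offset window could still
    accept it, and rejects the same code again before then.
    """

    def __init__(self) -> None:
        self._used = {}  # code -> expiry time (epoch seconds)

    def consume(self, code: str, now: int, expires_at: int) -> bool:
        # Drop entries whose validity has ended, then refuse a repeat.
        self._used = {c: e for c, e in self._used.items() if e > now}
        if code in self._used:
            return False  # replay inside the code's validity
        self._used[code] = expires_at
        return True


def verify(seed: bytes, code: str, now: int, used: OneTimeOathList,
           interval: int = OATH_INTERVAL, offset: int = OATH_OFFSET,
           digits: int = OATH_LENGTH) -> bool:
    """Accept a code from the current time step or any step within +/- offset,
    provided it has not already been presented during its validity."""
    if len(code) != digits or not code.isdigit():
        return False
    current = now // interval
    matched = None
    for step in range(current - offset, current + offset + 1):
        if hmac.compare_digest(hotp(seed, step, digits), code):
            matched = step
            break
    if matched is None:
        return False
    # Step `matched` remains acceptable until `offset` further steps have elapsed,
    # so the code must stay on the one-time list until exactly that instant.
    expires_at = (matched + offset + 1) * interval
    return used.consume(code, now, expires_at)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed (constructed input)
    store = OneTimeOathList()
    t = 1111111109
    code = totp(seed, t)
    print(code, verify(seed, code, t, store), verify(seed, code, t + 5, store))
```

The replay list is keyed by code within one user's record, which is why the page maps it to a per-user directory field rather than a global store; a wider OATH Offset lengthens both the acceptance window and the time each entry must be retained.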

Help Desk Realm Configuration Steps
Data

The Data tab of the Help Desk realm is configured exactly as in steps 1 and 2 of the Realm Utilizing OATH as a Second Factor Configuration Steps section above, because this realm must read and revoke the same stored OATH data:

1. In the Membership Connection Settings section, confirm that the Search Attribute directory field (e.g. sAMAccountName) is the same as in the other OATH realms and in the OATH Provisioning Realm

2. In the Profile Fields section, map the OATH Seed, One Time OATH List, and OATH Tokens Properties to the same directory fields, with the same Data Format, used in the other OATH realms, and check Writable; the syntax, cardinality, and Upper Range requirements for each Property, and the note on non-LDAP data stores, are listed in that section

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


3. In the Post Authentication section, select Account Management from the Authenticated User Redirect dropdown

4. The Redirect To field is auto-populated with a fixed URL (Authorized/ManageAccounts.aspx) that cannot be edited; it is appended to the domain name and realm number shown in the address bar

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management


5. Click Configure help desk page to enable or disable help desk functions

Help Desk


6. Select Show Enabled from the OATH Seed dropdown to display the OATH Seed stored in the user's account on the help desk page, or Show Disabled to hide it. The seed is the shared secret from which the user's OTPs are computed, so anyone who can view it can generate valid codes; leave it hidden unless help desk staff genuinely need to see it

7. Select Show Enabled from the OATH OTP Devices dropdown to enable revocation of provisioned devices on the help desk page

(Image: Help Desk OATH OTP Devices revocation)

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes

Self-service Realm Configuration Steps
Data

The Data tab of the Self-service realm is configured exactly as in steps 1 and 2 of the Realm Utilizing OATH as a Second Factor Configuration Steps section above, because this realm must read and revoke the same stored OATH data:

1. In the Membership Connection Settings section, confirm that the Search Attribute directory field (e.g. sAMAccountName) is the same as in the other OATH realms and in the OATH Provisioning Realm

2. In the Profile Fields section, map the OATH Seed, One Time OATH List, and OATH Tokens Properties to the same directory fields, with the same Data Format, used in the other OATH realms, and check Writable; the syntax, cardinality, and Upper Range requirements for each Property, and the note on non-LDAP data stores, are listed in that section

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


3. Select Self Service Account Update from the Authenticated User Redirect dropdown

4. The Redirect To field is auto-populated with a fixed URL (Authorized/AccountUpdate.aspx) that cannot be edited; it is appended to the domain name and realm number shown in the address bar

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management


5. Click Configure self service page to enable or disable self-service functions

Self Service


6. Select Show Enabled from the OATH Seed dropdown to display the OATH Seed stored in the user's account on the self-service page, or Show Disabled to hide it. The seed is the shared secret from which the user's OTPs are computed, and showing it in the browser exposes it to anything that can read the page (malware, a shoulder surfer, a phishing proxy); leave it hidden unless users genuinely need to see it

7. Select Show Enabled from the OATH OTP Devices dropdown to enable self-revocation of provisioned devices on the self-service page

(Image: Self-service OATH OTP Devices revocation)

Click Save once the configurations have been completed and before leaving the Self-service page to avoid losing changes
