Introduction

Use this guide to configure and register mobile devices to use Push Notification as a 2-Factor Authentication registration method.

Push Notifications are sent directly to a mobile device and include a one-time password (OTP) to use during the 2-Factor Authentication workflow. The Push Notification functionality must be enabled in every realm that will offer the option, and end-users must register their mobile device(s) to receive the notifications before they can use this registration method during login.

SecureAuth IdP builds a tunnel using Apple APN and Google GCM services to distribute custom messages to registered mobile devices.

Prerequisites

1. Download the SecureAuth IdP Mobile OTP App from the Apple App Store, Google Play Store, Blackberry World, or Windows Store

2. Configure the OATH Provisioning Realm where end-users can register their device(s) for Push Notification

3. Create a New Realm or access existing realm(s) in the SecureAuth IdP Web Admin to which the Push Notification will be applied (Realm A in the SecureAuth IdP Configuration Steps)

4. (OPTIONAL) Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin that is configured for the Account Management Page (help desk) to enable administrator revocation of Push Notification enrolled device(s) (Realm B in the SecureAuth IdP Configuration Steps)

5. (OPTIONAL) Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin that is configured for the Self-service Account Update (end-user self-service) to enable end-user self-revocation of Push Notification enrolled device(s) (Realm C in the SecureAuth IdP Configuration Steps)

6. Configure the following tabs in the Web Admin before configuring for Push Notification (and Account Management Page and Self-service Account Update):

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods – other 2-Factor Authentication methods that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined (see Realm B and Realm C for specific Post Authentication configurations for Account Management Page and Self-service Account Update)
  • Logs – the logs that will be enabled or disabled for this realm must be defined

SecureAuth IdP Configuration Steps
Realm A
Data

This step is for LDAP data stores only (AD and others)

If using a different directory type (e.g. SQL), the Property must instead be configured as a stored procedure in the data store

NOTE: For SQL, ASP.net, and Oracle data stores, only the Plain Binary Data Format is supported (configured in the Data tab); and for ODBC data stores, Push is not supported

1. In the Membership Connection Settings section, map a directory field to the Push Notification Tokens Property

In typical AD deployments, the Data Format is Plain Binary and the jpegPhoto directory field is utilized

2. Check Writable

The Push Notification Tokens Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the Push Notification Token:

  • Length: 4096 minimum
  • Data Type: Octet string (bytes)
  • Multi-valued

For JSON, these requirements must be met for the directory field that contains the Push Notification Token:

  • Length: 4096 minimum
  • Data Type: DirectoryString
  • Multi-valued

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Registration Methods

3. In the Registration Configuration section, select Enabled from the Push Notification Field dropdown

4. Set the Device Max Count to -1 if there is no limit on the number of enrolled devices

If a limit is to be established, set the maximum number of devices that can be enrolled for Push Notifications

5. If a max count is set, select Allow to replace from the When exceeding max count dropdown if end-users can replace existing enrolled devices with new ones

6. If a max count is set and Allow to replace is selected in step 5, select Created Time from the Replace in order by dropdown to replace the oldest enrolled device with the new one

Select Last Access Time to replace the least recently used enrolled device with the new one

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
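As an added illustration of the Device Max Count, When exceeding max count and Replace in order by settings in steps 4-6 (this is not SecureAuth IdP's own code; the class, field names and sample devices are assumptions constructed for the example), the following models how a new enrollment is admitted, rejected, or replaces an existing device:

```python
# Illustrative model of the Registration Methods enrollment policy.
# Not SecureAuth IdP code; names and structure are assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class EnrolledDevice:
    token: str                  # opaque push token stored in the directory attribute
    created_time: datetime      # when the device was enrolled
    last_access_time: datetime  # when the device last completed a push login


class MaxCountExceeded(Exception):
    """Raised when the limit is reached and 'Allow to replace' is not selected."""


class PushEnrollmentPolicy:
    def __init__(self, max_count: int = -1, allow_replace: bool = False,
                 replace_order: str = "created_time") -> None:
        if replace_order not in ("created_time", "last_access_time"):
            raise ValueError("replace_order must be 'created_time' or 'last_access_time'")
        self.max_count = max_count          # -1 means no limit (step 4)
        self.allow_replace = allow_replace  # 'Allow to replace' (step 5)
        self.replace_order = replace_order  # 'Replace in order by' (step 6)

    def enroll(self, devices: List[EnrolledDevice], new_device: EnrolledDevice
               ) -> Tuple[List[EnrolledDevice], Optional[EnrolledDevice]]:
        """Return the updated device list and the device that was evicted, if any."""
        if self.max_count == -1 or len(devices) < self.max_count:
            return devices + [new_device], None
        if not self.allow_replace:
            raise MaxCountExceeded(f"{len(devices)} devices enrolled, max is {self.max_count}")
        # Created Time evicts the oldest enrollment; Last Access Time evicts
        # the least recently used device.
        victim = min(devices, key=lambda d: getattr(d, self.replace_order))
        remaining = [d for d in devices if d is not victim]
        return remaining + [new_device], victim


def sample_devices() -> List[EnrolledDevice]:
    # Constructed sample data: tok-a is the oldest enrollment, tok-b the least recently used.
    return [
        EnrolledDevice("tok-a", datetime(2024, 1, 1), datetime(2024, 3, 1)),
        EnrolledDevice("tok-b", datetime(2024, 2, 1), datetime(2024, 2, 1)),
    ]


def new_sample_device() -> EnrolledDevice:
    return EnrolledDevice("tok-c", datetime(2024, 4, 1), datetime(2024, 4, 1))
```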

Realm B

These are optional configuration steps to enable administrator (help desk) revocation of Push Notification enrolled device(s)

This realm must be set up for the Account Management Page post authentication action

Refer to the Account Management (Help Desk) Page Configuration Guide for more information

Data

1. Follow steps 1-2 in the Data configuration steps of Realm A

The directory attribute used for Push Notification Tokens (e.g. jpegPhoto) must be the same across all SecureAuth IdP realms utilizing Push Notifications / Push-to-Accept Login Requests to ensure consistency

Post Authentication

2. In the Post Authentication section, select Account Management Page from the Authenticated User Redirect dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management

3. Click Configure help desk page to enable or disable help desk functions

Help Desk

4. Select Show Enabled from the Push Notification Devices dropdown to show this function on the help desk page and to enable changes (revocation)

Screenshot: Help Desk Page PUSH Notification Enrolled Device(s) Revocation

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes

Realm C

These are optional configuration steps to enable end-user self-service revocation of Push Notification enrolled device(s)

This realm must be set up for the Self-service Account Update post authentication action

Refer to the Self-service Account Update page configuration guide for more information

Data

1. Follow steps 1-2 in the Data configuration steps of Realm A

The directory attribute used for Push Notification Tokens (e.g. jpegPhoto) must be the same across all SecureAuth IdP realms utilizing Push Notifications / Push-to-Accept Login Requests to ensure consistency

Post Authentication

2. Select Self Service Account Update from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Identity Management

3. Click Configure self service page to enable or disable self-service functions

Self Service

4. Select Show Enabled from the Push Notification Tokens dropdown to show this function on the self-service page and to enable changes (revocation)

Screenshot: Self-service Page PUSH Notification Enrolled Device(s) Revocation

Click Save once the configurations have been completed and before leaving the Self-service page to avoid losing changes

End-user Experience

End-users must enroll their mobile devices (Authenticate App) in the OATH Provisioning Realm to use Push Notification as a Multi-Factor Authentication method

1. When logging into a SecureAuth IdP realm in which Push Notification is enabled, the Push Notification option appears in the 2-Factor Authentication methods list

2. Select Push Notification and click Submit

3. A Push Notification containing the OTP is delivered to the enrolled device and shown on its home screen

Screenshot: Push Notification Image Example