
Introduction

Use this guide as a reference to configure a SecureAuth IdP realm that uses the Standard 2-Factor Authentication workflow.

The Standard 2-Factor Authentication workflow prompts the end-user for the username, then a second factor option of the end-user's choice, and then the password, in that order.

This can be applied to any realm to access web, SaaS, mobile, or network applications and devices, and SecureAuth IdP out-of-the-box Identity Management (IdM) tools via 2-Factor Authentication.

SecureAuth IdP Configuration Steps
Workflow

 

1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown

2. Select Device/Browser Fingerprinting from the Client Side Control dropdown

Be sure to map a directory field to the SecureAuth IdP Fingerprints Property

 Fingerprints Property Requirements

If the data store is not LDAP, a stored procedure must be created to hold the Fingerprints

For LDAP data stores, the audio attribute is typically mapped to the Fingerprints Property in the Data tab, since it is an existing multi-valued octet-string attribute that is rarely used for anything else

The Fingerprints Property can be stored as Plain Binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the Property based on the Data Format selection

For Plain Binary, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: 8 kB minimum per Fingerprint Record; if the Total FP Max Count (step 31) is set to -1 (unlimited), the attribute must have no size limit
  • Data Type: Octet string (bytes)
  • Multi-valued

For JSON, these requirements must be met for the directory field that contains the fingerprint information:

  • Length: No limit / undefined
  • Data Type: DirectoryString
  • Multi-valued
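Before mapping the attribute in the Data tab, it is worth confirming against the directory schema that the chosen attribute actually satisfies the requirements above. The following Python helper is an added example written for this page, not SecureAuth code: it encodes the Plain Binary and JSON requirements as checks over an attribute's schema properties, using the Active Directory attributeSyntax OIDs 2.5.5.10 (Octet String) and 2.5.5.12 (Unicode String, i.e. DirectoryString), together with isSingleValued and rangeUpper. The schema values would normally be read from the attributeSchema object in the schema naming context (for example with ldapsearch or Get-ADObject); the sample entries here are constructed, and treating "unlimited size" as "no rangeUpper set" is this example's interpretation.

```python
"""Check an LDAP/AD attribute against the SecureAuth Fingerprints Property
requirements for a given Data Format (Plain Binary or JSON).

Added example, not SecureAuth code. Schema values are constructed inline; in
practice they come from the attributeSchema object in the schema naming context.
"""
from dataclasses import dataclass
from typing import List, Optional

# Active Directory attributeSyntax OIDs for the two syntaxes the requirements name
OCTET_STRING = "2.5.5.10"    # Octet String -> Plain Binary
UNICODE_STRING = "2.5.5.12"  # Unicode String (DirectoryString) -> JSON
MIN_BINARY_BYTES = 8 * 1024  # 8 kB minimum per fingerprint record (Plain Binary)


@dataclass(frozen=True)
class AttributeSchema:
    """Subset of an attributeSchema object relevant to the check."""
    ldap_display_name: str
    attribute_syntax: str        # attributeSyntax OID
    is_single_valued: bool       # isSingleValued
    range_upper: Optional[int]   # rangeUpper; None = no declared limit


def check_fingerprint_attribute(attr: AttributeSchema, data_format: str,
                                total_fp_max_count: int = -1) -> List[str]:
    """Return a list of requirement violations (empty list = attribute is usable).

    total_fp_max_count mirrors the workflow's Total FP max count: -1 (unlimited)
    additionally requires that the attribute carry no size limit. Treating
    'unlimited' as 'rangeUpper not set' is this example's interpretation.
    """
    name = attr.ldap_display_name
    problems: List[str] = []

    # Both formats require a multi-valued attribute (one value per fingerprint)
    if attr.is_single_valued:
        problems.append(f"{name}: isSingleValued is TRUE; the attribute must be multi-valued")

    if data_format == "Plain Binary":
        if attr.attribute_syntax != OCTET_STRING:
            problems.append(f"{name}: attributeSyntax {attr.attribute_syntax} is not Octet String ({OCTET_STRING})")
        if attr.range_upper is not None:
            if attr.range_upper < MIN_BINARY_BYTES:
                problems.append(f"{name}: rangeUpper {attr.range_upper} is below the {MIN_BINARY_BYTES}-byte minimum per record")
            elif total_fp_max_count == -1:
                problems.append(f"{name}: Total FP max count is -1 but rangeUpper {attr.range_upper} caps the attribute size")
    elif data_format == "JSON":
        if attr.attribute_syntax != UNICODE_STRING:
            problems.append(f"{name}: attributeSyntax {attr.attribute_syntax} is not DirectoryString ({UNICODE_STRING})")
        if attr.range_upper is not None:
            problems.append(f"{name}: JSON format requires an unlimited length but rangeUpper is {attr.range_upper}")
    else:
        raise ValueError(f"unknown Data Format: {data_format!r}")

    return problems


# Constructed sample schema entries (not read from a real directory)
AUDIO_SAMPLE = AttributeSchema("audio", OCTET_STRING, False, None)
SHORT_STRING_SAMPLE = AttributeSchema("info-short", UNICODE_STRING, False, 1024)
SINGLE_VALUED_SAMPLE = AttributeSchema("fpSingle", OCTET_STRING, True, None)

if __name__ == "__main__":
    for attr in (AUDIO_SAMPLE, SHORT_STRING_SAMPLE, SINGLE_VALUED_SAMPLE):
        for fmt in ("Plain Binary", "JSON"):
            issues = check_fingerprint_attribute(attr, fmt)
            print(f"{attr.ldap_display_name:12} {fmt:13} -> {'OK' if not issues else issues}")
```

Run it against the real values of the attribute you intend to map; an empty result for the Data Format you selected means the attribute meets the listed requirements, while each returned string names the property to fix in the schema or the setting to change in the realm.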

Workflow

 

3. Select Private and Public Mode from the Public/Private Mode dropdown

4. Select Default Public from the Default Public/Private dropdown

5. Select True from the Remember User Selection dropdown

6. Select Standard (User / 2nd Factor / Password) from the Authentication Mode dropdown

7. Leave the rest as Default

Custom Front End

 

8. Select Send Token Only from the Receive Token dropdown

9. Select False from the Require Begin Site dropdown

10. Leave the rest as Default

Certificate / Token Properties

 

11. Select Private Mode Cert Length from the Certificate Expiration dropdown

12. Select Cert Expiration Date from the Certificate Valid Until dropdown

13. Set the Private Mode Cert Length to the number of days during which the certificate will be valid, e.g. 180 Days

14. Set the Public Mode Cert Length to the number of hours during which the public certificate will be valid, e.g. 4320 Hours (180 days)

15. Select Disabled from the Check CRL dropdown

With CRL checking disabled, a revoked device certificate is still accepted until it expires, so the certificate lengths set in steps 13 and 14 bound how long a lost or compromised device remains trusted

Browser / Mobile Device Digital Fingerprinting

 

16. Set the Weights of each component to add or subtract significance to or from specific characteristics that will combine to create the fingerprint

The HTTP Headers and System Components weights must sum to 100%

Typical configuration is shown in the image, or defaulted in the SecureAuth IdP Web Admin

17. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown

18. Leave the Cookie name prefix and Cookie length fields default or blank

19. Select False from the Match FP in cookie dropdown

20. Set the Authentication Threshold to 90-100% based on preference

21. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

Setting the Authentication Threshold below 100% tolerates normal drift in a returning browser (for example a browser update changing a header value) at the cost of lowering the bar a spoofed fingerprint must clear

22. In the Mobile Settings section, select Cookie from the FP Mode dropdown

23. Leave the Cookie name prefix as the default, or set it to a preferred name

24. Set the Cookie Length to the amount of hours during which the cookie will be valid, e.g. 72 Hours

25. Select True from the Match FP in cookie dropdown

26. Select True from the Skip IP Match dropdown, so that the IP address is excluded from the match; mobile devices change networks frequently and would otherwise fail to match their stored fingerprint

27. Set the Authentication Threshold to 90-100% based on preference

28. Set the Update Threshold to 80-90% based on preference

The Update Threshold must be less than the Authentication Threshold

29. Set the FP expiration length to 0 (fingerprints never expire by age), unless fingerprints should expire after a fixed period

30. Set the FP expiration since last access to 0 (fingerprints never expire for inactivity), unless fingerprints should expire after a period without use

31. Set the Total FP max count to -1 (unlimited), unless there is a maximum number of fingerprints that can be stored for a user at a given time

If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8

32. Select Allow to replace from the When exceeding max count dropdown if a maximum was set in step 31

Otherwise, leave as default

33. Select Created Time from the Replace in order by dropdown if a maximum was set in step 31, so the oldest fingerprint is replaced first

Otherwise, leave as default

34. Set the FP's access records max count to 5
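To make the relationships among the component weights (step 16), the two thresholds (steps 20-21 and 27-28), Skip IP Match (step 26) and the max-count replacement policy (steps 31-33) concrete, the following Python model is an added example written for this page. It is not SecureAuth's matching algorithm, which this page does not describe: the component names, weights and sample fingerprints are constructed, exact-match comparison per component is a simplification, and the meaning given to a score that falls between the Update and Authentication thresholds (second factor required, then the stored record is refreshed) is this example's assumption.

```python
"""Weighted fingerprint scoring with Authentication/Update thresholds and a
bounded fingerprint store. Added illustrative model, not SecureAuth code."""
from typing import Dict, List

# Constructed component weights in percent (names and values are assumptions).
# The workflow requires the HTTP header and system component weights to sum to 100.
WEIGHTS: Dict[str, int] = {
    "user_agent": 30, "accept_language": 10,       # HTTP header components
    "screen": 20, "timezone": 10, "plugins": 20,   # system components
    "ip": 10,                                      # excluded when Skip IP Match is True
}


def validate_weights(weights: Dict[str, int]) -> bool:
    """True only if the weights sum to exactly 100 percent."""
    return sum(weights.values()) == 100


def match_score(stored: Dict[str, str], presented: Dict[str, str],
                weights: Dict[str, int], skip_ip_match: bool = False) -> float:
    """Percentage of weight carried by components whose values match exactly.
    With skip_ip_match the 'ip' component is dropped and the rest re-normalised."""
    usable = {k: w for k, w in weights.items() if not (skip_ip_match and k == "ip")}
    total = sum(usable.values())
    matched = sum(w for k, w in usable.items() if stored.get(k) == presented.get(k))
    return 100.0 * matched / total


def decide(score: float, auth_threshold: float, update_threshold: float) -> str:
    """Map a score to an outcome. 'authenticate': fingerprint accepted, second
    factor skipped; 'update': second factor required, then the stored record is
    refreshed (assumed behaviour); 'new': second factor required, a new record is
    stored. The ordering check enforces the workflow's rule that the Update
    Threshold must be below the Authentication Threshold."""
    if not (0 < update_threshold < auth_threshold <= 100):
        raise ValueError("Update Threshold must be less than the Authentication Threshold")
    if score >= auth_threshold:
        return "authenticate"
    if score >= update_threshold:
        return "update"
    return "new"


def store_fingerprint(records: List[dict], new_record: dict, max_count: int) -> List[dict]:
    """Append a record; once max_count (-1 = unlimited) is reached, replace the
    record with the oldest 'created' time ('Allow to replace' by 'Created Time')."""
    if max_count == -1 or len(records) < max_count:
        return records + [new_record]
    oldest = min(records, key=lambda r: r["created"])
    return [r for r in records if r is not oldest] + [new_record]


# Constructed sample fingerprints (a mobile device moving between networks)
STORED = {"user_agent": "UA/1", "accept_language": "en-US", "screen": "1170x2532",
          "timezone": "-300", "plugins": "none", "ip": "198.51.100.10"}
NEW_NETWORK = dict(STORED, ip="203.0.113.7")                 # same device, new IP
NEW_NETWORK_NEW_PLUGINS = dict(NEW_NETWORK, plugins="pdf")   # plus a plugin change

if __name__ == "__main__":
    assert validate_weights(WEIGHTS)
    for label, fp in (("new network", NEW_NETWORK), ("new network+plugins", NEW_NETWORK_NEW_PLUGINS)):
        for skip in (False, True):
            s = match_score(STORED, fp, WEIGHTS, skip_ip_match=skip)
            print(f"{label:20} skip_ip={skip!s:5} score={s:6.2f} -> {decide(s, 95, 85)}")
```

With an Authentication Threshold of 95% and an Update Threshold of 85%, the same device on a new network scores 90% when the IP is counted (second factor required) but 100% with Skip IP Match (accepted), which is why the mobile settings turn that option on; swapping the two thresholds is rejected outright, matching the constraint stated in steps 21 and 28.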

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Registration Methods

 

35. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes

System Info

 

36. In the Plugin Info section, select False from the Java Detection dropdown

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes

End-user Experience