Documentation

Table of Contents


Other Resources


Introduction

Use this guide to enable Inline Initialization during the authentication process so end-users can add missing, required information in their profiles before they are allowed to access their targeted resource. 

You can set these types of fields as required for completion in a user's account:

  • Phone number(s)
  • Email address(es)
  • Knowledge Base (KB) answers
  • Static PIN

In SecureAuth IdP version 9.3, Inline Initialization lets end-users update their profiles to add specified types of email addresses and / or phone numbers required by your organization – for example: work email address, personal email address, work phone number, and mobile phone number.

 


What's new in SecureAuth IdP version 9.3

Flag up to four specific types of phone and email profile properties which require data to be defined on each pertinent realm.

Previous version of the Inline Initialization feature

In previous SecureAuth IdP versions, Inline Initialization was bypassed for profiles with a phone number and / or email address, even if the required information was not present in the user's profile, since the type of required phone / email could not be defined.

 


Prerequisites

Directory requirements for KB Inline Initialization

To use KB Inline Initialization, the following directory requirements must be fulfilled in addition to the Prerequisites listed above:

  • Service Account for SecureAuth IdP with read privileges to access the data store, and write privileges to update knowledge-based questions and answers. Contact SecureAuth Support for more information.
  • Two readable and writable attributes from the data store for use with the KBA feature. 

The selected attribute(s) will be used to store the question and answer information in the user profile. However, if using the Base64 setting, only the KB Question attribute is required. Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information.

On the New Experience user interface in version 9.3, you can configure an Active Directory integration or SQL Server integration to be applied to applications made from App onboarding library templates. Configure the remaining components – for example, Workflow, Multi-Factor Methods, and Adaptive Authentication tabs – on the Classic Experience user interface.

 


SecureAuth IdP Web Admin - Classic Experience configuration

Data tab

Profile Fields section

1. Map a Field to the appropriate Property for each Inline Initialization option to be included, and make Writable if required (see table):

PropertyField (examples)Writable
Phone 1 - Phone 4

"telephoneNumber" mapped to Phone 1

Y
"mobile" mapped to Phone 2Y
Email 1 - Email 4"mail" mapped to Email 1Y
"otherMailbox" mapped to Email 2Y
PIN"employeeID" mapped to PINY
KB Questions"houseIdentifier" mapped to KB QuestionsN
KB Answers"info" mapped to KB AnswersY

2. Save the configuration.

Multi-Factor Methods tab

Multi-Factor Configuration section

3. If configuring KB Inline Initialization, under Knowledge Based Settings select Enabled from the KB Questions dropdown.

4. RECOMMENDED: Select Encryption from the KB Format dropdown to ensure maximum security during the end-user authentication process.

5. Select the Number of Questions from which the end-user can choose during the authentication process.

6. Select True from the KB Conversion dropdown only if changes are being made to move from Base 64 to Encrypted settings.

7. If configuring static PIN Inline Initialization, under PIN Settings select Enabled from the PIN Field dropdown.

8. Select True from the Open PIN dropdown to store the static PIN in plain text rather than encrypted format.

9. Under Multi-Factor Settings, check the Inline Initialization box(es) to enable end-users to update the appropriate field(s) with information missing from their profiles:

a. For Phone, enable Missing Phone and check the Require Phone box corresponding to the required Phone number type. 

b. For Email, enable Missing Email and check each Require Email box corresponding to the required Email address type.

c. For KB, enable Missing KB Answers.

d. For PIN, enable Missing PIN.

10. Save the configuration.

11. Click Self-Service Settings.

Self Service page

12. Configure the Self-service page with fields that are required to be completed in the end-user profile.

a. For Phone, select Show Required from each dropdown corresponding to the required Phone number type.

NOTE: Select Hide to exclude a field from appearing on the Self-service page – in this example, Phone 3 and Phone 4.

b. For Email, select Show Required from each Email dropdown corresponding to the required Email address type.

NOTE: Select Hide to exclude a field from appearing on the Self-service page – in this example, Email 3 and Email 4.

c. For KB, select Show Required from the KBQ-KBA dropdown, and then:

  • Select the number of required KB questions from the KBQ Count dropdown.
  • Select the minimum, required Number of Answers from the dropdown.

d. For PIN, select Show Required from the PIN dropdown, and then:

  • Set Open PIN to True.

13. Save the configuration.

 


End-user experience

1. Start the login page and go through the authentication workflow.

2. The Self-service page appears since the user profile is missing information in required fields. In this example, Phone 2 and Email 2 are missing.

3. Enter the required, missing information.

4. Click Update to access the realm.

 

 

  • No labels