
This document contains specific information for SecureAuth IdP version 7.x. If using a different version of SecureAuth IdP, refer to the 8.x, 9.0.x, or 9.1 - 9.2 space accordingly.

Introduction

Use this guide to configure and register mobile devices to use PUSH Notification as a 2-Factor Authentication registration method.

PUSH Notifications are sent directly to a mobile device and include a one-time password (OTP) to use during the 2-Factor Authentication workflow. The PUSH Notification functionality must be enabled in every realm that will offer the option, and end-users must register their mobile device(s) to receive the notifications before they can select this registration method during login.

SecureAuth IdP builds a tunnel using Apple APN and Google GCM services to distribute custom messages to registered mobile devices.

Prerequisites

1. Download the SecureAuth IdP Mobile OTP App from the Apple App Store, Google Play Store, Blackberry World, or Windows Store.

2. Configure the OATH Seed Realm where end-users can register their device(s) for PUSH Notification.

3. Create a New Realm or access existing realm(s) in the SecureAuth IdP Web Admin to which the PUSH Notification will be applied (Realm A in the SecureAuth IdP Configuration Steps).

(Optional) 4. Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin that is configured for the Account Management Page (help desk) to enable administrator PUSH Notification enrolled device(s) revocation (Realm B in the SecureAuth IdP Configuration Steps).

(Optional) 5. Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin that is configured for the Self-service Account Update (end-user self-service) to enable end-user PUSH Notification enrolled device(s) self-revocation (Realm C in the SecureAuth IdP Configuration Steps).

6. Configure the following tabs in the Web Admin before configuring for PUSH Notification (and Account Management Page and Self-service Account Update):

  • User Interface – the description of the realm and SMTP connections must be defined
  • Data Store – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods – the 2-Factor Authentication methods that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined (see Realm B and Realm C for specific Post Authentication configurations for Account Management Page and Self-service Account Update)
  • Logs – the logs that will be enabled or disabled for this realm must be defined

Realm A - SecureAuth IdP Configuration Steps

Data Store Tab

This step is for LDAP data stores only (AD and others).

If using a different directory (e.g. SQL), then the Push Notification Tokens property must be configured as a stored procedure in the data store.

1. In the Web Admin, navigate to the Data Store tab.

2. In the Profile Fields section, map a directory field to the Push Notification Tokens property.

In typical deployments, the jpegPhoto directory field is utilized.

3. Check the Write flag.

For the Push Notification Tokens property, these requirements must be met for the directory field that contains the PUSH Notification enrolled device(s):

  • Length: 4096 minimum
  • Data Type: Octet string (bytes)
  • Multi-valued
  • Support the Plain Binary or JSON Format as selected in the Web Admin

Click Save once the configurations have been completed and before leaving the Data Store page to avoid losing changes.
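The four requirements above can be verified against the directory schema before the field is mapped, which avoids truncated or overwritten token data later. The following is an added example, not SecureAuth code: it reads an LDIF export of an Active Directory schema entry (the form produced by an ldifde or LDAP search against the schema naming context) rather than querying a live directory, and checks attributeSyntax, isSingleValued and rangeUpper. The sample LDIF, including the rangeUpper values and the second attribute, is constructed for the demonstration; whether the chosen Plain Binary or JSON format is supported cannot be read from the schema and is left to the Web Admin setting.

```python
"""Offline check that a directory attribute satisfies the Push Notification
Tokens field requirements: multi-valued, Octet String syntax, and a declared
length of at least 4096. Added example, not SecureAuth code; the sample
schema entries below are constructed."""
import base64
from typing import Dict, List, Optional

OCTET_STRING_SYNTAX = "2.5.5.10"  # AD attributeSyntax OID for Octet String
MIN_LENGTH = 4096                 # minimum length required by the guide

# Constructed sample LDIF: one entry that meets the requirements (jpegPhoto)
# and one made-up single-valued Unicode String attribute that does not.
# rangeUpper values are illustrative, not the real AD schema values.
SAMPLE_LDIF = """\
dn: CN=jpegPhoto,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: jpegPhoto
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: FALSE
rangeUpper: 102400

dn: CN=exampleSmallAttr,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName:: ZXhhbXBsZVNtYWxsQXR0cg==
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
rangeUpper: 1024
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into a list of entries. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive; folded continuation
    lines and base64 ("attr:: ...") values are handled."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def find_attribute(entries: List[Entry], ldap_display_name: str) -> Optional[Entry]:
    """Locate the schema entry whose lDAPDisplayName matches (case-insensitive)."""
    for entry in entries:
        if entry.get("ldapdisplayname", [""])[0].lower() == ldap_display_name.lower():
            return entry
    return None


def check_push_token_attribute(entry: Entry) -> List[str]:
    """Return the list of requirement violations for a schema entry; an empty
    list means the attribute is usable for Push Notification Tokens as far as
    the schema shows."""
    problems: List[str] = []
    syntax = entry.get("attributesyntax", [""])[0]
    if syntax != OCTET_STRING_SYNTAX:
        problems.append(f"attributeSyntax {syntax or 'missing'} is not Octet String ({OCTET_STRING_SYNTAX})")
    if entry.get("issinglevalued", ["TRUE"])[0].upper() != "FALSE":
        problems.append("attribute is single-valued; a multi-valued attribute is required")
    upper = entry.get("rangeupper")
    # An absent rangeUpper means no declared upper bound, so only a declared
    # bound below the minimum is reported.
    if upper and int(upper[0]) < MIN_LENGTH:
        problems.append(f"rangeUpper {upper[0]} is below the {MIN_LENGTH} minimum")
    return problems


if __name__ == "__main__":
    schema = parse_ldif(SAMPLE_LDIF)
    for name in ("jpegPhoto", "exampleSmallAttr"):
        entry = find_attribute(schema, name)
        issues = check_push_token_attribute(entry) if entry else ["not found in schema"]
        print(name, "OK" if not issues else issues)
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; any reported problem means the field should not be mapped to Push Notification Tokens until the schema is corrected or another attribute is chosen.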

Registration Methods Tab

4. Open the Registration Methods tab.

5. In the Registration Configuration section, find the Push Notification Field dropdown and configure the following settings:

  • Push Notification Settings: Enabled
  • Device Max Count: -1 if there is no limit to enrolled devices; otherwise enter a max number of devices that can be enrolled and continue with the settings below:
    • When exceeding max count: If a Device Max Count is set above, select Allow to replace if end-users can replace existing enrolled devices with new ones
    • Replace in order by: If a Max Count is set and Allow to replace is selected, choose how devices get replaced:
      • Created Time: replace the oldest enrolled device with the new one
      • Last Access Time: replace the least recently used enrolled device with the new one

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes.
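The interaction between Device Max Count, When exceeding max count and Replace in order by is easiest to see as a small model. The following is an added example, not SecureAuth code: the class, function names and device records are assumptions for illustration, and the two enrolled devices are constructed so that the oldest-enrolled device and the least-recently-used device are different, which is exactly where the Created Time and Last Access Time choices diverge.

```python
"""Model of the Registration Methods tab settings for PUSH Notification
device enrollment. Added example, not SecureAuth code; names and sample
devices are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional

UNLIMITED = -1  # the Device Max Count value the guide uses for "no limit"


class EnrollmentLimitReached(Exception):
    """Raised when the max count is reached and Allow to replace is off."""


@dataclass
class EnrolledDevice:
    token: str        # push token identifier (constructed sample values below)
    created: int      # enrollment time as epoch seconds
    last_access: int  # last time the device received a PUSH OTP


class PushDevicePolicy:
    def __init__(self, max_count: int = UNLIMITED, allow_replace: bool = False,
                 replace_by: str = "created"):
        if max_count != UNLIMITED and max_count < 1:
            raise ValueError("max_count must be -1 (unlimited) or a positive number")
        if replace_by not in ("created", "last_access"):
            raise ValueError("replace_by must be 'created' or 'last_access'")
        self.max_count = max_count
        self.allow_replace = allow_replace
        self.replace_by = replace_by

    def enroll(self, devices: List[EnrolledDevice],
               new: EnrolledDevice) -> Optional[EnrolledDevice]:
        """Add `new` to `devices` in place. Returns the device that was
        replaced, or None if nothing was evicted. Raises
        EnrollmentLimitReached when the realm is full and replacement is
        not allowed."""
        if self.max_count == UNLIMITED or len(devices) < self.max_count:
            devices.append(new)
            return None
        if not self.allow_replace:
            raise EnrollmentLimitReached(
                f"{len(devices)} devices enrolled; max is {self.max_count}")
        # Created Time -> oldest enrollment; Last Access Time -> least recently used
        victim = min(devices, key=lambda d: getattr(d, self.replace_by))
        devices.remove(victim)
        devices.append(new)
        return victim


def sample_devices() -> List[EnrolledDevice]:
    """Constructed sample: the older enrollment is the one used most
    recently, so the two replacement orders pick different devices."""
    return [
        EnrolledDevice("tok-old-phone", created=1_600_000_000, last_access=1_700_000_000),
        EnrolledDevice("tok-newer-phone", created=1_650_000_000, last_access=1_660_000_000),
    ]


if __name__ == "__main__":
    incoming = EnrolledDevice("tok-new", created=1_700_000_100, last_access=1_700_000_100)
    for order in ("created", "last_access"):
        devices = sample_devices()
        evicted = PushDevicePolicy(2, True, order).enroll(devices, incoming)
        print(order, "evicted", evicted.token, "->", [d.token for d in devices])
```

Note that with Last Access Time a device that is lost but still enrolled will only be evicted once it is the least recently used; the help desk and self-service revocation described in Realm B and Realm C below remain the direct way to remove such a device.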

(optional) Realm B - Help Desk Realm Configuration

The following configuration steps are optional. They will enable the administrator (help desk) and/or user to perform revocation of PUSH Notification enrolled device(s).

This realm must be set up for the Account Management Page post authentication action.

Refer to Account Management (Help Desk) Page Configuration Guide for more information.

Post Authentication Tab Configuration

1. Open the Post Authentication tab.

2. Select Account Management Page from the Authenticated User Redirect dropdown.

An unalterable URL is auto-populated in the Redirect To field and is appended to the domain name and realm number in the address bar (Authorized/ManageAccounts.aspx).

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

Identity Management

3. Click Configure help desk page to enable or disable help desk functions.

Help Desk

4. In the Push Notification Devices dropdown, select Show Enabled to show this function on the help desk page and enable the admin to make changes (revocation of devices).

[Screenshot: Help Desk Page PUSH Notification Enrolled Device(s) Revocation]

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes.

(optional) Realm C - Self-Service Realm Configuration

These are optional configuration steps to enable end-user self-service revocation of PUSH Notification enrolled device(s).

This realm must be set up for the User Self Service Account Update post authentication action.

Refer to Self-service Account Update Page Configuration Guide for more information.

Post Authentication Tab Configuration

1. Open the Post Authentication tab.

2. Select Self Service Account Update from the Authenticated User Redirect dropdown.

An unalterable URL is auto-populated in the Redirect To field and is appended to the domain name and realm number in the address bar (Authorized/AccountUpdate.aspx).

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

Identity Management

3. Click Configure self service page to enable or disable self-service functions.

Self Service

4. In the Push Notification Devices dropdown, select Show Enabled to show this function on the self-service page and enable the user to make changes (revocation of devices).

[Screenshot: Self-service Page PUSH Notification Enrolled Device(s) Revocation]

Click Save once the configurations have been completed and before leaving the Self-service page to avoid losing changes.

Mobile Device Enrollment Steps

End-users must enroll and register each mobile device that accepts PUSH Notification OTPs.

Device Registration

1. Download the SecureAuth IdP OTP Mobile App and open the application on the device to which the PUSH Notification will be sent.

2. To register a device, in the SETTINGS section, provide the Server URL, which is the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the OATH Seed Realm number, e.g. https://secureauth.company.com/secureauth998.

SecureAuth998 is the default OATH Seed Realm that comes configured out-of-the-box on the SecureAuth IdP appliance; however, any realm can be configured as the OATH Seed Realm.

3. Click Start.

2-Factor Authentication Workflow

The device enrollment workflow varies depending on the workflow configuration in the OATH Seed Realm.

Shown below, as an example, is the Standard 2-Factor Authentication Workflow.

4. Enter the User ID and click Submit.

5. Select the 2-Factor Authentication method in which the OTP is delivered, e.g. E-mail.

6. Enter the OTP delivered via the 2-Factor Authentication method selected in step 4.

7. Enter the Password associated with the User ID provided in step 3.

Device Registration Success

8. The application will alert end-users that the device has been registered if the workflow is completed successfully.

End-user Experience

1. When logging into a SecureAuth IdP realm in which PUSH Notification is enabled, the Push Notification option appears in the 2-Factor Authentication methods list.

2. Select Push Notification and click Submit.

3. A PUSH Notification containing the OTP is delivered to the enrolled device and shown on its home screen.

[Screenshot: PUSH Notification Image Example]