Use this guide as a reference to configure a SecureAuth IdP realm that uses the Standard 2-Factor Authentication workflow.
The Standard 2-Factor Authentication (Username | Second Factor | Password in 9.0.1+) workflow prompts the end-user for the username, then a second factor option of the end-user's choice, and then the password, in that order.
This can be applied to any realm to access web, SaaS, mobile, or network applications and devices, and SecureAuth IdP out-of-the-box Identity Management (IdM) tools via Multi-Factor Authentication.
NOTE: The configuration steps vary between SecureAuth IdP 9.0.x versions. Select either 9.0.0 or 9.0.1+ to view the appropriate guidelines.
For the SecureAuth IdP 8.2 version of this document, see Standard 2-Factor Authentication Workflow Configuration.
SecureAuth IdP 9.0.0
1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown
2. Select Device/Browser Fingerprinting from the Client Side Control dropdown
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property
3. Select Private and Public Mode from the Public/Private Mode dropdown
4. Select Default Public from the Default Public/Private dropdown
5. Select True from the Remember User Selection dropdown
6. Select Standard (User / 2nd Factor / Password) from the Authentication Mode dropdown
7. Leave the rest as Default
8. Select Send Token Only from the Receive Token dropdown
9. Select False from the Require Begin Site dropdown
10. Leave the rest as Default
11. Select Private Mode Cert Length from the Certificate Expiration dropdown
12. Select Cert Expiration Date from the Certificate Valid Until dropdown
13. Set the Private Mode Cert Length to the number of days during which the certificate will be valid, e.g. 180 Days
14. Set the Public Mode Cert Length to the number of hours during which the public certificate will be valid, e.g. 4320 Hours
15. Select Disabled from the Check CRL dropdown
16. Set the Weights of each component to increase or decrease the significance of the specific characteristics that combine to create the fingerprint
The HTTP Headers and System Components weights must equal 100%
Typical configuration is shown in the image, or defaulted in the SecureAuth IdP Web Admin
17. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown
18. Leave the Cookie name prefix and Cookie length fields default or blank
19. Select False from the Match FP in cookie dropdown
20. Set the Authentication Threshold to 90-100% based on preference
21. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
22. In the Mobile Settings section, select Cookie from the FP Mode dropdown
23. Leave the Cookie name prefix as the default, or set it to a preferred name
24. Set the Cookie Length to the number of hours during which the cookie will be valid, e.g. 72 Hours
25. Select True from the Match FP in cookie dropdown
26. Select True from the Skip IP Match dropdown
27. Set the Authentication Threshold to 90-100% based on preference
28. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
29. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint
30. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage
31. Set the Total FP max count to -1, unless there is a maximum number of fingerprints that can be stored at a given time
If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8
32. Select Allow to replace from the When exceeding max count dropdown if a maximum is set in step 31
Otherwise, leave as default
33. Select Created Time from the Replace in order by dropdown if a maximum is set in step 31
Otherwise, leave as default
34. Set the FP's access records max count to 5
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
35. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm
Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
36. In the Plugin Info section, select False from the Java Detection dropdown
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
SecureAuth IdP 9.0.1+
1. In the Device Recognition Method section, select Certification Enrollment and Validation from the Integration Method dropdown
2. Select Device/Browser Fingerprinting from the Client Side Control dropdown
Be sure to map a directory field to the SecureAuth IdP Fingerprints Property
3. Set the Weights of each component to increase or decrease the significance of the specific characteristics that combine to create the fingerprint
The HTTP Headers and System Components weights must equal 100%
Typical configuration is shown in the image, or defaulted in the SecureAuth IdP Web Admin
4. In the Normal Browser Settings section, select No Cookie from the FP Mode dropdown
5. Leave the Cookie name prefix and Cookie length fields default or blank
6. Select False from the Match FP in cookie dropdown
7. Set the Authentication Threshold to 90-100% based on preference
8. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
9. In the Mobile Settings section, select Cookie from the FP Mode dropdown
10. Leave the Cookie name prefix as the default, or set it to a preferred name
11. Set the Cookie Length to the number of hours during which the cookie will be valid, e.g. 72 Hours
12. Select True from the Match FP in cookie dropdown
13. Select True from the Skip IP Match dropdown
14. Set the Authentication Threshold to 90-100% based on preference
15. Set the Update Threshold to 80-90% based on preference
The Update Threshold must be less than the Authentication Threshold
16. Set the FP expiration length to 0, unless there will be an expiration on the fingerprint
17. Set the FP expiration since last access to 0, unless there will be an expiration on the fingerprint based on usage
18. Set the Total FP max count to -1, unless there is a maximum number of fingerprints that can be stored at a given time
If a maximum is to be set, a typical configuration would limit fingerprint storage to 5-8
19. Select Allow to replace from the When exceeding max count dropdown if a maximum is set in step 18
Otherwise, leave as default
20. Select Created Time from the Replace in order by dropdown if a maximum is set in step 18
Otherwise, leave as default
21. Set the FP's access records max count to 5
22. Select Username | Second Factor | Password from the Default Workflow dropdown
23. Select Private and Public Mode from the Public/Private Mode dropdown
24. Select Default Public from the Default Public/Private dropdown
25. Select True from the Remember User Selection dropdown
Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes
26. In the Registration Configuration section, ensure that at least one registration method is enabled for use in this realm
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
27. In the Plugin Info section, select False from the Java Detection dropdown
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
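The fingerprint settings in both versions above carry rules that are easy to break when values are chosen by preference (for example, 90% is allowed for both thresholds, yet the Update Threshold must stay below the Authentication Threshold). The following is an added example, not SecureAuth code, that checks a planned settings sheet against those rules before it is entered in the Web Admin. The dictionary keys and sample values are hypothetical, and the 100% weight rule is read as the combined total of both groups.

```python
# Added example: lint planned fingerprint settings against this guide's rules (keys are hypothetical).

def check_profile(name, p):
    """Findings for one settings section: 'normal' (browser) or 'mobile'."""
    out = []
    auth, upd = p["auth_threshold"], p["update_threshold"]
    if not 90 <= auth <= 100:
        out.append(f"{name}: Authentication Threshold {auth}% is outside 90-100%")
    if not 80 <= upd <= 90:
        out.append(f"{name}: Update Threshold {upd}% is outside 80-90%")
    if upd >= auth:  # both ranges include 90, so 90/90 passes the range checks but not this one
        out.append(f"{name}: Update Threshold must be less than Authentication Threshold")
    cookie = name == "mobile"  # guide: Cookie mode for mobile, No Cookie for normal browsers
    if p["fp_mode"] != ("Cookie" if cookie else "No Cookie"):
        out.append(f"{name}: FP Mode is {p['fp_mode']!r}")
    if p["match_fp_in_cookie"] != cookie:
        out.append(f"{name}: Match FP in cookie should be {cookie}")
    return out

def check_storage(s):
    out, limit = [], s["total_fp_max_count"]
    if limit != -1 and limit <= 0:
        out.append("storage: Total FP max count must be -1 or a positive number")
    elif limit > 0:  # the replace settings only matter once a maximum is set
        if s["when_exceeding"] != "Allow to replace":
            out.append("storage: a maximum is set, so select Allow to replace")
        if s["replace_order"] != "Created Time":
            out.append("storage: a maximum is set, so replace in order by Created Time")
    if s["access_records_max"] != 5:
        out.append("storage: FP's access records max count should be 5")
    return out

def check_plan(plan):
    out = []
    if sum(plan["weights"].values()) != 100:  # assumption: both groups combined total 100
        out.append("weights: HTTP Headers and System Components do not total 100%")
    for name in ("normal", "mobile"):
        out += check_profile(name, plan[name])
    return out + check_storage(plan["storage"])

# Constructed sample plan with three deliberate mistakes.
PLAN = {
    "weights": {"http_headers": 45, "system_components": 50},
    "normal": {"auth_threshold": 90, "update_threshold": 90, "fp_mode": "No Cookie", "match_fp_in_cookie": False},
    "mobile": {"auth_threshold": 95, "update_threshold": 85, "fp_mode": "Cookie", "match_fp_in_cookie": True},
    "storage": {"total_fp_max_count": 6, "when_exceeding": "default", "replace_order": "Created Time", "access_records_max": 5},
}
if __name__ == "__main__":
    print("\n".join(check_plan(PLAN)))
```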