...

For supported versions of mobile apps, OTP clients, desktop browsers, and paired smartwatches, see the SecureAuth Compatibility Guide.


...

What's new in SecureAuth IdP version 9.3

...

  1. Go to the Data tab. 
  2. In the Membership Connection Settings section, set the following: 

    Note: This step is only for LDAP directories.

    To use a different directory (SQL, ASP.NET, Oracle, and so on), map the stored procedures for these fields to Properties in the next step.

    Search Attribute: Set to the directory field that identifies the user. For example, sAMAccountName.

    Note: The Search Attribute directory field must be the same in the Multi-Factor App Enrollment realm and in all realms that use Time-based Passcodes for Multi-Factor Authentication, so that every realm resolves the user to the same profile record.

  3. In the Profile Fields section, map the following Properties to data store fields and select the Writable check box: 

    OATH Seed

    This property is only required if OATH Seed (Single) is selected in the Multi-Factor App Enrollment section on the Post Authentication tab. 

    Map this property to a directory field that meets the following requirements:

    • DirectoryString (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Supports Advanced Encryption, as selected from the Data Format options

    For Active Directory data stores, you can use the postalAddress field. 

    One Time OATH List

    The One Time OATH List temporarily stores each accepted Time-based Passcode in the directory until the configured expiration, so that the same passcode cannot be replayed a second time within its validity window.

    To use this feature, map this property to any directory field that is a DirectoryString.

    For Active Directory data stores, you can use the wWWHomePage field (among many others). 

    Push Notification Tokens

    This property is required to enable the use of Push Notifications or Push-to-Accept / Symbol-to-Accept requests.

    This property can be stored as plain binary or in JSON format, and has distinct requirements for the LDAP directory attribute mapped to the property based on the Data Format selection. 

    For plain binary, map this property to a directory field that holds the Push Notification Token and meets the following requirements:

    • Length: 4096 minimum
    • Data Type: Octet string (bytes)
    • Multi-valued

    For JSON, map this property to a directory field that holds the Push Notification Token and meets the following requirements:

    • Length: 4096 minimum
    • Data Type: DirectoryString
    • Multi-valued

    For typical Active Directory integrations, the Data Format is plain binary and uses the jpegPhoto field. 

    OATH Tokens

    This property is required if OATH Token (Multi) is selected in the Multi-Factor App Enrollment section on the Post Authentication tab. 

    This property can be stored as plain binary, in JSON, or JSON encrypted format, and has distinct requirements for the LDAP directory attribute mapped to the property based on the Data Format selection. 

    For plain binary, map this property to a directory field that meets the following requirements:

    • OctetString (syntax: 2.5.5.10)
    • Upper Range of at least 4096
    • Multi-valued

    For JSON or JSON encrypted, map this property to a directory field that meets the following requirements:

    • DirectoryString (syntax: 2.5.5.12)
    • Upper Range of at least 4096
    • Multi-valued

    For typical Active Directory integrations, the Data Format is plain binary and uses the registeredAddress field. 

    Notes:

    • If the DirectoryString data type is not present, you can use UnicodeString, as long as it meets the other requirements for the attribute.
    • For SQL, ASP.NET, and Oracle data stores, only the plain binary Data Format is supported for the OATH Tokens and Push Notification Tokens properties (configured on the Data tab). For ODBC data stores, these two properties are not supported.
    • For a full list of data mapping requirements, see LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping.
  4. Save your changes. 
  5. Go to the Post Authentication tab. 
  6. In the Post Authentication section, set the following: 

    Authenticated User Redirect: Set to Multi-Factor App Enrollment - URL.
    Redirect To: This field is auto-populated with a URL that is appended to the domain name and realm number in the address bar. For example, Authorized/OATHProvision.aspx.

  7. In the User ID Mapping section, set the following:

    User ID Mapping: Set to Authenticated User ID.

  8. In the Multi-Factor App Enrollment section, choose the provisioning method in OATH Options:

    • To provision user devices with a single seed that generates time-based passcodes and push notifications across multiple devices, select OATH Seed (Single).
    • To provision user devices with multiple tokens on a single device, each token containing a distinct OATH seed, select OATH Token (Multi).
  9. If you selected OATH Seed (Single), set the following:

    Note: It is recommended to use the OATH Token (Multi) option instead of OATH Seed.

    SecureAuth has deprecated OATH Seeds in favor of OATH Tokens; however, this option is still available. The seed is converted to a token, and there are some prerequisites for this to happen: both the OATH Seed and OATH Tokens properties must be mapped in the Directory Property mapping. For more information, see How to convert an OATH Seed to an OATH Token.

    One Time Provisioning

    Select one of these options:

    • False - Reuse same seed – Use one seed with multiple devices; each newly provisioned device reuses the same seed, so every device produces the same passcode.
    • True - Generate new seed – Restricts the use of time-based passcodes to one device at a time; each newly provisioned device gets a new seed, which disables the old seed.
    Show OTP on enrollment page: Indicate whether to show the OTP on the app enrollment page.
    Passcode length: Set the number of digits in a time-based passcode (6 or 8 digits).
    Passcode Change Interval: Set the time in seconds for which a time-based passcode is valid.

  10. If you selected OATH Token (Multi), set the following:

    Wipe OATH Seed

    Select one of these options:

    • False – Continue using the already-provisioned devices (pre-SecureAuth IdP 8.1)
    • True – Delete the existing OATH seed and use only OATH tokens
    Max Device Count

    Set the number of accounts / OATH tokens allowed per user profile.

    Set to -1 if there is no limit.

    When exceeding max count

    When a max device count is specified, select what happens when the count is reached:

    • Replace – Allow replacement of accounts / OATH tokens
    • Don't replace – Requires manual removal of accounts
    Replace in order by

    To replace an account / OATH token when the maximum device count is exceeded, choose the replacement method:

    • Created Time – Replace the oldest account / OATH token with the newest one
    • Last Access Time – Replace the least recently used account / OATH token with the newest one
    Show OTP on enrollment page: Indicate whether to show the OTP on the app enrollment page.
    Passcode length: Set the number of digits in a time-based passcode (6 or 8 digits).
    Passcode Change Interval: Set the time in seconds for which a time-based passcode is valid.

  11. In the SecureAuth App - Security Options subsection, set the following:

    Require OATH PIN

    Note: This feature is applicable only on SecureAuth IdP 9.3 and later AND SecureAuth Authenticate app version 5.3 and later for iOS and Android.

    Select one of these options:

    • True – To view the time-based one-time passcode (TOTP) in the Authenticate app, require users to provide a PIN or biometric ID (fingerprint)
    • False – PIN is not required to view the TOTP in the Authenticate app
    PIN Length: Set the number of digits in the PIN (4, 6, 8, or 10 digits).
    Wipe Provisioned Data after: Set the number of failed PIN attempts allowed before the application data is removed and re-enrollment is required.
    Show PIN screen after: Set the time in seconds the app may remain idle before the PIN is required again (30, 60, 90, 120, or 180 seconds).

  12. Save your changes. 
  13. Optional: In the Forms Auth / SSO Token section, to configure the token and cookie properties for this realm, click the View and Configure FormsAuth keys/SSO token link. 
    For more information about configuring cookie or token settings, see Configure token or cookie settings.
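The following Python is an added example, not SecureAuth's code and not a description of how the IdP implements these settings internally. It models, in RFC 4226/6238 terms, what the Passcode length and Passcode Change Interval settings from steps 9 and 10 mean, what the One Time OATH List property mapped in step 3 guards against, and the difference between the two One Time Provisioning choices. The seed is the RFC 6238 reference key so the codes can be checked against the published test vectors; the OneTimeOathList class, the verify and provision functions, the one-interval drift window, and all timestamps are constructed for the demonstration.

```python
"""Added example, not SecureAuth's code. Models the Passcode length and Passcode
Change Interval settings with RFC 4226/6238 arithmetic (HMAC-SHA1), the One Time
OATH List replay guard, and the One Time Provisioning seed choice. Seeds, times
and the drift window are constructed for the demonstration."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

# RFC 6238 reference key (ASCII "12345678901234567890"), used only so the output
# can be checked against the published test vectors. A real OATH seed is generated
# at enrollment and stored encrypted in the field mapped to the OATH Seed property.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (left-padded with zeros)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: float, digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP. `digits` is the Passcode length (6 or 8); `interval` is the
    Passcode Change Interval in seconds. The counter is the number of whole
    intervals elapsed since the Unix epoch."""
    return hotp(seed, int(now // interval), digits)


class OneTimeOathList:
    """Models the One Time OATH List for one user: an accepted passcode is kept
    until it can no longer verify, so submitting it again inside that window is
    refused. The IdP persists this in the mapped directory field; this example
    keeps it in memory."""

    def __init__(self) -> None:
        self._used: Dict[str, int] = {}  # passcode -> expiry (epoch seconds)

    def consume(self, code: str, now: float, expiry: int) -> bool:
        """Return True and record the code on first use; False on a replay."""
        self._used = {c: e for c, e in self._used.items() if e > now}  # purge expired
        if code in self._used:
            return False
        self._used[code] = expiry
        return True


def verify(seed: bytes, submitted: str, now: float, used: OneTimeOathList,
           digits: int = 6, interval: int = 30, window: int = 1) -> bool:
    """Accept a passcode for the current interval or `window` intervals either
    side (clock drift), once only. The drift window is this example's choice,
    not a documented IdP setting."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    step = int(now // interval)
    for candidate in range(max(0, step - window), step + window + 1):
        # Constant-time compare so timing does not reveal which digits matched.
        if hmac.compare_digest(hotp(seed, candidate, digits), submitted):
            # Keep the entry until the end of the last interval in which the
            # drift window could still match this code.
            return used.consume(submitted, now, (candidate + window + 1) * interval)
    return False


def provision(current_seed: Optional[bytes], one_time_provisioning: bool) -> bytes:
    """Models One Time Provisioning for OATH Seed (Single). False: every device
    reuses the same seed and therefore shows the same passcode. True: each
    enrollment gets a fresh 160-bit seed (the size RFC 4226 recommends), so
    codes from the previously provisioned device stop verifying."""
    if current_seed is None or one_time_provisioning:
        return secrets.token_bytes(20)
    return current_seed


def demo() -> Dict[str, object]:
    """Walk through the settings at RFC 6238 test time 59 s (interval 1 of 30 s)."""
    now = 59
    used = OneTimeOathList()
    code6 = totp(SAMPLE_SEED, now)              # Passcode length 6
    code8 = totp(SAMPLE_SEED, now, digits=8)    # Passcode length 8, same seed and time
    first = verify(SAMPLE_SEED, code6, now, used)        # accepted
    replay = verify(SAMPLE_SEED, code6, now + 20, used)  # refused: still in the list
    drifted = verify(SAMPLE_SEED, totp(SAMPLE_SEED, now - 30), now, used)  # previous interval, accepted
    stale = verify(SAMPLE_SEED, code6, now + 120, used)  # refused: interval 1 is long past
    shared = provision(SAMPLE_SEED, one_time_provisioning=False)  # second device reuses the seed
    fresh = provision(SAMPLE_SEED, one_time_provisioning=True)    # second device gets a new seed
    return {
        "code6": code6, "code8": code8, "first": first, "replay": replay,
        "drifted": drifted, "stale": stale,
        "shared_seed_same_code": totp(shared, now) == code6,
        "new_seed_changes_code": totp(fresh, now) != code6,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see each check. Two design points are worth noting: the replay list is keyed by the passcode itself, as the page describes the IdP storing the passcode, so the entry must live as long as any drift window could still match that code; and a used code is retained even after the current interval rolls over, which is exactly the case a naive "compare against the current code only" verifier gets wrong.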

...