5.10 Advanced Authentication

NetIQ Advanced Authentication delivers various authentication mechanisms that enable identity assurance and proofing. You can integrate Access Manager with Advanced Authentication to enable multi-factor authentication. For more information, see Multi-Factor Authentication Using Advanced Authentication.

When a user logs in to Access Manager, the user is authenticated and redirected to the Advanced Authentication server OSP common UI page for additional authentication. After successful execution of the Advanced Authentication method (for example, Smartphone), the user is redirected to Access Manager. You can configure Advanced Authentication for both primary and secondary authentication.

You can integrate Advanced Authentication with Access Manager by using one of the following approaches:

  • Plug-in-based approach: Advanced Authentication is embedded in Access Manager.

  • OAuth-based approach: This approach uses the OAuth claims-based authentication mechanism for secure and trusted communication. Any new methods introduced in the Advanced Authentication server become dynamically available in Access Manager without making any modification in the product.

For information about differences between both approaches, see Implementation Approaches in Multi-Factor Authentication Using Advanced Authentication.

Access Manager supports the following Advanced Authentication classes:

Class

Description

Advanced Authentication Generic Class

Authenticates using any of the authentication methods. It is used for OAuth-based authentication approach.

Dynamic (Fingerprint/PKI) Class

Sends a list of chains from which a user can select a chain and authenticate. Only the chains which are enrolled in the Advanced Authentication portal are available to the user for authentication.

NOTE:Fingerprint and PKI methods can be configured using only Dynamic Class. No separate classes are available for Fingerprint and PKI methods.

Email Class

Sends an email to the user’s registered email address with an OTP that is valid for a specified time. You can use this OTP to authenticate within a certain time frame.

Emergency Password Class

Authenticates users with a temporary password.

FIDO U2F Class

Authenticates users with the help of a U2F security key.

FIDO U2F does not work if enrollment and authentication are performed on different domain names. With Access Manager and Advanced Authentication, you have two domain names: one for Identity Server and another for the Advanced Authentication server. To workaround this, proxy Identity Server and the Advanced Authentication server under the same domain name.

To create a U2F class, see Configuring a FIDO U2F Class.

HOTP Class

An event-based OTP authentication. No time frame is available for an HOTP.

Password (PIN) Class

Stores a password in Advanced Authentication that is not connected to your corporate directory. This can be a PIN or a simple password.

RADIUS Class

Forwards a user’s authentication request to a third-party RADIUS server.

Security Question Class

Allows users to enroll answers to an administrator-defined number of security questions. When you authenticate by using security questions, Advanced Authentication asks you all the security questions or a subset of the security questions.

Smartcard Class

Allows users to authenticate by using a smart card.

Smartphone Class

Allows users to authenticate by using a smartphone.

SMS Class

Sends an SMS to a user’s registered mobile number, containing OTP. The user can use this OTP to authenticate within a certain time frame.

TOTP Class

A time-based OTP authentication. This method uses a predefined time step, which is set to 30 seconds by default.

Voice Call Class

Makes a phone call on a user’s registered mobile requesting to provide a pre-defined PIN.

Voice OTP Class

Makes a phone call on a user’s registered mobile and provides an OTP. The user can use this OTP to authenticate within a certain time frame.

Configuring a FIDO U2F Class

  1. Create a path-based, multi-homing proxy service with the Advanced Authentication server as the web server. Create five paths under the proxy service with the URL paths as /account, /admin, /api, /auth, and /static.

    The published DNS name must be identical to the Identity Server domain name.

  2. Create another path-based, multi-homing proxy service with Identity Server as the web server and Advanced Authentication server as the parent server. Create a path under the proxy service with the URL path as /nidp.

  3. Configure a protected resource to the proxy services with URL paths as /account/*, /admin/*, /api/*, /auth/* and /static/* and Advanced Authentication server as the web server. Configure another protected resource to the proxy service with URL path as /nidp/* and Identity server as the web server. For more information, see Configuring FIDO U2F.

Optional Properties (KEY/Value) for Authentication Methods

NOTE:For OAuth-based authentication methods, you need to enable only login_hint, forceAuth, AA_LOGIN_FORM_PARAM_USERNAME, and AA_USERNAME_USERSTORE_ATTRIBUTE properties. The remaining properties are enabled by default for the OAuth-based authentication methods.

Property

Description

login_hint

Applicable only for the OAuth-based approach

(Optional property)

This property auto-fills the username parameter if already provided by a user. The user can then proceed to enter only the secret such as; password or OTP, whichever is applicable.

If the user has configured Access Manager as the first factor authentication, the username is auto-filled and is editable. Whereas, if Advanced Authentication is configured as first factor authentication, the username is non-editable.

forceAuth

Applicable only for the OAuth-based approach

(Optional property)

This property triggers the second-factor authentication contract for each authentication request. This property is set to true by default.

This property is useful when you want to grant the user access to multiple protected resources. However, you want the user to perform the second-factor authentication only while accessing the first protected resource. You can achieve this by setting the forceAuth property to false.

For example, a user named Alice accesses a protected resource, PR1 using an SMS OTP. She then wants to access another protected resource, PR2. PR2 requires an Email OTP to authenticate. With the forceAuth property enabled, she has to execute the Email OTP method. When you disable forceAuth, she gains access to PR2 without executing the Email OTP method.

AA_LOGIN_FORM_PARAM_USERNAME

Configure this property to use a different attribute for a user store query instead of the cn attribute. Access Manager checks the authentication request and uses the specified attribute instead of the cn attribute.

AA_USERNAME_USERSTORE_ATTRIBUTE

Configure this property to send a different value instead of the username in the authentication request to Advanced Authentication.

For example, if you want to send the email ID attribute instead of the username, then set the value of this property as mail.

For information about how to enable this property, see Enabling User Authentication Using the Email ID Attribute.

Repository Name: REPONAME

The name of the repository used for Advanced Authentication. This parameter may not be used if the default repository is selected in the Login options policy of Advanced Authentication server appliance.

Configuration File: CONFIGFILE

The name of the configuration file path. This parameter is used only if the configuration file (config.xml) is in a different location. The default location of the config.xml is /opt/novell/nam/idp/plugins/aa/.

Timeout Value: RECHECKTIMEOUT

The time out parameter that is used to prevent loops. The default value is 300 seconds. The following are minimum recommended values:

  • Email: 120 seconds

  • FIDO U2F: 30 seconds

  • HOTP: 30 seconds

  • RADIUS: 30 seconds

  • Security Question: 30 seconds

  • Smartcard: 30 seconds

  • Smartphone: 60 seconds

  • SMS: 30 seconds

  • TOTP: 30 seconds

  • Voice Call: 30-60 seconds

  • Voice OTP: 30-60 seconds

Error Info JSP Page: ERRORJSP

The name of the JSP page that stores the error logs. This is for critical errors and failures related to the authentication process. The default file is PluginErrorPage.jsp. The file is located in /opt/novell/nids/lib/webapp/jsp.

LDAP Authentication Page: LDAPJSP

The name of the LDAP authentication page. This parameter is used for customization. It allows you to customize the LDAP login page for each method. The default file is LdapAuth.jsp, The file is located in /opt/novell/nids/lib/webapp/jsp.

Method Page: METHODJSP

The name of the method page. This parameter is used for customization. It allows you to customize the Method page for each method. The default file is <MethodName>Auth.jsp. The file is located in /opt/novell/nids/lib/webapp/jsp.

LDAP Password Sync Page: LDAPSYNCJSP

The name of the LDAP password synchronization page. The default file is LDAPSyncPage.jsp. The file is located in /opt/novell/nids/lib/webapp/jsp.

Max Password Length: PWDMAXLENGTH

This parameter restricts the maximum length of a password. The default value is 100 characters. This parameter can be used only for YubiKey tokens (FIDO U2F class)

Advanced Authentication Enrollment URL: ENROLLURL

This parameter contains the URL of the Advanced Authentication Self-Service Portal. The default value is https://<NetIQAdvancedAuthenticationFramework_server_address>:<server_port>/account.

Email Attribute: EMAIL_ATTR

(Applicable only for Dynamic class) This parameter reads and masks the user’s email address during authentication.

Mobile SMS Attribute: SMS_MOBILE_ATTR

(Applicable only for Dynamic class) This parameter reads the user’s mobile number to send SMS. It masks the mobile number.

Voice Call Telephone Attribute: VOICE_TEL_ATTR

(Applicable only for Dynamic class) This parameter reads the user’s telephone number to make voice call. It masks the telephone number.

Voice OTP Telephone Attribute: VOICE_OTP_TEL_ATTR

(Applicable only for Dynamic class) This parameter reads the user’s telephone number to send voice OTP. It masks the telephone number.

Event Used: EVENTNAME

(Applicable only for Dynamic class) The name of the event used, by default the event name is nam.

Skip Authentication Chain: SKIPCHAINS

(Applicable only for Dynamic class) This parameter skips the authentication chain selection and will always use the top chain from the list.

MAXRETRY

(Applicable only for Smartphone or Voice Call classes for the OAuth Resource Owner Credential authentication flow)

The number of times Access Manager processes a response from Advanced Authentication for user authentication before timeout. Specify a value from 12 to 36.

The default value is 12.

RETRYTIMEOUT

(Applicable only for Smartphone or Voice Call classes for the OAuth Resource Owner Credential authentication flow)

The timeout period of each retry when Access Manager processes a response from Advanced Authentication for user authentication. Specify a value from 5000 to 10000 milliseconds.

The default value is 5000 milliseconds.

DEBUG

This parameter gathers additional information from a log file. It adds data from the server requests and server responses to the log file. To enable debug logging, set the value to 1.

Enabling User Authentication Using the Email ID Attribute

Instead of username, users can log in using the email ID for first and second-factor authentication. Perform the following steps to configure email ID for user authentication:

  1. Create a Secure Name/Password - Form method. For more information about creating a method, see Configuring Authentication Methods.

  2. Add the Query property to the method.

    Under Properties, click New, and specify the following details:

    Property Name: Query

    Property Value: (&(objectclass=person)(mail=%Ecom_User_ID%))

  3. Create an Advanced Authentication method (OAuth-based or Plugin-based). For more information about creating a method, see Configuring Authentication Methods.

  4. Add the following properties to the method:

    Under Properties, click New and specify the following details:

    Property Name

    Property Value

    AA_LOGIN_FORM_PARAM_USERNAME

    mail

    AA_USERNAME_USERSTORE_ATTRIBUTE

    mail

    Query

    (Add this property only for the Plugin-based methods)

    (&(objectclass=person)(mail=%Ecom_User_ID%))

    NOTE:Enabling AA_LOGIN_FORM_PARAM_USERNAME property is not mandatory. Enable it if the first-factor authentication method uses the Ecom_User_ID attribute.

  5. Create a contract to include both the methods you created in the preceding steps. For more information about creating a contract, see Configuring Authentication Contracts.

  6. In the Advanced Authentication administration portal, click Repositories > Edit > Advanced Settings.

    1. Under User lookup attributes, click Add and then specify mail.

      NOTE:Ensure that mail is specified on the topmost field.

    2. Under User name attributes, click Add and then specify mail.

      NOTE:Ensure that mail is specified on the topmost field.

    3. Click Save.

  7. Click Policies > Login options.

  8. Turn on Email as login name and click Save.