OSP and Access Manager can provide two-factor authentication for the Identity Governance authorized users. Two-factor authentication for OSP requires that you have NetIQ Advanced Authentication. Access Manager can provide two-factor authentication using time-based one-time password (TOTP). Use the following information to configure either OSP or Access Manager for two-factor authentication for the Identity Governance authorized users.
To configure OSP to use two-factor authentication for the Identity Governance authorized users, you must have Advanced Authentication installed and configured in your IT environment. Use the following information to configure OSP for two-factor authentication.
Before configuring any servers for two-factor authentication, ensure the following conditions exist:
Advanced Authentication is installed and configured
The server time where you installed OSP is in synchronization with the Identity Governance servers and the Advanced Authentication servers
Each server can correctly resolve the DNS name of the other servers
Advanced Authentication allows you to increase security in your environment by providing multiple ways for advanced authentication. This solution allows you to add two-factor authentication to Identity Governance to add an additional layer of security. You must configure Advanced Authentication to communicate with OSP for the two-factor authentication to work.
This section assumes you have a good working knowledge and understanding of Advanced Authentication. For more information, see the Advanced Authentication documentation.
To configure Advanced Authentication for two-factor authentication:
Log in to the Advanced Authentication Administration portal using administrator credentials. For more information, see Logging In to the Advanced Authentication Administration Portal
.
Create a repository for the LDAP identity service for OSP. For more information, see Adding an LDAP Repository
.
(Optional) To change default attributes or collect a new attribute, change the Advanced Settings. For more information, see Advanced Settings
.
Find the new repository that you just created, then click Edit > Full synchronization to synchronize the users and groups from the LDAP server.
Define the method for two-factor authentication of EMail OTP and LDAP Password. For more information, see:
Configure the policy for the mail sender for the Email OTP method. For more information, see Mail Sender
.
Create a chain to make the authentication methods available for OSP. For more information, see Creating a Chain
.
Create an event to define the type of authentication event you use. You can use an existing event or create a custom event. For more information, see Configuring Events
.
Ensure that you have created the methods, chain, and events in Advanced Authentication before proceeding. For more information, see Configure the Advanced Authentication Server for Two-Factor Authentication.
To complete the two-factor authentication configuration, you must configure OSP to accept the authentications from Advanced Authentication.
Run the Identity Governance Configuration Update utility. For more information, see Section 15.1.5, Using the Identity Governance Configuration Update Utility.
Click the Authentication tab, and then click Show Advanced Options.
Under Authentication Method, select the Enable two factor authentication option.
Click the Second factor tab, then fill out the following fields:
Specify the repository-qualified name of the Advanced Authentication administrator account that OSP uses to interface with Advanced Authentication. Typically, the account is in the LOCAL repository.
The default Advanced Authentication administrator account is named admin. If you used this account, then the Admin name value is:
LOCAL\admin (repository name\admin name)
Specify the password of the Advanced Authentication administrative user you specified above.
Specify the name of the repository in Advanced Authentication you created in Configure the Advanced Authentication Server for Two-Factor Authentication. This repository corresponds to the LDAP identity service for Identity Governance.
Click Enter host name or address, then specify the DNS name or IP address of the Advanced Authentication server. If you use a different port than 443, specify that port as well.
(Conditional) If you have clustered the Advanced Authentication server, then click Add, and specify each DNS name or IP address for each server in the cluster with the corresponding port.
An Advanced Authentication endpoint is an identifier and secret that ensures that it is an authorized entity performing authentication with the Advanced Authentication server.
If no endpoint data is found in the configuration (or if the endpoint data in the configuration cannot be resolved with the Advanced Authentication server) then the Identity Governance Configuration Update utility selects Create new endpoint.
You must specify a name and description for the new endpoint for Advanced Authentication. The name and description appear in the Endpoints section of the Advanced Authentication Administration portal.
If you have already created an endpoint, and the endpoint information is in the configuration, and Identity Governance can resolve the endpoint data with the Advanced Authentication server, then the Identity Governance Configuration Update utility does not select the Create new endpoint option and it displays the endpoint identifier and a representation of the endpoint secret.
If you want to require all users to supply a second authentication factor at all times, then select All users, all the time.
Otherwise deselect the option, then specify conditions for your environment using the following information:
When you deselect All users, all the time, the User Login Condition editor appears. This editor allows you to configure an expression that defines under which conditions Identity Governance uses the second factor authentication.
For example, if users do not have mobile devices then you should use Email OTP as a second factor authentication.
You build a login condition of expressions that evaluate various operands including user LDAP attributes, server attributes like time-of-day, date, and HTTP request values like originating IP address, session attributes like session age, and so forth. You can negate the expressions and combine the expressions using logical AND and OR operators.
Use this advanced option to enable and disable the available second factor methods and define the relative priority of each method you want to set.
If you disable a method by deselecting the box next to the method name, then that method is not available for authentication even if a user is enrolled in that method.
Identity Governance uses the relative priority of second factor methods to determine which method it should use if a user is enrolled in more than one method.
For example, using the default values configuration the Email OTP has a higher priority than the LDAP password method. Therefore, even if a user has enrolled in both methods, Identity Governance selects the Email OTP method for that user. You can change the behavior such that Identity Governance selects the LDAP password by making the TOTP priority higher than Email OTP.
NOTE:Email OTP methods do not need enrollment to be available for a user. It is enabled by default.
Click OK to save the configuration, then the Identity Governance Configuration Update utility automatically closes.
After you configure Advanced Authentication and Identity Governance for two-factor authentication, you can test the methods to ensure that they work.
Log in to the Advanced Authentication server as an end user.
View the Enrolled and Not Enrolled methods.
Enroll the methods for the test user by clicking on the appropriate method, then click Test.
Ensure that the test is successful, then save the method for the user.
Log in to Identity Governance and OSP redirects you to use the second factor authentication.
Access Manager provides two-factor authentication through the use of time-based one-time password (TOTP) or it provides multi-factor authentication if you have integrated Access Manager with Advanced Authentication. If Access Manager provides the OAuth 2 authentication for the authorized users instead of OSP, there are no additional configuration steps required for two-factor authentication. You would configure Access Manager to provide two-factor or multi-factor authentication for the authorized users. For more information see:
Two-Factor Authentication Using Time-Based One-Time Password
in the NetIQ Access Manager 5.0 Administration Guide