You can specify the user mobile number and user email address attributes to be used by the Starling push notifications.
Modifications to the Starling schema attributes configuration are global and apply to all Safeguard Authentication Services clients in the forest. For users configured to use Starling, this could cause user logins to fail.
To configure custom LDAP attributes for use with Starling push notifications
Enter the LDAP display name for one or both of the Starling attributes used by the Starling push notifications:
Once Starling Two-Factor Authentication is enabled (that is, Safeguard Authentication Services is joined to Starling and users are authorized to use Starling Two-Factor Authentication), anytime an authorized user attempts to log in to an integrated Unix-based host, they will see an additional login screen informing them that an additional authentication step is required.
The default prompt contains the following:
Enter a token or select one of the following options:
Token or option (1-3) [1]: <Token or option number>
This default prompt can be modified in vas.conf.
[STARLING] OPTIONS
The behavior of QAS Starling can be modified by using the following options in the [starling] section.
[starling]
prompt = <boolean>
prompt = <message-text>
Default value: "Enter a token or select one of the following options:\n\n 1. Starling Push\n 2. Phone
call\n 3. Send an SMS\n \nToken or option (1-3)[1]: "
This is the message that is initially displayed during a Starling authentication.
This prompt can span multiple lines, line separation is specified by adding \n to the prompt string.
NOTE: Changing the prompt will not change what is accepted as input.
[starling]
prompt = "Enter 1 for a push request, 2 for a phone call, 3 for a txt, or enter a token.\n "
NOTE: In order to display the prompts, the application must be able to handle pam conversations, such as sshd(keyboard-interactive). If the application can not handle pam conversations, such as sshd(password), a push authentication is sent instead of a prompt.
Unjoining Safeguard Authentication Services from Starling disables Starling Two-Factor Authentication in Safeguard Authentication Services.
To unjoin Safeguard Authentication Services from Starling
A Starling Organization Admin account or Collaborator account can rejoin Safeguard Authentication Services at any time.
To disable Starling 2FA for a specific PAM service, edit the PAM configuration file (/etc/pam.conf or /etc/pam.d/<service>). Modify the auth pam_vas line for the desired service.
To disable Starling 2FA for a specific PAM service
As root, add the following line to the PAM configuration file, on the first auth pam_vas line for the service:
disable_starling
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center