Joining Authentication Services to Starling adds Authentication Services to the One Identity Hybrid service, allowing you to use features from Starling Two-Factor Authentication.
To join Authentication Services with Starling
Use the Product TIMs drop-down to select a valid Authentication Services with One Identity Hybrid subscription license.
Click Join to Starling.
NOTE: The following additional information may be required:
After the join has successfully completed, you will be returned to the Authentication Services Control Center and the Starling Two-Factor Authentication Join settings pane will display the following:
Once Starling Two-Factor Authentication is enabled (that is, Authentication Services is joined to Starling and users are authorized to use Starling Two-Factor Authentication), anytime an authorized user attempts to log in to an integrated Unix-based host, they will see an additional login screen informing them that an additional authentication step is required.
The default prompt contains the following:
Enter a token or select one of the following options:
Token or option (1-3) : <Token or option number>
This default prompt can be modified in vas.conf.
The behavior of QAS Starling can be modified by using the following options in the [starling] section.
prompt = <boolean>
prompt = <message-text>
Default value: "Enter a token or select one of the following options:\n\n 1. Starling Push\n 2. Phone call\n 3. Send an SMS\n \nToken or option (1-3): "
This is the message that is initially displayed during a Starling authentication.
This prompt can span multiple lines; line separation is specified by adding \n to the prompt string.
NOTE: Changing the prompt will not change what is accepted as input.
prompt = "Enter 1 for a push request, 2 for a phone call, 3 for a txt, or enter a token.\n "
NOTE: In order to display the prompts, the application must be able to handle PAM conversations, such as sshd(keyboard-interactive). If the application cannot handle PAM conversations, such as sshd(password), a push authentication is sent instead of a prompt.
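The sshd case in the note above can be checked from the server configuration. The following is an added example, not part of the One Identity documentation: the function name starling_ssh_mode and its output labels are this example's own, and it assumes upstream OpenSSH defaults, evaluates only the global section (it stops at the first Match block) and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not vendor code): predict how the Starling 2FA step reaches an
# SSH user, from sshd_config text supplied on stdin.
# Assumptions: upstream OpenSSH defaults (UsePAM no, keyboard-interactive yes,
# password yes); global section only; Include directives are not followed.
starling_ssh_mode() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ")   # allow "Key=value"
        key = tolower($1)
        if (key == "match") exit                  # per-user overrides not evaluated
        if (key == "challengeresponseauthentication")
            key = "kbdinteractiveauthentication"  # deprecated alias, same option
        if (!(key in conf)) conf[key] = tolower($2)   # sshd keeps the first value
    }
    END {
        pam = ("usepam" in conf) ? conf["usepam"] : "no"
        kbd = ("kbdinteractiveauthentication" in conf) ? conf["kbdinteractiveauthentication"] : "yes"
        pw  = ("passwordauthentication" in conf) ? conf["passwordauthentication"] : "yes"
        if (pam != "yes")                     print "no-pam"          # sshd never calls PAM
        else if (kbd == "yes" && pw == "yes") print "prompt-or-push"  # client picks the method
        else if (kbd == "yes")                print "prompt"          # PAM conversation available
        else if (pw == "yes")                 print "push-only"       # no conversation: push is sent
        else                                  print "no-pam-auth"     # neither PAM auth method offered
    }'
}

# Constructed sample: PAM on, keyboard-interactive on, password method off.
starling_ssh_mode <<'EOF'
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
EOF
```

On a live host, `sshd -T` prints the effective settings in the same keyword and value form, so its output can be piped into the function instead of the file contents.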
Unjoining Authentication Services from Starling disables Starling Two-Factor Authentication in Authentication Services.
To unjoin Authentication Services from Starling
A Starling Organization Admin account or Collaborator account associated with the Starling One Identity Hybrid subscription can rejoin Authentication Services at any time.
To disable Starling 2FA for a specific PAM service, edit the PAM configuration file (/etc/pam.conf or /etc/pam.d/<service>). Modify the auth pam_vas line for the desired service.
To disable Starling 2FA for a specific PAM service
As root, add the following line to the PAM configuration file, on the first auth pam_vas line for the service: