
Cloud Access Manager 8.1.4 - Configuration Guide


Configuring front-end authenticators

If your users authenticate with one of the Directory Authenticators (Active Directory or one of the LDAP type authenticators), you can configure Cloud Access Manager to require a second factor of authentication in addition to a password. The secondary authentication methods available are RADIUS server, smart card, and Starling 2FA.

The configuration options for these methods are described in the following sections.

RADIUS server

Complete the RADIUS Connection Settings to allow Cloud Access Manager to connect to an authentication service using the Remote Authentication Dial-In User Service (RADIUS) protocol. Please refer to the table below for a detailed explanation of each feature.

Table 11: RADIUS connection settings
Field Functionality

Hostname/IP Address (including port)

Enter the fully-qualified domain name or the IP address of your authentication service host and the UDP port number on which the authentication service is listening. The IANA-registered port number for RADIUS is 1812.

For example, radius.example.com:1812

Shared Secret

Enter the password or passphrase used to encrypt sensitive information (such as the user's password) in the RADIUS traffic sent to the authentication service. The authentication service must be configured with the same shared secret; with a mismatched secret it cannot recover the user's password and will reject every request.

Challenge/Response Server

Many RADIUS authentication services are capable of maintaining an authentication session with multiple requests and responses. This allows challenge-response authentication tokens to be used, as well as other features like password expiry and token time window resynchronization. If your authentication service supports challenge/response mode, then select the Challenge/Response Server box.

Attribute to use for RADIUS username

Enter the name of the Active Directory attribute whose value is to be relayed to the RADIUS authentication service to identify the user. The default, sAMAccountName, contains the login username.

Test Connection

Click Test Connection to determine whether Cloud Access Manager has connectivity to the RADIUS authentication service.

Smart card

The configuration procedure is similar whether you use a smart card as the primary or the secondary authentication factor. The following steps describe how to configure Cloud Access Manager for smart card authentication:

  1. Select the Enable certificate revocation list checking box. This will prompt Cloud Access Manager to check the Certificate Authority's Certificate Revocation List (CRL) to ensure the user's certificate has not been revoked. If the user's certificate has been revoked, the login request will be denied.
  2. Cloud Access Manager must redirect the user's browser to another port in order to perform an X.509 certificate authentication. The default port is 8443. If port 8443 is already in use by another service on the Cloud Access Manager host, you can choose a different port number.
  3. Export the certificate from your Certificate Authority in .pem or base-64 encoded format, then copy it to the Cloud Access Manager Secure Token Server (STS) host and upload it using the Browse... control.

For detailed instructions on smart card configuration, please refer to Configuring smart card authentication.

Starling 2FA

Starling 2FA is a cloud based authentication service that allows users to self-register and then access their one time passwords on both mobile and desktop devices. For further information on accessing Starling 2FA and using Cloud Access Manager to authenticate Starling 2FA users, please refer to Configuring each application.

To use Starling 2FA in Cloud Access Manager, you first need to join Cloud Access Manager to Starling. See Joining Cloud Access Manager to One Identity Starling for more information.

Table 12: Starling 2FA
Field Functionality
Attribute to use for mobile phone number

Enter the name of the attribute from the primary directory (Active Directory / LDAP) whose value is to be relayed to the Starling 2FA authentication service to identify the user. The default attribute is mobile, which usually contains the user's mobile telephone number. If you are using Azure Active Directory, you will need to select telephoneNumber as the attribute.

Default country code for phone numbers

Select the country whose mobile telephone numbers may be stored in your directory without a country code prefix. Telephone numbers in your directory that belong to a different region must begin with a plus sign followed by that region's numeric country code.
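The following added Python example (not code from Cloud Access Manager or from this guide) shows how a directory attribute value is turned into an international number under a default country, and in particular what goes wrong when a number from another region lacks the plus sign. It assumes a small constructed table of calling codes and trunk prefixes and a constructed set of directory entries; a real deployment would use a complete country table. The audit function separates entries Starling 2FA could be sent from entries an administrator needs to correct first.

```python
import re

# Constructed lookup tables for this illustration (assumption); a deployment would use a
# complete country table rather than these five entries.
COUNTRY_CALLING_CODES = {"US": "1", "GB": "44", "DE": "49", "AU": "61"}
# National trunk prefix dropped when a number is dialled internationally
# (NANP numbers are sometimes stored with a leading 1; area codes never start with 1).
NATIONAL_TRUNK_PREFIX = {"US": "1", "GB": "0", "DE": "0", "AU": "0"}


class PhoneNumberError(ValueError):
    """Raised for an attribute value that cannot be turned into an E.164 number."""


def normalize_to_e164(raw, default_country):
    """Return '+<country code><national number>' for one directory attribute value.

    A value starting with '+' is taken as already international. Anything else is
    assumed to be a national number in default_country, as the Default country code
    setting does, and that country's trunk prefix (if any) is dropped.
    """
    if raw is None or not raw.strip():
        raise PhoneNumberError("attribute is empty")
    text = raw.strip()
    international = text.startswith("+")
    digits = re.sub(r"[\s().-]", "", text[1:] if international else text)
    if not digits.isdigit():
        raise PhoneNumberError(f"unexpected characters in {raw!r}")
    if international:
        number = digits
    else:
        code = COUNTRY_CALLING_CODES[default_country]
        trunk = NATIONAL_TRUNK_PREFIX[default_country]
        if trunk and digits.startswith(trunk):
            digits = digits[len(trunk):]
        number = code + digits
    # E.164 allows at most 15 digits; the lower bound is a sanity check (assumption).
    if not 7 <= len(number) <= 15:
        raise PhoneNumberError(f"{raw!r} normalizes to {len(number)} digits")
    return "+" + number


def audit_mobile_attribute(entries, default_country):
    """Split (username, attribute value) pairs into numbers that can be relayed and
    entries that must be corrected in the directory before enrolment."""
    ready, problems = {}, {}
    for username, value in entries:
        try:
            ready[username] = normalize_to_e164(value, default_country)
        except PhoneNumberError as exc:
            problems[username] = str(exc)
    return ready, problems


# Constructed sample directory entries (not real users or numbers)
SAMPLE_ENTRIES = [
    ("alice", "(415) 555-0100"),    # national number in the default (US) region
    ("bob", "+44 7700 900123"),     # other region, correctly prefixed with '+'
    ("carol", "07700 900123"),      # UK national form: silently wrong under a US default
    ("dave", "415-555-0100 x12"),   # extension text: cannot be normalized
    ("erin", None),                 # attribute missing
]

if __name__ == "__main__":
    ready, problems = audit_mobile_attribute(SAMPLE_ENTRIES, "US")
    for user, number in ready.items():
        print(f"{user:6} -> {number}")
    for user, why in problems.items():
        print(f"{user:6} !! {why}")
```

Note the carol entry: a UK number stored without the plus sign normalizes to a well-formed but wrong US number rather than failing, so the one-time password would be sent to the wrong recipient. That is why numbers outside the default region must carry the plus sign and country code, and why auditing the attribute before enabling Starling 2FA is worthwhile.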

Enable push notifications

Select whether to use push notifications. If this is selected, users are sent a notification that they must approve to authenticate, instead of entering a one-time password. All users must install the Starling 2FA application, either on a mobile device or as a Windows desktop application, to receive and acknowledge notifications.

Message to display as part of push notification

The text shown to the user in the push notification.
