OTP Tab
The OTP tab allows you to configure the authentication mode of the OTP authentication method.
This authentication method must be enabled for users in the Authentication tab (see Authentication Tab), and for access points in the Security Services tab (see Security Services Tab).
Online
In this mode, an EAM Controller must be available when the user authenticates by OTP on his/her workstation. The EAM Controller checks the OTP and gives back to the workstation the user password so that the session can open.
The user’s primary password is stored in the directory.
Online and offline
In this mode, the user’s primary password is stored in the directory and in the workstation cache.
For the offline mode to work properly, the cache must exist on the user’s workstation(s); which means that the user must have logged on at least once on the workstation he/she wants to use.
- If the workstation is connected to the network, the EAM Controller checks the OTP as in the "online" mode and the user’s password stored in the directory is used to open the session.
- If the workstation is disconnected from the EAM Controller, the OTP is verified locally and the user’s password stored in the cache is used to open the session.
Ask OTP authentication every x days
For the OTP cache to be properly built for offline mode, the user must authenticate periodically on his/her workstation.
Primary password must be provided for OTP authentication
Forces the user to provide the OTP as well as his primary password to authenticate.
Mobile Device Tab
Subject
This tab enables you to authorize users to access, with a mobile device, the QRentry feature which enables them to access their:
- Web, personal and Store application(s) with SSO.
- Computer(s) in normal or emergency access. This emergency access provides a Self-Service Password Request option.
For a complete description of QRentry, please refer to QRentry User’s Guide.
Tabbed panel description
Security Tab
|
Item |
Description | ||||
|
Users can enroll their mobile device |
This check box enables the users associated with the user security profile to enroll their mobile device for QRentry.
| ||||
|
Launch enrollment wizard if necessary |
This check box allows you to start automatically the enrollment wizard on the user’s computer except if: His/her mobile device is already enrolled. He/she has deactivated the wizard automatic start. | ||||
|
Maximum number of devices per user |
Self-explanatory | ||||
|
Verify the Unique Identifier of the device during enrolment |
When this option is selected, the Unique Identifier (a.k.a IMEI) of the user’s mobile device is checked upon the enrolment process. This allows you to restrict the set of mobile devices a user can use.
| ||||
|
Required protection level |
Protection method of QRentry start on the user’s mobile device:
Notes:
| ||||
|
Update configuration when application starts |
The configuration is updated each time the application starts. | ||||
|
Update configuration every x days |
The configuration is updated every x days. | ||||
|
Upload Audit events immediately |
Each time the web server is reachable, the audit events are uploaded immediately. | ||||
|
List of Servers |
List of the web servers that can be reached by the mobile device to download the Enterprise SSO configuration and upload audit events. |
Authentication Manager Tab
|
Item |
Description |
|
Required protection level |
Protection method of the authentication on the user’s mobile device: None: everybody can authenticate. Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to authenticate. Biometrics: the user must authenticate with his fingerprints (previously enrolled in his mobile device) to authenticate. If the biometric authentication does not work, he will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry). Notes: The biometrics used by QRentry is compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes. The user can modify his PIN later on; for more information refer to QRentry User’s Guide. |
|
Users can authenticate using their device |
Only when on-line: the user’s computer must be connected to the EAM controller. Only when off-line: the authentication process is done using the cache data stored on the user’s workstation. To use the cache, the user must first authenticate at least once in connected mode. Always: if the cache is: Available: it is used to authenticate the user. Unavailable: the E-SSO controller is used if the mobile device is connected to the network. If it is not, then the user cannot authenticate. |
|
Length of mobile device secret code |
Length of the OTP displayed by QRentry on the mobile device. |
|
User can reset the primary password and use it for x hours |
When this option is selected, the user can reset his/her primary password after logging on using his/her mobile device. When you select: This password is only valid locally: the password is reset only on the current computer and is valid for the number of hours you enter. This password is valid on all workstations (requires network): if the user is: Authorized to authenticate with password, the primary password is reset and the new password has no limit of duration. Not authorized to authenticate with password, a temporary password is created and is valid for the number of hours you enter. Note: if you enter 0 hour, the primary password is reset and the new password has no limit of duration. |
|
Allow Workstation Remote Control on the device |
Users can use the Enrolled Computers feature of QRentry to take control of their computer(s). |
|
Local Administrator Access > Required protection level |
Protection method of QRentry start on the local admin’s mobile device to access a user’s computer: None: the admin can access QRentry. Requires a dedicated secret: the admin must assign a PIN to QRentry and then use it to access the application. Biometrics: the administrator must authenticate with his fingerprints (previously enrolled in his mobile device) to access the application. If the biometric authentication does not work, he will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry). Notes: The biometrics used by QRentry is compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes. The administrator can modify his PIN later on; for more information refer to QRentry User’s Guide. |
Enterprise SSO Tab
|
Item |
Description |
|
Allow use of SSO on the mobile device |
This check box enables the users associated with the user security profile to use Enterprise SSO on their mobile device. |
|
Required protection level |
Protection method of Enterprise SSO with the user’s mobile device: None: everybody can access Enterprise SSO. Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to use Enterprise SSO. Biometrics: the user must authenticate with his fingerprints (previously enrolled in his mobile device) to use Enterprise SSO. If the biometric authentication does not work, he will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry). Notes: The biometrics used by QRentry is compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes. The user can modify his PIN later on; for more information refer to QRentry User’s Guide. |
|
Offline mode is allowed for x days |
Enterprise SSO works without the network. However, for security reasons, you can force the device to connect to the network at least once every x days by selecting this check box. If no connection is established during that period of time, Enterprise SSO data is deleted. Note: if you enter 0, Enterprise SSO will try to connect each time you perform SSO with your mobile device. |
Displaying User Security Profile Usage Logs
Subject
The Applies to tab enables you to display the list of users who are directly linked to the selected security profile.
Procedure
- In the tree structure of the Directory panel, select the user security profile for which you want to display usage.
- Select the Applies to tab.
- The list of users linked to this security profile appears.
- The list of users linked to this security profile appears.
- Double-click a user to go directly to his profile.
Displaying User Security Profile Event Logs
Displaying User Security Profile Event Logs
Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object for a defined period (the last two days by default). This report contains both user actions and administration actions log entries.
Restriction
The Events tab only appears if you have the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following administration right: "Audit: Visualization".
|
|
NOTE: For more information on administration roles, see Section Managing administrators. |
Procedure
- In the tree structure of the Directory panel, select the user security profile for which you want to display events.
- Click the Events tab.
- In the Filter area, set a period of time to filter the log entries and click Apply (for more information on event logs see Section Managing audit events).