Chat now with support
Chat with Support

Password Manager 5.8.2 - Administrator Guide (AD LDS edition)

About Password Manager Getting Started Upgrading Password Manager to 5.8.1 Password Manager Architecture Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow Overview Custom Workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings Password Policies One Identity Hybrid Subscription One Identity Starling Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Glossary

Authentication Activities

Authentication Activities

This section describes workflow activities that provide different authentication options.

Authentication Methods

Authentication Methods

Use this activity to select which authentication methods to display in the User site. The three types of authentication methods available to select for the administrator are as follows:

  • Q&A
  • Mobile
  • Email

IMPORTANT: The administrator can select any one of the activities selected in the registration method, to make it default mode for authentication for the users on the User site. Select one of the settings radio buttons from the right side to make it default authentication method.
 

NOTE: When the administrator select registration method(s), only the respective authentication methods are visible to the administrator in Authentication methods. See Register
Q&A

Use this activity to authenticate a user with the personal Questions and Answers profile. In this activity, the administrator can specify how many questions from the Questions and Answers profile the user must answer for authentication.

Mobile

Use this activity to authenticate a user with a mobile device. There are three methods to authenticate the users using a mobile device.

Email

Authenticate via Passcode: Use this activity to authenticate the users with a passcode. The administrator can configure passcode length and expiry time limit for the passcode.

Authenticate with Q&A Profile

Authenticate with Q&A Profile

Use this activity to authenticate a user with a personal Questions and Answers profile. In this activity you can specify mandatory and helpdesk questions from user’s Q&A profile that a user must answer to be authenticated.

IMPORTANT: If the questions you selected in this activity are not found in the user’s Q&A profile, the user will not be authenticated and the workflow containing this activity will not be performed for this user.

You can select one of the following authentication methods:

  • Answers to the specified questions (user’s answer is shown). In this mode, a helpdesk operator will ask a user for complete answers to the specified questions, and then compare them to the answers displayed on the identity verification page.

    IMPORTANT: This option cannot be used if user answers to mandatory questions are not stored using reversible encryption. To store answers using reversible encryption, select the corresponding option in the Q&A profile settings. For more information, see Configuring Q&A Profile Settings.
  • Answers to the specified questions (user’s answer not shown). In this mode, a helpdesk operator will ask a user for complete answers to the specified questions, and enter the answers on the identity verification page.
  • Random characters of answers to the specified questions. In this mode, a helpdesk operator will ask a user to tell the specified number of characters in the user's answer to a specified question, and then type in those characters in the appropriate positions on the identity verification page.

Authenticate via Phone

Authenticate via Phone

Use this activity to include phone-based authentication in a helpdesk workflow. If your license includes phone-based authentication service, you will be able to configure and use this activity.

If your license does not include phone-based authentication service and you want to use this service, you can access the Support Portal at https://support.oneidentity.com/.

Before enabling phone-based authentication, make sure that users’ phone numbers stored in AD LDS are in a correct format. The phone number must meet the following requirements:

  • The number starts with either 00 or + followed by a country code and subscriber’s number. For example, +1 555-789-1314 or 00 1 5554567890.
  • The number can have extensions. For example, the number +1 555 123-45-67 ext 890.
  • Digits within the number can be separated by a space, hyphen, comma, period, plus and minus signs, slash (/), backward slash (\), asterisk (*), hash (#), and a tab character.
  • The number can contain the following brackets: parentheses (), curly braces {}, square brackets [], and angle brackets <>. Only one set of brackets is allowed within the number. The opening bracket must be in the first half of the number. For example, the number +15551234(567) will be considered invalid.

The USA numbers may not start with 00 or + sign, if they comply with all other requirements and contain 11 digits. For example, the number 1-555-123-3245 will be considered valid.

This activity has the following settings:

  • Authentication method. You can specify whether you want users to receive a call or an SMS with a one-time PIN code by selecting a corresponding option. You can also allow helpdesk operators to offer users to choose the authentication method by selecting the Allow users to choose between an automated voice call and SMS option.
  • SMS template. Enter the text message that will contain a one-time PIN code and will be sent to users during phone authentication.
  • telephoneNumber, homePhone, mobile and other attributes. Select one or several attributes of a user account from which telephone numbers will be used during phone-based authentication. You can also specify other attributes.

You can test the configured settings by clicking the Test settings button and entering the phone number to which a one-time PIN code will be sent.

Related Documents