
Defender 6.5.1 - Administration Guide


Delegating Defender roles or tasks

The Defender Integration Pack for Active Roles installs a number of additional predefined Access Templates. These Access Templates fall into the following two categories:

  • Role-oriented  Allow you to delegate specific Defender roles, such as Defender administrator or helpdesk operator. In the Active Roles console, you can find these Access Templates in the Configuration/Access Templates/Defender container.
  • Task-oriented  Allow you to delegate granular Defender tasks or provide full control over specific Defender components. For example, you can use these Access Templates to delegate such tasks as assign a token, program a token, and test a token. In the Active Roles console, you can find these Access Templates in the Configuration/Access Templates/Defender/Advanced container.

To delegate Defender roles or tasks by using Access Templates

  1. Open the Active Roles console.
  2. In the left pane, expand the Active Directory node, right-click the domain you want, and then on the shortcut menu click Delegate Control.
  3. In the dialog box that opens, click the Add button and step through the wizard.
  4. In the Access Templates step, select the Access Templates you want to use, and then click Next.
    • The Access Templates you can use to delegate Defender roles are located in the Access Templates/Defender container.
    • The Access Templates you can use to delegate granular Defender tasks are located in the Access Templates/Defender/Advanced container.
  5. In the Inheritance Options step, keep the default settings, and then click Next.
  6. In the Permissions Propagation step, select the Propagate permissions to Active Directory check box.
  7. Complete the wizard to delegate the roles or tasks.

Upgrading Defender Integration Pack for Active Roles

To upgrade Active Roles Integration Pack

  1. On the computer that has a previous version of Active Roles Integration Pack installed, run the ActiveRolesIntegrationPack.exe file.

    In the Defender distribution package, you can find the ActiveRolesIntegrationPack.exe file in the Setup folder.

  2. Complete the Active Roles Integration Pack Setup Wizard.
  3. After upgrading, restart the Active Roles Administration Service.

To upgrade Active Roles Admin Service Integration Pack

  1. On the computer that has a previous version of Active Roles Admin Service Integration Pack installed, run the ActiveRolesAdminServiceIntegrationPack.exe file.

    In the Defender distribution package, you can find the ActiveRolesAdminServiceIntegrationPack.exe file in the Setup folder.

  2. Complete the Active Roles Admin Service Integration Pack Setup Wizard.

Uninstalling Defender Integration Pack for Active Roles

To uninstall Defender Integration Pack for Active Roles

  1. Uninstall Defender Integration Pack for Active Roles.
  2. Uninstall Defender Integration Pack for Active Roles Administrative Service.

NOTE: Ensure that you uninstall the Defender Integration Packs for Active Roles in the sequence mentioned above.

To uninstall the Defender Integration Pack for Active Roles

  1. Open the list of installed programs (appwiz.cpl).
  2. In the list, click to select the ActiveRolesIntegrationPack.exe entry.
  3. At the top of the list, click the Uninstall button and step through the wizard that starts.
    NOTE: Optionally click Change at the top of the list. In the Change, Repair, or Remove Installation step, click the Remove button.
  4. Complete the wizard.

To uninstall the Defender Integration Pack for Active Roles Administration Service

  1. Open the list of installed programs (appwiz.cpl).
  2. In the list, click to select the ActiveRolesAdminServiceIntegrationPack.exe entry.
  3. At the top of the list, click the Uninstall button and step through the wizard that starts.
    NOTE: Optionally click Change at the top of the list. In the Change, Repair, or Remove Installation step, click the Remove button.
  4. Complete the wizard.

Push Notifications

A notification is a message that is displayed outside the contextual UI to provide the user with critical reminders or other information from a particular app on a mobile device. Users can tap a notification to open the app or take a predefined action directly from the notification. Push notifications for in-house and external (OneLogin) applications allow users in your organization to receive important notification messages on their compatible mobile devices.

NOTE: If both PUSH token types are assigned to the user, the OneLogin token takes precedence for receiving the notification.

How the Defender Push Notification Works

The push notification feature is supported and configurable on both Android (version 8 or later) and iOS (iOS 10 or later) devices. The following sections describe the key Admin and User actions for using push notifications.

NOTE: Push notifications are not triggered during authentication in offline mode.

Admin

User actions

  • From Defender 6.2 onwards, the push notification is triggered implicitly when the user initiates the login authentication process to Defender, eliminating the need to enter the keyword PUSH in the token field on the first login attempt. The existing functionality of typing the keyword PUSH still works if the first login attempt fails to authenticate or times out.

  • The notification seeks a user response in form of Approve or Deny for access to the resources. Based on the user's response, the respective action takes place and the notification cycle completes.

  • In case of a timeout, the user can also use the "push" keyword, a passcode, or a GrIDsure PIP.

  • Users activate the newly created token from the 6.1.0 release.

User friendly UX

DDL Client Authentication Process (Applicable from Defender 6.2)

  1. When the user initiates the login process, the page asks only for credentials (username and password) and no passcode.

  2. The DSS automatically identifies whether the user has a Defender Soft Token/OneLogin token configured on Android/iOS. In that case, the application sends a push notification to the Defender Soft Token App/OneLogin Protect App. If both tokens are present, priority is given to OneLogin push notifications.

  3. If the user approves the push notification in the Defender Soft Token App/OneLogin Protect app, they are prompted for the next authentication step to complete the cycle.

  4. If the user denies the push notification at any time during the authentication process in the OneLogin Protect app/Defender Soft Token App, the current login process is canceled, and the user is redirected to the first page to re-initiate the login process.

  5. If the user neither approves nor denies the push notification in the OneLogin Protect app/Defender Soft Token App, the notification times out for that request and the user can select one of the following two options (if the policy's authentication method is Token only) to continue with the authentication process:

    1. The user can trigger the push notification again by clicking the SUBMIT button.

    2. Or the user can enter "push" (without quotes, case insensitive) as the passcode/keyword in the passcode field, or use a GrIDsure PIP for authentication.

  6. When DSS identifies that a user does not have an Android or iOS token configured, the application prompts the next authentication action (according to the token and policy selected) on screen for the user to complete the login process.

  7. If the user has selected the "Remember password" option under GINA settings, the login screen is displayed with the password pre-filled (read-only) and the Submit button enabled to continue the authentication process. This applies only to the second login attempt, after the first login request was denied or timed out.

EAP Client Authentication Process (Applicable from Defender 6.2)

  1. When the user initiates the login process, the page asks only for credentials (username and password) under Networks in the EAP client.

  2. The DSS automatically identifies whether the user has a Defender Soft Token/OneLogin token configured on Android or iOS and sends a PUSH notification to the OneLogin Protect app/Defender Soft Token App, while displaying a message confirming that the notification was sent.

  3. If the user approves the push notification in the OneLogin Protect app/Defender Soft Token App, they are prompted for the next authentication step to complete the cycle.

  4. If the user denies the push notification at any time during the authentication process in the OneLogin Protect app/Defender Soft Token App, the current login process is canceled, and the user has to re-initiate the login process.

  5. If the user neither approves nor denies the push notification in the OneLogin Protect app/Defender Soft Token App, the notification times out for that request. The user can now select one of the following two options (if the policy's authentication method is Token only) to continue with the authentication process:

    1. The user can trigger the push notification again by clicking the RESEND button.

    2. Or the user can enter "push" (without quotes, case insensitive) as the passcode/keyword in the passcode field.

  6. If DSS identifies that a user does NOT have an Android or iOS token, the application prompts the next authentication action (according to the token and policy selected) on screen for the user to complete the login process.

  7. If no response is received from the user in the Defender Soft Token App, the request times out and the user can select between the following two options to continue the authentication process:

    1. The user can trigger the push notification again by clicking the RESEND button.

    2. Or the user can click the Sign in with another option button and enter "push" (without quotes, case insensitive) as the passcode/keyword in the passcode field.

  8. The GrIDsure token is not supported with the EAP client.

ISAPI Client Authentication Process (Applicable from Defender 6.2)

  1. When the user initiates the login process, the page simply asks for the username.

  2. If DSS detects a Defender Soft Token/OneLogin token on Android/iOS, the application sends a push notification to the OneLogin Protect app/Defender Soft Token App.

  3. In the meantime, a waiting page is displayed on the ISAPI client with the message, "Defender needs to verify your identity. We sent a notification to your Defender Soft Token app. Please respond on your device to continue."

    NOTE: The waiting page also displays the Sign in with another option button. The user can choose to sign in with a token without waiting for the push notification to be answered or to time out.

  4. If the user approves the push notification in the OneLogin Protect app/Defender Soft Token App, they are prompted for the next authentication step to complete the cycle.

  5. If the user denies the push notification at any time during the authentication process in the OneLogin Protect app/Defender Soft Token App, the current login process is canceled, and the user is redirected to a page displaying a message about the verification denial.

    NOTE: The Ok button on the verification denial page can be used to re-initiate the login process.

  6. If no response is received from the user in the OneLogin Protect app/Defender Soft Token App, the request times out and the user can select between the following two options to continue the authentication process:

    1. The user can trigger the push notification again by clicking the RESEND button.

    2. Or the user can click the Sign in with another option button and enter "push" (without quotes, case insensitive) as the passcode/keyword, or a GrIDsure PIP, in the passcode field.

  7. If DSS identifies that a user does NOT have an Android or iOS token, the application prompts the next authentication action (according to the token and policy selected) on screen for the user to complete the login process.

Push notification timeout configurable

  • The Push Notification verification timeout is a configurable value.

  • On a computer where Defender Security Server is installed, use Registry Editor to create the following value at:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition

    Value type: REG_DWORD

    Value name: NOTIFICATIONTIMEOUT

    Value data: XX

    NOTE:

    • The value can range from 1 to 30 (decimal). Any value outside this range is invalid and causes the default timeout of 30 seconds to be used.

    • If the registry value for the timeout is not found (not added), the default timeout of 30 seconds is used.

    • The server waits until the timeout elapses before sending the response back to the client.

Defender push notifications can be disabled

  • To turn the notifications off, create the following registry value manually at:

      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition

      Value type: REG_DWORD

      Value name: PushOff

      Value data: XX

  • The value can be either 0 or 1. Any other value is invalid and leaves push notifications enabled (the default). If the PushOff registry value is not found (not added), push notifications are enabled by default.
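The following PowerShell script is an added example, not part of the One Identity documentation, covering both the NOTIFICATIONTIMEOUT and the PushOff settings described above. It writes the two REG_DWORD values at the documented DSS key and reports the setting DSS will actually apply, using the documented fallback rules (timeout outside 1 to 30 or missing gives 30 seconds; PushOff other than 0 or 1 or missing leaves push on); the function names are assumptions, and the script must run elevated on the Defender Security Server host.

```powershell
# Added example (not One Identity's code). Registry path is the one documented above.
$DssKey = 'HKLM:\SOFTWARE\WOW6432Node\PassGo Technologies\Defender\DSS Active Directory Edition'

function Get-DssEffectivePushSettings {
    # Reports what DSS will use, applying the documented fallbacks:
    #   NOTIFICATIONTIMEOUT outside 1..30 (or absent) -> 30 seconds
    #   PushOff not 0 or 1 (or absent)                -> push notifications on
    param([string]$Key = $DssKey)
    $props = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    $timeout = $props.NOTIFICATIONTIMEOUT
    $pushOff = $props.PushOff
    $effectiveTimeout = if ($null -ne $timeout -and $timeout -ge 1 -and $timeout -le 30) { [int]$timeout } else { 30 }
    $effectivePushOff = if ($pushOff -eq 0 -or $pushOff -eq 1) { [int]$pushOff } else { 0 }
    [pscustomobject]@{
        ConfiguredTimeout       = $timeout            # $null when the value is absent
        EffectiveTimeoutSeconds = $effectiveTimeout
        ConfiguredPushOff       = $pushOff            # $null when the value is absent
        PushEnabled             = ($effectivePushOff -eq 0)
    }
}

function Set-DssPushSettings {
    # Writes both values as REG_DWORD. The parameter validation rejects values that
    # DSS would silently replace with the defaults, so a typo cannot go unnoticed.
    param(
        [Parameter(Mandatory)][ValidateRange(1, 30)][int]$TimeoutSeconds,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$PushOff,
        [string]$Key = $DssKey
    )
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'NOTIFICATIONTIMEOUT' -Value $TimeoutSeconds -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'PushOff' -Value $PushOff -PropertyType DWord -Force | Out-Null
}

# Example: a 20-second approval window with push notifications enabled, then verify the result.
Set-DssPushSettings -TimeoutSeconds 20 -PushOff 0
Get-DssEffectivePushSettings | Format-List
```

Run Get-DssEffectivePushSettings alone on an existing server to audit the current state before changing anything; a ConfiguredTimeout that differs from EffectiveTimeoutSeconds means someone stored an out-of-range value that DSS is ignoring.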
