One Identity Safeguard for Privileged Sessions 6.5.0 - Starling Two-Factor Authentication- Tutorial

[starling_auto_provision]

This section contains the options related to auto-provisioning your Starling 2FA account. To turn on auto-provisioning, you have to specify both attributes.

To be able to use auto-provisioning, you must configure the [ldap_server] section.

NOTE:

Prerequisite for end-users: Starling 2FA Android Application installed on the end-user's phone. If the Application is not yet installed, at the first authentication attempt, the end-user will receive instructions through text message about installing the Application. After finishing the installation, they can re-initiate the authentication process.

Declaration
[starling_auto_provision]
email_attribute=<LDAP-attribute-of-user-email-address>
phone_attribute=<LDAP-attribute-of-user-phone-number>

email_attribute
Type: string
Required: no
Default: N/A

Description: The LDAP attribute name of the user's email address.

phone_attribute
Type: string
Required: no
Default: N/A

Description: The LDAP attribute name of the user's phone number. Make sure that the phone numbers in LDAP adhere to the following formatting rules:

  • The phone number must start with the + character and the country code, for example, +11234567890.

  • The phone number must not include any other characters, that is, must not include hyphen (-), space, or any other separator characters.

Otherwise, SPS cannot parse the phone number and the authentication fails (the log contains an error reporting an invalid user).
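The following is an added example, not part of the One Identity documentation or the plugin's own code. It audits phone_attribute values pulled from LDAP against the two formatting rules above before auto-provisioning is switched on, so that users whose numbers would fail at authentication time can be found in advance. The sample directory values are constructed; the digit-length bound in the regular expression is taken from the E.164 convention and is an assumption, not a rule the documentation states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what phone_attribute might hold for several LDAP users.
# These values are made up for illustration; they are not from a real directory.
SAMPLE_LDAP_PHONES: Dict[str, str] = {
    "alice": "+11234567890",      # valid: '+' then country code and digits only
    "bob":   "+1 123 456 7890",   # spaces are separators, so it will be rejected
    "carol": "001234567890",      # no leading '+'
    "dave":  "+44-20-7946-0958",  # hyphens are separators
    "erin":  "",                  # attribute missing or empty
    "frank": "+4915112345678",    # valid
}

# Documented rule: a leading '+', then the country code and subscriber number as
# digits only. The length bound (1..15 digits after '+') is an E.164 assumption.
PHONE_RE = re.compile(r"^\+[1-9][0-9]{0,14}$")

def check_phone(value: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one phone_attribute value."""
    if not value:
        return False, "empty value"
    if not value.startswith("+"):
        return False, "missing leading '+' and country code"
    if any(ch in value for ch in " -()."):
        return False, "contains separator characters (space, hyphen, parentheses or dot)"
    if not PHONE_RE.match(value):
        return False, "not '+' followed by digits only"
    return True, "ok"

def audit_phones(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return [(user, value, reason)] for every entry that would fail at auth time."""
    problems = []
    for user, value in entries.items():
        ok, reason = check_phone(value)
        if not ok:
            problems.append((user, value, reason))
    return problems

if __name__ == "__main__":
    for user, value, reason in audit_phones(SAMPLE_LDAP_PHONES):
        print(f"{user}: {value!r} -> {reason}")
```

Run it against an export of the attribute you intend to name in phone_attribute; every line it prints corresponds to a user who would see the authentication fail with the invalid-user error described above.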

[auth]

This section contains the options related to authentication.

Declaration
[auth]
prompt=Press Enter for push notification or type one-time password:
disable_echo=yes

prompt
Type: string
Required: no
Default: Press Enter for push notification or type one-time password:

Description: SPS displays this text to the user in a terminal connection to request an OTP interactively. The text is displayed only if the user uses an OTP-like factor, and does not send the OTP in the connection request.

disable_echo
Type: boolean (yes|no)
Required: no
Default: no

Description: For better security, you can hide the characters (OTP or password) that the user types after the prompt. To hide the characters (replace them with asterisks), set disable_echo to yes.

[connection_limit by=client_ip_gateway_user]

This section contains the options related to limiting parallel sessions.

Declaration
[connection_limit by=client_ip_gateway_user]
limit=0

limit
Type: integer
Required: no
Default: 0

Description: To limit the number of parallel sessions the gateway user can start from a given client IP address, configure limit. For an unlimited number of sessions, type 0.
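The following is an added example and not the plugin's own code or configuration loader. It reads a plugin configuration with Python's configparser and checks the cross-parameter rules stated in the sections above: auto-provisioning needs both LDAP attributes or neither, disable_echo must be yes or no, and limit must be a non-negative integer with 0 meaning unlimited. The sample configuration is constructed; the section and option names are the ones this page documents.

```python
import configparser
from typing import List

# Constructed sample configuration for the Starling 2FA plugin. The option
# values are made up; only one of the two auto-provisioning attributes is set,
# disable_echo is not a yes|no value, and limit is negative.
SAMPLE_CONFIG = """
[starling_auto_provision]
email_attribute=mail
phone_attribute=

[auth]
prompt=Press Enter for push notification or type one-time password:
disable_echo=maybe

[connection_limit by=client_ip_gateway_user]
limit=-3
"""

def validate(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the checked rules pass."""
    # interpolation=None so a '%' in the prompt text is not treated as a template
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems: List[str] = []

    # Auto-provisioning only switches on when BOTH attributes are specified.
    if cp.has_section("starling_auto_provision"):
        sec = cp["starling_auto_provision"]
        email = sec.get("email_attribute", "").strip()
        phone = sec.get("phone_attribute", "").strip()
        if bool(email) != bool(phone):
            problems.append(
                "starling_auto_provision: set both email_attribute and phone_attribute "
                "or neither; auto-provisioning stays off with only one of them"
            )

    # disable_echo is documented as boolean (yes|no).
    if cp.has_section("auth"):
        echo = cp["auth"].get("disable_echo", "no").strip().lower()
        if echo not in ("yes", "no"):
            problems.append(f"auth: disable_echo must be yes or no, got {echo!r}")

    # limit is an integer; 0 means unlimited, so negative values make no sense.
    # configparser accepts the space and '=' inside this section header as-is.
    sec_name = "connection_limit by=client_ip_gateway_user"
    if cp.has_section(sec_name):
        raw = cp[sec_name].get("limit", "0").strip()
        if not raw.lstrip("-").isdigit() or int(raw) < 0:
            problems.append(f"{sec_name}: limit must be an integer >= 0 (0 = unlimited), got {raw!r}")

    return problems

if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG):
        print(problem)
```

The prompt line contains a colon, which configparser also treats as a key/value delimiter; because the first delimiter on the line is the '=' after prompt, the whole remainder including the trailing colon is kept as the value, so the default prompt text round-trips unchanged.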

[authentication_cache]

This section contains the settings that determine how soon after performing a 2FA/MFA authentication the user must repeat the authentication when opening a new session.

After the first Starling 2FA authentication of the user, SPS will not request a new Starling 2FA authentication from the user as long as the new authentications happen within soft_timeout seconds from each other. After the hard_timeout expires (measured from the first Starling 2FA login of the user), SPS will request a new Starling 2FA authentication.

In other words, after opening the first session and authenticating on Starling 2FA, the user can keep opening other sessions without having to authenticate again on Starling 2FA as long as the time between opening any two sessions is less than soft_timeout, but must authenticate on Starling 2FA if hard_timeout expires.

Declaration
[authentication_cache]
soft_timeout=15
hard_timeout=90
conn_limit=5

soft_timeout
Type: integer [in seconds]
Required: yes, if you want caching
Default: N/A

Description: The time in seconds after which the SPS plugin requires a new Starling 2FA authentication for the next new session of the user, unless the user successfully authenticates another session within this period.

hard_timeout
Type: integer [in seconds]
Required: yes, if you want caching
Default: N/A

Description: The time in seconds after which the SPS plugin requires a new Starling 2FA authentication for the next new session of the user. The time is measured from the last Starling 2FA authentication of the user.

conn_limit
Type: integer [number of logins]

Description: The cache can be used conn_limit times without multi-factor authentication. If the number of logins exceeds this number, the plugin requests multi-factor authentication again. If this parameter is not set, the number of logins from the cache is unlimited.
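The following is an added example, not the plugin's own implementation. It models the three [authentication_cache] rules as a small state machine and replays a constructed list of session-open times, reporting for each session whether the user is asked for Starling 2FA again or admitted from the cache. Two points are assumptions of this model rather than statements from the page: hard_timeout is measured from the Starling 2FA authentication that opened the current cache window (as the overview paragraphs describe), and a gap of exactly soft_timeout seconds still counts as within the window.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

@dataclass
class CacheState:
    first_auth: Optional[float] = None  # time of the 2FA authentication that opened this window
    last_seen: Optional[float] = None   # time of the most recent session (2FA or cached)
    uses: int = 0                       # sessions admitted from the cache in this window

@dataclass
class AuthCache:
    soft_timeout: float
    hard_timeout: float
    conn_limit: Optional[int] = None    # None models an unset conn_limit (unlimited)
    state: CacheState = field(default_factory=CacheState)

    def needs_mfa(self, now: float) -> bool:
        """Decide whether a session opened at `now` must authenticate with Starling 2FA."""
        s = self.state
        if s.first_auth is None:
            return True                                   # no cache window yet
        if now - s.last_seen > self.soft_timeout:
            return True                                   # idle gap too long
        if now - s.first_auth > self.hard_timeout:
            return True                                   # window too old (assumption: from first auth)
        if self.conn_limit is not None and s.uses >= self.conn_limit:
            return True                                   # cache used conn_limit times already
        return False

    def open_session(self, now: float) -> str:
        """Record a new session at `now` and return 'MFA' or 'CACHED'."""
        if self.needs_mfa(now):
            # The user authenticates on Starling 2FA again; a fresh window starts.
            self.state = CacheState(first_auth=now, last_seen=now, uses=0)
            return "MFA"
        self.state.last_seen = now
        self.state.uses += 1
        return "CACHED"

def simulate(times: Sequence[float], soft_timeout: float, hard_timeout: float,
             conn_limit: Optional[int] = None) -> List[str]:
    """Replay session-open times (seconds) through one AuthCache and return the decisions."""
    cache = AuthCache(soft_timeout, hard_timeout, conn_limit)
    return [cache.open_session(t) for t in times]

if __name__ == "__main__":
    # Constructed session times using the declared values soft=15, hard=90, conn_limit=5.
    # The 20 s gap before t=40 trips soft_timeout; the sixth cached use at t=100 trips conn_limit.
    times_a = [0, 10, 20, 40, 50, 60, 70, 80, 90, 100]
    print(list(zip(times_a, simulate(times_a, 15, 90, 5))))
    # Without conn_limit, sessions every 14 s stay inside soft_timeout until hard_timeout
    # expires at t=98 (measured from the authentication at t=0).
    times_b = [0, 14, 28, 42, 56, 70, 84, 98]
    print(list(zip(times_b, simulate(times_b, 15, 90))))
```

The first replay shows that with the declared values the conn_limit of 5 is reached before hard_timeout can matter, since five cached sessions within soft_timeout of each other span at most 75 seconds; the second replay leaves conn_limit unset so that hard_timeout is the rule that finally forces re-authentication.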