Two-factor Authentication

To strengthen user logon security, AD360 supports two-factor authentication. Once enabled, AD360 will require users to authenticate using one of the authentication mechanisms below in addition to the Active Directory credentials whenever they log in.

Setting up 2-factor authentication

Email Verification

When this option is selected, AD360 sends a verification code via email to the user’s email address. The user has to enter the verification code to successfully login.

Configuration steps

  1. Configure mail server settings if not done already.
  2. Enter a Subject for the email.
  3. Enter the Message in the box provided.
  4. Set the priority as per your requirement.
  5. Click Macros link at the bottom to insert them in the email message.
  6. Once you are done, click Save Settings.

    Two-factor Authentication email verification

Once enabled, users will be asked to enroll for two-factor authentication by entering their email address during login. 

SMS Verification

When this option is selected, AD360 sends a verification code via SMS to the user’s mobile number. The user has to enter the verification code to successfully login.

Configuration steps

  1. Configure SMS server settings if not done already.
  2. Enter the Message in the box provided.
  3. Click Macros link at the bottom to insert them in the SMS.
  4. Once you are done, click Save Settings.

    Two-factor Authentication sms verification

Once enabled, users will be asked to enroll for two-factor authentication by entering their mobile number during login.

Google Authenticator

Google Authenticator adds an extra layer of protection to verify users' identity when they attempt to log into the product. Users will be required to enter a six-digit security code generated by the Google Authenticator app to verify their identity.

Configuration Steps:

  1. Click Enable Google Authenticator.
  2. Click Save Settings.

Once enabled, users can enroll themselves for two-factor authentication using the Google Authenticator app when they log into the application.

RSA SecurID

RSA SecurID is a 2FA mechanism developed by RSA Security LLC to allow users to securely access network resources. Users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or passcodes received via email or SMS to log on to AD360.

RSA SecurID has deprecated authentication via an SDK for Java, so it is advised to adopt authentication via a REST API.

Prerequisites

Steps to configure RSA SecurID for SDK integration

  1. Ensure that the required JAR files listed below are present in the <AD360_install_directory>/lib folder.
    • authapi-8.6.jar
    • log4j-1.2.12rsa-1.jar
    • cryptojcommon-6.1.3.3.jar
    • jcmFIPS-6.1.3.3.jar
    • cryptojce-6.1.3.3.jar

    Note: These JAR files pertain to the latest version of Authentication Agent SDK for Java (version 8.6).

    If the files are not present, obtain the latest JAR files from RSA SecurID and add them to the <AD360_install_directory>/lib folder.

  2. In the RSA admin console, navigate to Access > Authentication Agents > Generate Configuration File.
  3. Click Generate Config File to download the AM_Config.zip file.
  4. Extract the sdconf.rec file from the ZIP file.
  5. In AD360, navigate to Admin > Logon Settings > Two-Factor Authentication > RSA SecurID.
  6. Check the Enable RSA SecurID box.
  7. For Integration Type, select SDK.
  8. Click Browse and select the sdconf.rec file.
  9. Click Save.

Two-factor Authentication RSA verification

Once enabled, users will be asked to verify their identity with their SecurID token's passcodes for logon.

Steps to configure RSA SecurID for REST API integration

  1. In the RSA admin console, navigate to Setup > System Settings.
  2. Under Authentication Settings, click RSA SecurID Authentication API.
  3. Copy the Access ID, Access Key, and Communication Port details.
  4. In AD360, navigate to Admin > Logon Settings > Two-Factor Authentication > RSA SecurID.
  5. Check the Enable RSA SecurID box.
  6. For Integration Type, select REST API.
  7. Two-factor Authentication RSA verification

  8. Enter the hostname of RSA Authentication Manager in the API Host Name field.
  9. Paste the port number and access key obtained in Step 3 in the Port and Access Key fields, respectively.
  10. Enter the authentication agent's name (i.e., the hostname of the AD360 server) in the Client Id field.
  11. Two-factor Authentication RSA verification

  12. Check the Secure API requests to RSA server with HMAC Authentication box to verify the integrity of the authentication requests. Please follow the steps mentioned under "HMAC prerequisites" before enabling HMAC authentication.
  13. Enter the access ID copied in Step 3 in the Access Id field.
  14. Click Test Connection and Save.
Note: Please ensure that all the users are associated with the configured authentication agent (the AD360 server) and have enrolled in RSA Authentication Manager with the same username and SecurID tokens assigned to them.

Steps to configure the AD360 server as an authentication agent

  1. Log on to your RSA admin console (e.g., https://ad360-rsa.testdomain.com/sc).
  2. Navigate to Access > Authentication Agents > Add New.
  3. Two-factor Authentication RSA verification

  4. Enter the hostname of the AD360 server in the Hostname field and click Resolve IP to establish a connection between the SecurID SECURITY CONSOLE and the AD360 server.
  5. Click Save to add the AD360 server as an authentication agent.
  6. Two-factor Authentication RSA verification

HMAC prerequisites

Hash-based message authentication code (HMAC) is used to validate the authentication requests that are exchanged between authentication agents and the RSA SecurID Authentication API.

  1. Log on to the appliance with the Secure Shell client or access the appliance on a virtual machine with the VMware vSphere Client, Hyper-V Virtual Machine Manager, or Hyper-V Manager.
  2. To verify authentication requests by implementing HMAC, type the following:

    ./rsautil store –a update_config

    auth_manager.rest_service.authorization.mode 1 GLOBAL 501

  3. To use only the RSA SecurID Authentication API's access key for authentication, type the following:

    ./rsautil store –a update_config

    auth_manager.rest_service.authorization.mode 0 GLOBAL 501

Duo Security

If your organization uses Duo Security for two-factor authentication, it can be integrated with AD360 to secure logins. Users can approve or deny the AD360 login requests using a push notification or by entering the six-digit security code generated by the Duo mobile app. Authentication via Duo Security can be configured in two ways in AD360: Web v2 SDK and Web v4 SDK.

Web v2 SDK uses a traditional Duo prompt which will be displayed in an iframe in AD360, whereas Web v4 SDK uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo for authentication.

Duo Security has phased out Web v2 SDK, so it is recommended to switch to Web v4 SDK, which features the new Universal Prompt.

Prerequisites

Web v4 SDK configuration steps

Note: It is required to have a secure connection to set up the Web v4 SDK authentication. Please make sure that you have enabled HTTPS connection.

  1. Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com) or sign up for a new account and log in.
  2. Go to Applications and click Protect an Application.
  3. Duo Security Configuration

  4. Search for Web SDK and click Protect.
  5. Duo Security Configuration

  6. Copy the Client ID, Client secret, and API hostname values.
  7. Duo Security Configuration

  8. In AD360, navigate to Admin > Logon Settings > Two-Factor Authentication > Duo Security.
  9. Check the Enable Duo Security box and select Web v4 SDK as the Integration Type.
  10. Duo Security Configuration

  11. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
  12. Enter the same username pattern used in Duo Security in the Username Pattern field.
  13. Click the Advanced Settings like if you would like to configure Auth API. Paste the Integration key and Secret key in the respective fields. To learn how to get the Integration key and Secret key, click here.
  14. Click Save.

Web v2 SDK configuration steps

  1. Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com) or sign up for a new account and log in.
  2. Go to Applications and click Protect an Application.
  3. Duo Security Configuration

  4. Search for Web SDK and click Protect.
  5. Duo Security Configuration

  6. Copy the Integration key, Secret key, and API hostname values.
  7. Duo Security Configuration

  8. In AD360, navigate to Admin > Logon Settings > Two-Factor Authentication > Duo Security.
  9. Check the Enable Duo Security box and select Web v2 SDK for Integration Type.
  10. Duo Security Configuration

  11. Paste the Integration key, Secret key, and API hostname obtained from the Duo Admin Panel in the respective fields.
  12. Enter the same username pattern used in Duo Security in the Username Pattern field.
  13. Click the Advanced Settings like if you would like to configure Auth API. Paste the Integration key and Secret key in the respective fields. To learn how to get the Integration key and Secret key, click here.
  14. Click Save.

Configuring Auth API in Duo Security

Configuring the Auth API in Duo Security is optional. Auth API configuration is used to verify the user's enrollment with Duo Security. If Auth API is not configured, then on deleting a user's enrollment in Duo Security, it is mandatory to manually remove the user's enrollment in AD360 too. If not, the user will be added back to Duo Security when it is used for authentication in AD360.

To get the Integration key and Secret key,

  1. Login to Duo Security portal.
  2. Navigate to Applications and click Protect An Application.
  3. Search for Auth API. Click Protect this Application.
  4. Copy the Integration key and Secret key.

Steps to migrate to the new Universal Prompt

  1. In the Duo Admin Panel, select the Web SDK application, which was previously configured for AD360, and copy the Integration key, Secret key and API hostname values.
  2. Scroll down to the Universal Prompt section. The App Update Ready message will be displayed, indicating that Universal Prompt can now be activated for AD360.
  3. Duo Security Configuration

  4. In AD360, navigate to Admin > Logon Settings > Two-Factor Authentication > Duo Security.
  5. Click Web v4 SDK and paste the Integration key, Secret key, and API hostname values in the Client ID, Client Secret, and API Host name fields respectively.
  6. Once the Web v4 SDK is configured in AD360 and a user authenticates through the frameless Duo v4 SDK, the App Update Ready message in Duo Admin Panel will be updated and the New Prompt Ready message will be displayed.
  7. Duo Security Configuration

  8. Select Show new Universal Prompt to activate the universal prompt for AD360.

RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.

RADIUS based two-factor authentication for AD360 can be configured in just two simple steps.

Configuration steps

Step 1: Integrate RADIUS with AD360

  1. Log in to RADIUS server.
  2. Navigate to clients.conf file.(/etc/raddb/clients.conf).
  3. Add the following snippet in the clients.conf file.

    client AD360ServerName
    {
    ipaddr = xxx.xx.x.xxx
    secret = <secretCode>
    nastype = other
    }

  4. Restart RADIUS server.

Step 2: Configure AD360 for RADIUS

Note: Username Pattern is case sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.

Microsoft Authenticator

Administrators can add Microsoft authenticator as an additional factor for verifying identities during login.

Configuration steps

Once enabled, users can enroll themselves for two-factor authentication using the Microsoft Authenticator app when they log in to the application.

Custom TOTP Authenticator

In addition to the authenticators mentioned above, you can also add a custom TOTP authenticator as a means of verifying identities, provided the application satisfies the following criteria:

Configuration steps

  1. Select Enable Custom TOTP Authenticator.
  2. Enter the name of the authenticator application.
  3. Select the Passcode Length and the Passcode Expiration Time from the available options.
  4. Select the Password Hashing Algorithm of the TOTP authenticator.
  5. Provide the format in which the username will be displayed in the authenticator.
  6. Select the logo of the authenticator. The supported formats for the image are PNG, JPG, JPEG, BMP, and GIF. Please ensure the dimensions of the logo does not exceed 45x45 pixels and the size is less than 2MB.
  7. Click Save.

custom-totp-authenticator

Note: If the values for the passcode hashing algorithm, passcode expiration time, or the passcode length fields are modified, the user enrollment data for the configured Custom TOTP Authenticator will be deleted. The enrollment data will also be deleted when this configuration is disabled.

Once enabled, users can enroll themselves for two-factor authentication using the Custom TOTP Authenticator when they next log in to AD360.

Backup Verification Codes

Backup verification codes allow users to log in when they don’t have access to their phone or face issues with one of the second-factor authentication method. When enabled, a total of five codes will be generated. A code once used will become obsolete and cannot be used again. Users also have the option to generate new codes.

Enabling backup verification code

Registering for backup verification code

Using the backup verification code to login

Managing users for two-factor authentication

As an admin, you can view which authentication method users have enrolled for and remove users’ enrollment for two-factor authentication using the Manage Users option.

To do so, follow the steps below:

To personalize two-factor authentication method for users

The users enrolled for two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:

Don't see what you're looking for?

  •  

    Visit our community

    Post your questions in the forum.

     
  •  

    Request additional resources

    Send us your requirements.

     
  •  

    Need implementation assistance?

    Try onboarding

     

Copyright © 2023, ZOHO Corp. All Rights Reserved.