Authentication Service configuration overview
Most of the configuration associated with the authentication service and the supported authentication mechanisms is pre-configured on the appliance. In most scenarios, this configuration is adequate. However, some scenarios require customization to meet your requirements. We can configure the following components to customize the authentication support:
- Point of contact settings.
- Authentication mechanism settings.
- Template pages
Point of contact settings
We can configure the point of contact in the Advanced Configuration settings of the local management interface. See the configuration settings that begin with poc in Manage Advanced Configuration. This version of ISAM simplifies the configuration required for the authentication service. Previous versions relied on a list of preconfigured authentication callbacks to determine the authentication flow. The new authentication policy format eliminates the need to rely on the authentication level value to determine the order in which the authentication mechanisms are executed: the execution of an authentication event now depends on the content of the authentication policy. We can also configure the Authentication Service to allow reauthentication. If reauthentication is enabled, the Authentication Service runs all the authentication mechanisms included in the authentication policy regardless of any pre-existing authentication session.
- Access policy scenario configuration
This scenario is almost fully configured after completing deployment and running activation and isamcfg. To enable this scenario:
  - Create an access policy that references any of the authentication policies that are provided.
  - Attach the access policy to the resource to protect.
No further configuration is needed.
- Web Gateway Appliance step-up authentication scenario
This scenario requires a set of manual steps to enable it after completing deployment and running activation and isamcfg. This scenario relies on an ACL or POP in the point of contact configuration to initiate the policy execution. The user must complete an authentication policy flow when the policy requires the user to step up to a higher level of authentication. This setup is specific to, and dependent on, the point of contact technology we are using in the environment.
- Web Gateway Appliance authentication scenario
This scenario requires a set of manual steps to enable it after completing deployment and running activation and isamcfg. This scenario relies on an ACL or POP in the point of contact configuration to initiate the policy execution. The user must complete an authentication policy flow when the policy requires the user to authenticate. This setup is specific to, and dependent on, the point of contact technology we are using in the environment.
Authentication mechanism settings
We can modify authentication mechanism settings through the local management interface.
- Configure a TOTP one-time password mechanism
- Configure an HOTP one-time password mechanism
- Configure an RSA one-time password mechanism
- Configure a MAC one-time password mechanism
- Configure consent to device registration
- Configure an HTTP redirect authentication mechanism
- Configure username and password authentication
- Configure an End-User License Agreement authentication mechanism
- Configure a Knowledge Questions authentication mechanism
For advanced customization of the authentication service or the one-time password generation, delivery, and verification, we can customize the mapping rules. See Manage mapping rules.
Template configuration
Many HTML pages and XML documents are provided to interact with our users. The pages prompt users for authentication information, provide them with one-time passwords, or notify them of errors during authentication. See Manage template files.