

Configure CA Auth ID PKI Authentication Policy

You can use a CA Auth ID PKI policy to specify the following attributes related to CA Auth ID PKI-based authentication:

Note: Exercise caution while using these options.

Follow these steps:

  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the ArcotID section, click the Authentication link to display the CA Auth ID Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    Create

    If you choose to create a new policy, then:

    • Select the Create option.
    • Specify the Configuration Name of the new policy in the field that appears.

    Update

    If you choose to update an existing policy, then select the policy that you want to update from the Select Configuration list that appears.

    Copy Configuration

    Enable this option if you want to create the policy by copying the configurations from an existing policy.

    Note: You can also copy from configurations that belong to other organizations that you have scope on.

    Available Configurations

    Select the policy from which the configurations will be copied.

    Lockout Credential After

    Specify the number of failed attempts after which the user credential will be locked.

    Check User Status Before Authentication

    Select this option if you want to verify that the user status is active before authenticating the user.

  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required.
    Issue Warning

    Specify the number of days before expiration at which a warning about the user’s impending CA Auth ID PKI credential expiration is sent to the calling application.

    Allow Successful Authentication

    Specify the number of days for which users can use an expired CA Auth ID PKI credential to log in successfully.

    Enable Automatic Credential Unlock

    Select this option if you want a locked credential to be automatically unlocked after the time you specify in the Unlock After field.

    This field is valid only if you specify the corresponding value in the Lockout Credential After field.

    Note: The credential does not get automatically unlocked after the unlock period. The credential has to be used for successful authentication after the unlock period to get it unlocked.

    Unlock After

    Specify the number of hours after which a locked credential can be used again for authentication.

    Challenge Validity (in Seconds)

    Specify the duration for which the CA Auth ID PKI challenge has to be valid.

    Usage Type for Verification

    If you want users to authenticate with a particular CA Auth ID PKI, then enter the name of its usage type in this field.

    If you do not specify the usage type, then the usage type mentioned in the default CA Auth ID PKI authentication policy is used.

  7. Click Save.
  8. Refresh all deployed CA Strong Authentication instances. See Refresh a Server Instance for instructions about the procedure.
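
The lockout, unlock, warning and expiry fields above interact, so the following Python model is added here as an illustration of how they could be evaluated together; it is not CA Strong Authentication code. The class, function and result names, the order of the checks, the warning during the grace period, and leaving the lock time unchanged when an attempt fails after the unlock period are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:                  # hypothetical names mirroring the policy fields
    lockout_after: int         # Lockout Credential After (failed attempts)
    auto_unlock: bool          # Enable Automatic Credential Unlock
    unlock_after_hours: int    # Unlock After
    warn_days: int             # Issue Warning
    grace_days: int            # Allow Successful Authentication

@dataclass
class Credential:
    expires: datetime
    failed: int = 0
    locked_at: Optional[datetime] = None

def authenticate(p: Policy, c: Credential, proof_ok: bool, now: datetime) -> str:
    """Return LOCKED, EXPIRED, FAILED, OK_WARN or OK (assumed result names)."""
    if c.locked_at is not None:
        unlock_due = c.locked_at + timedelta(hours=p.unlock_after_hours)
        if not (p.auto_unlock and now >= unlock_due):
            return "LOCKED"
        # Unlock period elapsed: the credential may be tried again, but it
        # stays marked as locked until a successful authentication clears it.
    if now > c.expires + timedelta(days=p.grace_days):
        return "EXPIRED"       # past expiry plus the allowed grace days
    if not proof_ok:
        c.failed += 1
        if c.locked_at is None and c.failed >= p.lockout_after:
            c.locked_at = now  # lock on reaching the failed-attempt threshold
        return "FAILED"
    c.failed, c.locked_at = 0, None  # success resets the counter and the lock
    if now >= c.expires - timedelta(days=p.warn_days):
        return "OK_WARN"       # caller is warned of impending expiration
    return "OK"

if __name__ == "__main__":
    # Constructed sample values, not product defaults.
    p = Policy(3, True, 2, 7, 5)
    c = Credential(expires=datetime(2024, 6, 1))
    t0 = datetime(2024, 1, 1, 9, 0)
    for hours, ok in [(0, False), (0, False), (0, False), (1, True), (3, True)]:
        print(hours, authenticate(p, c, ok, t0 + timedelta(hours=hours)))
```

In this model a correct response one hour after lockout is still rejected, and the lock is cleared only by the successful authentication made after the two-hour unlock period, matching the note under Enable Automatic Credential Unlock.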