The RSA Ace/SecureID authentication schemes authenticate users logging in with ACE credentials, which include the user names, PINs, and TOKENCODEs. ACE user names and passwords reside in an ACE/Server user store, and an ACE/Server administrator can change these credentials. SecureID tokens generate single-use TOKENCODEs.
The following SecurID authentication schemes are available:
This scheme authenticates users who are logging in with RSA SecureID hardware tokens. The scheme accepts a user name and password. The password is the user’s token PIN followed by the dynamic code.
Note: Use the LDAP directory attribute 'uid' to map to the userid of the user on the Ace Server, otherwise the SecurId Template authentication scheme fails to authenticate the user. Use the SecurID HTML Forms Template when mapping LDAP directory attributes other than uid to the userid on the Ace Server.
This scheme includes HTML forms support. The HTML forms lets users identify themselves and reactivate their accounts after they have been disabled because they entered their PIN or token information incorrectly.
The RSA ACE/SecurID scheme authenticates users who are not allowed to change their ACE PIN or users who are not in the NextTokenCode mode. However, users who change their PIN and users who are in the NextTokenCode mode are authenticated through the RSA ACE/SecurID scheme with HTML form. Both schemes are based on ACE/Server - Ace/Agent model and require RSA/SecurID (tokens) and RSA/ACE (server software) products.
The RSA ACE/Server works with RSA SecurID tokens to authenticate user identities through valid RSA Ace/Agents. Further, RSA supports Web Agents and custom Agents. The SecurID authentication schemes act as custom ACE/Agents and use ACE/SDK and libraries.
The ACE/Server, however, has its own policy in handling user credentials and stores this information in the ACE user store. The policy includes several requirements and limitations for each user, which the ACE administrator can change at any time. The administrator configures users to authenticate by either PIN or TOKENCODE. If users are configured to authenticate by PIN, the system does not require a TOKENCODE. If users are configured to authenticate with a TOKENCODE, the TOKENCODE and PIN are required. In addition, users can be required to set a new PIN while trying to authenticate. Under this "new PIN mode", the old and new PINs are required.
To authenticate users, the SecureID authentication schemes require mapping between the ACE server and the users in the user store. This mapping is represented as an authentication scheme object attribute in the policy store.
The enhancement to the RSA ACE/SecurID Scheme with HTML form affects the "new PIN mode".
The following figure shows how the RSA ACE/Server interacts with the Policy Server:
The flow is as follows:
The PIN can be rejected under the following conditions:
In the previous figure, authentication includes presenting back-end PIN policy-related messages on the HTML form. The SecurID Authentication scheme does the PIN policy validation before sending a new PIN to the ACE/Server. The ACE SDK has a set of functions that can retrieve the following PIN attributes:
Based on this information, the PIN is validated and the appropriate error messages are constructed and presented to the user. The validation is done in the following order:
The only relevant portion of the policy is made available to users in these new error messages. The following shows an example of how these new messages can appear:
If a sample user, Joe, has a PIN of 5 to 8 digits long but enters a new PIN "poem", then the following error message displays:
Your new PIN is too short. PIN must contain at least 5 character(s).
If the next specified PIN is "novel", the message is:
Your new PIN may not have alphabetic characters.
If the next specified PIN is "123412341234," the message is:
Your new PIN is too long. PIN must contain 8 or fewer character(s).
Despite the successful PIN validation by the SecureID authentication scheme, the ACE/Server can reject a new PIN. In this case, the user is asked for a new set of credentials, but no reason is given. Further, in the enhanced SecurID authentication scheme, the user is automatically granted access to the target web page after a successful PIN change.
To configure a SecurID authentication scheme, do the following procedures:
Be sure that the following prerequisite is met before configuring a SecureID authentication scheme:
Configuring the ACE paths prevents the authentication request that the Policy Server sends to the ACE Server from failing.
Note: The SM_ACE_FAILOVER_ATTEMPTS environment variable has been removed. This variable was used to set the failover attempts to the ACE server.
You can use a SecurID authentication scheme to authenticate users logging in with ACE credentials.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
Verify that the Create a new object of type Authentication Scheme is selected.
Click OK
The authentication scheme is saved and can be assigned to a realm.
To configure a SecurID HTML Form authentication scheme, do the following procedures:
Complete following prerequisites before configuring a SecureID HTML Form authentication scheme:
Note: The .unauth file is not required if the .fcc file uses the smerrorpage directive.
These files are installed automatically when you configure a Web Agent.
You can use a SecurID HTML Form authentication scheme to use a custom HTML form to authenticate users logging in with ACE credentials.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
Verify that the Create a new object of type Authentication Scheme is selected.
Click OK
The authentication scheme is saved and can be assigned to a realm.
If you protect a realm with the SecurID HTML Form scheme, users who are suspended due to improper logins can attempt to activate their accounts using a number of customizable HTML forms. You can modify the layout and wording of these forms, but you must not modify the tags that gather user information.
The forms provided with the Policy Server include the following:
This form is where users enters a username and passcode to login.
This template requests multiple tokencodes to confirm that the user is in possession of a working SecurID token.
The Policy Server uses the following forms when an administer creates a user account, and that user logs in. Through the forms, a user creates a PIN, or has the Policy Server generate a random PIN.
For new users, or users whose accounts have been suspended (due to too many invalid login attempts), this template prompts the user to acquire a new PIN. This template accepts the user’s original username and passcode, but instead of granting access to a protected resource, it redirects the user to another form where the user can receive or create a new PIN.
This template allows a user to indicate if the system should generate a new PIN, or if the user wants to enter a new PIN.
This template allows a user to enter a new PIN. The user must provide a valid username and passcode along with the new PIN. In this template, $USRMSG$ is replaced with instructions for creating a PIN number. For example:
PINs must be between 4 and 8 characters in length.
This template indicates that a new system-generated PIN has been created. In this template, the system generated PIN replaces the $USRMSG$ variable.
When a user clicks Continue, the user is immediately prompted to log in using the new PIN.
|
Copyright © 2014 CA.
All rights reserved.
|
|