To strengthen user logon security, ADSelfService Plus supports two-factor authentication. Once enabled, ADSelfService Plus requires users to authenticate with one of the mechanisms below, in addition to their Active Directory credentials, whenever they log in.
Set up 2-factor authentication
Go to Admin → Customize → Logon Settings and click the Two-factor Authentication tab.
Select Enable Two-factor Authentication.
Now select one of the authentication methods.
Enter the required details and click Save.
RSA SecurID (originally just SecurID) is a two-factor authentication mechanism developed by Security Dynamics (later RSA Security, now RSA, The Security Division of EMC) for authenticating a user to a network resource. Users log in to ADSelfService Plus with the tokencode generated by the RSA SecurID mobile app or a hardware token, or with a tokencode delivered to their email address or mobile phone.
Steps to Integrate RSA SecurID with ADSelfService Plus
Log in to your RSA admin console (e.g., https://adssp-rsa.csez.zohocorpin.com/sc).
Go to Applications. Under Authentication Agents, click Add New.
Add the ADSelfService Plus server as an authentication agent and click Save.
Go to Applications. Under Authentication Agents, click Generate Configuration File.
Download AM_Config.zip (the Authentication Manager configuration).
Extract sdconf.rec from the zip to <ADSSP-installation-dir>/bin. If the zip also contains a file named securid (the node secret file), copy it to the same directory. The node secret is the shared key that identifies this agent to the Authentication Manager, so restrict read access to both files to the account that runs ADSelfService Plus.
That's it! You are now ready to use RSA SecurID with ADSelfService Plus.
Troubleshooting: log in to your RSA admin console and go to the Reporting tab. Under Real-time Activity Monitors, click Authentication Activity Monitor, then click Start Monitor to watch authentication attempts from the ADSelfService Plus agent as they happen.
When the email/SMS verification code option is selected, ADSelfService Plus sends a verification code by email and SMS to the user's registered email address and mobile number. The user must enter this code to complete the login.
The email address and mobile number used for sending the verification code are taken from the user's enrollment data as well as from Active Directory.
To specify which AD attributes supply the email address and mobile number:
Go to Admin → Product Settings → Server Settings → Mail/Mobile attributes.
Select a domain and then the attribute type (mail or mobile).
Select the attributes. To add another attribute, click Add more.
You can send the verification code by email, by SMS, or both.
Email Verification Code
Make sure you have configured the Mail Server.
Customize the Subject and Message.
SMS Verification Code
Make sure you have configured the SMS Server.
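The following is an added example, not ADSelfService Plus code, of the two pieces the section above describes: choosing where to deliver the code (enrollment data first, then the AD attributes configured under Mail/Mobile attributes, in order) and issuing a code that can be checked later. The issue/verify logic goes beyond what the page states and reflects general practice for emailed or texted one-time codes: the code is random, stored only as a keyed hash, single use, time-limited, and discarded after a bounded number of wrong guesses. The TTL, attempt limit, attribute names and sample users are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6        # digits in the verification code
CODE_TTL = 300         # seconds a code stays valid (assumption, not a product setting)
MAX_ATTEMPTS = 5       # wrong guesses before the code is discarded (assumption)


def pick_contacts(kind, enrollment, ad_attributes, configured_attributes):
    """Addresses (kind="mail") or numbers (kind="mobile") to deliver to: the value the user
    enrolled with first, then the AD attributes configured for that kind, in order."""
    values = []
    if enrollment.get(kind):
        values.append(enrollment[kind])
    for attribute_name in configured_attributes.get(kind, []):
        value = ad_attributes.get(attribute_name)
        if value and value not in values:
            values.append(value)
    return values


class VerificationCodeStore:
    """Issues one-time codes and checks them: random, stored only as a keyed hash,
    single use, time-limited, with a bounded number of guesses."""

    def __init__(self, pepper):
        self._pepper = pepper          # server-side secret so a leaked table is useless
        self._pending = {}             # user -> [digest, expires_at, attempts_left]

    def _digest(self, user, code):
        return hmac.new(self._pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user] = [self._digest(user, code), now + CODE_TTL, MAX_ATTEMPTS]
        return code  # hand this to the mail/SMS sender only; never log it

    def verify(self, user, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(user, submitted)):
            del self._pending[user]    # single use
            return True
        if entry[2] == 0:
            del self._pending[user]    # too many wrong guesses: a new code must be requested
        return False


def send_verification(store, user, enrollment, ad_attributes, configured_attributes,
                      channels=("mail", "mobile"), now=None):
    """Issue a code and return it with the (channel, destination) pairs it would go to."""
    code = store.issue(user, now)
    destinations = [(kind, dest) for kind in channels
                    for dest in pick_contacts(kind, enrollment, ad_attributes, configured_attributes)]
    return code, destinations


if __name__ == "__main__":
    # Constructed sample data: one enrolled mobile number plus AD attributes.
    configured = {"mail": ["mail"], "mobile": ["mobile", "otherMobile"]}
    ad = {"mail": "jsmith@corp.example", "otherMobile": "+15550100"}
    store = VerificationCodeStore(b"constructed-pepper")
    code, where = send_verification(store, "jsmith", {"mobile": "+15550199"}, ad, configured)
    print(where, store.verify("jsmith", code))
```

A wrong guess counts against the same code, so an attacker who intercepts the login page cannot brute-force a six-digit code within its lifetime; a correct guess removes the entry so the same code cannot be replayed.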
Duo Security is a two-step verification service that adds a second factor when users access applications. Users log in to ADSelfService Plus with the six-digit passcode generated by the Duo Mobile app.
Steps to Integrate Duo Security with ADSelfService Plus
Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com), or sign up for a new one and then log in.
Go to Applications and click Protect an Application.
Search for Web SDK and click Protect this Application.
Copy the Integration key, Secret key and API hostname into ADSelfService Plus and click Save. Treat the Secret key as a credential: it is what lets ADSelfService Plus prove to Duo that a sign-in request is genuine, so do not store or share it anywhere outside the product.
Note: If you are using an older version of Internet Explorer, add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and the admin console (e.g., https://admin-325d33c0.duosecurity.com) as trusted or intranet sites.
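To show what the Integration key and Secret key are actually used for once they are entered, here is an added example (not ADSelfService Plus or Duo code) that implements the Duo Web SDK v2 signing scheme the Web SDK application type uses: before the Duo prompt is shown, the application signs a request containing the username with the Secret key (the TX half, which Duo verifies) and with an application-side key (the APP half, which only the application can verify); after the second factor succeeds, Duo returns a signed AUTH half, and the application accepts the login only if both halves verify and name the same user. The application key (akey), the sample keys, the username and the simulated Duo service are assumptions; error strings are modelled on the SDK's.

```python
import base64
import hashlib
import hmac
import time

# Constants of the Duo Web SDK v2 signing scheme.
DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600          # seconds each half stays valid
IKEY_LEN, SKEY_LEN, AKEY_LEN = 20, 40, 40


def _hmac_sha1(key, msg):
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def _sign_vals(key, username, ikey, prefix, expire, now):
    """PREFIX|base64(user|ikey|expiry)|HMAC-SHA1(key, "PREFIX|base64...")"""
    val = f"{username}|{ikey}|{int(now + expire)}"
    cookie = f"{prefix}|{base64.b64encode(val.encode()).decode()}"
    return f"{cookie}|{_hmac_sha1(key, cookie)}"


def _parse_vals(key, val, prefix, ikey, now):
    """Return the username if signature, prefix, ikey and expiry all check out, else None."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    if not hmac.compare_digest(_hmac_sha1(key, f"{u_prefix}|{u_b64}"), u_sig):
        return None                      # signature checked before anything else is trusted
    if u_prefix != prefix:
        return None
    try:
        username, u_ikey, expire = base64.b64decode(u_b64).decode().split("|")
        expires_at = int(expire)
    except (ValueError, UnicodeDecodeError):
        return None
    if u_ikey != ikey or now >= expires_at:
        return None
    return username


def sign_request(ikey, skey, akey, username, now=None):
    """Application side, before rendering the Duo frame."""
    now = time.time() if now is None else now
    if not username or "|" in username:
        return "ERR|The username passed to sign_request() is invalid."
    if len(ikey) != IKEY_LEN:
        return "ERR|The Duo integration key passed to sign_request() is invalid."
    if len(skey) != SKEY_LEN:
        return "ERR|The Duo secret key passed to sign_request() is invalid."
    if len(akey) < AKEY_LEN:
        return "ERR|The application secret key passed to sign_request() must be at least 40 characters."
    duo_sig = _sign_vals(skey, username, ikey, DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, username, ikey, APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Application side, on the POSTed sig_response: both halves must verify and agree."""
    now = time.time() if now is None else now
    parts = sig_response.split(":")
    if len(parts) != 2:
        return None
    auth_user = _parse_vals(skey, parts[0], AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, parts[1], APP_PREFIX, ikey, now)
    if auth_user is None or app_user is None or auth_user != app_user:
        return None
    return auth_user


def simulate_duo_service(ikey, skey, sig_request, now):
    """Constructed stand-in for Duo's side: checks the TX half with the shared Secret key and,
    once the user's second factor has succeeded, answers with an AUTH half. The browser then
    appends the untouched APP half, whose key Duo never holds."""
    duo_sig, app_sig = sig_request.split(":")
    username = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    if username is None:
        raise ValueError("Duo would refuse a request it cannot verify")
    return f"{_sign_vals(skey, username, ikey, AUTH_PREFIX, DUO_EXPIRE, now)}:{app_sig}"


if __name__ == "__main__":
    # Constructed keys with the lengths the SDK enforces; real ones come from the Duo admin console.
    IKEY, SKEY, AKEY = "DI" + "X" * 18, "deadbeef" * 5, "a1b2c3d4" * 5
    request = sign_request(IKEY, SKEY, AKEY, "jsmith")
    response = simulate_duo_service(IKEY, SKEY, request, time.time())
    print(verify_response(IKEY, SKEY, AKEY, response))  # jsmith
```

The two keys split trust: a response forged with a stolen Secret key alone still fails the APP check, and an APP half captured from one user's request cannot be paired with an AUTH half for another user, because the usernames in the two halves must match.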
Remote Authentication Dial-In User Service (RADIUS) is an industry-standard client/server protocol for authenticating users against a central server; ADSelfService Plus acts as the RADIUS client and the RADIUS server checks the second factor.
RADIUS-based two-factor authentication for ADSelfService Plus is configured in two steps.
Step 1: Integrate RADIUS with ADSelfService Plus
Log in to the RADIUS server.
Open the clients.conf file (for FreeRADIUS, /etc/raddb/clients.conf).
Add a client entry for the ADSelfService Plus server. In FreeRADIUS syntax the three settings must sit inside a client block; the bare lines on their own will not parse:
client adselfserviceplus {
    ipaddr = xxx.xx.x.xxx
    secret = secretCode
    nastype = other
}
ipaddr is the address of the ADSelfService Plus server (the RADIUS client, not the RADIUS server itself), and secret is the shared secret you will enter again in Step 2. Replace secretCode with a long random value: anyone who learns the shared secret can forge Access-Accept replies to the client.
Restart the RADIUS server.
Step 2: Configure ADSelfService Plus for RADIUS
Log in to the ADSelfService Plus console with administrator credentials.
Navigate to Configuration → Policy Configuration → Advanced Settings.
Click the Login TFA tab.
Select Enable Two Factor Authentication option.
Select RADIUS Authentication option.
Enter the IP address or host name of the RADIUS server.
Enter the port number used for RADIUS authentication (1812 is the standard authentication port).
Select the authentication protocol from the drop-down list.
Enter the shared secret that was added to the clients.conf file on the RADIUS server.
Set the RADIUS user name pattern (the form in which the user name is sent to the RADIUS server).
Set the time-out duration for authentication requests.
Note: The user name pattern is case-sensitive. Make sure you select the exact pattern (uppercase or lowercase) that your RADIUS server expects.
Once configured, users must provide their RADIUS password in addition to their domain password to gain access to ADSelfService Plus.
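What the two steps set up is a RADIUS Access-Request/Access-Accept exchange between ADSelfService Plus (the client named in clients.conf) and the RADIUS server. The following added example, not ADSelfService Plus or FreeRADIUS code, builds that exchange from RFC 2865: the client hides the password with the shared secret and a random Request Authenticator, the server decodes it and answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply plus the shared secret, and the client accepts only a reply that passes that check. A toy in-memory server stands in for the real one; the client address, shared secret, user table and NAS-Identifier are constructed and the secret matches the clients.conf stanza above only by example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_user_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, authenticator):
    """Server side of the same transform; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[i], []).append(data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, nas_id):
    """Returns (packet, request_authenticator); the authenticator is kept to check the reply."""
    authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_response(packet, ident, request_authenticator, secret):
    """Client side: a reply counts only if it answers our outstanding request and its
    Response Authenticator proves it was built with the shared secret. Returns code or None."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


# Constructed stand-in for the RADIUS server: the clients.conf entries (client address ->
# shared secret) and a user table.
CLIENTS = {"192.0.2.10": b"secretCode"}
USERS = {"jsmith": "correct horse battery"}


def toy_server_handle(packet, client_ip):
    secret = CLIENTS.get(client_ip)
    if secret is None or len(packet) < 20:
        return None  # unknown client: a RADIUS server silently discards the request
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:])
    username = attrs.get(ATTR_USER_NAME, [b""])[0].decode(errors="replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, [b""])[0], secret, request_authenticator)
    expected = USERS.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_authenticator, secret)


def authenticate(username, password, secret, client_ip="192.0.2.10"):
    """One round trip as the RADIUS client performs it. 'invalid' means the reply failed the
    authenticator check, which is what a mismatched shared secret looks like from the client."""
    ident = os.urandom(1)[0]
    request, request_authenticator = build_access_request(ident, username, password, secret, "adselfservice-plus")
    reply = toy_server_handle(request, client_ip)
    if reply is None:
        return "timeout"
    code = verify_response(reply, ident, request_authenticator, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


if __name__ == "__main__":
    print(authenticate("jsmith", "correct horse battery", b"secretCode"))  # accept
```

Two of the outcomes map directly onto the configuration steps: a request from an address that is not listed in clients.conf gets no reply at all, which the client sees as a time-out, and a shared secret that differs between clients.conf and the ADSelfService Plus settings produces a reply the client cannot verify rather than a clean reject.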