To strengthen user logon security, ADSelfService Plus supports two-factor authentication. Once enabled, ADSelfService Plus requires users to authenticate using one of the authentication mechanisms below, in addition to their Active Directory credentials, whenever they log in.
Set up 2-factor authentication
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by Security Dynamics (later RSA Security and now RSA, The Security Division of EMC) for performing two-factor authentication of a user to a network resource. Users can log in to ADSelfService Plus with security codes generated by the RSA SecurID mobile app or by hardware tokens, or with tokens received by email or on their mobile phone.
Steps to Integrate RSA SecurID with ADSelfService Plus
Log in to your RSA admin console (e.g., https://adssp-rsa.testdomain.com/sc).
Go to Applications. Under Authentication Agents, click Add New.
Add ADSelfService Plus Server as an Authentication agent and click Save.
Go to Access. Under Authentication Agents, click Generate Configuration File.
Download AM_Config.zip (Authentication Manager config).
Extract sdconf.rec from the zip to <ADSSP-installation-dir>/bin. If there is a file named securid (the node secret file), copy it too.
That's it! You are now ready to use RSA SecurID with ADSelfService Plus.
Troubleshooting: Log in to your RSA admin console and go to the Reporting tab. Under Real-time Activity Monitors, click Authentication Activity Monitor, then click Start Monitor.
When this option is selected, ADSelfService Plus sends a verification code via email and/or SMS to the user's registered email address and mobile number. The user has to enter the verification code to log in successfully.
The email address and mobile number used for sending the verification code are taken from the user's enrollment data as well as from Active Directory.
To specify which attributes are to be used to fetch the email address and mobile number from AD:
You can select either email or SMS for sending the verification codes, or both.
Email Verification Code
Make sure you've configured the Mail Server.
Customize Subject and Message.
SMS Verification Code
Make sure you've configured the SMS Server.
Duo Security is a two-step verification service that provides additional security when accessing applications. Users can use the six-digit security codes generated by the Duo Mobile app to log in to ADSelfService Plus.
Steps to Integrate Duo Security with ADSelfService Plus
Log in to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com), or sign up for a new one and log in.
Go to Applications. Click Protect an Application.
Search for Web SDK. Click Protect this Application.
Copy the Integration key, Secret key, and API hostname into ADSelfService Plus and click Save.
Note: If you are using older versions of Internet Explorer, add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and the admin console (e.g., https://admin-325d33c0.duosecurity.com) as trusted or intranet sites.
Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.
RADIUS based two-factor authentication for ADSelfService Plus can be configured in just two simple steps.
Step 1: Integrate RADIUS with ADSelfService Plus
ipaddr = xxx.xx.x.xxx
secret = secretCode
nastype = other
Step 2: Configure ADSelfService Plus for RADIUS
Note: The Username Pattern is case-sensitive. Make sure you select the exact pattern (uppercase or lowercase) used by your RADIUS server.
Once configured, users will have to provide their RADIUS password, in addition to their domain password, to gain access to ADSelfService Plus.
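As an added illustration of what the shared secret in the Step 1 client entry does on the wire (example code written for this page, not part of ADSelfService Plus or of any RADIUS server), the following Python builds a RADIUS Access-Request with the User-Password hidden as RFC 2865 specifies and checks the Response Authenticator on the server's reply. The secret secretCode, the user name and the password are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct

SECRET = b"secretCode"  # constructed sample value matching the client entry above
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous cipher block),
    the first block using the Request Authenticator. Only the shared secret hides it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev, out = hidden[i:i + 16], out + bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret):
    """Client side: random Request Authenticator plus User-Name and hidden User-Password."""
    request_auth = secrets.token_bytes(16)
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if its authenticator proves knowledge of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = build_response(packet[0], packet[1], request_auth, secret, packet[20:])
    return hmac.compare_digest(expected[4:20], packet[4:20])
```

Because the hiding and the reply check are only as strong as the shared secret, use a long random value in production rather than a placeholder like secretCode. The Response Authenticator check is what lets the client reject an Access-Accept sent by a host that does not know the secret.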