Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Multifactor Authentication for CTE GuardPoints

Setting up Multifactor Authentication with a One-Time-Password

search

Please Note:

printsuggest an editpdf paneldownload

Setting up Multifactor Authentication with a One-Time-Password

CipherTrust Transparent Encryption Multifactor Authentication supports KeyCloak OTP through direct grant flow. This topic explains how to configure OTP support in KeyCloak.

copy link to clipboardPrerequisites

copy link to clipboardEnabling OTP Authentication in KeyCloak

  1. Log in to the KeyCloak Admin Console. See KeyCloak documentation for more information.

  2. Select Authentication from the menu for your CTE realm, e.g. cte-linux. This is the area where you can configure the different credential types.

  3. Select the Browser Flow:

    a. Conditional OTP: Required

    b. Condition: User configured: Required

    c. OTP Form: Required

  4. Modify, clone, or create a new Direct Grant flow:

    Option 1:

    Modify the built-in direct grant flow, or clone a direct grant flow, by clicking Action > Duplicate.

    Update the flow as the follows:

    a. Username Validation: Required

    b. Password: Disabled

    c. Direct Grant: Conditional OTP: Required

    d. Condition: User configured: Required

    e. OTP: Required

    Option 2:

    Create a new direct grant flow:

    a. Select Create Flow

    b. Fill out the Name and Description

    c. Select flow type: Basic Flow

    d. Select Add step

    e. Select Username Validation: Required

    f. Select Add step

    g. Select OTP: Required

  5. Bind the generated direct grant flow to the client defined for CTE Linux:

    a. Choose the client setup for CTE Linux, and select Advanced

    b. Select Browser Flow: Browser

    c. Select Direct Grant Flow: <the new direct grant>

copy link to clipboardConfiguring OTP Policy

CTE Linux Multifactor Authentication only supports time-based OTP, which is the default KeyCloak OTP policy. To verify the policy configuration:

  1. Navigate to the CTE realm > Authentication.

  2. Select Policies > OTP Policy.

  3. Ensure that Time-based is selected.

    Note

    Counter-based is NOT supported with CipherTrust Transparent Encryption.

  4. Change other configurations as needed.

    Note

    Google authenticator only supports the algorithm: SHA1.

copy link to clipboardSetting Up User's OTP Authenticator

  1. Add a user that has permissions to access CTE clients.

  2. The user must install an authenticator that is able to provide an OTP token on their mobile phone.

    Note

    Thales recommends using Google Authenticator.

  3. Instruct the user to login through a web browser to the CTE realm account. See KeyCloak documentation for more information.

  4. Once authenticated, the OTP token form displays.

  5. The user needs to finish the setup of OTP authentication in the OTP token form.

copy link to clipboardConclusion

After a successful setup, the local users of the CTE Linux hosts can perform OTP authentication through voradmin mfa login or SSH login.

On this page