Enable Push OTP and MobilePASS+
For Push OTP to be offered during authentication, the Push OTP feature must be enabled and the user must have a push-capable token enrolled in the MobilePASS+ application. To receive push notifications on their mobile device, the user must also have allowed push notifications for MobilePASS+ on that device.
Push OTP for SAS PCE
Customers must run their SAS PCE instances under a valid certificate issued by a publicly trusted certificate authority (such as DigiCert, VeriSign or GoDaddy). Self-signed certificates, and certificates issued by a private or internal CA, will not work: without a publicly trusted certificate on the SAS PCE server, the self-enrollment of MobilePASS+ tokens fails, because the mobile application validates the server certificate against the device's own trust store.
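A quick way to confirm that an SAS PCE server presents a usable certificate before rolling out MobilePASS+ enrollment is to fetch the certificate and validate it explicitly. The following PowerShell script is an added example, not part of the SAS documentation or the product; the hostname and port are assumptions and should be replaced with the FQDN that MobilePASS+ clients use for self-enrollment.

```powershell
# Added example (not from the SAS documentation): fetch the certificate an SAS
# PCE server presents and check that it is not self-signed, chains to a trusted
# root, covers the enrollment hostname and is not expired. The hostname below
# is an assumption; replace it with the FQDN MobilePASS+ uses for enrollment.
$HostName = 'sas-pce.example.com'
$Port     = 443

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = $null
try {
    # Accept any certificate during the handshake; validation is done explicitly below
    # so that a failing chain can be reported instead of throwing mid-handshake.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Build the chain against this machine's root store, with online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
$errors  = $chain.ChainStatus | ForEach-Object { $_.Status }

# A self-signed certificate has identical Subject and Issuer; a private CA would
# instead show up as a chain that does not build to a trusted root.
$selfSigned  = ($cert.Subject -eq $cert.Issuer)
# Subject Alternative Name check (exact match only; wildcard names are not expanded here).
$nameMatches = ($cert.DnsNameList.Unicode -contains $HostName)
$daysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SelfSigned    = $selfSigned
    ChainTrusted  = $chainOk
    ChainErrors   = ($errors -join ', ')
    NameMatches   = $nameMatches
    DaysToExpiry  = $daysLeft
    UsableForPush = (-not $selfSigned) -and $chainOk -and $nameMatches -and ($daysLeft -gt 0)
}
```

Passing this check is a necessary condition, not a sufficient one: the chain is built against the Windows root store of the machine running the script, while iOS and Android devices carry their own root stores, so a certificate from a CA that only Windows trusts can still fail on the phone. A `UsableForPush` of `False` with a `ChainErrors` value of `UntrustedRoot` or `PartialChain` is the typical signature of a self-signed or internally issued certificate, or of a server that does not send its intermediate certificates.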
This feature allows SAS on-premise customers to use push-enabled OTP tokens that receive the OTP through the SAS Cloud push service. Push is supported with MobilePASS+ on iOS, macOS, Chrome, Android, and Windows 10 desktop and mobile platforms. The SafeNet authentication agents that support Push for SAS Cloud (NPS Agent, Windows Logon Agent, Token Validator Proxy Agent, AD FS Agent, and FreeRADIUS Agent) also work with SAS PCE.
Once onboarding is complete, the customer configures and enables the Push feature; as part of that configuration, the client certificates issued by Thales Group are deployed on the SAS PCE server. These client certificates are required for mutual authentication between SAS PCE and the Out-of-band Server (OOBS) and SAS Push Service (SPS) servers of SAS Cloud. The configuration process involves the following steps:
Onboarding for MobilePASS+ enrollment requires client certificates issued by Thales Group; to obtain them, fill in the Certificate Requisition Form.
Deploy client certificates
Deploying client certificates in the customer's SAS environment involves importing them in P12 format. The administrator first exports the client certificates issued by Thales Group to P12 files, then imports the P12 files into Computer Account > Personal > Certificates in the Windows Certificate Store. If the administrator also wants to check the OOBS and SPS endpoints from a web browser, the same P12 files can additionally be imported into the Current User > Personal store.
In addition, the SAS administrator must grant Read permission on the private key of each imported client certificate to the NETWORK SERVICE account, so that the OOBS and SPS components can use the key. Grant the permission as follows:
- Navigate to Microsoft Management Console > Certificates > Computer account.
- Select a certificate, right-click and select All tasks > Manage private keys.
- Allow Read permission for NETWORK SERVICE account.
Follow the above steps for all available certificates.
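The same deployment can be scripted, which is useful when several certificates must be installed or when the ACL needs to be verified afterwards. The following PowerShell script is an added example, not part of the SAS documentation or the product; the P12 path is an assumption, the P12 password is prompted for rather than stored, and the script assumes an RSA client certificate (it would need adjusting for an ECDSA key). Run it from an elevated PowerShell session on the SAS PCE server.

```powershell
# Added example (not from the SAS documentation): import a Thales-issued client
# certificate in P12 format into the computer store and grant NETWORK SERVICE
# Read access to its private key, which is what the MMC steps above do by hand.
# The file path is an assumption; the password is prompted for, not stored.
$PfxPath = 'C:\SAS\certs\OOBS-client.p12'
$PfxPass = Read-Host -Prompt 'P12 password' -AsSecureString

# Import into Computer Account > Personal > Certificates (Cert:\LocalMachine\My).
# The private key is imported non-exportable by default, which is what we want.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPass

# Locate the private key file on disk so its ACL can be edited. CNG keys live under
# ProgramData\Microsoft\Crypto\Keys, legacy CAPI keys under ...\Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "No RSA private key found for certificate $($cert.Thumbprint)" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} else {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Grant Read only (not Full Control) to NETWORK SERVICE, the account OOBS/SPS run under.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the ACL took effect and report the serial number, which is the value
# entered later as the OOBS/SPS Client Certificate Serial Number in Push OTP Settings.
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$granted = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($readRight)
}
[pscustomobject]@{
    Thumbprint         = $cert.Thumbprint
    Subject            = $cert.Subject
    SerialNumber       = $cert.SerialNumber
    NotAfter           = $cert.NotAfter
    KeyFile            = $keyFile
    NetworkServiceRead = [bool]$granted
}
```

Run the script once per client certificate. `NetworkServiceRead` should be `True` for each; if it is `False`, the key is most likely stored in a different container than the two paths above (for example a hardware or third-party key storage provider), in which case fall back to the MMC steps. The reported `SerialNumber` should match the CERT_SERIAL listed in the README file of the certificate package.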
Enable Push OTP communication with MobilePASS+
In the SAS console, go to System, select the Enable Push OTP communication with MobilePASS+ check box, and click Apply to save the change.
Import push server settings
To import the required push settings into the customer's SAS environment, the administrator is provided with an encrypted push settings file and the password that decrypts it. Populate the SAS Push OTP settings as follows:
- Navigate to System > Communications > Push OTP Settings.
- In the Import Push OTP Settings section, click Choose File and select the encrypted settings file (PushSettings-{domainName}.xml) from the provided certificate package.
- Copy the encryption password from the MSM_PASSWORD/FileKey column of the {DomainName}.README.txt file into the File Key field.
- Click Import to populate the Push OTP settings.
- Click Apply to save the Push OTP settings to the database.
The Test button can be used to test the connectivity between SAS PCE and OOBS/SPS servers.
Once the client certificates are configured in the customer's SAS environment, the push functionality needs to be enabled from the SAS console.
Renew client certificate
Installation of certificate
To install the renewed certificate, follow the process described in Deploy client certificates. This step applies only to existing customers whose certificate is about to expire, not to new customers.
After the renewed certificate is installed, update the Push OTP settings so that they reference the new certificate:
Update SERIAL in SAS administrator
- Log in as the SAS administrator.
- Navigate to System > Communications > Push OTP Settings.
- Open the {DomainName}.README.txt file (it is included in the certificate package) and copy the CERT_SERIAL value.
- Enter the CERT_SERIAL value in the OOBS Client Certificate Serial Number and SPS Client Certificate Serial Number fields of Push OTP Settings.
- Click Apply.
- Click Test; a Success message appears when SAS PCE can reach the OOBS and SPS servers with the new certificate.
Enable Push functionality
- Enable push functionality by selecting the Enable Push OTP communication with MobilePASS+ check box at POLICY > Token Policies > Software Token & Push OTP Settings.
- Configure which tokens or devices are enabled for Push at POLICY > Token Policies > Software Token & Push OTP Settings.
Note
- SAS PCE customers should enroll (new customers) or re-enroll (existing customers) their MobilePASS+ tokens only after the SAS PCE server has been set up with the Push OTP feature enabled and connected to the Thales Group push service. Only MobilePASS+ tokens that are enrolled while SAS PCE is connected to the Thales Group push service become push capable.
- For Push OTP to work, outbound connectivity to the internet is required from SAS PCE, from the SafeNet agents, and from the devices holding MobilePASS+ tokens.
Enable the allowed targets and Push notifications
Push OTP functionality is enabled by default for newly created accounts, and disabled by default for upgraded accounts. Push OTP is independent per Virtual Server and can be enabled (or disabled) at any time. When Push OTP is disabled on the Virtual Server side, the MobilePASS+ application does not ask the user to grant push permissions.
For Push OTP to be permitted during authentication, the user must have a token enrolled in the MobilePASS+ application. The settings that you enable in this policy determine which targets are presented to users during the self-enrollment of MobilePASS tokens. You can restrict the OS types on which MobilePASS tokens are allowed to be activated or enrolled.
The enhanced approval workflow significantly accelerates the authentication process for MobilePASS+ (version 1.4 or higher) tokens. It enables users to manage push login requests without unlocking their mobile device.
Complete these steps on any Virtual Server that should support Push OTP:
- On the SAS console, select Policy > Token Policies.
- Select Software Token & Push OTP Settings.
- Select Enhanced approval workflow.
If Enhanced approval workflow is enabled, users with incompatible versions of MobilePASS+ receive an error message when the application opens. You can disable the enhanced approval workflow at any time to restore full functionality with earlier MobilePASS+ versions.
- For each Operating System and Device Type platform, select a MobilePASS application.
For iOS, Android, and Windows 10 Desktop/Tablet, you can choose between MobilePASS 8 and MobilePASS+. You can select one MobilePASS application per OS type. For example, you can enable either MobilePASS+ or MobilePASS 8 for iOS, but not both.
- For each platform that uses MobilePASS+, in the Push Notifications column, select either Enabled or Disabled.
It is highly recommended that you either enforce a device PIN or enable a PIN setting in the MobilePASS token template, so that only the device owner or token assignee can approve a push request.
- Click Apply.
You can enroll a new MobilePASS+ token in parallel to an existing MobilePASS 8 token.
Set the Push OTP Rejection Policy (optional)
Push notifications are sent only to registered devices with currently active, push-enabled tokens. You can set this user policy so that, if a user receives a push notification that they did not initiate and rejects it, they are sent a push notification rejection alert (see the example below). If the user's account is locked because of this Push OTP rejection, the body of the push notification rejection alert is appended to the user lockout alert that is sent to the user.
You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the user.
- On the SAS console, select Policy > User Policies.
- Select Push OTP Rejection Policy.
- Select Alert user on OTP push notification rejected, and then click Apply.
The following is an example of a push notification rejection alert that is sent to a user:
Set the Operator policy
You can optionally send a push notification rejection alert to the Operator if a user rejects a push notification that they did not initiate. The Operator can then investigate the log files if necessary.
You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the internal operator.
- On the SAS console, select Policy > Role Management > Alert Management.
- Click the corresponding Edit hyperlink for a role.
- Select Push Notification Rejection Operator Alert for the desired delivery methods, and then click Apply.
The following is an example of a push notification rejection alert that is sent to an Operator: