Configure applications for push OTP
Any application that is integrated through SafeNet RADIUS Service (FreeRADIUS), SafeNet SAML Service, SafeNet Agent for AD FS, or SafeNet Agent for NPS 2.0 can support push OTP. The agents provide two user interaction models:
- Rich user experience, which is provided by the SafeNet SAML Service and SafeNet Agent for AD FS
- Simple mode, which is provided by the SafeNet RADIUS Service
Some of the web-based RADIUS clients (for example, F5, NetScaler, or Citrix) require additional application integration. Refer to the appropriate integration guide for details (see the list in Application integration).
Agents with rich user experience
SafeNet SAML Service and agents such as AD FS provide a rich user experience, compared to the simple mode in the RADIUS integration.
With the rich user experience, logging into a protected application redirects the user to a modified login screen, which presents options to choose between push or manual passcode entry. In addition, users have the ability to cancel a push notification.
The passcode triggers that override push OTP also apply to the push behavior of the AD FS Agent and the SAML login. The passcode triggers are described in Triggering push notifications in the agent.
SafeNet SAML Service configuration
A SAML service can be customized to change how push OTP is displayed on the SAML login page.
In the STA Token Management console, enable and customize push OTP text for the SAML login page.
- On the STA Token Management console, select Comms > SAML Service Providers.
- Select SAML 2.0 Settings.
- To display controls on the SAML login page for selecting between push OTP and manually entering the OTP, under User Login Settings, select the Enable Push/Manual OTP Selector check box.
- To customize the SAML login page, modify the following descriptors under Login UI Customizations:
  - Push/Manual OTP Selector Text: Enter the text to replace “I want to:”.
  - Push OTP Button Text: Enter the text to display for the option to use push OTP.
  - Manual OTP Button Text: Enter the text to display for the option to use a manual OTP.
- Customize the remaining push OTP processing, cancellation, and authentication descriptors, as needed.
If the Enable Push/Manual OTP Selector option is disabled, the user can still trigger push or another challenge and response method with an empty passcode. Refer to Triggering push notifications in the agent for details.
SafeNet Agent for AD FS configuration
- Install the new SafeNet Agent for AD FS v2.0 with push OTP support.
- Configure the SafeNet Agent for AD FS to use push OTP:
  - Select Start > All Programs > SafeNet > Agents > ADFS Agent (run as administrator).
  - On the MFA Plug-In Manager window, click the Policy tab.
  - Under Default OTP Policy, click Push Challenge, and then click Apply.
By choosing the Push Challenge option, the AD FS integration automatically promotes push. The user is presented with the option to use either push or manual passcode entry.
SafeNet RADIUS Service
This type of application integration presents a simple user experience, which cannot be modified. Note the following behavioral changes:
- Unlike the AD FS Agent, the login screen cannot be modified. Therefore, users are not presented with options to either select push or use manual passcode entry. To trigger push OTP, users need to be instructed to leave the password field empty, or to type any 1-character passcode on the login screen.
- When deploying push OTP (and it is enabled for the virtual server), if your users previously used GrIDsure or SMS, after they enroll a token on MobilePASS+, they have the option to authenticate either with push OTP or with another authentication method by using a passcode trigger. Refer to Triggering push notifications in the agent for details.
Passcode triggers are not case-sensitive.
RADIUS configuration
The only configuration requirement to support the SafeNet RADIUS Service is to set the RADIUS timeout value to at least 60 seconds on the client machine.
Agents with simple mode user experience
SafeNet Agent for NPS 2.0 configuration
- Install SafeNet Agent for NPS 2.0 with push OTP support.
- Configure the SafeNet Agent for NPS 2.0 to use push OTP:
  - In the STA Token Management console, in Policy > Token Policies, enable push notifications.
  - In Policy > Token Policies, set MobilePASS+ as an allowed target.
- Set the NPS 2.0 timeout value on the client machine so that the product (time-out) x (number of retransmissions) is at least 60 seconds. For example, if retransmissions is set to 6, set time-out to 10 seconds or greater.
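The following is an added planning helper (not SafeNet or Thales code) that applies the two timeout rules from this page, a single RADIUS timeout of at least 60 seconds for the SafeNet RADIUS Service and timeout x retransmissions of at least 60 seconds for NPS 2.0, and classifies what a simple-mode user typed as a push trigger or a manual OTP. The 60-second window and the empty/1-character trigger rule come from this page; the function names are assumptions.

```python
import math

# Minimum time a RADIUS client must wait for the push OTP to complete (per this page).
PUSH_WINDOW_SECONDS = 60


def effective_wait_seconds(timeout_seconds: float, retransmissions: int = 1) -> float:
    """Total time a RADIUS client waits on one authentication before giving up.

    SafeNet RADIUS Service (FreeRADIUS): a single timeout, so retransmissions=1.
    NPS 2.0: the client retries, so the wait is time-out x number of retransmissions.
    """
    if timeout_seconds <= 0 or retransmissions < 1:
        raise ValueError("timeout must be positive and retransmissions at least 1")
    return timeout_seconds * retransmissions


def supports_push_otp(timeout_seconds: float, retransmissions: int = 1) -> bool:
    """True when the client will keep waiting long enough for a push approval."""
    return effective_wait_seconds(timeout_seconds, retransmissions) >= PUSH_WINDOW_SECONDS


def minimum_timeout_seconds(retransmissions: int = 1) -> int:
    """Smallest whole-second per-attempt timeout that still satisfies the 60 s window.

    With 6 retransmissions this returns 10, matching the page's worked example.
    """
    if retransmissions < 1:
        raise ValueError("retransmissions must be at least 1")
    return math.ceil(PUSH_WINDOW_SECONDS / retransmissions)


def passcode_entry_kind(passcode: str) -> str:
    """Classify a simple-mode login entry as 'push' or 'manual'.

    Per this page, an empty password field or any 1-character passcode triggers
    push OTP (or another method via a passcode trigger, which is not modelled here);
    triggers are not case-sensitive, so the character is folded before any lookup.
    """
    entry = passcode.strip()
    if len(entry) <= 1:
        entry = entry.casefold()  # case-insensitive trigger handling (unused value kept for clarity)
        return "push"
    return "manual"
```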