PhenixID MFA Admin

PhenixID MFA Administration is a tool used by administrators for managing PINs and different kind of tokens on behalf of other users.

The following user attributes can be searched/managed:

  • Username (search only)
  • First name
  • Last name
  • Email
  • Mobile

The following token types are supported:

  • Prefetch tokens (list of static OTPs assigned to a user)
  • Software tokens (PhenixID Pocket Pass, Google Authenticator etc)
  • Hardware tokens (OATH)
  • PhenixID One Touch

Guide

Start guide clicking the '+' sign next to the MFA Admin menu item

User store

Select existing or create a new user store connection. The user store is the (LDAP) directory where your users are stored.

Follow this guide if you choose to create a new connection

User store

LDAP search settings

Configure how your user store is searched for users and administrators.

Configuration

  • Search base: The search base to use when searching for users. Used for both authentication and searching for users to manage. Enter manually or browse directory by selecting Choose (see below).
  • User identifier attribute: LDAP attribute uniquely identifying users. Used for authentication and search
  • Administrator role detection attribute: Attribute used for administrator role detection. If not specified, all users in the configured store can use the application (not recommended).
  • Administrator role detection value: Value used for administrator role detection.

Administrator role detection attribute and value are used for creating a search filter matching administrators only to restrict who can use this application.

LDAP search settings

Use LDAP browser to select a base DN for search

Attribute settings

Configure visible and editable user attributes and how to map them to LDAP entries.

Attribute settings

Features

Enable application features.

Note: One Touch feature is only available if the One Touch backend components are configured and enabled using the One Touch guide.

Features

PIN management

Configure PIN support. PINs are 4 digit codes to be used for adding extra security when authenticating users. PINs are often used in combination with OTPs.

Configuration:

  • Attribute: the LDAP attribute for storing the PIN. PIN will be stored in this attribute as a salted hash.

Note: To use PINs, you need enable PIN support in your authentication guide(s)

PIN management

Prefetch OTP management

Configure prefetch OTP. Prefetch OTPs are OTPs generated and distributed in advance to a user.

OTPs are generated in a batch and the same validity time applies for all OTPs in a batch. A user can only have one batch of OTPs assigned at a given time.

List of prefetch OTPs can be printed or sent to the user using email or SMS.

OTPs can be revoked at any time.

Configuration

  • OTP length: length of OTPs to generate. Can be of any length, the longer the more secure.
  • Number of OTPs: Number of OTPs to generate in a batch.
  • Require OTPs to be used in the defined order: Enable/disable the requirement to use the OTPs in the order they are defined in the batch.
  • Number of days OTPs are valid: The number of days the generated OTPs are valid and can be used for authentication.
  • Enable SMS: Enable/disable support for distributing OTPs to user via SMS *
  • Enable mail: Enable/disable support for distributing OTPs to user via mail *

*) Requires Messaging module - will be configured if not already existing

Prefetch OTP management

Pocket Pass

Configure Pocket Pass. Assign and revoke end user software tokens like PhenixID Pocket Pass and Google Authenticator used for multifactor authentication.

In the current version only time based, 6 digits OTP are supported.

Configuration

  • Issuer: Display name of token issuer. Visible in token application. Use your organisation name.
  • Validity days: The number of days the token is valid and can be used for authentication.
  • Enable online key provisioning:
  • Enable SMS: Enable/disable support for distributing token activation urls to user via SMS *
  • Enable mail: Enable/disable support for distributing token activation urls to user via mail *

*) Requires Messaging module - will be configured if not already existing

Pocket Pass

Hardware tokens management

Configure hardware tokens. Assign and revoke end user hardware (physical) tokens used for multifactor authentication.

Requires hardware token manager to be configured. Will be configured if not already existing.

Configure validity period for hardware tokens (optional)

Messaging

Configure messaging for sending SMS and email.

One Touch

Confirmation of enabled One Touch. One Touch is configured in a separate guide.

One Touch

Network settings

If online key provisioning for Pocket Pass or One Touch is enabled, you need to configure the server external URL. Details here.

Network settings

Finish

Guide is finished, click Create to create your MFA Admin configuration. After create you can edit your settings by selecting the configuration in the left side menu below MFA Admin

Finish

Edit settings

Edit configuration by selecting MFA Admin in the left side menu.

Use Save to save your changes (applies to all tabs) and Delete to delete this configuration.

When changes are save, the server will immediately refresh to reflect your changes (including delete).

Note: Delete will not remove possibly shared configuration like connection and handware token manager.

Edit settings

General

Use the link on the right to open MFA Admin in a new browser window. Please note that depending on how your network is configured, the link may not work.

General

LDAP Settings

Edit LDAP search settings

LDAP Settings

Attributes

Edit attribute names and mappings

Attributes

Pin Code

Edit PIN code attribute

Pin Code

Prefetch OTP

Edit settings for prefetch OTPs

SMS/main is only available if messaging is enabled.

Prefetch OTP

Pocket Pass

Edit Pocket Pass settings

  • Settings URL: HTTP URL to Pocket Pass settings file containing profile theme etc. URL must be reachable by your Pocket Pass clients.
Pocket Pass

Hardware token

Edit hardware token settings.

Hardware token

One Touch

Edit One Touch settings

More information about server external URL.

One Touch backen functionality is configured in a separate guide.

One Touch

Messaging

Enable messaging and configure service credentials

SMS gateway credentials

  • SMS username
  • SMS password

Note: Contact PhenixID Support to receive your SMS gateway credentials

Mail configuration

  • Mail host: Host for sending SMTP mail
  • Mail port: Port for sending SMTP mail
  • Mail sender address: The sender address (email address)
  • Mail username: SMTP service username
  • Mail password: SMTP service password

Note: PhenixID does not provide an SMTP service. To send SMTP emails you'll need to provide your own SMTP service.

Messaging

Advanced

Custom listener lets you configure a specific HTTP listener for the MFA Admin application. Use this setting if you want MFA Admin to use a different than default.

  • Port: The port number to use. Must be a valid port number. The port must be unused or already in use for HTTP by the current server instance. If reusing an already used port, the listener will inherit SSL/TLS setting from the already started port.
  • Use SSL/TLS: Enable SSL on port. Requires an SSL certificate. For One Touch and Pocket Pass to function properly, the server SSL certificate chain must be trusted by the devices.
Advanced

Multiple MFA Admin applications

Some environments might have a use for multiple MFA admin applications.

The scenario guide will support the configuration, but an extra first panel will be presented during the configuration. This first panel will contain the properties to differentiate this webapp from the default one.

Config additional MFA Admin

Additional MFA Admin configured