PhenixID MFA Admin
PhenixID MFA Administration is a tool used by administrators for managing PINs and different kind of tokens on behalf of other users.
The following user attributes can be searched/managed:
- Username (search only)
- First name
- Last name
- Mobile
The following token types are supported:
- Prefetch tokens (list of static OTPs assigned to a user)
- Software tokens (PhenixID Pocket Pass, Google Authenticator etc)
- Hardware tokens (OATH)
- PhenixID One Touch
Guide
Start guide clicking the '+' sign next to the MFA Admin menu item
User store
Select existing or create a new user store connection. The user store is the (LDAP) directory where your users are stored.
Follow this guide if you choose to create a new connection
LDAP search settings
Configure how your user store is searched for users and administrators.
Configuration
- Search base: The search base to use when searching for users. Used for both authentication and searching for users to manage. Enter manually or browse directory by selecting Choose (see below).
- User identifier attribute: LDAP attribute uniquely identifying users. Used for authentication and search
- Administrator role detection attribute: Attribute used for administrator role detection. If not specified, all users in the configured store can use the application (not recommended).
- Administrator role detection value: Value used for administrator role detection.
Administrator role detection attribute and value are used for creating a search filter matching administrators only to restrict who can use this application.
Use LDAP browser to select a base DN for search
Attribute settings
Configure visible and editable user attributes and how to map them to LDAP entries.
Features
Enable application features.
Note: One Touch feature is only available if the One Touch backend components are configured and enabled using the One Touch guide.
PIN management
Configure PIN support. PINs are 4 digit codes to be used for adding extra security when authenticating users. PINs are often used in combination with OTPs.
Configuration:
- Attribute: the LDAP attribute for storing the PIN. PIN will be stored in this attribute as a salted hash.
Note: To use PINs, you need enable PIN support in your authentication guide(s)
Prefetch OTP management
Configure prefetch OTP. Prefetch OTPs are OTPs generated and distributed in advance to a user.
OTPs are generated in a batch and the same validity time applies for all OTPs in a batch. A user can only have one batch of OTPs assigned at a given time.
List of prefetch OTPs can be printed or sent to the user using email or SMS.
OTPs can be revoked at any time.
Configuration
- OTP length: length of OTPs to generate. Can be of any length, the longer the more secure.
- Number of OTPs: Number of OTPs to generate in a batch.
- Require OTPs to be used in the defined order: Enable/disable the requirement to use the OTPs in the order they are defined in the batch.
- Number of days OTPs are valid: The number of days the generated OTPs are valid and can be used for authentication.
- Enable SMS: Enable/disable support for distributing OTPs to user via SMS *
- Enable mail: Enable/disable support for distributing OTPs to user via mail *
*) Requires Messaging module - will be configured if not already existing
Pocket Pass
Configure Pocket Pass. Assign and revoke end user software tokens like PhenixID Pocket Pass and Google Authenticator used for multifactor authentication.
In the current version only time based, 6 digits OTP are supported.
Configuration
- Issuer: Display name of token issuer. Visible in token application. Use your organisation name.
- Validity days: The number of days the token is valid and can be used for authentication.
- Enable online key provisioning:
- Enable SMS: Enable/disable support for distributing token activation urls to user via SMS *
- Enable mail: Enable/disable support for distributing token activation urls to user via mail *
*) Requires Messaging module - will be configured if not already existing
Hardware tokens management
Configure hardware tokens. Assign and revoke end user hardware (physical) tokens used for multifactor authentication.
Requires hardware token manager to be configured. Will be configured if not already existing.
Configure validity period for hardware tokens (optional)
Messaging
Configure messaging for sending SMS and email.
Network settings
If online key provisioning for Pocket Pass or One Touch is enabled, you need to configure the server external URL. Details here.
Finish
Guide is finished, click Create to create your MFA Admin configuration. After create you can edit your settings by selecting the configuration in the left side menu below MFA Admin
Edit settings
Edit configuration by selecting MFA Admin in the left side menu.
Use Save to save your changes (applies to all tabs) and Delete to delete this configuration.
When changes are save, the server will immediately refresh to reflect your changes (including delete).
Note: Delete will not remove possibly shared configuration like connection and handware token manager.
General
Use the link on the right to open MFA Admin in a new browser window. Please note that depending on how your network is configured, the link may not work.
LDAP Settings
Edit LDAP search settings
Attributes
Edit attribute names and mappings
Pin Code
Edit PIN code attribute
Prefetch OTP
Edit settings for prefetch OTPs
SMS/main is only available if messaging is enabled.
Pocket Pass
Edit Pocket Pass settings
- Settings URL: HTTP URL to Pocket Pass settings file containing profile theme etc. URL must be reachable by your Pocket Pass clients.
Hardware token
Edit hardware token settings.
One Touch
Edit One Touch settings
More information about server external URL.
One Touch backen functionality is configured in a separate guide.
Messaging
Enable messaging and configure service credentials
SMS gateway credentials
- SMS username
- SMS password
Note: Contact PhenixID Support to receive your SMS gateway credentials
Mail configuration
- Mail host: Host for sending SMTP mail
- Mail port: Port for sending SMTP mail
- Mail sender address: The sender address (email address)
- Mail username: SMTP service username
- Mail password: SMTP service password
Note: PhenixID does not provide an SMTP service. To send SMTP emails you'll need to provide your own SMTP service.
Advanced
Custom listener lets you configure a specific HTTP listener for the MFA Admin application. Use this setting if you want MFA Admin to use a different than default.
- Port: The port number to use. Must be a valid port number. The port must be unused or already in use for HTTP by the current server instance. If reusing an already used port, the listener will inherit SSL/TLS setting from the already started port.
- Use SSL/TLS: Enable SSL on port. Requires an SSL certificate. For One Touch and Pocket Pass to function properly, the server SSL certificate chain must be trusted by the devices.