PhenixID MFA Admin
PhenixID MFA Administration is a tool used by administrators for managing PINs and different kinds of tokens on behalf of other users.
The following user attributes can be searched/managed:
- Username (search only)
- First name
- Last name
- Mobile
The following token types are supported:
- Prefetch tokens (list of static OTPs assigned to a user)
- Software tokens (PhenixID Pocket Pass, Google Authenticator, etc.)
- Hardware tokens (OATH)
- PhenixID One Touch
Guide
Start the guide by clicking the '+' sign next to the MFA Admin menu item.
User store
Select existing or create a new user store connection. The user store is the (LDAP) directory where your users are stored.
Follow this guide if you choose to create a new connection
LDAP search settings
Configure how your user store is searched for users and administrators.
Configuration
- Search base: The search base to use when searching for users. Used for both authentication and searching for users to manage. Enter manually or browse directory by selecting Choose (see below).
- User identifier attribute: LDAP attribute uniquely identifying users. Used for authentication and search.
- Administrator role detection attribute: Attribute used for administrator role detection. If not specified, all users in the configured store can use the application (not recommended).
- Administrator role detection value: Value used for administrator role detection.
Administrator role detection attribute and value are used for creating a search filter matching administrators only to restrict who can use this application.
Use the LDAP browser to select a base DN for the search.
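As an added illustration (not code from the PhenixID product), the function below shows how the user identifier attribute and the administrator role detection attribute/value combine into one LDAP search filter, and why the filter must escape the supplied username. Attribute names and values in the comments and tests are constructed examples.

```python
# Added example, not PhenixID's implementation. Builds the user-lookup filter that the
# LDAP search settings describe. Attribute names used by callers are placeholders.
from typing import Optional


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 so input cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(user_id_attr: str, username: str,
                      role_attr: Optional[str] = None,
                      role_value: Optional[str] = None) -> str:
    """Filter used to authenticate or look up one user.

    With role_attr/role_value set, only entries carrying that role match, which is
    what restricts MFA Admin to administrators. Without them every user in the
    search base matches, the case the guide marks as not recommended.
    """
    user_clause = f"({user_id_attr}={ldap_escape(username)})"
    if not role_attr or not role_value:
        return user_clause
    role_clause = f"({role_attr}={ldap_escape(role_value)})"
    return f"(&{user_clause}{role_clause})"
```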
Attribute settings
Configure visible and editable user attributes and how to map them to LDAP entries.
Features
Enable application features.
Note: One Touch feature is only available if the One Touch backend components are configured and enabled using the One Touch guide.
PIN management
Configure PIN support. PINs are 4-digit codes used to add extra security when authenticating users. PINs are often used in combination with OTPs.
Configuration:
- Attribute: the LDAP attribute for storing the PIN. PIN will be stored in this attribute as a salted hash.
Note: To use PINs, you need to enable PIN support in your authentication guide(s).
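The attribute setting above stores the PIN as a salted hash. The following is an added example (not PhenixID's code) of what that looks like in practice: the stored-value format, the iteration count and the constant-time comparison are this example's own choices.

```python
# Added example, not PhenixID's implementation. Stores a 4-digit PIN as a salted,
# iterated hash and verifies it. The "pbkdf2-sha256$..." record format is constructed.
import hashlib
import hmac
import os
import re
from typing import Optional

PIN_RE = re.compile(r"\d{4}")
# A 4-digit PIN has only 10,000 possible values, so the hash must be slow per guess;
# the PIN is also expected to be combined with an OTP and a lockout policy, not used alone.
ITERATIONS = 200_000


def hash_pin(pin: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>' for storage in the PIN attribute."""
    if not PIN_RE.fullmatch(pin):
        raise ValueError("PIN must be exactly 4 digits")
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pin(pin: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2-sha256" or not PIN_RE.fullmatch(pin):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```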
Prefetch OTP management
Configure prefetch OTP. Prefetch OTPs are OTPs generated and distributed in advance to a user.
OTPs are generated in a batch and the same validity time applies for all OTPs in a batch. A user can only have one batch of OTPs assigned at a given time.
The list of prefetch OTPs can be printed or sent to the user by email or SMS.
OTPs can be revoked at any time.
Configuration
- OTP length: the length of the OTPs to generate. Any length is allowed; the longer the OTP, the more secure it is.
- Number of OTPs: Number of OTPs to generate in a batch.
- Require OTPs to be used in the defined order: Enable/disable the requirement to use the OTPs in the order they are defined in the batch.
- Number of days OTPs are valid: The number of days the generated OTPs are valid and can be used for authentication.
- Enable SMS: Enable/disable support for distributing OTPs to the user via SMS *
- Enable mail: Enable/disable support for distributing OTPs to the user via mail *
*) Requires Messaging module - will be configured if not already existing
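To make the prefetch OTP settings above concrete, here is an added in-memory model (not PhenixID's code) of a batch: OTP length, number of OTPs, the ordered-use requirement, validity in days, and revocation. It generalises the description slightly by treating every OTP as single-use in both modes; timestamps are Unix seconds.

```python
# Added example, not PhenixID's implementation. Models one user's prefetch OTP batch.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OtpBatch:
    otps: List[str]        # unused OTPs, in the order they were generated
    expires_at: float      # one validity time applies to the whole batch
    require_order: bool
    revoked: bool = False


def generate_batch(otp_length: int, count: int, valid_days: int, require_order: bool,
                   now: Optional[float] = None) -> OtpBatch:
    """Create a batch of numeric OTPs. A user holds one batch, so callers replace any old one."""
    now = time.time() if now is None else now
    otps: List[str] = []
    while len(otps) < count:
        otp = "".join(secrets.choice("0123456789") for _ in range(otp_length))
        if otp not in otps:  # keep OTPs unique within the batch
            otps.append(otp)
    return OtpBatch(otps, now + valid_days * 86400, require_order)


def verify_otp(batch: OtpBatch, candidate: str, now: Optional[float] = None) -> bool:
    """Consume one OTP. Ordered mode accepts only the next unused OTP; otherwise any unused one."""
    now = time.time() if now is None else now
    if batch.revoked or now >= batch.expires_at or not batch.otps:
        return False
    if not (candidate.isascii() and candidate.isdigit()):
        return False  # compare_digest needs ASCII; non-digits can never match anyway
    positions = [0] if batch.require_order else range(len(batch.otps))
    for i in positions:
        if hmac.compare_digest(batch.otps[i], candidate):
            del batch.otps[i]  # each OTP is single-use
            return True
    return False


def revoke(batch: OtpBatch) -> None:
    """Revocation is immediate: the remaining OTPs in the batch stop working."""
    batch.revoked = True
    batch.otps.clear()
```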
Pocket Pass
Configure Pocket Pass. Assign and revoke end user software tokens like PhenixID Pocket Pass and Google Authenticator used for multifactor authentication.
In the current version, only time-based, 6-digit OTPs are supported.
Configuration
- Issuer: Display name of token issuer. Visible in token application. Use your organisation name.
- Validity days: The number of days the token is valid and can be used for authentication.
- Enable online key provisioning:
- Enable SMS: Enable/disable support for distributing token activation URLs to the user via SMS *
- Enable mail: Enable/disable support for distributing token activation URLs to the user via mail *
*) Requires Messaging module - will be configured if not already existing
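The time-based 6-digit OTPs mentioned above are assumed here to be standard RFC 6238 TOTP (HMAC-SHA1, 30-second step), which is what apps like Google Authenticator implement. The code below is an added example, not Pocket Pass code: it generates and verifies such codes, applies the configured validity days, and builds the otpauth URI that carries the Issuer display name. The secret is the RFC 6238 test key; the account name is constructed.

```python
# Added example, not PhenixID's implementation. RFC 6238 TOTP with the issuer and
# validity-days settings from the Pocket Pass configuration. Times are Unix seconds.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """HMAC-SHA1 over the time counter, dynamic truncation, modulo 10^digits (RFC 4226/6238)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI the authenticator app enrols from; issuer is the configured display name."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, candidate: str, enrolled_at: int, validity_days: int,
                now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift; reject expired tokens."""
    now = int(time.time()) if now is None else now
    if now >= enrolled_at + validity_days * 86400:
        return False  # token is past its configured validity period
    if not (candidate.isascii() and candidate.isdigit()):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), candidate):
            return True
    return False
```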
Hardware tokens management
Configure hardware tokens. Assign and revoke end user hardware (physical) tokens used for multifactor authentication.
Requires the hardware token manager to be configured. It will be configured if not already existing.
Configure validity period for hardware tokens (optional)
Messaging
Configure messaging for sending SMS and email.
Network settings
If online key provisioning for Pocket Pass or One Touch is enabled, you need to configure the server external URL. Details here.
Finish
The guide is finished; click Create to create your MFA Admin configuration. After creating it, you can edit your settings by selecting the configuration in the left side menu below MFA Admin.
Edit settings
Edit configuration by selecting MFA Admin in the left side menu.
Use Save to save your changes (applies to all tabs) and Delete to delete this configuration.
When changes are saved, the server will immediately refresh to reflect your changes (including delete).
Note: Delete will not remove (possibly) shared configurations like connections (HTTP/LDAP) and hardware token manager.
General
Use the link on the right to open MFA Admin in a new browser window. Please note that depending on how your network is configured, the link may not work.
LDAP Settings
Edit LDAP search settings
Attributes
Edit attribute names and mappings
Pin Code
Edit PIN code attribute
Prefetch OTP
Edit settings for prefetch OTPs
SMS/mail is only available if messaging is enabled.
Pocket Pass
Edit Pocket Pass settings
- Maximum number of allowed tokens: Limit how many tokens a user can enroll. Leave blank for unlimited.
- Settings URL: HTTP URL to Pocket Pass settings file containing profile theme etc. URL must be reachable by your Pocket Pass clients.
Hardware token
Edit hardware token settings.
One Touch
Edit One Touch settings
- Maximum number of allowed tokens: Limit how many tokens a user can enroll. Leave blank for unlimited.
- External URL: The server external URL used by external devices. More information about server external URL.
- Use push: Enable One Touch push notifications
One Touch backend functionality is configured in a separate guide.
Messaging
Enable messaging and configure service credentials
SMS gateway credentials
- SMS username
- SMS password
Note: Contact PhenixID Support to receive your SMS gateway credentials
Mail configuration
- Mail host: Host for sending SMTP mail
- Mail port: Port for sending SMTP mail
- Mail sender address: The sender address (email address)
- Mail username: SMTP service username
- Mail password: SMTP service password
Note: PhenixID does not provide an SMTP service. To send SMTP emails you'll need to provide your own SMTP service.
Advanced
HTTP configuration allows running the application with custom HTTP settings.
- HTTP Configuration: Sets the reference to the HTTP connection.
- Enable two-factor: Enable MFA on the application. Currently token and SMS are supported as a second factor through configuration. Support is available for other authentication methods; contact support for more information.
Multiple MFA Admin applications
Some environments might have a use for multiple MFA admin applications.
The scenario guide supports this configuration, but an extra first panel is presented during configuration. This first panel contains the properties that differentiate this web app from the default one.