DIGIPASS Authentication for TAM - Vasco

More documents

Recommendations

Info

11 DIGIPASS Authentication for TAM DIGIPASS Authentication for TAM For more information on these attribute, please refer to VASCO documentation and/or the DIGIPASS CDAS Installation & Administration Guide. 5.2 REPOSITORY FAIL-OVER Validation of the user’s pin code is done by the CDAS using the VACMAN Controller API. It is a stand-alone library that takes the user’s pin code and the BLOB that is currently associated with the user’s token. To avoid replay of pin codes and to allow for token synchronization, the CDAS should always be able to get hold of the latest BLOB. Therefore, the DIGIPASS CDAS foresees an LDAP fail-over mechanism. This mechanism is shown in the following figure: To make sure that the DIGIPASS CDAS is always able to fetch the most up-to-date BLOB, it is able to talk in fail-over mode to LDAP. It will always try the first mentioned LDAP server first; if that server fails it will try the next LDAP, and so on until it has tried all known LDAP servers. If no working LDAP server can be found, the authentication request will fail. The CDAS should however also make sure that the updated BLOB gets written back to LDAP. As such it would be best practice to work with a multi-master LDAP cluster. However, as this is not always possible, the CDAS can be configured to continue with the authentication process even if it cannot write the BLOB back into LDAP. As long as this situation is not persistent, the token will be synchronized (if needed) at a later stage. Anyhow, the CDAS will also report BLOB update failures in its log file. 5.3 SECURITY CONSIDERATIONS The DIGIPASS CDAS can be configured to talk LDAP over SSL with the LDAP servers. It will bind to LDAP using a (configurable) user with appropriate credentials to read and write the token information. 5.4 TOKEN INITIALISATION The DIGIPASS CDAS comes with a command line tool for initializing tokens. This tool takes two input files: DPX file “TAM user to token” mapping file
12 DIGIPASS Authentication for TAM DIGIPASS Authentication for TAM The DPX file is delivered by VASCO together with the tokens. It contains all the token related information that goes into the LDAP server. The second file contains an entry for each existing TAM user that needs a new or updated token. The tool basically generates the DIGIPASS subentry as shown above. 5.5 THE DIGIPASS CDAS PROCESS The DIGIPASS CDAS is fully in line with the CDAS specification as listed in the WebSEAL Developers Reference guide. This means that it supports the following functions: xauthn_initialize() xauthn_shutdown() xauthn_authenticate() xauthn_change_password() Although the DIGIPASS CDAS can be used where step-up authentication is needed, it should be noted that in some cases the selection of the authentication mechanism is not necessarily controlled by the required authentication levels but merely by the fact that a user possesses a token or not. In such a case the DIGIPASS CDAS can be configured to support both username/password and one-time password. This is controlled by setting the LDAP attribute employeeType, as shown by the following screen dump.
Page 1 and 2: WHITEPAPER DIGIPASS Authentication
Page 3 and 4: Table of Contents 2 DIGIPASS Authen
Page 5 and 6: 1 Preface 4 DIGIPASS Authentication
Page 7 and 8: 6 DIGIPASS Authentication for TAM D
Page 9 and 10: 8 DIGIPASS Authentication for TAM D
Page 11: 10 DIGIPASS Authentication for TAM
Page 15 and 16: 14 DIGIPASS Authentication for TAM

DIGIPASS Authentication for TAM - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?