Alified Authentication Server
This documentation applies to Alified Authentication Server v.1.8.1
Table of Contents
- Alified Authentication Server
Abrevations
Thru out the documentation, the following abbreviations are used:
| Abbreviation | Description |
|---|---|
| AAS | Alified Authentication Server |
| EUP | End User Portal Portal |
| MFA | Multi Factor authentication |
| OTP | One Time password |
| ADFS | Active Directory Federation Services |
| [some text] | Is used to specify that the complete block including "[" and "]" should be replaced by a user specified value |
Requirements
AAS is build to be utilizing as few resources as possible. However, the use of the different features will require more or less resources in form of CPU and RAM. The default configuration with 1 CPU and 1GB RAM will support < 50.000 MFA users (RADIUS and ADFS adapter). Activating the EUP and SSPR features increase the load on the appliance and might depending the amount of traffic need additional CPU and RAM resources. The default configuration with a single node will probably support at least 10.000 ADFS / SSPR users but this has baselined in each environment.
The time out setting for the administrative portal is 30 minutes.
To set up a two node cluster, the nodes must be able to communicate using TCP port 3306 as destination port.
Supported hypervisors
AAS supports the following hypervisors:
- VMWare ESX/vSphere > 5.0.0
- Citrix Hypervisor (aka. XenServer) > 6.2
- Microsoft HyperV > 2012
- Azure
Quick start
To get up and running in a short time, the basic steps is to:
- Import the appliance to your hypervisor of choice.
- Configure network settings using the hypervisor console ot web based GUI. Don't forget to configure at least one working NTP server.
- Aquire a license from your Alified representative by supplying the HostID of a single or master node.
- Apply the license code.
- Verify General settings and enter a Appliance LDAP admin group.
- Configure LDAP backend settings.
- If you want to enable the mail based daemon, Google Authentication code distribution using email and/or administrative email alerts, complete the Mail settings configuration.
- Configure and enable at least one RADIUS daemon.
- Add one or more RADIUS clients.
- Configure at least one user to use the configured authentication method or methods.
Appliance configuration and usage
Log on to the administrative portal by accessing one of the appliances using http://[ip-address] or https://[ip-address] of the appliance. The ip-address can be found using either the hypvervisor console or the virtual console of the Alified VM.
Dashboard
The dashboard displays an overview of the current authentication metrics as well as some appliance and cluster status. All metrics on the dashboard but the Authentication metrics graph are updated every 10 seconds.
Top row
The top row displays appliance status, current used and available licenses, successful and failed logins. You can go directly to the full log by clicking on any of the green (success) or red (failed) boxes.
Appliance status line
The appliance status line displays the local appliance status metrics as CPU load, memory and disk usage. It also displays the time collected from the current appliance which can be usable since all time based authentication methods as Google / Microsoft Authenticator and hardware and software tokens are time sensitive.
Authentication metrics
The Authentication metrics frame displays a graph of authentication success rate. The displayed time frame can be adjusted using the drop down box at the top right of the frame.
Real time activity
The Real time activity frame displays the last 10 log entries.
Users
To support a lot of different usage scenarios, AAS can fetch user information from different sources.
- Local users
- LDAP users
- External database users
- WebAuth users
NOTE When deleting a user, ALL log entries liked to that user will also be deleted.
The Users menu allows you to perform user based operations. The search field searches both the local database as well as the LDAP backend.
User card
The user card is displayed when a users is searched for or opened by using the edit button in the List all users table. In the user card, and administrator can change which MFA features a user will have access to as well as entering tags or delete the user from the local database.
The header of the user card will state if the user account is a local only user or fetched using LDAP.
If Authenticator is enabled, an administrator can download a .PDF file or choose to send the same .PDF with enrollment information to the user using e-mail. This requires that e-mail settings is configured and that the user has an e-mail address specified or fetched using LDAP.
Tags
A user can have one or more tags to be used to group users. The tags field a free text field and tags can be entered in any formate suitable.
Local users
Local users are stored in the local database of the appliance(s). Local users don't validate to a back end user source and can be used to supply an "island" authentication source using the supported authentication methods.
Import users
It is possible to import a list of user and optional automatically enable Authenticator for all imported users.
| Option | Description |
|---|---|
| Enable Authenticator by default | Check this to enable Authenticator for all imported users |
| Enable send e-mail by default | Check this to send an enrollment e-mail to all imported users with an e-mail address. |
| Add optional header text to e-mail | Add this text as a message heading |
| Optional attachment | Attach this file to the message (could be enrollment instructions) |
| Select a CSV user file | Select the .CSV file to import |
Note that there is a link to a sample .CSV file at the bottom of the page.
Add local user
A local user can be added using the Add local user button in the Users menu.
NOTE A local users doesn't have a "normal" password. A local users expects to use the generated MFA as password.
When adding a local users, the only mandatory field is the username.
| Option | Description |
|---|---|
| Enter username | Enter the users username |
| Enter e-mail address | Enter en optional user e-mail address |
| Enter mobile phone | Enter an optional mobile phone number used for SMS MFA |
| Enter tags | Enter optional user tag(s) |
| Enable Authenticator | Enable Authenticator for the new user |
| Send e-mail with enrollment information | Send enrollment information to the user using e-mail |
List all users
The List all users button opens a searchable list of all users registered in the local database.
The Show Authenticator keys button makes the Authenticator seeds for the currently visible users.
Logs
Using the logs menu selection, an administrator can access the detailed authentication logs. You can step thru the different log pages as well ass search to complete log database using the search bar.
Licensing
To enable the different features of AAS, you need to install a valid license key. You can add as many license keys as you want. The total amount of licenses for each feature will be aggregated. If the appliance cannot find a valid license, all services are stopped.
NOTE If AAS services is stopped due to missing licenses, it can take up to one minute for the appliance to detect the new license and start it's services.
All license keys are linked to the Host ID that are displayed in the Licensing menu selection. The Host ID is unique for each AAS node.
Licensing are applied to the Master node in a HA setup. The Slave node will piggy back on the master nodes licenses and no additional licenses are required to run a active active cluster setup.
To ass a new license, press the Add new button and enter the license key you have received.
NOTE Until a valid license is installed, there will be limited menu options available.
Appliance management
Restore a configuration backup
Here you can restore a previous downloaded backup archive.
NOTE Restoring a backup completely reverts all configuration, user settings and logs to the point of when the backup was created!
Reboot Appliance
This reboots the entire appliance.
Restart server daemons (services)
Restart all services including RADIUS and HTTP / web services.
Backup configuration
Create and download a backup archive.
Change local admin Password
Change the local admin account password.
Update appliance FW
Upload and apply a new firmware. Make sure to apply this to the master node first.
Settings
The settings menu contains sub menus with settings which is common for all or most features of the appliance.
General settings
| Option | Description |
|---|---|
| Site name | Site name that will displayed as the Authenticator source and as name at login and usage of the User Portal |
| Admin site URI alias | If you want or need to access the administrative portal using a sub or virtual path/directory, the virutla path name can be configured here. |
| Appliance LDAP admin group | Name of LDAP group with administrators with access to the administrative portal. Specified as the "real" name like: MFA Admins |
| Appliance Timezone | Choose the desired timezone for log time and dates. |
| HOTP Token look ahead | When using HOTP (counter based) hard or software based tokens, this number represents the number of "failed" logon attempts a user can make before the token becomes out of sync. |
| Enable automatic license recycling (1 year) | Check this to automatically delete users (and linked log entries) for users that hasn't used the service in the last 12 month. |
User Portal settings
This menu controls the End User Portal settings.
NOTE You cannot use the same ports for the EUP as the administrative portal.
| Option | Description |
|---|---|
| Enable user portal | Check this to enable the EUP |
| Web server HTTP port | Specify which port to use for the EUP |
| Web server URI Alias | If you need to access the EUP using a virtual url or path, enter the name of the virtual alias here. |
| Whitelisted IP-addresses | List a comma separated list of ip's and or networks that can log on to the EUP using username and password only (without MFA) |
| Blacklisted IP-addresses | List any ip-address and or network here that will force use of MFA for log on. |
| Upload custom background | Select a custom background image for the EUP to Upload |
| Delete custom background | check this to delete the custom background image and revert to the default background image. |
| Upload custom logo | Select a custom EUP logo to Upload |
| Header text for Authenticator enrollment | Enter text to be displaed at the home page of the EUP |
| Delete custom logo | Check this to delete the custom logo |
Network settings
| Option | Description |
|---|---|
| Hostname FQDN | The fully qualified hostname (FQDN) of the current host. ex. alified01.domain.local |
| IP-address | Configure a static ip-address of the current appliance. Leave empty to use DHCP |
| Subnet mask | The subnet mask of the attached network |
| Default gateway | Appliance default gateway |
| DNS server 1 | DNS server 1 |
| DNS server 2 | DNS server 2 |
| NTP server 1 | NTP server 1 |
| NTP server 2 | NTP server 2 |
| Syslog server (optional) | Enter ip-address of a syslog server to forward log messages |
HA settings
AAS can be configured in single mode or in a two node active / active cluster. All state, user and log information is replicated in real time between the both nodes in cluster setup so there is no need to configure persistence in a load balanced setup.
In a cluster setup, only the master node has to be licensed. The Slave node uses the licenses of the Master node.
To configure HA between two nodes:
- Choose which node that should have the Master node and set it's role to master.
- Enter the hostname (can be either the short name or FQDN) of the Slave node.
- Enter the ip-address of the Slave node.
- Save the configuration.
Head over to the slave node and:
- Set it's role to slave.
- Enter the hostname (can be either the short name or FQDN) of the Master node.
- Enter the ip-address of the Master node.
- Save the configuration.
- Press the Intialize Slave button.
The Slave node now fetches information from the Master node and if successful, the HA Status on both the Master and Slave node till state HA initialized.
If the HA Status don't states HA initialized, please make sure the both nodes can communicate over TCP 3306.
LDAP backend settings
AAS uses LDAP over TCP port 389. There is an option to disable TLS but we strongly advice against it.
| Option | Description |
|---|---|
| LDAP server IP | IP-address of LDAP server or load balanced LDAP servers. |
| LDAP user | LDAP bind user in UPN format. ex. svc_ldap@domain.local |
| LDAP password | Password for the LDAP user |
| LDAP base path | LDAP base path in distinguished name (DN) format. ex. DC=domain, DC=local |
| LDAP user attribute | LDAP user attribute to use as user in local database |
| LDAP sms attribute | LDAP attribute that holds the user mobile phone number |
| LDAP BankID attribute | LDAP attribute that holds the user ssn (Only used with Swedish BankID) |
| LDAP domain | LDAP domain in domain format. ex. domain.local |
| Use TLS | Enable or disable use of TLS for LDAP communication |
NOTE You can only use ONE ip-address for LDAP server.
SMS providers
AAS uses external SMS service providers to send OTP's using text messages. These providers are accessed using a HTTP(s) calls.
Each SMS prover is assigned a weight value. Providers with the same value will be accessed in a round robin scheme and if more than one provider is configured but with different weight values, the providers will be access in a failover scheme where to lowest value will be more preferred than a higher value.
You add provers by pressing the Add new button a the SMS providers menu. From the SMS providers menu, you can add, edit and delete SMS providers.
JSON REST with header basic auth
This provider type sends a JSON payload with the username and password. It authenticates to the API using a basic header bearer. This method is used by for example Generic Mobile.
| Option | Description |
|---|---|
| Provider | The name of the provider |
| URL | The API endpoint URL |
| Weight | Provider weight used to select provider selection scheme |
| Username | API username |
| Password | API password |
| Sender | Name of sender inte the text message |
| OTP Text | Text to prefix the OTP passcode with |
POST data
- URL Path:
/SmsGateway/api/v1/Message - Auth header:
Authorization - Basic [base64 encoded username:password]
JSON payload
{
"From": "[username]",
"To": "[phone number]",
"Text": "[OTP Text]",
}HTTP POST
When configuring a HTTP POST provider, you configure the field names that the API endpoint expects.
| Option | Description |
|---|---|
| Provider | The name of the provider |
| URL | The API endpoint URL |
| Weight | Provider weight used to select provider selection scheme |
| Message arg | POST field for the message text |
| Number arg | POST field for the recipient number |
| OTP Text | Text to prefix the OTP passcode with |
HTTP GET
When configuring a HTTP GET provider, you configure url query parameters that the API endpoint expects.
| Option | Description |
|---|---|
| Provider | The name of the provider |
| URL | The API endpoint URL |
| Weight | Provider weight used to select provider selection scheme |
| Message arg | GET parameter for the message text |
| Number arg | GET parameter field for the recipient number |
| OTP Text | Text to prefix the OTP passcode with |
Other SMS Settings
The Other SMS Settings frame displays generic SMS configuration parameters.
| Option | Description |
|---|---|
| Auto provision users for SMS | Enables a user to auth enroll for the SMS service. If disabled, an administrator must enable users one by one to be able to use SMS MFA. |
| SMS OTP timeout | Number of seconds a SMS OTP is valid |
| SMS OTP length | Consgiures how meny didgets a SMS OTP will be |
Mail settings
Configure mail setting to be able to send enrollment information to users, administrative messages and usage reports.
| Option | Description |
|---|---|
| Test your settings | Enter an e-mail address and press Send to try your saved mail settings. NOTE You have to save the configuration before testing it |
| SMTP server | Enter the ip-address or hostname of a valid SMTP server |
| SMTP port | Enter the TCP port of the SMTP server (usually 25) |
| SMTP user (optional) | If the SMTP server requires authentication, enter the username to use to log on to the SMTP server |
| SMTP password (optional) | If the SMTP server requires authentication, enter the password to use to log on to the SMTP server |
| SMTP from name | Enter the name whih will be displayed as the sender of messages from AAS |
| SMTP from address | Enter the e-mail address to use as sender (and reply to) address of messages from AAS |
| Administrators e-mail addresses (separate with ,) | Enter one or more administator e-mail address(s) who should receive administrative messages and usage reports |
| Force SMTP to use TLS | Force SMTP to use TLS |
BankID settings
The settings in the BankID settings menu are specific the Swedish BankID service.
BankID
| Option | Description |
|---|---|
| Provider | AAS support BankID, CGI and Svensk e-identitet as BankID providers. |
| Environment | Choose if you want to access the test/development API or production |
| API User / ServiceId | Enter the API usernme or service id |
| API Password | Enter the API password |
| API Secret | Enter the API secret |
| External IP | Enter the external ip that will be seen by the BankID API |
When using the native BankID API, you will be provided with two authorization certificates. The certificates for the test environment is common for all customers but you will have to upload your certificates used for production. The certificates has to be in .PEM format and without a key password.
CGI
| Option | Description |
|---|---|
| Provider | AAS support BankID, CGI and Svensk e-identitet as BankID providers. |
| Environment | Choose if you want to access the test/development API or production |
| API User / ServiceId | Enter the API usernme or service id |
| API Password | Enter the API password |
| API Secret | Enter the API secret |
| External IP | Enter the external ip that will be seen by the BankID API |
MFA
Using the MFA menu, an administrator can configure all MFA specific settings.
Manage HW/SW tokens
Using the Manage HW/SW tokens menu, you can manage user hardware and software tokens.
Unassign releases a token from a user and makes it available for assignment to another user.
Delte completely removes the token from the token database.
Add new HW/SW token
Using the Manage HW/SW tokens menu you can manually add hardware and / or software tokens. By pressing the Add new you can enter the token information or using the button Generate SW token to create a new software token with a random seed.
NOTE Make sure to select the correct token Type.
| Option | Description |
|---|---|
| Serial | Enter token serial name. If using software tokens, this will automatically be the next available serial number |
| Model | This is a free text field used to identify the token models |
| SEED | Enter the token secret seed |
| Type | Select TOTP (Time based) or HOTP (counter based) |
Manage grids
Grid tokens are generated in advance and then assigned to end users. By pressing Add new, you will be able to enter the number of new grids to create.
In the Grids frame, an administrator have the option to unassign a grid from a user as well ass completely remove a grid from the grids database or download the grid as a .PDF document.
RADIUS clients
| Option | Description |
|---|---|
| IP address | The ip-address of the RADIUS client |
| Secret Key | The RADIUS secret key for the RADIUS client |
| Prompt | The password prompmt sent to the client if the MFA method is of the type Challenge Response |
| Use LDAP auth | Applies to Challenge Response MFA methods. If configured, AAS uses the users username and password to authenticate agains the LDAP server as an extra level of security. |
RADIUS daemons
From the RADIUS daemons menu, an administrator can configure which MFA methods that will be available and optionally set the listening port for each of them.
| Option | Description |
|---|---|
| Daemon | The name of the RADIUS daemon |
| Challenge / Response | Displays if the RADIUS daemon is Challenge Response based |
| Port | The listening port of the specific RADIUS daemon |
| LDAP Group | Enter a LDAP group in distinguished name (DN) format ex. DC=domain, DC=local to select a LDAP group that users must be a member of to be able to use the current RADIUS daemon / MFA method |
| Enabled | If the specific RADIUS daemon / MFA method is enabled |
SQL backend settings
AAS can do backend authentication using a native SQL query to an external Microsoft SQL or mySql / MariaDB database.
| Option | Description |
|---|---|
| Enable SQL backend | Check to enable the SQL backend feature |
| Database server type | Select Microsoft SQL or MySQL |
| Database server name or IP | Enter the hostname or ip-address of the backend database server |
| Database server port | Enter the port used by the backend database server |
| Database name | Enter the name of the database to connect to |
| Database user name | Enter a database username that have at least read access to the specified database |
| Database password | Enter the database user password |
| SQL Query | Enter the SQL query used to fetch the user information |
| Hashed passwords (PBKDF2) | Check is passwords are stored as PBKDF2 hashes in the backend database |
| SQL pwd hash format | Here you can specify the format of the PBKDF2 hash |
SQL Query
The SELECT query must return a single line with the following column names:
The SELECT query takes one single input which is the username. Insert the username in the SELECT query as $username.
| Column name | Description |
|---|---|
| username | The returned username to match against AAS local database |
| password | The user password in clear text or if enabled, as a PBKDF2 hash |
| mobile | The user mobile phone number if text message based MFA is used |
WebAuth settings
AAS can do backend authentication using a WebAuth based API. WebAuth uses JSON payloads for both request and response.
| Option | Description |
|---|---|
| WebAuth URL | Enter the URL of a WebAuth based authentication backend API. |
WebAuth request format
{
"auth":
{
"username": "[username]",
"password": "[password]"
}
}WebAuth response format
The result key must be accept for a successful authenticaton and reject for a failed authentication.
{
"authresponse":
{
"result": "",
"email": "",
"mobile": "",
"phone": ""
}
}API settings
Using the API settings menu, and administrator can configure API settings.
| Option | Description |
|---|---|
| ADFS Servers | Enter a comma (,) delimited list of ip-address of ADFS servers that will use the ADFS plugin. |
SSPR
The SSPR menu is used to configure SSPR features.
SSPR settings
| Option | Description |
|---|---|
| Enable SSPR | Check to enable the SSPR features |
| Enable BankID | Check to enable BankID as MFA method for password reset |
Self Service Password Reset
AAS has two different features for user self service password reset.
- Password Change
- Password Reset
All SSPR features requires the LDAP service account to have rights to change other users password
Password Change
Password Change is a feature which allows end users to change their password using a web based portal as long as they still know their current password.
The Password Change feature is available on the same IP address and port as the administrative portal (80, 443). The URL to the Password Change feature are: /pwd/change
Password Reset
Password Reset is a feature which allows end users to reset a lost password using any of the configured MFA methods supported by AAS. The URL for Password Reset is available at: /pwd/reset and are using port 82 (unencrypted) and 8444 (encrypted).
End User Portal
The End User Portal is a web portal where the end users can enroll configured MFA features them self. The EUP is optional and is configured at Settings/User Portal settings.
The EUP defaults to a forms based login page. It will also accept login using the following methods:
HTTP Basic
- Use: username and password as logon parameters.
POST
- Use: username and password as POST fields.
GET
- Use: ?username=[username]&password=[password] as get parameters.
REST API
AAS has a API that can be used to interface the Appliance and integrate it with other services.
The API is accessible on the same ip-address and port as the administrative portal (80, 443) and the base path is: /api/v1
The API has it's own documentation which is available at /api/v1/docs
NOTE Currently, only the public unauthenticated parts of the API is accessible. The ADFS PLugin uses ip whitelisting to provide the best performance possible.
ADFS Plugin
AAS comes with an ADFS plugin which can be installed in an ADFS infrastructure to allow the use of Alifieds MFA methods and configuration.
To be able to use the plugin, configure AAS using the MFA/APIsettings menu to allow specified ADFS server to use the plugin with your AAS environment.
When installing the ADFS plugin, it will ask you for a server address. This is the ip-address or server name of the AAS server or in a cluster setup, a load balanced ip / vip of the AAS nodes.
The ADFS plugin reads the user configuration for each user at logon and presents the available MFA methods.
Guides
First time setup
Importing the virtual appliance
VMware
- Download and unzip the installation package.
- Choose to import .OVF and import the appliance to you environment.
Citrix Hypervisor
- Download and unzip the installation package.
- Choose to import .XVA and import the appliance to you environment.
Microsoft HyperV
- Download and unzip the installation package.
- Choose to import .VMDK and import the appliance to you environment.
When you have imported the appliance to your hypervisor of choice, you have two options.
- Access the appliance console using the hypervisors admin console.
- Access the appliance web GUI using it's ip-address acquired using DHCP. (IF DHCP isn't available on the attached network, the only option is to use the appliance console). NOTE NTP configuration is crucial for reliable Google Authenticator, Software token and TOTP hardware token support.
Configure using the appliance console
- Log on to the console using the setup user and password:
- Console setup user: setup
- Console setup password: alifiedotp
- You will be presented with a setup menu where you can configure the appliance network settings.
- Remember to save the config and reboot the appliance to apply the new settings.
- When the appliance has finished rebooting, all other configuration is made using the web based GUI.
Configure using the appliance web GUI
- To be able to perform the first time setup using the web GUI, the attached network must have DHCP available.
- Get the appliance ip-address from your hypervisors console.
- Access the web GUI byt the appliance ip-address (http://a.b.c.d).
- Log on to the web GUI using the default appliance username and password:
- Web GUI default username: admin
- Web GUI default password: alifiedotp
- Access Network Settings under the Settings menu and complete network configuration.
- Reboot the appliance to enable the new settings.
BankID and RADIUS
Using BankID as MFA requires some specific considerations.
A RADIUS server normally responds to a authentication request within a few milliseconds or in worst case seconds. BankID by nature works in an other way.
When using BankID over RADIUS, the authentication request are sent to the server which then waits for the BankID backend to report if the authentication was successful or not. This means that you have to configure the RADIUS client to have a long time out (60-90 seconds is usually a good value) and to not send any retries.