Note
Changes to Policy settings will not take effect immediately on all Identikey Servers unless Replication is used to synchronize the Identikey Servers. Where Replication is not used, changes to Policy settings will take effect when each Identikey Server is restarted, once the Policy change is available to it in its data store. Alternatively, if there is no restart, the cache of Policy settings will refresh from the data store approximately every 15 minutes.
Table 38: Policy Fields
Field Name Description
Description: This description can be entered to record the purpose of the Policy.
Inherits from Policy: Contains the Name of the Policy from which settings will be inherited, referred to as the 'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; they inherit the parent Policy value in the following cases:
Choice lists/radio buttons – if the selected value is Default
Text fields – if the field is blank
Numeric fields – if the field is blank (not 0)
List fields – if the list is empty
The Show Effective Policy Settings... button can be used to display the result of inheriting settings combined with settings on the current Policy.
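The inheritance rules above, worked through as an added example (this is illustrative code, not Identikey Server code). The Policy names, the values and the subset of fields modelled are constructed; the per-field rule is the one the table gives for each field class.

```python
# Added illustration of the inheritance rules above; not Identikey Server code.
# The Policy names and values are constructed, and only a subset of fields is modelled.
from typing import Any, Dict

# Which inheritance rule applies to each modelled field (field classes from the table).
CHOICE = {"Local Authentication", "Back-End Authentication"}   # inherit when "Default"
TEXT = {"Back-End Protocol", "Default Domain"}                  # inherit when blank
NUMERIC = {"User Lock Threshold", "Grace Period"}               # inherit when blank, not when 0
LIST = {"Application Names", "Digipass Types"}                  # inherit when empty
FIELDS = CHOICE | TEXT | NUMERIC | LIST

def is_unset(field: str, value: Any) -> bool:
    """True when the Policy carries no value of its own for this field."""
    if field in CHOICE:
        return value == "Default"
    if field in TEXT:
        return value in (None, "")
    if field in NUMERIC:
        return value is None            # an explicit 0 is a value, not a blank
    if field in LIST:
        return not value
    raise KeyError(f"unknown field {field!r}")

def effective_value(policies: Dict[str, dict], name: str, field: str, depth: int = 0) -> Any:
    """Walk up the 'Inherits from Policy' chain until a Policy sets the field."""
    policy = policies[name]
    value = policy.get(field)
    parent = policy.get("Inherits from Policy")
    if not is_unset(field, value) or parent is None or depth > 32:
        return value                    # own value, top of the chain, or a cycle guard
    return effective_value(policies, parent, field, depth + 1)

def effective_policy(policies: Dict[str, dict], name: str) -> Dict[str, Any]:
    """What the 'Show Effective Policy Settings...' button would display."""
    return {f: effective_value(policies, name, f) for f in sorted(FIELDS)}

# Constructed three-level chain: Base <- Site <- VPN.
POLICIES = {
    "Base": {"Inherits from Policy": None, "Local Authentication": "Digipass/Password",
             "Back-End Authentication": "None", "Back-End Protocol": "", "Default Domain": "corp.example",
             "User Lock Threshold": 3, "Grace Period": 7, "Application Names": [], "Digipass Types": []},
    "Site": {"Inherits from Policy": "Base", "Local Authentication": "Default",
             "Back-End Authentication": "Always", "Back-End Protocol": "Active Directory", "Default Domain": "",
             "User Lock Threshold": None, "Grace Period": 0,   # explicit 0 is kept, 7 is not inherited
             "Application Names": [], "Digipass Types": ["DPGO3", "DPGO1"]},
    "VPN":  {"Inherits from Policy": "Site", "Local Authentication": "Digipass Only",
             "Back-End Authentication": "Default", "Back-End Protocol": "", "Default Domain": "",
             "User Lock Threshold": None, "Grace Period": None, "Application Names": ["RO-App"],
             "Digipass Types": []},
}

if __name__ == "__main__":
    for field, value in effective_policy(POLICIES, "VPN").items():
        print(f"{field}: {value!r}")
```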
Local Authentication: Specifies whether authentication requests using the Policy will be handled by the Identikey Server using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
When Local Authentication is used, two factors determine whether Digipass authentication is used: any Policy restrictions on the Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meets those restrictions. For example, if the Policy requires a DP300 and the User only has a DP700, they cannot use Digipass authentication under that Policy.
This setting also affects the Provisioning Registration process (see the Software Digipass Provisioning section in the Product Guide).
Options:
Default: Use the setting of the parent Policy.
None: The Identikey Server will not carry out Local Authentication under this Policy. Requests may be handled using Back-End Authentication, or not handled at all by the Identikey Server.
Digipass/Password: The Identikey Server will always carry out Local Authentication under this Policy, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
Digipass Only: The Identikey Server will always carry out Local Authentication under this Policy, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.
Back-End Authentication: Specifies whether authentication requests using the Policy will be handled by the Identikey Server using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
This setting also affects the Provisioning Registration process (see the Software Digipass Provisioning section in the Product Guide).
Options:
Default: Use the setting of the parent Policy.
None: Back-End Authentication will not be used.
If Needed: The Identikey Server will utilize Back-End Authentication, but only in the following cases:
Dynamic User Registration
Self-Assignment
Password Autolearn
Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
Provisioning Registration
Always: The Identikey Server will utilize Back-End Authentication for every authentication and Provisioning Registration request.
Back-End Protocol: Specifies the protocol to be used for Back-End Authentication.
If you have your own Back-End Authentication Engines, they will have Protocol names to identify them. The name of the required Engine must be entered in the Back-End Protocol field for the Policy.
The following standard options are available:
Windows: Authentication using the Windows operating system (only available when the Identikey Server runs on Windows).
RADIUS: Authentication using a RADIUS server.
e-Directory: Authentication using Novell's e-Directory.
ADAM: Authentication using a Microsoft ADAM server.
Active Directory: Authentication using Microsoft's Active Directory.
Created On: The date and time that the Policy was created. Read-only.
Last Modified On: The date and time that the Policy was last modified. Read-only.
Dynamic User Registration: Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. If this feature is used, when the Identikey Server receives an authentication request for a User for the first time and Back-End Authentication is successful, it will create a Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will be assigned to the new User account immediately.
This setting also determines whether the Provisioning Registration process is allowed to perform DUR.
Password Autolearn: Specifies whether the Password Autolearn feature is enabled for the Policy. This feature enables the Identikey Server to update the password stored in the Digipass User account when Back-End Authentication is successful.
This setting also determines whether the Provisioning Registration process will update the password after successful Back-End Authentication.
Stored Password Proxy: Specifies whether the Stored Password Proxy feature is enabled for the Policy. This feature can be used in conjunction with the Back-End Authentication Always setting and the Password Autolearn feature. With this combination, even though a Back-End Authentication check is done at every login, it is done using the password stored in the Digipass User account.
Therefore the User does not have to enter it during their login, unless it has changed in the Back-End System. This mode of operation is referred to as Password Replacement.
Default Domain: The default Domain in which the Identikey Server should look for and create Digipass User accounts, if a Domain is not specified by the user credentials. The process of resolving the User ID and Domain name is described in the User ID and Domain Resolution section in the Product Guide and in 3.5.1.2 Identifying the Domain for a Login Attempt of this document.
User Lock Threshold: This indicates the number of consecutive failed login attempts that will cause a Digipass User account to become Locked. For example, if the User Lock Threshold is 3, the account will become Locked on the third failed login attempt. Unlocking the account requires administrator action.
Note that not all kinds of login failure will result in locking. For example, if the UserId is incorrect or the account is Disabled, the failure would not count towards the lock threshold.
Locking is used mainly for incorrect OTPs and static passwords.
The locking mechanism is also used for Provisioning and Signature Validation.
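The lock threshold behaviour described above, as an added example (illustrative code, not Identikey Server code): only OTP and static-password failures count, an incorrect UserId or a Disabled account does not, and a success resets the streak. The user IDs, outcome labels and login sequence are constructed.

```python
# Added illustration of the User Lock Threshold behaviour described above; not Identikey
# Server code. User IDs, outcome labels and the login sequence are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class DigipassUser:
    user_id: str
    disabled: bool = False
    locked: bool = False
    consecutive_failures: int = 0      # only failures that count towards the threshold

class LockoutTracker:
    """Tracks consecutive failed logins per Digipass User account."""

    def __init__(self, user_lock_threshold: int):
        self.threshold = user_lock_threshold
        self.users: Dict[str, DigipassUser] = {}

    def record(self, user_id: str, outcome: str) -> str:
        """Apply one login outcome ('success', 'bad_otp' or 'bad_static_password')
        and return the resulting state of the attempt."""
        user = self.users.get(user_id)
        if user is None:
            return "rejected"           # incorrect UserId: nothing to lock, not counted
        if user.locked:
            return "locked"             # stays Locked until an administrator unlocks it
        if user.disabled:
            return "disabled"           # a failure on a Disabled account is not counted
        if outcome == "success":
            user.consecutive_failures = 0   # a success breaks the streak
            return "ok"
        if outcome in ("bad_otp", "bad_static_password"):
            user.consecutive_failures += 1
            if user.consecutive_failures >= self.threshold:
                user.locked = True      # e.g. threshold 3: Locked on the third failure
                return "locked"
            return "failed"
        raise ValueError(f"unknown outcome {outcome!r}")

    def admin_unlock(self, user_id: str) -> None:
        """Administrator action: clear the lock and the failure count."""
        user = self.users[user_id]
        user.locked, user.consecutive_failures = False, 0

def demo() -> List[str]:
    """Constructed sequence against a User Lock Threshold of 3."""
    tracker = LockoutTracker(user_lock_threshold=3)
    tracker.users["alice"] = DigipassUser("alice")
    sequence: List[Tuple[str, str]] = [
        ("alice", "bad_otp"), ("alice", "bad_otp"), ("alice", "success"),   # streak reset
        ("alice", "bad_static_password"), ("alice", "bad_otp"), ("alice", "bad_otp"),
        ("alice", "success"),           # still Locked: a correct login does not unlock
        ("nobody", "bad_otp"),          # incorrect UserId: not counted anywhere
    ]
    return [tracker.record(u, o) for u, o in sequence]

if __name__ == "__main__":
    print(demo())
```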
Windows Group Check: Specifies whether and how the Windows Group Check feature is to be used. This feature is typically used for a staged deployment of Digipass when the Auto-Assignment method is used. It can also be used when only some Users are required to use Digipass, or when only some Users will be permitted access and they have to use Digipass.
Options:
Default: Use the setting of the parent Policy.
No check: Do not use the Windows Group Check feature.
Pass requests for users not in listed groups back to host system: Use the Windows Group Check so that any Users who are not in one of the listed groups are ignored by the Identikey Server. Use of this setting for Provisioning or Signature Validation will have the same effect as the Reject... setting.
Reject requests for users not in listed groups: Use the Windows Group Check so that any Users who are not in one of the listed groups are rejected by the Identikey Server.
Use only Back-End Authentication for users not in listed groups: Use Back-End Authentication only for any Users who are not in one of the listed groups. Use of this setting for Provisioning or Signature Validation will have the same effect as the Reject... setting.
Group List: This lists the names of the Windows Groups to be checked according to the Windows Group Check radio button setting. There are some important limitations of this check:
Certain built-in Active Directory groups such as Domain Users and Everyone will not be checked. The check is intended to be used with a new group created specifically for this purpose.
Nested group membership will not be detected by the check.
There is no Domain qualifier for a group. The named group must be created in each Domain where User accounts exist that need to be added to the group.
A local machine group can also be used.
Assignment Mode: Specifies the method of automated Digipass Assignment that will be used for this Policy, if any. There are two methods, Auto-Assignment and Self-Assignment.
Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When DUR occurs, the next available Digipass is assigned to the new Digipass User account. A Grace Period is set for the Digipass according to the Grace Period setting in the Policy.
Self-Assignment is typically used with DUR also, but if the Digipass User accounts are created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP from the Digipass and their static password. There is no Grace Period associated with Self-Assignment, because the User has to use the Digipass to perform Self-Assignment.
In both cases, any applicable Digipass restrictions for the Policy apply. For example, it will not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy restrictions, they will not be able to self-assign another Digipass.
This setting is not applicable to Provisioning or Signature Validation.
Options:
Default: Use the setting of the parent Policy.
Auto-Assignment: Use the Auto-Assignment method.
Self-Assignment: Use the Self-Assignment method.
Neither: Do not use either method of automated assignment.
Grace Period: Default time period (in days) given to Users between Auto-Assignment of a Digipass and the date they must start using their Digipass to log in. Before that time they can still use a static password (unless the Local Authentication setting is Digipass Only). However, the first time that an OTP is used to log in, the Grace Period is ended at that point if it has not already ended.
This setting does not affect manual assignment by an administrator or Provisioning.
Serial No. Separator: The character (or short sequence of characters) that will be included at the end of the Digipass Serial Number during a Self-Assignment login. It allows the Identikey Server to easily recognize that a Self-Assignment attempt is being made and to extract the Serial Number from the credentials.
Search Upwards in Org. Unit hierarchy: This controls the search scope for an available Digipass for Auto-Assignment or Provisioning Registration, or for a specific Digipass for Self-Assignment.
This setting does not affect manual assignment by an administrator.
Options:
Default: Use the setting of the parent Policy.
No: The search scope is only the Organizational Unit to which the User account belongs. If the User does not belong to an Organizational Unit, the search will look for Digipass that also do not belong to an Organizational Unit.
Yes: The search will start in the User account's Organizational Unit, but if necessary it will then move upwards through the Organizational Unit hierarchy until it reaches the top. See the Location of Digipass Records topic in the Product Guide for more information.
Application Names: The Policy can specify a restriction on which Digipass Applications may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they indicate the Application Names that are permitted.
Application Type: The Policy can restrict which Digipass Application Type (e.g. Response Only, Challenge/Response) may be used when it is effective.
Options:
Default: Use the setting of the parent Policy.
No Restriction: Digipass Application Type is not restricted.
Response Only: Only Digipass Applications of Type RO (Response Only) or MM (Multi-Mode) may be used.
Challenge/Response: Only Digipass Applications of Type CR (Challenge/Response) or MM (Multi-Mode) may be used.
Signature: Only Digipass Applications of Type SG (Signature) or MM (Multi-Mode) may be used.
Multi-Mode: Only Digipass Applications of Type MM (Multi-Mode) may be used.
Digipass Types: The Policy can specify a restriction on which Digipass Types may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they indicate the Digipass Types that are permitted.
Allow PIN change: Specifies whether Digipass Users will be allowed to change their Server PIN during authentication requests to which the current Policy applies. Normally this setting is enabled, but it can be used to prevent PIN changes if required.
1-Step Challenge/Response – Permitted: Controls whether 1-step Challenge/Response logins will be enabled for the current Policy and, if so, where the challenge should originate.
In order to enable 1-step Challenge/Response, you also need to set the Challenge Check Mode (see below).
Note that 1-step Challenge/Response is not applicable in a RADIUS environment.
Options:
Default: Use the setting of the parent Policy.
No: 1-step Challenge/Response may not be used.
Yes – Server Challenge: 1-step Challenge/Response may be used provided that the Identikey Server that verifies the response generated the challenge.
Yes – Any Challenge: 1-step Challenge/Response may be used with any random challenge.
1-Step Challenge/Response – Challenge Length: Specifies the length of the challenge (excluding a check digit) that should be generated for 1-step Challenge/Response logins.
1-Step Challenge/Response – Add Check Digit: A check digit may be added to the generated challenge. This allows the Digipass to identify invalid Challenges more quickly.
2-Step Challenge/Response – Request Method: The method by which a User has to request a 2-step Challenge/Response login.
This is the only mode of Challenge/Response available in a RADIUS environment.
The 'request' is made in the password field during login. The request will fail if the User does not have a Challenge/Response-capable Digipass assigned. This includes Digipass Applications of Type CR, SG and MM.
Options:
Default: Use the setting of the parent Policy.
None: Do not use 2-step Challenge/Response.
Keyword: Use the Request Keyword. This is permitted to be blank.
Password: Use the static password.
KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.
2-Step Challenge/Response – Request Keyword: Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, if a method using a Keyword is selected in the Request Method. This is permitted to be blank.
Primary Virtual Digipass – Request Method: The method by which a User has to request a Primary Virtual Digipass login.
The 'request' is made in the password field during login. The request will be ignored if the User does not have a Primary Virtual Digipass assigned.
Options:
Default: Use the setting of the parent Policy.
None: Do not use Primary Virtual Digipass.
Keyword: Use the Request Keyword. This is permitted to be blank.
Password: Use the static password.
KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.
Primary Virtual Digipass – Request Keyword: Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a method using a Keyword is selected in the Request Method. This is permitted to be blank.
Backup Virtual Digipass – Enable Backup VDP: Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass.
Options:
Default: Use the setting of the parent Policy.
No: Backup Virtual Digipass is not permitted.
Yes – Permitted: Backup Virtual Digipass is permitted, but not mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
Yes – Time Limited: Backup Virtual Digipass is permitted, but not mandatory. Both the Time Limit and the Max. Uses/User limit will be in effect.
Yes – Required: Backup Virtual Digipass is mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
Backup Virtual Digipass – Time Limit: When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting indicates the number of days for which the Backup Virtual Digipass feature may be used by a User, once they start using it.
The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Time Limit defined in the Policy. Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass.
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.
Backup Virtual Digipass – Max. Uses/User: The maximum number of uses of the Backup Virtual Digipass feature permitted for each User, if they do not have a specific limit set for them.
If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set automatically the first time that the User requests a Backup Virtual Digipass OTP.
Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank.
Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.
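How the Time Limit and Max. Uses/User rules above interact on a single Digipass record, as an added example (illustrative code, not Identikey Server code). The dates, the serial number and the limit values are constructed; the three Yes options and the first-request initialisation follow the table.

```python
# Added illustration of the Time Limit and Max. Uses/User rules described above; not
# Identikey Server code. Dates, the serial number and the limits are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class DigipassRecord:
    serial: str
    backup_vdp_in_dpx: bool = True            # the feature must also be activated in the DPX file
    enabled_until: Optional[date] = None      # 'Backup Virtual Digipass Enabled Until'
    uses_remaining: Optional[int] = None      # 'Backup Virtual Digipass Uses Remaining'

@dataclass
class BackupVdpPolicy:
    enable: str                               # No | Yes – Permitted | Yes – Time Limited | Yes – Required
    time_limit_days: Optional[int] = None     # Time Limit: only in effect for 'Yes – Time Limited'
    max_uses_per_user: Optional[int] = None   # Max. Uses/User: in effect for every 'Yes' option

def request_backup_otp(policy: BackupVdpPolicy, rec: DigipassRecord, today: date) -> str:
    """Apply one Backup Virtual Digipass OTP request to one Digipass record.
    Limits live on the record, so a User with two capable Digipass has two sets of them."""
    if policy.enable == "No" or not rec.backup_vdp_in_dpx:
        return "not_permitted"
    if policy.enable == "Yes – Time Limited" and policy.time_limit_days is not None:
        if rec.enabled_until is None:
            # first request: Enabled Until is set from the Policy's Time Limit
            rec.enabled_until = today + timedelta(days=policy.time_limit_days)
        elif today > rec.enabled_until:
            return "time_limit_expired"       # an administrator must extend it or reset it to blank
    if rec.uses_remaining is None and policy.max_uses_per_user is not None:
        rec.uses_remaining = policy.max_uses_per_user   # first request: set from the Policy
    if rec.uses_remaining is not None:         # a record-specific limit set earlier is kept as is
        if rec.uses_remaining <= 0:
            return "no_uses_remaining"        # an administrator must increase it or reset it to blank
        rec.uses_remaining -= 1
    return "otp_sent"

def simulate(enable: str, time_limit_days: Optional[int], max_uses: Optional[int],
             day_offsets: List[int]) -> List[str]:
    """Run a sequence of requests (days after a constructed start date) against one new record."""
    policy = BackupVdpPolicy(enable, time_limit_days, max_uses)
    rec = DigipassRecord(serial="0123456789")          # constructed serial number
    start = date(2024, 1, 1)
    return [request_backup_otp(policy, rec, start + timedelta(days=d)) for d in day_offsets]

if __name__ == "__main__":
    # 2-day Time Limit and 3 uses: day 3 is outside the limit, the last request has no uses left
    print(simulate("Yes – Time Limited", 2, 3, [0, 1, 3, 2, 2]))
```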
Backup Virtual Digipass – Request Method: The method by which a User has to request a Backup Virtual Digipass login.
The 'request' is made in the password field during login. The request will be ignored if the User does not have a Digipass assigned that is activated for the Backup Virtual Digipass feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.
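The Request Method options shared by 2-step Challenge/Response, Primary Virtual Digipass and Backup Virtual Digipass, worked as one added example (illustrative code, not Identikey Server code): it recognises a request in the password field for each method and applies the table's rule that a 2-step request fails while a Virtual Digipass request is ignored when the User lacks a suitable Digipass. The Policy values, keywords, passwords and user records are constructed; the constant-time comparison is an added precaution, not something the table specifies.

```python
# Added illustration of the Request Method options for 2-step Challenge/Response,
# Primary Virtual Digipass and Backup Virtual Digipass logins; not Identikey Server code.
# Keywords, passwords and the user records are constructed.
import hmac
from typing import Dict

def _same(a: str, b: str) -> bool:
    """Constant-time comparison, used wherever one side contains the static password."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def is_request(method: str, keyword: str, static_password: str, password_field: str) -> bool:
    """Does the submitted password field constitute a 'request' under this Request Method?"""
    if method == "Default":
        raise ValueError("resolve the parent Policy value before calling")
    if method == "None":
        return False
    if method == "Keyword":
        return password_field == keyword           # blank Keyword: an empty field is the request
    if method == "Password":
        return _same(password_field, static_password)
    if method == "KeywordPassword":                # no separator or whitespace between the parts
        return _same(password_field, keyword + static_password)
    if method == "PasswordKeyword":
        return _same(password_field, static_password + keyword)
    raise ValueError(f"unknown Request Method {method!r}")

def handle(feature: str, policy: Dict[str, str], user: Dict, password_field: str) -> str:
    """Outcome of one login for the named feature, following the table's rules on
    what happens when the User lacks a suitable Digipass."""
    method = policy[f"{feature} – Request Method"]
    keyword = policy.get(f"{feature} – Request Keyword", "")
    if not is_request(method, keyword, user["static_password"], password_field):
        return "not_a_request"                     # ordinary authentication continues
    if feature == "2-Step Challenge/Response":
        capable = any(t in ("CR", "SG", "MM") for t in user["app_types"])
        return "challenge_issued" if capable else "request_failed"   # the request fails
    # Primary / Backup Virtual Digipass: an unusable request is ignored, not rejected
    return "otp_sent" if user["vdp"].get(feature, False) else "request_ignored"

# Constructed Policy and Users.
POLICY = {"2-Step Challenge/Response – Request Method": "KeywordPassword",
          "2-Step Challenge/Response – Request Keyword": "challenge",
          "Primary Virtual Digipass – Request Method": "Keyword",
          "Primary Virtual Digipass – Request Keyword": "",
          "Backup Virtual Digipass – Request Method": "PasswordKeyword",
          "Backup Virtual Digipass – Request Keyword": "backup"}
ALICE = {"static_password": "s3cret", "app_types": ["CR"],
         "vdp": {"Primary Virtual Digipass": False, "Backup Virtual Digipass": True}}
BOB = {"static_password": "hunter2", "app_types": ["RO"],
       "vdp": {"Primary Virtual Digipass": True, "Backup Virtual Digipass": False}}

if __name__ == "__main__":
    print(handle("2-Step Challenge/Response", POLICY, ALICE, "challenges3cret"))
    print(handle("2-Step Challenge/Response", POLICY, BOB, "challengehunter2"))
```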