Enterprises are protecting their most sensitive information with an additional authentication mechanism on top of username and password. I worked recently with PhoneFactor, a vendor of software that provides 2nd factor authentication.
We use CA Siteminder for our application security purposes. Integrating PhoneFactor with Siteminder looks easy, but it took us a little time to figure out.
Test URL: http://finance.domain.com/SuperSecure
Phone Factor AD Group: PF_AD_Group
Requirement: Whenever a user in PF_AD_Group tries to access http://finance.domain.com/SuperSecure, Siteminder should send an authentication request (RADIUS) to the PhoneFactor software. PhoneFactor should call the user and match the voiceprint to complete the 2nd factor. For users who are not in PF_AD_Group, PhoneFactor does not need to perform 2nd factor authentication.
- Set up PhoneFactor to receive RADIUS auth requests from Siteminder
- In Siteminder
  - Set up the PhoneFactor_AS Authentication Scheme
    - RADIUS Server Template
    - RADIUS Server IPADDRESS
    - Port
    - SharedSecret
  - Set up PhoneFactorLDAP_UD
    - SERVER: PhoneFactor Server
  - For Domain finance.domain.com
    - Add userDirectory PhoneFactorLDAP_UD (use this directory for Authentication)
    - Add userDirectory LDAP_UD (use this directory for Authorization)
    - For realm /SuperSecure
      - Use PhoneFactor_AS as the Authentication Scheme
      - In Advanced -> Directory Mapping, map PhoneFactorLDAP_UD & LDAP_UD to perform authentication and authorization respectively.
(If applications require authorization and the mapping is left at the default, PhoneFactor will just authenticate and send back the response. Siteminder will then reject access and give a TimedOut error, or sometimes PhoneFactor will call the user continuously.)