KB_160118: How to configure the IDENTIKEY Authentication Server Message Delivery Component to work with Virtual DIGIPASS
5/15/2017 11:59:05 AM
The Message Delivery Component (MDC) must be configured before Virtual DIGIPASS one-time passwords (OTPs) can be delivered to end users. This KB article explains how to set up the Email delivery method. Virtual DIGIPASS can also be delivered via SMS (no longer considered secure) and voice, but those methods are not covered here.
Three things must be done in order to end up with a functional Virtual DIGIPASS delivery system. First, the Virtual DIGIPASS must be imported into IDENTIKEY Authentication Server (IAS) and assigned to their respective users. Second, the MDC must be configured. Third, the respective policy must be configured in the IAS Web Administration. Additionally, ensure that the firewall allows outbound connections from the IAS host to the SMTP host on port 25 (SMTP), or on whichever port the SMTP host actually listens on if you use SSL.
It is best to start by configuring the Message Delivery Component. Log on to the server where IAS is installed and search for “MDC” to open the MDC configuration tool.
The General tab can be left at its defaults for the most part, unless you need to set up SSL and configure the Cipher Suite Security Level. Enable SSL whenever the SMTP host is not on the IAS server itself; otherwise the OTPs are handed to the mail server in cleartext. You can also enable tracing and log rotation on this tab to assist with troubleshooting; treat trace files as sensitive, since they may record message contents.
On the Email Delivery tab, create a new Profile and enter the IP address or hostname of the SMTP host that will send the actual messages. In this example, the mail server runs locally, so 127.0.0.1 (localhost) is used. If you give the profile a name, that name must match the Profile Name specified in the respective policy inside the IAS Web Administration.
Once the MDC configuration is complete, test the delivery mechanism from the configuration tool before proceeding to the next step. Enter a valid email address and click Send; the tool should report that the test message was sent. If the test fails, verify connectivity from the IAS host to the SMTP host on the configured port before changing anything else.
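As an added example (not part of this KB article and not VASCO code), the following Python script performs the two checks an administrator wants before filling in the Email Delivery profile and before trusting the Send test: that the SMTP host answers on the configured port (the firewall requirement above), and whether it offers STARTTLS, which decides whether SSL should be enabled on the General tab. The host names `ias.example.local` and `mail.example.local` and the embedded fake SMTP responder are constructed so the check runs offline; in practice you point `smtp_preflight` at the real SMTP host and port you intend to enter in the profile.

```python
"""Pre-flight check for an MDC Email Delivery profile.

Added example; this is not VASCO code and does not talk to IAS or MDC.
It reproduces the two checks an administrator wants before filling in
the Email Delivery tab: is the SMTP host reachable on the chosen port,
and does it offer STARTTLS (relevant when deciding whether to enable
SSL on the General tab). The fake SMTP server below is constructed so
the check can be demonstrated offline; all host names are placeholders.
"""
import socket
import socketserver
import threading
from ipaddress import ip_address


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.strip().lower() == "localhost"


def _read_reply(reader):
    """Read one SMTP reply (possibly multi-line). Returns (code, lines)."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("SMTP host closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        # "250-..." continues the reply; "250 ..." (or a bare "250") ends it.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def smtp_preflight(host, port=25, helo_name="ias.example.local", timeout=5.0):
    """Connect to host:port, send EHLO, and report reachability and STARTTLS."""
    result = {"host": host, "port": port, "reachable": False,
              "banner": "", "starttls": False, "error": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader = sock.makefile("rb")
            code, banner = _read_reply(reader)
            if code != 220:
                result["error"] = f"unexpected greeting code {code}"
                return result
            result["reachable"] = True
            result["banner"] = banner[0]
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            code, caps = _read_reply(reader)
            if code == 250:
                result["starttls"] = any(c.upper().startswith("STARTTLS") for c in caps)
            sock.sendall(b"QUIT\r\n")
    except (OSError, ValueError) as exc:
        # Typically ConnectionRefusedError or a timeout: closed port or firewall rule.
        result["error"] = f"cannot complete SMTP handshake with {host}:{port} ({exc})"
    return result


def delivery_advice(host, starttls):
    """What the MDC General tab should look like for this SMTP host."""
    if is_loopback(host):
        return "local relay: plaintext SMTP stays on the IAS host, SSL optional"
    if starttls:
        return "remote relay offers STARTTLS: enable SSL on the MDC General tab"
    return "remote relay without STARTTLS: OTPs would cross the network in cleartext"


class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal constructed SMTP responder: banner, EHLO capabilities, QUIT."""

    def handle(self):
        self.wfile.write(b"220 mail.example.local ESMTP constructed test server\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                caps = [b"250-mail.example.local", b"250-SIZE 10240000"]
                if self.server.offer_starttls:
                    caps.append(b"250-STARTTLS")
                caps.append(b"250 8BITMIME")
                self.wfile.write(b"\r\n".join(caps) + b"\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 Command not recognised\r\n")


def start_fake_smtp(offer_starttls=True):
    """Start a throwaway SMTP listener on 127.0.0.1; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    server.daemon_threads = True
    server.offer_starttls = offer_starttls
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_smtp(offer_starttls=False)
    report = smtp_preflight("127.0.0.1", port)
    print(report)
    print(delivery_advice(report["host"], report["starttls"]))
    server.shutdown()
    server.server_close()
```

Run it as-is to see the report against the constructed relay; replace the `start_fake_smtp` call with the address of your real SMTP host to check a production profile. A `reachable: False` result with a connection-refused or timeout error is the firewall or wrong-port case; a reachable remote host without STARTTLS means the OTP e-mails would leave the IAS server unencrypted.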
The final configuration takes place inside the IAS Web Administration. Once you have logged on with an admin account, navigate to the Policy that will handle the authentications. Click on the Virtual DIGIPASS tab and choose “Email” as the Delivery Method. If you specified a Profile Name in the MDC configuration, enter the same name here.
The default request method is via a keyword, and the default keyword is “otp”. When a user wants to log in with their Virtual DIGIPASS, they first enter the keyword “otp” in the password field. This triggers the MDC to send an OTP to that user, provided that a valid email address is specified in their User Attributes.
Note: if you only use PIN+OTP and there is no back-end password synchronization and no static passwords are set, you must use the KeywordOnly request method. In this scenario, the user requests the OTP with the keyword and, in a second step, enters just the OTP.
At this point, test the implementation by requesting a Virtual DIGIPASS with the selected method.
Once the OTP arrives, log in as normal (for example, AD password+OTP).
Applies to: IDENTIKEY Authentication Server, Message Delivery Component, Virtual DIGIPASS
© 2017 VASCO Data Security. All rights reserved.