POLICIES – Policy (tab)

Table: POLICIES – Policy tab
Field name Description
Description

A custom text to describe the purpose of the policy.

Inherits from Policy

Contains the name of the policy from which settings will be inherited, referred to as the parent policy. Settings are inherited individually, depending on the value in the policy field. They inherit the parent policy value in the following cases:

  • Choice lists/radio buttons. If the selected value is Default.
  • Text fields. If the field is blank.
  • Numeric fields. If the field is blank (not 0).
  • List fields. If the list is empty.

The Show Effective Policy Settings column displays the result of combining the inherited settings with the settings of the current policy.
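The inheritance rules above, worked through in Python as an added example (not OneSpan code and not part of the product documentation). The policy names, the dictionary keys such as grace_period_days and allowed_types, and the handling of a field that no policy in the chain sets (returned as unresolved) are assumptions made for illustration.

```python
# Added example: resolve effective policy settings by walking the parent chain.
# Policy names, dict keys and values below are constructed sample data.

def inherits(value):
    """True when a field value defers to the parent policy."""
    if value is None or value == "":      # blank text or blank numeric field
        return True
    if value == "Default":                # choice list / radio button
        return True
    if isinstance(value, (list, tuple, set)) and not value:
        return True                       # empty list field
    return False                          # numeric 0 is an explicit value

def effective_settings(name, policies):
    """Return {field: (value, source_policy)} for the named policy."""
    chain, seen = [], set()
    while name:                           # current policy first, then parents
        if name in seen:
            raise ValueError(f"inheritance loop at policy {name!r}")
        seen.add(name)
        chain.append(name)
        name = policies[name].get("inherits_from")
    fields = {f for p in chain for f in policies[p]} - {"inherits_from"}
    result = {}
    for field in sorted(fields):
        result[field] = (None, None)      # assumption: unresolved if no level sets it
        for p in chain:
            value = policies[p].get(field)
            if not inherits(value):
                result[field] = (value, p)
                break
    return result

# "None" (string) is the explicit choice value from the page, not a blank field.
POLICIES = {
    "Base": {"inherits_from": "", "local_authentication": "DIGIPASS or Password",
             "back_end_authentication": "None", "back_end_protocol": "",
             "grace_period_days": 7, "allowed_types": ["TYPE-A"]},
    "VPN": {"inherits_from": "Base", "local_authentication": "Default",
            "back_end_authentication": "If Needed", "back_end_protocol": "RADIUS",
            "grace_period_days": 0, "allowed_types": []},
    "VPN-Admins": {"inherits_from": "VPN", "local_authentication": "DIGIPASS Only",
                   "back_end_authentication": "Default", "back_end_protocol": "",
                   "grace_period_days": None, "allowed_types": []},
}

if __name__ == "__main__":
    for field, (value, source) in effective_settings("VPN", POLICIES).items():
        print(f"{field:26} {value!r:26} from {source}")
```

In the sample data, the VPN policy leaves Local Authentication at Default and therefore ends up with the parent's DIGIPASS or Password mode, while its numeric value of 0 is kept as an explicit setting rather than inherited.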

Local Authentication

Specifies whether authentication requests using the policy will be handled by OneSpan Authentication Server using local authentication. For more information about local authentication and back-end authentication, refer to the OneSpan Authentication Server Product Guide, Section "Authenticating Users".

When local authentication is used, there are two factors that determine whether authentication with an authenticator is used – any policy restrictions on authenticator types and/or applications that can be used and whether the user account has any assigned authenticator that meets the restrictions. For example, if the policy requires a certain authenticator type, but the user has a different type, they cannot use the authenticator for authentication under that policy.

This setting also affects the provisioning registration process. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Software authenticator provisioning".

Possible values:

  • Default. Use the setting of the parent policy.
  • None. OneSpan Authentication Server will not use local authentication under this policy. The authentications may be handled using back-end authentication or not handled at all by OneSpan Authentication Server.
  • DIGIPASS Only. OneSpan Authentication Server will always use local authentication under this policy, using authentication with authenticator. If authentication with authenticator is not possible, the user cannot log in. Back-end authentication may also be used.
  • DIGIPASS/Password During Grace Period. OneSpan Authentication Server will always use local authentication under this policy, possibly using Digipass Authentication for Windows Logon, if applicable. The static password can only be used within a (configurable) grace period until an authenticator is used the first time. Back-end authentication may also be used.
  • DIGIPASS or Password. This authentication mode allows users to permanently use their static password or their authenticator. This is possible even after the grace period has expired and/or they have previously already used their authenticator for authentication. The grace period also expires after a successful MDL activation, either using an OTP or a signature validation. In the context of the authentication scenario, use of this authentication mode is subject to licensing. For provisioning, this authentication mode is license-free.

Back-End Authentication

Specifies whether authentication requests using the policy will be handled by OneSpan Authentication Server using back-end authentication. For more information about local authentication and back-end authentication, refer to the OneSpan Authentication Server Product Guide, Section "Authenticating users".

This setting also affects the provisioning registration process. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Software authenticator provisioning".

Possible values:

  • Default. Use the setting of the parent policy.

  • None. Back-end authentication will not be used.

  • If Needed. OneSpan Authentication Server will utilize back-end authentication but only in certain cases:

    • Dynamic User Registration (DUR)
    • self-assignment
    • Password autolearn
    • Requesting a challenge or Virtual Mobile Authenticator OTP, when the request method includes a password
    • Static password authentication, when verifying a Virtual Mobile Authenticator password-OTP combination, during the grace period, or if the local authentication mode is set to DIGIPASS or Password.
    • Provisioning registration
  • Always. OneSpan Authentication Server will use back-end authentication for every authentication and provisioning registration request.

    This setting is required if you want to use offline authentication for Digipass Authentication for Windows Logon.

    To enforce static password verification during offline authentications via Digipass Authentication for Windows Logon, you need to disable Stored Password Proxy and set Back-End Authentication to Always.

Back-End Protocol

Specifies the protocol to be used for back-end authentication.

If you have your own back-end authentication engines, they will have protocol names to identify them. The name for the required engine must be defined in the back-end protocol for the policy.

The following standard authentication options are available:

  • Windows (this is only available when OneSpan Authentication Server runs on Windows)
  • RADIUS
  • NetIQ eDirectory
  • Microsoft Active Directory
  • IBM Security Directory Server

Created

Read-only. The date and time that the record was created.

Modified

Read-only. The date and time that the record was last modified.

Available actions

  • Edit
  • Copy
  • Delete