Creating user accounts using Dynamic User Registration (DUR)

When OneSpan Authentication Server receives an authentication request for a user without a user account, it can verify the credentials with the back-end server (e.g. Windows). If back-end authentication is successful, OneSpan Authentication Server can create a user account automatically for the user. This process is called Dynamic User Registration (DUR) and can be enabled via policy settings.

Dynamic User Registration (DUR)

Dynamic User Registration (DUR) creates a new user account automatically when the user credentials are validated using back-end authentication. The correct static password is sufficient to create a new user account.

DUR is commonly used together with auto-assignment (see auto-assignment (Overview)). With these two features enabled, new user accounts are immediately assigned to an authenticator.

For more information about Dynamic User Registration, see Dynamic User Registration (DUR).

DUR user information synchronization

DUR user information synchronization allows OneSpan Authentication Server to retrieve user information when a user account is created using DUR with an LDAP back-end server. This is achieved by synchronizing the data from the LDAP back-end server to the respective user account data fields. The user information that can be retrieved includes the user display name and contact data, such as the mobile phone number and the email address. The LDAP attributes used to query the respective user information are configurable.

By default, DUR user information synchronization is disabled. To enable and configure it, you need to change the applicable policy accordingly.

Case-sensitivity and user ID/domain conversion

If the data store is case-sensitive and OneSpan Authentication Server has not been configured to convert user IDs and domains to upper or lower case, it is possible for multiple user accounts to be created for a single user. For example, if a user logs on with jsmith on one occasion and JSmith on another, two user accounts may be created, one for each logon attempt.

To avoid this, you can do the following:

  • If the underlying user accounts are Windows user accounts, enable Windows name resolution in the Configuration Utility. For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "Domains and organizational units". This is highly recommended.
  • Alternatively, you can also configure OneSpan Authentication Server to convert all user IDs and domains to upper or lower case. For more information, refer to the OneSpan Authentication Server Administrator Guide, Section "Encoding and case-sensitivity".
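
To check whether DUR has already created such duplicates, the following added example (not part of the OneSpan documentation or product) groups accounts whose user ID and domain differ only by case. The CSV layout with user_id and domain columns and the sample rows are constructed assumptions; adapt the column names to whatever user list your deployment can export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are an assumption,
# not a OneSpan Authentication Server export format.
SAMPLE_EXPORT = """user_id,domain,created
jsmith,example.com,2024-01-10
JSmith,example.com,2024-02-03
adoe,example.com,2024-01-11
ADOE,EXAMPLE.COM,2024-03-20
bjones,example.com,2024-01-12
bjones,other.example,2024-01-15
"""


def load_rows(text):
    """Parse the CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_case_variant_accounts(rows):
    """Return {(folded_user, folded_domain): [(user_id, domain), ...]}
    for every identity that exists under more than one spelling."""
    groups = defaultdict(list)
    for row in rows:
        user, domain = row["user_id"].strip(), row["domain"].strip()
        key = (user.casefold(), domain.casefold())
        if (user, domain) not in groups[key]:
            groups[key].append((user, domain))
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(text):
    """Build one summary line per identity with case-variant accounts."""
    dupes = find_case_variant_accounts(load_rows(text))
    lines = []
    for (user, domain), variants in sorted(dupes.items()):
        spelled = ", ".join(f"{u}@{d}" for u, d in variants)
        lines.append(f"{user}@{domain}: {len(variants)} accounts ({spelled})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

The same user ID in two different domains (bjones in the sample) is not reported, because only spellings that collapse to the same user ID and domain pair count as duplicates.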