OneSpan Authentication Server in a web environment

SOAP integration

OneSpan Authentication Server has a SOAP module that can be used to integrate OneSpan Authentication Server with web applications.

The OneSpan Authentication Server SOAP interface allows the following functionality to be integrated:

  • User authentication
  • Signature validation
  • Software authenticator provisioning
  • Administration
  • Reporting

Digipass Authentication for IIS Basic

Digipass Authentication for IIS Basic is an add-on designed for use with Microsoft Internet Information Services (IIS). It can be configured to intercept authentication requests and redirect them to OneSpan Authentication Server, which verifies the credentials first.

Normally, this means verifying the one-time password (OTP) value. If the OTP is valid, then OneSpan Authentication Server passes the static password back to IIS as if the user had entered it. The normal website authentication process completes the logon.

To enable verification via OneSpan Authentication Server, it is necessary to provide a static password (typically the Windows password) to IIS. There are two methods of implementing this:

Log on with OTP only

Using this method, users enter only their OTP (and PIN if required). OneSpan Authentication Server has to learn the static password for the user, so that when the user provides the correct OTP, OneSpan Authentication Server can give the static password back to IIS.

Figure: OneSpan Authentication Server in an IIS web environment (OTP only)

OneSpan Authentication Server can automatically learn the static Windows passwords. The user has to perform at least one logon with the static password. If this password is validated by Windows, OneSpan Authentication Server can learn it.

The same process can also be used if the static passwords are held in a RADIUS server. However, the OneSpan Authentication Server license must have RADIUS support activated for this to be enabled.

This process is not possible if the static passwords are not Windows or RADIUS passwords. Such passwords will need to be entered manually.

Log on with password and OTP

Using this method, users enter their static password and OTP at each logon. OneSpan Authentication Server validates the OTP. If valid, OneSpan Authentication Server returns only the static password to IIS.

Figure: OneSpan Authentication Server in an IIS web environment (OTP and password logon)

This method may be necessary when the static passwords are not Windows passwords, e.g. NetIQ eDirectory passwords. It may also be suitable if you do not want OneSpan Authentication Server to store your users' Windows passwords.

OneSpan Authentication Server strongly encrypts Windows passwords whenever it is configured to store them.