Pre-defined policies
Pre-loaded policies are created for OneSpan Authentication Server during installation and provide useful policy examples for typical environments.
The Base Policy provides globally applicable settings. In general, all other policies should inherit from it, either directly or indirectly.
Non-default settings for Base Policy are as follows:
- Applicable DIGIPASS - Allow PIN change = Yes
- User Lock Threshold = 3
- Challenge Request Method = Keyword
- Virtual DIGIPASS - Delivery Method = SMS
- Primary DIGIPASS - Request Method = Password
- Backup DIGIPASS - Request Method = KeywordPassword
- Backup DIGIPASS - Request Keyword = otp
- Identification Time Window = 20
- Signature Time Window = 20
- Challenge Check Mode = 1
- Event Window = 20
- Sync-Window = 6
- Online Signature Level = 0
- Identification Threshold = 0
- Signature Threshold = 0
- Local Authentication = None
- Back-End Authentication = None
- Back-End Protocol = <empty>
- Dynamic User Registration = No
- Password Autolearn = No
- Stored Password Proxy = No
- Group-Check-Mode = No Check
- DIGIPASS Assignment - Assignment Mode = Neither
- Search Upwards in Org. Unit Hierarchy = No
- Application Type = No Restriction
- 1-Step Challenge/Response - Permitted = No
- 1-Step Challenge/Response - Add Check Digit = No
- Backup Virtual DIGIPASS - BVDP Mode = No
- Offline Authentication Enabled = No
- Offline Time Window = 21
- Offline Event Window = 300
- Password Randomization - Enabled = No
- Password Randomization - Back-End Password Length = 16
- Client-Group-Mode = No Check
- Second-OTP-Synch-Enabled = No
- Reply RADIUS Attributes = No
- RADIUS - Supported Protocols = Any
- RADIUS - Wireless Session Lifetime = 3600
- RADIUS - TLS Session Lifetime = 86400
- RADIUS - Maximum Fast Reconnect Count = 48
- Radius-Session-Ticket-Group-List = <empty>
- Static Password - Different From Last # Passwords = 4
- Static Password - Minimum Password Length = 7
- Static Password - Minimum # Lowercase Characters = 1
- Static Password - Minimum # Uppercase Characters = 1
- Static Password - Minimum # Numerical Digits = 1
- Static Password - Minimum # Special Characters = 0
- Static Password - Not Based on User ID = Yes
- Max Days Between Authentications = 90
- Multiple DIGIPASS App Validation Mode = Multiple DIGIPASS Applications Allowed
- Local Admin Users = Reject
- Virtual Signature - Delivery Method = SMS
- Virtual Signature - Virtual Signature Mode = No
- Virtual Signature - MDC Profile = <empty>
- DIGIPASS Assignment - Expiration Period = 0
- Secure Channel Support = Yes - Permitted
- Secure Channel - Activation Message Validity Period = 365
- Message Signing - Allow Custom Request Body = No
- Message Signing - Min App Version = 0
- 1-Step Challenge/Response - Require PIN = Yes
- 1-Step Challenge/Response - Template Number = 0
- 1-Step Challenge/Response - Font Index = 0
- Signature Transaction - Require PIN = Yes
- Signature Transaction - Template Number = 0
- Signature Transaction - Font Index = 0
- Signature Transaction - Show Response = Yes
- Signature Transaction - Show Warning = No
- Delayed Activation - Delay Period = 0
- Delayed Activation - Notify user when activation process starts = No
- Delayed Activation - Notify user when activation process completes = No
- Delayed Activation - Delivery Method = SMS
- Account Lockout - User Lock Threshold = 30
- Account Lockout - Lock Duration Multiplier = 150
- Account Lockout - Maximum Unlock Tries = 0
- User Info Synchronization = No
- Static Password - Maximum Age in Days = 42
- Static Password - Minimum Age in Days = 1
- Static Password - Days to Notify before Expiration = 8
- Push Notification - Request Method = KeywordPassword
- Push Notification - Request Keyword = push
- Push Notification - Mobile Application Name = <empty>
- Push Notification - Authentication Timeout (seconds) = 30
- Virtual DIGIPASS - Challenge Message = Enter One-Time Password
| Policy name | Parent policy | Description | Settings different from parent policy |
|---|---|---|---|
| Base Policy | - | Globally applicable settings. In general, all other Policies should inherit from this, directly or indirectly. |
User Lock Threshold=3 PIN Change Allowed=Yes Challenge Request Method=Keyword Primary VDP Request Method=Password Backup VDP Request Method=Keyword Password Backup VDP Request Keyword=otp Identification Time Window=20 Check Challenge Mode=1 Event Window=20 Sync Window=6 Online Signature Level= 0 Identification Threshold=0 Local Authentication=None Back-End Authentication=None DUR=No Password Autolearn=No Stored Password Proxy=No Group Check Mode=No Check Assignment Mode=Neither Search Up OU Path=No Application Types=No Restriction 1-Step Challenge/Response=No 1-Step Challenge Check Digit=No Backup VDP Enabled=No |
| IDENTIKEY Local Authentication | Base Policy | Settings applicable to all OneSpan Authentication Server authentication Policies, including local authentication. In general, all other OneSpan Authentication Server Policies using local authentication should inherit from this, directly or indirectly. | Local Authentication=DIGIPASS/Password during Grace Period |
| IDENTIKEY Windows Password Replacement | IDENTIKEY Local Authentication | OneSpan Authentication Server model for password replacement and Dynamic User Registration (DUR), using Windows back-end authentication. |
Back-End Authentication=Always Back-End Protocol=Windows DUR=Yes Assignment Mode=Neither Password Autolearn=Yes Stored Password Proxy=Yes |
| IDENTIKEY Microsoft AD Password Replacement | IDENTIKEY Local Authentication | OneSpan Authentication Server model for password replacement with Microsoft Active Directory (LDAP connection). |
Local Auth=Default Backend Auth=Always Backend Protocol=Microsoft AD DUR=Yes Password Autolearn=Yes Stored Password Proxy=Yes |
| IDENTIKEY Novell eDirectory Password Replacement | IDENTIKEY Local Authentication | OneSpan Authentication Server model for password replacement with NetIQ eDirectory (formerly Novell eDirectory) (LDAP connection). |
Local Auth=Default Backend Auth=Always Backend Protocol=Novell eDirectory DUR=Yes Password Autolearn=Yes Stored Password Proxy=Yes |
| IDENTIKEY Windows Auto-Assignment | IDENTIKEY Windows Password Replacement | OneSpan Authentication Server model for Auto-Assignment based on the Windows password replacement model. |
Assignment Mode=Auto-Assignment Search Up OU Path=Yes Grace Period=7 |
| IDENTIKEY Microsoft AD Auto Assignment | IDENTIKEY Local Authentication | OneSpan Authentication Server model for Auto Assignment for Microsoft Active Directory |
Local Auth=Default Backend Auth=If Needed Backend Protocol=Microsoft AD Assignment Mode=Auto-Assignment Search-Up-OU-Path=Yes |
| IDENTIKEY Windows Self-Assignment | IDENTIKEY Windows Password Replacement | OneSpan Authentication Server model for self-assignment based on the Windows password replacement model. |
Assignment Mode=Self-Assignment Search Up OU Path=Yes Self Assignment Separator=| |
| IDENTIKEY Microsoft AD Self Assignment |
IDENTIKEY Microsoft AD Password Replacement |
OneSpan Authentication Server model for self-assignment for AD Password Replacement |
Local Auth = Default Backend Auth = Always Backend Protocol = Microsoft AD Assignment Mode = Self-Assignment Search-Up-OU-Path = Yes |
| IDENTIKEY Novell eDirectory Self-Assignment | IDENTIKEY Novell eDirectory Password Replacement | OneSpan Authentication Server model for self-assignment for NetIQ eDirectory (formerly Novell eDirectory). |
Local Auth = Default Backend Auth = Always Backend Protocol = Novell eDirectory Assignment Mode = Self-Assignment Search-Up-OU-Path = Yes |
| IDENTIKEY RADIUS Password Replacement | IDENTIKEY Local Authentication | OneSpan Authentication Server model for password replacement using a RADIUS server for back-end authentication. |
Backend Authentication=Always Backend Protocol=RADIUS Password Autolearn=Yes Stored Password Proxy=Yes |
| IDENTIKEY RADIUS Auto-Assignment | IDENTIKEY Local Authentication | OneSpan Authentication Server model for auto-assignment based on the RADIUS password replacement model. |
Grace Period=7 Search Up OU Path=Yes Assignment Mode=Self-Assignment |
| IDENTIKEY RADIUS Self-Assignment | IDENTIKEY Local Authentication | OneSpan Authentication Server model for self-assignment based on the RADIUS password replacement model. |
Search Up OU Path=Yes Assignment Mode=Self-Assignment Self Assignment Separator=| |
| IDENTIKEY Back End Authentication | Base Policy | OneSpan Authentication Server model for only back-end authentication. Change the back-end protocol to the one required. |
Backend Protocol=RADIUS Backend Authentication=Always |
| IDENTIKEY DP110 Provisioning 1 | Base Policy | IDENTIKEY DP110 provisioning model scenario 1 - Activation codes are encrypted with pre-loaded static passwords. |
Local Auth=DIGIPASS/Password during Grace Period 1-Step Challenge/Response=Yes-Any challenge |
| IDENTIKEY DP110 Provisioning 2 | Base Policy | IDENTIKEY DP110 Provisioning model scenario 2 - Dynamic Registration using back-end system. Change the back-end protocol to the one required. |
Local Auth = DIGIPASS/Password during Grace Period Back-End Authentication = Always 1-Step Challenge/Response=Yes – Any challenge |
| IDENTIKEY DP4Mobile Provisioning 1 | Base Policy | Mobile Authenticator Studioprovisioning model scenario 1 | |
| IDENTIKEY DP4Mobile Provsioning 2 | Base Policy | Mobile Authenticator Studioprovisioning model scenario 2 |
Local Authentication = DIGIPASS/Password during Grace Period Backend authentication = NONE DIGIPASS type: |
| IDENTIKEY DP4Mobile Provsioning 3 | Base Policy | Mobile Authenticator Studio provisioning model scenario 3 |
Local Authentication = DIGIPASS/Password during Grace Period Backend authentication = IF NEEDED DIGIPASS type: |
| IDENTIKEY DP4Web Provisioning 1 | Base Policy | DIGIPASS for Web Provisioning model scenario 1 - Activation codes are encrypted with pre-loaded static passwords. | |
| IDENTIKEY DP4Web Provisioning 2 | Base Policy | DIGIPASS for WebProvisioning model scenario 2 - pre-loaded user accounts and static passwords. | Local Auth = DIGIPASS/Password during Grace Period |
| IDENTIKEY DP4Web Provisioning 3 | Base Policy | DIGIPASS for Web Provisioning model scenario 3 - Dynamic Registration using back-end system. Change the back-end protocol to the one required. |
Local Auth = DIGIPASS/Password during Grace Period DUR=Yes |
| IDENTIKEY Deferred Time signature Verfication | Base Policy | Deferred time signature verification settings: Time based. | Signature Time Window = 24 |
| IDENTIKEY Real-Time signature verfication 1 | Base Policy | Real-time signature verification settings: Time-based, several signatures are allowed in the same timestep but 2 identical successive signatures will be rejected. | Online signature level = 1 - Multiple Signatures allowed in same Time Step |
| IDENTIKEY Real-Time signature verfication 2 | Base Policy | Real-time signature verification settings: Time-based, one signature allowed per timestep. | Online signature level = 2 - Only 1 Signature/Time Step allowed |
| IDENTIKEY Real-Time signature verfication 3 | Base Policy | Deferred time signature verification settings: Event based, off-line mode. | Signature Time Window = 24 |
| Windows logon online authentication - Windows Back-End | IDENTIKEY Local Authentication | Windows Logon with Windows back end |
Back-End Authentication = Always Back-End Protocol = Windows Enable Random Password = No Client Group List = Client Group Mode = No check Offline Authentication = No |
| Windows logon online authentication - LDAP AD Back-End | IDENTIKEY Local Authentication | Windows Logon for LDAP AD back end |
Back-End Authentication = Always Back-End Protocol = Microsoft AD Enable Random Password = No Client Group List = Client Group Mode = No check Offline Authentication = No |
| Windows logon online and offline authentication – Windows Back-End | Windows logon online authentication - Windows Back-End | Windows logon online and offline authentication for Windows back end |
OfflineOffline Authentication = Yes Offline Time Window (days) = 21 Offline Event Window = 300 |
| Windows logon online and offline authentication – LDAP AD Back-End | Windows logon online authentication - LDAP AD Back-End | Windows logon online and offline authentication settings for LDAP AD back end |
Offline Authentication = Yes Offline Time Window (days) = 21 Offline Event Window = 300 |