Global Configuration > Back-End Servers (tab)

Record changes (add, change, delete) will not take effect immediately on all OneSpan Authentication Server instances unless replication is used to synchronize the instances. If replication is not used, changes to records will take effect when each instance is restarted, once the change is available to it in its data store. Alternatively, if there is no restart, the record cache will refresh from the data store approximately every 15 minutes.

Table: Global Configuration > Back-End Servers tab

Field name | Description

User Name Resolution

Windows User Name Resolution

OneSpan Authentication Server can use Windows functions to identify user IDs as Windows user accounts. This may be required if Windows is used as the back-end system for OneSpan Authentication Server. The same setting must be applied in each database for each OneSpan Authentication Server instance.

Changes to this setting are not replicated automatically to other databases.

Active Directory User Name Resolution

If enabled, Active Directory user name resolution allows users to authenticate with their UPN or SAM account name. This feature is a platform-independent alternative to Windows user name resolution for Active Directory users.

Microsoft Active Directory

The options in this section specify default values for all Microsoft Active Directory back-end servers, unless specified otherwise in the individual back-end server records.

If the global catalog is configured and no back-end servers have been defined, domain discovery via the global catalog will be used to search for the user. If domain discovery via the global catalog is to be used, users must be set up in the same domain in Microsoft Active Directory as they are in OneSpan Authentication Server.

Enable SSL

Specifies whether to encrypt the connection using SSL.

Global Catalog Location

The location of the Active Directory global catalog.

Global Catalog Port

The port to be used for the Active Directory global catalog.

Possible values: 0 to 65535

Timeout

Number of seconds to wait for a response from the back-end server before either retrying or trying another back-end server.

Possible values: 0 to 32767

Security Principal ID

The user ID of the user account required for back-end authentication requests. Specify the ID of the account being used to log on to Active Directory.

For encrypted connections, the security principal ID must be specified as a distinguished name (DN).

For unencrypted connections, the security principal ID must be specified as the SAM account name.

The built-in Active Directory administrator account cannot be used as the security principal ID. An administrator must be created to be used as the security principal ID.

Security Principal Password

The password for the user account required for back-end authentication requests.

Global Catalog Domain Discovery

Enable SSL for Back-End Servers

Enable LDAP over SSL connections to domain controllers that were resolved via global catalog domain discovery.

When this setting is cleared, the SSL Port field is automatically disabled.

SSL Port

This field is only enabled if Enable SSL for Back-End Servers is selected. If specified, this port number will be used to contact domain controllers via SSL. Otherwise, the port number will be resolved via DNS or the global catalog.

Possible values: 1 to 65535, or empty

NetIQ eDirectory

The options in this section specify default values for all NetIQ eDirectory back-end servers, unless specified otherwise in the individual back-end server records.

If anonymous binding is disabled on the NetIQ eDirectory server, the security principal DN has to be a valid NetIQ eDirectory account with the necessary permissions to search the directory for the user accounts to be authenticated.

Search Base DN

The DN where the search for user accounts starts.

Security Principal DN

The distinguished name (DN) of the user account used to access the back-end server and handle back-end authentication requests (security principal). The distinguished name must have permission to perform searches for users on the LDAP server. When a distinguished name is not supplied, the LDAP server must allow anonymous searches.

Security Principal Password

The password for the user account required for back-end authentication requests.

IBM Security Directory Server

The options in this section specify default values for all IBM Security Directory Server back-end servers, unless specified otherwise in the individual back-end server records.

Search Base DN

The distinguished name (DN) where the search for user accounts starts.

Security Principal ID

The distinguished name (DN) of the user account used to access the back-end server and handle back-end authentication requests (security principal). The distinguished name must have permission to perform searches for users on the LDAP server. When a distinguished name is not supplied, the LDAP server must allow anonymous searches.

Security Principal Password

The password to be used for the security principal ID.

Attribute Mapping

The options in this section specify default values for all LDAP back-end servers, unless specified otherwise in the individual back-end server records.

User Name Attribute Name

The name of the user display name attribute on the back-end server. If user information synchronization is enabled, the user display name will be added to the user account during DUR user information synchronization.

Phone Attribute Name

The name of the landline number attribute on the back-end server. If user information synchronization is enabled, the user's landline number will be added to the user account during DUR user information synchronization.

Mobile Attribute Name

The name of the mobile number attribute on the back-end server. If user information synchronization is enabled, the user's mobile number will be added to the user account during DUR user information synchronization.

Email Attribute Name

The name of the email address attribute on the back-end server. If user information synchronization is enabled, the user's email address will be added to the user account during DUR user information synchronization.
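The Microsoft Active Directory and Global Catalog Domain Discovery fields above carry several rules that are easy to get wrong when the values are entered by hand: the port and timeout ranges, the DN-versus-SAM format of the security principal ID depending on whether SSL is enabled, the ban on the built-in administrator account, and the SSL Port being relevant only when Enable SSL for Back-End Servers is selected. The Timeout field also describes a failover behaviour (wait, then retry or move to another back-end server). The following Python is an added example, not OneSpan code: it expresses those documented rules as a pre-flight check over a settings dictionary, and models the timeout failover with a pluggable send function. The dictionary keys, the check names, the sample host and DN, and the "one attempt per server, in list order" failover model are all assumptions made for the example; the built-in administrator detection is a name-based heuristic and will miss a renamed account.

```python
"""Pre-flight checks for Global Configuration > Back-End Servers settings.

Added example, not OneSpan code. Only the ranges and rules come from the
documented field descriptions; the settings layout below is an assumption.
"""
from dataclasses import dataclass, field

# Constructed sample settings (assumption: keys mirror the table's field names).
DEFAULT_AD_SETTINGS = {
    "enable_ssl": True,
    "global_catalog_location": "gc.corp.example",        # constructed host
    "global_catalog_port": 3269,                         # constructed value
    "timeout": 10,                                       # seconds
    "security_principal_id": "CN=svc-ldap-auth,OU=Service,DC=corp,DC=example",
    "security_principal_password": "<placeholder>",
    "gc_enable_ssl_for_backends": True,
    "gc_ssl_port": None,   # empty: port resolved via DNS or the global catalog
}


@dataclass
class CheckResult:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def looks_like_dn(value: str) -> bool:
    """Rough test for an LDAP distinguished name such as CN=...,DC=...,DC=..."""
    parts = [p.strip() for p in value.split(",")]
    return all("=" in p for p in parts) and any(p.upper().startswith("DC=") for p in parts)


def is_builtin_administrator(principal_id: str) -> bool:
    """Heuristic (assumption): matches the default 'Administrator' name only."""
    sam_part = principal_id.split("\\")[-1].lower()
    return sam_part == "administrator" or principal_id.lower().startswith("cn=administrator,")


def check_ad_settings(s: dict) -> CheckResult:
    """Apply the documented constraints; errors block, warnings inform."""
    r = CheckResult()
    if not 0 <= int(s["global_catalog_port"]) <= 65535:      # documented range
        r.errors.append("global_catalog_port outside 0 to 65535")
    if not 0 <= int(s["timeout"]) <= 32767:                  # documented range
        r.errors.append("timeout outside 0 to 32767")

    spid = s["security_principal_id"]
    if is_builtin_administrator(spid):
        r.errors.append("built-in administrator account cannot be the security principal")
    if s["enable_ssl"]:
        # Encrypted connection: the security principal ID is a DN.
        if not looks_like_dn(spid):
            r.errors.append("SSL enabled: security_principal_id must be a DN")
    else:
        # Unencrypted connection: SAM account name, and the link is not encrypted.
        r.warnings.append("enable_ssl is false: connection to the global catalog is not encrypted")
        if looks_like_dn(spid):
            r.errors.append("SSL disabled: security_principal_id must be a SAM account name")

    # SSL Port is only enabled when Enable SSL for Back-End Servers is selected.
    port = s["gc_ssl_port"]
    if port not in (None, ""):
        if not s["gc_enable_ssl_for_backends"]:
            r.warnings.append("gc_ssl_port ignored: Enable SSL for Back-End Servers is cleared")
        elif not 1 <= int(port) <= 65535:                    # documented range
            r.errors.append("gc_ssl_port outside 1 to 65535")
    return r


def query_with_failover(servers, timeout, send):
    """Model of the Timeout field (assumption: one attempt per server, in order).

    `send(server, timeout)` returns a response or raises TimeoutError; on a
    timeout the next back-end server is tried. Returns (server, response).
    """
    last_error = None
    for server in servers:
        try:
            return server, send(server, timeout)
        except TimeoutError as exc:
            last_error = exc
    raise last_error or TimeoutError("no back-end servers configured")


def fake_send_factory(dead_servers):
    """Constructed stand-in for a directory query: listed servers never answer."""
    def send(server, timeout):
        if server in dead_servers:
            raise TimeoutError(f"{server} gave no response within {timeout}s")
        return f"ok from {server}"
    return send


if __name__ == "__main__":
    print(check_ad_settings(DEFAULT_AD_SETTINGS))
    print(query_with_failover(["dc1.corp.example", "dc2.corp.example"], 10,
                              fake_send_factory({"dc1.corp.example"})))
```

Run the checks before saving a changed record; because record changes reach other instances only via replication or the periodic cache refresh described at the top of the page, a mistyped port or a DN entered for an unencrypted connection can otherwise go unnoticed on some instances for a while.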