Structure of OneSpan Authentication Server

OneSpan Authentication Server is typically integrated within an organization's existing security infrastructure, where it interacts with other components, such as corporate and remote access clients, remote management applications, custom web applications, and back-end systems (see Figure: Structure of a typical OneSpan Authentication Server environment).

Figure: Structure of a typical OneSpan Authentication Server environment

Web applications

OneSpan Authentication Server provides support for web applications through an SDK based on the standard SOAP protocol. These applications may cover operational tasks such as authentication and signature validation, provisioning of software authenticators, or administration of DIGIPASS Authentication for Microsoft ADFS.

SOAP over HTTPS is supported for SOAP versions 1.1 and 1.2, using the 'Document Literal' binding. A variety of SOAP client SDKs have been tested.

Corporate and remote access clients

Some of the client components of OneSpan Authentication Server also use the SOAP protocol for communication, e.g. the Digipass Authentication Module components and Digipass Authentication for Windows Logon.

OneSpan Authentication Server supports the RADIUS protocol (according to RFC 2865) for remote network access authentication. Applications written to use RADIUS as their authentication protocol are therefore also supported.
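The RFC 2865 exchange that a RADIUS client and server carry out is shown below as an added example written for this page (it is not OneSpan code and does not use the product's API): a client builds an Access-Request with the User-Password hidden as the RFC prescribes, the server answers with an Access-Accept whose Response Authenticator binds the reply to the request and the shared secret, and the receiver verifies that authenticator before trusting the returned attributes. The shared secret, user name, password and Request Authenticator are constructed values.

```python
import hashlib
import struct

# Constructed values for this example; not taken from OneSpan documentation.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18  # RFC 2865 attribute types

def attr(atype, value):
    # RFC 2865 section 5: Type(1) Length(1) Value; Length includes the header.
    return struct.pack("!BB", atype, 2 + len(value)) + value

def hide_password(password, request_auth, secret=SHARED_SECRET):
    # RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(identifier, request_auth, username, password):
    # request_auth is the 16-byte random Request Authenticator chosen by the client.
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs

def build_response(code, request, attrs, secret=SHARED_SECRET):
    # RFC 2865 section 3: Response Authenticator =
    # MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request, response, secret=SHARED_SECRET):
    # The receiver recomputes the Response Authenticator over its own copy of the
    # request; a wrong shared secret or a modified attribute fails this check.
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]

def parse_attributes(packet):
    # Walk the TLV attribute list after the 20-byte header, rejecting bad lengths.
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs
```

Only an Access-Accept that passes verify_response should have its attributes acted upon; a reply that fails the check is indistinguishable from a forged or corrupted one.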

OneSpan Authentication Server as a service provider

OneSpan Authentication Server is a service that receives and processes requests from the various client components. It may refer to a back-end system for a part of the processing tasks.

OneSpan Authentication Server has a modular architecture incorporating the following key concepts:

Communicator modules

OneSpan Authentication Server provides a communicator module for each protocol for which it can receive and handle requests. Each communicator module can be enabled or disabled as required, subject to support in the server license.

The following communicator modules are present:

  • SOAP (requires a license option)
  • RADIUS (requires a license option)
  • SEAL (does not require a license option)

As of OneSpan Authentication Server 3.23, SOAP is by default enabled in all licenses. If your license was created prior to product version 3.23, you can contact OneSpan Support and request a free license upgrade.

Scenario modules

OneSpan Authentication Server includes a scenario module for each major group of functionality. Each scenario can be enabled or disabled as required, subject to support in the license.

The following scenarios are present:

  • Authentication (requires a license option)
  • Signature validation (requires a license option)
  • Provisioning (requires a license option)
  • Administration (does not require a license option)
  • Reporting (does not require a license option)
  • Replication (does not require a license option)
  • Auditing (does not require a license option)
  • Configuration (does not require a license option)
  • EMV-CAP (requires a license option)

Back-end systems

A back-end system is used as an authority for user accounts and static passwords, before a user account is created in OneSpan Authentication Server and the user starts to use an authenticator. A RADIUS server may be used for both back-end authentication and returning RADIUS attributes. For more information, see Back-end authentication.

Data synchronization tools

User accounts can be created in OneSpan Authentication Server and synchronized using the following tools:

  • LDAP Synchronization Tool synchronizes user information on OneSpan Authentication Server with external LDAP databases, such as Microsoft Active Directory and NetIQ eDirectory. For more information, refer to the LDAP Synchronization Tool Administrator Guide.
  • Password Synchronization Manager automatically updates the static password on OneSpan Authentication Server when a user has changed the Windows password (see Static password synchronization).

Data store

OneSpan Authentication Server uses a supported ODBC-compliant database to store administration and configuration data.

The OneSpan Authentication Server installation package also includes an embedded MariaDB database to facilitate quick setup.

Hardware security module (HSM)

A hardware security module (HSM) may be used to safeguard data (see Hardware security module setup).

OneSpan User Websites

OneSpan User Websites enable users to perform management and other tasks that are not available during usual login, such as user registration, authenticator assignment and activation, PIN change, and Virtual Mobile Authenticator one-time password (OTP) requests. You can provide and restrict access to functionality as required, and customize any cosmetic part of OneSpan User Websites to meet your corporate design and text requirements. If you want to use your own web pages with the OneSpan User Websites business logic, you can do so by implementing the correct HTML POST forms with all the required input fields.

For more information, refer to the OneSpan User Websites Administrator Guide.

DIGIPASS Gateway

DIGIPASS Gateway is a web service that acts as a front-end to OneSpan Authentication Server for authenticators. It is usually deployed in the demilitarized zone (DMZ), so that mobile applications on untrusted networks retrieve the authenticator data they need through the gateway instead of reaching OneSpan Authentication Server directly.

It is used in the following processes:

  • Multi-device activation. DIGIPASS Gateway is used to transmit activation data to compliant authenticators.

    For more information about multi-device activation, see Authenticator licensing and activation.

  • Upgrading to push notifications. This is required after an upgrade of the OneSpan Mobile Authenticator app from a version that does not support push notifications. For more information about the upgrade procedure, refer to the OneSpan Authentication Server Administrator Guide and the OneSpan User Websites Administrator Guide.

  • Push and login. Authentication via push notifications using the OneSpan Mobile Authenticator app (see Push notification–based authentication).

  • Push and sign. Transaction data signing via push notifications.

For more information about push notifications and the required components, refer to the Push Notification Solution Guide. For more information about integrating DIGIPASS Gateway, refer to the DIGIPASS Gateway product documentation.

Digipass Authentication for Windows Logon

Digipass Authentication for Windows Logon provides strong authentication when logging on to Windows client computers.

Digipass Authentication for Windows Logon comprises:

  • Client software that is installed on the Windows client
  • Server-side functionality within OneSpan Authentication Server
  • Password randomization (optional)

For more information, see Digipass Authentication for Windows Logon.