Back-end authentication

Back-end authentication describes the process of verifying user credentials with another system. It is used primarily to:

  • Enable automatic management features, such as Dynamic User Registration (DUR) and authenticator self-assignment.
  • Verify static passwords for users who do not have an authenticator and for Virtual Mobile Authenticator.
  • Retrieve RADIUS attributes from a RADIUS server.
  • Replace passwords to allow the user to log in with just a one-time password (OTP) in an environment where the Windows password is required (e.g. Outlook Web Access).

OneSpan Authentication Server supports back-end authentication with the following systems:

  • RADIUS
  • Windows back-end authentication
  • Microsoft Active Directory (via LDAP)
  • NetIQ eDirectory (via LDAP)
  • IBM Security Directory Server (via LDAP)
  • Custom solutions (require SDK)

The Back-End Authentication policy setting indicates whether to perform back-end authentication, and if so, when to do it. This policy setting is overridden by the same setting in the user account, unless that is set to Default. The setting in the user account is typically used only for rare special-case users.

The back-end authentication setting can be overridden using Windows group check in back-end mode. If a user is not a member of any of the listed groups, back-end authentication will be performed whether it is enabled or not.

The Back-End Protocol setting indicates which type of back-end authentication should be used. The possible values are:

None

OneSpan Authentication Server will not use back-end authentication.

Always

OneSpan Authentication Server will use back-end authentication for every authentication request.

This setting is required if you want to use offline authentication for Digipass Authentication for Windows Logon.

If Needed

Back-end authentication will only be used in situations where local authentication is not sufficient and to support certain features:

  • Dynamic User Registration
  • Authenticator self-assignment
  • Password autolearn
  • Requesting a challenge or Virtual Mobile Authenticator OTP, when the request method includes a password.
  • Static password authentication, when verifying a Virtual Mobile Authenticator password/OTP combination or during the grace period.

When a static password is used, it is first verified against the stored static password, if one exists. If the static password matches the stored static password, no back-end authentication is performed.

If the static password does not match the stored static password or the stored static password is not available, then back-end authentication will be performed.
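The following model ties together the decision rules described above for a static-password logon: the policy value (None, Always, If Needed), the user-account override that applies unless it is left at Default, the Windows group check that forces back-end authentication for users outside the listed groups, and the local-first fallback order for static passwords. It is an added illustration written for this page, not OneSpan code. The class and function names, the PBKDF2-based local password store and the in-memory dictionary standing in for the back-end system are assumptions chosen to make the flow runnable offline.

```python
"""Decision flow for back-end authentication on a static-password request.

Added illustration only, not OneSpan code. Class and function names, the
PBKDF2 local store and the in-memory back-end directory are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor for the (assumed) local password store
SALT_LEN = 16


class BackendPolicy(Enum):
    DEFAULT = "Default"      # user-account value meaning "use the policy setting"
    NONE = "None"
    ALWAYS = "Always"
    IF_NEEDED = "If Needed"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored record is salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_stored(password: str, record: bytes) -> bool:
    """Recompute the digest with the record's salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    stored_password: Optional[bytes]                 # None: no local static password
    backend_override: BackendPolicy = BackendPolicy.DEFAULT


def effective_policy(policy_setting: BackendPolicy, user: User) -> BackendPolicy:
    """The user-account value wins unless it is left at Default."""
    if user.backend_override is BackendPolicy.DEFAULT:
        return policy_setting
    return user.backend_override


def authenticate_static_password(
    user: User,
    password: str,
    policy_setting: BackendPolicy,
    listed_groups: Optional[FrozenSet[str]],
    backend_verify: Callable[[str, str], bool],
) -> Tuple[bool, bool]:
    """Return (accepted, back_end_was_consulted) for one static-password logon."""
    policy = effective_policy(policy_setting, user)
    # Windows group check in back-end mode: a user outside every listed group is
    # sent to the back-end regardless of the policy value.
    forced = listed_groups is not None and not (user.groups & listed_groups)
    if forced or policy is BackendPolicy.ALWAYS:
        return backend_verify(user.name, password), True
    local_ok = user.stored_password is not None and verify_stored(password, user.stored_password)
    if policy is BackendPolicy.NONE:
        return local_ok, False
    # If Needed: the stored static password is checked first; the back-end is
    # consulted only when it does not match or no stored password exists.
    if local_ok:
        return True, False
    return backend_verify(user.name, password), True


def make_demo():
    """Constructed sample data: two users and a dict standing in for the back-end."""
    directory = {"alice": "dir-secret", "bob": "bob-dir-secret"}

    def backend_verify(name: str, password: str) -> bool:
        expected = directory.get(name)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    alice = User("alice", frozenset({"vpn-users"}), hash_password("local-secret"))
    bob = User("bob", frozenset({"guests"}), None)   # no stored static password
    return alice, bob, backend_verify


if __name__ == "__main__":
    alice, bob, backend = make_demo()
    vpn = frozenset({"vpn-users"})
    for pw in ("local-secret", "dir-secret", "wrong"):
        print(pw, authenticate_static_password(alice, pw, BackendPolicy.IF_NEEDED, vpn, backend))
```

The second element of the returned tuple is the part worth logging in a real deployment: it tells you whether a given acceptance came from the local store or from the back-end, which is the distinction needed when tracing unexpected logons or confirming that a None policy really keeps the back-end out of the path.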