Basic authentication credentials

Digipass Authentication Module can modify the authentication credentials in two ways:

Stored Password Proxy

The standard Stored Password Proxy replaces an OTP entered by the user with the stored static password from the Digipass user account for back-end authentication checks by the authentication server. However, if the user enters a static password in front of their OTP, this static password takes precedence over the stored static password. In this case, the stored static password will not be used at all for that logon.

User attribute replacement

A different user ID and/or password may be set for individual Digipass user accounts. Typically, this would be used where a small number of local Windows accounts are used for authorization by a website. The Digipass Authentication Module will replace the user ID and/or password entered during logon with the values of those user attributes.

User ID and password replacement scenarios

In general, the Digipass Authentication Module enables website providers to authenticate web access via OTPs instead of static passwords. Users log on with an OTP, which is intercepted by the module and internally replaced with the stored static password associated with this user’s Digipass. Then, the static password is processed the same way as in an authentication process without OTP.

Authorization with domain Windows user accounts

In this scenario, domain Windows user accounts are used for authentication and authorization with Active Directory. Typically, the authentication server's password replacement would be used to allow a user to log on with an OTP only, with their Windows password stored in the authentication server and passed back to the Digipass Authentication Module. Alternatively, a user may be required to enter their password and OTP at every logon.

This approach requires the web server to be linked to Active Directory.

The authentication server checks the one-time password. If correct, the authentication server sends the Windows password back to the Digipass Authentication Module.

Authorization with password replacement by authentication server

The Digipass Authentication Module replaces the OTP entered by the user in the user's basic authentication credentials with the Windows password.

The website authorizes access according to the permissions set for domain user accounts.

Configuration settings for password replacement by the authentication server

Password replacement by the authentication server requires the following settings in the authentication server:

  • We recommend enabling Windows user name resolution (ODBC databases only, including the MariaDB database embedded in OneSpan Authentication Server) on Windows platforms.
  • Password Autolearn and Stored Password Proxy are enabled.
  • Windows back-end authentication is enabled.

Configuration settings for authentication without password replacement by the authentication server

Authentication without password replacement by the authentication server requires the following settings in the authentication server:

  • We recommend enabling Windows user name resolution (ODBC databases only, including the MariaDB database embedded in OneSpan Authentication Server) on Windows platforms.
  • Password Autolearn and Stored Password Proxy are disabled.
  • Windows back-end authentication is disabled (Windows platforms), or Microsoft Active Directory back-end authentication is disabled (OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance).

Each user will have to enter their password in front of their OTP during logon.

Authorization with local Windows user accounts, logon with Windows domain user accounts

In this scenario, Windows domain user accounts are used for authentication, and local Windows user accounts are used for authorization. The domain must be an Active Directory domain. Typically, Windows back-end authentication would be used with Dynamic User Registration (DUR) enabled. Password Autolearn and Stored Password Proxy are not required.

This approach removes the need for the web server to be linked to Active Directory, while retaining authentication of Active Directory accounts. It allows authorization permissions to be set according to user profiles if individual authorization is not required.

Authorization with the user attributes from the authentication server

The authentication server checks the OTP. If correct, the authentication server looks up the user name and password attributes for the Digipass user account and returns them to the Digipass Authentication Module.

You can view or edit the user attributes for a Digipass user via the User tab of the Administration Web Interface for OneSpan Authentication Server or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.

The website authorizes access according to permissions set for local accounts, with the user name and password attributes passed back from the authentication server. You might create only a few local accounts - one per authorization profile required - or a local account for each user.

The following authentication server settings are required:

  • We recommend enabling Windows user name resolution (ODBC databases only, including the MariaDB database embedded in OneSpan Authentication Server) on Windows platforms.
  • User attributes are set for each Digipass user account. For more information, see Basic authentication credentials.

Authorization with local Windows user accounts, logon with Digipass user accounts

In this scenario, Digipass user accounts are used for authentication, and local Windows user accounts are used for authorization. This approach is similar to the scenario described in Authorization with local Windows user accounts, logon with Windows domain user accounts, but has no link to Active Directory, even for authentication.

The authentication server checks the OTP. If correct, the authentication server looks up the user name and password attributes for the Digipass user account and returns them to the Digipass Authentication Module.

You can view or edit the user attributes for a Digipass user via the User tab of the Administration Web Interface for OneSpan Authentication Server or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.

The website authorizes access according to permissions set for local accounts, with the user name and password attributes passed back from the authentication server. You might create only a few local accounts - one per authorization profile required - or a local account for each user.

The following authentication server settings are required:

  • User attributes are set for each Digipass user account.

If the Digipass user account's user ID is the same as the local Windows account user ID, there is no need to set the user name attribute.

Configuration settings

Three user attribute settings are available in the Digipass Authentication Module configuration.

Replace user names with user attributes

This option enables or disables the replacement of the user ID entered during logon with a user attribute named User-Name. This will lead to the following results:

  • Setting enabled and user attribute set. The user ID set in the attributes for the relevant Digipass user account will be passed to the website.
  • Setting enabled and user attribute not set. The user ID entered during logon will be passed to the website.
  • Setting disabled. The user ID entered during logon will be passed to the website.

Replace passwords with user attributes

This option enables or disables the replacement of the password entered during logon with a user attribute named Password. This will lead to the following results:

  • Setting enabled and user attribute set. The password set in the attributes for the relevant Digipass user account will be passed to the website.
  • Setting enabled and user attribute not set. The password entered during logon will be passed to the website.
  • Setting disabled. The password entered during logon will be passed to the website.

The stored password will override the password entered during logon if Stored Password Proxy is ON and the user has a stored password.

Attribute group

Each user attribute has an attribute group name. This allows multiple Digipass Authentication Module products to use different values for the same user attributes without confusion.

Digipass user attribute settings

Any user attributes to be used by the Digipass Authentication Module will need these settings:

Attribute group

The value in this field must be identical to the value set in the Digipass Authentication Module configuration.

Name

The name for a user attribute must be either User-Name or Password.

Usage

The usage should be set to Basic.

Value

The value set for an attribute will be the alternate user ID or password.
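The following Python model shows what the web site ends up seeing in the Basic credentials once the rules from Basic authentication credentials, Configuration settings and Digipass user attribute settings are applied together: the Stored Password Proxy precedence (a static password typed in front of the OTP wins over the stored password), the two "Replace ... with user attributes" settings, and the attribute group, Name and Usage checks. It is an added example, not code from the Digipass Authentication Module or OneSpan. It assumes that the OTP is the trailing six digits of the password field (the page does not say how the module separates a typed static password from the OTP), it assumes a relative priority between the stored password and a Password attribute that the page does not state, and all user accounts, OTPs, passwords and the attribute group name WebSite-A are constructed.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# ASSUMPTION: the trailing OTP_LENGTH digits of the password field are the OTP.
OTP_LENGTH = 6


@dataclass
class ModuleConfig:
    """Digipass Authentication Module settings named on the page (values are hypothetical)."""
    stored_password_proxy: bool = True
    replace_user_names: bool = False
    replace_passwords: bool = False
    attribute_group: str = "WebSite-A"  # constructed group name


@dataclass
class DigipassUser:
    """A Digipass user account as held by the authentication server (constructed data)."""
    user_id: str
    valid_otp: str                          # the OTP the server would accept for this logon
    stored_password: Optional[str] = None   # static password used by Stored Password Proxy
    # user attributes keyed by (attribute group, name) -> (usage, value)
    attributes: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def attribute(self, group: str, name: str) -> Optional[str]:
        """Return an attribute value only if its group matches and its usage is Basic."""
        entry = self.attributes.get((group, name))
        if entry is None:
            return None
        usage, value = entry
        return value if usage == "Basic" else None


def basic_header(user: str, password: str) -> str:
    """Encode credentials as an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header: str) -> Tuple[str, str]:
    """Decode a Basic header value into (user ID, password field)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def split_static_and_otp(entered: str) -> Tuple[str, Optional[str]]:
    """Split the password field into (static password prefix, OTP); OTP = trailing digits (assumption)."""
    if len(entered) >= OTP_LENGTH and entered[-OTP_LENGTH:].isdigit():
        return entered[:-OTP_LENGTH], entered[-OTP_LENGTH:]
    return entered, None


def rewrite_credentials(header: str, config: ModuleConfig,
                        users: Dict[str, DigipassUser]) -> Optional[Tuple[str, str]]:
    """Return the (user ID, password) the web site will see, or None if the OTP check fails."""
    user_id, entered = parse_basic(header)
    static_prefix, otp = split_static_and_otp(entered)
    user = users.get(user_id)
    if user is None or otp is None or otp != user.valid_otp:
        return None  # the authentication server rejects the logon

    # Password precedence. Steps 1 and 2 follow the page; placing step 3 after step 2
    # is an ASSUMPTION, since the page does not rank the stored password against a
    # Password attribute.
    # 1. a static password typed in front of the OTP wins over the stored password;
    # 2. else Stored Password Proxy ON plus a stored password: the stored password replaces the OTP;
    # 3. else "Replace passwords with user attributes" ON plus a Password attribute: use the attribute;
    # 4. else the password entered during logon passes through unchanged.
    if static_prefix:
        password = static_prefix
    elif config.stored_password_proxy and user.stored_password:
        password = user.stored_password
    else:
        attr = user.attribute(config.attribute_group, "Password") if config.replace_passwords else None
        password = attr if attr is not None else entered

    # User ID: replaced only when the setting is ON and a User-Name attribute exists.
    out_user = user_id
    if config.replace_user_names:
        attr = user.attribute(config.attribute_group, "User-Name")
        if attr is not None:
            out_user = attr
    return out_user, password


# Constructed sample accounts: alice carries a stored Windows password for Stored Password
# Proxy; bob is mapped to a shared local account through User-Name and Password attributes.
USERS = {
    "alice": DigipassUser("alice", valid_otp="482913", stored_password="W1nd0ws-Pa55"),
    "bob": DigipassUser("bob", valid_otp="775201",
                        attributes={("WebSite-A", "User-Name"): ("Basic", "web_readers"),
                                    ("WebSite-A", "Password"): ("Basic", "Shared-Local-Pw")}),
}
```

Calling rewrite_credentials(basic_header("alice", "482913"), ModuleConfig(), USERS) returns ("alice", "W1nd0ws-Pa55"), while a logon of "MyTyped482913" returns ("alice", "MyTyped") because the typed static password takes precedence. With Stored Password Proxy off and both replacement settings on, bob's logon is rewritten to ("web_readers", "Shared-Local-Pw"); the same logon against a module configured with a different attribute group is passed through unchanged, which is the mismatch the Attribute group field is meant to prevent.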