Configure the authentication server

Client record

In the authentication server, you need to configure a client record for the Digipass Authentication Module. Client record settings must include the following:

  • Set the Component type to IIS Module.
  • Set the Location to the IP address of the computer where the Digipass Authentication Module is installed.
  • Select a policy for the authentication server to use when processing authentication requests from the Digipass Authentication Module, e.g. the Identikey Windows Password Replacement policy.

    The used policy settings depend on your requirements. If you need different settings, either select a different policy (e.g. Identikey Windows Self-Assignment or Identikey Windows Auto-Assignment) for the client component, or copy the Identikey Windows Password Replacement policy to a new record, modify the new policy as required, and use the new policy for the client component.

    For more information about scenario-specific policy settings, see Policy.

You need to obtain a valid license key for the Digipass Authentication Module and load it into the client record.

Configuration for Windows user accounts

Windows user name resolution

If the authentication server is installed on a Windows platform, we recommend that you enable Windows user name resolution. This allows the authentication server to use Windows functionality to resolve a user ID – as entered during a logon – into a user ID and domain. If Dynamic User Registration (DUR) is used, Windows user name resolution should be enabled, too.

This setting is not available on OneSpan Authentication Server on Linux, or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.

If the Use Windows user name resolution setting is disabled or unavailable, it is essential that users always log on with exactly the same form of their logon name. If they enter a different form of their Windows account name (for example DOMAIN\user instead of user@domain, or the bare user name), the authentication server treats it as a different user ID and rejects the logon, unless a second OneSpan Authentication Server (OAS) user account has been created for that form.

Case sensitivity

Windows user names are case-insensitive. If the ODBC database used by the authentication server is case-sensitive, ensure that the user ID is converted to lower case before it is stored and looked up; otherwise a user who logs on as JDoe one day and jdoe the next will not match the same account. The embedded MariaDB database is set to convert to lower case by default. For more information, refer to the OneSpan Authentication Server Administrator Guide.

Default domain

Where users log on without entering a domain name or UPN, you need to configure the authentication server to use the correct domain. There are two basic scenarios that might apply:

Change master domain

If users will only ever be logging on to one domain via the authentication server, the simplest solution is to set the master domain name to the fully qualified domain name of the required domain.

This option is not available for OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.

Set default domain in policy

Use this strategy if:

  • You wish to keep the master domain strictly for administration accounts and separate from user accounts.
  • The authentication server may be required to handle a different default domain for different Digipass Authentication Module libraries or other clients.

You can configure each policy with a default domain to be used if a user does not enter a domain on logon. Typically, you will need to modify the policy used by each Digipass Authentication Module.
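The following Python script is an added illustration of the user name resolution, case conversion and default domain rules described in the three sections above; it is not OneSpan code. The NETBIOS_TO_FQDN mapping stands in for the Windows name-resolution call the server makes, the Policy class models the three settings discussed, and the USERS dictionary, the user jdoe, the domains and the Digipass serial are constructed stand-ins for the ODBC user store.

```python
"""Logon name resolution as an added illustration (not OneSpan code).

Assumptions not taken from the page: NETBIOS_TO_FQDN stands in for the
Windows name-resolution call the server makes; Policy models the three
settings discussed above; USERS is a constructed stand-in for the ODBC
user store keyed by (user ID, domain).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical NetBIOS -> FQDN mapping (in OAS this comes from Windows).
NETBIOS_TO_FQDN: Dict[str, str] = {"CORP": "corp.example.com"}

# Master domain of the server (the "change master domain" option above).
MASTER_DOMAIN = "master.example.com"


@dataclass(frozen=True)
class Policy:
    default_domain: Optional[str] = None   # "set default domain in policy"
    windows_name_resolution: bool = True   # "Use Windows user name resolution"
    lowercase_user_id: bool = True         # embedded MariaDB default


def split_logon_name(entered: str) -> Tuple[str, Optional[str]]:
    """Split DOMAIN\\user, user@upn-suffix or a bare user name into
    (user, domain); domain is None when the user entered none."""
    if "\\" in entered:
        domain, user = entered.split("\\", 1)
        return user, domain
    if "@" in entered:
        user, domain = entered.rsplit("@", 1)
        return user, domain
    return entered, None


def resolve(entered: str, policy: Policy) -> Tuple[str, str]:
    """Return the (user_id, domain) key the server would look up."""
    if policy.windows_name_resolution:
        user, domain = split_logon_name(entered)
        if domain is None:
            domain = policy.default_domain or MASTER_DOMAIN
        else:
            # Windows resolves a NetBIOS name to the domain's FQDN.
            domain = NETBIOS_TO_FQDN.get(domain.upper(), domain)
    else:
        # No resolution: the entered string is the user ID verbatim, so
        # "CORP\jdoe", "jdoe@corp.example.com" and "jdoe" are three
        # different user IDs (the case warned about above).
        user, domain = entered, policy.default_domain or MASTER_DOMAIN
    if policy.lowercase_user_id:
        user = user.lower()
    return user, domain.lower()


# Constructed user store: one OAS user account with a Digipass assigned.
USERS: Dict[Tuple[str, str], str] = {("jdoe", "corp.example.com"): "DP1234567"}


def find_user(entered: str, policy: Policy) -> Optional[str]:
    """Serial of the Digipass for the resolved account, or None when the
    logon would be rejected as an unknown user."""
    return USERS.get(resolve(entered, policy))


if __name__ == "__main__":
    pol = Policy(default_domain="corp.example.com")
    for name in ("CORP\\JDoe", "jdoe@corp.example.com", "JDOE"):
        print(f"{name!r:28} -> {resolve(name, pol)} {find_user(name, pol)}")
    legacy = Policy(default_domain="corp.example.com", windows_name_resolution=False)
    print("no resolution, CORP\\jdoe ->", find_user("CORP\\jdoe", legacy))
```

With resolution enabled, all three forms of the name map to the same account; with it disabled, only the bare form the account was created with is found, which is why the page insists that users then always log on with the same name. The policy default domain is consulted only when the user entered none; when no policy default is set, the master domain applies.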

Policy

Depending on your requirements and the scenarios in place, you may need to adapt the settings in the used policy. See Logon scenarios for a detailed description of scenario-specific policy settings.

Logon scenarios

For user logons, the following scenarios are possible:

  • Windows domain logon with password replacement
  • Windows domain logon without password replacement
  • Virtual Mobile Authenticator

The following tables list the relevant settings for each scenario, giving the location in the Administration Web Interface and the value to set. For more detailed information, refer to the OneSpan Authentication Server Product Guide and the OneSpan Authentication Server Administrator Guide.

Scenario settings—Windows domain logon with password replacement

These settings are typically used where the scenario described in Authorization with domain Windows user accounts is in place.

Location in Administration Web Interface: Value

POLICIES > Policy
  • Back-End Authentication: If Needed
  • Back-End Protocol: Windows (OneSpan Authentication Server) or Microsoft Active Directory (OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance)

  These settings allow the authentication server to verify user logon details with Windows or Active Directory in case of Dynamic User Registration (DUR) and self-assignment logons through the Digipass Authentication Module.

POLICIES > Users
  • Dynamic User Registration: Yes
  • Password Autolearn: Yes
  • Stored Password Proxy: Yes

  These settings allow the authentication server to create an account for an unrecognized user based on a successful Windows or Active Directory authentication. Password Autolearn lets the server learn the user's Windows password from that successful back-end authentication and store it, and Stored Password Proxy lets it return the stored password to the Digipass Authentication Module after a successful one-time password validation, so that the module can complete the Windows logon; this is what password replacement requires.

POLICIES > DIGIPASS
  • Assignment Mode: Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual assignment may also be used.

POLICIES > Policy
  • Local Authentication: DIGIPASS/Password During Grace Period
Scenario settings—Windows domain logon without password replacement

These settings are typically used where:

Location in Administration Web Interface: Value

POLICIES > Policy
  • Back-End Authentication: If Needed
  • Back-End Protocol: Windows or Microsoft Active Directory

  These settings allow the authentication server to verify user logon details with Windows or Active Directory in case of Dynamic User Registration (DUR) and self-assignment logons through the Digipass Authentication Module.

POLICIES > Users
  • Dynamic User Registration: Yes
  • Password Autolearn: No
  • Stored Password Proxy: No

  These settings allow the authentication server to create an account for an unrecognized user based on a successful Windows or Active Directory authentication. The authentication server will not store or replay a user's Active Directory password.

POLICIES > DIGIPASS
  • Assignment Mode: Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual assignment may also be used.

POLICIES > Policy
  • Local Authentication: DIGIPASS or Password or DIGIPASS/Password During Grace Period
Scenario settings—Virtual Mobile Authenticator

Location in Administration Web Interface: Value

POLICIES > Virtual DIGIPASS
  • Delivery Method: as required
  • Primary Virtual DIGIPASS: as required
  • Backup Virtual DIGIPASS: as required
  • Request Method: as required
  • Request Keyword: as required
  • BVDP Mode (Backup Virtual DIGIPASS mode): as required
  • Time Limit (days): as required
  • Max. Uses/User: as required