Configure Authentication Channels

A channel is the means by which an indirect user interacts with an organization.

For example, internet banking is a channel. A channel system, such as an internet banking server, is modeled in ActivID Appliance as a direct user, within one of the “systems” subgroups. When that channel system calls the API, such as in authenticating a banking customer, it passes a code that identifies the channel. This code is validated against a list of channels held in ActivID Appliance.

Channels are configured in ActivID Appliance for two purposes:

  • When defining an authentication policy, you specify the default channels over which that authentication policy is valid. Valid channels can be further restricted at the level of individual authentication records.
  • The audit log stores the channel through which a particular authentication or administrative function occurred. The log can be searched, filtered by channel.

ActivID Appliance has three types of channels:

  • Generic – the channel will be used for generic purposes (mainly service providers leveraging the ActivID Public API)

  • RADIUS – the channel will be used to handle RADIUS authentication requests and is essentially a generic channel with additional RADIUS-specific settings

    A RADIUS channel for the RFE deployment defines a group of access controllers and specifies how the authentication requests should be handled. Using a policy configured for the channel, you filter the requests according to the IP address or hostname of the access controllers.

    Important:
    • If you are deploying ActivID Appliance in a multi-domain environment and want users from more than one domain to authenticate via the RFE solution, you must configure one channel per domain, and the channel must be configured with IP addresses that are unique to the domain.

    • If you want to filter users based on LDAP groups via a RADIUS channel, you must create the Check Before profile configured with the generic dictionary BEFORE creating the channel (and then select it as an existing profile).

  • SAML Service Provider – the channel will be used for SAML service providers

Create a Channel

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Channels.
  3. All existing channels are listed in a paged table. The total number of channels is given in the lower left corner.

    Each row corresponds to a channel. It provides the following information in the different columns:

    • Name – the name of the channel
    • Type – the type (Generic, RADIUS or SAML Service Provider) of the channel

Launch the Channel Creation Wizard

  1. Click Add.

  2. Enter the Name and, optionally, a Description, for the channel.
  3. You can either accept the pre-assigned Code to identify the channel, or edit it.

  4. Note: The code is case-sensitive and can be a maximum length of 10 characters and must be unique. The code you specify for the channel cannot be changed once you have created the channel.

    Depending on the type of channel you want to create, the Add Channel page looks slightly different.

  5. From the Type drop-down list, select the channel type, and click Next.

Select the Trusted Identity Providers (Optional)

When the channel trusts an External Identity Provider that has been configured in the ActivID Appliance, the trusted Identity Provider can be enabled for the channel as described below.

Note: For further information about configuring external identity providers, contact HID Global Technical Support.

  1. From the drop-down list, select Available or All to view the possible trusted IdPs.

  1. Select the check box(es) for the required trusted IdP, click Next and proceed to Define the Authorization Profiles Selection Rules (Optional).

Define the Authorization Profiles Selection Rules (Optional)

An Authorization Profile Selection Rule is selected based on the role and Authentication Policy to be used for the user (dynamic authentication) and the roles granted to the user.

Each rule specifies the following conditions to control access:

Note: For push-based authentication via RADIUS, Check Before profiles are not supported (that is, Check Before attributes will not be applied).

  1. Select the Dictionary from the available list (filtered by the type of channel you are creating).

    • The attributes in this dictionary correspond to ActivID Appliance user attributes.
    • Dictionaries are text files of attributes to which you can add entries.
  2. Note: Only Check Before and Send After profiles defined using this dictionary can be selected when defining an Authorization Profile rule.
  3. Click Add to add authorization profiles selection rules.

  4. From the Authentication Policy drop-down list, select the authentication policy that must be enabled for the user’s group.

  5. From the User Role drop-down list, select the role that must be assigned to the user, click Next and proceed to Configure the Check Before Rule.

  6. Note: Each condition is independent, so the console does not check if the selected Authentication Policy is eligible for the selected User Role.

Configure the Check Before Rule

  1. Select the Check Before rule option and click Next:

    • No Check Before rule - no checks are performed before the authentication request is processed.
    • Check Before always succeeds - if the user role and authentication policy match those defined in the selection rule, and the provided credentials are valid, the authentication always succeeds.
    • Check Before always fails - if the user role and authentication policy match those defined in the selection rule, the authentication always fails (even if the provided credentials are valid).
    • Use existing Check Before authorization profile - from the drop-down list, select the existing profile.
    • Define new Check Before authorization profile - enter a Name for the new profile. You cannot modify the Dictionary selection.
  2. The subsequent steps depend on the selected option:

Configure the Send After Rule

  1. Select the Send After rule:
    • No Send After rule
    • Use existing Send After Authorization profile - from the drop-down list, select the existing profile.
    • Define new Send After Authorization profile - enter a Name for the new profile. You cannot modify the Dictionary selection.
  2. Note:  
    • If you did not configure a Check Before profile, then you must create/select a Send After profile (that is, the No Send After Authorization profile option is not available).
    • If there are no existing profiles, the Select Send After Authorization profile option is not displayed.
  3. The subsequent steps depend on the selected option:
  4. Either:

    • Click OK to save the selection rule, and then click Close when the success message appears. You return to the Add channel page.
    • Click Back to edit the rule.
  5. Note: You can change the profiles or create a new one, but you cannot edit the attribute selection.
  1. You can create multiple rules for the channel and define the order in which they should be applied by ActivID Appliance.

    Select the rule and move it to the required position in the Priority Order column using the Move up and Move down options.

    Important: When using a Send After profile on a RADIUS channel for push-based authentication, the corresponding rule must be first (1) in the Priority Order.
  1. Click Next and proceed to:

Configure the Channel Policy (RADIUS Only)

Note: The Channel Policy tab only applies to RADIUS channels.

  1. Enter and confirm the Shared secret.
  2. The Shared secret encrypts the information exchanges between the ActivID Appliance server(s) and the access controllers. The secret must be the same for each controller configured in the Channel policy. The secret must not exceed 40 characters.

  3. To configure the User Identification settings, select either:
    • User Centric to use the username for logon.
    • Device Centric to use the device serial number for logon.
    • ActivID Appliance looks up the user based on the serial number entered by the authenticating user.

  4. Click User Identification Configuration to define how the username or serial number is handled:
  1. To configure the access controllers that are authorized to use the channel for authentication, click Add.
    1. Select either:
      • Host name and enter the name of the machine hosting the access controller.
      • IP address and enter the address and range of the access controller.
      • Important: It is recommended that you use IP address rather than Host name. If the host name cannot be translated by the DNS, the RFE might not restart.
    2. Click Save.
    3. The access controller is displayed in the channel page and is now authorized to use the channel for authentication requests.

    4. If necessary, repeat the steps to authorize access for additional controllers.

    Note:  
    • A maximum of 10 authorized IP hosts (IP addresses) can be configured on the RADIUS Channel policy.
    • Make sure that each access controller is configured with the Shared secret you specified for the channel.
  2. If users will authenticate using challenge/response, configure the challenge settings by clicking Define Challenge Configuration.
    1. In the Challenge Promptfield, specify the prompt to display immediately before the challenge.
    2. In the Response Prompt field, specify the keyword to display immediately before response.
    3. In the Challenge Keyword field, specify the keyword to send to the authentication server requesting that it send a challenge back. ActivID Appliance uses this keyword (string) to generate a challenge. If you change it, be sure that you update your NAS and/or client.
    4. In the Out of Band Response Prompt field, specify the text sent to the NAS (RADIUS client) when using the Activation code.
    5. Click OK.

  3. If you want ActivID Appliance to redirect an authentication request to another authentication system, click Set Authentication Forward Policy.
  4. This is helpful for failed authentication requests (for example, if a user cannot be located in the LDAP directory). Conditional routing enables the system to route a user’s request directly to an external RADIUS authentication server.

    To define how failed authentication requests are handled, select one of the following options:

  5. To activate RADIUS push-based user authentication on this channel, click Define Push-based Authentication Configuration.
    1. In the Push Authentication Policy Code field, enter the authentication policy that will be used by the HID Approve mobile application to validate the logon requests.
    2. For the default push-based configuration, use the AT_PASA authentication policy (Mobile push-based Logon Validation).

    3. In the Push Keyword field, enter the keyword that the user will have to enter in the RADIUS client application (for example, a VPN client application) as the password to trigger the push-based authentication.
    4. In the Logon Request Message field, enter the message that will be displayed to the user by the HID Approve mobile application and click Ok.

  6. In the Channel Policy tab, click Next and proceed to Configure Fallback Authentication (Optional).

Configure Fallback Authentication (Optional)

Select one or both of the Fallback authentications available and click Next:

Click Next and proceed to:

Configure Adaptive Authentication Settings (Optional, Generic Only)

Note: The Adaptive Authentication tab only applies to generic channels.

The Adaptive Authentication settings are used in the HID Risk Management Solution (RMS) to bind an RMS source to the required channel. For further information, refer to the HID Risk Management Solution Integration Guide available from the ActivID Customer Portal.

Click Next and proceed to View the Allowed Authentication Policies.

View the Allowed Authentication Policies

Important: In order to enable the new channel, you must add it to an authentication policy.

The Allowed Authentication Policies tab lists the policies assigned to the channel. As this is a new channel, there are no policies currently assigned when the channel is created.

  1. Click Save to apply the channel settings.

  2. Add this channel to the required authentication policy(ies).

Edit a Channel

Important: Uploading incorrect metadata for the ActivID Management Console channel could damage the functioning of the Management Console. For best practice, do not upload new metadata. Instead, use the metadata already provided for this channel.
  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Channels.
  3. Edit the channel settings as required in each tab.

    All the tabs are accessible and all settings can be modified except the Code.

  4. Note: For RADIUS channels only, in the Channel Policy tab, you can either keep the current Shared Secret or update it:

  5. Click Save to apply your changes.

    If you want to cancel the operation, click Back to List.

Copy a Channel

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Channels.
  3. Select the check box of the channel that you want to copy.

  4. Click Copy.

  5. Edit the channel settings as required.

Delete a Channel

Prerequisites:

Make sure the channel is not linked to one or more authentication policies. You will not be able delete the channel if it is still in use.

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Channels.
  3. Select the check box of the channel that you want to delete and click Delete.

  4. When prompted, click Yes.

See also:

Configure SAML Channels/Service Providers

Configure Authorization Profiles