Info

Files of Indeed AM SMS OTP Provider reside in: indeed AM\Indeed AM Providers\Indeed SMS OTP Provider\<Version number>\

  • IndeedAM.AuthProviders.StorageSmsOTP-x64.msi is the installation package of Indeed SMS OTP Provider.
  • IndeedID.SMSOTP.Password.Encryptor.exe is the utility for encryption of SMS gateway password.
  • /Misc is the folder that contains the policy templates.


Indeed AM Storage SMS OTP Provider

Info

This provider is available only in the scenario with the Indeed AM Radius Extension component.


If you want to keep the Indeed AM data in the SQL database, you can use the Indeed AM Storage SMS OTP Provider. This provider will allow you to store, receive, and update the Indeed AM users' phone numbers in the SQL database. Phone numbers are stored in encrypted form.

Note

Indeed AM Storage SMS OTP Provider requires an SMS gateway. This gateway should be accessible from every Indeed AM server where Indeed AM SMS OTP Provider is to be installed.

The authenticator requires enrollment.

Installation

  1. Install Indeed SMS OTP Provider by running the IndeedAM.AuthProviders.SmsOTP-x64.msi installer.
  2. After the installation is complete, a system restart might be necessary. If the installation wizard prompts you to restart the system, confirm this action.
  3. The product is removed or restored using the standard procedure for the supported operating systems, via the Control Panel menu.

Provider registration 

You can use the lightweight version of the Indeed AM EAPhoneServer API to register providers. This solution was specially designed for the Storage SMS OTP Provider. Alternatively, you can use the main API of the Indeed system. 

Indeed AM OMNIKEY Provider 

About the Indeed AM OMNIKEY component

Indeed AM OMNIKEY Provider is designed to be used together with Indeed AM Windows Logon and Indeed AM Enterprise SSO. The component integrates HID OMNIKEY smartcard readers with the Indeed AM Access Management modules. For more information about OMNIKEY readers and cards, please visit the manufacturer's website. The following models of HID OMNIKEY scanners are currently supported:

How to set up authentication parameters

Job timeout when a smart card is removed 

The Windows Logon® policy determines the duration of the standard and service timeout following the removal of an authentication device. You can use this policy to set the time period (in seconds) between the removal of the smart card and the action performed in line with the Windows policy − Interactive logon: Smart card enhanced removal behavior. The standard timeout option prevents automatic system lockout in the event of an accidental removal of an authentication device.

The service timeout option prevents automatic system lockout when you need to remove an authentication device for a reason (to train an additional authenticator, use another account and a different authenticator to access the system, etc.). If you want to activate the service timeout, press and hold [Ctrl]+[L] before removing the device. If the policy has not been set or has been disabled, there will be no timeout before the automatic lockout of your workstation.

Authentication via Indeed AM OMNIKEY Provider

  1. Please select the login method during your first login to the system or to the app via Indeed AM authentication. You can do this by clicking Change Login Method on the Windows login screen (on the Authentication screen if you are using Enterprise SSO). Select Card (HID OMNIKEY) as a login method.
  2. Connect the HID OMNIKEY card reader and place a registered card on top of the device. 
  3. Authentication will be completed once the card data has been processed. If your login has been successful, card authentication will be saved as your preferred login method, and you will be prompted to use it again during your next login to the system or app.

How to collect server component logs 

How to collect Indeed AM server logs 

How to enable logger

  1. Use an administrator account to open this file: C:\inetpub\wwwroot\easerver\Config\nlog.config 
  2. In the logger tags, set the Minlevel parameter to Trace and the Enabled parameter to True.
  3. Save the file and restart the IIS server.

How to collect logs 

  • Delete the existing Indeed AM server logs in this folder: C:\inetpub\wwwroot\easerver\Logs. 
  • Reproduce the problem. 
  • Put together an archived log and send it to us along with a detailed description of user activity and the exact time when the problem was reproduced.

    Configuring the authentication parameters

    Info

    Before you start configuring group policies, add the Indeed AM policy templates to the list of administrative templates. The policy template files are included in the installation package and can be found in the Misc folder.

    SMS delivery service 

    The policy applies to Indeed servers. It allows you to configure the following settings for the connection to the SMS server:

    • Use tls defines whether encryption is to be used or not.
    • URL(IP address) defines the address of the server to connect to.
    • Port defines the connection port to use.
    • SystemId (Username) defines the account name to use for the connection to the server.
    • Password defines the account password to use for the connection to the server.

      Info

      The password can be defined either in explicit form or in encrypted form. To encrypt the password, use the IndeedAM.SMSOTP.Password.Encryptor.exe utility from the installation package of the provider.


    • SystemType is the field for the BIND_TRANSCEIVER PDU operation of the SMPP protocol.
    • Sender defines the sender name to be displayed to the SMS message recipient.
    • Additional text before OTP defines the message text that precedes the OTP. By default, only the OTP is sent. For advanced settings, use the following parameters:
      • <app> defines the name of the application that sent the authentication request.
      • <requestLocalServerTime> defines the local server time at which the request was received.
      • <requestComputerDns> defines the DNS name of the computer that sent the request.
      • <requestComputerIp> defines the IP address of the computer that sent the request.

        Info

        OTP code display is not configurable. It is always displayed at the end of the message.

        To enable word wrap in the message, modify the HKLM/SOFTWARE/Policies/Indeed-ID/BSPs/SMSOTP registry key: change the old "messageOTP" parameter of type "REG_SZ" to a "messageOTP" parameter of type "REG_MULTI_SZ".


    • SMS status timeout defines the timeout for receiving the status of the SMS from the server.
    • PDU with SMS status defines the PDU in which the server sends the status of the sent message.
    • source_addr_ton defines the Type of Number for the source address.
    • source_addr_npi defines the Numbering Plan Indicator for the source address.
    • dest_addr_ton defines the Type of Number for the destination.
    • dest_addr_npi defines the Numbering Plan Indicator for the destination.
    • esm_class defines the Message Mode & Message Type.
    • registered_delivery defines the indicator of request for SMSC or SME confirmation.
    • data_coding defines the encoding scheme for user data in the short message.
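
The last six parameters above are fields of the SMPP v3.4 submit_sm PDU. The following added example (not Indeed's code; the policy values, addresses and message text are constructed, and data_coding 0 is treated as plain ASCII for simplicity) builds such a PDU and decodes it again, which is the check to run on a captured PDU to confirm that the policy values are actually applied:

```python
import struct

SUBMIT_SM = 0x00000004  # SMPP v3.4 command_id of submit_sm

def _cstr(buf, pos):
    """Read a NUL-terminated C-octet string; return (text, next position)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1

def build_submit_sm(seq, src, dst, text, policy):
    """Build a submit_sm PDU from the policy fields (8 = UCS2, else ASCII)."""
    msg = text.encode("utf-16-be" if policy["data_coding"] == 8 else "ascii")
    body = b"\x00"  # service_type: empty
    body += bytes([policy["source_addr_ton"], policy["source_addr_npi"]]) + src.encode() + b"\x00"
    body += bytes([policy["dest_addr_ton"], policy["dest_addr_npi"]]) + dst.encode() + b"\x00"
    body += bytes([policy["esm_class"], 0, 0])  # esm_class, protocol_id, priority_flag
    body += b"\x00\x00"  # schedule_delivery_time, validity_period: empty
    # registered_delivery, replace_if_present_flag, data_coding, sm_default_msg_id, sm_length
    body += bytes([policy["registered_delivery"], 0, policy["data_coding"], 0, len(msg)]) + msg
    return struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, seq) + body

def parse_submit_sm(pdu):
    """Decode a submit_sm PDU and return the fields the policy controls."""
    length, cmd, _status, _seq = struct.unpack(">IIII", pdu[:16])
    if length != len(pdu) or cmd != SUBMIT_SM:
        raise ValueError("not a complete submit_sm PDU")
    out, pos = {}, 16
    _, pos = _cstr(pdu, pos)  # service_type
    out["source_addr_ton"], out["source_addr_npi"] = pdu[pos], pdu[pos + 1]
    out["source_addr"], pos = _cstr(pdu, pos + 2)
    out["dest_addr_ton"], out["dest_addr_npi"] = pdu[pos], pdu[pos + 1]
    out["destination_addr"], pos = _cstr(pdu, pos + 2)
    out["esm_class"] = pdu[pos]
    pos += 3  # skip esm_class, protocol_id, priority_flag
    _, pos = _cstr(pdu, pos)  # schedule_delivery_time
    _, pos = _cstr(pdu, pos)  # validity_period
    out["registered_delivery"], _, out["data_coding"], _, sm_len = pdu[pos:pos + 5]
    raw = pdu[pos + 5:pos + 5 + sm_len]
    out["short_message"] = raw.decode("utf-16-be" if out["data_coding"] == 8 else "ascii")
    return out

# Constructed sample: alphanumeric sender (TON 5), international E.164
# destination (TON 1 / NPI 1), delivery receipt requested, default alphabet.
SAMPLE_POLICY = {"source_addr_ton": 5, "source_addr_npi": 0, "dest_addr_ton": 1,
                 "dest_addr_npi": 1, "esm_class": 0, "registered_delivery": 1,
                 "data_coding": 0}
SAMPLE_PDU = build_submit_sm(1, "Indeed", "15550100", "Code for VPN: 482913", SAMPLE_POLICY)
```
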

    Configuring the message format 

    The policy defines how the date is displayed in the message. Format examples can be viewed here: https://docs.microsoft.com/dotnet/standard/base-types/standard-date-and-time-format-strings

    Enabled

    The date is displayed according to the format set in the policy.


    One-time password generation settings

    The policy applies to Indeed servers. It allows you to configure the one-time password length and the character groups used for password generation.

    Not Configured or Disabled

    If the policy is not configured or is disabled, the generated password is 4 characters long and contains digits only.

    Enabled

    The one-time password is generated according to the policy parameters. If the policy is not defined or is disabled, then the password can contain digits and lowercase Latin letters only, and would be 6 characters long.
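
To compare the two configurations this section mentions (4 digits, and 6 characters from digits and lowercase letters), the added example below generates an OTP from selected character groups with a CSPRNG and computes how likely a bounded number of guesses is to hit it. It is not Indeed's code; the group names and the `attempts` limit are assumptions, since the page does not describe how many verification attempts are allowed.

```python
import secrets
import string

# Character groups; the group names are assumptions, the page does not list them.
GROUPS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
}

def alphabet(groups):
    """Concatenate the selected character groups into one alphabet."""
    return "".join(GROUPS[g] for g in groups)

def generate_otp(length, groups):
    """Draw each character from the OS CSPRNG; secrets.choice is unbiased."""
    chars = alphabet(groups)
    return "".join(secrets.choice(chars) for _ in range(length))

def guess_probability(length, groups, attempts):
    """Chance that `attempts` distinct guesses hit one uniformly random OTP."""
    keyspace = len(alphabet(groups)) ** length
    return min(attempts, keyspace) / keyspace

def min_length(groups, attempts, max_probability):
    """Shortest OTP length that keeps the guess probability at or below the target."""
    length = 1
    while guess_probability(length, groups, attempts) > max_probability:
        length += 1
    return length

if __name__ == "__main__":
    # The two configurations mentioned in this section, with 3 guesses allowed
    # (the limit of 3 is an assumption for illustration).
    for length, groups in ((4, ["digits"]), (6, ["digits", "lower"])):
        print(length, groups, generate_otp(length, groups),
              guess_probability(length, groups, attempts=3))
```
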


    Settings of concurrent connection to SMPP server

    The policy applies to Indeed servers. It allows you to configure the processing order for requests to the SMPP server. The policy might be necessary if the SMPP server does not support multiple simultaneous connections from a single user (the account defined in the SMS delivery service policy).

    Not Configured or Disabled

    Connections to the SMPP server and message sending requests are performed in parallel.

    Enabled

    Connections to the SMPP server and message sending requests are performed in sequence.