Configure the Authentication Server

Client record

In the authentication server, you need to configure a client record for the Digipass Authentication Module. Client record settings must include the following:

• Set the Component type to Windows Remote Desktop Web.

• Set the Location to the IP address of the computer where the Digipass Authentication Module is installed.

• Select a policy for the authentication server to use when processing authentication requests from the Digipass Authentication Module, e.g. the Identikey Windows Password Replacement policy.

  The used policy settings depend on your requirements. If you need different settings, either select a different policy (e.g. Identikey Windows Self-Assignment or Identikey Windows Auto-Assignment) for the client component, or copy the Identikey Windows Password Replacement policy to a new record, modify the new policy as required, and use the new policy for the client component.

  For more information about scenario-specific policy settings, see Policy.

You need to obtain a valid license key for the Digipass Authentication Module and load it into the client record.

Configuration for Windows user accounts

Windows user name resolution

If the authentication server is installed on a Windows platform, we recommend that you enable Windows user name resolution. This allows the authentication server to use Windows functionality to resolve a user ID — as entered during a logon —“ into a user ID and domain. If Dynamic User Registration (DUR) is used, Windows user name resolution should be enabled, too.

This setting is not available on OneSpan Authentication Server on Linux, or OneSpan Authentication Server Appliance/OneSpan Authentication Server Virtual Appliance.

If the Use Windows user name resolution feature is disabled or unavailable, it is essential that users always use the same logon name. If they try to log on with a different form of their Windows account name, their logon will be rejected, unless a second OAS user account has been created.

Case sensitivity

Windows user names are case-insensitive. If the ODBC database used by the authentication server is case-sensitive, ensure that the user ID case is converted to lower case. The embedded MariaDB database is set to convert to lower case by default. For more information, refer to the OneSpan Authentication ServerAdministrator Guide.

Default domain

Where users log on without entering a domain name or UPN, you need to configure the authentication server to use the correct domain. There are two basic scenarios that might apply:

Change master domain

Set default domain in policy

Policy

Depending on your requirements and the scenarios in place, you may need to adapt the settings in the used policy. See Logon scenarios for a detailed description of scenario-specific policy settings.

Logon scenarios

For user logons, the following scenarios are possible:

• Windows user account logon with OTP only (see Scenario settings—Windows user account logon with OTP only).

• Windows user account logon with password and OTP (see Scenario settings—Windows user account logon with password and OTP).

• 1-step Challenge/Response (see Scenario settings—1-step Challenge/Response).

• 2-step Challenge/Response (see Scenario settings—2-step Challenge/Response).

• Virtual Mobile Authenticator (see Scenario settings—Virtual Mobile Authenticator).

The following tables list the relevant settings for each scenario. For more detailed information, refer to the OneSpan Authentication Server Product Guide and the OneSpan Authentication Server Administrator Guide.