OneSpan Authentication Server Appliance in a web environment

SOAP and SEAL can be used in a web environment. SOAP is available with OneSpan Authentication Server Appliance, the SDK, and Digipass Authentication Module products, such as Digipass Authentication for Citrix StoreFront or Digipass Authentication for IIS Basic.

SOAP integration

OneSpan Authentication Server Appliance has a SOAP module that can be used to integrate OneSpan Authentication Server Appliance with web applications.

The OneSpan Authentication Server Appliance SOAP interface allows the following functionality to be integrated:

• User authentication
• Signature validation
• Software authenticator provisioning
• Administration
• Reporting

Digipass Authentication for IIS Basic

Digipass Authentication for IIS Basic is an add-on designed for use with Microsoft Internet Information Services (IIS). It can be configured to intercept authentication requests and redirect them to OneSpan Authentication Server Appliance to verify the credentials with OneSpan Authentication Server Appliance first.

Normally, this means verifying the one-time password (OTP) value. If the OTP is valid, then OneSpan Authentication Server Appliance passes the static password back to IIS as if the user had entered it. The normal website authentication process completes the logon.

To enable verification via OneSpan Authentication Server Appliance, it is necessary to provide a static password (typically the Windows password) to IIS. There are two methods of implementing this:

Log on with OTP only

Using this method, the users only enter their OTP (and PIN if required). OneSpan Authentication Server Appliance has to learn the static password for the user, so that when the user provides the correct OTP, OneSpan Authentication Server Appliance can give the static password back to IIS.

Figure: OneSpan Authentication Server Appliance in an IIS web environment (OTP only)

OneSpan Authentication Server Appliance can automatically learn the static Windows passwords. The user has to perform at least one logon with the static password. If this password is validated by Windows, OneSpan Authentication Server Appliance can learn it.

The same process can also be used if the static passwords are held in a RADIUS server. However, the OneSpan Authentication Server Appliance license must have RADIUS support activated for this to be enabled.

This process is not possible if the static passwords are not Windows or RADIUS passwords. Such passwords will need to be entered manually.

Log on with password and OTP

Using this method, the users enter their static password and OTP at each logon. OneSpan Authentication Server Appliance validates the OTP. If valid, OneSpan Authentication Server Appliance returns only the static password to IIS.

Figure: OneSpan Authentication Server Appliance in an IIS web environment (OTP and password logon)

This method may be necessary when the static passwords are not Windows passwords, e.g. NetIQ eDirectory passwords. It also may be suitable if you do not want OneSpan Authentication Server Appliance to store your users' Windows passwords.

OneSpan Authentication Server Appliance strongly encrypts Windows passwords whenever it is configured to store them.