OneSpan Authentication Server settings
  • 06 Jan 2025
Table: OneSpan Authentication Server general settings fields
Field name / Description

Authentication

Enabled

Enable or disable processing of authentication requests. The OneSpan Authentication Server license key must enable authentication for this setting to take effect.

Provisioning

Enabled

Enable or disable processing of provisioning requests. The OneSpan Authentication Server license key must enable provisioning for this setting to take effect.
Min. Reactivation Interval

The minimum length of time in minutes between activation attempts for a particular authenticator. Applies to single-device licensing only.

Default value: 1440

Max. Reactivation Attempts

The total number of successful activations per authenticator or authenticator license, respectively. Applies to single-device licensing and multi-device activation/multi-device licensing.

If you set the value to 0, the number of activations is unlimited.

Default value: 3

Max. Reactivation Locations

The maximum number of different locations at which a particular authenticator can be activated.

This only applies where the location is specified as part of provisioning (DIGIPASS for Web). Does not apply to multi-device activation/multi-device licensing.

Default value: 5

Online Provisioning Registration Identifier
Length

The minimum length of the registration identifier for online provisioning for Mobile Authenticator Studio.

Default value: 8

Character Set

The character set used for the registration identifier.

Possible values:

  • Alphanumeric
  • Numeric

Default value: Alphanumeric

Case

The letter case used for the character set for the registration identifier.

Possible values:

  • Upper Case
  • Lower Case
  • Mixed Case

Default value: Mixed Case

Online Provisioning Activation Password
Length

The minimum length of the activation password for online provisioning for Mobile Authenticator Studio.

Default value: 8

Character Set

The character set used for the activation password.

Possible values:

  • Alphanumeric
  • Numeric

Default value: Alphanumeric

Case

The letter case used for the character set for the activation password.

Possible values:

  • Upper Case
  • Lower Case
  • Mixed Case

Default value: Mixed Case
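The Length, Character Set and Case settings above together fix how many distinct registration identifiers or activation passwords exist, and therefore how much guessing an attacker faces. The following Python is an added example, not OneSpan code: it builds the alphabet a setting combination allows, draws values from it with a CSPRNG, checks that a supplied value conforms to the settings, and reports the keyspace in bits. The setting values are the ones listed on this page; the function names are the example's own.

```python
import math
import secrets
import string

# Added example; not OneSpan's provisioning code. The setting values are the
# ones this page lists: Character Set "Alphanumeric" / "Numeric" and
# Case "Upper Case" / "Lower Case" / "Mixed Case".


def alphabet(character_set: str, case: str) -> str:
    """Alphabet permitted by a Character Set / Case combination."""
    if character_set == "Numeric":
        return string.digits                     # Case has no effect on digits
    if character_set != "Alphanumeric":
        raise ValueError(f"unknown Character Set: {character_set}")
    letters = {
        "Upper Case": string.ascii_uppercase,
        "Lower Case": string.ascii_lowercase,
        "Mixed Case": string.ascii_letters,
    }
    if case not in letters:
        raise ValueError(f"unknown Case: {case}")
    return string.digits + letters[case]


def generate(length: int, character_set: str = "Alphanumeric",
             case: str = "Mixed Case") -> str:
    """Draw each position independently and uniformly with the OS CSPRNG.
    secrets.choice is unbiased; a naive random() % len(chars) would not be."""
    if length < 1:
        raise ValueError("length must be positive")
    chars = alphabet(character_set, case)
    return "".join(secrets.choice(chars) for _ in range(length))


def conforms(value: str, min_length: int, character_set: str = "Alphanumeric",
             case: str = "Mixed Case") -> bool:
    """True when value meets the minimum Length and uses only the alphabet.
    Useful for vetting identifiers produced elsewhere before they are
    accepted for provisioning."""
    allowed = set(alphabet(character_set, case))
    return len(value) >= min_length and all(ch in allowed for ch in value)


def keyspace_bits(length: int, character_set: str = "Alphanumeric",
                  case: str = "Mixed Case") -> float:
    """log2 of the number of distinct values the settings allow: the guessing
    work (to within one bit) for an attacker with no other hint."""
    return length * math.log2(len(alphabet(character_set, case)))


def compare_defaults() -> dict:
    """Keyspace in bits for the page defaults and weaker variants, side by side."""
    return {
        "8 Alphanumeric Mixed Case (default)": round(keyspace_bits(8), 1),
        "8 Alphanumeric Upper Case": round(keyspace_bits(8, "Alphanumeric", "Upper Case"), 1),
        "8 Numeric": round(keyspace_bits(8, "Numeric", "Mixed Case"), 1),
        "12 Numeric": round(keyspace_bits(12, "Numeric", "Mixed Case"), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_defaults().items():
        print(f"{label:<40} {bits:5.1f} bits")
    print("sample identifier:", generate(8))
```

With the defaults (8, Alphanumeric, Mixed Case) the keyspace is about 47.6 bits; keeping the length at 8 but switching Character Set to Numeric leaves about 26.6 bits, which is why a Numeric identifier should be paired with a larger Length.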

Signature

Enabled

Enable or disable the Signature scenario. The OneSpan Authentication Server license key must enable Signature for this setting to take effect.

EMV-CAP

Enabled

Enable or disable the EMV-CAP Hardware Security Module scenario.

Report

Enabled

Enable or disable the Report scenario.

SEAL configuration

Table: IDENTIKEY Authentication Server SEAL Configuration fields
Field name / Description

SSL Cipher Suite Security Level

Possible values:

  • High. Uses key lengths larger than 128 bits.
  • Medium. Uses keys equal to 128 bits.
  • Low. Uses 64-bit or 56-bit encryption algorithms, excluding export cipher suites.

Low enables algorithms (56-bit DES among them) that are broken by current standards; it is only justifiable for a legacy client that cannot do better. Keep production listeners on High.

For more information, see SSL cipher suites.

SEAL Certificate
Server Certificate

The server certificate presented on SSL-protected SEAL connections. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

A default certificate for SEAL connections is created automatically during setup.

SEAL Client Certificate Verification
Require Client Certificate

Indicates whether the client certificate is required during SSL processing.

Possible values:

  • Never
  • Optional
  • Required
  • Required - Signed Address Only

For more information, refer to the OneSpan Authentication Server Appliance Product Guide, Section "SSL".

CA Certificate Store

The CA certificate used to authenticate the clients. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If you select the default certificate for SEAL connections to use as Server Certificate, CA Certificate Store will be the certificate of the OneSpan Authentication Server Appliance root CA.

Re-verify On Re-Negotiation

If enabled, the client certificate is verified again whenever the SSL session is renegotiated, rather than only at the initial handshake.

For more information, refer to the OneSpan Authentication Server Appliance Product Guide, Section "SSL".

Automatically Trust Certificates

Check to automatically trust certificates. When enabled, the CA details are copied from the peer on each connection instead of being taken from a CA you imported, so verification succeeds against whatever chain the peer presents (see Automatically Trust Certificates under Audit settings for the mechanism). Leave it unchecked and import the client CA explicitly unless you control both ends of the connection.

SOAP configuration

Table: IDENTIKEY Authentication Server SOAP Configuration fields
Field name / Description

SSL Cipher Suite Security Level

Possible values:

  • High. Uses key lengths larger than 128 bits.
  • Medium. Uses key equal to 128 bits.
  • Low. Uses 64 or 56-bit encryption algorithms, excluding export cipher suites.

For more information, see SSL cipher suites.

SOAP Certificate
Server Certificate

The server certificate presented on SSL-protected SOAP connections. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

A default certificate for SOAP connections is created automatically during setup.

SOAP Client Certificate Verification
Require Client Certificate

Indicates whether the client certificate is required during SSL processing.

Possible values:

  • Never
  • Required

For more information, refer to the OneSpan Authentication Server Appliance Product Guide, Section "SSL".

CA Certificate Store

The CA certificate used to authenticate the clients. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If you select the default certificate for SOAP connections to use as Server Certificate, CA Certificate Store will be the certificate of the OneSpan Authentication Server Appliance root CA.

Re-verify On Re-Negotiation

If enabled, the client certificate is verified again whenever the SSL session is renegotiated, rather than only at the initial handshake.

For more information, refer to the OneSpan Authentication Server Appliance Product Guide, Section "SSL".

RADIUS configuration

Table: IDENTIKEY Authentication Server RADIUS Configuration fields
Field name / Description

Enable RADIUS Communication

Click to enable or disable the RADIUS communicator.

Authentication Port

The port number on which to listen for RADIUS access requests.

Accounting Port

The port number on which to listen for RADIUS accounting requests.
Server Certificate
SSL Security Level

Possible values:

  • Very High.
  • High. Uses key lengths larger than 128 bits.
  • Medium. Uses key equal to 128 bits.
  • Low. Uses 64 or 56-bit encryption algorithms, excluding export cipher suites.

For more information, see SSL cipher suites.
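The levels above, like the same levels on the SEAL and SOAP listeners, are described in the terms OpenSSL uses for its HIGH, MEDIUM and LOW cipher-string keywords. The following Python is an added example, not OneSpan code: assuming the levels map onto those keywords, it asks the local OpenSSL build which cipher suites each level actually enables, reports the weakest symmetric strength, and flags any suite below a 128-bit floor. Very High has no definition on this page, so it is not mapped; the function names are the example's own.

```python
import ssl
from typing import List, Optional, Tuple

# Added example, not OneSpan code. Assumption: the appliance's level names map
# onto OpenSSL's cipher-string keywords of the same name (the descriptions on
# this page match OpenSSL's). "Very High" is not defined on the page and is
# deliberately left out.
LEVEL_TO_CIPHER_STRING = {
    "High": "HIGH:!aNULL:!eNULL",
    "Medium": "MEDIUM:!aNULL:!eNULL",
    "Low": "LOW:!aNULL:!eNULL",
}


def ciphers_for_level(level: str) -> List[Tuple[str, str, int]]:
    """(name, protocol, strength_bits) of every TLS 1.2-and-below suite the
    level enables on this host's OpenSSL build. TLS 1.3 suites are excluded
    because OpenSSL configures them separately from the cipher string. An
    empty list means the build has nothing left at that level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(LEVEL_TO_CIPHER_STRING[level])
    except ssl.SSLError:            # raised when no suite at all matches
        return []
    return [
        (c["name"], c["protocol"], c["strength_bits"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def weakest_bits(level: str) -> Optional[int]:
    """Smallest symmetric key strength the level admits, or None if it admits nothing."""
    suites = ciphers_for_level(level)
    return min(bits for _, _, bits in suites) if suites else None


def check_floor(level: str, floor_bits: int = 128) -> Tuple[bool, List[str]]:
    """(True, []) when every suite the level enables has at least floor_bits
    of symmetric strength; otherwise (False, offending suite names). A level
    that enables no suite also fails, because a listener configured with it
    could not complete any handshake."""
    suites = ciphers_for_level(level)
    offenders = [name for name, _, bits in suites if bits < floor_bits]
    return (bool(suites) and not offenders), offenders


if __name__ == "__main__":
    for level in LEVEL_TO_CIPHER_STRING:
        ok, offenders = check_floor(level)
        print(f"{level:<7} suites: {len(ciphers_for_level(level)):3d}  "
              f"weakest: {weakest_bits(level)}  meets 128-bit floor: {ok}")
        for name in offenders:
            print(f"         below floor: {name}")
```

Run it on a host whose OpenSSL major version matches the appliance's to see what Medium and Low really contain there. On OpenSSL 1.1.0 and later the Low list is empty unless the library was built with weak ciphers enabled, so selecting Low on such a build leaves the listener unable to negotiate anything.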

Server Certificate

The certificate used to encrypt connections using the RADIUS protocol. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

A default certificate for RADIUS connections is created automatically during setup.

RADIUS Dictionary File
Default Dictionary

Click the icon to download the default dictionary of RADIUS attributes.

Each dictionary file contains a list of RADIUS attributes and values, which the server uses to map between descriptive names and on-the-wire data. The names have no meaning outside of the RADIUS server itself, and are never exchanged between server and clients.

Upload New Dictionary

Use this function to upload your own set of RADIUS attributes. Once you have uploaded your own RADIUS attribute file, it will be marked as “current” (in use) and will be available for download.

For more information, see RADIUS dictionary format.

Back-end settings

Table: IDENTIKEY Authentication Server Back-End Settings fields
Field name / Description

IBM Security Directory Server

Enabled

Select this option to activate the IBM Security Directory Server LDAP back-end server type for OneSpan Authentication Server.
IBM Directory SSL Certificate

The certificate used to authenticate OneSpan Authentication Server to the IBM Security Directory Server back-end server. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

Microsoft Active Directory
Enabled

Select this option to activate the Microsoft Active Directory back-end server type for OneSpan Authentication Server.
AD SSL Certificate

The certificate used to authenticate OneSpan Authentication Server to the Active Directory (AD) back-end server. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

NetIQ eDirectory
Enabled

Select this option to activate the NetIQ eDirectory back-end server type for OneSpan Authentication Server. For more information about NetIQ eDirectory back-end servers, refer to the OneSpan Authentication Server Appliance Product Guide.

RADIUS

Enabled

Select this option to activate the RADIUS back-end server type for OneSpan Authentication Server. For more information about RADIUS back-end servers, refer to the OneSpan Authentication Server Appliance Product Guide.

Server discovery

Table: IDENTIKEY Authentication Server - Server Discovery fields
Field name / Description

Enabled

Select this option to activate server discovery for OneSpan Authentication Server.

DNS Server Address

Enter the IP address of the DNS server.

Authentication Type

Possible values:

  • None. Use this for DNS service registration with a DNS server that accepts unauthenticated dynamic DNS updates. Any host that can reach the DNS server can then register or overwrite the same records, so prefer TSIG wherever the DNS server supports it.
  • TSIG. Use this for DNS service registration with a DNS server that supports dynamic DNS with TSIG authentication.

Shared Key File

Browse to the TSIG key file, if the TSIG authentication type is used (see previous field).

DNS Domain

Enter the domain name.

Host Name

The FQDN of the machine hosting OneSpan Authentication Server. You may also enter an IP address in this field.

Priority

Possible values:

  • Primary. This OneSpan Authentication Server instance is the first to which authentication requests are sent during Windows logon, where more than one OneSpan Authentication Server instance exists on the network.
  • Backup. This OneSpan Authentication Server instance receives authentication requests during Windows logon when more than one OneSpan Authentication Server instance exists on the network and the instance specified as Primary is unavailable.

Audit settings

Table: IDENTIKEY Authentication Server Auditing fields
Field name / Description
Send Audit Messages To Syslog
Syslog Message Type

Select one or more of these options, to enable logging the respective audit message type(s).

Possible values:

  • Error
  • Warning
  • Info
  • Success
  • Failure

For more information, see Audit message types.

Remote Audit Viewer
Enable Remote Audit Viewer

If the option is enabled, you can use the OneSpan Authentication Server Audit Viewer (client application).
Maximum Connections

The maximum number of Audit Viewer clients that can be connected to OneSpan Authentication Server at the same time. A high number of connections could impact performance.

Default value: 3.

Authentication Timeout

Number of seconds until an authentication times out in case of inactivity.

Default value: 60 (in seconds).

Audit message type

Select one or more of these options to enable the respective audit message type(s).

Possible values:

  • Error
  • Warning
  • Info
  • Success
  • Failure

For more information, see Audit message types.

Audit Viewer SSL
Enable SSL Connections

Select this option if you want to secure the audit connection with SSL.

SSL Cipher Suite Security Level

OneSpan Authentication Server Appliance supports SSL cipher suites at the Very High, High, Medium, and Low levels. For more information, refer to the OneSpan Authentication Server Appliance Administrator Guide.
Server Certificate

The certificate used to encrypt audit connections via SSL. The list contains all valid certificates created/imported using the Certificate Management tab (see Certificate management).

A default certificate for SEAL connections is created automatically during setup.

Certificate Password

The password for the certificate file.

Client Certificate Verification

Require Client Certificate

Sets whether an SSL client certificate, and hence a Certificate Authority (CA) certificate to verify it against, is required. If you do not require an SSL client certificate, select Never from the list. If you select any setting other than Never, you must select a CA certificate.
CA Certificate Store

The CA certificate used to authenticate the clients. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If you select the default certificate for SEAL connections to use as Server Certificate, CA Certificate Store will be the certificate of the OneSpan Authentication Server Appliance root CA.

Re-Verify On Re-Negotiation

If you select this option, an SSL handshake is performed each time the Audit Viewer is re-connected to OneSpan Authentication Server, i.e. the connection is forced to be re-verified each time a connection is established.

Note that enabling the Re-Verify on Re-Negotiation option may incur a performance penalty; therefore this option should be enabled only if absolutely necessary.

Automatically Trust Certificates

When this option is enabled, the server copies the certificate authority details from the remote end of each connection into an empty file specified in the CA Certificate Store field and verifies the connection against those copied details. Because the trust anchor is supplied by the peer itself, this cannot detect an impostor presenting its own chain; it only removes the need to import the CA manually. Leave it disabled and import the Audit Viewer's CA explicitly unless the audit connection is confined to a network you trust.

Tracing settings

Table:  IDENTIKEY Authentication Server Tracing fields
Field name / Description
Trace Level

Possible values:

  • None. No tracing / disable tracing
  • Basic. Shows all logging information, except debugging information
  • Full. Shows all logging information, debugging information included. This level is recommended for troubleshooting.
  • Debug. Shows all logging information, with more debugging information included. This setting is only for use when advised to do so by OneSpan Customer Service.
Trace File Rotation

Number of Archived Logs

The number of log files to be archived. Older logs are removed, and OneSpan Authentication Server Appliance can keep a maximum of 10 logs. As such, the maximum accepted value for this field is also 10.

Rotate On

Select whether logs should be rotated based on the following:

  • Days. The number of days they exist.
  • Size. The size in MB of the log file.

Performance monitoring

Table: IDENTIKEY Authentication Server Performance Monitoring fields
Field name / Description

Enabled

Enables/disables the performance monitoring system.

CSV Plugin

Enable CSV Plugin

Click to enable the CSV plug-in.

Enable Log Rotation

CSV log files can be rotated, with a new file being created after a specified elapsed time period, or when a specified size is reached. Select this option to enable CSV log file rotation.

Number of Archived Logs

Specify the number of CSV log files to keep. The number of archived CSV log files remains constant: each rotation adds a new file to the archive list and the oldest file is lost.
Rotate On

Select the criteria to decide when to rotate the log file.

  • Size. Rotate when the log file exceeds a specified size limit.
  • Days. Rotate after a specified amount of time.
Size

The file size limit for log file rotation. This value is given in KB.

Default value: 10240

Days

The time limit for log file rotation.

Default value: 1

Compression

Select this option to compress the kept CSV log files.

Counter Plugin

Enabled

Click to enable the Counter plug-in. The Counter plug-in generates data relating to the number of times certain transactions have been performed and publishes it through the SNMP server. The Counter plug-in is only available if SNMP is enabled, and its data can only be viewed via SNMP.
Filters
Add Filter

Filters allow the performance monitoring tool to restrict the amount of information that it monitors.

At least one filter must be provided. The filter must consist of the name of a performance transaction.

The filter can contain the exact name of the performance transaction, or wildcards can be used to identify a group of transactions.

For more information about performance monitoring filters, see Performance monitoring.

System monitoring alerts

These settings allow you to define SNMP traps, SMS and email warnings for OneSpan Authentication Server events. For more details about system monitoring, see System monitoring.

Table: System Monitoring Settings fields 
Field name / Description

Enabled

If selected, notifications are enabled.
Targets

List of notification targets. Notification targets define where and how notifications are sent.

Click Add target to add a new target (see Add target).

Filters

List of notification filters. Notification filters restrict the audit messages that are monitored.

Click Add filter to add a new filter (see Add filter).

Add target

Table: System Monitoring Target fields
Field name / Description
Type

Notification target type.

Possible values:

  • SNMP
  • Email
  • SMS
Name

The target name used to distinguish between different notification targets.

SNMP

Host

The IP address of the SNMP host to which SNMP traps will be sent.
Type

SNMP notification type.

Possible values:

  • INFORM. This type expects an acknowledgment and will resend the message until it gets a response.
  • TRAP. This is an SNMPv3 trap. For this notification target, an engine ID field is displayed (read-only) which is required to configure the receiving SNMP server.
  • TRAPv2c. This is an SNMPv2c trap.

Security Name

The user name for SNMPv3 or the community name for SNMPv2c.
Authentication Type

Required, if SNMP Type is set to INFORM or TRAP. Specifies whether messages sent and received on behalf of this user can be authenticated, and if so, which authentication protocol to use.

Possible values:

  • MD5
  • SHA

Authentication Secret

Required, if SNMP Type is set to INFORM or TRAP. Pass phrase used to create the authentication key.

Privacy Type

Available, if SNMP Type is set to INFORM or TRAP. Specifies whether messages sent and received on behalf of this user can be encrypted, and if so, which encryption protocol to use.

Possible values:

  • AES
  • DES
  • None

Choose SHA with AES wherever the trap receiver supports them: MD5 and DES are the legacy SNMPv3 protocols, and None sends the trap contents, including audit text, in cleartext.

Privacy Secret

Available, if SNMP Type is set to INFORM or TRAP. Passphrase used to create the encryption key.

Community string

Required, if SNMP Type is set to TRAPv2c. SNMPv2c sends the community string in cleartext with every trap, so treat it as a shared secret and do not reuse a read/write community here.
Email
From

The sender's email address.

Subject

The message subject header field.

To

The recipient's email address.

SMS

Mobile

The phone number to send the message to.

Add filter

Table: System Monitoring Filter fields 
Field name / Description

Enabled

If selected, the filter is enabled.

Name

The filter name used to distinguish between different filters.

Target

List of notification targets as specified in the Targets section (see Add target).
Filter

Optional. List of audit filters. Filters restrict the audit messages that are monitored. A filter defines match criteria that must be met to trigger a notification.

Click Add to define a new audit filter.

You can configure a notification to be sent to multiple recipients/channels by adding multiple targets to a single filter.

Severity

The severity settings allow you to select conditions to monitor. You can choose multiple condition types:

  • Error
  • Success
  • Warning
  • Failure
  • Info

Message Delivery Component

The Message Delivery Component (MDC) is used to send notifications and one-time passwords by SMS, email, or voice message when Virtual Mobile Authenticator is used.

For more information about setting up Virtual Mobile Authenticator, refer to the OneSpan Authentication Server Appliance Administrator Guide.

Table: Message Delivery Component Settings fields
Field name / Description

Enabled

Select this option to activate the Message Delivery Component.
Tracing
Trace Level

Possible values:

  • None. No tracing / disable tracing.
  • Basic. Shows all logging information, except debugging information.
  • Full. Shows all logging information, debugging information included. This level is recommended for troubleshooting.
Enable Log Rotation

Select this option to enable log rotation. Log rotation specifies when new log files are created, based on the number of days they exist (their age) or the log file size.

Number of Archived Logs

The number of log files to be archived. The oldest log file is removed.
Rotate On

Select whether logs should be rotated based on the following:

  • Days. The number of days they exist.
  • Size. The size in MB of the log file.

Compress Archived Logs

Select this option to compress the archived logs to save disk space.
SMS Delivery
Gateways

List of SMS gateways.

Click Add SMS Server to define a new HTTP/HTTPS SMS gateway. For more information, see Add SMS server.

Click Add SMPP Server to define a new SMPP gateway. For more information, see Add SMPP server.

E-Mail Delivery
Gateways

List of email gateways.

Click Add SMTP Server to define a new SMTP gateway. For more information, see Add SMTP server.

Voice Delivery
Gateways

List of voice gateways.

Click Add Voice Server to define a new voice gateway. For more information, see Add voice server.

Importing and exporting gateways

For each gateway option, an Import gateway and an Export gateway button are available. These functions allow you to import and export a description file and easily apply gateway settings from different OneSpan Authentication Server Appliance instances, or to import gateway settings from OneSpan Authentication Server into OneSpan Authentication Server Appliance (and vice versa).

Add SMS server

Table: SMS Server fields
Field name / Description

Enabled

If selected, this gateway is enabled.

Profile

Name of the MDC profile. This should not be confused with the profile's display name. The MDC profile name is non-unique and thus more than one MDC profile with the same name may exist for this delivery method. The highest-ranked, enabled, and available MDC profile with the specified profile name will be used.

Name

Display name of the MDC profile. Ad-hoc field used primarily to describe and further identify the profile.
Server Type

Specifies how MDC performs load-balancing, failover, and/or fail-back.

Possible values:

  • Primary
  • Backup
Connection Settings
URL

The complete URL of the HTTP/HTTPS gateway, including the protocol, URI, and port.

protocol://host[:port][/path]

If the port is omitted, then standard values are assumed depending on the specified protocol, i.e. port 80 for HTTP, and port 443 for HTTPS.

Examples:

http://myHost/myPath

https://myHost:443/

Certificate

The CA certificate used to verify encrypted connections to the gateway. Required, if the gateway uses HTTPS. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If the list does not contain the correct certification authority (CA), you can select Add Authority from the list to upload a certificate file using the Upload Certificate wizard.

SMS Gateway Account Settings
User Name

The user name needed to authenticate with the gateway.

Password

The password needed to authenticate with the gateway.

Query & Result

Form Method

This field designates either the GET or POST method for transferring account and message data to the HTTP/HTTPS gateway. With GET the whole query string, gateway account password and OTP included, becomes part of the request URL, which web servers and proxies commonly record in their logs; prefer POST where the gateway supports it.
Query String

This field defines the query string which is submitted to the HTTP server if the form method is GET. This string must contain all the required variables that are expected by the HTTP gateway.

<Query type="string" data="UN=[User name]&PW=[password]&TY=T&NB=[destination]&ME=[message]&FL=F&ON=FromVM&TM=Y"/>

The following parameters can be included in the query string and are set by MDC before submitting the query:

  • [acc_user]. Specifies the account name for the gateway used to submit the information.
  • [acc_pwd]. Sets the password for the gateway account specified by the [acc_user] parameter.
  • [otp_msg]. Specifies the part of the query string where the OTP is substituted.
  • [otp_dest]. Specifies the part of the query string where the destination for the OTP (usually the mobile phone number) is substituted. The query string should also incorporate any other parameters which might be expected by the gateway.
Post Params

This field defines the query string which is submitted to the HTTP server if the form method is POST. This string must contain all the required variables that are expected by the HTTP gateway.

<Query type="string" data="UN=[User name]&PW=[password]&TY=T&NB=[destination]&ME=[message]&FL=F&ON=FromVM&TM=Y"/>

The following parameters can be included in the query string and are set by MDC before submitting the query:

  • [acc_user]. Specifies the account name for the gateway used to submit the information.
  • [acc_pwd]. Sets the password for the gateway account specified by the [acc_user] parameter.
  • [otp_msg]. Specifies the part of the query string where the OTP is substituted.
  • [otp_dest]. Specifies the part of the query string where the destination for the OTP (usually the mobile phone number) is substituted. The query string should also incorporate any other parameters which might be expected by the gateway.
Result Matching Rules

List of result matching rules. A result page is returned by the gateway service when a text message is submitted by the GET or POST methods. This page would normally be a HTML formatted page containing specific error codes and/or additional messages for success/failure.

Click Add Result to define a new result matching rule.

Message Delivery Component Result
Name

Description used to distinguish between different result matching rules.

Message Type

The category of the result message.

Possible values:

  • Information. Message has been delivered successfully.
  • Warning. The submission or delivery failed, but it is most likely a specific error only affecting this user.
  • Error. An error occurred while attempting delivery.
Matching Pattern

This field specifies the result page template to match the result page returned by the HTTP service. If this template is matched, the corresponding audit message is composed and returned to OneSpan Authentication Server Appliance.
Audit Text

This field specifies the audit message template for the message to be compiled and sent back to OneSpan Authentication Server Appliance.

Variables may be included in this field.
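The placeholders in the Query String and Post Params fields are substituted into the query as text, so whatever is in [otp_dest] or [otp_msg] lands in the gateway's form parameters. The following Python is an added example, not OneSpan's MDC code. It shows why each substituted value has to be form-encoded (an unencoded '&' in a destination adds a second parameter, and the '+' of an E.164 number decodes as a space), where the account credentials end up with GET versus POST, and how an ordered list of result matching rules turns the gateway's response into an Information, Warning or Error outcome. The template uses the page's placeholder names with the UN/PW/NB/ME parameters from the page's sample string; the hostile destination value, the result pages and the patterns are constructed for the example, and treating Matching Pattern as a regular expression is an assumption.

```python
import re
from urllib.parse import parse_qs, quote

# Added example, not OneSpan's MDC code. Placeholder names are the ones this
# page documents; the gateway parameter names (UN, PW, NB, ME, ...) come from
# the page's sample query string. Everything else is constructed.

PLACEHOLDER = re.compile(r"\[(acc_user|acc_pwd|otp_msg|otp_dest)\]")


def render_query(template: str, values: dict) -> str:
    """Substitute placeholders with percent-encoded values so that '&', '='
    or '+' inside a phone number or message cannot add or alter gateway
    parameters, and survive the gateway's form decoding unchanged."""
    def repl(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder [{key}]")
        return quote(str(values[key]), safe="")
    return PLACEHOLDER.sub(repl, template)


def render_query_naive(template: str, values: dict) -> str:
    """Plain string replacement, kept only to show what goes wrong without encoding."""
    out = template
    for key, value in values.items():
        out = out.replace(f"[{key}]", str(value))
    return out


def decoded_params(query: str) -> dict:
    """How an HTTP gateway will see the parameters after form decoding."""
    return parse_qs(query, keep_blank_values=True)


def build_request(base_url: str, form_method: str, template: str, values: dict):
    """Return (url, body) for the configured Form Method. With GET the rendered
    query, account password included, is part of the URL and therefore of any
    web-server or proxy log; with POST it travels in the request body."""
    query = render_query(template, values)
    if form_method == "GET":
        return f"{base_url}?{query}", None
    if form_method == "POST":
        # sent with Content-Type: application/x-www-form-urlencoded
        return base_url, query.encode("ascii")
    raise ValueError(f"unsupported Form Method: {form_method}")


# Result matching rules, evaluated in order: (name, message type, pattern).
# Treating Matching Pattern as a regular expression is an assumption here.
RESULT_RULES = [
    ("accepted", "Information", r"\bSTATUS=OK\b"),
    ("bad number", "Warning", r"\bSTATUS=ERR\b.*\bINVALID_NUMBER\b"),
    ("auth failure", "Error", r"\bSTATUS=ERR\b.*\bAUTH\b"),
]


def classify_result(page: str, rules=RESULT_RULES):
    """(rule name, message type) of the first rule whose pattern matches the
    result page. A page matching no rule is an Error: an unrecognised
    response must never be audited as a successful OTP delivery."""
    for name, message_type, pattern in rules:
        if re.search(pattern, page, re.DOTALL):
            return name, message_type
    return None, "Error"


# Constructed sample following the shape of the page's sample query string.
TEMPLATE = "UN=[acc_user]&PW=[acc_pwd]&TY=T&NB=[otp_dest]&ME=[otp_msg]&FL=F&ON=FromVM&TM=Y"
SAMPLE = {
    "acc_user": "mdc-service",
    "acc_pwd": "s3cret&pass",
    "otp_dest": "+32470000000&ME=ignored",      # hostile destination value
    "otp_msg": "Your one-time password is 482913",
}

if __name__ == "__main__":
    print("encoded :", decoded_params(render_query(TEMPLATE, SAMPLE)))
    print("naive   :", decoded_params(render_query_naive(TEMPLATE, SAMPLE)))
    print(classify_result("STATUS=OK ID=12345"))
```

The naive rendering hands the gateway two ME parameters and a destination whose leading '+' has become a space; the encoded rendering keeps every value inside its own parameter. The rule order matters as well: put the most specific success pattern first, and let anything unmatched fall through to Error.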

Test SMS
Send Test Message To

Phone number to send a message to test the configuration settings.

Click Test Settings to effectively send a test message.

Add SMPP server

Table: SMPP Server fields
Field name / Description

Enabled

If selected, this gateway is enabled.

Profile

Name of the MDC profile; should not be confused with the profile's display name. The MDC profile name is non-unique and thus multiple MDC profiles with the same name may exist for this delivery method. The highest-ranked, enabled, and available MDC profile with the specified profile name will be used.

Name

Display name of the MDC profile; ad-hoc field used primarily to describe and further identify the profile.

Server Type

Specifies how the MDC performs load-balancing, failover, and/or fail-back.

  • Primary
  • Backup

Connection Settings

IP Address

The IP address of the SMPP server.

Port

The server port used by the SMPP server.

Default value: 2775

Certificate

SSL Enabled

If selected, the SMPP server uses encryption.

Certificate

The CA certificate used to verify encrypted connections to the gateway. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If the list does not contain the correct certification authority (CA), you can select Add Authority from the list to upload a certificate file using the Upload Certificate wizard.

SMS Gateway Account Settings

User Name

The user name required to authenticate with the SMPP server.

Password

The password required to authenticate with the SMPP server.

SMPP System Settings

System Type

Name to identify the gateway.

Message Mode

Specifies how Message Delivery Component handles messages sent to the gateway.

  • Datagram. When sending a message, Message Delivery Component expects a confirmation on whether the gateway received the message.
  • Transaction. When sending a message, Message Delivery Component expects a confirmation on whether the gateway and the intended recipient received the message.

Priority Flag

The priority level of messages sent by Message Delivery Component. A higher number indicates a higher priority.
Privacy Indicator

The privacy level of sent messages.

  • None
  • Not Restricted
  • Restricted
  • Confidential
  • Secret
SMPP Source Address
Type of Number (TON)

The type of number (TON) of the addresses used for outgoing messages sent by the gateway.

  • Unknown
  • International
  • National
  • Network Specific
  • Subscriber Number
  • Alphanumeric
  • Abbreviated
Numbering Plan Indicator (NPI)

The numbering plan indicator (NPI) as specified in the SMPP specification.

Number

The phone number used as the sender's address.
SMPP Destination Address
Type of Number (TON)

The type of number (TON) of the addresses of incoming messages served by the gateway.

Numbering Plan Indicator (NPI)

The numbering plan indicator (NPI) as specified in the SMPP specification.
SMPP Timeout Settings
Transaction Timeout (sec)

The time span Message Delivery Component waits to receive a reply for a transaction request until the transaction fails. The value is given in seconds.

Default value: 10

Inactivity Timeout (sec)

The time span a session remains active before Message Delivery Component terminates it automatically. The value is given in seconds.

Default value: 300

Enquire Link Timeout (sec)

The time span between operations before Message Delivery Component sends an enquire_link request to the gateway to test whether the gateway has still an active session. The value is given in seconds.

Default value: 10

Test SMS

Send Test Message To

Phone number to send a message to test the configuration settings.

Click Test Settings to effectively send a test message.

Add SMTP server

Table: SMTP Server fields
Field name / Description

Enabled

If selected, this gateway is enabled.

Profile

Name of the MDC profile. This should not be confused with the profile's display name. The MDC profile name is non-unique and thus more than one MDC profile with the same name may exist for this delivery method. The highest-ranked, enabled, and available MDC profile with the specified profile name will be used.

Name

Display name of the MDC profile. Ad-hoc field used primarily to describe and further identify the profile.
Server Type

Specifies how the MDC performs load-balancing, failover, and/or fail-back.

Possible values:

  • Primary
  • Backup
SMTP Host

SMTP Host

Enter the FQDN or IP address of the SMTP server used by this email gateway.
SMTP Port

Enter the port number of the SMTP server.

Default value: 25

Connection Security

Select the applicable encryption used on the SMTP server.

Possible values:

  • No SSL/TLS. No encryption is used (default setting). With this setting the SMTP credentials and every one-time password sent by email cross the network in cleartext.
  • SSL. The SMTP server uses SSL to encrypt mail traffic. A certificate file needs to be uploaded.
  • TLS. The SMTP server uses TLS to encrypt mail traffic. A certificate needs to be uploaded.
Certificate

The CA certificate used to verify encrypted connections to the gateway. Required, if SSL or TLS is selected as Connection Security. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If the list does not contain the correct certification authority (CA), you can select Add Authority from the list to upload a certificate file using the Upload Certificate wizard.

Authentication
Enable SMTP Authentication

Allow OneSpan Authentication Server Appliance to log in to the SMTP server automatically.

Username

The user name required to authenticate with the SMTP server.

Password

The password required to authenticate with the SMTP server.

SMTP Options
From Address

The email address which should appear in the From field when a notification is sent.

Test E-mail
Send Test Message To

The email address to send a message to test the configuration settings.

Click Test Settings to effectively send a test message.
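The Connection Security and Authentication settings above decide how a client must open the SMTP session. The following is an added example (not OneSpan's code) that maps each setting to the matching client behaviour and enforces the combinations the table requires, namely that SSL and TLS need an uploaded CA certificate. The function names, the sample settings, and the reading of "TLS" as STARTTLS on a plain connection are assumptions of this example.

```python
# Added example (not OneSpan's code): maps the SMTP "Connection Security"
# choices to how a client must open the session and enforces the combinations
# the settings table requires. Function names, the STARTTLS reading of "TLS",
# and the sample settings are assumptions of this example.
import smtplib
import ssl
from typing import Optional


def smtp_security_plan(security: str, port: int = 25, ca_cert: Optional[str] = None,
                       auth_enabled: bool = False) -> dict:
    """Describe how to connect for one Connection Security value.

    "SSL" is read as TLS from the first byte (smtplib.SMTP_SSL); "TLS" as a
    plain session upgraded with STARTTLS. Both verify the server against the
    uploaded CA certificate, so a missing certificate is a configuration error.
    """
    choice = security.strip().upper()
    warnings = []
    if choice == "NO SSL/TLS":
        if auth_enabled:
            # The default setting: SMTP AUTH credentials would cross the network unprotected.
            warnings.append("SMTP credentials are sent in plaintext")
        return {"mode": "plain", "starttls": False, "verify": False,
                "port": port, "warnings": warnings}
    if choice not in ("SSL", "TLS"):
        raise ValueError(f"unknown Connection Security value: {security!r}")
    if not ca_cert:
        raise ValueError(f"{choice} requires a CA certificate to verify the server")
    return {"mode": "implicit_tls" if choice == "SSL" else "starttls",
            "starttls": choice == "TLS", "verify": True,
            "port": port, "warnings": warnings}


def tls_context(ca_cert: str) -> ssl.SSLContext:
    """Trust only the configured CA and check the certificate against the host name."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_test_message(host: str, plan: dict, ca_cert: Optional[str], username: Optional[str],
                      password: Optional[str], from_addr: str, to_addr: str) -> None:
    """Open the session the way the plan prescribes and send a one-line test mail.
    Needs a reachable SMTP server, so it is not exercised offline."""
    msg = (f"From: {from_addr}\r\nTo: {to_addr}\r\nSubject: MDC test message\r\n\r\n"
           "Test message from the SMTP gateway configuration.\r\n")
    if plan["mode"] == "implicit_tls":
        server = smtplib.SMTP_SSL(host, plan["port"], context=tls_context(ca_cert))
    else:
        server = smtplib.SMTP(host, plan["port"])
        if plan["starttls"]:
            server.starttls(context=tls_context(ca_cert))
    with server:
        if username:
            server.login(username, password)
        server.sendmail(from_addr, [to_addr], msg)
```

The point of the plan step is that the default "No SSL/TLS" combined with Enable SMTP Authentication exposes the SMTP account credentials on the wire; selecting SSL or TLS without uploading the CA certificate leaves the server identity unverified, which is why the example refuses that combination instead of falling back to an unverified connection.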

Add voice server

Table: Voice Server fields
Field name / Description
Enabled

If selected, this gateway is enabled.

Profile

Name of the MDC profile. This should not be confused with the profile's display name. The MDC profile name is non-unique and thus more than one MDC profile with the same name may exist for this delivery method. The highest-ranked, enabled, and available MDC profile with the specified profile name will be used.

Name

Display name of the MDC profile. Ad-hoc field used primarily to describe and further identify the profile.

Server Type

Specifies how MDC performs load-balancing, failover, and/or fail-back.

Possible values:

  • Primary
  • Backup
Connection Settings
URL

The complete URL of the voice gateway, including the protocol and host and, optionally, the port and path:

protocol://host[:port][/path]

If the port is omitted, the standard port for the specified protocol is assumed, i.e. port 80 for HTTP and port 443 for HTTPS.

Examples:

http://myHost/myPath

https://myHost:443/


Certificate

The CA certificate used to verify encrypted connections to the gateway. Required if the gateway uses HTTPS. The list contains all valid and trusted CA certificates imported using the Certificate Management tab (see Certificate management).

If the list does not contain the correct certification authority (CA), you can select Add Authority from the list to upload a certificate file using the Upload Certificate wizard.

Voice Gateway Account Settings
User Name

The user name needed to authenticate with the gateway.

Password

The password needed to authenticate with the gateway.

Voice Settings
Phone Number Prefix

A prefix that is automatically added to the beginning of the user's phone number when sending a voice message.

Query & Result
Form Method

This field designates either the GET or POST method for transferring account and message data to the HTTP/HTTPS gateway.

Query String

This field defines the query string which is submitted to the HTTP server if the query method is GET. This string must contain all the required variables that are expected by the HTTP gateway.

<Query type="string" data="UN=[Username]&PW=[password]&TY=T&NB=[destination]&ME=[message]&FL=F&ON=FromVM&TM=Y"/>

The following parameters can be included in the query string and are set by MDC before submitting the query:

  • [acc_user]. Specifies the account name for the gateway used to submit the information.
  • [acc_pwd]. Sets the password for the gateway account specified by the [acc_user] parameter.
  • [otp_msg]. Specifies the part of the query string where the OTP is substituted.
  • [otp_dest]. Specifies the part of the query string where the destination for the OTP (usually the mobile phone number) is substituted. The query string should also incorporate any other parameters which might be expected by the gateway.
Post Params

This field defines the query string which is submitted to the HTTP server if the query method is POST. This string must contain all the required variables that are expected by the HTTP gateway.

<Query type="string" data="UN=[Username]&PW=[password]&TY=T&NB=[destination]&ME=[message]&FL=F&ON=FromVM&TM=Y"/>

The following parameters can be included in the query string and are set by MDC before submitting the query:

  • [acc_user]. Specifies the account name for the gateway used to submit the information.
  • [acc_pwd]. Sets the password for the gateway account specified by the [acc_user] parameter.
  • [otp_msg]. Specifies the part of the query string where the OTP is substituted.
  • [otp_dest]. Specifies the part of the query string where the destination for the OTP (usually the mobile phone number) is substituted. The query string should also incorporate any other parameters which might be expected by the gateway.
Result Matching Rules

List of result matching rules. A result page is returned by the gateway service when a text message is submitted by the GET or POST method. This page is normally an HTML-formatted page containing specific error codes and/or additional messages for success or failure.

Click Add Result to define a new result matching rule.

MDC Result
Name

Description used to distinguish between different result matching rules.

Message Type

The category of the result message.

Possible values:

  • Information. Message has been delivered successfully.
  • Warning. The submission or delivery failed, but it is most likely a specific error only affecting this user.
  • Error. An error occurred while attempting delivery.
Matching Pattern

This field specifies the result page template to match against the result page returned by the HTTP service. If this template matches, the corresponding audit message is composed and returned to OneSpan Authentication Server Appliance as the audit message.

Audit Text

This field specifies the audit message template for the message to be compiled and sent back to OneSpan Authentication Server Appliance.

Variables may be included in this field.
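The Query String, Post Params and Result Matching Rules fields describe one round trip: MDC fills the bracketed parameters into the configured string, submits it to the gateway URL, and classifies the returned page. The following is an added example (not OneSpan's or MDC's code) that carries that round trip through in Python on constructed data: it substitutes the [acc_user], [acc_pwd], [otp_dest] and [otp_msg] parameters with URL-encoding, derives the default port from a gateway URL of the form protocol://host[:port][/path], and evaluates a small set of result matching rules. The wildcard syntax used for matching patterns, the rule set, the encoding choice and all function names are assumptions of this example; the page does not specify the template syntax.

```python
# Added example (not OneSpan's or MDC's code). Fills an MDC-style query
# template, derives the gateway endpoint from its URL, and classifies the
# gateway's result page with matching rules. The '*' wildcard syntax for
# matching patterns and the sample rules are constructed assumptions.
import re
from urllib.parse import quote, urlsplit

# Parameters the documentation says MDC sets before submitting the query.
PLACEHOLDERS = ("acc_user", "acc_pwd", "otp_dest", "otp_msg")


def fill_query(template: str, values: dict) -> str:
    """Substitute [name] placeholders in the configured query string.

    Each value is URL-encoded, so a destination or message that contains
    '&' or '=' stays a single parameter value and cannot add or alter the
    parameters the gateway expects. A placeholder without a value is an
    error rather than being passed through literally.
    """
    def repl(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder [{name}]")
        return quote(str(values[name]), safe="")
    return re.sub(r"\[(\w+)\]", repl, template)


def gateway_endpoint(url: str) -> dict:
    """Parse protocol://host[:port][/path]; default to port 80/443 as the page states.

    Also flags whether a CA certificate is needed to verify the connection
    (the page requires one when the gateway uses HTTPS)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"gateway URL must use http or https, got {parts.scheme!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "path": parts.path or "/", "ca_cert_required": parts.scheme == "https"}


# Constructed result matching rules: (Name, Message Type, Matching Pattern).
# '*' matches any run of characters; rules are tried top-down, first match wins.
RESULT_RULES = [
    ("delivered", "Information", "*STATUS=OK*"),
    ("bad_number", "Warning", "*ERR=INVALID_DESTINATION*"),
    ("gateway_error", "Error", "*ERR=*"),
]


def _wildcard_to_regex(pattern: str) -> "re.Pattern":
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.S)


def classify_result(page: str, rules=RESULT_RULES) -> tuple:
    """Return (rule name, message type) for the first rule whose pattern matches.

    A page no rule matches is reported as an Error: a delivery that cannot
    be confirmed must not be audited as a success."""
    for name, msg_type, pattern in rules:
        if _wildcard_to_regex(pattern).match(page):
            return name, msg_type
    return "unmatched", "Error"
```

The last rule in the constructed set is deliberately the broadest, so that a specific gateway error is reported as a Warning for that user while any other error text is still caught and audited as an Error.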

Test Voice
Send Test Message To

Phone number to send a message to test the configuration settings.

Click Test Settings to effectively send a test message.

LDAP user synchronization

LDAP user synchronization is server-specific and therefore requires configuring specifically for different LDAP servers. To set up synchronization you need to configure a synchronization profile. The Configuration Tool allows you to configure the following:

  • General settings for a synchronization profile.
  • Filter fields. Records to be synchronized from the source LDAP server can be filtered by matching certain attributes. All attributes listed must match for a user account to be synchronized.
  • Attribute mapping fields. This is the mapping of LDAP server attributes to user account properties.

For example configurations, refer to the OneSpan Authentication Server Appliance Administrator Guide.

For more information about LDAP user synchronization, refer to the OneSpan Authentication Server Appliance Product Guide.

Table: LDAP User Synchronization: General fields
Field name / Description
Tracing
Tracing

Possible values:

  • None. No tracing/disable tracing.
  • Basic. Show all logging information, except debugging information.
  • Full. Show all logging information, debugging information included. This level is recommended for troubleshooting.
Adding a Synchronization Profile
Enabled

Select this option to enable automatic synchronizations using this synchronization profile at the frequency defined in the Frequency field.

The default value is disabled, in which case the profile is not operational and no user accounts are updated or copied from the LDAP server.

Description

A description should be entered to help identify this synchronization profile.

Start Time

The time that the first synchronization of a day is to start.

Frequency

The frequency defines the interval at which automatic synchronization occurs, once the profile has been manually configured. Synchronization frequency can be configured from every 15 minutes to every 24 hours.

Create Users

Select this option to allow users to be created during synchronizations.

Delete Users

If this option is selected, the LDAP synchronization process will go through the users that it has created on OneSpan Authentication Server Appliance, and will check to make sure that they still exist on the LDAP side. If they do not exist, they will be deleted from OneSpan Authentication Server Appliance. This function does not work if the Reporting Scenario is not enabled in OneSpan Authentication Server Appliance.

Enable Created Users

If users are to be created during synchronization, create them as enabled users.

Update Users

Allow synchronization to update existing users.

Possible values:

  • None. Do not update existing users during synchronization.
  • All. Update all existing users during synchronization, if necessary.
  • Created by LDAP Synchronization only. Only update user records previously created by LDAP synchronization.
  • Not created by LDAP Synchronization. Only update user records not previously created by LDAP synchronization.
LDAP URI

This is the protocol and host of the source LDAP server.

Bind DN

This is the distinguished name to authenticate towards the LDAP server. This should be a string-represented DN as defined in RFC 1779. Entering the bind DN is optional.

Bind Password

This is the bind password to authenticate towards the LDAP server. Entering the bind password is optional.

Search Base

The search base is the starting point for searches in the LDAP server. This should be a string-represented DN as defined in RFC 1779.

Filter

This field serves to add LDAP attribute filter properties to the synchronization profile (see Table: LDAP User Synchronization: Attribute filter fields).

Attribute Mapping

This field serves to add LDAP attribute mapping properties to the synchronization profile (see Table: LDAP User Synchronization: Attribute mapping fields).

Destination

This field defines the domain and optionally the organizational unit on OneSpan Authentication Server Appliance where the user accounts will be created or updated. The field therefore defines the root of the replicated organizational structure.

Create Missing OU's

Select this option to enable the synchronization process to create the same organizational structure on the destination data store as exists on the source LDAP data store. The synchronization will create the organizational structure on the destination data store if it does not already exist.

Mirror OU Structure

During synchronization the LDAP Synchronization Tool tries to reconcile the organizational structure of the source LDAP data store with the organizational structure of the destination data store:

  • If the structures are the same: The synchronization will proceed without creating any more organizational units.
  • If the structures differ: To create any missing organizational units with users in them, the option Create Missing OU's needs to be selected. With this option selected, users in organizational units will be created that already exist in OneSpan Authentication Server.
Include LDAP Children

Allow synchronization to create records derived from LDAP children. This option will replicate the organizational structure of the source LDAP data store onto the destination OneSpan Authentication Server data store, where the organizational structure will be created if it does not already exist. If the Mirror Organizational Unit Structure option is not selected, the LDAP children will be synchronized, but on the destination OneSpan Authentication Server data store they will be created straight under the root directory, without extra organizational units being created.

Return DIGIPASS to Parent OU on Move/Delete

If, during synchronization, the LDAP Synchronization Tool detects that a user has been deleted, it will reassign the user's authenticator to the organizational unit's administrator account. The LDAP Synchronization Tool will interpret a moved user as being deleted from its original organizational unit. When the user is created in its new organizational unit by the tool, the original authenticator will be re-assigned to the user.


Table: LDAP User Synchronization: Attribute filter fields
Field name / Description
Attribute

This must be the name of an LDAP server attribute. All attributes listed must match for a user account to be synchronized.

Match

This is the value for the attribute defined in the previous field and must match for a user account to be retrieved for synchronization. Asterisks can be used as wildcards for the value, indicating zero or more characters.

Table: LDAP User Synchronization: Attribute mapping fields
Field name / Description
Type

This field defines whether the mapping is for one of the following:

  • For an LDAP attribute name (Type: ldap).
  • For a constant value (Type: constant).
Source Attribute/Value

For type ldap, this entry should be an LDAP attribute name.

For type constant, this entry should be the value of the corresponding OneSpan Authentication Server property.

Destination Property

This is the property name in OneSpan Authentication Server which corresponds to the LDAP server attribute specified in the previous field.

For all possible values for these properties, see USERS – User Account (tab).

The following OneSpan Authentication Server properties are available for attribute mapping:

  • User ID
  • User Name
  • Description
  • E-Mail
  • Mobile Phone Number
  • Phone Number
  • Password
  • Assigned DIGIPASS
  • Linked User ID, Linked User's Domain

    Users can be linked to other users by supplying the Linked User's Domain and the Linked User ID fields. Both fields must have values supplied, either by having an LDAP attribute mapped to them, or by supplying a fixed value.

  • Local Authentication (set to 'Default' if unspecified)
  • Back-End Authentication (set to 'Default' if unspecified)
  • Expiration time
  • Disabled
  • Lock Count
  • Locked (set to 'False' if unspecified)
  • Offline Authentication (set to 'Default' if unspecified)
  • Virtual Mobile Authenticator Delivery Method
  • Virtual Mobile Authenticator MDC Profile
  • Virtual Signature Delivery Method
  • Virtual Signature MDC Profile
Destination

This is the domain and (optionally) the organizational unit where user accounts will be copied to or updated. If the domain is changed after user accounts have already been copied, the user accounts are copied to the new domain but not deleted from the previous domain. If the organizational unit is changed to another one in the same domain, user accounts which have been created or updated by this synchronization profile are moved from the old to the new location.
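The attribute filter and attribute mapping tables above, together with the Update Users setting, define which directory entries a synchronization profile selects and what user account each one becomes. The following is an added example (not OneSpan's code or the LDAP Synchronization Tool's logic) that applies those rules to a few constructed directory entries: every filter attribute must match, an asterisk matches zero or more characters, a type ldap mapping copies an attribute while a type constant mapping sets a fixed value, the properties the page marks as defaulting to 'Default' or 'False' are pre-filled, and a Linked User mapping is rejected unless both fields are supplied. The sample entries, filters, mappings and function names are constructed for this example.

```python
# Added example (not OneSpan's code): applies LDAP synchronization filters,
# attribute mappings and the Update Users setting to constructed entries.
# Sample data, rule sets and function names are assumptions of this example.
import re
from typing import Dict, List, Tuple

# Constructed, simplified LDAP search result: DN -> attribute values.
SAMPLE_ENTRIES = {
    "uid=alice,ou=Sales,dc=example,dc=test": {
        "uid": "alice", "cn": "Alice Adams", "mail": "alice@example.test",
        "mobile": "+15550001", "employeeType": "staff-full"},
    "uid=bob,ou=Sales,dc=example,dc=test": {
        "uid": "bob", "cn": "Bob Brown", "mail": "bob@example.test",
        "employeeType": "contractor"},
    "uid=svc-backup,ou=Sales,dc=example,dc=test": {
        "uid": "svc-backup", "cn": "Backup Service", "employeeType": "staff-service"},
}

# Attribute filter rows: (Attribute, Match). All rows must match.
SAMPLE_FILTERS: List[Tuple[str, str]] = [
    ("employeeType", "staff-*"),
    ("mail", "*@example.test"),
]

# Attribute mapping rows: (Type, Source Attribute/Value, Destination Property).
SAMPLE_MAPPINGS: List[Tuple[str, str, str]] = [
    ("ldap", "uid", "User ID"),
    ("ldap", "cn", "User Name"),
    ("ldap", "mail", "E-Mail"),
    ("ldap", "mobile", "Mobile Phone Number"),
    ("constant", "False", "Disabled"),
]

# Properties the page says are set to a default when the mapping leaves them unspecified.
DEFAULTS = {"Local Authentication": "Default", "Back-End Authentication": "Default",
            "Offline Authentication": "Default", "Locked": "False"}

LINKED_FIELDS = ("Linked User ID", "Linked User's Domain")


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' stands for zero or more characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.S) is not None


def passes_filters(attrs: Dict[str, str], filters: List[Tuple[str, str]]) -> bool:
    """Every (Attribute, Match) row must match; an absent attribute never matches."""
    return all(a in attrs and wildcard_match(m, attrs[a]) for a, m in filters)


def apply_mapping(attrs: Dict[str, str], mappings: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Build the user account properties for one entry from the mapping rows."""
    account = dict(DEFAULTS)
    for mtype, source, dest in mappings:
        if mtype == "ldap":
            if source in attrs:          # attribute missing on this entry: leave property unset
                account[dest] = attrs[source]
        elif mtype == "constant":
            account[dest] = source
        else:
            raise ValueError(f"unknown mapping type {mtype!r}")
    # Both Linked User fields must have values; reject a half-specified link.
    present = [f for f in LINKED_FIELDS if f in account]
    if present and len(present) != len(LINKED_FIELDS):
        raise ValueError("Linked User ID and Linked User's Domain must both be supplied")
    return account


def should_update(mode: str, created_by_sync: bool) -> bool:
    """Apply the Update Users setting to one existing account."""
    return {"None": False,
            "All": True,
            "Created by LDAP Synchronization only": created_by_sync,
            "Not created by LDAP Synchronization": not created_by_sync}[mode]


def synchronize(entries, filters, mappings) -> Dict[str, Dict[str, str]]:
    """Return the accounts that would be created or updated: DN -> properties."""
    return {dn: apply_mapping(attrs, mappings)
            for dn, attrs in entries.items() if passes_filters(attrs, filters)}
```

With the constructed data only Alice is selected: Bob fails the employeeType filter and the service account has no mail attribute, which counts as a non-match rather than a wildcard hit. Keeping the filter conjunctive and treating absent attributes as non-matching is what stops a broad pattern from pulling service or contractor objects into the authentication server.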
