DIGIPASS Authentication for Office 365 using IDENTIKEY Federation Server

INTEGRATION GUIDE


Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages so the above limitation may not apply to you.

Copyright

Copyright © 2013 VASCO Data Security International, Inc., VASCO Data Security International GmbH. All rights reserved.

Trademarks

VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS®, CertiID™, and the Vasco 'V'® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Data Security Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Date: 2013-11-22

Table of Contents

1 Overview
1.1 Architecture
1.2 Two-Factor Authentication
2 Components
2.1 Microsoft
2.1.1 Office 365
2.2 VASCO
2.2.1 IDENTIKEY Federation Server
2.2.2 IDENTIKEY Authentication Server
3 Configuration details
3.1 Architecture
3.2 Pre-Requisites
3.3 IDENTIKEY Federation Server
3.4 Preparing Office 365 WS federation connection
4 Basic IDENTIKEY Federation Setup
4.1 Architecture
4.2 Setting up the Back-End Systems
4.2.1 LDAP
4.2.2 IDENTIKEY Authentication Server
4.2.2.1 IDENTIKEY Authentication Server Client
4.2.2.2 Creating a user
4.2.2.3 Assigning a DIGIPASS token to a user
4.3 Additional Authentication Methods
4.3.1 MYDIGIPASS.com
5 Testing the solution
5.1 IDENTIKEY Authentication Server
5.1.1 Log in – Response-Only Mode
5.1.2 Log in – Challenge/Response Mode and Backup Virtual DIGIPASS
5.1.2.1 Architecture
5.1.2.2 IDENTIKEY Authentication Server
5.1.2.3 Testing the solution

Illustration Index

Figure 1: Setup of DIGIPASS Authentication for Office 365 with IDENTIKEY Federation Server
Figure 2: Configuration architecture of Office 365 with IDENTIKEY Federation Server
Figure 3: Configuring Office 365 settings in IDENTIKEY Federation Server
Figure 4: Office 365 Federation settings in the example
Figure 5: Setup IDENTIKEY Federation Server with various back-end systems
Figure 6: Managing LDAP settings in IDENTIKEY Federation Server
Figure 7: Editing the DIGIPASS authentication settings in IDENTIKEY Federation Server
Figure 8: Registering a RADIUS client in IDENTIKEY Authentication Server
Figure 9: Creating a demo user in IDENTIKEY Authentication Server
Figure 10: Selecting users in IDENTIKEY Authentication Server
Figure 11: Assigning DIGIPASS to a user
Figure 12: Enter DIGIPASS data to assign the token
Figure 13: Determining the DIGIPASS options
Figure 14: Creating a test site in the MYDIGIPASS.com developer account
Figure 15: Managing OAuth providers in the IDENTIKEY Federation Server
Figure 16: Signing in to Office 365
Figure 17: DIGIPASS authentication with IDENTIKEY Federation Server
Figure 18: Accessing your Office 365 account
Figure 19: Verifying if Back-Up Virtual DIGIPASS is enabled
Figure 20: Architecture of Back-Up Virtual DIGIPASS
Figure 21: Setting the conditions to call a Back-Up Virtual DIGIPASS in the policy
Figure 22: Verifying the mobile phone number
Figure 23: Signing in to Office 365
Figure 24: DIGIPASS authentication with IDENTIKEY Federation Server
Figure 25: DIGIPASS authentication on IDENTIKEY Federation Server with challenge/response
Figure 26: Accessing your Office 365 account

1 Overview

This setup was created in our LABS environment and can be tested on http://labs.vasco.com.

1.1 Architecture

Figure 1: Setup of DIGIPASS Authentication for Office 365 with IDENTIKEY Federation Server (diagram: IFS ifs.labs.vasco.com, 10.4.0.198, connected to IDENTIKEY Server 10.4.0.13 over RADIUS, to Active Directory 10.4.0.10 over LDAP, to MyDIGIPASS.com over OAuth, and to Office 365 through the federated Active Directory trust)

1.2 Two-Factor Authentication

Many organizations still rely on a user name and password to protect their data or external access to their systems. However, passwords are often very simple and very easily guessed, cracked, or even stolen. Once a password is compromised it can take a long time before anyone even notices that it has been compromised. Recently, a lot of services are being moved to the cloud where anyone can access the services from anywhere. Users often access services from outside the safe network, which makes protecting passwords even more important, and harder.

Two-factor authentication by VASCO Data Security will add an additional factor, DIGIPASS, to your single-factor authentication with password. The DIGIPASS device will generate a one-time password, or OTP, which can be used in combination with a personal password. Users access your network with their specific device and password. Imagine if the device were to be stolen: the loss of the device would be noticed quickly, and because of this access to the network with the stolen device will be denied, thus stopping any attacker quickly.

With this in mind you can secure your Office 365 accounts, granting you the freedom of Office 365 with the hardened security of two-factor authentication.

2 Components

2.1 Microsoft

2.1.1 Office 365

Office 365 is a suite of Microsoft Office collaboration and productivity tools provided through the Internet. This enables your staff members to access and store documents, access e-mails and even participate in web conferences from nearly any device that is connected to the Internet.

2.2 VASCO

2.2.1 IDENTIKEY Federation Server

IDENTIKEY Federation Server is a virtual appliance providing you with the most powerful identity and access management platform. It is used to validate user credentials across multiple applications and disparate networks.

The solution validates users and creates an identity ticket, enabling online single sign-on for different applications across organizational boundaries. As validated credentials can be reused, once a user's identity is confirmed, access to authorized services and applications is granted. Users can securely switch between the different applications and collaborate with colleagues, business partners, suppliers, customers, and partners, using one single identity.

IDENTIKEY Federation Server functions as an identity provider within the local organization, but it can also delegate authentication requests (for unknown users) to other identity providers. In a federated model, IDENTIKEY Federation Server not only delegates authentication requests to other identity providers but also receives requests from them when local users want to access applications from other organizations within the same federated infrastructure.

2.2.2 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use, and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Authentication Server is supported on both 32-bit and 64-bit systems.

IDENTIKEY Appliance is a stand-alone authentication appliance that secures remote access to corporate networks and web-based applications.

The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar.

3 Configuration details

3.1 Architecture

Figure 2: Configuration architecture of Office 365 with IDENTIKEY Federation Server (diagram: IFS ifs.labs.vasco.com, 10.4.0.198, connected to Active Directory 10.4.0.10 over LDAP, with the federated Active Directory trust towards Office 365)

3.2 Pre-Requisites

You will need the following components:

Office 365 account with federated Domain

IDENTIKEY Federation Server with basic setup

3.3 IDENTIKEY Federation Server

1. Open a browser and navigate to the IDENTIKEY Federation Server Manager (IFSM).

2. In the IFSM select System > Office 365 configuration.


Figure 3: Configuring Office 365 settings in IDENTIKEY Federation Server

3. Enable Authentication for Office 365.

4. Select an authentication profile.

5. Sign-In request reply URI: https://login.microsoftonline.com/login.srf (default).

6. Check Reply to logout request.

7. Select an authentication profile for the Security Token Service (in our example: Digipass – IAS).

8. Click Save.

9. Download the Signing certificate and store it on the Active Directory server.

Authentication profiles are linked to authentication methods; refer to the IDENTIKEY Federation Server manuals for more information.

3.4 Preparing Office 365 WS federation connection

Log in to the Active Directory server and open a PowerShell window.

Enter the following commands (the Set-MsolDomainFederationSettings command is a single line; the placeholders in angle brackets are explained below):

Import-Module MSOnline

Connect-MsolService

Set-MsolDomainFederationSettings -DomainName <Domain> -ActiveLogOnUri <WS-Trust STS URL> -FederationBrandName <Brand> -IssuerUri <Issuer ID> -LogOffUri <WS-Federation endpoint URL> -MetadataExchangeUri <Metadata ExchangeURL> -PassiveLogOnUri <WS-Federation endpoint URL> -SigningCertificate <Certificate>

Get-MsolDomainFederationSettings -DomainName <Domain>

Where:

<Domain> is the federated domain name.
<Brand> is a friendly name for the connection.
<Issuer ID> can be found in System > Office 365 configuration.
<Metadata ExchangeURL> can be found in System > Office 365 configuration.
<WS-Trust STS URL> can be found in System > Office 365 configuration.
<WS-Federation endpoint URL> can be found in System > Office 365 configuration.
<Certificate> is the certificate text from the certificate that was downloaded in 3.3 IDENTIKEY Federation Server.

In our setup Get-MsolDomainFederationSettings returned the following:

Figure 4: Office 365 Federation settings in the example
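The procedure above as an added PowerShell example that is not part of the guide: it loads the signing certificate downloaded in 3.3 into the base64 form the -SigningCertificate parameter expects, applies the settings with Set-MsolDomainFederationSettings, and reads them back with Get-MsolDomainFederationSettings to confirm the tenant stored what was sent. The domain and IFS host are the guide's lab values; the endpoint URLs and the certificate path are placeholders to be replaced with the values shown under System > Office 365 configuration.

```powershell
# Added example, not from the VASCO guide: federate the domain with the values
# from IFSM > System > Office 365 configuration and verify the stored result.
Import-Module MSOnline
Connect-MsolService            # prompts for a Global Administrator of the tenant

$Domain = 'labs.vasco.com'     # federated domain (pre-requisite 3.2, lab value)
$Ifs    = 'https://ifs.labs.vasco.com'

# Set-MsolDomainFederationSettings only updates an already federated domain; it
# does not convert a managed one, so refuse to continue on a managed domain.
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Authentication -ne 'Federated') {
    throw "$Domain is '$($dom.Authentication)', not Federated: convert it first"
}

# <Certificate> is the DER certificate as one base64 string, i.e. a PEM file
# without its BEGIN/END lines. Loading the downloaded file as X509Certificate2
# accepts PEM or DER and lets us refuse a certificate that is not valid today.
$CertPath = 'C:\IFS\signing-certificate.cer'        # placeholder path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$now  = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "IFS signing certificate not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

$Settings = @{
    DomainName          = $Domain
    FederationBrandName = 'VASCO IDENTIKEY Federation Server'  # <Brand>, free text
    IssuerUri           = "$Ifs/ifs"          # <Issuer ID>, placeholder
    ActiveLogOnUri      = "$Ifs/ifs/sts"      # <WS-Trust STS URL>, placeholder
    PassiveLogOnUri     = "$Ifs/ifs/wsfed"    # <WS-Federation endpoint URL>, placeholder
    LogOffUri           = "$Ifs/ifs/wsfed"    # same endpoint; "Reply to logout request" is on
    MetadataExchangeUri = "$Ifs/ifs/mex"      # <Metadata ExchangeURL>, placeholder
    SigningCertificate  = [Convert]::ToBase64String($cert.GetRawCertData())
}
Set-MsolDomainFederationSettings @Settings

# Read back what the tenant stored and compare field by field. The certificate
# is compared by thumbprint, so a stray header line or whitespace is detected.
$live     = Get-MsolDomainFederationSettings -DomainName $Domain
$liveCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [byte[]][Convert]::FromBase64String($live.SigningCertificate))
$mismatch = 0
foreach ($name in 'FederationBrandName', 'IssuerUri', 'ActiveLogOnUri',
                  'PassiveLogOnUri', 'LogOffUri', 'MetadataExchangeUri') {
    if ($live.$name -ne $Settings[$name]) {
        Write-Warning "$name differs: tenant has '$($live.$name)', expected '$($Settings[$name])'"
        $mismatch++
    }
}
if ($liveCert.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "SigningCertificate differs: tenant has thumbprint $($liveCert.Thumbprint)"
    $mismatch++
}
if ($mismatch -eq 0) { "Federation settings for $Domain match the IFS configuration" }
```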

4 Basic IDENTIKEY Federation Setup

4.1 Architecture

Figure 5: Setup IDENTIKEY Federation Server with various back-end systems (diagram: IFS ifs.labs.vasco.com, 10.4.0.198, connected to IDENTIKEY Server 10.4.0.13 over RADIUS, to Active Directory 10.4.0.10 over LDAP, to MyDIGIPASS.com over OAuth, and to Office 365 through the federated Active Directory trust)

4.2 Setting up the Back-End Systems

4.2.1 LDAP

To set up an LDAP back-end, log in to IDENTIKEY Federation Server.

1. In the IDENTIKEY Federation Server Manager (IFSM) select Authentication > LDAP settings.

2. Set the LDAP settings:

LDAP URL: ldap://10.4.0.10:389
DN base: DC=labs,DC=vasco,DC=com
DN user field: CN
Security principal DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com
Security principal password: <administrator password>
Check Allow user attribute gathering


Figure 6: Managing LDAP settings in IDENTIKEY Federation Server

3. Click Save.

The DN user field is the LDAP attribute in which the IFS looks up the user name to authenticate the user.

By clicking on Test Connection you can verify the data you set.

4.2.2 IDENTIKEY Authentication Server

To set the authentication method settings, log in to the IFSM and select Authentication > Manage methods.

1. Click Edit for the DIGIPASS authentication method.

Friendly name: DIGIPASS authentication

Maximum retries: 3

Method: PAP

Server address: 10.4.0.13

Server port: 1812

NAS-IP-Address: 10.4.0.198

Shared secret: <RADIUS secret> (can be chosen)

Figure 7: Editing the DIGIPASS authentication settings in IDENTIKEY Federation Server

2. Click Save.

4.2.2.1 IDENTIKEY Authentication Server Client

To register a client log in to IDENTIKEY Authentication Server.

1. Select Clients > Register.

Client Type: select RADIUS Client from “select from list”

Location: 10.4.0.198

Policy ID: Select a policy

Protocol ID: RADIUS

Shared Secret: <RADIUS secret>

Confirm Shared Secret: reenter the <RADIUS secret>

Figure 8: Registering a RADIUS client in IDENTIKEY Authentication Server

2. Click Create.

Make sure the <RADIUS secret> is the same on both IDENTIKEY Federation Server and IDENTIKEY Authentication Server.
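Sections 4.2.2 and 4.2.2.1 configure the two ends of the RADIUS link, and the shared secret is the only thing tying them together. The PowerShell below is an added example, not part of the guide: it implements the RFC 2865 PAP User-Password hiding that the IFS applies with its copy of the secret and the checks IAS performs with its own copy, so the effect of a mismatched secret is visible without a live server. The secrets, the OTP and the reply packet are constructed sample values, and the function names are this example's own.

```powershell
# Added example, not from the VASCO guide: RFC 2865 PAP password hiding and
# Response Authenticator verification with constructed secrets and packets.
# IFS (RADIUS client, NAS-IP-Address 10.4.0.198) hides the password with the
# secret from Manage methods; IAS (server, 10.4.0.13:1812) reveals it with the
# secret from Clients > Register.

function Get-Md5Bytes {
    param([Parameter(Mandatory)][byte[]]$Data)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { $hash = $md5.ComputeHash($Data) } finally { $md5.Dispose() }
    return ,$hash
}

# Each 16-octet block is XORed with MD5(secret + previous block); the previous
# block is the Request Authenticator for block 1 and the previous hidden block
# afterwards (RFC 2865 section 5.2).
function Protect-RadiusPapPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SharedSecret,
        [Parameter(Mandatory)][byte[]]$RequestAuthenticator   # 16 random octets per request
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Password)
    if ($plain.Length -gt 128) { throw 'RADIUS User-Password is limited to 128 octets' }
    $blocks = [int][Math]::Max(1, [Math]::Ceiling($plain.Length / 16))
    $padded = New-Object byte[] ($blocks * 16)             # NUL-padded to 16n octets
    [Array]::Copy($plain, $padded, $plain.Length)
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $hidden = New-Object byte[] $padded.Length
    $prev   = $RequestAuthenticator
    for ($b = 0; $b -lt $blocks; $b++) {
        $pad = Get-Md5Bytes ([byte[]]($secret + $prev))
        for ($i = 0; $i -lt 16; $i++) {
            $hidden[$b * 16 + $i] = $padded[$b * 16 + $i] -bxor $pad[$i]
        }
        $prev = [byte[]]($hidden[($b * 16)..($b * 16 + 15)])
    }
    return ,$hidden
}

# Server side: same keystream, keyed on the received (hidden) blocks.
function Unprotect-RadiusPapPassword {
    param(
        [Parameter(Mandatory)][byte[]]$Hidden,
        [Parameter(Mandatory)][string]$SharedSecret,
        [Parameter(Mandatory)][byte[]]$RequestAuthenticator
    )
    if ($Hidden.Length -eq 0 -or $Hidden.Length % 16 -ne 0) { throw 'User-Password must be 16n octets' }
    $secret = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $plain  = New-Object byte[] $Hidden.Length
    $prev   = $RequestAuthenticator
    for ($b = 0; $b -lt [int]($Hidden.Length / 16); $b++) {
        $pad = Get-Md5Bytes ([byte[]]($secret + $prev))
        for ($i = 0; $i -lt 16; $i++) {
            $plain[$b * 16 + $i] = $Hidden[$b * 16 + $i] -bxor $pad[$i]
        }
        $prev = [byte[]]($Hidden[($b * 16)..($b * 16 + 15)])
    }
    # With matching secrets this is the typed password plus NUL padding; with
    # differing secrets it is unreadable bytes, and IAS answers Access-Reject.
    return [System.Text.Encoding]::UTF8.GetString($plain).TrimEnd([char]0)
}

# Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes +
# Secret) (RFC 2865 section 3). A reply that fails this check was not built
# with the same secret and must be discarded by the client.
function Test-RadiusResponse {
    param(
        [Parameter(Mandatory)][byte[]]$Response,
        [Parameter(Mandatory)][byte[]]$RequestAuthenticator,
        [Parameter(Mandatory)][string]$SharedSecret
    )
    if ($Response.Length -lt 20) { return $false }
    $attrs    = if ($Response.Length -gt 20) { $Response[20..($Response.Length - 1)] } else { @() }
    $secret   = [System.Text.Encoding]::UTF8.GetBytes($SharedSecret)
    $expected = Get-Md5Bytes ([byte[]]($Response[0..3] + $RequestAuthenticator + $attrs + $secret))
    return ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($Response[4..19])))
}

# --- Demonstration with constructed values ---------------------------------
$ifsSecret = 'Lab-RADIUS-Secret-2013'   # typed in IFSM, Authentication > Manage methods
$iasSecret = 'Lab-RADIUS-Secret-2013'   # typed in IAS, Clients > Register (must match)
$reqAuth   = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)

# IFS hides the OTP the user typed (constructed value); IAS reveals it with its
# own copy of the secret, then once more with a copy that is one character off.
$hidden = Protect-RadiusPapPassword -Password '384911' -SharedSecret $ifsSecret -RequestAuthenticator $reqAuth
Unprotect-RadiusPapPassword -Hidden $hidden -SharedSecret $iasSecret -RequestAuthenticator $reqAuth
Unprotect-RadiusPapPassword -Hidden $hidden -SharedSecret 'Lab-RADIUS-Secret-2O13' -RequestAuthenticator $reqAuth

# IAS answers Access-Accept (code 2, ID 1, length 20, no attributes) signed with
# its secret; IFS accepts the reply only if the authenticator verifies with its own.
$header = [byte[]](2, 1, 0, 20)
$accept = [byte[]]($header + (Get-Md5Bytes ([byte[]]($header + $reqAuth + [System.Text.Encoding]::UTF8.GetBytes($iasSecret)))))
Test-RadiusResponse -Response $accept -RequestAuthenticator $reqAuth -SharedSecret $ifsSecret
Test-RadiusResponse -Response $accept -RequestAuthenticator $reqAuth -SharedSecret 'Lab-RADIUS-Secret-2O13'
```

Note that PAP hiding is MD5-keyed XOR, not encryption in the modern sense: the secret is what protects the OTP on the wire between IFS and IAS, so choose a long random value and keep the two hosts on a trusted network segment.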

4.2.2.2 Creating a user

The user created in the IDENTIKEY Authentication Server must also exist in the Active Directory.

1. To create a user log in to IDENTIKEY Authentication Server and select Users > Create.

User ID: <your-user> (in our setup: Demo)

Domain: <your-domain> (in our setup: labs.vasco.com)

Organizational unit: <your-OU> (OPTIONAL, in our setup: WEB Users)

Enter static password: <your-password>

Confirm static password: <your-password>

Local Authentication: Default

Back-end Authentication: Default


Figure 9: Creating a demo user in IDENTIKEY Authentication Server

2. Click Create.

You have now added a user in your IDENTIKEY Authentication Server.

4.2.2.3 Assigning a DIGIPASS token to a user

1. Log in to IDENTIKEY Authentication Server.

2. Type the name of a user in the FIND field and click SEARCH.

Figure 10: Selecting users in IDENTIKEY Authentication Server

3. Click User ID.

4. Select Assigned DIGIPASS.

Figure 11: Assigning DIGIPASS to a user

5. In the Assigned Digipass Tab click ASSIGN.

6. Enter the data of the DIGIPASS device you want to assign to the user.


Figure 12: Enter DIGIPASS data to assign the token

7. Click NEXT.

Figure 13: Determining the DIGIPASS options

8. Click ASSIGN > FINISH.

With the DIGIPASS assigned, the user can now be tested.

4.3 Additional Authentication Methods

4.3.1 MYDIGIPASS.com

To illustrate how to add an OAuth provider to the IDENTIKEY Federation Server setup, the

MYDIGIPASS.com Sandbox environment will be used here as an example.

1. Log in to your MYDIGIPASS.com developer account and select Sandbox. If you do not have a MYDIGIPASS developer account, you can create one for free on https://developer.mydigipass.com/.

2. Click Connect your test site.

Identifier: IFS_vasco (this must be a unique identifier)

Name: Vasco Federated Login

Redirect uri: https://ifs-example.com/ifs/sso/oauth (in our example: https://ifs.labs.vasco.com/ifs/sso/oauth)

Figure 14: Creating a test site in the MYDIGIPASS.com developer account

3. Click Create application

4. Select Sandbox and click on your newly generated test site.

5. Take note of the client_id and the client_secret.

6. Log in to IDENTIKEY Federation Server Manager (IFSM).

7. Select Federated authentication > Manage OAuth providers.

Figure 15: Managing OAuth providers in the IDENTIKEY Federation Server

8. Check Enabled for MYDIGIPASS.COM (Sandbox)

9. Fill in the API key (client_id) and API secret (client_secret) of your OAuth provider

10. Click Save.

5 Testing the solution

5.1 IDENTIKEY Authentication Server

5.1.1 Log in – Response-Only Mode

Open a browser and navigate to https://portal.microsoftonline.com. Enter your domain user name (user@yourdomain) and press Tab. The password field will grey out and you will be asked to log in using your domain.

Figure 16: Signing in to Office 365

After clicking on the link Sign in at <your-domain>, you will be redirected to the login page of IDENTIKEY Federation Server. For the authentication, the method selected in the application will be used.

Figure 17: DIGIPASS authentication with IDENTIKEY Federation Server

Username: Demo (this is the user added as described in 4.2.2.2 Creating a user).
Password: One-Time Password (this is an OTP received from the device assigned to the user as described in 4.2.2.3 Assigning a DIGIPASS token to a user).

Once you have logged in you will be redirected to your Office 365 account.


Figure 18: Accessing your Office 365 account

5.1.2 Log in – Challenge/Response Mode and Backup Virtual DIGIPASS

The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual DIGIPASS is a solution where an OTP is sent to your e-mail account or mobile phone after it was triggered in a user authentication. The trigger mechanism is configured in the policy (see later).

Virtual DIGIPASS is a DIGIPASS that needs to be ordered like a hardware DIGIPASS.
Back-Up Virtual DIGIPASS is a feature that must be enabled while ordering other DIGIPASS (Hardware, DIGIPASS for Mobile, DIGIPASS for Web or DIGIPASS for Windows).

Availability of Back-Up Virtual DIGIPASS can be checked in the IDENTIKEY web administration: select a DIGIPASS, click on the first application and scroll down.

Figure 19: Verifying if Back-Up Virtual DIGIPASS is enabled

For test purposes a demo DPX file (named Demo_VDP.DPX) with Virtual DIGIPASS is delivered with every IDENTIKEY Authentication Server.

5.1.2.1 Architecture

Figure 20: Architecture of Back-Up Virtual DIGIPASS (diagram: 1: user ID and trigger; 2: challenge; 3: SMS with OTP sent through the MDC; 4: OTP received by SMS)

This solution makes use of an SMS gateway (for SMS or text messages) or an SMTP server (for mail). The first step is to configure one of these. This is done in the Message Delivery Component (MDC) configuration. For more information see the IDENTIKEY Authentication Server manuals.

Popular SMS gateways:

http://www.clickatell.com
http://www.cm.nl
http://www.callfactory.com

5.1.2.2 IDENTIKEY Authentication Server

5.1.2.2.1 Policy

Whether Virtual DIGIPASS may be used, and how it is triggered, is configured in the policy.

Select the policy created in Policies. This should be Test.

Select Test
Go to Virtual Digipass
Click Edit


Figure 21: Setting the conditions to call a Back-Up Virtual DIGIPASS in the policy

Delivery Method: SMS

BVDP Mode: Yes – Permitted

Request Method: KeywordOnly

Request Keyword: IwantOTP

Click Save

The request method is the trigger to send the message. The trigger can be:

Static password: as stored inside IDENTIKEY Authentication Server (different for each individual user)
Keyword: a text string (the same for all users)

5.1.2.2.2 User

IDENTIKEY Authentication Server needs to know where to send the mail or SMS. Therefore the contact details of the user must be added.

Select a user: Demo

Click User Info

Click Edit

Figure 22: Verifying the mobile phone number

Mobile: +32… (for SMS)
Email Address: [email protected] (for mail)
Click Save

5.1.2.3 Testing the solution

Open a browser and navigate to https://portal.microsoftonline.com. Enter your domain user name (user@yourdomain) and press Tab. The password field will grey out and you will be asked to log in using your domain.

Figure 23: Signing in to Office 365

After clicking on the link Sign in at <your-domain>, you will be redirected to the login page of IDENTIKEY Federation Server. For the authentication, the method selected in the application will be used.

Figure 24: DIGIPASS authentication with IDENTIKEY Federation Server

Username: Demo (this is the user added as described in 4.2.2.2 Creating a user).

Password: IwantOTP (as set up in 5.1.2.2.1 Policy)

You will view the following message from the IFS:

Figure 25: DIGIPASS authentication on IDENTIKEY Federation Server with challenge/response

Username: Demo
Password: Password + One-Time Password (the OTP is received in the form of an SMS).

Once you have logged in you will be redirected to your Office 365 account.

Figure 26: Accessing your Office 365 account