Cool Solutions

Make Filr super secure with Multi-Factor Authentication!



By:

May 10, 2018 8:56 am

Reads:741

Comments:0

Score:Unrated

Print/PDF

The days of passwords are over!

With Filr Advanced you can now move beyond passwords to secure access to your sensitive information. Filr (version 3.2 onwards) integrates with Micro Focus Advanced Authentication –which supports multiple factors of authentication. With the Centralized policy engine, Geo-Fencing, Web-based administration and configuration portal, Multi site support, and more – you get more fine-grained control of which, how, and when the multiple factors of authentication would be enforced when logging into Filr.

Authentication can be based out of the following three board types/factors:

  1. Something that you know such as password, PIN, and security questions.
  2. Something that you have such as smart-card, token, and mobile phone.
  3. Something that you are such as bio-metrics (fingerprint or iris).

You can achieve multi-factor by using more than one of the factors from the above list. For example, multi-factor authentication can include the combination of a password and an OTP or a smart-card and a fingerprint.

And the icing on cake is that its very easy to configure multi-factor authentication in Filr using Advanced Authentication.  I will take you through the steps to help you get started on this.

Note: You can find the steps to install and setup Advanced Authentication server here.

Step 1: Generate Client ID and Client Secret in Advanced Authentication Administrative Portal

You need to Configure OAuth2 Event in Advanced Authentication Server Appliance to generate Client ID and Client Secret.

  1. Log into the Advanced Authentication Administrative Portal as follows: https://advanced_authentication_dns_name_or_IP_Address/admin
  2. Add repositories: A repository is a database that stores user’s information. Add a LDAP repository where your Filr users are stored.

  3. Configure methods: A method or an authenticator helps to confirm the identification of a user that is trying to log on or access resources. You can configure the required settings for the appropriate methods depending on the requirement by each department. Configure an authentication method for Advanced Authentication.

The following methods have been tested and certified with Filr.

  • LDAP Password- an option which allows to save LDAP Password.
  • Password- security settings of local password.
  • SMS OTP- One-Time Password related settings for SMS method.
  • Email OTP- Email message and One-Time Password related settings.
  • Security Questions- security questions and its security settings.
  • Smartphone- Smartphone method settings.
  • TOTP- OATH TOTP related settings.

Advanced Authentication Administrative Portal contains the Help option that guides you on how to configure all settings for your authentication framework.

Other authentication methods that NetIQ Advanced Authentication with OAuth2 event supports would also work, but they have not been explicitly tested.

You can also configure the following methods:

  • Bluetooth – Enable reaction on device configuration.
  • Card – Tap & Go policy configuration.
  • Emergency Password – security settings of Emergency Password method.
  • Fingerprint – a quality of fingerprint recognition settings.
  • OATH OTP – OATH TOTP/HOTP related settings. Also CSV/PSKC bulk import and token assignment.
  • PKI – uploading trusted root certificates.
  • Radius Client – settings for to a third-party RADIUS server.
  • Swisscom Mobile ID – settings for the Swisscom mobile ID method.
  • FIDO U2F – an option which allows to enable check of attestation certificate.
  • Voice – security settings of Voice method.
  • Voice OTP – settings for the Voice OTP method.

An authentication method itself cannot be linked to an event. You must create an Authentication Chain in order to configure the authentication for the user. It is also possible to create an Authentication chain with only one method in it.

For example: If you want to create Password and OTP authentication then you would create a chain with the Password and OTP methods in it. However, if you use only OTP for a certain event, then you can make an Authentication Chain using only the OTP in it.

4. Create chains: A chain is a combination of methods. Users must authenticate with all the methods in a chain. Create an authentication chain that is a combination of all the authentication methods that users must pass for successful authentication.

5. Configure events: An event is triggered by an external device or application that needs to perform authentication such as a Windows machine, a Radius client, a third party client and so on. Below mentioned steps can aid to Configure OAuth2 type event.

  • Specify a name for the event.
  • Enable the event by changing Is enabled to ON.
  • Select the OAuth2 event type. The client ID and client secret are generated automatically.
  • Note down the client ID and client secret values. You must specify these values in the NetIQ Advanced Authentication page of the Filr Administration Console. You can copy the values and paste them in the Filr admin Console.

Path: https://filr_appliance_ip_or_dns:8443 > Username > Administration Console > NetIQ Advanced Authentication

  • Select the chains that you want to assign to the event.

  • In the Redirect URIs option, specify the following redirect URIs for redirection to Filr page after successful authentication:
    1. The URI of the Filr web page
    2. The URI of the Filr client applicationYou can copy the URIs from the Redirection URIs option on the NetIQ Advanced Authentication page of the Filr Administration Console (https://filr_appliance_ip_or_dns:8443 > Username > Administration Console > NetIQ Advanced Authentication) and paste them here.
  • Click Save.

Step 2: Filr Administrator Console

Path: https://filr_appliance_ip_or_dns:8443 > Username > Administration Console > NetIQ Advanced Authentication

Here are the tips that will help you configure the settings in the above page:

  1. Enable the checkbox named “Enable Multi-factor Authentication”.
  2. Type in the URL of Advanced Authentication Server in the “Server URL” field.
  3. Copy the Client ID and the Client Secret key that is automatically generated when you use the Advanced Authentication Administrative Portal to create an OAuth2 event and paste it in “Client ID” and “Client Secret” fields respectively.
  4. The default value is TOP for “Tenant Name” to support single tenancy.
  5. Click “Test connection” button to test the connection between Filr and the Advanced Authentication server.
  6. Copy the Filr “Redirect URIs” and when you create an OAuth2 event in the Advanced Authentication Administration Portal, you must paste the copied URIs in the Redirect URIs option.
  7. Click “OK” button to save your changes.

Step 3: Other important settings in Advanced Authentication Administrative Portal for Filr

  1. Configure policies: An administrator can manage policies that are specific to users to control a user’s authentication.
  2. Server Options:
    • Enable Web Application: Strong Web Authentication is used for OAuth 2.0 events. Enable WebAuth, since we use OAuth 2.0 for Multi-Factor Authentication.
    • Upload File Server SSL Certificate: Advanced Authentication server uses HTTPS protocol. You must create a certificate file that is in the .pem or .crt, or .pfx

Note: Self-signed certificate does not work.

Look and feel of Filr authentication page after enabling Multi-Factor Authentication [MFA]

  1. Multi-Factor Authentication in web client: Screenshot taken from Google Chrome Version 64.0.3282.167 (64-bit)

  2. Multi-Factor Authentication in desktop client: Screenshot taken from macOS High Sierra

  3. Multi-Factor Authentication in mobile client: Screenshot taken from iOS 11.X

Prerequisites

  • Available with Filr Advanced Edition.
  • NetIQ Advanced Authentication Framework 5.6 or later appliance installed and configured.
  • Filr appliance 3.2 with latest patch.
  • Ensure that all the Filr clients are updated with the latest patch before enabling multi-factor authentication.
  • When multi-factor authentication is enabled on a Filr server, users with older versions of the Filr client cannot log into the server and therefore will not receive any system alerts to update the client.
  • A valid SSL certificate that is signed by a certificate authority (CA). Self-signed certificates are not supported.
  • Configure an OAuth2 Event in the Advanced Authentication server using the Advanced Authentication Administrative Portal to automatically generate the client ID and the client secret. You must specify these client ID and client secret values in the NetIQ Advanced Authentication Configuration dialog.

You are now all set to make the access to your organizations data super secure – go ahead and configure multi-factor authentication on your Filr Advanced server today!!!

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading...

Tags: , , ,
Categories: Collaboration, Filr, Messaging & Team Collaboration, Mobility, Security, Technical

0

Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

Comment

RSS