A.0 Configuring Retain for NetIQ Advanced Authentication MFA Support

You are responsible to set up and configure Retain and NetIQ Advanced Authentication to provide MFA support in Retain.

For help with setting up MFA in NetIQ Advanced Authentication, refer to the NetIQ Advanced Authentication 6.3 Administration Guide (or to the guides for your version of the Advanced Authentication product).

To set up Multi-factor authentication support in Retain, do the following:

  1. Using your management browser, open the Retain Administrative Console and access the Accounts Tab > NetIQ Advanced Authentication Configuration Panel. See Figure 2-1, The NetIQ Advanced Authentication Configuration Panel.

  2. Select the option to enable Multi-factor Authentication.

  3. In the Server URL ... field, type the URL that you use to access the NetIQ Advanced Authentication server.

  4. In the configuration panel > Redirect URI field, modify the displayed URI as follows:

    1. Specify the protocol (HTTP or HTTPS) used for connections to this Retain server.

    2. Replace localhost with the DNS name or IP address of the Retain server.

    3. (Optional) If an alternate port is used for connections to the Retain server, modify the port number accordingly.

    4. Leave the rest of the URI intact.

      IMPORTANT:You copy this to the Advanced Authentication server while completing Step 9 below.

  5. Open a new tab in your management browser.

  6. Access the NetIQ Advanced Authentication administrative console as described in the Advanced Authentication Administration Guide.

  7. Create an "OAuth2 event" for the Retain server by following the steps in Creating an OAuth2.0/ OpenID Connect Event.

  8. Copy the generated OAuth2 Client ID and OAuth2 Client Secret from the AA admin console to their respective fields in the Retain console,

  9. While still in the Retain console, copy the modified URI (Step 4) in the Redirect URI field to the clipboard, then paste it in the Redirect URIs field in the OAuth2 event configuration dialog in the Advanced Authentication console.

    IMPORTANT:The URI on the Retain and AA servers must match exactly.

  10. Save the configurations in both consoles.

  11. Configure the NetIQ server with LDAP identity stores appropriate for the users you are enabling for MFA.

    Basically, there are two effective approaches, depending on the types of users you are supporting:

    • Only GroupWise and/or Exchange Users: Create identity store links in NetIQ AA for their respective LDAP identity stores as needed.

      IMPORTANT:Be aware that this should only be done when you want only GroupWise or Exchange users to use MFA. If you want administrative, offline, mobile, and other Retain users to use MFA, use Retain’s User Account LDAP service instead (next bullet point), which also provides MFA support for GroupWise and Exchange users.


    • A Combination of Retain Users Not Limited to GroupWise or Exchange: Create an identity store repository link to Retain’s LDAP directory service.

      IMPORTANT:The following points must be complied with for a successful deployment.

      • Do NOT configure other LDAP services in conjunction with Retain’s LDAP service. If you previously linked to the GroupWise and/or Exchange backend LDAP services, remove those repository links from NetIQ AA to prevent duplicate user IDs.

        See Duplicate LDAP User Entries Are Not Allowed in the Retain 4.10: How Retain Works gude.

      • Make sure there are no port conflicts on the server and that the firewall allows traffic through the port you specify (default is 8082).

      • When configuring the Retain LDAP repository in NetIQ Advanced Authentication be sure to specify the following. Otherwise, the connection with Retain’s User Account List LDAP service will not work.

        • Type: eDirectory

        • Base DN: OU=users, O=retain

        • User: cn=retainldap

        • Password: Copy the password to your clipboard by clicking the copy-password icon to the right of the password field. Paste the password from the clipboard when creating the repository in NetIQ AA.

  12. Enable Multi-factor authentication on an individual user basis, or by including users in a Configuration Group and enabling MFA for the group.

  13. Using the Test Login with Advanced Authentication button, sign in as one of the users you have enabled for MFA.