mPass administration Portal

Introduction

The mPass authentication server is an OATH-compliant, comprehensive solution for enabling multi-factor authentication for enterprise applications such as VPN systems, Outlook Web Access, Active Directory Federation Services, Windows/Linux systems and any in-house developed application. The mPass authentication server enables strong authentication via OATH-based One Time Passwords (OTPs) delivered via SMS, mobile authenticator apps, email and push authentication.

Application Overview

The mPass authentication server (AS) is an enterprise system which can be integrated with multiple systems to enable two-factor authentication via OTPs.

Application Components




Administration Portal

The administration portal is a web-based application bundled with the mPass server which is used to administer the whole mPass system. It covers administrative functions such as defining policies and channels, user management, token management, notification gateway configuration and system parameter management.

User Portal

The User Portal is another web application bundled (optionally) with the mPass server, used by corporate directory users who wish to activate the mPass Mobile Tokens/Apps (from the Apple iOS and Google Play stores). Users can also test the OTPs generated on their mobile phones using the portal.

Mobile Applications

mPass provides mobile applications for users to generate OTPs. Users can activate the mobile app from the mPass user portal or using QR Codes received via email. mPass supports mobile apps from Apple iOS and Google Play stores.

Web-based APIs

mPass provides RESTful HTTP web services for custom in-house enterprise applications to enable two-factor authentication. Applications can leverage the mPass web services and integrate them into their existing authentication workflow.

LDAP Authentication Service

This service is used to integrate mPass with enterprise directory services via the Lightweight Directory Access Protocol (LDAP) to verify users' authentication credentials and to read user information such as the mobile number and IP address of users.

Notification Service

The mPass Notification Service integrates primarily with the LinQ2 SMS Gateway to send OTPs via SMS; it can also be integrated with any other enterprise SMS gateway over HTTP.

Channels

Channels are used to control access to the Two Factor authentication services provided by mPass. The administrator needs to define a channel for every enterprise system (VPN, OWA, ADFS and Webservices) willing to integrate with mPass.

Policies

Policies are sets of rules that control the authentication workflow from the various channels. Parameters like OTP validity and automatic user registration are controlled by means of policies.

Tokens

Tokens are the key components of the mPass system, used to generate OTPs for users. The Tokens Management section is used to import and maintain tokens.

Users

The mPass system maintains the list of all users who are subject to two-factor authentication. The user management module is used to import users in bulk and maintain users.


Integration Architecture

Following are the various systems which can be integrated with mPass, listed by application category with popular vendors:

VPN
  1. Pulse Secure
  2. Fortigate
  3. Cisco AnyConnect
  4. F5
  5. Citrix
  6. PaloAlto
VDI
  1. VMware Horizon
Email
  1. Exchange (OWA)
Windows
  1. Windows Servers (2008, 2012, 2019)
  2. Windows Desktop (7, 8.1, 10)
Linux
  1. Redhat
  2. Ubuntu
  3. CentOS
SSO
  1. Microsoft ADFS
Custom Applications
  1. Any in-house developed application





Portal Access

After successful installation of mPass, the administration portal can be accessed from the following URL: https://<host_name or IP Address>/mpass-web
Users belonging to the following roles can access the administration portal.
  1. Super administrators
  2. Administrators and authenticators
  3. Support
  4. Operations


Below is the login page for the mPass administration portal.


Channels Management

Overview

Channels are used to control access from the MFA-enabled applications such as VPNs, Outlook Web Access, Active Directory Federation Services etc. to the Authentication & Validation Services of mPass.
The channels work in coordination with policies; hence the administrator should define the policies before defining the channels. Channels can be defined for the following systems:
  1. RADIUS (for RADIUS clients, VPNs etc.)
  2. OWA/ADFS (For Outlook Web Access and Active Directory Federation Services)
  3. WebService (For Custom developed applications)
  4. MNV Webservice (For Mobile Number verification applications)
  5. PKC Webservice (For mPass SSO, Windows and Linux)

List Channels

To view the defined channels list, the privileged user should navigate to the following path in the administration portal.

Home -> Channels -> List Channels


Define Channel

To define a new channel, privileged users can click the ‘Define New Channel’ button in the List Channels page or navigate to the following path:
Home -> Channels -> Define Channel
The following form will be displayed on the screen:
For RADIUS Channel Type:


For OWA/ADFS:


For Webservice:


For MNV WebService:


For PKC WebService


For the PKC WebService, after creating the channel, to generate the Public Key Cryptography (PKC) key pair, the administrator has to open the channel details from the list page and click the Add New Key Pair button as shown below.



Following is the description of all the fields in the above form:

Channel Name: Any name to identify the channel.
Channel Type: RADIUS / OWA/ADFS / WebService / MNV WebService / PKC WebService.
Sender Address: IP address of the host requesting authentication (RADIUS server, Exchange server, application server etc.).
NAS IP (applicable only for the RADIUS channel type): RADIUS Network Access Server IP. If the sender's packets contain the NAS IP, the appropriate IP should be set here.
Relay Framed IP (applicable only for the RADIUS channel type): Used to set the RADIUS attribute “Framed-IP-Address” in the response.
Enable Compound Password (applicable only for the RADIUS channel type): When enabled, the user's password is expected to contain the OTP appended to the end of the normal password.
Compound Pwd OTP Length (applicable only for the RADIUS channel type): The length of the OTP in the compound password.
Shared Secret/API Key: Key for authentication between the sender and mPass. A random key is generated for every new channel configuration definition.
Related Domain: During the authentication process, the user credentials are verified in the domain specified here. If not specified, credentials are validated across all the defined domains.
Restrict Authentication to Domain groups (DNs): Administrators can specify the Distinguished Names (DNs) of directory groups to restrict access. Multiple groups can be specified, separated by ";". If not specified, no restrictions are applied.
Channel Policy: Policy (refer to Policies Management) to apply to the channel's requests.
SMS Sender Address: Sets the SMS sender for SMS-based OTPs. If left empty, the value from the system configuration is used.
RADIUS Response UI Options (applicable only for the RADIUS channel type): Controls the response messages sent to RADIUS clients.
RADIUS Response Language (applicable only for the RADIUS channel type): Language of the messages displayed to users during RADIUS-based authentication.
Hide RADIUS Auth Options (applicable only for the RADIUS channel type): Hides or displays the various authentication options (Enter 1 to send SMS, Enter 2 to enter the OTP from mobile, ...).

RADIUS Vendor Specific Attributes: This section applies to RADIUS channels only. mPass can return vendor-specific attributes in the ACCESS_ACCEPT RADIUS packet. Currently, the supported vendors are Citrix and Fortinet.

RADIUS Client Vendor: Citrix / Fortinet.
Vendor Attributes type: Static sets the vendor attribute value as given in the Vendor Specific attributes field. Dynamic sets the vendor attribute based on the user group found in the directory server that matches the first value of the Restrict Authentication to Domain groups field.
Vendor Specific attributes: Specify 1 when Vendor Attributes type is Dynamic. Specify 1=<attribute_value1>;2=<attribute_value2> when Vendor Attributes type is Static.
Channel Status: Opened applies 2FA to the users. Closed does not enable 2FA for the channel; requests are rejected. Disable MFA does not apply 2FA to the users.

Modify Channel

Click on the appropriate channel in the List Channels page to edit it. The following screen will be displayed.

For RADIUS Channel Type:




After updating the required parameters, please click the Update button. The same procedure can be followed for other channel types.

Policies Management

Overview

Policies are used to control authentication and validation requests by means of various parameters. A policy defined can be used by any number of channels (See more details in Channels Management).

List Policies

To view the defined policies, the privileged user needs to navigate to the following path in the administration portal.

Home -> Policies -> List Policies


Define Policy

To define a new policy, privileged users can click the ‘Define New Policy’ button in the List Policies page or navigate to the following path:
Home -> Policies -> Define Policy
The following form is displayed on the screen:









Following is the description of all the fields in the above form.

Policy Details
Policy Name: Any name to identify the policy.
Max Invalid authentication attempts (applicable only for the RADIUS channel type): Maximum allowed invalid domain passwords for a defined user. If exceeded, the user is marked as Locked and cannot authenticate further.
Max Invalid OTPs: Maximum allowed invalid OTPs during OTP validation requests. If exceeded, the user is marked as Locked and cannot authenticate further.
User Inactive Days: Maximum number of days a user is allowed to remain inactive without authenticating.
Identification Time Window: Maximum allowed difference (in 30-second time steps) between the user's mobile token time and the mPass server time. Example: if this value is set to 3 and the server time (HH:MM:SS) is 11:30:00 AM, the allowed mobile app time (HH:MM:SS) is between 11:28:30 AM and 11:31:30 AM. This is required to correctly validate the OTP generated on the mobile phone.
SMS OTP Validity (Mins): Maximum time allowed between generation and validation of an SMS-based OTP.

MFA Control
Allowed Authentication Types: The authentication types allowed for this policy. Unchecked types are not shown to users. If all are unchecked, the user bypasses 2FA.
Brute force Control: If enabled, multiple requests for SMS/Email OTPs (within the allowed limits) are silently ignored, to save costs and for performance reasons. Multiple requests are sometimes generated by the user clicking the send SMS/Email button repeatedly.
SMS/Email Bruteforce Control Window (Secs): Interval during which a new OTP via SMS/Email is not sent to the user.
Auto Authentication: When enabled, users are not asked for 2FA if they request authentication again within the Auto Auth Threshold period.
Auto Auth Threshold: Time range in minutes during which Auto Authentication applies.
Enable SMS Saver: Saves SMS costs for sending OTPs. When enabled, no SMS is sent during authentication and the user has to use the last sent OTP, which remains valid for the duration given in SMS Saver OTP validity.
SMS Saver OTP validity: The maximum validity period of the last OTP sent via SMS/Email.
Enable SMS/Email Bruteforce Control: When enabled, the number of times a user can request an OTP via SMS/Email is limited. This controls simulated HTTP requests made with tools and saves SMS costs.

User Auto Definition
Auto Create User: Whether to auto-register the user during the first authentication request.
Auto defined user Authentication Options: The default authentication options set for users created under the ‘Auto Create User’ configuration: 1. SMS 2. Mobile 3. Email 4. Shard OTP (the OTP is split and sent via SMS and Email) 5. Push Authentication.
Ignore Undefined user requests (applies when Auto Create User is set to 'No'): When enabled, users who are not defined in mPass bypass 2FA; when unchecked, their requests are rejected.

Fraud Prevention
Note:
  1. This feature requires a license for the GeoIP database from MaxMind. Currently mPass uses the offline GeoIP database. The database file should be copied into the configuration directory of the WildFly server.
  2. This feature also requires a Google Maps API key to select the precise geo location.
  3. This feature applies only to OWA and RESTful webservice channels/integrations.
Enforce Geo Blocking: Selecting the checkbox enables the feature.
Centroid Latitude: Latitude of the centroid (typically the mPass deployment location).
Centroid Longitude: Longitude of the centroid (typically the mPass deployment location).
Allowed Geo Range (kms): Allowed distance range in km (circular) from the centroid.


Modify Policy

Privileged users can modify a defined policy by clicking on the Policy Name field in the List Policies page.
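
The Fraud Prevention parameters of the policy form above (Enforce Geo Blocking, Centroid Latitude, Centroid Longitude, Allowed Geo Range) describe a check of whether the sender's geolocation lies within a circular range of the centroid. The following Python example is added here and is not mPass code: it computes the great-circle distance with the haversine formula and compares it with the allowed range. That mPass uses this exact distance formula and a mean Earth radius of 6371 km is an assumption, as is the fail-closed handling of an IP whose location the GeoIP database cannot resolve; the policy dictionary keys, function names and the sample policy are the example's own.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius for the great-circle distance (assumption)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees (haversine)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_allowed(policy: dict, sender_location) -> bool:
    """Apply the policy's Fraud Prevention settings to one request.
    policy carries the four form fields; sender_location is the (latitude, longitude)
    resolved for the sender IP from the GeoIP database, or None when it could not be resolved."""
    if not policy.get("enforce_geo_blocking", False):
        return True
    if sender_location is None:
        # Assumption: an unresolved location fails closed, since the request cannot be shown
        # to originate inside the allowed circle.
        return False
    distance = haversine_km(policy["centroid_latitude"], policy["centroid_longitude"],
                            sender_location[0], sender_location[1])
    return distance <= policy["allowed_geo_range_kms"]


# Constructed sample policy: centroid at 0 N / 0 E with a 150 km allowed radius.
EXAMPLE_POLICY = {
    "enforce_geo_blocking": True,
    "centroid_latitude": 0.0,
    "centroid_longitude": 0.0,
    "allowed_geo_range_kms": 150.0,
}

if __name__ == "__main__":
    # One degree of longitude on the equator is about 111 km, so (0, 1) is inside
    # the 150 km circle and (0, 2) is outside it.
    print(round(haversine_km(0.0, 0.0, 0.0, 1.0), 1))
    print(geo_allowed(EXAMPLE_POLICY, (0.0, 1.0)), geo_allowed(EXAMPLE_POLICY, (0.0, 2.0)))
```

Because the page notes that the GeoIP database is an offline copy, its accuracy depends on how recently it was refreshed; an allowed range that is only slightly larger than the deployment's real footprint will produce false rejections for users whose IP ranges were re-assigned after the copy was made.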



Tokens Management

Overview

Tokens are virtual authenticators (like hardware OTP generators). mPass supports industry-leading OATH (https://openauthentication.org/) compliant tokens to generate OTPs.
  1. Tokens are the core of the mPass system used to generate OTPs.
  2. Administrators can only import tokens provided by Cerebra, by means of XML files delivered as part of the Purchase Order (PO). Tokens can be imported by clicking the ‘Import Tokens’ link of the Tokens Management section.
  3. Mobile tokens and hardware tokens are assigned via the User Registration Portal.
  4. Unassigned tokens can also be recycled by assigning them to another user.

List of Tokens

Privileged users can view the available tokens using the administration portal from the following path: Home -> Manage Tokens -> List Tokens

Privileged users can search for a token based on the serial number and know whether it is assigned to any user or not. The privileged user can also view a particular token detail by clicking on the Serial No of the token.

Following are the details of a token:


Test Token

To troubleshoot any issues with OTP validation, administrators can test the token using the ‘Test Token’ feature provided in Token Details page. The administrator needs to input the latest OTP generated from the Token.


Import tokens

Tokens can only be imported into the mPass system. Typically, token files are PSKC-based XML files provided by Cerebra as part of the Purchase Order delivery. To import tokens into the mPass system, privileged users need to access the following path: Home -> Manage Tokens -> Import Tokens


Un-Assign Token

Any token which is assigned to a user can be unassigned from the user and reassigned to another user. To unassign a particular token, administrators need to navigate to the details page of the required token and click the Un-Assign button as shown below.


User Management

Overview

Users are the core entities of the mPass system. There are 6 types of roles a user can belong to:

Super Administrator: Master user role of the system. Users who belong to this role can exercise all privileges of the system.
Authenticator: Users who belong to this role cannot log in to the administration or user portal. These users can only be authenticated by the mPass system.
VPN Local: Users local to the VPN system who are not present in Active Directory / do not belong to a domain.
Support: Users with the Support role can only view the Request Logs and the Dashboard of the mPass system.
Authenticator and Administrator: User with both the Authenticator and Super Administrator roles.
Operations: User with privileges for the following: 1. Dashboard (without interaction) 2. List Users (read-only) 3. Request Logs.
mPass Local: User like the Authenticator role, but the credentials are stored in the mPass database rather than in the directory server.



Authenticator users can be defined in the mPass system by 5 methods:
  1. Automatic registration by services like RADIUS, OWA, etc. (allocated the ‘Authenticator’ role)
  2. Bulk import of users from a .csv file in a specific format via the ‘Import Users’ feature of the administration portal (allocated the ‘Authenticator’ role)
  3. From the ‘Create User’ function of the administration portal
  4. Import from the directory server
  5. Created when the user logs in to the user portal via self-registration.


Automatic Registration

The automatic registration of users can be performed by the following mPass Services provided the corresponding channel policy is configured for Automatic User Registration.

Bulk Import

Using this feature of the administration portal, system administrators can import users in bulk who should be assigned the ‘Authenticator’ role, from a .csv file in the specific format described below. This feature can be accessed from the following path of the administration portal: Home -> Users -> Import Users




All the users imported will be assigned the role of ‘Authenticator’.
The .csv file should meet the following specifications for the user names to be imported successfully.
  1. Each line in the file should have the following structure: <user id>,<first name>,<last name>,<mobile number>,<email>. The first field, <user id>, is mandatory and the others are optional.
  2. The file name should be a valid operating system file name.
  3. The extension should be .csv and the file should not exceed 500 records.
  4. The user ids in the file should not already exist in the mPass system; if any does, the import of the other valid user ids will not succeed either.
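
The import file rules above can be checked before the file is uploaded. The following Python example is added here and is not part of mPass: it parses a constructed two-line .csv file and applies the stated rules (line structure, mandatory user id, .csv extension, 500-record limit, no user id that already exists in mPass), rejecting the whole file when any user id already exists, as the last rule requires. Treating blank lines as ignorable, allowing trailing optional fields to be omitted, and requiring user ids to contain no spaces (taken from the Create User form) are assumptions, as are the function names.

```python
import csv
import io

MAX_RECORDS = 500
FIELDS = ("user_id", "first_name", "last_name", "mobile_number", "email")


def validate_import_file(filename: str, content: str, existing_user_ids):
    """Validate a bulk-import file against the rules listed above.
    Returns (records, errors). records holds the parsed rows when the file is acceptable and is
    empty when any error is found, because one pre-existing user id fails the whole import."""
    errors = []
    if not filename.lower().endswith(".csv"):
        errors.append("file extension must be .csv")
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(content)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # assumption: blank lines are ignored rather than rejected
        if len(row) > len(FIELDS):
            errors.append(f"line {lineno}: more than {len(FIELDS)} fields")
            continue
        # Optional fields may be empty or omitted; pad short rows so every record has all five keys.
        cells = [cell.strip() for cell in row] + [""] * (len(FIELDS) - len(row))
        record = dict(zip(FIELDS, cells))
        if not record["user_id"]:
            errors.append(f"line {lineno}: <user id> is mandatory")
        elif " " in record["user_id"]:
            errors.append(f"line {lineno}: user id {record['user_id']!r} must not contain spaces")
        records.append(record)
    if len(records) > MAX_RECORDS:
        errors.append(f"{len(records)} records exceed the limit of {MAX_RECORDS}")
    seen = set()
    for record in records:
        uid = record["user_id"]
        if not uid:
            continue
        if uid in existing_user_ids:
            errors.append(f"user id {uid!r} already exists in mPass; the whole import is rejected")
        elif uid in seen:
            errors.append(f"user id {uid!r} appears more than once in the file")
        seen.add(uid)
    return (records if not errors else []), errors


# Constructed sample file: one full row and one row giving only the mandatory user id.
SAMPLE_CSV = "jdoe,John,Doe,+966500000001,jdoe@example.com\nasmith\n"

if __name__ == "__main__":
    # Existing ids would come from the mPass user list; here a constructed set is used.
    records, errors = validate_import_file("users.csv", SAMPLE_CSV, {"bob"})
    print(len(records), errors)
    records, errors = validate_import_file("users.csv", SAMPLE_CSV, {"jdoe"})
    print(len(records), errors)
```

Running the check against an export of the current user list before uploading avoids the all-or-nothing failure described in rule 4, where a single duplicate blocks every other valid row in the file.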


Create User

Administrators can also define individual users from the administration portal. This feature is also useful when the administrator wants to create a user with the ‘Super Administrator’, ‘Authenticator’, ‘Support’ or ‘Authenticator and Administrator’ role. This feature can be accessed from the following path of the administration portal: Home -> Users -> Create User





User definition for a non-Authenticator role

For a non-Authenticator role, the password is mandatory.



Following is the description of all the fields in the above Create User form:

User Details
User Id: Unique identifier for the user, without spaces.
First Name: First name of the user, alphanumeric characters and spaces.
Last Name: Last name of the user, alphanumeric characters and spaces.
Password (applies only to the Super Administrator, Support, Operator and mPass Local roles): Password of the user. The password must follow these rules: 1. Must contain one digit from 0-9. 2. Must contain one lowercase character. 3. Must contain one uppercase character. 4. Must contain one special symbol from the list "@\#$%". 5. Length of at least 10 characters and at most 128.
Re-Type Password (applies only to the Super Administrator and Support roles): Should match the above password.
Role: Role to assign to the user: 1. Authenticator 2. Super Administrator 3. Support 4. VPN Local 5. Authenticator and Administrator 6. Operations 7. mPass Local.
Language Preference: The language of the SMS sent with the OTP.

Contact Details
Email Id: Valid email address of the user (used to send QR codes to the user via email).
Redirect QR Code: If checked, the QR codes are sent to the Redirect Email.
Redirect Email: Email address used to send QR codes instead of the above email.
Mobile Number: Mobile number of the user. Used in the following cases: 1. Send SMS to the user if the role is VPN Local 2. Send SMS if the ‘Always use above mobile number’ field is checked (see the field below).
Always use above mobile number: Selecting this checkbox always uses the mobile number defined in the Mobile Number field above, rather than the directory user attribute, when sending SMS to the user.

MFA Control
Allowed Authentication types: The user can view/use the selected options during authentication from OWA/ADFS/VPN: 1. SMS 2. Mobile 3. Email 4. Shard OTP 5. Push authentication. Note: Display of these options also depends on the policy applied to the channel.
Delay MFA User: Enabling this feature delays applying 2FA to the user across all channels until the date specified in Delay MFA Till.
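
The Password rules above, and the statement that a password is mandatory only for non-Authenticator roles, are restated as a checker in the following Python example. It is added here and is not mPass code. It assumes the backslash in "@\#$%" is an escaping artifact and that the allowed special symbols are @, #, $ and %; the roles that require a password are taken from the Password field's description, while the form dictionary keys and function names are the example's own.

```python
import string

# Assumption: "@\#$%" on the form denotes the four symbols @ # $ % (backslash read as an escape).
SPECIAL_SYMBOLS = set("@#$%")
# Roles for which the Password field applies, as listed in the field description.
PASSWORD_ROLES = {"Super Administrator", "Support", "Operator", "mPass Local"}
MIN_LEN, MAX_LEN = 10, 128


def password_violations(password: str) -> list:
    """Return the list of password rules (from the Password field description) that are broken."""
    problems = []
    if not any(c in string.digits for c in password):
        problems.append("must contain a digit 0-9")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("must contain a lowercase character")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("must contain an uppercase character")
    if not any(c in SPECIAL_SYMBOLS for c in password):
        problems.append("must contain one of the symbols @ # $ %")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    return problems


def create_user_violations(form: dict) -> list:
    """Validate the Create User form fields that have stated rules: a space-free User Id,
    a mandatory and policy-compliant password for password roles, and a matching Re-Type Password.
    Authenticator-type roles carry no password, so none is required for them."""
    problems = []
    user_id = form.get("user_id", "")
    if not user_id or " " in user_id:
        problems.append("User Id is required and must not contain spaces")
    if form.get("role") in PASSWORD_ROLES:
        password = form.get("password", "")
        if not password:
            problems.append("Password is mandatory for this role")
        else:
            problems.extend("Password " + p for p in password_violations(password))
            if form.get("retype_password") != password:
                problems.append("Re-Type Password does not match Password")
    return problems


if __name__ == "__main__":
    # Constructed form submissions: one compliant administrator, one Authenticator without password.
    print(create_user_violations({"user_id": "admin1", "role": "Super Administrator",
                                  "password": "Abcdefgh1@", "retype_password": "Abcdefgh1@"}))
    print(create_user_violations({"user_id": "jdoe", "role": "Authenticator"}))
    print(password_violations("abcdefgh1@"))
```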

Modify User

The privileged user can modify the information of users previously defined by the automatic or import methods. This feature can be accessed from the following path of the administration portal: Home -> Users -> List Users

The administrator can modify all editable fields except the User Id.

Searching Users

Privileged users can search for users using a combination of various parameters. The search form is hidden by default and can be displayed from the following path: Home -> Users -> List Users -> Search button. The following search form will be displayed.



Following is the description of all the fields in the above Search User form:

User Id: Unique identifier for the user, without spaces.
User Status: Status of the user: 1. Enabled 2. Disabled 3. Locked.
Authentication types: 1. SMS 2. Mobile 3. Email 4. Shard OTP 5. Push Auth.
Token Status: Finds users with tokens assigned / not assigned.
User Authentication:
  1. Users Authenticated during: searches for users who have authenticated between the From and To dates.
  2. Users not authenticated during: searches for users who have not authenticated between the From and To dates.
  3. Users Never Authenticated: searches for users who have never authenticated during the From and To dates.
From: search start date and time. To: search end date and time.
Note: The search start date should always be before the search end date.


Un-Assign Tokens from User

The administrator can Un-Assign the tokens already assigned to the user from the ‘Assigned Tokens’ tab in the User Details form.

Once Un-assigned from the user, the token is free and can be assigned to another user in the mPass system.

Deleting User(s)

The administrator can delete any user from the mPass system using the delete button on the List Users page, or select the checkboxes on the left side to delete multiple users. Home -> Users -> List Users


Defining User Alias

Privileged users can define multiple user aliases (maximum 5) for a single user. Users can use either the user id or an alias during authentication from RADIUS/OWA/Windows channels.
Defining user alias can be found in the user details page as shown below.


Send QR Token

Privileged users can send QR codes to the required users via email at any time. Navigate to the following path to access this feature: Home -> Users -> Send QR Token
Note: The old token assigned to the user will be automatically invalidated.



Group Management

Users in mPass can be managed using various groups. The ‘default’ user group is already defined in mPass and the new users automatically belong to this group. mPass administrators can create new groups and perform the following operations on the users:
  1. Change Language
  2. Change Authentication Options
  3. Extend Token activation date
  4. Move selected users to other groups
  5. Change User Status
  6. Change User Application access types

View Groups

To view the current groups, the privileged users can navigate to Home->Users->Groups Management


Update Group

Privileged users can modify existing groups to perform operations on users in bulk. To update a group, the privileged user should click on the required group name in the group list.
The following screen will be displayed to the user:


To view the users in the group, privileged user should click the ‘Users List’ tab in the group details page.


Reports

Home(Dashboard)

Using the dashboard feature of mPass, privileged users can view high-level statistics of the mPass system, such as the Authentication and Validation requests across the different channels (RADIUS, OWA, ...) over different intervals (daily, weekly, monthly).
The default screen displays the Authentication and Validation log statistics for the RADIUS channel type over a monthly period. Users can also view the statistics for other channel types and for different periods.



Request Logs

Privileged users can view the Authentication and Validation logs from all the Channels of the MPass system. Users can access the report from the following web link path: Home -> Reports -> Request Logs



Users can also filter the report output using the following criteria:

From Date: Start date of the Authentication/Validation requests.
To Date: End date of the Authentication/Validation requests.
Request Type: Authentication/Validation request types from the RADIUS/REST/OWA/ADFS channels.
User id: User identifier of the required user.
Response Result: Response status for the request.
Sender Address: IP address of the service requester.
Response Code: Reason for rejection of the request.
Validation result: Reason for acceptance/rejection of the OTP validation.

The report contains information such as the following:

User Id/Alias: User identifier of the required user.
Sender Address: IP address of the service requester.
Channel Name: The channel name of the request.
Request Type: Authentication/Validation request types from the RADIUS/REST/OWA/ADFS channels.
MFA Mode: The MFA option used by the user.
Response Result: Response status for the request.
Response Code: Reason for rejection of the request.
Validation result: Reason for acceptance/rejection of the OTP validation.

SMS Logs

The privileged users can view the SMS report to know the status of the OTPs sent to users via SMS. The privileged user can view the destination number, the status and the date and time of the SMS, but not the OTP message. Users can also filter the report using various criteria such as From Date, To Date, receiver email and status. To view the report, privileged users can navigate to Home -> Reports -> SMS Logs:



Email Logs

The privileged users can view the Email report to know the status of emails sent to users, including OTPs sent via email. The privileged user can view the email address, subject, status, created date and error status. Administrators can also filter the report using various criteria such as From Date, To Date, receiver email and status. To view the report, privileged users can navigate to Home -> Reports -> Email Logs:


Push authentication logs

mPass administrators can view the push authentication requests sent to users’ mobile phones using the Push Authentication Logs feature. It shows details such as the User Id, notification reference, originating application name, request time and the status of the push authentication notification.
Administrators can also filter the report using various criteria such as From Date, To Date, user name and status.
To view the report, privileged users can navigate to Home -> Reports -> Push Authentication Logs:


Backend System

Overview

The backend system section deals with mPass system level parameters and provides functionality to define backend systems such as Directory Servers, SMPP Servers etc. To view the defined backend systems, the privileged user should navigate to the following path: Home -> Backend System -> Backend System


System configuration

The Backend Systems list provides a default backend system named ‘system’, which cannot be deleted and is required for mPass to function. The ‘system’ parameters can be accessed by clicking on the Backend System name ‘system’ and are displayed as follows:


To view the ‘system’ parameters users need to click the BackEnd Parameters tab:

The ‘system’ backend contains the following sections containing parameters.

mPass Push Authentication configuration



Applies to the configuration of the mPass push authentication services.

Service Status: Control to enable/disable the mPass push authentication services. Disabling does not allow push authentication for users.
Client Id: Unique client Id generated in the mPass Push online authentication service to identify the mPass setup. The Cerebra PS team provides the unique Client Id for an organization.
Client Secret: Client secret to access the mPass Push online services.
mPass Push Service Base URL: Base URL of the mPass Push online authentication service.
Push Authentication Time-out (Secs): Maximum time allowed for the user to respond to the push authentication notification.
Activation Code Validity (Mins): Maximum time allowed for the user to scan the QR code in the user portal.

Channel Global Parameters



Applicable to HTTP-based channels such as OWA/ADFS, WebService, MNV WebService and PKC WebService. Applies to the sender address of the HTTP-based mPass service caller.

Sender IP in HTTP Header: When enabled, the channels mentioned above read the sender IP from the HTTP header named below. The Sender Address of HTTP-based channels should then be configured to the IP address passed in this header.
HTTP Header Name: All the HTTP-based channels read the sender IP from the HTTP header configured here. The default value is X-Forwarded-For.
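
The Sender IP in HTTP Header parameter has a security consequence worth spelling out: X-Forwarded-For (or whichever header is configured) can be set by any HTTP client, so a channel whose Sender Address is matched against the header value should only honour the header when the request actually arrived through a trusted reverse proxy or load balancer; otherwise the direct peer address is the only reliable sender address. The following Python example is added here and is not mPass code; it shows how a sender address can be resolved under that rule, walking the header from the right past known proxies. The trusted_proxies list is an assumption of the example (the page mentions no such parameter), as are the dictionary keys, the sample parameters and the function names.

```python
import ipaddress


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def resolve_sender_address(peer_ip: str, headers: dict, params: dict) -> str:
    """Determine the sender address to compare with a channel's Sender Address.
    params mirrors the Channel Global Parameters ('sender_ip_in_http_header', 'http_header_name');
    'trusted_proxies' (a list of CIDRs) is an added assumption: the header is honoured only when
    the TCP peer is one of those proxies, because any caller can put an arbitrary value in it."""
    if not params.get("sender_ip_in_http_header", False):
        return peer_ip
    trusted = [ipaddress.ip_network(cidr) for cidr in params.get("trusted_proxies", [])]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if not is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip  # header did not come through a trusted proxy; ignore it
    raw = _header(headers, params.get("http_header_name", "X-Forwarded-For"))
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Proxies append the address they saw; walk from the right and skip our own proxies,
    # so the first untrusted hop is the address the outermost trusted proxy talked to.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer rather than trust it
        if not is_trusted(addr):
            return str(addr)
    return peer_ip  # every hop was one of our proxies; nothing external to report


# Constructed parameters: header reading enabled and one reverse-proxy subnet trusted.
EXAMPLE_PARAMS = {
    "sender_ip_in_http_header": True,
    "http_header_name": "X-Forwarded-For",
    "trusted_proxies": ["10.0.0.0/8"],
}

if __name__ == "__main__":
    # Request relayed by the proxy at 10.0.0.5 on behalf of 203.0.113.7 (constructed addresses).
    print(resolve_sender_address("10.0.0.5", {"X-Forwarded-For": "203.0.113.7, 10.0.0.9"},
                                 EXAMPLE_PARAMS))
    # Same header sent directly by an untrusted peer is ignored.
    print(resolve_sender_address("198.51.100.3", {"X-Forwarded-For": "203.0.113.7"},
                                 EXAMPLE_PARAMS))
```

When the header is enabled but the proxy list is empty, the function never trusts the header, which is the safe default; the proxy addresses should be the real load balancer or reverse proxy hosts sitting in front of mPass, and the channel's Sender Address should be the address those proxies forward.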


Users Portal Configuration



This section is used to control the mPass User Portal configuration.

User Portal URL: mPass User Portal URL address.
Mobile Token Activation Mode: Offline means the mPass authenticator device need not connect to the mPass server during QR code scanning. Online means the mPass authenticator device must connect to the mPass server during QR code scanning.
Enable Manual Activation for mobile: Users can use either the QR code or the 16-character code. This is useful for users who do not allow camera access or whose phone has no camera.
Allow user activation without definition: Yes means users can register themselves in the mPass User Portal without the administrator defining them first. No means users cannot register before the administrator defines them.

Users Config



This section contains the parameters to control the web browser session timeout of the administration portal and user portal.

Session Time Out (Mins): Browser session timeout for the mPass administration portal and mPass User Portal.
Notify Mobile Users: Applied when defining new users, either 1. a single user or 2. via bulk import. No: the user is not notified. Email with Information Only: sends the user an email with instructions to download and activate the mPass mobile app, and the URL of the user portal. Email with Information and QR code: sends the user an email with instructions to download and activate the mPass mobile app, and the QR code as an email attachment.
mPass Windows Mobile token time window: Applies to TOTPs provided via the mPass Windows Agent. Specifies the allowed time window difference between the server time and the user's mobile time.
SMS OTP Length: Length of the OTP generated for SMS.

Inactive Users Cleanup
Enable Automatic Inactive Users Deletion: Enables the feature to delete inactive users.
Delete Users Not logged more than: If the above option is enabled, users who have not logged in during the last 30/60/90/120 days are deleted. A list of the deleted users along with their last login date is emailed to the administrator.

Locked users controls
Enable Auto Unlock: Enables automatic unlocking of users who were locked due to invalid passwords/invalid OTPs.
Auto Unlock users after: Value (in minutes) specifying the cutoff time after which locked users are unlocked.

QR Codes and Token Activation



This section is used to control the mPass User Portal configuration.

Enforce QR Code Validity in email: Sets a validity period for QR codes sent via email.
QR Code Validity (days): QR code validity period in days.
Allow Mobile Token Activation via Channels: If enabled, users can activate the mPass authenticator app via mPass agents (currently only the OWA agent is supported).
Allow Mobile Token Activation for new users: If enabled, users who are defined by the administrator, auto-defined or imported are allowed QR activation via the user portal.

LinQ2SMS

Using this section, users can configure the details of Cerebra's LinQ2 SMS Enterprise gateway for delivering OTPs as SMS.

Parameter Name: Description

LinQ2 WebService: URL of the LinQ2SMS SOAP Service.
User: Username to access the SOAP Service.
Password: Password for the above user.
SMS Sender: SMS Sender.

In the Web Service field, administrators need to modify the hostname and specify the port if required.

SMS Message Templates

Parameter Name: Description

SMS English Template: English template for SMS. Applies to all channels (OWA/RADIUS/ADFS/WebServices etc.).
SMS Arabic Template: Arabic template for SMS. Applies to all channels (OWA/RADIUS/ADFS/WebServices etc.).


System Keystore

The mPass system uses a keystore to store the encryption keys. Administrators can modify the keystore password if required, as described below.

Parameter Name: Description

Password: Use this to change the password of the mPass internal keystore.

Cleanup

Enabling these options purges the request logs from the system.

Parameter Name: Description

Enable validation cleanup: If enabled, authentication logs are deleted.
Purge validation logs before (Hrs): Deletes logs older than the configured number of hours.
Enable SMS cleanup: If enabled, SMS OTP messages are deleted.
Purge SMS logs before (Hrs): Deletes SMS OTP messages older than the configured number of hours.

Notifications

Parameter Name: Description

Enable License Expiry Notifications: If enabled, mPass license expiry notifications are sent to the configured System Administrator emails.
Remind Every: Frequency at which reminders are sent.
Last Notified on: The time of the last notification.
System Administrator emails: Comma-separated list of administrator email addresses.

Other Backend definitions

Apart from the 'system' configuration, privileged users can define Backend systems of the following types:

System Type: Description

Email Server: Email server used to send QR code emails to users.
Directory Server: Enterprise directory server for authentication and for retrieving mobile number information.
Simple HTTP Gateway: HTTP gateway used to send SMS via simple parameters.

To define a new backend, privileged users should click the 'Add' button on the Backend System list page. A new form wizard is displayed; selecting the appropriate Backend System Type displays the corresponding form.

For Active Directory Server

This backend defines the Active Directory used for authentication. The configuration is used in the following scenarios:
  1. To verify the username and password of the user (RADIUS configurations)
  2. To read the mobile number of the user before sending the OTP via SMS
  3. To read the email address of the user before sending the OTP via email

Parameter Name: Description

HostName/IP Address: Hostname or IP address of the Active Directory. Multiple IP addresses can be specified for multiple servers.
Port: LDAP/LDAPS port number.
Domain Name: Active Directory domain name.
UPN Suffix: UPN suffix (should be the same as the Domain Name if there is no UPN suffix).
Base Name: English Template for SMS. Applies to all channels OWA/RADIUS/ADFS/WebServices etc.
User: Service account name used to read the mobile number or other attributes of the user.
Password: Service account password.
Mobile number field name: Name of the user attribute holding the mobile number in Active Directory.
SMS Sender Name: The SMS sender name for this Active Directory. If not set, the name from the channel configuration/system configuration is used.
MFA Groups: Full OU name for which 2FA is enabled. Only users belonging to the defined groups are subject to 2FA; others are rejected. Separate multiple groups with commas.


For Simple HTTP Gateway

This configuration is required if the system uses an HTTP-based SMS gateway.

Parameter Name: Description

SMS Service URL: Base URL of the SMS provider, or base URL including static parameters.

SMS Service Password/API Key Parameter Name: If the service requires a password, this parameter specifies the field name of the password.
  If Request Type is GET, this parameter is sent as an HTTP URL parameter name.
  If Request Type is POST with Payload Type x-www-form-urlencoded, the parameter name is sent in the POST body.
  If Request Type is POST with Payload Type JSON, the JSON tag name for the password should be specified here.

SMS Service Password/API Key Value: If the service requires a password, this parameter specifies the value of the password (see above for field name details).
  If Request Type is GET, this value is sent as the HTTP URL parameter value for the above parameter name.
  If Request Type is POST with Payload Type x-www-form-urlencoded, the value is sent in the POST body for the above parameter name.
  If Request Type is POST with Payload Type JSON, this value is set for the JSON tag name configured above.

SMS Receiver Parameter Name (to set mobile number): This parameter specifies the request parameter name for setting the mobile number.
  If Request Type is GET, this parameter is sent as an HTTP URL parameter name.
  If Request Type is POST with Payload Type x-www-form-urlencoded, the parameter name is sent in the POST body.
  If Request Type is POST with Payload Type JSON, the JSON tag name for the mobile number should be specified here.

SMS Parameter Name (to set SMS Content): This parameter specifies the request parameter name for setting the SMS content.
  If Request Type is GET, this parameter is sent as an HTTP URL parameter name.
  If Request Type is POST with Payload Type x-www-form-urlencoded, the parameter name is sent in the POST body.
  If Request Type is POST with Payload Type JSON, the JSON tag name for the SMS content should be specified here.

SMS Message Language Parameter Name: This parameter specifies the request parameter name for setting the language type.
  If Request Type is GET, this parameter is sent as an HTTP URL parameter name.
  If Request Type is POST with Payload Type x-www-form-urlencoded, the parameter name is sent in the POST body.
  If Request Type is POST with Payload Type JSON, the JSON tag name for the language type should be specified here.

English SMS Message Type Parameter Value: The value set in the above parameter field for English messages.

Arabic SMS Message Type Parameter Value: The value set in the above parameter field for Arabic messages.

HTTP Request Configurations

Request Type: Whether the HTTP request uses the GET or POST method.

HTTP POST Request Payload Type: Payload type for HTTP POST requests.

HTTP POST JSON Body Template: The JSON template for HTTP POST requests with payload type JSON. It can contain static and dynamic values. Dynamic values normally include:
  1. Passwords
  2. SMS recipient
  3. SMS message
  4. Language
Example:

    { "Username": "myuser",
      "Password": "<Password>",
      "Tagname": "Cerebra",
      "RecepientNumber": "<RecepientNumber>",
      "VariableList": "",
      "ReplacementList": "",
      "Message": "<Message>",
      "SendDateTime": 0, "EnableDR": false
    }

In the above JSON, the password, the recipient number and the SMS content are populated dynamically.

HTTP Response Configurations

HTTP Response Check: Specifies the mechanism used to check whether the SMS was sent successfully.

Success Response Value/HTTP Status Code: If the above field is configured to check the HTTP status code, the HTTP status code for success should be specified here. If it is configured to check the HTTP response body, the HTTP response body for success should be specified here.

Failure Response Value/HTTP Status Code: If the HTTP Response Check field is configured to check the HTTP status code, the HTTP status code for failure should be specified here. If it is configured to check the HTTP response body, the HTTP response body for failure should be specified here.

Enable Dynamic SMS Sender: If enabled, the SMS sender is set as configured in the mPass channels; otherwise it is set as configured in the parameter below.

SMS Sender HTTP Parameter Name: Default SMS sender value.

Other static parameters: Any static name=value pairs required by the SMS vendor, appended to the URL during GET and POST requests. These can be a sender name or an application identifier for tracking and reporting.
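The table above describes three request shapes (GET with URL parameters, POST with a form-encoded body, POST with a JSON template) and two ways to read the result (status code or response body). The following is an added example, not code from mPass or Cerebra, that puts those rules into one request builder and one response checker so an administrator can see what a given gateway definition will actually put on the wire before pointing it at a vendor. The gateway dictionary keys, the `sms.example.invalid` URL, the API key and the `Lang`/`Sender` field names are constructed for the example; the placeholders `<Password>`, `<RecepientNumber>` and `<Message>` are the ones in the page's JSON template. Static parameters are appended to the URL for both GET and POST, as the table states.

```python
import json
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# JSON body template copied from the page's example; the three angle-bracket
# placeholders are replaced per message.
JSON_TEMPLATE = """{ "Username": "myuser",
"Password": "<Password>",
"Tagname": "Cerebra",
"RecepientNumber": "<RecepientNumber>",
"VariableList": "",
"ReplacementList": "",
"Message": "<Message>",
"SendDateTime": 0, "EnableDR": false
}"""

# Constructed gateway definition; the keys mirror the table's parameter names,
# the URL, API key and vendor field names are invented for the example.
DEMO_GATEWAY = {
    "sms_service_url": "https://sms.example.invalid/send?app=mpass",
    "password_param": "Password",
    "password_value": "EXAMPLE-API-KEY",   # placeholder, not a real credential
    "receiver_param": "RecepientNumber",
    "message_param": "Message",
    "language_param": "Lang",
    "english_value": "E",
    "arabic_value": "A",
    "request_type": "POST",                 # GET or POST
    "payload_type": "json",                 # x-www-form-urlencoded or json
    "json_template": JSON_TEMPLATE,
    "response_check": "body",               # "status" or "body"
    "success_value": '"Status":"OK"',
    "failure_value": '"Status":"ERR"',
    "dynamic_sender": False,
    "sender_param": "Sender",
    "sender_default": "mPass",
    "static_params": {"Tagname": "Cerebra"},
}


def _with_query(url, params):
    """Append name=value pairs to the URL query string without dropping existing ones."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def _json_str(value):
    """Escape a value for insertion between the quotes of a JSON string literal."""
    return json.dumps(str(value))[1:-1]


def build_sms_request(gw, mobile, text, language="en", channel_sender=None):
    """Return (method, url, headers, body) for one OTP SMS under the gateway definition."""
    sender = channel_sender if gw["dynamic_sender"] and channel_sender else gw["sender_default"]
    dynamic = {
        gw["password_param"]: gw["password_value"],
        gw["receiver_param"]: mobile,
        gw["message_param"]: text,
        gw["language_param"]: gw["arabic_value"] if language == "ar" else gw["english_value"],
        gw["sender_param"]: sender,
    }
    if gw["request_type"] == "GET":
        # Everything, static and dynamic, travels in the query string.
        url = _with_query(gw["sms_service_url"], {**dynamic, **gw["static_params"]})
        return "GET", url, {}, None
    # POST: static parameters stay on the URL, dynamic values go in the body.
    url = _with_query(gw["sms_service_url"], gw["static_params"])
    if gw["payload_type"] == "json":
        body = gw["json_template"]
        for placeholder, value in (("<Password>", gw["password_value"]),
                                   ("<RecepientNumber>", mobile),
                                   ("<Message>", text)):
            body = body.replace(placeholder, _json_str(value))  # escaped, so quotes in the text stay valid JSON
        return "POST", url, {"Content-Type": "application/json"}, body
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(dynamic)


def sms_sent_ok(gw, status_code, body):
    """Apply the HTTP Response Check: compare the status code, or look for the configured strings in the body."""
    if gw["response_check"] == "status":
        return str(status_code) == str(gw["success_value"])
    if gw["failure_value"] and gw["failure_value"] in body:
        return False
    return gw["success_value"] in body


def send_sms(gw, mobile, text, language="en", timeout=10):
    """Send one message and report success per the gateway's response check (needs network access)."""
    method, url, headers, body = build_sms_request(gw, mobile, text, language)
    req = Request(url, data=body.encode("utf-8") if body else None, headers=headers, method=method)
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, payload = resp.status, resp.read()
    except HTTPError as err:  # a 4xx/5xx still carries a body the check may need
        status, payload = err.code, err.read()
    return sms_sent_ok(gw, status, payload.decode("utf-8", "replace"))
```

`build_sms_request` is the piece worth running during setup: with a GET gateway it shows that the API key ends up in the URL, where proxies and web server access logs will record it, which is a reason to prefer the POST variants when the vendor offers them.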


Email Server

This backend configuration is used to send emails in the following scenarios:

  1. Invitation emails to users about mPass token activation, with the QR code or the User Portal URL.
  2. OTP via email.

Parameter Name: Description

Host Name/IP: Host name or IP of the email server.
Port: SMTP port.
Protocol:
  None: plain TCP/IP
  TLS: Transport Layer Security
  SSL: Secure Sockets Layer security
Sender User Id: Sender email address for the emails.
No Authentication: Select this option when sending emails does not require a password.
Password: Password of the Sender User Id.
Sender Name: Sender name to be included in the email.

Sometimes, due to network connection issues or other problems between the PC/server where the mPass Windows Agent is installed and the mPass server, the user might not be able to log in to the system. The purpose of this feature is to disable the mPass Windows Agent. It is used to disable mPass Windows Agents and to provide Deactivation codes to remote users who might have installed the agent in online or offline mode. Privileged users can navigate using the following path: Home -> Backend System -> Backend System

Following is a brief description of each parameter:

Parameter Name: Description

Install Id: Unique ID generated for the mPass agent installation in the organization.
DeActivate Code: Deactivation code to be entered in the OTP box to deactivate the mPass agent.
Host IP: The host IP address of the system where the mPass Windows Agent is installed.
MAC Addr: The MAC address of the network card of the remote system.
Created Date: The date the mPass agent was activated on the remote system.
Status: Enabled/Disabled state.


Email Template

mPass uses templates to send various emails to users in the following cases:
  1. New-User creation (information email without QR code)
  2. New-User creation (information email with QR code)
  3. OTP via email
Privileged users can update and customize these templates. The following path can be used to navigate to them:
Home -> Backend System -> Email Templates

To modify a template, click the Template Name of the required template.


License Management

mPass services work based on the license validity. The license is issued per server based on the following parameters:
  1. IP address of the server
  2. Network MAC address for the above IP address
Cerebra provides a license.dat file, which should be uploaded using the web interface at Home -> Backend System -> License Management



GENERAL MAINTENANCE

Application Backup

The recommended method is to back up the entire OS image, and the recommended period is every week. If an OS image backup is not possible, the minimum backup required is the JBOSS_HOME directory (usually at C:\Program Files\mPass\wildfly-17.0.0.Final) including its sub-directories.

Database Backup

The database backup is critical to business continuity in case of disaster. The recommended approach is real-time backup if possible; otherwise, administrators should configure a daily backup plan.

Re-starting mPass Windows Service

To restart the mPass Windows Service for any reason, the service should first be stopped and then started again.
Note: Please do not click the restart button.

Re-booting the Servers

A typical setup of mPass is installed on 2 servers: Application Server and Database Server. For cases where Re-booting is required, the order of the re-booting is important to note as the application server relies on the Database server to load system parameters.

Stopping order

1. Application Server windows service ‘mPass’
2. Database Server

Starting order

1. Database Server
2. Application Server windows service ‘mPass’ (automatically starts during system reboot)


General Incidents and Troubleshooting

Users unable to authenticate via VPN

  1. Check connectivity between the VPN system and mPass
  2. Check connectivity between mPass and Active Directory
  3. Check connectivity between mPass and the Database Server
  4. Check connectivity between mPass and the SMS Gateway (if applicable)
  5. Check ‘Request Logs’ in the mPass administration portal for error messages
  6. Send the server.log file from ‘C:\Program Files\mPass\wildfly-17.0.0.Final\standalone\log’ on the server to support

OTP Validation Failure

  1. Check ‘Request Logs’ in the mPass administration portal for error messages
  2. Check whether the OTP has expired (as per the policy parameter SMS OTP expiry time)
  3. For mobile tokens, check whether the token assigned to the user and the token in the system have the same serial number
  4. Send the server.log file from ‘C:\Program Files\mPass\wildfly-17.0.0.Final\standalone\log’ on the server to support

SMS OTP Not Received

  1. Check connectivity between mPass and the SMS Gateway (if applicable)
  2. Check whether the SMS quota has expired or been used up
  3. Check ‘Request Logs’ in the mPass administration portal for error messages
  4. Send the server.log file from ‘C:\Program Files\mPass\wildfly-17.0.0.Final\standalone\log’ on the server to support

mPass Server Not Running

  1. Check whether the Windows service ‘mPass’ is running in the Windows Services window
  2. Check connectivity between mPass and the Database Server
  3. Check whether the database credentials are valid
  4. Check whether the service account credentials of the Windows service ‘mPass’ are valid (if applicable)
  5. Send the server.log file from ‘C:\Program Files\mPass\wildfly-17.0.0.Final\standalone\log’ on the server to support


Appendix

Abbreviation: Description

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.
OTP: One Time Password
MFA: Multi-Factor Authentication
REST: Representational State Transfer
PO: Purchase Order

© 2024 Cerebra All Copyrights Reserved