We did some deployments with Vasco Identikey Server for multi-factor authentication already. The solution is not only feasible for One-Time-Password authentication as first and protecting factor in addition to the usual AD or other LDAP directory auth with username and Password, but it also provides one-stop-authentication in mixed environments and enables different “single-sign-on” scenarios.
Just this week, I did my first deployment with the Virtual Appliances Vasco provides (be aware though that they need to be licensed in addition to the Identikey Server component you usually install on Windows or Linux). They work like a charm. The setup is really Enterprise-ready as in this case it aims at 1,000 users to be authenticated using username, password and an OTP from a physical Vasco Digipass Go6. You don’t want to assign those devices to 1,000 (or even 50) users manually. And you don’t want to create those users manually in Identikey Server.
For user import, you could go for a CSV list import or a filtered LDAP sync. We did decide for Dynamic User Registration (DUR) with back-end authentication against Active Directory. You can use group membership as a requirement for registration. Additionally, we configured Self-Assignment for the Digipasses. So now a user receives his or her Digipass and then connects to the NetScaler Gateway login page and enters
- Username (is automatically converted to lower case to prevent multiple user objects to be created in case somebody hits a shift key)
- Digipass serial number, AD password, current OTP <– all concatenated in the “Token” field
- AD password (third field could be removed and AD-auth delegated to Identikey server for all cases, but we decided to keep it and do AD-auth from Identikey for DUR only)
Identikey server figures out a new user and starts DUR: password is validated against AD, okay, user created. OTP is checked against expected current value from serialnumber, okay, Digipass assigned. On subsequent logins, the Token field takes only the OTP. AD password is validated by NetScaler Gateway on its own (second authentication cascade) and finally the user is logged on and signed in to the Webinterface/Storefront showing available apps and desktops. Done.
The setup of replication between the Virtual Appliances was a breeze as well. Worked instantly and replicates the database and configuration of the Authentication Server bidirectonally. Just like that.