Oplon Multi Factor Authentication Setup
Oplon MFA Explanation How it Works and Features
This section gives an overview of how MFA (Multi Factor Authentication) operates, so that the steps that follow, which describe its implementation on resources exposed by our Virtual Appliance, are easier to understand.
Multifactor Authentication is today the best way to protect services that must be exposed to the Internet audience.
Oplon MFA is integrated into the latest version of the Oplon ADC platform and allows you to secure all WEB services that require strong authentication without touching or integrating anything into the service.
Any service, or part of it, that traverses the Oplon ADC layer can undergo dual-factor authentication simply by applying a rule. This is completely transparent to the application, which can be reached by the operator only after ascertaining its identity.
MFA services are immediately available because they are attested in Super Oplon Cloud, a service provided directly by Oplon Networks and therefore immediately applicable to all services that traverse Oplon ADC (check Oplon ADC version for activation).
Advantages
- Any WEB service or part of it that traverses Oplon ADC at Layer 7 can undergo Dual Authentication
- Dual Authentication is directly available for WEB services without installing any component other than the ADC: it is sufficient to apply a rule on the resource to be protected and activate the service at Oplon Networks
- Users who need to access resources can self-register on the service without prior enrollment. The Manager only has to accept the request, decline it, or enter a termination date beyond which the user will be disabled for that service.
- MFA can be used and registered either through email or through Mobile APP available for iOS and Android
- The Mobile APP does not need a phone number to be activated. Not needing to activate the Mobile APP with a cell phone number has the following benefits:
  - Users with private smartphones do not need to give their phone number
  - At the server configuration level, the customer does not have to contract with telephone operators, saving considerable amounts of money as the number of users increases
  - Configuration does not require any integration with telephony providers, with significant advantages in both cost and reduced adoption time
  - In the case of foreign users, there are no limitations dictated by telephone contracts for the provision of SMS services
- Access authorization management is handled through Tenants and Managers. This means that it is possible to delegate to service Managers the authority to authorize access to a user
- Every MFA operation, from the user's request for authorization to the Manager's confirmation or denial of that authorization, is tracked in a way that users cannot modify
- Tracking of operations on services is attributable to the unique user who performed MFA, increasing the overall security of the system
- A unique user can request access to different services
- With Oplon MFA it is very easy to integrate SSO into existing applications, because the user login and its attributes are added to the HTTP header that reaches the end servers. This system, simpler than other platforms, allows:
  - (a) With very little implementation effort, the application side (the service manager) can read the information from the header and prepare an automatic login
  - (b) With Oplon MFA it is possible to indicate both roles (groups) and impersonations on a per-service basis. This allows an MFA user to indicate to the end application which user and role (group) to announce on that specific application, and facilitates SSO implementations by the application manager
- For the reasons described above in (a) and (b), with Oplon MFA the services can be disconnected from the Internet, as recent best practices recommend, increasing security exponentially by not allowing latent viruses to activate or malicious plug-ins to exfiltrate sensitive data
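How an application behind the ADC can consume the injected login, role and impersonation headers for the automatic login described in (a) and (b), as an added illustration (not Oplon's code). The header names, the ADC address and the peer check are assumptions: the peer check is what makes the last point above matter, because identity headers are only trustworthy when the service is reachable solely through the ADC.

```python
"""Backend-side handling of identity headers injected by an MFA-enforcing ADC.

Added example, not Oplon's code. Header names (X-MFA-User, X-MFA-Roles,
X-MFA-Impersonate) and the ADC address are assumptions: use the ones your
Rewrite Header rule actually sets.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

TRUSTED_PROXIES = {"10.0.0.5"}          # constructed: address(es) of the Oplon ADC
USER_HDR = "X-MFA-User"                 # assumed header carrying the MFA login
ROLES_HDR = "X-MFA-Roles"               # assumed header carrying comma-separated roles
IMPERSONATE_HDR = "X-MFA-Impersonate"   # assumed header carrying the per-service impersonation
IDENTITY_HDRS = {h.lower() for h in (USER_HDR, ROLES_HDR, IMPERSONATE_HDR)}


@dataclass(frozen=True)
class Identity:
    user: str                 # real MFA user, kept for audit
    roles: Tuple[str, ...]
    effective_user: str       # account the application should log the session in as


def identity_from_request(peer_ip: str, headers: Mapping[str, str]) -> Optional[Identity]:
    """Return the authenticated identity, or None if the request cannot be trusted."""
    # The headers are only meaningful when the request arrived through the ADC;
    # a client that reaches the backend directly could set them itself.
    if peer_ip not in TRUSTED_PROXIES:
        return None
    norm = {k.lower(): v for k, v in headers.items()}
    user = norm.get(USER_HDR.lower(), "").strip()
    if not user:
        return None
    roles = tuple(r.strip() for r in norm.get(ROLES_HDR.lower(), "").split(",") if r.strip())
    impersonate = norm.get(IMPERSONATE_HDR.lower(), "").strip()
    # Impersonation is granted per service on the MFA side: log in as that
    # account, but keep the real user so operations stay attributable.
    return Identity(user=user, roles=roles, effective_user=impersonate or user)


def strip_identity_headers(headers: Mapping[str, str]) -> dict:
    """Drop client-supplied identity headers before the proxy injects its own."""
    return {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HDRS}
```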
Prerequisites
- You have downloaded, installed and configured the Oplon Secure Access Virtual Appliance as indicated in this guide.
- Make sure that the appliance has outgoing port 2443 open: it needs to communicate with super.oplon.cloud for MFA to work correctly.
Import Certificate .P12 super.oplon.cloud
Once you have purchased the Multi Factor Authentication service from Oplon, you will receive a .P12 certificate. This is the certificate with which the appliance interfaces with super.oplon.cloud to verify the trustworthiness of the connection and allow the authorization of Multifactor Authentication users.
At this point we can import the Keystore into our Virtual Appliance.
We select the file from the local path where we placed it and choose to insert it on our Platform.
A video of the operation of inserting the Keystore into our Platform A10_LBLGoPlatform
Copying and Configuring MFA/2FA Rewrite Rules
- Rewrite Header Rules search: we flag the Templates view and search for the string 2fa
- Rewrite Header Rules copy: we copy the Templates into our A10_LBLGoPlatform Platform
A video of the operation of copying the Rewrite Header Rules secure Templates into our Platform A10_LBLGoPlatform.
Now we can proceed with the configuration of the Rewrite Rules that will protect the Oplon Secure Access resources.
Configuration of the Rewrite Header Rule 2faActivation and ACTIVATION_CODE
We go to the Rewrite Management > Rewrite Header Rules menu and look for the Rewrite Header rule 2faActivation.
Once in Parameter Writing, look for the Variables section, find the variable named ACTIVATION_CODE and in Value enter an activation code of your choice (for example "ACTIVATIONCODE").
A video of the insertion of ACTIVATION_CODE in the Rewrite Header Rule 2faActivation
Configuration of the Rewrite Header Rule 2faGeneric
We go to the Rewrite Management > Rewrite Header Rules menu and look for the Rewrite Header rule 2faGeneric.
Once in Parameter Writing, we look for the Variables section and insert the appropriate values for the CLIENT_KEYSTORE_NAME item (in our example "THECertificate.p12") and the CLIENT_KEYSTORE_PASSWORD item (the password received with it).
A video of the insertion of the parameters in the Rewrite Header Rule 2faGeneric
Application of MFA Rules
At this point it is a matter of deciding where to apply them, remembering that rewrites can be applied at the level of:
- ADCs
- Groupings
- Domains
- Endpoints
For this demonstration, we decided to apply them at the level of Domains, remembering however that the way of activation remains nearly the same for other entity types.
Example: How to secure a Domain
At this point we can protect any of the resources exposed by OPLON SECURE ACCESS with a Multiple Factor Authentication system.
We now proceed to implement the MFA protection rules on a domain; we decide to protect the domain a_domain.oplon.net.
Search for the Domain
Go to ADC Settings / Domains, look for the domain a_domain.oplon.net and enter edit mode.
Insertion of the Rewrite Header Rules
Inside the customization of the domain, look for the Rewrite header rules section and insert the two rewrites we configured a little while ago: 2faGeneric and 2faActivation.
Also remember to set 2faActivation to the LAST value in the Operation column.
Video of the insertion of the MFA Rewrite Rules on a Resource (e.g. Domain)
A video of the domain search operation and of the insertion of the 2faGeneric and 2faActivation Rewrite Header Rules
FAQ
Where in the configuration of the Oplon Adc is it possible to bring in an MFA (Multiple Authentication Factor) control?
- Following the logic and application philosophy of Oplon ADC, a rewrite can be applied at the hierarchical level of ADC, Group, Domain or Context, or, like any other product rewrite rule, through a regexp.
What exactly is the effect presented to the user when an MFA rewrite has been applied in the context of a domain, or even on a resource matched by a regexp?
- Very simply, the resource becomes unreachable for everyone who has not been enabled by his/her own Manager.
Figure 15: Authentication portal
Does this mean that I am forced to redo the authentication every time I access a resource subject to the rewrite?
- No, you aren't! You will be forced to do it only if the session of the current browser is closed. Authentication is performed by injecting cookies, so it is not lost as long as those cookies remain valid for the browser in use.