If you are new to DualShield, then you might want to first refer to the general instruction on how to build an application in DualShield.

Complete the following steps to build an application for computer MFA logon.

Create logon procedure for computer MFA

For computer MFA logon, the type of logon procedure is called Windows. It is named as such due to historical reasons. 

Below is the general guide for creating a logon procedure in DualShield 

In the Admin Console, in the side panel, select "Authentication | Logon Procedure"

Click the "CREATE" button on the toolbar

In the "Name" field, enter a name for this new logon procedure, e.g. "Office 365"

In the "Type" field, select the type of the logon procedure from the drop list, e.g. "Web SSO"

Click the "SAVE" button to save it.


Now that a new logon procedure is created, you want to add logon steps.

To add logon steps to a logon procedure or to change logon steps, firstly navigate to the logon procedure.

Navigate to Authentication | Logon Procedures

Click the context menu icon "..." of the application to be edited, e.g. "Office 365"

select "Logon Steps" to bring up the logon steps editor

To add a logon step, click the "ADD" button

Select the one or multiple authentication methods that you want to add to this step, e.g. "One-Time Password" 

Click the "SAVE" button to save it

You can change the order of the steps by clicking the "UP" and "DOWN" buttons.

Make sure that the type of the Logon Procedure you have created is Windows 

Once a logon procedure has been created, you need to add logon steps into the newly created logon procedure.

Logon Step for Computer MFA Logon 

The computer MFA logon process, including both Windows and Mac OS, is implemented in such a way that both the first factor (i.e. AD password) and the second factor (e.g. one-time password) are entered within one single step on the same screen. The first factor, i.e. AD password, is always required and actually verified by the AD itself, and the second factor, such as an OTP token or FIDO key, is verified by the DualShield MFA server. Therefore, you only need to add one logon step into the logon procedure and you only need to add a second factor into the logon step.

The example below is a logon step that includes 2 authentication options, one-time password and FIDO U2F, which means that the users will be allowed to authenticate themselves using either of the credentials. 

Create application for computer MFA

In DualShield, an application does not have a type. Therefore, creating an application for any integration is the same. 

In the admin console, in the side panel, select "Authentication | Applications"

Select "CREATE" on the toolbar

Select the Realm to be linked to this application, e.g. Deep.Net

Select the Logon Procedure to be used by this application, e..g. Office 365

Click "SAVE" to save the application.



However, you must select a Logon Procedure that is of the type of Windows. In the example below, we are create an application with a name called "Windows Logon" and the logon procedure we select is a Windows logon procedure.

 

Publish application for computer MFA

Generally, an application has to be published before it can be accessible by users.

Below is the general guide on how to publish an application.

To publish an application on an authentication agent, first navigate to the application list by select "Authentication | Applications" in the side panel

Click the conext menu icon "..." of the application, e.g. "Office 365" to access its context menu

select "Agents" in the context menu

select the authentication agent on which the application is to be published, e.g. "Single-Sign-on Server"

Click "SAVE" button to save settings


A computer logon application has to be published on one or many Windows logon agents. If there is no Windows logon agent found in your DualShield platform, then you must first install a Windows logon agent.


  • No labels