Before an application can be created, a logon procedure must be created first.
In the Admin Console, in the side panel, select "Authentication | Logon Procedure"
Click the "CREATE" button on the toolbar
In the "Name" field, enter a name for this new logon procedure, e.g. "Office 365"
In the "Type" field, select the type of the logon procedure from the drop list, e.g. "Web SSO"
Click the "SAVE" button to save it.
Now that a new logon procedure is created, you want to add logon steps.
To add logon steps to a logon procedure or to change logon steps, firstly navigate to the logon procedure.
Navigate to Authentication | Logon Procedures
Click the context menu icon "..." of the application to be edited, e.g. "Office 365"
select "Logon Steps" to bring up the logon steps editor
To add a logon step, click the "ADD" button
Select the one or multiple authentication methods that you want to add to this step, e.g. "One-Time Password"
Click the "SAVE" button to save it
You can change the order of the steps by clicking the "UP" and "DOWN" buttons.
The type of logon procedure for SAML integration must be Web SSO.
Once a logon procedure has been created, you need to add logon steps into the newly created logon procedure. Typically, you would create a two logon steps, as the example below.
Of course, you can create as many steps as you like.
Create Web SSO application
In DualShield, an application does not have a type. Therefore, creating an application for any integration is the same.
In the admin console, in the side panel, select "Authentication | Applications"
Select "CREATE" on the toolbar
Select the Realm to be linked to this application, e.g. Deep.Net
Select the Logon Procedure to be used by this application, e..g. Office 365
Click "SAVE" to save the application.
However, you must select a Logon Procedure that is of the type of Web SSO. In the example below, "Salesforce (SAML)" is a Web SSO logon procedure.
Publish Web SSO application
Generally, an application has to be published before it can be accessible by users.
To publish an application on an authentication agent, first navigate to the application list by select "Authentication | Applications" in the side panel
Click the conext menu icon "..." of the application, e.g. "Office 365" to access its context menu
select "Agents" in the context menu
select the authentication agent on which the application is to be published, e.g. "Single-Sign-on Server"
Click "SAVE" button to save settings
A Web SSO application has to be published on one or many Single Sign-On (SSO) servers.
You might see two SSO servers in your DualShield platform, one called "SSO Server" and the other called "Single Sign-on Server". The so-called "SSO Server" is the legacy SSO server in DualShield 5 and the "Single Sign-on Server" is the new SSO server in DualShield 6.
An application for Office 365 integration must have 2 logon procedures, one must be set as Web SSO and the other must be set as Enhanced Client, respectively.
The Web SSO logon procedure will be used in logins from web browsers as well as logins from Office desktop clients that support modern authentication. On the other hand, the Enhanced Client logon procedure will be used by client applications that do not support modern authentications, such as some old versions of Outlook, and some third-party mail clients such as Thunderbird, Apple Mail, and Android Mail.
The logon procedure for the Enhanced Client must include only one logon step, and the logon step must include the Static Password only as the authentication method.
The logon procedure for the Web SSO usually includes 2 logon steps for 2-factor authentication.
Set up Policies for Office 365
You might want to create some customised policies for Office 365 integration. Please refer to the tutorial below:
In the initial stage of deploying MFA across your entire domain and user base, you might not want to enforce MFA on all user accounts on day one. Instead, you might consider enforcing MFA gradually across your user base, in stages. To do so, you need to create a special user group in AD and a couple of logon policies in DualShield. For the simplicity of this guide, let's call this AD group as DualShield MFA group.
The strategy is that MFA will only be enforced on users who are a member of the DualShield MFA group. All other domain users will be able to continue to login into the domain with password only.
The first step is to create the DualShield MFA group in your AD server.
Then, create 2 logon policies in your DualShield server. A domain policy and a group policy.
The domain policy is bound to the entire domain, and multi-factor authentication is not required on all users.
The group policy is bound to the DualShield MFA user group, and multi-factor authentication is required on all users.
Below is an example.
Domain Logon Policy
Option
Value
Category:
Logon
Holder:
Domain
Domain:
Select your AD domain
Name:
Describe the purpose of this policy
Apply policy to these applications:
Select the application that this policy will be applied to
Authentication:
Select "Multi-factor authentication is not required for all users"
Group Logon Policy
Option
Value
Category:
Logon
Holder:
Group
Domain:
Select your AD domain
Group
Select the DualShield MFA group
Name:
Describe the purpose of this policy
Apply policy to these applications:
Select the application that this policy will be applied to
Authentication:
Select "Multi-factor authentication is required for all users"
For the general guide of creating a logon policy, expand the link below
To create or edit a policy, we need to open the policy editor window first.
Select "Administration | Policies" on the side panel,
To create a new policy, click the "CREATE" button on the toolbar to open the policy editor window.
In the policy editor, firstly select Logon from the Category drop-down list
Policy Bindings
Enter or select the following policy bindings:
Holder:
The policy holder defines the scope of the policy.
Name:
An unique name that describe this policy
Applications:
Optionally, you can bind the policy to a specific applicaiton or a list of applications. To specify the application(s), select the field: Apply policy to these applications
If the field Apply policy to these applications is left empty, then the policy will be applied to all applications.
Policy Options
There are 3 authentication options:
Multi-Factor Authentication is not required for all users
Multi-Factor Authentication is required for users with tokens only
Multi-Factor Authentication is required for all user
Multi-Factor Authentication is not required for all users
This option means that all users will be exempted from 2FA or MFA. This option is typically used to exempt a group of users from 2FA or MFA.
Multi-Factor Authentication is required for users with tokens only
This option means that users who have a 2FA/MFA token in their account will be enforced to login with 2FA/MFA, while those users who do not have a token 2FA/MFA token will be exempted from 2FA/MFA in the logon process.
Multi-Factor Authentication is required for all users
This option means that all users will be enforced to login with 2FA/MFA
Please note that users in the context of a policy include users in the scope of the policy only, i.e. the policy holder.