To download offline tokens from the DualShield MFA server, follow the steps below:

Configure the offline Token Download Endpoint

In the "config.json" file that is to be distributed to the users' PCs, add the value below to the "token_download_endpoint" key: 
"token_download_endpoint": "https://your-dualshield-fqdn/sso/v1/authc/oauth/connect/downloadTokens"

You must replace "your-dualshield-fqdn" with the actual FQDN of your DualShield MFA server, e.g. "demo.la.deepnetid.com"

Below is an example:

Configure the DualShield MFA Server

In your DualShield MFA server, you need to configure the following policies & settings:

  • Computer Logon Client Policy
  • Token Policy
  • SSO Service Provider for EAM 

Computer Logon Client Policy

Edit the Computer Logon Client policy and enable the option "Download Offline Tokens automatically"

Optionally, you can also set the lifetime of offline tokens by editing the option "Offline Token Lifetime in N Days"

Token Policy

Currently, only OTP tokens can be downloaded automatically and used for offline logins.

Depending on the types of OTP tokens used by your users, edit the token policy, e.g. SafeID/Time-Based, and enable the option "Enable Offline Logon"

SSO Service Provider for EAM 

This step is only required if the MFA server used for the Entra-joined PC is Entra rather than DualShield, i.e. Architecture D1 & E1. Otherwise, skip this step.

For maximum flexibility, the Deepnet Computer Logon MA (CLO/MA) solution integrates with any MFA server or SSO service that supports the OpenID Connect (OIDC) protocol, including:
  • Microsoft Entra ID MFA
  • Deepnet DualShield MFA
  • Deepnet SafeID MFA


123

ArchitectureEntra ID Joined PCOn-Prem AD Joined PCHybrid Joined PC
APC [CLO/MA] > Entra ID MFA > Azure AD(tick) (tick) (tick) 
BPC [CLO/MA] > DualShield MFA > On-Prem AD(tick) (tick) (tick) 

C

PC [CLO/MA] > DualShield MFA > Azure AD

(tick) (tick) (tick) 
DPC [CLO/MA] > Entra ID EAM > DualShield MFA > On-Prem AD(tick) (tick) (tick) 

E

PC [CLO/MA] > Entra ID EAM > DualShield MFA > Azure AD

(tick) (tick) (tick) 
FPC [CLO/MA] > Entra ID EAM > SafeID MFA > Azure AD(tick) (tick) (tick) 



You have already set up an enterprise application in your Entra ID tenant for Computer Logon MA:

(Set up an enterprise application in Entra ID for Computer Logon MA)

Also, you have already created an SSO service provider in DualShield for EAM integration:

(Create an SSO service provider in DualShield for EAM integration)

Now, in your DualShield Admin Console, edit the SSO service provider for EAM and add value of the "Token Download Application ID" option:



  • No labels