Background
This is the third lab in the series around Strong Authentication. In the previous lab we focused on StrongAuth for UNIX/Linux using a PKI Smart Card or YubiKey.
In this lab we will be focusing on securing access to internal web or SaaS apps, shared credentials and privileged sessions using Centrify Identity Service (CIS) and Privilege Service (CPS).
If you're familiar with Identity Service and Privilege Service, you know they provide built-in MFA and step-up authentication mechanisms such as:
Centrify Mobile Authenticator
RADIUS Client (SecurID, Vasco, Symantec, etc.)
SMS
Phonefactor
E-mail
Security Question
We are going to cover:
YubiKey (Smart Card) for PKI-based auth to Apps secured by CIS and secrets and sessions secured by CPS
OATH OTP (TOTP/HOTP) using YubiKey or other OATH compatible Authenticator (e.g. Google Authenticator)
Centrify uses Authentication Profiles to control which authentication mechanisms are used in different contexts:
a) Securing access to applications or the Centrify Portal (IdP-initiated)
b) Securing access to UNIX & Linux systems
c) Step-up (privilege elevation) for UNIX, Linux and Windows systems
d) Providing RADIUS-based challenges for Cisco, Juniper and other VPN scenarios
e) Securing access to reverse-proxied on-prem applications made available via Privilege Service
f) Securing applications that implement Centrify APIs (e.g. Web and Mobile SDKs)
Challenges
Web apps (on-prem or SaaS) need to be protected with strong authentication mechanisms.
Systems that provide access to secrets (like password managers) and secure session brokers also require strong authentication.
The proliferation of "best of breed" solutions promotes IT fragmentation and limits organizational flexibility. There's no need to run multiple individual, non-cohesive solutions to secure servers, secure apps, provide multifactor and other services; doing so only adds IT complexity.
Regulatory frameworks (like the upcoming PCI DSS 3.2) stress the use of Multifactor Authentication in sensitive systems.
Organizations may have already standardized on OATH or PKI authentication and it may be undesirable for them to adopt new mechanisms or train users.
Opportunities
Both CIS and CPS support Certificate-based authentication (Smart card) and OATH OTP
YubiKey simplifies the adoption of both mechanisms in a single form factor.
Lab Goals
Limit application users (on-prem web or SaaS) to strong authentication via Smart Card (YubiKey) or OATH OTP
Limit privileged users (of shared passwords and secure sessions) to strong authentication via Smart Card or OATH OTP
What you'll need
For All
A Centrify Identity Service or Privilege Service tenant (start a trial here), an account with system administrator rights, and basic familiarity with the product
For the Contractor Scenario
A test user (can be from any source: AD, LDAP, Cloud Directory, Federated or Social Identity)
A YubiKey 4, YubiKey 4 Nano or YubiKey NEO and Yubico Authenticator (alternatively, any OATH-compatible authenticator like Google Authenticator will do fine)
For the Employee Scenario
Active Directory with Certificate Services
A certificate provisioned for the user's smart card or YubiKey
To see instructions on how to set this up, check out the Announcement Post that contains the base lab instructions.
Contractors with OATH OTP
Define an authentication profile for login that requires Smart Card or OATH OTP for login to the Centrify Portal. This will cover any portal-based access (IdP-initiated) as well as unauthenticated service-provider-initiated connections.
Require OATH OTP multifactor authentication to access an application.
Employees with SmartCards
Define an authentication profile that treats users who authenticated with a Smart Card as strongly authenticated.
Centrify Identity Service (or Privilege Service) Setup for Contractors
Sign in to Centrify Identity Service (or Privilege Service) and go to Cloud Manager > Policies. At this point you can either create a new policy or work with an existing one tied to a specific role. I am using a Contractors role and tying the policy to that role.
Navigate to Policies > Your Policy > User Security Policies > OATH OTP and set:
Allow OATH OTP Integration: YES
Show QR code for self service: [select the setting appropriate for you; see Other considerations at the bottom]
OATH OTP Name: [type a descriptive name]; I used "Google Authenticator or YubiKey"
OATH OTP is now enabled; next, enable it in an authentication profile.
Navigate to User Security Policies > Login Authentication.
- To configure the policy for portal login, capture the name of the effective authentication rule's profile (e.g. GlobalAuth High).
- To configure the profile for secure app access, capture the name of the effective profile for that application policy.
Save the policy.
Navigate to Settings > Authentication > Authentication Profiles and identify the profiles captured in the previous step. For each profile, add OATH OTP Client as an allowed mechanism. In my example, I'm using a single profile that allows a phone call or OATH OTP Client as the first challenge, then Password.
Onboarding OATH OTP tokens for Contractors
This step can be performed in two ways:
Self-service: from User Portal > Account > Actions > Set up "[OATH OTP name]"
Bulk (for larger deployments): from Cloud Manager > Settings > Authentication > Other > OATH Tokens, use the provided Excel template to perform a bulk import of OATH tokens.
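To make concrete what the QR code and the bulk-import spreadsheet actually carry, and what the service checks when a contractor types a code, here is an added example (not Centrify's code, and not from the original post) implementing RFC 4226 HOTP and RFC 6238 TOTP with a server-side verifier. The secret is the RFC 4226 test vector, the account name and issuer are made up, and the otpauth URI format is the Key URI format understood by Google Authenticator and Yubico Authenticator:

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 test secret (ASCII "12345678901234567890"); a constructed test
# input, not a key from any real deployment.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret, unix_time // step, digits, algo)


def otpauth_uri(issuer, account, secret, digits=6, step=30):
    """The URI an enrolment QR code encodes (Key URI format). The shared
    secret is in the clear here, which is why showing the QR code is a
    sensitive operation: whoever captures it can mint the user's codes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side check: constant-time compare within a small clock-skew
    window, and refusal of any time step at or before the last accepted one,
    so a captured code cannot be replayed inside the window."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_step:
                continue  # already used (or older): reject replays
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    # Hypothetical enrolment for a made-up contractor account
    print(otpauth_uri("Centrify", "contractor@example.com", TEST_SECRET))
    v = TotpVerifier(TEST_SECRET)
    now = int(time.time())
    print("first use accepted:", v.verify(totp(TEST_SECRET, now), now=now))
    print("replay accepted:", v.verify(totp(TEST_SECRET, now), now=now))
```

The verifier's `last_step` is the reason the HOTP/TOTP secret and the last accepted counter both belong in the identity service and not on the client: the same code is valid for the whole 30-second step plus the skew window, and without the counter check an attacker who shoulder-surfs or phishes one code can use it right behind the legitimate user.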
Centrify Identity Service (or Privilege Service) Setup for Smart Card Employees
In Cloud Manager, go to Settings > Authentication > Certificate Authorities and add your issuing CA. Give it a name, select the method for extracting the username from the certificate (SAN, RFC822 or Subject) and press Save.
Enable the policy in Policies > [policy that applies to employees] > User Security Policies > Login Authentication
Edit the "Other Settings" accordingly:
Press Save.
When testing, use a browser that supports certificate-based auth and is configured correctly for your PKI infrastructure.
Test Matrix
Contractors can self-service enroll their OATH OTP token using the user portal.
Accessing the Centrify Identity Service (or Privilege Service) portal requires OATH OTP, then password (so the user's password is never the first factor exposed).
Accessing a designated application (e.g. Amazon AWS) requires OATH OTP.
Testing for Employees
Authenticate using your Smart Card or YubiKey:
Attempt to access the Centrify Privilege Service or Identity Service URL, or an SP-initiated connection.
Select the certificate in the picker.
Type the PIN for your smart card or YubiKey.
Depending on how you set up your policy, Smart Card sessions can be configured to bypass additional controls.
Video: Contractor Setup
Other considerations:
When using self-service onboarding for OATH OTP tokens, allow for a secondary step-up (like a phone call) so the user can enroll their OATH token.
When using self-service onboarding for OATH OTP tokens, be careful about allowing access to QR codes: the QR code encodes the shared secret, so anyone who captures it can generate the user's codes. Users have to be educated that it is a sensitive operation. Centrify provides a policy setting to allow this capability.