GEMALTO (Gemplus / Axalto Merger)

Gemalto's authentication server is called Protiva. It is a general-purpose authentication solution that, in particular, provides OTP (One Time Password) authentication.

The integration is very simple since the protocol used between IAG and the Protiva server is RADIUS, so only a few things need to change.

 

Step 1: In IAG, create a RADIUS repository and also create an AD repository called "ADRepository" (any name will do, as long as it matches the name used in the PostPostValidate event below).

 

Step 2: Add an OTP field to IAG's authentication page

First, we add an "OTP" field to the IAG authentication banner. To do so, create a <Trunk><0/1>loginForm.inc file in CustomUpdate.

The content of this file is the following (the Else branch was run together with End If on one line in the original, which VBScript rejects; it is split here):

<% If IsSessionAuthenticated(g_cookie) = false Then %>
<TR>
    <TD Class="ParamText">OTP :</TD>
    <TD><INPUT Class="ParamTextbox" TYPE="password" ID="j_password" NAME="j_password" maxlength="8"></TD>
</TR>
<% Else
End If %>

As you can see, this adds a new form field called j_password.

 

Step 3: Save the password before RADIUS authentication

Before authentication takes place, we save the password value in a server session variable. During the IAG/Protiva exchange the RADIUS protocol is used, and RADIUS knows only two fields: login and password; it has no OTP field. To transport login, password and OTP, we concatenate OTP+Password and send the result in the RADIUS "password" field.

 

Prevalidate.inc

<%
' Keep the static password for the AD step (PostPostValidate)
session("password1") = password
If IsSessionAuthenticated(g_cookie) = false Then
    ' RADIUS carries a single password field: send OTP followed by the static password
    password = request("j_password") & password
End If
%>

 

Step 4: Ask IAG to also authenticate against AD

The PostPostValidate event occurs after authentication has succeeded. Here we simply pre-load the user in memory for the repository called "ADRepository": we pass the user_name of the user together with the user's password, read from the session variable created in the Prevalidate event.

PostPostValidate.inc

<%
' Pre-load the user into the AD repository with the static password saved in Prevalidate
AddSessionUser g_cookie, user_name, session("password1"), "ADRepository"
%>
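As an added example (not code from this page, nor from IAG or Protiva), the following Python model of Steps 3 and 4 shows what the combined RADIUS password field contains and why the receiving side can only separate the two credentials if the OTP has a fixed length; OTP_LEN, otp_field_ok and split_combined are assumptions made for the model, not documented Protiva behaviour.

```python
from dataclasses import dataclass

# Assumption: the OTP always fills the j_password field (maxlength="8" in loginForm.inc).
OTP_LEN = 8


@dataclass
class LoginAttempt:
    user_name: str
    j_password: str  # OTP typed into the added field
    password: str    # static password, also valid against AD


def otp_field_ok(otp: str) -> bool:
    """Length check the page's form does not enforce (maxlength only caps the length).
    Hypothetical addition: without it, a shorter OTP shifts the split below."""
    return len(otp) == OTP_LEN


def prevalidate(attempt: LoginAttempt, session: dict) -> str:
    """Mirror of Prevalidate.inc: keep the static password for the AD step
    and return the single value sent in the RADIUS password field."""
    session["password1"] = attempt.password
    return attempt.j_password + attempt.password


def split_combined(combined: str, otp_len: int = OTP_LEN) -> tuple:
    """Model of how the receiving side must separate the two credentials.
    Assumption: fixed-length OTP prefix; the page does not describe Protiva's parser."""
    if len(combined) <= otp_len:
        raise ValueError("combined field carries no static password")
    return combined[:otp_len], combined[otp_len:]


def postpostvalidate(attempt: LoginAttempt, session: dict) -> tuple:
    """Mirror of PostPostValidate.inc: the AD repository receives only the
    static password saved before RADIUS authentication."""
    return attempt.user_name, session["password1"], "ADRepository"


if __name__ == "__main__":
    sess = {}
    att = LoginAttempt("alice", "12345678", "S3cret!")  # constructed sample login
    wire = prevalidate(att, sess)
    print(wire, split_combined(wire), postpostvalidate(att, sess))
```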

 

 

Step 5: IAG's URL Set

By default, IAG's firewall refuses any parameter sent to validate.asp (the IAG authentication page) that is not explicitly specified. Because we added a new j_password field, we need to add this new parameter.

In the IAG console, in the rule set, add the j_password parameter for validate.asp.

 

Activate the configuration (tick the checkbox), and it will work.

 

Optional 1: display Protiva in the list of authentication types

By default, "Protiva server" does not appear in the list of directory types, simply because it works on top of RADIUS.

If for any reason (pre-sales, internal requirement) you want it in the list, you can make this small modification.

On IAG, go to C:\Whale-Com\e-Gap\von\conf\CustomUpdate and create (or modify) repositorytype.xml.

 

Add this description, which defines a new repository "type" for IAG:

<RepositoryTypes>
    <RepositoryType>
        <Type>Gemalto Protiva(Radius)</Type>
        <BaseType>RADIUS</BaseType>
        <Info>
            <GUIType>RADIUS</GUIType>
            <ProtocolType>UDP</ProtocolType>
            <WhaleType>RADIUS</WhaleType>
        </Info>
    </RepositoryType>
</RepositoryTypes>

As you can see it is still RADIUS, but "Gemalto Protiva" will appear in the list.

You must exit the IAG console and re-run it after activation (with the checkbox) to see this new repository type in the list.

Optional 2: SA Server configuration

C:\Program Files\Gemalto\SAServer\AuthenticationServer\webapps\saserver\WEB-INF\classes\authserver.config

Locate this setting, which takes one of the following two values:

authuser.attr.dsuid=userPrincipalName
authuser.attr.dsuid=sAMAccountName

… and update the value to match your scenario (long name: userPrincipalName; short name: sAMAccountName).