Integrate Entrust IdentityGuard Desktop for Microsoft Windows

Entrust IdentityGuard Desktop for Microsoft Windows filters logging for Windows clients. You can configure Entrust IdentityGuard Desktop for Windows so that Identity as a Service manages authentication to the application. For the new Identity as a Service Desktop for Windows that includes support for offline token authentication, see Integrate IDaaS Desktop.

Supported authentication methods

● Entrust soft token push

● Software and hardware token

● Voice/SMS/Email OTP

● Knowledge-based authenticator (for offline KBA)

● grid

● Offline token

● Temporary Access Code

To integrate Entrust IdentityGuard Desktop for Windows with Identity as a Service, you must do the following:

1. Determine whether you want to install to support offline knowledge-based authentication (KBA) and password-less authentication.

d. Export the Gateway SSL certificate. You need to add this certificate when you install Entrust IdentityGuard Desktop for Windows using the custom installer.

Note: See the section Manage Gateways in the Administrator Help for instructions if you need to complete these steps.

Add Entrust IdentityGuard Desktop for Windows to Identity as a Service

1. Click > Security > Applications. The Applications Lists page appears.

2. Click Add. The Add Applications page appears.

3. Under IdentityGuard Integrations, select IdentityGuard Desktop. The Add IdentityGuard Desktop page appears.

4. Optional: Modify the Application Name or Application Description.

5. Optional. Add a custom application logo.

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

6. Click Next. The Setup page appears.

7. Leave the Hosts and Port settings at the defaults.

8. From the Select IdentityGuard agent drop-down list, select the gateway instance containing the Entrust IdentityGuard agent.

9. Click Submit.

Limitations

● Resource rules for Entrust Identity Enterprise applications only include the Date / Time condition restriction. The Medium Risk and High Risk authentication steps are system-defined; they cannot be modified. The changes that can be made to the Low Risk authentication steps are limited.

● When configuring a resource rule for the Entrust Identity Desktop application, the user ID has to match the user ID in the domain controller.

Create a resource rule to protect access to an Entrust legacy application

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Resource Rules. The Resource Rules List page appears.

3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.

4. Enter a Rule Name and Rule Description for the resource rule.

5. In the Groups list, select the group or groups of users restricted by the resource rule.

These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.

6. Click Next. The Authentication Conditions Settings page appears.

7. If you do not Enable Advanced Risk Factors, do the following:

a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.

b. Click Submit to save the Resource Rule.

8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.

9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.

10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.

11. For Advanced Risk Factors, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.

12. Click Date/Time to set the conditions as follows:

a. Select one of the following:

– Allow Date/Time to set when a user can access the application.

– Deny Date/Time to set when the user cannot access the application.

The Date/Time Context Condition Settings appear.

b. Select the Condition Type:

– Specific Date Range Condition—Allows or denies access to the application during a select period of days.

– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied.

– Clear Selection—Clears existing Date and Time conditions.

c. Set the Condition Type settings, as follows:

i) Select Use local time zone to use the local time zone or deselect Use local time zone to use the local time zone and begin typing the time zone in the Begin Typing Timezone name field and select the time zone from the drop-down list.

ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.

iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.

d. Click Save to return to the Authentication Conditions Settings page.

13. Set the risk score for application conditions to set the risk percentage a user receives if they fail to meet the condition, as follows:

● Click the dot next to the condition setting and slide the risk scale to the risk percentage

-or-

● Click the 0% and enter the risk points and then click OK.

The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.

14. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:

a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.

b. Enter the risk percentage.

c. Click OK.

15. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.

16. Click Submit to create the resource rule.

4. Using the applicable Entrust IdentityGuard Desktop for Microsoft Windows Integration Guide, complete the following:

a. Install the Entrust IdentityGuard Desktop for Windows using the custom installer (see the section, Customizing the Entrust IdentityGuard Desktop for Microsoft Windows installation package).

Note: If you want to install for offline KBA and password-less authentication, be sure to select the appropriate options during the installation. You can also add these post-installation by editing the registry settings (see the section, Registry Settings).

b. Modify and run Entrust IdentityGuard Desktop for Microsoft Windows setup files. (see the section, Applying your custom transform file during installation).

c. Install any applicable Entrust IdentityGuard for Microsoft Windows patches. You can find these by logging in to your Entrust Trusted Care account and follow the patch installation instructions.