Integrate Entrust IdentityGuard ISAPI Filter

The ISAPI Filter solution uses Entrust IdentityGuard to provide strong second-factor authentication to Microsoft Outlook Web Access (OWA), Remote Desktop Web Access (RD Web Access), Integrated Windows Authentication (IWA), SharePoint, and generic TMG forms-based authentication types. The solution is made up of two components: the filter component and the authentication application component.

Users logging in to ISAPI must complete two authentication challenges. First-factor authentication requires one of the ISAPI default authentication methods (such as entering an ISAPI account password). Second-factor authentication requires completing an Identity as a Service authentication challenge.

To support this, the Identity as a Service resource rule for this application must have Skip Password selected as the first-factor authentication type for every Authentication Decision level. The following authenticators are supported for second-factor authentication:

Note: This integration guides provides the instructions to add a legacy version of the Entrust IdentityGuard ISAPI Filter to Identity as a Service. For the new Identity as a Service ISAPI Filter that includes an installer to install the Identity as a Service plug-in, see the instructions in Integrate IDaaS ISAPI Filter.

Note: See the section Manage Gateways in the Administrator Help for instructions if you need to complete these steps.

2. Copy the Subject Distinguished Name (SDN) to a separate location. You need it in step 6.

3. On the Entrust IdentityGuard ISAPI Filter Application Server, if the domain name in the gateway instance fails, add the IP address of the appliance and the domain name to the hosts file of the Entrust IdentityGuard ISAPI Filter application. The hosts file is located at: C:\Windows\System32\drivers\etc\hosts.

a. Access your computer's Search tool.

b. Enter or select Run. The Run dialog box appears.

c. Enter mmc and click OK. The Console Root page appears.

d. Select File > Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

e. Select Certificates from the Available snap-ins panel and click Add. Another pop-up window appears.

f. Select Computer account when prompted, and click Next.

g. Select Local Computer.

h. Click Finish and OK.

i. Expand the Certificates field and the Trusted Root Certificates folder in the left Console Root panel.

j. Right-click the Certificates folder. Select All Tasks > Import. The Certificate Import Wizard appears.

k. Click Next, browse to the certificate previously downloaded, and open the file.

l. Click Next, Next, and Finish to complete the import. The certificate details appear in the console.

5. Add the following tag to the <IdentityGuardServer> section in the IdentityGuardAuthAppConfiguation.xml file to point the ISAPI Filter to your Identity as a Service domain:

See the Entrust IdentityGuard ISAPI Filter Technical Integration Guide for more details.

6. Open Windows Services on the computer and restart the World Wide Web Publishing Service.

Add Entrust IdentityGuard Desktop for Windows to Identity as a Service

1. Click > Security > Applications. The Applications Lists page appears.

2. Click Add. The Add Applications page appears.

3. Under IdentityGuard Integrations, select ISAPI Filter. The Add ISAPI Filter page appears.

4. Optional: Modify the Application Name or Application Description

5. Optional. Add a custom application logo.

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

6. Click Next. The Setup page appears.

7. Enter the host name or the IP address of the ISAPI Filter server.

8. From the Select IdentityGuard agent drop-down list, select the gateway instance containing the Entrust IdentityGuard agent.

9. Click Submit.

Limitations

● Resource rules for Entrust Identity Enterprise applications only include the Date / Time condition restriction. The Medium Risk and High Risk authentication steps are system-defined; they cannot be modified. The changes that can be made to the Low Risk authentication steps are limited.

● When configuring a resource rule for the Entrust Identity Desktop application, the user ID has to match the user ID in the domain controller.

Create a resource rule to protect access to an Entrust legacy application

1. Log in to your Identity as a Service administrator account.

2. Click > Security > Resource Rules. The Resource Rules List page appears.

3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.

4. Enter a Rule Name and Rule Description for the resource rule.

5. In the Groups list, select the group or groups of users restricted by the resource rule.

These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.

6. Click Next. The Authentication Conditions Settings page appears.

7. If you do not Enable Advanced Risk Factors, do the following:

a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.

b. Click Submit to save the Resource Rule.

8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.

9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.

10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.

11. For Advanced Risk Factors, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.

12. Click Date/Time to set the conditions as follows:

a. Select one of the following:

– Allow Date/Time to set when a user can access the application.

– Deny Date/Time to set when the user cannot access the application.

The Date/Time Context Condition Settings appear.

b. Select the Condition Type:

– Specific Date Range Condition—Allows or denies access to the application during a select period of days.

– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied.

– Clear Selection—Clears existing Date and Time conditions.

c. Set the Condition Type settings, as follows:

i) Select Use local time zone to use the local time zone or deselect Use local time zone to use the local time zone and begin typing the time zone in the Begin Typing Timezone name field and select the time zone from the drop-down list.

ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.

iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.

d. Click Save to return to the Authentication Conditions Settings page.

13. Set the risk score for application conditions to set the risk percentage a user receives if they fail to meet the condition, as follows:

● Click the dot next to the condition setting and slide the risk scale to the risk percentage

-or-

● Click the 0% and enter the risk points and then click OK.

The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.

14. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:

a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.

b. Enter the risk percentage.

c. Click OK.

15. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.

16. Click Submit to create the resource rule.

Note: For the Authentication Decision settings, set the first-factor to Skip first-factor for low, medium, and high risk.

Integrate ISAPI Filter with Identity as a Service

Limitations