Integrate Identity as a Service Desktop for Windows

IDaaS Desktop provides strong second-factor authentication to Windows Desktop Login (online or offline). Local users of the computer on which the IDaaS Desktop for Microsoft Windows is installed are not required to use second-factor authentication to log in.

Note: This integration provides the instructions to add IDaaS Desktop for Microsoft Windows to Identity as a Service. For legacy versions of Entrust IdentityGuard Desktop for Windows, see Integrate Entrust IdentityGuard Desktop for Microsoft Windows.

Entrust Desktop for Microsoft Windows contains a credential provider. The credential provider responds to these use cases:

When you install the Entrust Desktop for Microsoft Windows package, the installation installs a Credential Provider Filter. You can opt to have this filter replace default Windows behavior, or you can have more that one credential provider coexist with this filter to handle different use cases.

Supported authentication methods

● Entrust soft token push

● Software and hardware token

● OTP (voice, SMS, and email)

● Knowledge-based authenticator (for offline KBA)

● grid

● Offline token

● Temporary Access Code

● RBA (see the Entrust Desktop for Windows Administration Guide for limitations and prerequisites)

Support for offline token

The Entrust Desktop for Windows client supports offline token download. If offline token has been configured, the lo gin window includes a checkbox to download offline tokens. By default, the checkbox is not selected. While online, the user selects to download offline tokens to their PC. The downloaded tokens are valid for the period of time set in the Windows registry setting for offline token login (see the section, Registry Settings under WIGL in the Entrust Desktop for Microsoft Windows Technical Integration Guide. If the PC remains offline for too long, the user will be unable to log into their PC until they complete a successful online login and download new token data. If the validation is successful, then the user is allowed to log in. An error message appears if the validation fails.

Note: To allow for offline token challenge, you must select Enable Identity as a Service Desktop Offline Token Support when you add Entrust Desktop for Windows to Identity as a Service.

Note: To ensure that you are using the latest version of the document, it is best to download the document from Entrust TrustedCare.

e. Click Documents and download the Entrust Desktop for Windows Administration Guide.

Add IDaaS Desktop for Windows

1. Go to > Security > Applications. The Applications page appears.

2. Click Add. The Select an Application Template page appears.

3. Under IDaaS Integrations, click IDaaS Desktop. The Add IDaaS Desktop page appears.

4. In the Application Name field, type a name for your application.

5. In the Application Description field, type a description for your application.

6. Optional. Add a custom application logo as follows:

a. Click next to Application Logo. The Upload Logo dialog box appears.

b. Click to select an image file to upload.

c. Browse to select your file and click Open. The Upload Logo dialog box reappears showing your selected image.

d. If required, resize your image.

e. Click OK.

7. Click Next. The General Settings page appears.

8. Select Source of the Client IP Address for Risk Conditions. This setting lets the Identity as a Service Desktop application know from where to get the IP address.

Note: Use the private one (Provided in the API) or neither (Not Provided). Do not use the public IP (incoming HTTP connection).

9. Select Do not use IP Address for Resource Rule Risk Factors if you only want to use the IP address for Audits but not for the resource rule risk conditions.

10. Select Enable Identity as a Service Desktop Offline Token Support to enable offline token authentication.

11. If you select Enable Identity as a Service Desktop Offline Token Support, complete the following:

a. Enter the Maximum Number of Desktop clients to the set the number of Desktop clients a user is allowed to register for offline token authentication. The maximum number is 10. For example:

– If the maximum number of clients is set to 1, then the user can download the offline token on only one machine.

– If the maximum number of clients is set to 10, then the user can download the offline token on 10 machines.

b. Enter the Default Offline Time (Hours) to the number of hours a client can go offline before the offline tokens expire.

When an application that allows offline token authentication requests a small refill of a number of hours worth of OTPs to download, the server uses this setting to determine the number of OTPs to generate.

c. Set the Maximum Offline Time (Hours) to set the maximum number of hours a client can go offline.

When an application that allows offline token authentication requests the maximum number of hours worth of OTPs to download, the server uses this value to determine the number of OTPs to generate.

d. From the Offline Token Protection Strength drop-down list, select one of the following:

– Normal (Fast)

– Strong (Slow)

– Very Strong (Very Slow)

The Offline Token Protection Strength sets the strength of the hashing algorithm that is used when storing offline tokens on the Desktop clients. The stronger the algorithm, the longer it will take for the client to authenticate the offline token authentication request. Choose a setting that meets the security requirements of your organization.

12. Click Submit. The Application ID is generated.

13. Copy the Application ID. You need to paste this information in the Entrust Desktop Credential Provider Windows installer.

14. Click Done.

3. Be sure to copy the Application ID. You need this ID to complete the installation of the Entrust Desktop for Microsoft Windows for Identity as a Service.

4. Protect IDaaS Desktop for Windows with a resource rule. When setting the authentication methods for the resource rule, select Password for first-factor and deselect all second-factor authentication methods.

Note: Before you begin, note the following information for the step that requires you to set the Authentication Decision risk settings if you want to support offline KBA authentication.

a. Select Knowledge-based Authenticator and at least one other type of supported authenticator as the Second Factors authenticators for Low Risk users.

b. Click and drag the Knowledge-based Authenticator so that it is not at the top of Second Factors list for Low Risk users.

5. Using the Entrust Desktop for Microsoft Windows Administration Guide documentation, complete the following:

Integrate IDaaS Desktop

Supported authentication methods

Support for offline token