Multi-factor Authentication for External Users


OpenText Filr is an enterprise file-sharing and collaboration solution that allows users to access and share files securely from anywhere. OpenText Filr provides multi-factor authentication (MFA) for internal LDAP users and external users by integrating Filr with NetIQ Advanced Authentication (a product that provides multi-factor authentication).

OpenText Filr Advanced supports MFA for internal LDAP users, and a separate license, the Power External User License, supports MFA for external users.

Customers under maintenance for Filr Advanced or Power External User licenses have a free entitlement to Advanced Authentication Limited, which includes SMS OTP, Email OTP, TOTP and a RADIUS client. Many more methods are available with the full Advanced Authentication license.

MFA is a security mechanism that adds a layer of protection to the authentication process by requiring users to provide two or more forms of identification. This can help build trust with customers and partners and enhance the organization's brand reputation.

Advantages of using MFA for external users:

  1. Organizations can ensure sensitive information is not shared with unauthorized users.
  2. Increased security for the user accounts.
  3. Reduces the risk of account takeovers.

 

Figure 1: FILR and NETIQ integration

Steps to Integrate Advanced Authentication with FILR

  • Log in to the NetIQ Advanced Authentication Administration Console
  • Click on Repositories

Step 1: Create an SQL Repo

Figure 2: SQL repo creation

Enter the DB host, DB name, DB user, and password as configured for the Filr database; for a small deployment the DB host value is the same as the Filr IP address. The picture above shows PostgreSQL, but other databases such as MSSQL, MariaDB and MySQL are also supported.

Note: If MSSQL is the DB type, the User's Id column must be changed to the email address and the user's id type must be String.

 

Step 2: Create a CHAIN

  • Click on Chains
  • Enter the name of the chain as the authentication method to be used.
  • Select the needed authentication methods.
  • Add the repositories in which the external users are present and SAVE the chain.

Figure 3 : Chain creation

 

Note: The recommended authentication methods for external users are Email OTP and SMS OTP.

  • For both the Email OTP and SMS OTP methods to work, the email sender (for Email OTP) and the SMS sender (for SMS OTP) need to be configured under AAF -> Policies. Follow the documentation link below for the instructions.

https://www.netiq.com/documentation/advanced-authentication-64/server-administrator-guide/data/mail_sender.html

Note: Do not select SMS OTP alone as an authentication method. If the registered phone number is incorrect, the user might not be able to log in using Advanced Authentication; to correct the phone number in this case, use the 2nd or 3rd way mentioned below.

For SMS OTP to work, the mobile number must be added to Filr. This can be done in several ways:

  1. Enter the mobile number (a non-mandatory field) during external user registration.
  2. Log in to the Web Client as the external user -> in the top-right drop-down click on 'View profile' and enter the phone number.
  3. Log in as a Filr administrator, open the Administration Console, click on Users, search for the external user, then Edit profile and modify the phone number.

 

The chain creation process can vary based on the scenario:

When external and internal LDAP users need different authentication methods:

  • Create a new chain (for internal LDAP users).
  • Add the authentication method needed for internal LDAP users.
  • Add the internal users' repo and SAVE.
  • Start creating a new chain (for external users).
  • Add the authentication method needed for internal and external users.
  • Add the external users' repo and SAVE.
  • Add both chains in an EVENT.

When a user needs optional authentication methods to choose from:

  • Create a new chain.
  • Add the authentication method needed.
  • Add all the user repos needed and SAVE.
  • Repeat the same for another authentication method or methods as well.
  • Add all the chains to the EVENT.

 

Step 3: Create an EVENT

Figure 5: Event creation

 

  • Click on Events
  • Enter the name of the EVENT that you want to create.
  • Select the EVENT type, which is OAuth2/OpenID Connect.
  • Select the authentication chain or chains needed.
  • Copy the CLIENT ID and CLIENT SECRET. They will be entered in the Filr Administration Console in the next step.
    Note: Store the client secret somewhere safe if it is needed later. Once the EVENT is saved, the client secret is no longer displayed.
  • SAVE the EVENT

 

Step 4: To Integrate Filr with NetIQ Advanced Authentication

  • Log in to the Filr Administration Console

Figure 6: Filr NetIQ page

  • Log in to Filr as admin → Go to Administration Console → NetIQ Advanced Authentication tab
  • Enter the hostname of the NetIQ application in the Server URL field
  • Enter the values of CLIENT ID and CLIENT SECRET copied in the previous step
  • Copy the redirect URIs. They will be entered on the NetIQ AA server → Events page in the next step.
  • Click on Test connection. If the test connection succeeds, select the Internal LDAP Users and External Users check boxes for MFA and click on OK to save the details.

Step 5: Modify the EVENT using the Advanced Authentication Admin Console

  • Select the EVENT created in Step 3
  • Under 'Redirect URIs, One URI per line', paste the URIs copied in the previous step
  • SAVE the EVENT
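The chain and event design described in Steps 2, 3 and 5 has a few rules that are easy to get wrong in the console (a chain with no repository, SMS OTP as the only method, an event with no redirect URIs). The following added example, which is not part of the article or of NetIQ Advanced Authentication itself, models those objects as plain Python dictionaries (a constructed representation, not the product's schema or API) and checks a design against the article's guidance before it is configured.

```python
"""Check an Advanced Authentication chain/event design for Filr MFA.

Constructed model of the objects this article creates (repositories,
chains, one OAuth2/OpenID Connect event); it is not NetIQ AA's own schema.
"""

SMS, EMAIL, TOTP = "SMS OTP", "Email OTP", "TOTP"
EVENT_TYPE = "OAuth2/OpenID Connect"   # the event type used for Filr (Step 3)


def validate_event(event, chains):
    """Return a list of problems; an empty list means the design follows
    the article's guidance (Steps 2, 3 and 5)."""
    problems = []
    if event.get("type") != EVENT_TYPE:
        problems.append(f"event type must be {EVENT_TYPE}")
    if not event.get("redirect_uris"):
        problems.append("event has no redirect URIs (copied from Filr in Step 5)")
    if not event.get("chains"):
        problems.append("event references no chains")
    for name in event.get("chains", []):
        chain = chains.get(name)
        if chain is None:
            problems.append(f"chain '{name}' does not exist")
            continue
        if not chain["methods"]:
            problems.append(f"chain '{name}' has no authentication methods")
        if not chain["repos"]:
            problems.append(f"chain '{name}' has no repositories")
        # Article note: never offer SMS OTP alone; a wrong registered
        # phone number would leave the user unable to log in.
        if chain["methods"] == [SMS]:
            problems.append(f"chain '{name}' offers SMS OTP alone")
    return problems


# Constructed sample: an LDAP repo for internal users and the Filr SQL
# repo (Step 1) for external users, each with its own chain.
CHAINS = {
    "internal-totp": {"methods": [TOTP], "repos": ["corp-ldap"]},
    "external-otp": {"methods": [EMAIL, SMS], "repos": ["filr-sql"]},
    "external-sms-only": {"methods": [SMS], "repos": ["filr-sql"]},
}
REDIRECT = ["https://filr.example.invalid/placeholder-redirect-uri"]  # placeholder
GOOD_EVENT = {"type": EVENT_TYPE, "chains": ["internal-totp", "external-otp"],
              "redirect_uris": REDIRECT}
WEAK_EVENT = {"type": EVENT_TYPE, "chains": ["internal-totp", "external-sms-only"],
              "redirect_uris": []}

if __name__ == "__main__":
    for label, ev in (("good", GOOD_EVENT), ("weak", WEAK_EVENT)):
        print(label, validate_event(ev, CHAINS) or "OK")
```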

 

Step 6: Log in to Filr using multi-factor authentication

  • Log in to Filr using the external user's email address and the password provided during self-registration.
  • The external user is redirected to the Advanced Authentication page shown in the picture below.

Figure 7: Authentication methods

  • Choose the required authentication method from the dropdown.

(Note: Choose Email OTP to log in to the Filr Web Client first; external users can then configure their phone number so that SMS OTP is also available from the next login onwards.)

Figure 8: OTP page

Enter the OTP that was sent, and the user is logged in to Filr.

Summary:

With Filr 5.0 and above, multi-factor authentication gives organizations an extra layer of security in the authentication process and reduces the risk of unauthorized access to sensitive data. MFA is an effective way to improve the security of external users accessing OpenText Filr and to meet regulatory compliance requirements while still being convenient for users.
