Assigning Login Authentication Profiles

The next step is to assign login authentication profiles. Do this by performing the following steps.

  1. Click Access > Policies and Add Policy Set. Under Policy Settings, navigate to Login Policies. Choose between Linux, UNIX and Windows Servers and Windows Workstations.
  2. Select Yes in the Enable authentication policy controls drop-down.Click Add Rule.

    The Authentication Rule window displays.

  3. Click Add Rule on the Authentication Rule window.
  4. Define the filter and condition using the drop-down boxes.

    For example, you can create a rule that requires a specific authentication method when users access Privileged Access Service from an IP address that is outside of your corporate IP range. Supported filters are:

    Filter Description

    IP Address

    The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Corporate IP Range.

    Day of Week

    The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

    Date

    The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

    Date Range

    The authentication factor is a specific date range.

    Time Range

    The authentication factor is a specific time range in hours and minutes.

    Device OS

    The authentication factor is the device operating system.

    Country

    The authentication factor is the country based on the IP address of the user computer.

    Risk Level

    Risk Level: The authentication factor is the risk level of the user logging on to Admin Portal. For example, a user attempting to log in to Privileged Access Service from an unfamiliar location can be prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter, requires additional licenses. If you do not see this filter, contact Centrify support. The supported risk level are:

    • Non Detected -- No abnormal activities are detected.
    • Low -- Some aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.
    • Medium -- Many aspects of the requested identity activity are abnormal. Remediation action or simple warning notification can be raised depending on the policy setup.
    • High -- Strong indicators that the requested identity activity is anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.
    • Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.

    Managed Devices

    The authentication factor is the designation of the device as “managed” or not. A mobile device is considered “managed” if it is managed by Privileged Access Service (MDM enrolled), or if it has a Privileged Access Service-trusted certificate authority (CA has been uploaded to your tenant using Admin Portal > Settings > Authentication > Certificate Authorities).

    For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

  5. Click the Add button associated with the filter and condition.
  6. Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.
  7. The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option.
  8. Click OK.
  9. Select a default profile to be applied if a user does not match any of the configured conditions in the Default Profile (used if no conditions matched) drop-down.

    Note:   If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.

  10. Click Save.

  11. If you have more than one authentication rule, you can prioritize them on the Login Authentication page.