
DigitalPersona Identity Server

The DigitalPersona Identity Server is used to identify and authenticate users logging in to DigitalPersona web applications such as the Web Administration Console, Web Enrollment and the Application Portal. It is also used as part of the DigitalPersona Office365 integration solutions.

(Screenshots: DigitalPersona Identity Server login page)

When presented with this webpage for the first time, if no other credentials have been enrolled yet, the user enters their domain and user name in the format Domain\Username or username@domain and clicks the arrow to the right of the password field.

If Step-up Authentication has been enabled (see the topic Enabling Step-up Authentication), additional credentials may be specified by the administrator to be required for authentication depending on various risk factors including

  • Behavioral biometrics – analysis of a user’s keystroke and mouse movement while entering data into text fields presented by the Identity Server
  • IP Address – Access from a new IP
  • Originating device – User Agent String of the web browser being used for

Once credentials are enrolled, users can select which credential to use by clicking one of the credential tiles and submitting the specified credential.

The system will remember the last used credential and automatically select that credential the next time the user visits the page. If a combination of credentials is required, any additional credentials will be requested automatically after authentication with a previous credential.

Configuring the DigitalPersona Identity Server

Configuration of the credentials authorized for use when logging in to the DigitalPersona Identity Server is accomplished during installation of the DigitalPersona Web Components. Additional subsequent changes can be made directly in the various XML files that specify: the tiles to be displayed on the DigitalPersona Identity Server, what credentials or credential combinations are allowed for authentication, and additional configuration settings.

There are several XML files used for configuration of the DigitalPersona Identity Server, as described in the following sections. The paths to the most commonly used files are listed below as located on the machine where the DigitalPersona Web Management Components are installed.

  • C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS
  • C:\Program Files\DigitalPersona\Web Management Components\DP Access Mgmt\DPWebPolicies\web.config

Enable Identity Server tiles (DPPASSIVESTS\web.config)

The DigitalPersona Identity Server is called during an authentication request from a service provider (relying party), such as the DigitalPersona Web Administration Console, Web Enrollment or Application Portal. In the web.config file located in the dpsts directory, you can specify the credentials that are available for logging on to the DigitalPersona Identity Server page, as well as the names displayed on the tiles where the credentials are presented. Only credentials specified in this file with an Add tag will be shown and can be used to log on to the DigitalPersona Web Administration Console and any web applications integrated with the DigitalPersona SAML SSO Portal.

(Screenshot: DigitalPersona Identity Server)

By default, the tiles of all supported credentials are displayed. The DigitalPersona Identity Server is also used for SAML authentication to the DigitalPersona SSO Portal, a separate component described in the DigitalPersona SAML SSO Implementation Guide, which can be used to create a web portal to third-party providers such as Google, Salesforce, etc., as well as to the DigitalPersona Web Administration Console if desired.

To remove a credential tile from the DigitalPersona Identity Server page

  • Under the Credentials node, comment out the <add … /> tag for the specific credential. To do so, add <!-- to the beginning of the element and --> to the end of the element. For example:

<!--<add Guid="324C38BD-0B51-4E4D-BD75-200DA0C8177F" InternalName="totp" DisplayName="One-Time Password" TemplatePath="content/plugins/totp.html" ScriptPath="content/plugins/totp.js" />-->

The credentials listed in this file are the only ones supported for the DigitalPersona Identity Server at this time. Note that Smart cards and Proximity cards are supported but Contactless cards are not.

Set SAML Authentication Policies (DPwebPolicies\web.config)

Specific authentication credentials or combinations of credentials may be specified as required to log on through the DigitalPersona Identity Server.

The required credentials or credential combinations are specified in the DPWebPolicies\web.config file located in the C:\Program Files\DigitalPersona\Web Management Components\DP Access Mgmt\DPWebPolicies folder on your web server.

However, note that the credentials to be used must be specified in the dpsts/web.config file mentioned in the previous section and not be commented out.

Note that the examples of combined or multi-factor credential policies at the end of this file are commented out, and should be uncommented in order to use them. However, when using combined or multi-factor credential policies, the entries for the single credentials used in making the combined policy must be commented out. Otherwise you would end up with, for example, a policy that requires Fingerprint (only) and Fingerprint plus PIN at the same time — which wouldn’t make sense.

To create a new multi-factor credential policy, use the structure shown in the examples, replacing the GUIDs with the GUIDs for the credentials that you want to combine. Note that each GUID is separated by a semicolon.
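The two rules above (every credential a policy references must be an uncommented <add> tile in the DPPassiveSTS web.config, and a single-credential policy must not be left in place beside a combination that contains it) are easy to get wrong by hand. The following Python script is an added example, not part of this guide or of the DigitalPersona product: it parses constructed excerpts of both files and reports violations. Because it inspects every element that directly contains <dpWebPolicy> children, it also covers the <dpWebStepUpPolicies> list described under Enabling Step-up Authentication. The GUIDs are the ones quoted in this guide; the <dpWebPolicies> parent element name and the DisplayName/InternalName values other than the TOTP tile are assumptions.

```python
"""Consistency check for DigitalPersona web policy configuration (added example).

Cross-checks the credential tiles enabled in DPPassiveSTS\\web.config against
the <dpWebPolicy> entries in DPWebPolicies\\web.config and reports:
  * policies that reference a credential GUID that is missing or commented out;
  * a policy whose token set is a strict subset of another policy in the same
    section (e.g. "Fingerprint" left enabled next to "Fingerprint plus PIN").
"""
import xml.etree.ElementTree as ET

# Constructed excerpt of the <Credentials> node in DPPassiveSTS\web.config.
# GUIDs are those quoted in the guide; InternalName/DisplayName values other
# than the TOTP entry are assumed. The TOTP tile is commented out as in the guide.
STS_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <Credentials>
    <add Guid="AC184A13-60AB-40e5-A514-E10F777EC2F9" InternalName="fingerprint" DisplayName="Fingerprint" />
    <add Guid="8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05" InternalName="pin" DisplayName="PIN" />
    <add Guid="D1A1F561-E14A-4699-9138-2EB523E132CC" InternalName="password" DisplayName="Password" />
    <!--<add Guid="324C38BD-0B51-4E4D-BD75-200DA0C8177F" InternalName="totp" DisplayName="One-Time Password" />-->
  </Credentials>
</configuration>
"""

# Constructed excerpt of DPWebPolicies\web.config. The <dpWebPolicies> parent
# name is assumed; the <dpWebStepUpPolicies> entries are the guide's own.
# Two deliberate mistakes: "Fingerprint" alone sits beside "Fingerprint plus
# PIN", and "OTP" uses the commented-out TOTP tile.
POLICIES_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <dpWebPolicies>
    <dpWebPolicy name="Fingerprint" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9" />
    <dpWebPolicy name="Fingerprint plus PIN" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9;8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05" />
    <dpWebPolicy name="OTP" tokens="324C38BD-0B51-4E4D-BD75-200DA0C8177F" />
  </dpWebPolicies>
  <dpWebStepUpPolicies>
    <dpWebPolicy name="Fingerprint plus PIN" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9;8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05" />
    <dpWebPolicy name="Pin plus Password" tokens="8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05;D1A1F561-E14A-4699-9138-2EB523E132CC" />
    <dpWebPolicy name="Fingerprint plus Password" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9;D1A1F561-E14A-4699-9138-2EB523E132CC" />
  </dpWebStepUpPolicies>
</configuration>
"""


def enabled_credentials(sts_xml):
    """Map upper-cased GUID -> DisplayName for each <add> under <Credentials>.

    ElementTree drops XML comments while parsing, so a tile disabled with
    <!-- ... --> is correctly absent from the result.
    """
    enabled = {}
    for creds in ET.fromstring(sts_xml).iter("Credentials"):
        for add in creds.iter("add"):
            guid = add.get("Guid")
            if guid:
                enabled[guid.strip().upper()] = add.get("DisplayName", guid)
    return enabled


def parse_tokens(raw):
    """Split a tokens attribute on ';' and normalise case and surrounding whitespace."""
    return frozenset(t.strip().upper() for t in raw.split(";") if t.strip())


def policies_by_section(policies_xml):
    """Map parent tag -> [(policy name, token set)] for every element that directly
    contains <dpWebPolicy> children (the SAML policy list and the Step-up list)."""
    sections = {}
    for parent in ET.fromstring(policies_xml).iter():
        entries = [(c.get("name", "<unnamed>"), parse_tokens(c.get("tokens", "")))
                   for c in parent if c.tag == "dpWebPolicy"]
        if entries:
            sections[parent.tag] = entries
    return sections


def check_policies(sts_xml, policies_xml):
    """Return a list of findings; an empty list means the two files are consistent."""
    enabled = set(enabled_credentials(sts_xml))
    findings = []
    for section, entries in policies_by_section(policies_xml).items():
        for name, tokens in entries:
            if not tokens:
                findings.append(f"{section}: policy '{name}' lists no credentials")
            for guid in sorted(tokens - enabled):
                findings.append(f"{section}: policy '{name}' uses credential {guid}, "
                                "which is missing or commented out in DPPassiveSTS web.config")
        # A single-credential policy left beside its combination would require
        # both at once; the guide says to comment the single entry out.
        for name_a, tokens_a in entries:
            for name_b, tokens_b in entries:
                if tokens_a and tokens_a < tokens_b:
                    findings.append(f"{section}: policy '{name_a}' is a subset of "
                                    f"'{name_b}'; comment it out when the combined policy is in use")
    return findings


if __name__ == "__main__":
    for line in check_policies(STS_WEB_CONFIG, POLICIES_WEB_CONFIG) or ["OK: configuration is consistent"]:
        print(line)
```

On a real server, read the two files with open() in place of the constructed strings; the checks are unchanged. Comparison is case-insensitive because the guide's own examples mix upper- and lower-case hex digits within one GUID.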

Enabling Step-up Authentication

Step-Up Authentication gives the administrator a means of requiring a user to present additional credentials based on the level of risk assessed in three separate areas.

  • Behavioral biometrics – analysis of a user’s keystroke and mouse movement while entering data into text fields presented by the Identity Server
  • IP Address – Access from a new IP
  • Originating device – User Agent String of the web browser being used for

Note that Step-up Authentication applies only when logging in to an application or portal using the DigitalPersona Identity Provider. It does not affect other DigitalPersona components such as Windows login or Password Manager.

Changes to the DPWebPolicies\web.config file

To enable Step-up Authentication, the following changes need to be made to the web.config file located on the machine where the DigitalPersona Identity Server is hosted. The default path to this file is

C:\Program Files\DigitalPersona\Web Management Components\DP Access Mgmt\DPWebPolicies\web.config

dpWebStepUpPolicies

Add at least the opening and closing elements and a <dpWebPolicy> element as shown in the following example. Specify the credentials to be used in the policy by entering their GUIDs separated by semicolons, and optionally replace the name parameter with a relevant name for the Step-up policy to be enforced. Although the explanatory comments aren’t required, they may help future administrators understand the purpose of the policy.

<dpWebStepUpPolicies>
  <!-- Tokens in a combined policy are separated by ';' -->
  <!-- The policies below will be used when Step-up Authentication is triggered. -->
  <dpWebPolicy name="Fingerprint plus PIN" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9;8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05" />
  <dpWebPolicy name="Pin plus Password" tokens="8A6FCEC3-3C8A-40c2-8AC0-A039EC01BA05;D1A1F561-E14A-4699-9138-2EB523E132CC" />
  <dpWebPolicy name="Fingerprint plus Password" tokens="AC184A13-60AB-40e5-A514-E10F777EC2F9;D1A1F561-E14A-4699-9138-2EB523E132CC" />
</dpWebStepUpPolicies>

In the above example, the user should be enrolled in at least two of the following: Fingerprint, PIN, Password. If the user has PIN and Password enrolled, they are required to enter either PIN or Password for step-up. If the user has Fingerprint and Password enrolled, either of the two can be entered for step-up.

dpWebStepUpTriggers

Add the opening and closing elements and one or more of the triggers shown in the following example to specify the types of activity to monitor. Although the explanatory comments aren’t required, they may help future administrators understand the purpose of the policy.

<dpWebStepTriggers>
  <!-- The following parameters specify which types of activity trigger Step-up Authentication when changes in user behavior for the specific activity do not match previously captured data. -->
  <dpWebStepUpTrigger name="behavior" />
  <dpWebStepUpTrigger name="ip" />
  <dpWebStepUpTrigger name="device" />
</dpWebStepTriggers>

Changes to the DP STS\DPPassiveSTS\web.config file

In order to enable Step-up authentication, you need to enter the URL to the behavioral biometrics server provided to you during implementation. This is added to the <AltusConfirm> element in the web.config file located on the machine where the DigitalPersona Identity Server is hosted. The default path to this file is

C:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\web.config

Example

BehavioSecAPIEndpoint="https://srbjiwc6.behaviosec.com/BehavioSenseAPI"

Add or change administrator groups

During installation of the Web Management Components, two groups are defined as specifying those AD groups with permission to log in to the Web Administration Console or use Web Enrollment to supervise the enrollment of credentials for other users. By default, the named groups are Domain Admins and DPCA SO. Additional named groups can be identified during the installation, or specified in the files described below.

DPAdminUI/web.config

Within this config file, you can specify the AD groups that can log in to the Web Administration Console through the DigitalPersona Identity Server.

The default path to this file is

C:\Program Files\DigitalPersona\Web Management Components\DP WebAdmin\DPAdminUI\web.config

The Domain Admins group will, of course, consist of the enterprise’s Domain Administrators. The DPCA SO group, however, is merely a placeholder, and must correspond to an AD group of the same name populated with any users to be assigned DigitalPersona administrative permissions. Alternatively, you can specify here any AD group that you want to use as DigitalPersona administrators. Note that the names of the groups are case sensitive, so be sure that the name specified here is exactly the same as the related AD group.

DPEnrollment/appSettings.json

Within this .json file, you can specify the AD groups that can log in to Web Enrollment through the Identity Server in order to supervise the enrollment of credentials for other users.

The default path to this file is

C:\Program Files\DigitalPersona\Web Management Components\DP Web Enroll\DPEnrollment\appSettings.json

The Domain Admins group will, of course, consist of the enterprise’s Domain Administrators. The DPCA SO group, however, is merely a placeholder, and must correspond to an AD group of the same name populated with any users to be assigned DigitalPersona administrative permissions. Alternatively, you can specify here any AD group that you want to use as DigitalPersona administrators. Note that the names of the groups are case sensitive, so be sure that the name specified here is exactly the same as the related AD group. Also, this does not create an AD group, but simply identifies a group that must already exist in AD.

Note that for the LDS solution, the DPCA SO group (or the group specified) also needs to be added to the Security Officers group in the Microsoft Authentication Manager (AzMan).
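Two of the failure modes described above (a group name that differs from the AD group only in case, and a group named in the configuration that does not exist in AD at all) can be caught before anyone is locked out of Web Enrollment. The following Python check is an added example, not from this guide or from the DigitalPersona product: it reads the group names from a constructed appSettings.json excerpt and compares them, exactly and then case-insensitively, with a constructed list of AD group names of the kind Get-ADGroup would return. The "AdminGroups" key is an assumption; the real key is whatever the installer wrote into the file.

```python
"""Check configured administrator group names against AD group names (added example)."""
import json

# Constructed appSettings.json excerpt. The "AdminGroups" key is assumed.
# "dpca so" is deliberately mis-cased and "Enrollment Supervisors" does not exist.
APP_SETTINGS_JSON = """{
  "AdminGroups": ["Domain Admins", "dpca so", "Enrollment Supervisors"]
}"""

# Constructed stand-in for the group names an AD query (e.g. Get-ADGroup) returns.
AD_GROUP_NAMES = ["Domain Admins", "DPCA SO", "Domain Users"]


def configured_groups(settings_json, key="AdminGroups"):
    """Return the list of group names stored under `key` in the JSON document."""
    return list(json.loads(settings_json)[key])


def check_groups(configured, ad_groups):
    """Classify each configured name as 'ok', 'case-mismatch' or 'missing'.

    The guide states the comparison is case sensitive, so a group that exists in
    AD only under different casing will not grant access and is reported separately.
    """
    exact = set(ad_groups)
    folded = {g.casefold(): g for g in ad_groups}
    report = {}
    for name in configured:
        if name in exact:
            report[name] = "ok"
        elif name.casefold() in folded:
            report[name] = f"case-mismatch (AD group is named '{folded[name.casefold()]}')"
        else:
            report[name] = "missing (create the AD group first; the config file does not create it)"
    return report


if __name__ == "__main__":
    for group, status in check_groups(configured_groups(APP_SETTINGS_JSON), AD_GROUP_NAMES).items():
        print(f"{group}: {status}")
```

Run it on the real appSettings.json and on the output of an AD group query; the same check applies to the group names in DPAdminUI\web.config once they are read out of that XML file.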