> Protectimus DSPA

Protectimus DSPA

The Protectmus DSPA (Dynamic Strong Password Authentication) component allows integrating Protectimus two-factor authentication solution with Microsoft Active Directory or any other user directory (AD/LDAP, DBMS). After that, the 2FA dynamic passwords will be requested on all services connected to this directory (for example on Winlogon, RDP, ADFS, and OWA at once).

Protectimus DSPA adds six-digit time-based one-time passwords onto users’ static passwords. The resulting passwords look somehow like this: [email protected]!459812. Where:
  • [email protected]! is the fixed part;
  • 459812 is a TOTP one-time password that changes within a set time interval.

The administrator sets the one-time password change interval, which must be a multiple of 30 seconds.

From the end-user side, authentication will look like this: to access their accounts, a user must enter their fixed password and a one-time code in one line. To generate OTPs, users should use the app Protectimus SMART.

1. Install Protectimus On-Premise Platform

1.1. Windows

Download the Protectimus On-Premise Platform installer for Windows here.

The Protectimus DSPA component will be installed automatically.

1.2. Another OS

Install the Protectimus On-Premise Platform using the Docker image. You’ll find instractions here.

2. Get Registered

The Protectimus On-Premise Platform installer will automatically open the registration form at http://localhost:8080.

Please, create an account and log in to configure the necessary settings. How to get registered in Protectimus system when you install Protectimus 2FA platform

3. Add User Provider

  1. After installing the platform and registering in the Protectimus system, log into your account, open the DSPA tab, and select Add task  -> Add LDAP user provider.
Protectimus DSPA setup - step 1 Protectimus DSPA setup - step 2  
  1. Fill in the details about your user directory.
Protectimus DSPA setup - step 3  

Basic settings:
Field Value Note
Urls URL to connect to your LDAP server Example:
ldaps://dc1.domain.local:636
For DSPA, you need to use the LDAP connection, and you also need to import the SSL certificate.
A standard way:
keytool -import -alias ___ -file '___.cer' -keystore 'C:\Program Files\Java\jre___\lib\security\cacerts' -storepass changeit
Base DN Full DN of the directory in which your users are stored Example:
DC=domain,DC=local
User Dn DN of the administrator or user who has access to user information Example:
CN=Administrator, CN=Users, DC=demo, DC=domain, DC=local
The user must have rights to change passwords
Password The password of the specified user
Filter A filter to be applied during synchronization Use this filter to select only the users you want to synchronize

Example:
(memberOf=CN=DSPA Group, DC=domain, DC=local)

To import users from a specific group
 
(mail=*)

To import only those users who have the mail attribute specified

  1. After successfully adding the user provider, you need to synchronize the users in Protectimus system with your user directory.
    This can be done in three ways:
  • Using the Synchronize now button.
Protectimus DSPA setup - 'Synchronize now' button  
  • Using the Synchronize individuals feature to synchronize only the selected users from your user directory.
Protectimus DSPA setup - 'Synchronize individuals' button  
  • Enabling automatic user synchronization, to do this activate the Enabled option at the top of the page.
Protectimus DSPA setup - automatic user synchronization

4. Add Passwords

PLEASE NOTE! You can activate the Users’ Self-Service Portal so that your users could add their passwords to the system themselves. Read how to set up a Users’ Self-Service Portal below.
If you prefer to set a password for a user manually:
  1. Go to the user editing page (click Users in the menu on the left). After that, click on the user Login -> Actions -> Edit to go to the User editing menu.
Protectimus DSPA setup - How to add users passwords manually - step 1  
  1. Enter the user password in the corresponding field and click Save.
Protectimus DSPA setup - How to add users passwords manually - step 2  

5. Add Tokens

So far, the Protectimus DSPA component is only compatible with the in-app 2FA tokens Protectimus Smart OTP, available on iOS and Android, therefore we recommend activating the User Self-Service Portal so that your end users could issue tokens on their own. Read about setting up a Self-Service Portal below.
If you prefer to add tokens to uers manually:
  1. Select a synced user and click Assign Token, then click New.
Protectimus DSPA setup - How to add users tokens manually - step 1  
  1. Select the Protectimus SMART token and configure it. Protectimus Smart OTP App is available for free on Google Play and App Store.
Protectimus DSPA setup - How to add users tokens manually - step 2

6. Protectimus DSPA Activation and Deactivation

  1. To activate the Protectimus DSPA component, go to the DSPA tab and activate the Enabled parameter.

    Accordingly, to deactivate the Protectimus DSPA component, it is necessary to uncheck the Enabled parameter.

    When DSPA is disabled, all passwords will be reset automatically (i.e., the dynamic part will be removed).
Protectimus DSPA Activation and Deactivation - How to enable DSPA  
  1. For the Protectimus DSPA component to work, you need:
    • A configured user provider;
    • A synchronized user;
    • A password set for the user;
    • A token assigned to the user.
    You can check whether these conditions are fulfilled by clicking the Affected users button on the DSPA tab.
Protectimus DSPA Activation and Deactivation - Affected users Protectimus DSPA Activation and Deactivation - Affected users  
  1. You can see the results of the passwords update in the table below.

    When Protectimus DSPA is disabled, all passwords are reset automatically (i.e., the dynamic part is removed).
Protectimus DSPA Activation and Deactivation - Scheduled passwords update  
  1. The result of updates can be viewed by clicking on the icon in the table of reports.
Protectimus DSPA Activation and Deactivation - result of updates Protectimus DSPA Activation and Deactivation - result of updates 2

7. How to Activate the Users’ Self-Service Portal

If you want users to enroll tokens and set passwords on their own, use the Users’ Self-Service Portal.

From the Resource information page, navigate to the Self-Service tab. You can enable self-service for a resource after entering the address at which the self-service page will be located. More detailed instructions on how to set up a self-service portal can be found here. Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 1 Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 2 Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 3 Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 4

8. Users Interaction with the Self-Service Portal

8.1. Authorization on the Users’ Self-Service Portal

To sign in to their accounts on the Users’ Self-Service Portal, the user needs their login (CN) and one-time password (it will be sent by email). User Interaction with the Protectimus Users' Self-Service Portal - step 1 User Interaction with the Protectimus Users' Self-Service Portal - step 2

8.2. Enrolling the token Protectimus SMART OTP

  1. The user needs to choose the tab Register New Token -> Software Tokens -> Protectimus SMART.
User Interaction with the Protectimus Users' Self-Service Portal - step 3  
  1. After that the user needs to enter the name of the token, set the length of the one-time password, select the lifetime of the one-time password and click on the “Show QR code” button.

    To create a token, the user should scan the QR code using the Protectimus SMART OTP application, having previously installed it on their smartphone. The Protectimus Smart OTP app is available for free on Google Play and the App Store.

    And to finish the token enrollment, the user must enter the OTP code generated using the Protectimus SMART OTP application.
User Interaction with the Protectimus Users' Self-Service Portal - step 4

8.3. Creating a password

  1. The user should navigate to the Create Password tab in Self-Service.
User Interaction with the Protectimus Users' Self-Service Portal - step 5  
  1. The user should enter the password identical to their password in user directory.
User Interaction with the Protectimus Users' Self-Service Portal - step 6
Last updated on 2022-03-10