Protectimus DSPA
The Protectimus DSPA (Dynamic Strong Password Authentication) component allows integrating the Protectimus two-factor authentication solution with Microsoft Active Directory or any other user directory (AD/LDAP, DBMS). After that, the 2FA dynamic passwords will be requested on all services connected to this directory (for example on Winlogon, RDP, ADFS, and OWA at once).
Protectimus DSPA appends six-digit time-based one-time passwords to users’ static passwords. The resulting password looks something like this: P@ssw0rd!459812, where:
- P@ssw0rd! is the fixed part;
- 459812 is a TOTP one-time password that changes within a set time interval.
The administrator sets the one-time password change interval, which must be a multiple of 30 seconds.
From the end-user side, authentication will look like this: to access their accounts, a user must enter their fixed password and a one-time code in one line. To generate OTPs, users should use the Protectimus SMART app.
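As an added illustration of the mechanism described above (example code, not Protectimus’s own implementation), this is the verifier side of a "static password + TOTP suffix" scheme: the entered string is split into the fixed part and the trailing six digits, the fixed part is compared against the stored static password, and the suffix is checked as an RFC 6238 TOTP whose time step must be a multiple of 30 seconds. HMAC-SHA1, the six-digit length, the one-step clock-drift window and the sample secret are assumptions for the example; the page does not state how Protectimus derives or checks the dynamic part.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6          # length of the dynamic part, as on the page
BASE_STEP_SECONDS = 30  # the change interval must be a multiple of this


def totp(secret: bytes, step_seconds: int, at_time: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant) for the time step that contains at_time."""
    if step_seconds <= 0 or step_seconds % BASE_STEP_SECONDS != 0:
        raise ValueError("OTP change interval must be a positive multiple of 30 seconds")
    counter = at_time // step_seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_dynamic_password(entered: str, digits: int = OTP_DIGITS):
    """Split 'P@ssw0rd!459812' into ('P@ssw0rd!', '459812'); None if malformed.

    Because the OTP length is fixed, the split is unambiguous even when the
    static part itself ends in digits.
    """
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


def verify_dynamic_password(entered: str, fixed_password: str, secret: bytes,
                            step_seconds: int, at_time: int, window: int = 1) -> bool:
    """Accept only if the static part matches AND the suffix is a valid TOTP
    for the current step or one of `window` adjacent steps (clock drift)."""
    parts = split_dynamic_password(entered)
    if parts is None:
        return False
    fixed, otp = parts
    fixed_ok = hmac.compare_digest(fixed.encode(), fixed_password.encode())
    otp_ok = False
    # Evaluate every candidate step instead of returning early, so timing does
    # not reveal which step (if any) matched.
    for drift in range(-window, window + 1):
        candidate = totp(secret, step_seconds, at_time + drift * step_seconds)
        if hmac.compare_digest(candidate.encode(), otp.encode()):
            otp_ok = True
    return fixed_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo values: the RFC 6238 test secret and a 60-second interval.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(demo_secret, 60, now)
    combined = "P@ssw0rd!" + code
    print("user types:", combined)
    print("accepted:", verify_dynamic_password(combined, "P@ssw0rd!", demo_secret, 60, now))
```

The `window` parameter is the usual way a verifier tolerates a few seconds of clock skew between the server and the phone; a larger window widens the time during which a captured code stays valid, so keep it at one step.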
1. Install Protectimus On-Premise Platform
1.1. Windows
Download the Protectimus On-Premise Platform installer for Windows here.
The Protectimus DSPA component will be installed automatically.
1.2. Another OS
Install the Protectimus On-Premise Platform using the Docker image. You’ll find instructions here.
2. Get Registered
The Protectimus On-Premise Platform installer will automatically open the registration form at http://localhost:8080.
Please create an account and log in to configure the necessary settings.
3. Add User Provider
- After installing the platform and registering in the Protectimus system, log into your account, open the DSPA tab, and select Add task -> Add LDAP user provider.
- Fill in the details about your user directory.
| Field | Description | Notes |
| --- | --- | --- |
| Urls | URL to connect to your LDAP server | Example: For DSPA, you need to use the LDAP connection, and you also need to import the SSL certificate. A standard way: |
| Base DN | Full DN of the directory in which your users are stored | Example: |
| User Dn | DN of the administrator or user who has access to user information | Example: The user must have rights to change passwords. |
| Password | The password of the specified user | |
| Filter | A filter to be applied during synchronization | Use this filter to select only the users you want to synchronize. |
- After successfully adding the user provider, you need to synchronize the users in the Protectimus system with your user directory.
This can be done in three ways:
- Using the Synchronize now button.
- Using the Synchronize individuals feature to synchronize only the selected users from your user directory.
- Enabling automatic user synchronization; to do this, activate the Enabled option at the top of the page.
4. Add Passwords
PLEASE NOTE! You can activate the Users’ Self-Service Portal so that your users can add their passwords to the system themselves. Read how to set up a Users’ Self-Service Portal below. If you prefer to set a password for a user manually:
- Go to the user editing page (click Users in the menu on the left). After that, click on the user Login -> Actions -> Edit to go to the User editing menu.
- Enter the user password in the corresponding field and click Save.
5. Add Tokens
So far, the Protectimus DSPA component is only compatible with the Protectimus Smart OTP in-app 2FA tokens (available on iOS and Android), so we recommend activating the Users’ Self-Service Portal so that your end users can issue tokens on their own. Read about setting up a Self-Service Portal below. If you prefer to add tokens to users manually:
- Select a synced user and click Assign Token, then click New.
- Select the Protectimus SMART token and configure it. Protectimus Smart OTP App is available for free on Google Play and App Store.
6. Protectimus DSPA Activation and Deactivation
- To activate the Protectimus DSPA component, go to the DSPA tab and activate the Enabled parameter.
Accordingly, to deactivate the Protectimus DSPA component, uncheck the Enabled parameter.
When DSPA is disabled, all passwords will be reset automatically (i.e., the dynamic part will be removed).
- For the Protectimus DSPA component to work, you need:
- A configured user provider;
- A synchronized user;
- A password set for the user;
- A token assigned to the user.
- You can see the results of the password update in the table below.
- The result of updates can be viewed by clicking on the icon in the table of reports.
7. How to Activate the Users’ Self-Service Portal
If you want users to enroll tokens and set passwords on their own, use the Users’ Self-Service Portal.
From the Resource information page, navigate to the Self-Service tab. You can enable self-service for a resource after entering the address at which the self-service page will be located. More detailed instructions on how to set up a self-service portal can be found here.
8. Users Interaction with the Self-Service Portal
8.1. Authorization on the Users’ Self-Service Portal
To sign in to their accounts on the Users’ Self-Service Portal, the user needs their login (CN) and a one-time password (it will be sent by email).
8.2. Enrolling the token Protectimus SMART OTP
- The user needs to choose the tab Register New Token -> Software Tokens -> Protectimus SMART.
- After that, the user needs to enter the name of the token, set the length of the one-time password, select the lifetime of the one-time password and click on the “Show QR code” button.
To create a token, the user should scan the QR code using the Protectimus SMART OTP application, having previously installed it on their smartphone. The Protectimus Smart OTP app is available for free on Google Play and the App Store.
To finish the token enrollment, the user must enter the OTP code generated by the Protectimus SMART OTP application.
8.3. Creating a password
- The user should navigate to the Create Password tab in Self-Service.
- The user should enter a password identical to their password in the user directory.
Last updated on 2022-03-10