Protectimus DSPA
The Protectimus DSPA (Dynamic Strong Password Authentication) component integrates the Protectimus two-factor authentication solution with Microsoft Active Directory or any other user directory (AD/LDAP, DBMS). After that, the 2FA dynamic passwords will be requested on all services connected to this directory (for example, on Winlogon, RDP, ADFS, and OWA at once).
Protectimus DSPA appends six-digit time-based one-time passwords to users’ static passwords. The resulting passwords look something like this: P@ssw0rd!459812, where:
- P@ssw0rd! is the fixed part;
- 459812 is a TOTP one-time password that changes within a set time interval.
The administrator sets the one-time password change interval, which must be a multiple of 30 seconds.
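The password composition described above can be reproduced for testing or audit purposes. The following is an added example, not Protectimus code: it assumes the one-time part is a standard RFC 6238 TOTP computed with HMAC-SHA1, and the shared secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # the page states six-digit one-time passwords


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP; HMAC-SHA1 is an assumption, the page only says 'TOTP'."""
    # The page requires the change interval to be a multiple of 30 seconds.
    if step <= 0 or step % 30 != 0:
        raise ValueError("interval must be a positive multiple of 30 seconds")
    counter = unix_time // step                      # index of the time window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)    # keep leading zeros


def dynamic_password(fixed: str, secret: bytes, unix_time: int, step: int = 30) -> str:
    """Fixed part followed by the current OTP, entered as one string."""
    return fixed + totp(secret, unix_time, step)


def seconds_until_change(unix_time: int, step: int = 30) -> int:
    """How long the current combined password stays valid."""
    return step - (unix_time % step)


if __name__ == "__main__":
    # Constructed sample values: the RFC 6238 test secret and fixed timestamps.
    secret = b"12345678901234567890"
    for t in (59, 60, 1111111109):
        print(t, dynamic_password("P@ssw0rd!", secret, t),
              "changes in", seconds_until_change(t), "s")
```

A longer interval keeps each combined password valid for longer, which widens the window in which a captured value can be replayed against any service bound to the directory.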
From the end-user side, authentication will look like this: to access their accounts, a user must enter their fixed password and a one-time code in one line. To generate OTPs, users should use the app Protectimus SMART.
1. Install Protectimus On-Premise Platform
1.1. Windows
Download the Protectimus On-Premise Platform installer for Windows here. The Protectimus DSPA component will be installed automatically.
1.2. Another OS
Install the Protectimus On-Premise Platform using the Docker image. You’ll find instructions here.
2. Get Registered
The Protectimus On-Premise Platform installer will automatically open the registration form at http://localhost:8080. Please create an account and log in to configure the necessary settings.
![Installing-prtectimus-on-premise-platform-how-to-get-registered - Protectimus Limited How to get registered in Protectimus system when you install Protectimus 2FA platform](https://www.protectimus.com/wp-content/uploads/2021/11/Installing-prtectimus-on-premise-platform-how-to-get-registered.png)
3. Add User Provider
- After installing the platform and registering in the Protectimus system, log into your account, open the DSPA tab, and select Add task -> Add LDAP user provider.
![protectimus-dspa-setup-1 - Protectimus Limited Protectimus DSPA setup - step 1](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-1.png)
![protectimus-dspa-setup-2 - Protectimus Limited Protectimus DSPA setup - step 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-2.png)
- Fill in the details about your user directory.
![protectimus-dspa-setup-3 - Protectimus Limited Protectimus DSPA setup - step 3](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-3.png)
Basic settings:
Field | Value | Note |
Urls | URL to connect to your LDAP server | Example:
For DSPA, you need to use the LDAP connection, and you also need to import the SSL certificate. A standard way:
|
Base DN | Full DN of the directory in which your users are stored | Example:
|
User Dn | DN of the administrator or user who has access to user information | Example:
The user must have rights to change passwords |
Password | The password of the specified user | |
Filter | A filter to be applied during synchronization | Use this filter to select only the users you want to synchronize Example:
|
- After successfully adding the user provider, you need to synchronize the users in the Protectimus system with your user directory.
This can be done in three ways:
- Using the Synchronize now button.
![protectimus-dspa-setup-4 - Protectimus Limited Protectimus DSPA setup - 'Synchronize now' button](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-4.png)
- Using the Synchronize individuals feature to synchronize only the selected users from your user directory.
![protectimus-dspa-setup-5 - Protectimus Limited Protectimus DSPA setup - 'Synchronize individuals' button](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-5.png)
- Enabling automatic user synchronization. To do this, activate the Enabled option at the top of the page.
![protectimus-dspa-setup-6 - Protectimus Limited Protectimus DSPA setup - automatic user synchronization](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-6.png)
4. Add Passwords
PLEASE NOTE! You can activate the Users’ Self-Service Portal so that your users can add their passwords to the system themselves. Read how to set up a Users’ Self-Service Portal below. If you prefer to set a password for a user manually:
- Go to the user editing page (click Users in the menu on the left). After that, click on the user Login -> Actions -> Edit to go to the User editing menu.
![protectimus-dspa-setup-7 - Protectimus Limited Protectimus DSPA setup - How to add users passwords manually - step 1](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-7.png)
- Enter the user password in the corresponding field and click Save.
![protectimus-dspa-setup-8 - Protectimus Limited Protectimus DSPA setup - How to add users passwords manually - step 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-8.png)
5. Add Tokens
So far, the Protectimus DSPA component is only compatible with the in-app 2FA tokens Protectimus Smart OTP, available on iOS and Android. We therefore recommend activating the User Self-Service Portal so that your end users can issue tokens on their own. Read about setting up a Self-Service Portal below. If you prefer to add tokens to users manually:
- Select a synced user and click Assign Token, then click New.
![protectimus-dspa-setup-9 - Protectimus Limited Protectimus DSPA setup - How to add users tokens manually - step 1](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-9.png)
- Select the Protectimus SMART token and configure it. Protectimus Smart OTP App is available for free on Google Play and App Store.
![protectimus-dspa-setup-10 - Protectimus Limited Protectimus DSPA setup - How to add users tokens manually - step 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-10.png)
6. Protectimus DSPA Activation and Deactivation
- To activate the Protectimus DSPA component, go to the DSPA tab and activate the Enabled parameter.
Accordingly, to deactivate the Protectimus DSPA component, it is necessary to uncheck the Enabled parameter.
When DSPA is disabled, all passwords will be reset automatically (i.e., the dynamic part will be removed).
![protectimus-dspa-setup-11 - Protectimus Limited Protectimus DSPA Activation and Deactivation - How to enable DSPA](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-11.png)
- For the Protectimus DSPA component to work, you need:
- A configured user provider;
- A synchronized user;
- A password set for the user;
- A token assigned to the user.
![protectimus-dspa-setup-12 - Protectimus Limited Protectimus DSPA Activation and Deactivation - Affected users](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-12.png)
![protectimus-dspa-setup-13 - Protectimus Limited Protectimus DSPA Activation and Deactivation - Affected users](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-13.png)
- You can see the results of the password update in the table below.
When Protectimus DSPA is disabled, all passwords are reset automatically (i.e., the dynamic part is removed).
![protectimus-dspa-setup-14 - Protectimus Limited Protectimus DSPA Activation and Deactivation - Scheduled passwords update](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-14.png)
- The result of updates can be viewed by clicking on the icon in the table of reports.
![protectimus-dspa-setup-15 - Protectimus Limited Protectimus DSPA Activation and Deactivation - result of updates](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-15.png)
![protectimus-dspa-setup-16 - Protectimus Limited Protectimus DSPA Activation and Deactivation - result of updates 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-16.png)
7. How to Activate the Users’ Self-Service Portal
If you want users to enroll tokens and set passwords on their own, use the Users’ Self-Service Portal. From the Resource information page, navigate to the Self-Service tab. You can enable self-service for a resource after entering the address at which the self-service page will be located. More detailed instructions on how to set up a self-service portal can be found here.
![protectimus-dspa-setup-17 - Protectimus Limited Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 1](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-17.png)
![protectimus-dspa-setup-18 - Protectimus Limited Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-18.png)
![protectimus-dspa-setup-19 - Protectimus Limited Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 3](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-19.png)
![protectimus-dspa-setup-20 - Protectimus Limited Protectimus DSPA setup - how to activate the Users Self-Service Portal - step 4](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-20.png)
8. Users Interaction with the Self-Service Portal
8.1. Authorization on the Users’ Self-Service Portal
To sign in to their accounts on the Users’ Self-Service Portal, the user needs their login (CN) and one-time password (it will be sent by email).
![protectimus-dspa-setup-21 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 1](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-21.png)
![protectimus-dspa-setup-22 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 2](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-22.png)
8.2. Enrolling the token Protectimus SMART OTP
- The user needs to choose the tab Register New Token -> Software Tokens -> Protectimus SMART.
![protectimus-dspa-setup-23 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 3](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-23.png)
- After that the user needs to enter the name of the token, set the length of the one-time password, select the lifetime of the one-time password and click on the “Show QR code” button.
To create a token, the user should scan the QR code using the Protectimus SMART OTP application, having previously installed it on their smartphone. The Protectimus Smart OTP app is available for free on Google Play and the App Store.
And to finish the token enrollment, the user must enter the OTP code generated using the Protectimus SMART OTP application.
![protectimus-dspa-setup-24 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 4](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-24.png)
8.3. Creating a password
- The user should navigate to the Create Password tab in Self-Service.
![protectimus-dspa-setup-25 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 5](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-25.png)
- The user should enter a password identical to their password in the user directory.
![protectimus-dspa-setup-26 - Protectimus Limited User Interaction with the Protectimus Users' Self-Service Portal - step 6](https://www.protectimus.com/wp-content/uploads/2022/02/protectimus-dspa-setup-26.png)
Last updated on 2022-03-10