Delegation and authentication workflow in VIP Enterprise Gateway version 9.8.

INFO3824
Last Updated November 10, 2017

The following table describes the delegation and authentication workflow of the following authentication methods, with and without a temporary passcode:

  1. User ID – LDAP Password – Security Code
  2. User ID – Security Code
  3. User ID – Access PIN – Security Code

Note: This information applies to VIp EG 9.8 only if a delegation server is configured within the enterprise.

 

Authentication Method 1: User ID + LDAP Password + Security Code

Case A: A temporary passcode is set for the user

Password Example

Last 6 Characters of Password

Residual Password

Workflow

Password123456

Digits

Alpha-numeric

Authenticate the last 6 characters with VIP Service.

  • If the authentication succeeds, perform an LDAP Bind with the residual user input.
  • If the authentication fails, perform an LDAP Bind with the full user input.

9876123456

Digits

Digits

Delegate the user input to the Delegation server as it is unlikely that the entire password is numeric.

Pas5w0rd

Alpha-numeric

Alpha-numeric

Strip the last 6 characters of the password and authenticate the same with the Cloud.

  • If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input.
  • If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to Out-of-Band (OOB) authentication.

Case B: A temporary passcode is not set for the user

Password Example

Last 6 Characters of Password

Residual Password

Workflow

Password123456

Digits

Alpha-numeric

Delegate the user input to the Delegation server as it is unlikely that all the last 6 characters of the LDAP password are numeric. This could be a case of RSA PIN + OTP.

9876123456

Digits

Digits

Delegate the user input to the Delegation server as it is unlikely that the entire password is numeric.

Pas5w0rd

Alpha-numeric

Alpha-numeric

Strip the last 6 characters and authenticate the same with the Cloud.

  • If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input.
  • If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to Out-of-Band (OOB) authentication.

 

Authentication Method 2: User ID – Security Code

Case A: A temporary passcode is set for the user

Input Example

Workflow

123456

Authenticate the user input with VIP Service. There is no need to delegate the user input to the Delegation server.

Push secret (push/send)

Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server.

Case B: A temporary passcode is not set for the user

Input Example

Workflow

123456

Delegate the user input to the Delegation server.

Push secret (push/send)

Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server.

 

Authentication Method 3: User ID – Access PIN – Security Code

Case A: A temporary passcode is set for the user

Input Examples

Workflow
  • 123456
  • 1234123456
  • abcd123456
  • 1234
  • If the Access PIN is set, then authenticate the user input with VIP Service. This may result in Out-of-Band (OOB) authentication.
  • If the Access PIN is not set, then delegate the user input to the Delegation server.

Case B: A temporary passcode is not set for the user

Input Examples

Workflow
  • 123456
  • 1234123456
  • abcd123456
  • 1234
  • If the Access PIN is set, and Out-of-Band (OOB) authentication is enabled, and the user has a valid OOB, then authenticate the user input with VIP Service.
  • If the Access PIN is not set, then delegate the user input to the Delegation server.

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation