Octopus Passwordless Desktop MFA

Secret Double Octopus brings advanced Passwordless Authentication capabilities to any ForgeRock deployment by replacing Active Directory passwords, adding workstation One-Time Password (OTP) for Windows and Mac, enabling offline authentication and other unique benefits. This integration delivers an improved security posture for the organization, reduces help desk operational costs and increases user accessibility in all work scenarios.

Project Readme

Octopus Credential Provider

Octopus Authentication is a high-assurance, passwordless authentication system engineered to address the diverse authentication needs of a real-world, working enterprise.

Octopus Authentication replaces all employee passwords with a strong, password-free authentication mechanism. Our proprietary Windows Credential Provider works in conjunction with standard Active Directory interfaces to seamlessly deliver a stronger, more secure alternative to passwords.

A direct effect of eliminating passwords with the Octopus Authentication Module is a significant increase in security of AD domains, edge devices and remotely accessed services. Moreover, user experience becomes standardized, resulting in enhanced productivity and accessibility, and password management and support costs are dramatically lowered.

As part of the integration with ForgeRock, Secret Double Octopus allows users to choose the ForgeRock Authenticator app as an additional multifactor authentication method.

Workstation Authentication using ForgeRock MFA with Push Authentication

Workstation Authentication using ForgeRock MFA with OTP Authentication

Prerequisites

Before beginning installation, verify that the following requirements are met:

  • Octopus Authentication Server v4.6 (or higher) is installed and operating with a valid enterprise certificate (for User Portal and administrator access via HTTPS)

  • Corporate Active Directory server is reachable, an account with the required admin rights is available, and the root CA certificate of the AD LDAPS listener is at hand to establish a secure LDAPS connection

  • Corporate domain Windows machines (user PCs) are available

  • Octopus Authentication for Windows is deployed on all corporate Windows machines (Windows users)

  • Octopus Authentication for Mac is deployed (Mac users)

  • ForgeRock is installed and enrolled users are operating the mobile ForgeRock Authenticator (Push or OTP)

  • The Octopus Authentication for Windows MSI and MSIUpdater packages have been obtained from the Secret Double Octopus team

Octopus Authentication for Windows supports Windows 7, 8, 8.1 and 10, and Windows Server 2008, 2012 and 2016. Required Windows updates are listed in the table below.

    OS / Arch        Required Update
    Windows 7 x86    KB2999226 update from Microsoft
    Windows 7 x64    KB2999226 update from Microsoft
    Windows 8.1      Refer to Appendix A: Windows 8.1 Registry Update

System Architecture Overview

The high-level architecture of the Octopus Authentication Module is shown in the diagram below. Windows/Mac credential providers are used for workstation authentication by Active Directory.

Any of the following authentication methods can be used:

  • Passwordless + ForgeRock Push Authentication

  • MFA + Password + ForgeRock Push Authentication

  • MFA + Password + ForgeRock OTP

Octopus + ForgeRock Architecture

Supported Use Cases

Use Case 1: Authentication to Windows/Mac using the ForgeRock App

Octopus + ForgeRock Push

Use Case 2: Authentication to Windows/Mac using ForgeRock OTP

Octopus + ForgeRock Integration (MFA + OTP)

Use Case 3: Authentication to Windows/Mac using Offline OTP

Octopus + Offline OTP

Configuring the Octopus Management Console

Before beginning the installation and deployment process, make sure to complete the following preparations in the Octopus Management Console:

Adding the ForgeRock Authenticator

Follow the steps below to add ForgeRock to your list of supported third party authenticators. The values you will need to create this authenticator come from your tree or chain configuration in ForgeRock: the AM access URL, the node or chain name, and the realm path.

To add the ForgeRock authenticator:

  1. From the Octopus Management Console, open the System Settings menu and select Authenticators.

  2. Click Add Authenticator to open the Add 3rd Party Authenticator dialog.

  3. From the Type dropdown list, select FORGEROCK.

  4. Configure the following settings:

    Setting: Value / Notes
    URL: The access URL for your ForgeRock identity platform, e.g., https://amlb.domain.com/openam
    Chain / Tree Node: Name of the relevant node/chain in the Authentication Tree
    Realm Path: Name of the relevant realm in the AM console
  5. To verify your settings, click Test Connection.

  6. Click Add.

    Note: You can add several ForgeRock authenticators pointing to different nodes/chains, and use each one for a different directory of users or OU. Each directory can be assigned to one authenticator for primary authentication and another authenticator for the OTP chain.

Integrating Your Corporate Directory

Follow the procedure below to integrate your corporate directory with the Octopus Management Console.

You can integrate either an Active Directory type or a ForgeRock directory type.

To integrate your corporate Directory:

  1. From the Octopus Management Console, open the System Settings menu and select Directories.

  2. Click Add Directory to open the Select Directory Type dialog. From the Directory Type dropdown list, select either Active Directory or ForgeRock.

  3. If you want directory users to be synced automatically, enable the Directory Sync toggle button. When Directory Sync is disabled, you will need to import users manually. (For more information, refer to the Octopus Management Console Admin Guide.)

  4. Click Select.

    The New Directory page opens.

  5. Configure the following parameters, based on your corporate directory settings:

    Parameter: Value / Notes
    Name: Corporate Directory Server name
    Base DN: Directory Distinguished Name; the top of the directory tree from which the server searches for users (e.g., dc=<AD name>,dc=com)
    User DN: DN of the directory account the Octopus Authentication Server binds with (e.g., cn=administrator,cn=users,dc=<AD name>,dc=com). A dedicated service account holding only the rights the Octopus server needs is preferable to the built-in Administrator account.
    Password: Password of the directory account given in User DN
    Host Name/URL: Corporate Directory URL (LDAP/LDAPS) and port
    Upload Certificate: Base64-encoded root CA certificate of the directory's LDAPS listener. If you are using LDAPS, click and upload the certificate file.
  6. To verify your settings, click Test Connection.

  7. At the bottom of the page, click Save.
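The following script is an added example and is not part of the Secret Double Octopus or ForgeRock documentation. It reproduces the Test Connection check of the procedure above from the command line: an LDAPS bind with the Directory Administrator DN that only succeeds if the server certificate chains to the root CA file you upload, followed by a base search to confirm the Base DN is readable with that account. The host name, DNs, certificate path and account are placeholders to replace with your own values.

```powershell
# Added example (not Octopus/ForgeRock code): command-line equivalent of "Test Connection"
# for an Active Directory directory entry configured over LDAPS.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost = 'dc01.corp.example.com'                                  # placeholder: Host Name/URL
$ldapPort = 636                                                      # LDAPS port
$baseDn   = 'dc=corp,dc=example,dc=com'                              # placeholder: Base DN
$userDn   = 'cn=octopus-svc,cn=Users,dc=corp,dc=example,dc=com'      # placeholder: User DN
$password = Read-Host -AsSecureString -Prompt 'Directory account password'
$rootCa   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\certs\corp-root-ca.pem')  # placeholder: Upload Certificate

$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($ldapHost, $ldapPort, $true, $false)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic     # simple bind with the DN above
$conn.Credential = [System.Net.NetworkCredential]::new($userDn, $password)

# Pin the server certificate chain to the uploaded root CA. Any other issuer,
# including a certificate the Windows trust store would accept, fails the bind.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    if (-not $chain.Build($leaf)) { return $false }
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $chainRoot.Thumbprint -eq $rootCa.Thumbprint
}.GetNewClosure()

try {
    $conn.Bind()
    # The domain root object carries objectClass=domainDNS; reading it proves the Base DN and the account's read rights.
    $req = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, '(objectClass=domainDNS)', 'Base', 'distinguishedName')
    $res = $conn.SendRequest($req)
    "LDAPS bind OK; Base DN resolved to $($res.Entries[0].DistinguishedName)"
} catch {
    throw "LDAPS test failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

A bind that fails here with a certificate error but works from the console usually means the console was given a different CA file than the one the domain controller's listener actually chains to; a bind that works but whose search returns no entry points at a wrong Base DN rather than a connectivity problem.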

Configuring Authentication Policies for the Directory

After integrating your corporate Directory, you need to specify instructions about which authentication options and methods are supported for it. The Policy tab of the directory settings allows you to select ForgeRock as a Primary and/or Secondary authenticator and specify one-time password (OTP) settings.

When ForgeRock is selected as an authenticator (either Primary or Secondary), information including user agent, Source IP, etc. is sent to ForgeRock for additional policy enforcement or authentication.

The procedure below explains how to configure the following settings in the Policy tab:

  • Supported authenticators: ForgeRock Authenticator can function as a primary or secondary authenticator (or both).

    • When ForgeRock is a Primary authenticator, it can work alongside or instead of Octopus Authenticator. If both methods are enabled, users will be able to choose the authenticator they prefer.

    • When ForgeRock is a Secondary authenticator, users first authenticate with another authentication method (not ForgeRock). Then, information is sent to ForgeRock for additional policy enforcement or authentication. This information includes the usual headers as well as which authenticator was used for primary authentication.

  • OTP settings: To enhance authentication capabilities, Secret Double Octopus provides the option of issuing a one-time password for login. You can enable either or both of these OTP options:

    • Online OTP: When enabled, enrolled users can log into Windows, Mac or the User Portal using a one-time password issued by either the Octopus Authenticator or by ForgeRock.

    • Offline OTP: When enabled, enrolled users can log into Windows, Mac or the User Portal using a one-time password that is stored locally. These OTPs are supplied by the Octopus Authenticator or by ForgeRock.

Note: For more information about OTP enrollment, refer to Appendix B: Enrolling Users for Octopus OTP.

To configure the directory’s authentication policies:

  1. From the settings of the directory you just added, open the Policy tab and scroll to the Authenticators section.

  2. From the Additional Authenticator dropdown list, select the ForgeRock authenticator. Then select the mapping field that the Octopus Authentication Server will send to ForgeRock as the authentication field (Username, Email, Displayname, etc.).

    Verify that the Enable Authenticator as Primary toggle button is enabled.

  3. If you want ForgeRock to serve as a further authenticator in addition to other authentication methods (Octopus Authenticator, FIDO, etc.), enable the Enable Authenticator as Secondary toggle button.

  4. Scroll down to the One Time Password (OTP) section.

    a. To activate online OTP, click the Enable Online OTP toggle button. Then, select the appropriate authenticator from the Online Validator list. (You can specify either the Octopus Authenticator or the ForgeRock TOTP chain as the OTP validator.)

    b. To activate offline OTP, click the Enable Offline OTP toggle button. Then, select the appropriate authenticator from the Offline Validator list. (You can specify either the Octopus Authenticator or the ForgeRock TOTP chain as the OTP validator.)

    c. In the OTP Configuration section, set the parameters of algorithm, number of digits, time period for replacement of the OTP token, and amount of time for which users are allowed to authenticate offline.

  5. At the bottom of the Policy tab, click Save and then publish your changes.

Note: When an additional primary authenticator is selected, that authenticator needs to be selected in the Windows MSI Updater as well. This will allow users to choose that primary authentication method on their Windows workstations. For more information, refer to Configuring the MSIUpdater Client.
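The block below is an added example, not code from Secret Double Octopus or ForgeRock. It implements an RFC 6238 TOTP generator and validator with the same knobs as the OTP Configuration section above (algorithm, number of digits, time period) and adds the two checks an offline validator needs: a small clock-drift window and the maximum time a user may keep authenticating offline. The page does not state the exact scheme behind the Octopus offline OTP; this is the standard construction the ForgeRock TOTP chain implements, and the RFC 6238 Appendix B test key is used so the output can be checked against the RFC.

```powershell
# Added example (not Octopus/ForgeRock code): RFC 6238 TOTP with the OTP Configuration parameters.

function ConvertFrom-Base32 {
    # Decode a Base32 secret as shared by authenticator apps (RFC 4648 alphabet).
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [ValidateSet('SHA1', 'SHA256', 'SHA512')][string]$Algorithm = 'SHA1',   # OTP Configuration: algorithm
        [int]$Digits = 6,                                                          # OTP Configuration: number of digits
        [int]$Period = 30                                                          # OTP Configuration: time period
    )
    # Time-step counter as an 8-byte big-endian value (RFC 6238 section 4, RFC 4226 section 5.1).
    $counter = [long][math]::Floor($UnixTime / $Period)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = switch ($Algorithm) {
        'SHA1'   { [System.Security.Cryptography.HMACSHA1]::new($Secret) }
        'SHA256' { [System.Security.Cryptography.HMACSHA256]::new($Secret) }
        'SHA512' { [System.Security.Cryptography.HMACSHA512]::new($Secret) }
    }
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226 section 5.3): 4 bytes at the offset given by the low nibble of the last byte.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor
            (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
            (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
            ($hash[$offset + 3] -band 0xFF)
    $modulus = [long][math]::Pow(10, $Digits)
    return ($code % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Code,
        [Parameter(Mandatory)][long]$UnixTime,
        [string]$Algorithm = 'SHA1',
        [int]$Digits = 6,
        [int]$Period = 30,
        [int]$DriftSteps = 1,            # tolerate +/- one period of clock skew, no more
        [long]$LastOnlineUnixTime = -1,  # when the workstation last reached the server (-1 = not tracked)
        [int]$OfflineWindowSeconds = 0   # "amount of time for which users are allowed to authenticate offline"
    )
    # Offline OTP policy: refuse once the workstation has been disconnected longer than allowed.
    if ($LastOnlineUnixTime -ge 0 -and ($UnixTime - $LastOnlineUnixTime) -gt $OfflineWindowSeconds) {
        return $false
    }
    for ($s = -$DriftSteps; $s -le $DriftSteps; $s++) {
        $candidate = Get-Totp -Secret $Secret -UnixTime ($UnixTime + $s * $Period) -Algorithm $Algorithm -Digits $Digits -Period $Period
        if ($candidate -eq $Code) { return $true }
    }
    return $false
}

# RFC 6238 Appendix B test key ("12345678901234567890" in Base32), so the values below are checkable against the RFC.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-Totp  -Secret $secret -UnixTime 59 -Digits 8                                                   # 94287082 (RFC 6238 Appendix B, SHA1)
Test-Totp -Secret $secret -Code '94287082' -UnixTime 59 -Digits 8                                  # True
Test-Totp -Secret $secret -Code '94287082' -UnixTime 200 -Digits 8                                 # False: code belongs to an earlier period
Test-Totp -Secret $secret -Code '94287082' -UnixTime 59 -Digits 8 -LastOnlineUnixTime 0 -OfflineWindowSeconds 30   # False: offline longer than policy allows
```

The drift window is deliberately one step; widening it multiplies the number of codes an attacker can guess in one attempt, and the offline-window check is what makes the "amount of time for which users are allowed to authenticate offline" setting enforceable rather than advisory.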

Creating the Active Directory Authentication Service

Follow the steps below to create the required AD service and configure its settings.

To add and configure the Active Directory Authentication service:

  1. From the Octopus Management Console, open the Services menu and click Add Service.

  2. In the Active Directory Authentication tile, click Add.

    Then, in the dialog that opens, click Create.

  3. Review the settings in the General Info tab. If you make any changes, click Save.

    Setting: Value / Notes
    Service Name / Issuer: Change the default value if desired.
    Description: Enter a brief note about the service if desired.
    Display Icon: This icon will be displayed on the Login page for the service. To change the default icon, click and upload the icon of your choice.
  4. Open the Parameters tab and select the credential type that will be sent by the user for authentication (usually Username).

    Then, click Save.

  5. Open the Sign On tab and review the following settings:

    Setting: Value
    Endpoint URL: The access URL from the Windows client to the Octopus Authentication Server
    Service Key: An identifier for the service. This key is one of the parameters required for the Windows client to connect to the Octopus Authentication Server; handle it as a credential.
    Custom Message: This message is displayed on the mobile device during the OWA authentication process only. The message for Windows authentication is part of the Windows client and is not set in this service.
    Authentication Token Timeout: Used as part of the REST API communication. It sets the token timeout after which a request from the application must re-authenticate.
    Rest Payload Signing Algorithm: The algorithm with which the service's X.509 certificate was generated; REST payloads are signed with it.
    X.509 Certificate: The service's certificate file, which is used as part of the Windows Credential Provider installation. Click Download to download the file.
    Service Metadata: The METADATA includes all the information needed to update the MSI file using the MSI updater. Click the button to download the XML file.
  6. At the bottom of the Sign On tab, click Save.

  7. Open the Directories tab and select the directories that will be available for the service.

  8. Open the Users & Groups tab and click Add.

    A popup opens, with a list of directories displayed on the left.

  9. For each directory, select the groups and users to be added to the service.

  10. After making your selections, click Save (in the upper right corner) to close the dialog.

    The groups and users you selected are listed in the Users & Groups tab.

  11. Click Save and then publish your changes.

Windows Client Installation with MSIUpdater

Octopus Authentication for Windows is packaged as a Windows Installer (MSI) file, which allows easy and silent installation on all clients. This installation option is intended for enterprise IT teams and other large-scale deployments.

The following sections present the processes required for a successful deployment with MSI:

Installing the MSIUpdater Client

The MSIUpdater client writes the corporate Octopus AD Authentication configuration into the basic MSI, producing a package that can be silently installed on corporate Windows clients.

MSIUpdater can run on any Windows client running one of the following versions: Windows 7, 8, 10 and Windows Server 2008 and 2012.

Before you begin, verify that all system requirements and prerequisites are met. For details, refer to the Prerequisites section of this document.

To install the MSIUpdater client:

  1. Run MSIUpdater.exe as an administrator.

    If the Microsoft .NET Framework is not installed, an installer opens.

  2. To launch the wizard, click Install.

  3. On the Welcome page, click Next.

  4. Accept the license agreement, and then click Next.

  5. To begin the installation, click Install.

    A confirmation message is displayed when installation is complete.

  6. To exit the wizard, click Finish.

When you quit the wizard, the MSIUpdater application will automatically launch, allowing you to configure the Octopus Authentication for Windows.msi with the corporate Octopus Active Directory Authentication Sign-On details. For more information, refer to Configuring the MSIUpdater Client (below).

Configuring the MSIUpdater Client

The MSIUpdater, which launches automatically after you quit the MSIUpdater installer, updates the Octopus Authentication for Windows (64-bit or 32-bit) MSI file with the corporate Octopus Active Directory Authentication Sign-On details.

Before you begin working with the MSIUpdater, verify that you have access to the following elements. They can be copied or downloaded from the Sign On tab of the Active Directory Authentication service that you created in the Octopus Management Console.

  • Endpoint URL: Click the Copy icon to copy the URL.

  • Service Key: Click View. Then, in the popup that opens, click Copy to copy the key.

  • X.509 Certificate: Click Download to download the cert.pem file.

Alternatively, you can download all the service metadata at once by clicking SERVICE METADATA. The metadata will be saved in the Metadata.xml file.

To configure the MSIUpdater application:

  1. At the top of the Parameters tab, click Browse and upload the Octopus Authentication for Windows MSI (64-bit or 32-bit) file to be updated.

  2. Add the service parameters by pasting the Endpoint URL and Service Key values into the appropriate fields. Then, click Browse and upload the X.509 certificate file.

    Alternatively, you may upload the parameters by clicking Load from XML and uploading the Metadata.xml file from the Active Directory Authentication service.

  3. If you want to use multi-factor authentication from Active Directory when logging into Windows, select the Multi-Factor Authentication (MFA) checkbox. When MFA is activated, users will need to enter their AD passwords in order to receive a push notification from Octopus, ForgeRock or OKTA Authenticators. If the checkbox is not selected, users will have passwordless authentication.

    Note: In order to successfully use a FIDO key with MFA, the key must not have an associated PIN.

  4. Select one or more of the following authenticators:

    Authenticator: Description
    Octopus App: Octopus Authenticator mobile app (iOS/Android)
    FIDO2: FIDO authenticator from Yubico
    OKTA Verify: For OKTA users using OKTA Verify Authenticator
    ForgeRock: For ForgeRock users using ForgeRock Authenticator
    OTP: This option enables authentication with ForgeRock OTP or Octopus-generated OTP. In order to select the checkbox, the Multi-Factor Authentication (MFA) checkbox must be selected.
  5. Click Next.

  6. On the Settings tab, enable the following options as required by selecting the relevant checkboxes:

    Setting: Description / Notes
    Lock Screen Authenticate: Determines whether there is Auto Login for AD users from the Lock screen. When the setting is enabled, AD users receive a push notification from Octopus, ForgeRock or OKTA Authenticators immediately after pressing <Ctrl> <Alt> <Del>.
    Show Default Credential Provider: Determines whether the default credential providers (Windows and Active Directory) are offered as account options when logging into Windows. If they are shown, users can still sign in through the standard Windows password provider.
    Enforce MFA: When selected, users must authenticate with mobile (2nd factor) when using domain username and password. This setting is relevant for users with Octopus, ForgeRock or OKTA authenticators only (not FIDO).
    SafeGuard Support: Selecting this option enables Octopus Authentication for Windows to log in to the SafeGuard client (session).
    TPM Support: If TPM 2.0 is enabled, selecting this option allows the TPM to store the private key for BLE password encryption, so the key cannot be copied off the machine.
    Change Password on RDP: When selected, password changes on RDP sessions are allowed. This option is relevant mainly for admin users using RDP sessions who do not log in to Windows machines. This option is relevant to passwordless authentication only.
    Change Password on Unlock: When selected, password changes are allowed on Unlock as well as on Login to the workstation. This option is relevant to passwordless authentication only.
    POC Mode: When selected, Octopus Authentication for Windows does not validate the server certificate. This setting is intended for POCs that use a self-signed certificate on the Octopus Authentication Server. Leave it disabled in production: without the certificate check the client cannot tell a genuine Octopus Authentication Server from a host impersonating it.
    Local User Support: When selected, Octopus Authentication for Windows is enabled for local users and verifies that the local user matches the mapping with the Octopus Authentication Server user.
    Bypass MFA on unlock when connected to AD: When selected, users connected to the enterprise network who have already authenticated with MFA are not required to authenticate with the 2nd factor again when unlocking the workstation. This behavior continues for an unlimited period of time, provided that users remain inside the network, so unlock is then protected by the password alone for the life of the session.
    Force Lock After Offline OTP: When selected, workstations that were unlocked using an Offline OTP and then reconnected to the enterprise network (online) are automatically locked and the user is asked to authenticate again. This prevents a session established with the weaker offline method from continuing on the enterprise network.
  7. Configure the following settings, as required:

    Setting: Description / Notes
    Enable SSO / Enable Third Party SSO: You may configure ONE of these settings only. After selecting the checkbox, enter the portal URL / 3rd party portal URL. At runtime, the portal opens in the default browser. Users are logged in automatically and can view all assigned services.
    Enable CP Bypass List: Displays a list of credential providers that will not be filtered by Octopus Authentication for Windows.
    Enable Change OTP Name: Allows you to change the default name of the OTP displayed in the Windows credential provider's login authentication method selection list. After selecting the checkbox, enter the desired name in the field (e.g., ForgeRock OTP).
  8. At the bottom of the Settings tab, click Apply.

    A new modified MSI file is created in the same location as the original MSI file. The name of the new file will include Octopus Authentication for Windows 32-bit or 64-bit and the timestamp of file creation.

    Note: The original MSI file is not modified and can be reused as input for further MSIUpdater runs. Deploy only the modified MSI file, not the original.

MSI Deployment of Octopus Authenticator

The following sections explain how to deploy and upgrade using the MSI tool.

Performing Silent Installation

Silent installation allows administrators to push the installation to all client machines from a central tool (e.g., GPO). All required components are installed as part of the deployment.

Note: Administrator permissions are required to run the Octopus Authentication for Windows MSI.

To perform silent installation:

  1. Open your distribution software (e.g., GPO) and add the modified MSI file produced by MSIUpdater as the package to deploy.

  2. On a client, the same installation can be run from an elevated command prompt with msiexec and the /qn (no UI) switch. The file name contains spaces and must be quoted:

    • Windows 64-bit:
      C:\> msiexec /i "Octopus Authentication for Windows64bit – xx_xxx_xx.msi" /qn

    • Windows 32-bit:
      C:\> msiexec /i "Octopus Authentication for Windows32bit – xx_xxx_xx.msi" /qn

Performing MSI Upgrade

IMPORTANT: To successfully perform MSI upgrade, the MSI file must have the same filename as that of the original installation. The MSI updater creates an MSI file with the update date in the filename. This file needs to be renamed to match the name of the original installation file.

If you try to upgrade using an MSI file that is named differently from the original installation file, the following error message will appear: Error 1316: The specified account already exists

This error is an alert that you are trying to install an MSI file that has a different name from the one that is already installed.

If you are not sure of the name of the original installation file, follow these steps:

  1. Navigate to C:\Windows\Installer

  2. Open the following file: SourceHash{F88FAA40-72B9-4CE0-88DA-6592EF361C94}

  3. Search for the name of the file that was used for installation. You will find it at the end of the SourceHash file.

To upgrade the MSI, run the following command:

  • Windows 64-bit:
    C:\> msiexec /i "Octopus Authentication For Windows 64bit.msi" REINSTALL=ALL REINSTALLMODE=vomus IS_MINOR_UPGRADE=1 /qn

  • Windows 32-bit:
    C:\> msiexec /i "Octopus Authentication For Windows 32bit.msi" REINSTALL=ALL REINSTALLMODE=vomus IS_MINOR_UPGRADE=1 /qn
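The script below is an added example and is not Secret Double Octopus code. It wraps the silent install and upgrade commands of the two sections above so they can be run from a deployment tool: it records the currently installed product, copies the MSIUpdater output under the original installation file name when upgrading (the step that avoids Error 1316), runs msiexec unattended with a verbose log, and turns the exit code into a result. The product display-name filter, the default original file name and the log location are assumptions to adjust for your environment; run it elevated.

```powershell
# Added example (not Secret Double Octopus code): unattended install/upgrade of the MSIUpdater output.
param(
    [Parameter(Mandatory)][string]$UpdatedMsi,                                  # file written by MSIUpdater
    [string]$OriginalMsiName = 'Octopus Authentication For Windows 64bit.msi',  # assumed: name used at first install
    [switch]$Upgrade
)

function Get-OctopusInstall {
    # The product as Windows Installer registered it, from both registry views.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # Display name filter is an assumption; adjust to what appears in Programs and Features.
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Octopus Authentication*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

function Invoke-OctopusMsi {
    param([Parameter(Mandatory)][string]$MsiPath, [switch]$Upgrade)
    $log = Join-Path $env:TEMP ('octopus-msi-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    # /qn = no UI, /norestart = never reboot on its own, /l*v = verbose log for troubleshooting.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    if ($Upgrade) {
        # Properties from the "Performing MSI Upgrade" section.
        $msiArgs += 'REINSTALL=ALL', 'REINSTALLMODE=vomus', 'IS_MINOR_UPGRADE=1'
    }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return "msiexec succeeded (log: $log)" }
        3010    { return "msiexec succeeded, reboot required (log: $log)" }
        default { throw "msiexec exited with $($proc.ExitCode); inspect $log" }
    }
}

$UpdatedMsi = (Resolve-Path -Path $UpdatedMsi).Path
if ($Upgrade) {
    # A minor upgrade must use the original file name; copy the timestamped MSIUpdater output under that name.
    $target = Join-Path (Split-Path -Path $UpdatedMsi -Parent) $OriginalMsiName
    Copy-Item -Path $UpdatedMsi -Destination $target -Force
    $UpdatedMsi = $target
}

$installed = Get-OctopusInstall
if ($installed) { "Installed before run: $($installed.DisplayName) $($installed.DisplayVersion)" }
Invoke-OctopusMsi -MsiPath $UpdatedMsi -Upgrade:$Upgrade
```

If the upgrade still fails, open the verbose log rather than guessing: the product code recorded there can be compared with the SourceHash file name from the section above to confirm you are upgrading the package that is actually installed.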

Windows ForgeRock Authentication

Once installation is complete, the user can authenticate to a Windows machine using ForgeRock or a FIDO key (according to the configured setup). The different authentication flows are described below.

ForgeRock MFA Authentication Flow (with ForgeRock Push):

  1. User selects ForgeRock as the authentication method.

  2. User enters username + Password.

  3. User receives a push notification to the mobile device (ForgeRock App) with a prompt to approve authentication.

  4. Once authentication is approved, the user is logged into Windows.

ForgeRock MFA Authentication Flow (with ForgeRock OTP):

  1. User selects ForgeRock OTP as the authentication method.

  2. User enters username + Password + OTP.

  3. Once the system verifies the credentials, the user is logged into Windows.

Appendix A: Windows 8.1 Registry Update

Follow the steps below to change the ownership of the relevant Credential Providers registry key from TrustedInstaller to Domain Admins.

To update the registry key ownership:

  1. Connect to the machine registry and navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}]

  2. Right-click on the registry key and select Permissions.

    Then click Advanced to open the Advanced Security Settings dialog.

  3. The Owner value should appear at the top of the dialog. Click Change and set the ownership to Domain Admins.
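The following is an added example, not part of the Secret Double Octopus documentation. It performs the same ownership change as the regedit steps above from an elevated PowerShell session, reading the owner before and after so the result can be verified on each Windows 8.1 machine instead of checked by eye. The domain name is a placeholder. If the key's DACL does not grant WRITE_OWNER to Administrators, opening it for TakeOwnership fails; in that case fall back to the regedit dialog, which enables the take-ownership privilege for you.

```powershell
# Added example (not Octopus code): change the owner of the Appendix A credential-provider key to Domain Admins.
$domain   = 'CORP'   # placeholder: NetBIOS name of your domain
$subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
$newOwner = [System.Security.Principal.NTAccount]"$domain\Domain Admins"

$before = (Get-Acl -Path "HKLM:\$subKey").Owner
"Owner before: $before"   # expected: NT SERVICE\TrustedInstaller on an untouched machine

try {
    # Open the key requesting only the right needed to set the owner.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $key) { throw "Key not found: HKLM\$subKey" }

    # A fresh RegistrySecurity with only the owner set persists just that section; DACL/SACL stay untouched.
    $acl = [System.Security.AccessControl.RegistrySecurity]::new()
    $acl.SetOwner($newOwner)
    $key.SetAccessControl($acl)
    $key.Close()
} catch [System.UnauthorizedAccessException] {
    throw "WRITE_OWNER denied on HKLM\$subKey; take ownership through the regedit Advanced Security Settings dialog instead."
}

$after = (Get-Acl -Path "HKLM:\$subKey").Owner
if ($after -ne "$domain\Domain Admins") { throw "Owner is still $after" }
"Owner after: $after"
```

Only the owner is changed; the key's existing permissions are left as they were, which is what the Appendix A procedure does as well.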

Appendix B: Enrolling Users for Octopus OTP

The following sections explain how to send Octopus OTP enrollment invitations from the Octopus Management Console. You can send invitations to all members of a group in a bulk operation, or you can invite specific individual users.

Sending Enrollment Invitations to a Group

You can send group invitations quickly and easily using the Quick Actions menu for the relevant group.

To send Octopus OTP enrollment invitations to a group:

  1. From the Management Console, select the Manage Users menu. On the left side of the page, expand the directory tree and navigate to the relevant node.

  2. In the row of the relevant group, click the Actions icon and select Send Invitation > OTP Authenticator.

Sending Enrollment Invitations to Individual Users

You can send an enrollment invitation to a user directly from the Users List, or from the user’s settings.

To send an enrollment invitation from the Users list:

  • In the row of the relevant user, click the Actions icon and select Send Invitation > OTP Authenticator.

To send an enrollment invitation from the user's settings:

  1. From the Users List, click the Edit icon to view the user's settings.

  2. At the top of the page, click the Actions icon and select Send Invitation > OTP Authenticator.

Contact Information

For technical assistance please contact support@doubleoctopus.com or frank.gasparovic@forgerock.com

For additional information and questions related to business and purchasing, please contact sales@doubleoctopus.com

Project Information
Partner
6.5.0
2020-06-29
openam, authentication, authTreeNode
Frank.Gasparovic