Step-by-step guide to implementing Pledge Enrollment with One Time Password Server 3
- Pledge Overview
- TERMINOLOGY
- 1 Overview of Pledge Enrollment Process
- 2 Implementing Pledge Overview
- 3 Implementing Pledge Overview Step by Step
- 3.1 Register Pledge Profile Factory account
- 3.2 Customize your Pledge Corporate Profile and settings.
- 3.4 Important about the Pledge Factory Profile
- 4 Request Pledge Web service Account
- 5 Configure OTP Server for Pledge Enrollment Service
- 5.1 Configure Pledge Enrollment Database
- 5.1.1 Configure LDAP Settings
- 5.2 Configure the LDAP database settings
- 5.2.1 Configure search filter
- 5.2.2 Configure OATH Key attribute
- 5.3 Configure Pledge Enrollment Client
- 5.4 Enable Pledge Enrollment Services
- 5.5 Pledge Enrollment interface
- 6 Test your Pledge Enrollment Service
- 7 Next Step
Pledge Overview
Being able to securely access critical data is imperative, but for many organisations the standard authentication method for accessing information is with a username and a password. This is too weak for protecting corporate assets.
The Pledge system solves this problem by securing the login with two-factor authentication.
Pledge turns mobile devices into security tokens and is available for most devices. The product comes with a complete infrastructure for automation of key enrollment and customizable profiles. Instead of using a security token when logging in, you simply use your preferred device. Using Pledge, you can log in securely to different applications and even sign different transactions.
This guide describes how to implement the Nordic Edge Mobile Client Pledge together with Nordic Edge One Time Password Server version 3 (OTP Server).
The Pledge system consists of three components:
- Pledge Profile Factory
- Pledge Enrollment
- Pledge Client
Pledge Profile Factory
Pledge Profile Factory is the environment where administrators can configure and customize their Pledge corporate profile. A designer tool is available to customize logos, background pictures, colors as well as configure PIN-code settings, contact information such as text and service desk URL and check Pledge licensing information.
Pledge Profile Factory is a web service provided by Nordic Edge.
Pledge Enrollment
Pledge Enrollment is a service to automate the delivery of Pledge User Profiles to end-users.
There are two ways to enroll for Pledge, end-users can self-enroll or Pledge administrators can enroll end-users.
Pledge enrollment generates an OATH key and sends a request to Pledge Profile Factory to provide a Pledge ID to the end-user or the administrator.
The Pledge Enrollment service is embedded into the Nordic Edge OTP Server but can also be downloaded and installed separately into a DMZ solution.
Pledge Client
Pledge is a mobile client used to generate one-time passwords based on the OATH algorithm.
The Pledge Client can be installed on most devices and generates One-time passwords used for two factor authentication with the Nordic Edge OTP Server or other OATH compliant systems.
The Pledge Client supports multiple profiles which makes it useful for authentication to multiple services or ISP-solutions.
The Pledge client is available from all major app stores; search for "Pledge" or see nordicedge.com/pledge.
TERMINOLOGY
| Term | Description |
|---|---|
| Pledge | Pledge is a software token from Nordic Edge following the HOTP (RFC 4226) OATH standard. |
| Pledge Profile Factory | A Nordic Edge web service for corporations to design and customize their corporate Pledge profile. Pledge Profile Factory receives enrollment requests from the Pledge Enrollment service and is responsible for distributing Pledge Profiles to Pledge clients. |
| Pledge Corporate Profile | A Pledge Corporate Profile is designed following a corporation's branding and security standard and is the template for all Pledge User Profiles downloaded onto Pledge Clients. |
| Pledge User Profile | The Pledge User Profile is a copy of the corporate profile combined with a profile ID; it is also called a Pledge Profile. |
| Pledge ID | A Pledge ID is issued by Pledge Enrollment and represents a unique Pledge User Profile; it is used when downloading that profile. |
| Pledge Enrollment | Pledge Enrollment is a service to automate the delivery of Pledge User Profiles to end-users. It must be able to contact Pledge Profile Factory and OTP Server. |
| Pledge Client | Pledge is a software client used to generate one-time passwords based on the OATH algorithm. |
| Pledge Web service account | A web service account corresponding to a Pledge Profile Factory account must exist before Pledge Enrollment is configured. It is used to access Pledge Profile Factory. |
| Pledge Profile Factory Administrator account | Administrative accounts used to access Pledge Profile Factory to customize and configure corporate profiles. |
| OATH | Open Authentication (OATH) is an open standard designed to offer strong authentication on devices from multiple vendors. OTP Server supports tokens using both OATH standards, HOTP and TOTP. http://support.nordicedge.se/nordic-edge-one-time-password-server-oath-integration/ |
| OTP Server | Nordic Edge One Time Password Server. |
| Pledge Enrollment Database | An LDAP or SQL database for storing OATH keys. Usually the user store, for example Active Directory. |
| OTP Client Native Client | Nordic Edge client that uses the OTP Server APIs to communicate with the OTP Server. |
1 Overview of Pledge Enrollment Process
The Pledge Enrollment process generates an OATH key and combines it with a copy of the corporate profile to produce a unique Pledge User Profile, including a Pledge ID.
This Pledge ID is sent to administrators or users and is used to download the Pledge User Profile into the Pledge Client.
Self-enrollment process
1. Install the Pledge Client on the device.
2. The user browses to the Pledge Enrollment service, e.g. https://OtpServerIP:8080/PledgeEnrollment/enroll.jsp
3. The user enters their username and password to receive a Pledge ID.
4. The user starts the Pledge Client app and enters the Pledge ID.
5. The Pledge User Profile is downloaded into the Pledge app.
Admin-Enrollment process
1. The user installs the Pledge Client on the device.
2. The administrator browses to the Pledge Enrollment service, e.g. https://OtpServerIP:8080/PledgeEnrollment/supportenroll.jsp
3. The administrator enters their own username and password plus the end-user's username. The Pledge Enrollment service presents a Pledge ID on the administrator's screen.
4. The administrator sends the Pledge ID to the user, for example via e-mail.
5. The user starts the Pledge Client app and enters the Pledge ID.
6. The Pledge User Profile is downloaded into the Pledge app.
Technical description of the enrollment process
When enrolling for a Pledge Profile, the Pledge Enrollment service sends a web service request to the Pledge Profile Factory asking for a Pledge profile. The Pledge Profile Factory performs the following steps:
1. Generate a unique symmetric key and a corresponding counter.
2. Package the corporate profile into a zip file.
3. Generate a unique Profile ID.
4. Combine all the above information into an XML message and associate it with the Profile ID.
5. Reply to the Pledge Enrollment Service with the unique symmetric key, the corresponding counter and the Pledge ID.
The Pledge Enrollment Service presents the Pledge ID to the end-user or administrator. The end-user starts the Pledge Client on the device, clicks on the key symbol in the bottom left corner and enters the Pledge ID. The Pledge Client contacts the Pledge Profile Factory over an HTTPS connection and downloads the Pledge User Profile.
The Pledge Client is now ready to generate One-time passwords.
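The symmetric key and counter delivered by the Pledge Profile Factory are the inputs to the HOTP (RFC 4226) algorithm the Pledge Client and the OTP Server both compute. The following Python is an added illustration, not code from Nordic Edge or the Pledge product: it implements HOTP and a minimal server-side verifier with a look-ahead window, which is what lets the server tolerate codes the client generated but never submitted. The secret is the test key from RFC 4226 Appendix D, used here as a constructed stand-in for a per-user key; the window size of 10 is an assumption, not a value taken from the product.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors (Appendix D); a constructed
# stand-in for the per-user symmetric key the Pledge Profile Factory issues.
RFC4226_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled token: the shared key and the
    next counter value the server expects. HOTP clients advance their
    counter every time a code is generated, so the server searches a
    small look-ahead window to resynchronise with codes that were
    generated but never submitted. Window size is an assumed value."""

    def __init__(self, key: bytes, counter: int = 0, window: int = 10):
        self.key = key
        self.counter = counter  # next counter the server will accept
        self.window = window

    def verify(self, otp: str) -> bool:
        for step in range(self.window + 1):
            candidate = self.counter + step
            # constant-time comparison so a partially correct code does
            # not leak through timing differences
            if hmac.compare_digest(hotp(self.key, candidate), otp):
                # Move past the accepted counter: the same code can never be
                # replayed, and any skipped counters are invalidated as well.
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # Print the first ten codes; they match the RFC 4226 reference table.
    for c in range(10):
        print(c, hotp(RFC4226_SECRET, c))
```

The verifier advances past the accepted counter rather than to the next one it tried, so a code that was already consumed is rejected on a second submission even though it still lies inside the window. Whatever the real OTP Server does internally is not described on this page; the point of the example is that the key stored in the enrollment database is the only long-term secret, so its storage attribute and the Admin DN that can write it deserve the access restrictions the later sections describe.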
Overview of Pledge enrollment
2 Implementing Pledge Overview
The process of implementing Pledge begins with the configuration of the corporate profile in Pledge Profile Factory and ends with installing and configuring Pledge Enrollment.
1. Register for an Administrator account in Pledge Profile Factory
2. Configure the Pledge profile in Pledge Profile Factory
3. Request a Pledge Web service account
4. Configure the OTP Server and Pledge Enrollment
3 Implementing Pledge Overview Step by Step
3.1 Register Pledge Profile Factory account
- Browse to Pledge Profile Factory https://services.nordicedge.se/pledge-im
- Click "Register here"
- Type in your email address.
Notes: This address will be the administrator account for the Pledge Profile Factory account.
- Type in the name of your company
Notes: This name will be the Profile Factory account. If you are a partner setting up Pledge for a customer, enter your email address and create an account matching the customer's company name, not your own company.
- Enter the CAPTCHA code
- Click Register
An email will be sent to the email address used to register.
- Click on the registration link from the email.
- Enter email address and the CAPTCHA code.
- Click "Login"
A One Time Password is sent to email address.
- Enter OTP received via email.
- Click "OK"
3.2 Customize your Pledge Corporate Profile and settings.
- Click on the Design tab and personalize your Company Pledge Profile.
INFO: Size of images is shown in the information text.
- Click on the settings tab and configure the length of the PIN code, Profile TTL and support information.
Pin Length:
The Pledge PIN code requires end-users to assign a PIN code to their profile. It can be set to 0 (zero) to disable this function. The Pledge PIN code is meant to be used on devices without a central PIN code policy.
Profile TTL:
The Profile TTL determines how long a Pledge User Profile remains available for download from the Pledge Profile Factory. When an end-user or administrator enrolls for a Pledge User Profile, the end-user has 120 minutes to download the Pledge User Profile to the device before it expires.
4 Request Pledge Web service Account
- Send an email to support@nordicedge.se containing the e-mail address and the Company Name used when performing the Pledge Profile Factory registration.
Within 24 hours Nordic Edge Support will reply with the Pledge Web service account and password.
5 Configure OTP Server for Pledge Enrollment Service
The configuration steps are:
- Configure a Pledge Enrollment Database to assign a Pledge OATH key attribute to user accounts.
- Configure a Pledge Enrollment Client for the Pledge Enrollment service.
5.1 Configure Pledge Enrollment Database
The Enrollment Database stores the Pledge OATH keys.
In this guide Microsoft Active Directory is used as the enrollment database.
- Start OTP Server and click "Configuration"
- Click on Databases and then on the LDAP Database button.
5.1.1 Configure LDAP Settings
Active Directory is installed on the same server as OTP Server. The loopback address 127.0.0.1 is used as the host address, and the standard LDAP port 389 is selected for communicating with Active Directory.
INFO:
The Admin DN user needs rights to read the user objects' attributes and to write the OATH key into the selected attribute that stores each user's OATH key.
To use the Disable Account feature from OTP Server, the Admin DN user also needs rights to modify the disable-account attribute.
- Choose a name for the database. Eg. Pledge Enrollment Database.
- Select "Uses HOTP (OATH)" (required).
- Enter the IP address of the Active Directory server (127.0.0.1).
- Port number, use default 389.
- Enter Admin DN.
- Enter Admin DN password.
- Click on Test Connection (You should get a message saying “LDAP connection success”)
5.2 Configure the LDAP database settings
The BASE DN is the search base where user objects are stored in Active Directory.
- Click on the button with three dots on the right side of the Base DN field to browse Active Directory Database.
- Click on the Organization Unit or Organization where user objects are stored and click OK.
5.2.1 Configure search filter
Configure the search filter for Microsoft Active Directory.
- Click on the “Sample Button”.
- Choose the filter template for MS Active Directory and click OK and Yes.
5.2.2 Configure OATH Key attribute
The OATH Key field must correspond to an unused Active Directory user object attribute.
This attribute must be of String type and have a minimum length of 60 characters.
In this guide the "carLicense" attribute is used.
- Use the browse button and select the carLicense attribute.
- Click on OK
5.3 Configure Pledge Enrollment Client
- In the left pane click "Clients" and then in the right pane click "New Native Client"
- Enter a name for your Pledge Enrollment Client. Eg. Pledge Enrollment Client
- Enter 127.0.0.1 as the IP address (Change this when using an external Pledge Enrollment Service)
- Choose the "Pledge Enrollment Database" configured earlier as the User Database.
- Click on Advanced button
- Enable name detection
- Enter Client Name, for example "PledgeEnrollment"
The Client's configuration for the Pledge Enrollment Service should look like this:
5.4 Enable Pledge Enrollment Services
Enable the Pledge Enrollment service and configure it to use the newly created Pledge Enrollment database and the Web service account received by email.
- In the left pane click "Identity Manager & Pledge Enrollment", in the right pane enable it.
- Go to the HOTP-LDAP Database for Pledge Enrollment field and choose your "Pledge Enrollment Database".
- Type in the Web Service Account and Password you received from Nordic Edge Support earlier.
- Enter Client Name Detection, for example "PledgeEnrollment".
- Click Save Config.
- Start the HTTP Service from the "Embedded HTTP Server" section.
5.5 Pledge Enrollment interface
The Pledge Enrollment service is web based and can be accessed via the OTP Server Configurator or directly via a browser.
Self-enrollment: https://OtpServerIP:8080/PledgeEnrollment/enroll.jsp
Admin-enrollment: https://OtpServerIP:8080/PledgeEnrollment/supportenroll.jsp
- Click "Go to Pledge Enrollment"
The Admin Enrollment Page looks like this:
The Self Enrollment page looks like this:
Pledge Enrollment Services is now configured.
6 Test your Pledge Enrollment Service
This requires the Pledge Client to be installed on a device.
See instructions on http://nordicedge.com/products/mobile-client-pledge
6.1 Self-enrollment
Enroll for Pledge as an end-user with Pledge self-enrollment service
- Browse to https://OtpServerIP:8080/PledgeEnrollment/enroll.jsp
- Enter username and password
- Click on Enroll
Notes: "Add another key" is meant for users who own several devices running the Pledge Client.
A page shows the user's Profile ID, in this case 64647531 for user jdoe.
- Click on Test your Pledge Profile
On the device:
- Open the Pledge Client. Click on the key symbol with a plus sign in the bottom left corner.
- Choose "Profile ID" or "email address".
- Enter Profile ID, in this case 64647531
- A PIN code is requested if a PIN code was configured for the profile in the Pledge Profile Factory. This is a personal code and must be kept secret.
- Click Generate one-time password, in this case 063046.
- Go back to the "Test your Pledge Profile" web page and enter OTP.
A success message will show up.
7 Next Step
Now that the Pledge Enrollment Service is running, the next step is to configure OTP Server to protect applications and services with two-factor authentication.
Nordic Edge provides a wide range of integrations:
http://nordicedge.com/products/one-time-password-server/integrations/
Step by Step Guides for integrations:
If you have any technical questions during the test or installation phase, please don't hesitate to contact us at support@nordicedge.se
Best Regards,
Nordic Edge Support
