Delegation and authentication workflow in VIP Enterprise Gateway version 9.8 and later

Article ID: 150420


Products

VIP Service

Issue/Introduction


Cause

The workflow below shows how an incorrect password submitted together with an incorrect OTP can increment the bad password count in AD by 2.

Resolution

The tables below describe the delegation and authentication workflow for each of the following authentication methods, with and without a temporary passcode:

  1. User ID – LDAP Password – Security Code
  2. User ID – Security Code
  3. User ID – Access PIN – Security Code

Note: This information applies to VIP EG 9.8 only if a delegation server is configured within the enterprise.


Authentication Method 1: User ID + LDAP Password + Security Code

Case A: A temporary passcode has been set for the user

Password Example: Password123456 | Last 6 Characters of Password: Digits | Residual Password: Alpha-numeric
Workflow:
  1. Authenticate the last 6 characters of the password against the VIP cloud.
  2. If the authentication succeeds, perform an LDAP Bind with the residual password.
  3. If the authentication fails, perform an LDAP Bind with the full user input.

Password Example: 9876123456 | Last 6 Characters of Password: Digits | Residual Password: Digits
Workflow:
  1. Delegate the user input to the delegation server, as it is unlikely that the entire password will be numeric. This is an unlikely scenario.

Password Example: Pas5w0rd | Last 6 Characters of Password: Alpha-numeric | Residual Password: Alpha-numeric
Workflow:
  1. Authenticate the last 6 characters of the password against the VIP cloud.
  2. If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input.
  3. If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to a challenge response or an Out-of-Band (OOB) authentication.

Case B: A temporary passcode is not set for the user

Password Example: Password123456 | Last 6 Characters of Password: Digits | Residual Password: Alpha-numeric
Workflow:
  1. Delegate the user input to the delegation server, as it is unlikely that all of the last 6 characters of the LDAP password are numeric. This could be a case of RSA PIN + OTP. This is an unlikely scenario.

Password Example: 9876123456 | Last 6 Characters of Password: Digits | Residual Password: Digits
Workflow:
  1. Delegate the user input to the Delegation server, as it is unlikely that the entire password is numeric. This is an unlikely scenario.

Password Example: Pas5w0rd | Last 6 Characters of Password: Alpha-numeric | Residual Password: Alpha-numeric
Workflow:
  1. Strip the last 6 characters and authenticate them with the Cloud.
  2. If the authentication succeeds, the Cloud will ask the Validation Server to do an LDAP Bind with the residual user input.
  3. If the authentication fails, the Cloud will ask the Validation Server to do an LDAP Bind with the full user input. If the full input bind succeeds, it will lead to a challenge request or an Out-of-Band (OOB) authentication.
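
The routing rules for Authentication Method 1 above, rendered as a small simulation. This is an added example and not code from the article or from the VIP Enterprise Gateway; the VIP cloud, the LDAP directory and the delegation server are constructed in-memory stand-ins (Backends), and the two cases the tables do not list (input of 6 characters or fewer, and an alpha-numeric tail after an all-digit residual) are handled by delegating, which is an assumption. Every failed LDAP bind is recorded and counted, so an operator can see which credential string each bind uses and how many bad-password strikes one login attempt can cost, which is the concern raised in the Cause section.

```python
"""Simulation of the VIP Enterprise Gateway routing rules for Authentication
Method 1 (User ID + LDAP Password + Security Code), as tabulated above.
Constructed example: the VIP cloud, LDAP directory and delegation server are
in-memory stand-ins, not the product's APIs."""
from dataclasses import dataclass, field

OTP_LEN = 6  # the gateway treats the last 6 characters as the security code


def classify(chars: str) -> str:
    """The two character classes the tables use."""
    return "Digits" if chars.isdigit() else "Alpha-numeric"


@dataclass
class Backends:
    """Stand-ins for the three systems the gateway talks to. Each failed LDAP
    bind bumps bad_pwd_count, mirroring the badPwdCount increment in AD that
    the Cause section is concerned with."""
    valid_otp: str
    ldap_password: str
    bad_pwd_count: int = 0
    bind_log: list = field(default_factory=list)   # (password tried, succeeded)
    delegated: list = field(default_factory=list)  # raw inputs handed off

    def vip_cloud_check(self, code: str) -> bool:
        return code == self.valid_otp

    def ldap_bind(self, password: str) -> bool:
        ok = password == self.ldap_password
        self.bind_log.append((password, ok))
        if not ok:
            self.bad_pwd_count += 1
        return ok

    def delegate(self, user_input: str) -> str:
        self.delegated.append(user_input)
        return "delegated"


def method1(user_input: str, temp_passcode_set: bool, be: Backends) -> str:
    """Route one login attempt the way the Method 1 tables describe and
    return a short outcome label."""
    if len(user_input) <= OTP_LEN:
        # Assumption (not in the article): no residual password would remain,
        # so hand the input to the delegation server.
        return be.delegate(user_input)

    last6, residual = user_input[-OTP_LEN:], user_input[:-OTP_LEN]
    last6_kind, residual_kind = classify(last6), classify(residual)

    # Row 2 of both tables: an entirely numeric input is delegated.
    if last6_kind == "Digits" and residual_kind == "Digits":
        return be.delegate(user_input)
    # Row 1 of Case B: digits after an alpha-numeric password with no
    # temporary passcode set (possibly RSA PIN + OTP) is delegated.
    if last6_kind == "Digits" and not temp_passcode_set:
        return be.delegate(user_input)
    # Assumption: an alpha-numeric tail after an all-digit residual has no row
    # in the article; treat it like the other unlikely shapes and delegate.
    if last6_kind == "Alpha-numeric" and residual_kind == "Digits":
        return be.delegate(user_input)

    # Row 1 of Case A and row 3 of both cases: try the last 6 with the cloud.
    if be.vip_cloud_check(last6):
        return "bind-residual-ok" if be.ldap_bind(residual) else "bind-residual-failed"
    # Security code rejected: the bind is retried with the full user input.
    if be.ldap_bind(user_input):
        # Row 3 says a successful full-input bind leads to a challenge or OOB
        # step; row 1 of Case A does not say what follows, so label it plainly.
        return "challenge-or-oob" if last6_kind == "Alpha-numeric" else "bind-full-ok"
    return "bind-full-failed"


if __name__ == "__main__":
    for pw, temp in [("Password123456", True), ("Password123456", False),
                     ("9876123456", True), ("Pas5w0rd", True)]:
        fresh = Backends(valid_otp="123456", ldap_password="Password")
        print(f"{pw!r:18} temp_passcode={temp!s:5} -> {method1(pw, temp, fresh)}"
              f"  binds={fresh.bind_log} badPwdCount={fresh.bad_pwd_count}")
```

Running the module prints one line per sample input with the outcome, the bind attempts made and the resulting bad-password count; the same inputs as the article's examples can be swapped for real formats during a lockout investigation to see which branch a given input shape takes.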


Authentication Method 2: User ID – Security Code

Case A: A temporary passcode has been set for the user

Input Example: 123456
Workflow:
  1. Authenticate the user input with VIP Service. There is no need to delegate the user input to the Delegation server.

Input Example: Push secret (push/send)
Workflow:
  1. Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server.

Case B: A temporary passcode is not set for the user

Input Example: 123456
Workflow:
  1. Delegate the user input to the Delegation server.

Input Example: Push secret (push/send)
Workflow:
  1. Perform Out-of-Band (OOB) authentication. There is no need to delegate the user input to the Delegation server.


Authentication Method 3: User ID – Access PIN – Security Code

Case A: A temporary passcode is set for the user

Input Examples:
  • 123456
  • 1234123456
  • abcd123456
  • 1234
Workflow:
  1. If the Access PIN is set, then authenticate the user input with VIP Service. This may result in Out-of-Band (OOB) authentication.
  2. If the Access PIN is not set, then delegate the user input to the Delegation server.

Case B: A temporary passcode is not set for the user

Input Examples:
  • 123456
  • 1234123456
  • abcd123456
  • 1234
Workflow:
  1. If the Access PIN is set, and Out-of-Band (OOB) authentication is enabled, and the user has a valid OOB, then authenticate the user input with VIP Service.
  2. If the Access PIN is not set, then delegate the user input to the Delegation server.

Additional Information

Commonly seen error:

ERROR "2022-10-27 14:50:07.135 GMT-0400" 0.0.0.0 NA-E_MCCS:1820 0 0 "text=Residual Password failed for user [userid]." Thread-2483025664 VSAuthOTPStandardControllerImpl.cpp