Gemalto's authentication server is called Protiva. It is a global authentication solution which, in particular, provides OTP (One Time Password) authentication.
The integration is very simple: the protocol used between IAG and the Protiva server is RADIUS, so we only need to change a few things.
Step 1: In IAG, create a RADIUS repository and also create an AD repository called “ADRepository” (the name can be different).
Step 2: Add an OTP field to IAG’s authentication page
First, we want to add an “OTP” field to the IAG authentication banner. To do so, create a <Trunk><0/1>loginForm.inc file in CustomUpdate.
The content of this file is the following:
As you can see, we add a new “field” called J_PASSWORD.
Step 3: Save the password before RADIUS authentication
Before authentication takes place, we “save” the password value in a server session variable. During the IAG/Protiva exchange we use the RADIUS protocol, and RADIUS only knows two fields: login and password. It has no OTP field. To transport login, password and OTP together, we concatenate OTP+Password and send the result in the RADIUS “password” field.
If IsSessionAuthenticated(g_cookie) = false Then
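As an added example (not part of the original post, and not Protiva's or IAG's own code), the Python block below shows the RADIUS side of Step 3: the OTP+Password concatenation, the RFC 2865 User-Password hiding that every RADIUS client applies before the value goes on the wire, and the 128-byte limit that the concatenated value must respect. The shared secret, user name and credentials are constructed values.

```python
import hashlib
import os
import struct

# Constructed values for the example; not from the original page.
SHARED_SECRET = b"example-shared-secret"
MAX_USER_PASSWORD = 128  # RFC 2865: User-Password carries at most 128 octets

def combine_credentials(otp: str, password: str) -> bytes:
    """Concatenate OTP+Password in the order the page describes, and refuse
    a combination that cannot fit into a single User-Password attribute."""
    combined = (otp + password).encode("utf-8")
    if not combined:
        raise ValueError("empty credentials")
    if len(combined) > MAX_USER_PASSWORD:
        raise ValueError(f"OTP+password is {len(combined)} bytes, limit is {MAX_USER_PASSWORD}")
    return combined

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator. This hides the value; it is not encryption
    in the modern sense, which is why the shared secret must stay secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password, i.e. what the RADIUS server computes.
    Trailing NUL padding is stripped (a password ending in NUL is not supported)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username: str, otp: str, password: str,
                         identifier: int = 1, secret: bytes = SHARED_SECRET,
                         authenticator: bytes = None) -> bytes:
    """Access-Request (code 1) carrying User-Name (1) and the hidden User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    hidden = encode_user_password(combine_credentials(otp, password), secret, authenticator)
    attrs = attribute(1, username.encode("utf-8")) + attribute(2, hidden)
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
```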
Step 4: Ask IAG to also authenticate against AD
The PostPostValidate event occurs “after” authentication has succeeded. What we do here is simply preload credentials in memory for the repository called “ADRepository”. As you can see, we preload the “user_name” of the user, and also the user password, taken from the variable we created in the “Prevalidate” event.
Step 5: IAG’s URL Set
By default, IAG’s firewall refuses any parameter sent to validate.asp (the IAG authentication page) that is not explicitly specified. Because we added a new “J_password” field, we need to add this new value.
In the IAG console, in the rule set, add the “j_password” variable for validate.asp.
Activate the configuration with the checkbox, and it will work fine.
Optional 1: Display Protiva in the list of authentication types
By default, “Protiva server” does not appear in the list of directories, simply because it works on top of RADIUS.
If for any reason (pre-sales, internal reasons) you want to have it in the list, you can make this tiny modification.
On the IAG server, go to C:\Whale-Com\e-Gap\von\conf\CustomUpdate and create (or modify) repositorytype.xml.
Add this description, which defines a new repository “type” for IAG.
As you can see, it is still RADIUS, but “Gemalto Protiva” will appear in the list.
You must exit the IAG console and re-run it after activation (with the checkbox) to see this new repository in the list.
Optional 2: SA Server configuration
Locate these fields
… and update the value based on your scenario (long or short name).