Extending Privileged Access Management with MFA

Osirium Privileged Access Management (PAM) uses the principle of identity-in / role-out. This means that Osirium PAM authenticates users to prove their identity and then makes the onward role-based connection to systems, devices and applications. At no time does the user or their workstation/endpoint hold the actual credentials for the administrator role required on the target device or application.

Proving Identity

The first part of that process is the user proving they are who they say they are. Typically, this might be by providing a username and password which is validated against a system such as Active Directory to prove they have a valid and currently active user account. Increasingly, this identity validation is moving towards stronger authentication, often involving some form of “multi-factor” authentication, i.e. more than just a password is needed to prove identity.

Osirium PAM supports a number of MFA providers via the RADIUS interface. RADIUS is a standards-based interface for interacting with authentication systems, and OneLogin is a leader in this space, one we often encounter in our engagements with customers, which makes it a perfect complement to PxM. OneLogin provides the ‘Protect’ app for mobile devices for multi-factor authentication.

The Identity/Role Workflow

Authentication starts with a shared secret between client and server; this is used to prove that both the client and server are valid. Once validated, it is a request and challenge model. For password-style authentication, the username and password are passed to the RADIUS server. The response can be ACCEPT, REJECT or CHALLENGE, where CHALLENGE means ‘the provided data was correct, but here is another request for more data’. In the case of the ‘Protect’ app, just the username is passed, and this triggers a PUSH request to the app.

Since the app is already authenticated against OneLogin, if the user APPROVES the request, the approval flows back to the RADIUS server, which in turn responds to Osirium PAM with an ACCEPT.

There is always the possibility that the end-user is out of network coverage. In this case, they can use the ever-changing six-digit ‘offline’ authentication code, which is based on RFC 6238. This goes along with the username to the RADIUS server. The OneLogin side of the RADIUS server has the same code generator (the shared seed and clock defined by RFC 6238) and a reference to the time step of the last offline code it saw or used. If the offline code is correct and within the time tolerance, an ACCEPT is returned.

You can see the integration in operation in this demo by Osirium’s Tom Hills.

It’s about what you know

Using OneLogin and Osirium PAM together provides a secure link between ID and ROLE. It works on the basis of something about you, something you know, and something you have:

  • Your relationship with OneLogin based on the app registration.
  • Your username.
  • Your mobile phone.

If you’d like to know more about OneLogin integration or integration with other MFA providers, please get in touch.
