30 July 2019

Multi-Factor Authentication: Osirium PAM and OneLogin

Andy Harris

Extending Privileged Access Management with MFA

Osirium PAM delivers Privileged Access Management (PAM) using the principle of identity-in / role-out: Osirium PAM authenticates the user to prove their identity and then makes the onward, role-based connection to the target system, device or application. At no point does the user or their workstation/endpoint hold the actual credentials for the administrator role on the target.

Proving Identity

The first part of that process is the user proving they are who they say they are. Typically, this might be by providing a username and password which is validated against a system such as Active Directory to prove they have a valid and currently active user account. Increasingly, this identity validation is moving towards stronger authentication, often involving some form of “multi-factor” authentication, i.e. more than just a password is needed to prove identity.

Osirium PAM supports a number of MFA providers via the RADIUS interface. RADIUS is a standards-based protocol (RFC 2865) for talking to authentication servers, and OneLogin, a leader in this space that we often encounter in customer engagements, makes a natural complement to Osirium PAM (PxM). OneLogin provides the ‘Protect’ app for mobile devices for multi-factor authentication.

The Identity/Role Workflow

A RADIUS client (here Osirium PAM) and server are configured with a shared secret. The secret itself is never sent on the wire; it is mixed into the MD5-based Response Authenticator on every reply, and into the obfuscation of the User-Password attribute, so each side can check that the other holds it. Once that is in place the protocol is a request and challenge model: the client sends an Access-Request, and the server answers Access-Accept (ACCEPT), Access-Reject (REJECT) or Access-Challenge (CHALLENGE), where CHALLENGE means ‘the data provided so far was correct, but here is a request for more’. For password-style authentication the username and password are carried in the Access-Request. In the case of the ‘Protect’ app only the username is sent, and that triggers a PUSH notification to the app. Because MD5 under the shared secret is all that protects the password on the wire, RADIUS traffic should stay on a trusted network segment or be tunnelled (for example RadSec, RADIUS over TLS).

Since the app is already enrolled with OneLogin, if the user taps APPROVE the approval flows back to the RADIUS server, which in turn responds to Osirium PAM with an ACCEPT. If the request is not approved, the response is a REJECT and no onward connection is made.
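The exchange described above, as an added example that is not code from Osirium or OneLogin: Osirium PAM's side builds an RFC 2865 Access-Request with User-Name and an obfuscated User-Password, the toy server (a stand-in for the OneLogin RADIUS endpoint) answers CHALLENGE when the password is right, and the second leg carries the server's State attribute together with the push approval, which yields ACCEPT. The client checks the Response Authenticator on every reply, so a forged packet without the shared secret is rejected rather than mistaken for an ACCEPT. The usernames, password, shared secret and the `push_approved` callback that stands in for the user tapping APPROVE are all constructed for this example.

```python
"""Minimal RFC 2865 RADIUS round trip: PAM as client, a toy MFA server.
Constructed example; not Osirium or OneLogin code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1) Value; Length includes the 2 header bytes.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\0").decode(errors="replace")


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


class ToyRadiusServer:
    """Stand-in for the OneLogin RADIUS endpoint (constructed). push_approved(user)
    simulates the user tapping APPROVE in the Protect app."""

    def __init__(self, secret, users, push_approved):
        self.secret, self.users, self.push_approved = secret, users, push_approved
        self.pending = {}  # State value -> user awaiting push approval

    def reply(self, code, ident, request_auth, attrs):
        auth = response_authenticator(code, ident, request_auth, attrs, self.secret)
        return pack(code, ident, auth, attrs)

    def handle(self, pkt):
        code, ident, request_auth, attrs = unpack(pkt)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_NAME not in a:
            return self.reply(ACCESS_REJECT, ident, request_auth, [])
        user = a[USER_NAME].decode()
        if STATE in a:  # second leg: the answer to our earlier CHALLENGE
            ok = self.pending.pop(a[STATE], None) == user and self.push_approved(user)
            return self.reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [])
        if user not in self.users:
            return self.reply(ACCESS_REJECT, ident, request_auth, [])
        if USER_PASSWORD in a:  # password-style first leg
            if reveal_password(a[USER_PASSWORD], self.secret, request_auth) != self.users[user]:
                return self.reply(ACCESS_REJECT, ident, request_auth, [])
            state = os.urandom(8)
            self.pending[state] = user
            return self.reply(ACCESS_CHALLENGE, ident, request_auth,
                              [(REPLY_MESSAGE, b"Approve the push in OneLogin Protect"),
                               (STATE, state)])
        # username-only leg (Protect push): trigger the push straight away
        ok = self.push_approved(user)
        return self.reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [])


def client_request(server, secret, ident, user, password=None, state=None):
    """One Access-Request/response; verifies the Response Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode())]
    if password is not None:
        attrs.append((USER_PASSWORD, hide_password(password, secret, request_auth)))
    if state is not None:
        attrs.append((STATE, state))
    resp = server.handle(pack(ACCESS_REQUEST, ident, request_auth, attrs))
    code, rident, auth, rattrs = unpack(resp)
    if rident != ident or auth != response_authenticator(code, rident, request_auth, rattrs, secret):
        raise ValueError("Response Authenticator mismatch: reply is not from our RADIUS server")
    return code, dict(rattrs)


def login(server, secret, user, password=None):
    """Runs the full flow (first leg, optional CHALLENGE, second leg); returns the final code."""
    code, attrs = client_request(server, secret, 1, user, password)
    if code == ACCESS_CHALLENGE:  # password accepted; now satisfy the push factor
        code, attrs = client_request(server, secret, 2, user, state=attrs[STATE])
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    srv = ToyRadiusServer(SECRET, {"alice": "correct horse"}, push_approved=lambda u: u == "alice")
    print(login(srv, SECRET, "alice", "correct horse"))  # 2 (ACCEPT)
    print(login(srv, SECRET, "alice", "wrong"))          # 3 (REJECT)
```

The State attribute is what ties the second Access-Request back to the challenge; the toy server stores it per user and a reply with a State it never issued is rejected. Swapping the client's secret for the wrong one makes the server reject the password and, more importantly, makes the client refuse the reply because the Response Authenticator no longer verifies.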

There is always the possibility that the end user is out of network coverage. In that case they can use the ever-changing six-digit ‘offline’ authentication code, a time-based one-time password (TOTP) as defined in RFC 6238, which is sent along with the username to the RADIUS server. The OneLogin side holds the same secret seed, so it can compute the same code for the current time step; it also records the time step of the last code it accepted, so a code that has already been used cannot be replayed. If the offline code is correct, within the clock-drift tolerance and not already used, an ACCEPT is returned.
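The offline-code check described above, as an added example that is not OneLogin's implementation: an RFC 6238 TOTP generator (the phone side) and a verifier (the server side) that shares the seed, tolerates one 30-second step of clock drift in either direction, and remembers the last accepted time step so the same code cannot be replayed inside its validity window. The seed is the RFC 6238 Appendix B test seed, used here so the generated codes can be checked against the RFC's own vectors; the window size is an assumption.

```python
"""RFC 6238 TOTP with drift window and replay protection.
Constructed example; not OneLogin code."""
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # the 'six-digit' offline code


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP):
    """What the Protect app computes on the phone: HOTP over the current time step."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server side: same seed, a small drift window, and the last accepted
    time step so an already-used code is refused (RFC 6238 section 5.2)."""

    def __init__(self, secret, window=1, step=STEP):
        self.secret, self.window, self.step = secret, window, step
        self.last_step = -1  # assumption: nothing accepted yet

    def verify(self, code, now):
        current = int(now // self.step)
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # RFC 6238 Appendix B test seed (SHA1)
    print(totp(SEED, 59))            # 287082 (last six digits of the RFC's 94287082)
    v = TotpVerifier(SEED)
    print(v.verify(totp(SEED, 1234567890), 1234567890))       # True
    print(v.verify(totp(SEED, 1234567890), 1234567890 + 5))   # False: replay
```

Treating every step at or below the last accepted one as spent is what closes the replay hole: a code intercepted and resent a few seconds later is still inside its 30-second step, and only the server's memory of that step stops it.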

You can see the integration in operation in this demo by Osirium’s Tom Hills.

It’s about what you know

Using OneLogin and Osirium PAM together provides a secure link between ID and ROLE. It rests on something about you, something you know and something you have:

  • Your relationship with OneLogin, established when the Protect app was enrolled against your account.
  • Your username (and your password, where password-style authentication is used).
  • Your mobile phone, which carries the enrolled app and generates the offline codes.

A push prompt is only as strong as the habit of approving only prompts you triggered yourself; an unexpected prompt should be declined.

If you’d like to know more about OneLogin integration or integration with other MFA providers, please get in touch.
