Authentication Policy for Delinea Services

You can enable users to perform certain tasks related to their accounts.

To access and enable the Delinea Services options:

  1. Log in to Admin Portal, click Access > Policies, and select the policy set.
  2. Click Authentication > Delinea Services.
  3. Select Yes in the "Enable authentication policy controls" drop-down.

Once enabled, you can configure the following options:

Authentication Rules

| Available Settings | Description |
| --- | --- |
| Authentication Rules | Build rules to define conditions for authentication challenge requirements. Each rule maps to a customizable authentication profile. The default profile is used if no rules are configured. |
| Default Profile | The profile Delinea PAS uses if no profile is added/selected. |

Session Parameters

| Available Settings | Description |
| --- | --- |
| Hours until session expires (default 12) | The number of hours that Privileged Access Service accepts a previous login from the same browser for authentication. |
| Allow 'Keep me signed in' checkbox option at login (session spans browser sessions) | Enables the option to select 'Keep me signed in' at login. |
| Default 'Keep me signed in' checkbox option to enabled | Makes the 'Keep me signed in' checkbox enabled by default for users. |
| Hours until session expires when 'Keep me signed in' option enabled (default 2 weeks) | The number of hours until the session expires when the 'Keep me signed in' option is enabled. The default is 2 weeks. |

Additional Delinea Services Parameters

| Available Settings | Description |
| --- | --- |
| Allow IWA connections (bypasses authentication rules and default profile) | Allows Delinea PAS to bypass already configured authentication rules and default authentication profiles when IWA is configured. This option is configured by default. |
| Set identity cookie for IWA connections | Enables Delinea PAS to write a cookie in the current browser after a successful IWA-based login. Delinea PAS checks the browser for this cookie when the user logs in to the Admin Portal. As long as the cookie is there, the user is not prompted for multi-factor authentication. |
| IWA connections satisfy all MFA mechanisms | Tells Privileged Access Service to allow IWA to override all application-specific authentication requirements. |
| Use certificates for authentication | Allows you to use certificates for authentication. |
| Certificate authentication bypasses authentication rules and default profile | When this setting is disabled, an Authentication Rule that contains a "Certificate Authentication" filter will challenge users with the selected Authentication Profile after certificate authentication succeeds. |
| Set identity cookie for connections using certificate authentication | Allows you to log in using smart cards and another authentication method. |
| Connections using certificate authentication satisfy all MFA mechanisms | Connections using certificate authentication satisfy all MFA mechanisms. |
| Allow users without a valid authentication factor to log in | Exempts users from multi-factor authentication when their account does not have a mobile phone number and email address. |
| Apply additional authentication rules to federated users | When enabled, additional authentication rules are applied to federated users. Federated IDP authentication satisfies the password mechanism in these cases. |
| Connections via Federation satisfy all MFA mechanisms | When enabled, a user who is successfully authenticated via Federation is not challenged with additional MFA mechanisms. |
| Allow additional authentication from same device | Disabling this option blocks all authentication methods to the same device except Password, Email, Security Questions, and 3rd Party RADIUS. |
| Continue with additional challenges after failed challenge | Notifies users of a failed authentication after the first failed challenge. |
| Do not send challenge request when previous challenge response failed | Configures Delinea PAS to handle the default MFA behavior (allowing users to step through all the relevant MFA challenges before they are notified of their failed authentication attempt) differently based on the challenge type. |
| Remember and suggest last used authentication factor | Remembers the last used authentication method. |
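
The following added example (not Delinea code) shows one way to review a policy set for login paths that can finish without an MFA challenge, and for session lifetimes longer than the defaults, using only the setting descriptions above. The dictionary keys are hypothetical names for those settings; this page documents the Admin Portal UI, not an export format.

```python
# Added example. The keys are hypothetical names for the settings described
# on this page; no real export format or API is implied.
PAGE_DEFAULT_HOURS = {"session_hours": 12, "keep_signed_in_hours": 14 * 24}

def login_path_review(policy):
    """Map each login path to the reasons it can finish without an MFA challenge."""
    on = lambda key: bool(policy.get(key))
    paths = {"iwa": [], "certificate": [], "federation": [], "users_without_factor": []}
    # Assumption: IWA and certificate sub-options only matter when the parent
    # option that allows that connection type is enabled.
    if on("allow_iwa"):
        paths["iwa"].append("bypasses authentication rules and default profile")
        if on("iwa_identity_cookie"):
            paths["iwa"].append("identity cookie: no MFA prompt while it is present")
        if on("iwa_satisfies_all_mfa"):
            paths["iwa"].append("overrides application-specific requirements")
    if on("use_certificates"):
        if on("cert_bypasses_rules"):
            paths["certificate"].append("bypasses authentication rules and default profile")
        if on("cert_satisfies_all_mfa"):
            paths["certificate"].append("satisfies all MFA mechanisms")
    if on("federation_satisfies_all_mfa"):
        paths["federation"].append("satisfies all MFA mechanisms")
    if on("allow_users_without_factor"):
        paths["users_without_factor"].append("exempt when no phone number and email")
    return {path: reasons for path, reasons in paths.items() if reasons}

def session_review(policy):
    """Return {setting: (configured, default)} for lifetimes above the page defaults."""
    longer = {}
    for key, default in PAGE_DEFAULT_HOURS.items():
        if key == "keep_signed_in_hours" and not policy.get("allow_keep_signed_in"):
            continue  # 'Keep me signed in' is not offered, so its lifetime is unused
        hours = policy.get(key, default)
        if hours > default:
            longer[key] = (hours, default)
    return longer

# Constructed sample policy set, not taken from a real tenant.
SAMPLE_POLICY = {
    "allow_iwa": True, "iwa_identity_cookie": True, "iwa_satisfies_all_mfa": False,
    "use_certificates": False, "cert_satisfies_all_mfa": True,
    "federation_satisfies_all_mfa": True, "allow_users_without_factor": False,
    "session_hours": 24, "allow_keep_signed_in": False, "keep_signed_in_hours": 720,
}

if __name__ == "__main__":
    for path, reasons in login_path_review(SAMPLE_POLICY).items():
        print(f"{path}: " + "; ".join(reasons))
    print(session_review(SAMPLE_POLICY))
```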