Identity Policies

To enable MFA on the Delinea Platform, you must set up identity policies and assign them to users. An identity policy determines whether and when a user is presented with the challenges specified in the associated Authentication profile (see Authentication Profiles). Identity policies apply to all web log-ins to the Delinea Platform.

Users can also log on to the platform using MFA on the Delinea Mobile application. For more information, see the following: Delinea Mobile Overview, Delinea Mobile Log in Process, Delinea Mobile Login Flow.

When creating a policy enabling a user to select or modify their authentication challenges (such as phone call, SMS, or FIDO2), do not require the user to complete the same challenge they are trying to set up. For example, when creating a policy enabling a user to select FIDO2 as an authentication challenge, do not use a profile that requires the user to complete the FIDO2 challenge. If you create such a defective policy, the user will be presented with the following error message: "Authentication Challenge Required. Cannot start step-up authentication flow. User does not have the attributes required to log in. Please contact your administrator."

Create and Assign an Identity Policy

  1. Click Access from the left navigation, then click Identity Policies.

  2. Click Add Policy.

  3. Optional: Select the box next to State if you wish to activate the policy.

  4. Fill in the fields:

    • Name: (required) The name must be unique on the platform.
    • Description: (optional) The description should make it easy for others to identify the purpose of the policy.
  5. At the top, select the Enabled checkbox if you wish to activate the policy.


  6. Next to Policy assignment, choose Specific groups. You can then apply the policy to specific users, groups, or service groups, tailoring the policy to the unique needs of different departments within your organization.

    If you select Global, the policy will apply to all users, groups, and service groups across the entire tenant. A Global policy can lock you and everyone else out of the platform, so choose this option with great care.

  7. Click Next.

  8. Search for a group or select one or more groups from the list.

  9. Click Add to create the policy.

For optimal policy implementation, consider assigning a new policy to a small test user group initially, before assigning it for real-world use. This approach allows you to recover gracefully from issues that might arise, with minimal impact.

Create a Conditional Access Policy

In some scenarios, a platform admin might need to allow platform log in access for specific groups while denying that access to other groups. For example, this functionality could improve the organization's security and compliance when integrating Active Directory into the platform.

On the Delinea Platform, a platform admin can set up this functionality using a combination of specific profile and policy settings.

If you select Deny platform authentication in the Default profile drop-down, and you configure no authentication rules in the next section, users will not be able to log in to the platform. This can be an efficient way to restrict users from gaining access to the platform.

To ensure that not ALL users are prevented from logging into the platform, make sure you assign some users appropriate log in policies and verify that those users can log in as expected.

Steps

  1. Create a new policy with an intuitive name, such as Disallow Login Policy.

  2. On the Authentication tab next to Default authentication profile, select Deny platform authentication from the drop-down.

  3. Configure no authentication rules.

  4. Apply the policy to users you wish to prevent from logging into the platform.

  5. Move the Disallow Login Policy you created to the bottom of the list so that it is evaluated last, because the platform searches policies for rules in stack-ranked order. All policies above it should target the groups of users that need access to log in to the platform.

The policy and policy order create conditional access where only the Active Directory group users are granted access, and all other users, per the Global assignment, are not allowed to log in.
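The following Python model is an added illustration, not Delinea's code or API, of two points on this page: the stack-ranked policy evaluation just described (a Global deny-all policy must sit at the bottom, otherwise it shadows every group policy above which it is ranked), and the circular enrollment-profile mistake from the introduction (a profile that requires FIDO2 gating the ability to enroll FIDO2). Everything here is assumed: the first enabled policy assigned to the user is taken to decide the outcome (the first matching rule's profile, otherwise the policy's default profile), and all policy, profile, group and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

# The Default profile value named on the page that blocks platform login.
DENY_PROFILE = "Deny platform authentication"


@dataclass(frozen=True)
class Profile:
    name: str
    challenges: tuple = ()           # challenge names the profile demands, e.g. ("Password", "FIDO2")


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    name: str
    profile: Profile
    matches: Callable[[User], bool]  # hypothetical filter/condition, e.g. membership in a group


@dataclass
class Policy:
    name: str
    assignment: str                  # "Global" or "Specific groups", the two choices on the page
    default_profile: Profile
    groups: FrozenSet[str] = frozenset()
    rules: List[Rule] = field(default_factory=list)
    enabled: bool = True

    def applies_to(self, user: User) -> bool:
        if not self.enabled:
            return False
        return self.assignment == "Global" or bool(self.groups & user.groups)


def evaluate(policies: List[Policy], user: User) -> Optional[str]:
    """Walk the list top to bottom (stack-ranked order) and return the name of the
    profile that governs this user's login. Assumption modelled from the page: the
    first enabled policy assigned to the user decides, using the first rule whose
    condition matches, otherwise that policy's default profile."""
    for policy in policies:
        if not policy.applies_to(user):
            continue
        for rule in policy.rules:
            if rule.matches(user):
                return rule.profile.name
        return policy.default_profile.name
    return None  # no policy assigned to the user; the page does not describe this case


def shadowed_by_global_deny(policies: List[Policy]) -> List[str]:
    """Names of enabled policies ranked below a Global deny-all policy (Deny default
    profile, no rules). They can never trigger: this is the lockout the page warns about."""
    shadowed: List[str] = []
    deny_seen = False
    for policy in policies:
        if deny_seen and policy.enabled:
            shadowed.append(policy.name)
        if (policy.enabled and policy.assignment == "Global"
                and policy.default_profile.name == DENY_PROFILE and not policy.rules):
            deny_seen = True
    return shadowed


def enrollment_profile_is_circular(factor: str, required_profile: Profile) -> bool:
    """True when the profile gating enrollment of `factor` itself demands `factor`,
    the configuration the page says yields 'Authentication Challenge Required'."""
    return factor in required_profile.challenges


# Constructed sample configuration; policy, profile, group and user names are illustrative.
PASSWORD_EMAIL = Profile("Password + Email", ("Password", "Email"))
PASSWORD_FIDO2 = Profile("Password + FIDO2", ("Password", "FIDO2"))
DENY = Profile(DENY_PROFILE)

AD_ADMINS_POLICY = Policy(
    "AD Admins Login Policy", "Specific groups", PASSWORD_EMAIL,
    groups=frozenset({"AD-Admins"}),
    rules=[Rule("Tier-0 admins need a hardware key", PASSWORD_FIDO2,
                lambda u: "AD-Admins-Tier0" in u.groups)],
)
DISALLOW_POLICY = Policy("Disallow Login Policy", "Global", DENY)

CORRECT_ORDER = [AD_ADMINS_POLICY, DISALLOW_POLICY]   # deny-all at the bottom, as the page advises
WRONG_ORDER = [DISALLOW_POLICY, AD_ADMINS_POLICY]     # deny-all at the top shadows everything

ALICE = User("alice", frozenset({"AD-Admins", "AD-Admins-Tier0"}))
CAROL = User("carol", frozenset({"AD-Admins"}))
BOB = User("bob", frozenset({"Contractors"}))

if __name__ == "__main__":
    for label, order in (("deny at bottom", CORRECT_ORDER), ("deny at top", WRONG_ORDER)):
        print(label, {u.name: evaluate(order, u) for u in (ALICE, CAROL, BOB)},
              "shadowed:", shadowed_by_global_deny(order))
    print("FIDO2 enrollment gated by a FIDO2 profile:",
          enrollment_profile_is_circular("FIDO2", PASSWORD_FIDO2))
```

With the deny-all policy at the bottom, alice gets the FIDO2 profile, carol the email profile, and bob is denied; with the same two policies in the opposite order everyone is denied, which `shadowed_by_global_deny` reports before anyone is locked out. Run the same kind of check against the small test group the page recommends before widening a policy's assignment.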

Update an Identity Policy

  1. Click Access from the left panel, then click Identity Policies.

  2. Click the policy you want to edit.

    The policy page opens to the Overview tab, which displays the policy state, name, and description.

  3. Click Edit.

  4. If you want the policy to be active, select the box next to Enabled if it is not already selected.

  5. Update the Name and Description fields as desired.

  6. To update the group policy assignment:

    1. Click the Policy assignment tab.

    2. Click Edit.

    3. Click Assign Groups.

    4. Search for or select one or more groups from the list.

    5. Click Assign.

    6. To unassign a group from the policy, select the policy and click the trash icon next to the group name.

  7. Click Save.

Authentication

Click the Authentication tab. The tab displays information on the policy's Services, Authentication Rules, Browser Session Parameters, Delinea Mobile Application Session Parameters, and Other Settings.

Services

  1. In the Services section, click Edit.

  2. For Enable authentication policy controls, select the box next to Enabled.

  3. Select a default profile from the dropdown options.

    If you select Deny platform authentication from the Default authentication profile drop-down, and you configure no authentication rules in the next section, users will not be able to log in to the service.

  4. Click Save.

Once you enable authentication policy controls, you can configure the rest of the policy options on the same page.

Authentication Rules

Build rules to define conditions for authentication challenge requirements. Each rule maps to a customizable authentication profile. The default profile is used if no rules are configured.

  1. In the Authentication Rules section, click Edit.

  2. Click Add rule.


  3. Enter a Name for your new authentication rule.

  4. Select an Authentication profile to associate with the rule.

  5. Click Add new filter.

  6. Select the desired Filter.

  7. Select the desired Condition.

  8. Click Save.

  9. Add more filters as desired.

  10. After adding filters, click Add. Your new rule appears on the Authentication Rules page, with its name and authentication profile displayed.

Available settings:

  • Authentication Rules
    Build rules to define conditions for authentication challenge requirements. Each rule maps to a customizable authentication profile. The default profile is used if no rules are configured.

  • Default Profile
    The profile the platform uses if no profile is added or selected. New profiles can be added from here or from Settings > Authentication Profiles.

Browser Session Parameters

  1. In the Browser Session Parameters section, click Edit.
  2. Use the following settings to make your selections, then click Save.

    • Allow 'Keep me logged in' checkbox option at login (session spans browser sessions)
      Enables the user to select Keep me logged in at login. Persists session cookies across browser sessions.

    • Session Length (in Hours) when 'Keep me logged in' option enabled
      Number of hours the session persists for users who selected the "Keep me logged in" checkbox. Default = 12 hours, minimum value = 1 hour, maximum value = 24 hours.

    • User Idle Timeout
      The value is set in minutes. It controls the idle time before the user's session expires. Default = 15 minutes, minimum value = 1 minute, maximum value = 720 minutes.

The platform's User Idle Timeout for browser sessions applies equally to PRA sessions. You cannot modify user idle timeout settings specifically for PRA connections.

Delinea Mobile Application Session Parameters

  1. In the Delinea Mobile Application Session Parameters section, click Edit.
  2. Use the following setting to make your selection, then click Save.

    • Session Length (Days)
      Applicable to the Delinea Mobile App only. This setting keeps the user's session alive on the mobile app. When the session length is reached, the user must authenticate with the platform again. Default = 14 days, minimum value = 1 day, maximum value = 90 days.

Other Settings

In the Other Settings section, click Edit.

Use the following information to make your selections, then click Save.

IWA Connections

  • Allow IWA Connections (bypasses authentication rules and default profile)
    Allows the platform to bypass already configured authentication rules and default authentication profiles when IWA is configured. This option is enabled by default.

    • Set identity cookie for IWA Connections
      Enables the platform to write a cookie in the current browser after a successful IWA-based log in. The platform checks the browser for this cookie when the user logs in to the platform. As long as the cookie is there, the user is not prompted for multi-factor authentication.

    • IWA Connections satisfy all MFA mechanisms
      Optional. Configure Delinea Platform to use IWA to override all application-specific authentication requirements.

Other

  • Allow users without a valid authentication factor to log in
    Exempts users from multi-factor authentication when their account does not contain a mobile phone number and email address, and therefore cannot satisfy the applied policies.

  • Platform log in via federation satisfies all MFA mechanisms
    Enabled by default. If a user is successfully authenticated through Federation, they will not be required to complete additional MFA steps.

  • Allow additional authentication from same device
    Disable this option to block all authentication methods to the same device except Password, Email, Security Questions, and 3rd Party RADIUS.

  • Continue with additional challenges after failed challenge
    Notifies users of a failed authentication after the first failed challenge.

    • Do not send challenge request when previous challenge response failed
      Overrides the default MFA behavior (users step through all the relevant MFA challenges before being notified that the authentication attempt failed) on a per-challenge-type basis, so that no further challenge is sent once a challenge response has failed.

  • Remember and suggest last used authentication factor
    Remember the authentication method that was used most recently.

User Security

Click the User Security tab, where you can configure settings under sub-tabs for Self Service, Password Settings, OATH OTP, RADIUS, User Account Settings, and Authentication Settings.

Self Service

  1. Click the Self Service sub-tab.

  2. Click Edit, then select Enabled.

  3. Click Save.

The page displays three configuration areas:

  • Password Reset
  • Account Unlock
  • Additional Policy Parameters

Password Reset

  1. Click Edit.

  2. Password reset status: select Enabled.

  3. Select one or more of the checkboxes:

    • Allow for Active Directory Users
    • Only allow from browsers with identity cookie
    • User must log in after successful password reset
  4. Password reset authentication profile: Select Default Password Reset Profile from the drop-down. When a user clicks "forgot password" at the platform log in page, the Default Password Reset Profile presents the user with one or two non-password challenges. When the user meets these challenges, the user is presented with the reset password workflow.

  5. Maximum consecutive password reset attempts per session: Select the desired number of reset attempts from the dropdown list.

Account Unlock

  1. Account unlock status: select Unlocked.

  2. Account Unlock Parameters: Select one or more checkboxes:

    • Allow account unlock for Active Directory Users

    • Only use account unlock from browsers with identity cookie

    • Show a message to end users in desktop login that account is locked (default: no)

  3. Account unlock authentication profile: Select a profile from the dropdown list.

  4. If you checked Allow account unlock for Active Directory Users, you can choose a setting in Active Directory self service settings:

    • Use connector running on privileged account
    • Use these credentials
  5. If you select Use these credentials, fill in the fields for Admin User Name and Admin User Password.


  6. Click Save.

Additional Policy Parameters

  1. Click Edit.

  2. Select the desired options from the dropdown menus:

    • Maximum forgotten password resets allowed within window (default: 10)
    • Capture window for forgotten password resets (default: 60 minutes)


  3. Click Save.

Password Settings

  1. Click the Password Settings sub-tab. The following fields are displayed:

    • Password Requirements
    • Display Requirements
    • Additional Requirements
    • Password Age
    • Capture Settings

Password Requirements

  1. Click Edit.


  2. Make your selections for Password Length and Password Complexity Requirements.

  3. Click Save.

Display Requirements

  1. Click Edit.


  2. Make your choices for the following:

    • Show password complexity requirements when entering a new password (default: no)
    • Password complexity requirements for directory services other than Delinea Directory
  3. Click Save.

Additional Settings

  1. Click Edit.


  2. Make your selections from the drop-down lists:

    • Check against weak password

    • Allow username as part of password

    • Allow display name as part of password

    • Require at least one Unicode character

    • Limit the number of consecutive repeated characters

  3. Click Save.

Password Age

  1. Click Edit.


  2. Make your selections for Password Age Parameters and Password Expiration Notification.

  3. Click Save.

Capture Settings

  1. Click Edit.


  2. Make your selections from the dropdown lists:

    • Maximum consecutive bad password attempts allowed within window (default: off)

    • Capture window for consecutive bad password attempts (default: 30 minutes)

    • Lockout duration before password re-attempt allowed (default: 30 minutes)

  3. Click Save.
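The three Capture Settings above define a sliding-window lockout. The following Python model is an added illustration of how those settings interact, not Delinea's implementation: it replays a constructed sequence of login events for one account through an attempt limit, a capture window and a lockout duration. The page leaves the exact counting semantics unstated, so the model assumes that a failure counts while it is no older than the capture window, that reaching the limit locks the account for the lockout duration, that attempts made while locked are refused without being counted, and that a successful login clears the counter. The window and lockout defaults are the page's 30 minutes; the limit of 5 attempts is an illustrative value because the page's default for that setting is off.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class CaptureSettings:
    """The three Capture Settings from the page. Defaults mirror the page: the attempt
    limit is off, the capture window and lockout duration are 30 minutes."""
    max_bad_attempts: Optional[int] = None        # None means "off"
    capture_window: timedelta = timedelta(minutes=30)
    lockout_duration: timedelta = timedelta(minutes=30)


class AccountLockout:
    """Sliding-window bad-password counter for one account (assumed semantics; see comments)."""

    def __init__(self, settings: CaptureSettings) -> None:
        self.settings = settings
        self.failures: Deque[datetime] = deque()
        self.locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Count a bad password at `now`; return True if it triggers a lockout."""
        s = self.settings
        if s.max_bad_attempts is None:        # limit off: nothing is ever locked
            return False
        while self.failures and now - self.failures[0] > s.capture_window:
            self.failures.popleft()           # assumption: failures older than the window expire
        self.failures.append(now)
        if len(self.failures) >= s.max_bad_attempts:
            self.locked_until = now + s.lockout_duration
            self.failures.clear()
            return True
        return False

    def record_success(self) -> None:
        self.failures.clear()                 # assumption: a good login resets the counter


def replay(log: str, settings: CaptureSettings) -> Dict[str, object]:
    """Replay constructed auth events ('<ISO timestamp> <user> FAIL|OK') for one account
    and return the per-event outcome plus the final lockout expiry, if any."""
    state = AccountLockout(settings)
    events: List[Tuple[str, str]] = []
    for line in log.strip().splitlines():
        stamp, _user, result = line.split()
        now = datetime.fromisoformat(stamp)
        if state.is_locked(now):
            outcome = "rejected_locked"       # assumption: refused and not counted while locked
        elif result == "OK":
            state.record_success()
            outcome = "ok"
        elif state.record_failure(now):
            outcome = "locked_out"
        else:
            outcome = "fail"
        events.append((stamp, outcome))
    return {"events": events, "locked_until": state.locked_until}


# Constructed sample log: the three early failures age out of the 30-minute window,
# the five between 09:40 and 09:50 trigger the lockout, the 10:15 attempt hits the lock.
SAMPLE_LOG = """
2024-05-01T09:00:00 bob FAIL
2024-05-01T09:05:00 bob FAIL
2024-05-01T09:10:00 bob FAIL
2024-05-01T09:40:00 bob FAIL
2024-05-01T09:41:00 bob FAIL
2024-05-01T09:42:00 bob FAIL
2024-05-01T09:45:00 bob FAIL
2024-05-01T09:50:00 bob FAIL
2024-05-01T10:15:00 bob FAIL
2024-05-01T10:25:00 bob OK
"""

if __name__ == "__main__":
    for label, settings in (("limit 5", CaptureSettings(max_bad_attempts=5)),
                            ("page default (limit off)", CaptureSettings())):
        result = replay(SAMPLE_LOG, settings)
        print(label, result["events"], "locked until:", result["locked_until"])
```

With the limit at 5 the account locks at 09:50 until 10:20, so the 10:15 attempt is refused and the 10:25 login succeeds; with the page's default of off the same log never locks anyone, which is why a lockout policy that relies on Capture Settings needs that first setting changed from its default.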

OATH OTP

  1. Click the OATH OTP sub-tab.

  2. Click Edit.


  3. Select Enabled from the dropdown list.

  4. Click Save.

RADIUS

  1. Click the RADIUS sub-tab.

  2. Select Enabled from the dropdown list to enable RADIUS.

User Account Settings

  1. Click the User Account Settings sub-tab.

  2. Click Edit.


  3. Make your selection from the dropdown list.

  4. Click Save.

Authentication Settings

  1. Click the Authentication Settings sub-tab. Each authentication setting is labeled either Active or Not Set.

  2. Click Edit.


    The page displays the following sections. Under each section heading is a dropdown list where you can choose Enabled, Disabled, or Not Set:

    • Enable users to change their passwords

    • Enable users to enroll FIDO2 authenticators

    • Enable users to configure OATH OTP client (requires enabling OATH OTP policy)

    • Enable users to configure Security questions

    • Enable users to configure a Phone PIN for MFA

    • Require users to register device at sign in to use Mobile Authenticator.

      The Delinea Mobile app can be used as an MFA mechanism for logging in to the Delinea Platform. See Login Flow for the Delinea Platform Portal (MFA).

  3. Make your desired choices in each section.

    For each user capability that you enable, more fields appear where you can configure additional settings, including the authentication profile required for the user to access the capability, as shown in the images below.

    When selecting a profile in Authentication profile required to..., do not select the default user login profile. If you do, the user could get locked out of the platform by entering an endless authentication loop.

    Screenshots (not reproduced here) show the additional fields for each capability: Enable users to change their passwords; Enable users to enroll FIDO2 Authenticators; Enable users to configure an OATH OTP client; Enable users to configure Security Questions; Enable users to configure a Phone PIN for MFA; Require users to register device at sign in to use Mobile Authenticator.

  4. When you are finished making your selections, click Save.


Users with the Manage Identity Settings permission can bypass the required MFA setup. See Platform Permissions.

Summary

The Summary tab displays comprehensive information about the configured identity policy settings. The page does not provide editing capabilities, because all of these policies are added, changed, and removed elsewhere.