
2FA for Mobility Manager

[Sprint I]
AC-CORE II

2FA for Mobility Manager (MM)


Problem Statement
Enable 2FA for stronger access control to the Mobility Manager (a.k.a. Admin Console for App Center)

Drivers
Compliance in specific verticals
Desire for stronger authentication

Constraints
Should involve minimal or no incremental cost to customers
Customers should not need to install anything or incur a lot of effort

VIP as 2FA Solution for MM


Solution
VIP will be used to provide 2FA for MM
2FA will be enabled for MM admins based on configuration at a tenant level
Once turned on at a tenant level, all admins of the tenant will have to use 2FA to log in to MM
All MM admins for a tenant will have the ability to download and bind a VIP mobile credential with their account. They must complete this step before their next login


Solution Setup
A single VIP Reseller account will be set up for Mobility
A Mobility Operations team will be responsible for managing this account
Each Mobility customer that wishes to have 2FA for MM will get a new VIP Account (but no VIP Manager access) for free
The solution supports both SaaS and On-Prem scenarios in the same way: every customer gets a VIP account
No API, automation or code integration is possible for this step; the Operations team described above will manage setting up the member account for each tenant
Each member account so created goes through an approval process on the VIP side (takes 3-4 working days)

Overview Workflow

Tenant Admin
Initialize Setup -> Request 2FA Provisioning -> Request Sent

Ops Personnel
Create VIP Tenant Account -> Configure VIP Policy -> Run Script to send success email
SaaS: Success Notification
On-Prem: Success Notification with a Verification Key

Tenant Admin
SaaS: Enable 2FA
On-Prem: Verify Key and Enable 2FA

Experience for SaaS Customers

MM [SaaS]: Ops Personnel receive request

MM [SaaS]: Ops Personnel create VIP account


MM [SaaS]: Ops Personnel set up VIP policy

MM [SaaS]: Ops Personnel run a script

The script expects the following argument:
Tenant Name

Script output:
Notification in Admin Inbox.

$ cd /usr/local/nukona/appstore_cu
setings.APPSTORE_ROOT

$ /usr/local/nukona/python/bin/python scripts.pyc notify-for2fa-provisioning <tenant name>

MM [SaaS]: Admin receives success notification

MM [SaaS]: Admin enables 2FA

Tenant Admin Usage Experience

First-Factor Authentication: MM Login/Pwd
Second-Factor Authentication: VIP OTP
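The two-step login above (first factor MM login/password, second factor VIP OTP) together with the tenant-level rule from the Solution slide (once 2FA is on for a tenant, every admin must use it, and an admin who has not yet bound a credential must do so before the next login), as an added example in Python. This is not Mobility Manager or Symantec VIP code. The deck does not say how MM validates a VIP OTP, so an RFC 6238 TOTP check stands in for the VIP validation service so the example runs offline; the class names, the PBKDF2 password hash and the single-use pending-login token are assumptions made here.

```python
"""Tenant-level 2FA enforcement for an admin-console login (added example).

Illustrative code written for this page, not Mobility Manager or VIP code.
Policy modelled: if the tenant has 2FA switched on, a correct password alone
never yields a session; an admin without a bound credential is sent to
enrollment, an admin with one must present an OTP. The OTP check is an
RFC 6238 TOTP (HMAC-SHA1, 30 s step) standing in for the VIP service.
All names below are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


class LoginResult(Enum):
    BAD_CREDENTIALS = "bad_credentials"
    ENROLL_REQUIRED = "enroll_required"  # tenant enforces 2FA, admin has no bound credential
    OTP_REQUIRED = "otp_required"        # password accepted, second factor still pending
    AUTHENTICATED = "authenticated"


@dataclass
class Tenant:
    name: str
    two_factor_enabled: bool = False  # the tenant-level switch from the deck


@dataclass
class Admin:
    username: str
    tenant: Tenant
    salt: bytes
    password_hash: bytes
    otp_secret: Optional[bytes] = None  # set once the admin has bound a credential


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (assumed here; the deck does not specify one)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP value for the given Unix time."""
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_otp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


class LoginService:
    def __init__(self) -> None:
        # pending first-factor logins: one-time token -> username
        self._pending: Dict[str, str] = {}

    def first_factor(self, admin: Admin, password: str) -> Tuple[LoginResult, Optional[str]]:
        if not hmac.compare_digest(hash_password(password, admin.salt), admin.password_hash):
            return LoginResult.BAD_CREDENTIALS, None
        if not admin.tenant.two_factor_enabled:
            return LoginResult.AUTHENTICATED, secrets.token_urlsafe(32)  # session token
        if admin.otp_secret is None:
            # Tenant enforces 2FA but this admin has not bound a credential yet.
            return LoginResult.ENROLL_REQUIRED, None
        token = secrets.token_urlsafe(32)
        self._pending[token] = admin.username
        return LoginResult.OTP_REQUIRED, token

    def second_factor(self, token: str, admin: Admin, code: str, now: int) -> Tuple[LoginResult, Optional[str]]:
        # The pending token is single-use: a wrong OTP sends the admin back to step one.
        if self._pending.pop(token, None) != admin.username or admin.otp_secret is None:
            return LoginResult.BAD_CREDENTIALS, None
        if not verify_otp(admin.otp_secret, code, now):
            return LoginResult.BAD_CREDENTIALS, None
        return LoginResult.AUTHENTICATED, secrets.token_urlsafe(32)  # session token
```

The point of the state machine is that the tenant flag is checked on the server after the password succeeds, so switching 2FA on for a tenant immediately applies to every admin of that tenant, and the only way past OTP_REQUIRED is a fresh one-time token plus a valid code.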

Experience for On-Prem Customers

MM [On-Prem]: Admin initializes request setup

MM [On-Prem]: Admin requests VIP configuration

MM [On-Prem]: State change after request submission

MM [On-Prem]: Ops Personnel receive request

MM [On-Prem]: Ops Personnel create VIP account

MM [On-Prem]: Ops Personnel set up VIP policy

MM [On-Prem]: Ops Personnel run a script [SPRINT II]

The script expects the following arguments:
Tenant Name
Success/Failure flag
Email Address
Verification Key (mandatory for on-prem)

Script output:
Notification with verification key

MM [On-Prem]: Admin receives success notification [SPRINT II]

MM [On-Prem]: Admin enters verification key

MM [On-Prem]: Admin enables 2FA

Tenant Admin Usage Experience

First-Factor Authentication: MM Login/Pwd
Second-Factor Authentication: VIP OTP

Additional Scenarios

Exceptions

SaaS
No exception scenario in the SaaS model

On-Prem
Request rejected for first-time 2FA provisioning
Expiration workflow
Request rejected for a recurring user who already has 2FA

MM [On-Prem]: VIP Configuration Error

MM [On-Prem]: Admin enters Verification Key

Verification Key
Your VIP configuration request has been rejected due to issues in the certificate uploaded. Please request again by uploading a new valid certificate.

OK

MM [On-Prem]: Admin enters verification key (request state: Rejected)

Thank you!
AC-CORE II
DL-ENG-EME-ACCORE2@symantec.com

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.