Microsoft IAG Multiple Authentication

From Swivel Knowledgebase
Jump to: navigation, search

PINsafe and IAG/UAG Integration using multiple repositories

This article explains how to use PINsafe with Microsoft IAG/UAG so that different applications are available to users depending on how they authenticated.

These notes are based on IAG Version 3.7 and PINsafe Version 3.6

This article shows the approach required to add this functionality to a standard IAG/UAG and PINsafe integration. Standard integration notes are available from the Microsoft IAG Integration guide and should also be referred to.


The approach is to create two different repositories on the IAG. One repository will use Agent-XML for authentication the other will use RADIUS.

One repository will be associated with single channel authentication, the other with dual channel authentication.

The login page will determine which repository the user is authenticating based on whether the user has requested a single channel (TURing) image or not.

The IAG will be configured to allow access to specific applications based on the repository a user has authenticated to.\

On the PINsafe server the NAS or Agent associated with the IAG Dual channel repository will be set to accept dual channel authentication only.


The names used for repositories etc are just examples, but sometimes names are important, eg the repository of type "other" needs to have the same name as the associated .inc file and needs to reflected in the checkradio() function in PinsafeLogin.asp

PINsafe Configuration

In this example radius will be used for dual channel authentications only so on the PINsafe server

Enable RADIUS server

Create a NAS entry for the IAG

Set ip address and shared secret as required

Set mode to dual channel only for the NAS

Create an Agent entry for the IAG

Set ip address and shared secret as required

IAG Repository Configuration

Copy images.asp to von\IntnernalSite\Images\CustomUpdate

Ensure that it is the version that can also handle index images and ensure that the IP addresses etc match the PINsafe server

if request.querystring("index") <> "" then	
  Set objWinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5")
  objWinHttp.Open "GET", ""&request.querystring("username"), false
  Set objWinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5")
  objWinHttp.Open "GET", ""&request.querystring("username"), false
end if

Create a new Repository called pinsafe of type other.

Copy the file to von\InternalSite\inc\CustomUpdate

Edit so that the secret (m_secret), ip address and port matches that of the PINsafe server

function checkswivelpwd (userName, password)
LIGHT_TRACE "checkswivelpwd entered for " & userName
LIGHT_TRACE "SWIVEL - lets check if the password is right"
Dim strHTML
m_secret = "secret"
Dim objWinHttp
m_request = "<?xml version=""1.0"" ?><SASRequest><Version>1.0</Version><Action>login</Action><Username>" & username & "</Username><OTC>" & password & "</OTC><Secret>"
& m_secret & "</Secret></SASRequest>"     
Set objWinHttp = Server.CreateObject("WinHttp.WinHttpRequest.5")
objWinHttp.Open "GET", "http://<ipaddress>:8080/pinsafe/AgentXML?xml=" & m_request, false

Create a new Repository called pinsaferadius or type RADIUS.

Enter the details of the PINsafe RADIUS server on the config screen.

Trunk Configuration

For the trunk you are using eg portal, ensure that both pinsafe and pinsaferadius repositories are associatd with the page

Also ensure that the option User Selects from A List of Servers is set

Set the login pages to be PINsafeLogin.jsp


Now copy the PINsafeLogin.jsp to von\InternalSite

Edit the PINsafeLogin.jsp to ensure that the repository names match those that you are using and that the dual channel and single channel authentication are matched to the correct repository.

function checkradio() 
  var radiovalue = eval(document.form1.swivel[1].checked);
  var r = document.getElementById("repository");
  if (radiovalue == true)
  //TURing selected, therefore refresh TURing image
  //repository for TURing is pinsafe
  r.value = "pinsafe"
  } else{
 updateindex(); //if we are using multi-sms update index will display required index
 r.value = "pinsaferadius"
 //repository for TURing is pinsaferadius

Application Authorization

With different repositories aligned to different authentication methods, it is possible then to make some applications only accessible when a user has authenticated using the dual channel method.

To do this restrict access to applications to the pinsaferadius group on the Trunk->Applications-.Authorization tab


User Experience

The user is presented with the option of authenticating via SMS or TURing.

To authenticate the user enters their username and then clicks on the authentication method they wish to use.

If they select TURing and TURing image is displayed.


If they select SMS (and multi-SMS is being used) the index of the security string that they need to use is displayed.


(If they have no valid SMS strings, -1 is shown)

When they make their selection the login page automatically associates them with the correct repository.

After authentication they will only have access to applications appropriate to their method of authentication.