Configure PortalGuard Security Policies

Configure Security Policy for SSPR via Challenge Questions/Answers (Optional)

1. Select the “Security Policies” tab.

a. Click on the “default” security policy to select it.

b. Click the “Edit” button.

2. Leave the defaults on the “General” tab.

3. Select the “Auth Methods” tab.

a. Select the “Q/A” tab.

i. Select the “Behavior” tab.

ii. Click on the “Required” radio button.

iii. You can leave the “Max Deferred Enrollments” set to 0 or choose a value appropriate for your environment.

4. Select the “Actions” tab.

a. Select the “Acct Unlock” tab.

i. On the “Authentication” tab.

1. Click the “Allow users to unlock their accounts” check box.

2. Leave the “Optional Challenge Answers” check box enabled.

3. By default, the user is presented with 10 challenge questions during enrollment.

4. They have to answer at least 5 of them.

5. You can specify how many of the enrolled questions have to be answered correctly by specifying a value from 1 to 5 in the field to the right of the “Optional Challenge Answers” check box label.

6. Select “Printed” in the “Default OTP Method” drop-down list.

b. On the “PW Reset” tab.

i. On the “Authentication” tab.

1. Click the “Allow users to unlock their accounts” check box.

2. Leave the “Optional Challenge Answers” check box enabled.

3. By default, the user is presented with 10 challenge questions during enrollment.

4. They have to answer at least 5 of them.

5. You can specify how many of the enrolled questions have to be answered correctly by specifying a value from 1 to 5 in the field to the right of the “Optional Challenge Answers” check box label.

6. Select “Printed” in the “Default OTP Method” drop-down list.

c. On the “PW Recovery” tab.

i. On the “Authentication” tab.

1. Click the “Allow users to unlock their accounts” check box.

2. Leave the “Optional Challenge Answers” check box enabled.

3. By default, the user is presented with 10 challenge questions during enrollment.

4. They have to answer at least 5 of them.

5. You can specify how many of the enrolled questions have to be answered correctly by specifying a value from 1 to 5 in the field to the right of the “Optional Challenge Answers” check box label.

6. Select “Printed” in the “Default OTP Method” drop-down list.

5. Click the “Save” button.

Configure Security Policy for Web-based 2FA (Optional)

The following steps enable 2FA login to the PortalGuard website. The same setting can enforce 2FA for other web applications by federating them with PortalGuard using protocols such as SAML, WS-Federation or CAS.

1. Select the “Security Policies” tab and edit the security policy for which you would like to enable two-factor authentication (2FA).

2. In the individual sub-tabs under the Auth Methods tab, ensure you explicitly allow each OTP method you want to be available. For example, for YubiKey tokens, enable the “Allow YubiKey Tokens” checkbox in the Tokens sub-tab.

To use SMS to cell phones, set the Required Enrollment option under the Phone sub-tab.

3. In the Actions -> Login tab, set the “PortalGuardWebSite Login” drop-down to Two-factor (2FA).

4. The tab now displays all the OTP methods enabled in this policy. Choose which methods are available for website login and set the Default method. If a method was not enabled on the Auth Methods tab, it is disabled on this tab. If you would like to allow end users to choose their own Default OTP method on the PortalGuard Account Management page, do so directly under the Default OTP Method drop-down.

5. Save the changes to the security policy, then apply them to the server as detailed in the next section.
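The two procedures above leave several settings that must agree with each other: challenge answers only work if Q/A enrollment is Required, the required-correct count must be 1 to 5, and any Default OTP method (for the self-service actions or for website login) must be a method allowed under Auth Methods. The following is an added example, not PortalGuard's own code or configuration format: it models those settings as a plain dictionary (all field names are assumed) and flags inconsistencies before a policy is saved.

```python
# Added example, not PortalGuard's own code or configuration format: a
# simplified dict model of the settings in this guide (field names assumed).

QA_REQUIRED_CHOICES = range(1, 6)  # guide: required correct answers is 1 to 5

def check_policy(policy):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    qa_required = policy.get("qa_behavior") == "Required"
    allowed = set(policy.get("allowed_otp_methods", []))
    # Self-service actions: Acct Unlock, PW Reset, PW Recovery.
    for action, cfg in policy.get("actions", {}).items():
        if not cfg.get("enabled"):
            continue
        if cfg.get("optional_challenge_answers"):
            n = cfg.get("required_correct_answers")
            if n not in QA_REQUIRED_CHOICES:
                problems.append(f"{action}: required correct answers must be 1..5, got {n}")
            if not qa_required:
                problems.append(f"{action}: uses challenge answers but Q/A enrollment is not Required")
        default = cfg.get("default_otp_method")
        if default not in allowed:
            problems.append(f"{action}: default OTP method {default!r} is not allowed under Auth Methods")
    # Website login: 2FA methods must be allowed under Auth Methods; default must be offered.
    login = policy.get("login", {})
    if login.get("mode") == "2FA":
        methods = login.get("methods", [])
        for m in methods:
            if m not in allowed:
                problems.append(f"login: 2FA method {m!r} is not allowed under Auth Methods")
        if login.get("default_otp_method") not in methods:
            problems.append("login: default OTP method is not one of the enabled login methods")
    return problems

# Constructed sample policies: one following the steps above, one with mistakes.
GOOD_POLICY = {
    "qa_behavior": "Required",
    "allowed_otp_methods": ["Printed", "YubiKey", "SMS"],
    "actions": {a: {"enabled": True, "optional_challenge_answers": True,
                    "required_correct_answers": 3, "default_otp_method": "Printed"}
                for a in ("acct_unlock", "pw_reset", "pw_recovery")},
    "login": {"mode": "2FA", "methods": ["YubiKey", "SMS"], "default_otp_method": "YubiKey"},
}
BAD_POLICY = {
    "qa_behavior": "Optional",
    "allowed_otp_methods": ["Printed"],
    "actions": {"pw_reset": {"enabled": True, "optional_challenge_answers": True,
                             "required_correct_answers": 7, "default_otp_method": "Printed"}},
    "login": {"mode": "2FA", "methods": ["YubiKey"], "default_otp_method": "YubiKey"},
}
```

Running `check_policy(BAD_POLICY)` reports three problems (the out-of-range count, Q/A not Required, and a 2FA login method that is not allowed under Auth Methods), while the good policy returns an empty list.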