Authentication for Autologon Sessions:
Select one of the authentication options below.
Certificates, RADIUS and se.SAM allow an automatic start of autologon sessions (if the keyword DISABLED is not specified) because these options need no user intervention once they are completely configured.
For all other authentication options the keyword DISABLED must be specified. The user must start the session and can then enter the required logon data for OTP, TOTP and FIDO2.
Certificates:
- At the autologon routing entry the keyword SSLCC must be defined.
- At the reverselogon routing entry the keywords SSL and CCR must be specified.
RADIUS:
- At the autologon routing entry the keyword RADIUS:[username ][!password] must be defined.
-- username and password are optional and are default values when prompting to start the autologon session.
- At the reverselogon routing entry the keyword RADIUS:grouplist must be defined.
-- Additionally the keyword OTPU may be specified.
se.SAM crypto processor:
- At the autologon routing entry the keyword SSLCC2:sesam:comx!pin!slot must be defined.
- At the reverselogon routing entry the keyword CCR2:sesam:groups must be specified.
Time-based One-Time Password (TOTP) with Authenticators (e.g. Google or Microsoft):
- At the autologon routing entry the keyword TOTP:[email][!SecurityID] must be defined.
-- email and SecurityID are optional and are default values when prompting to start the autologon session.
- At the reverselogon routing entry the keyword TOTP:[port] must be defined.
-- port (optional) refers to a logon routing entry for registration of the authenticator
-- if port is not specified: only authentication is supported, registration is not possible
-- Additionally the keyword OTPU may be specified.
Remark:
Initial configuration of the (Microsoft or Google) authenticator can also be done via a logon rule configured for TOTP.
One-Time Password (OTP) via email or SMS:
- At the autologon routing entry the keyword OTP:[email][![SecurityID][!mode]] must be defined.
-- email and SecurityID are optional and are default values when prompting to start the autologon session.
-- mode defines how the one-time password will be sent: Email or SMS (default is Email)
- At the reverselogon routing entry the keyword OTP:port must be defined.
-- port must refer to a logon routing entry for authentication
-- Additionally the keyword OTPU may be specified.
FIDO2:
- At the autologon routing entry the keyword FIDO2:[email][!SecurityID] must be defined.
-- email and SecurityID are optional and are default values when prompting to start the autologon session.
- At the reverselogon routing entry the keyword FIDO2:port must be defined.
-- port must refer to a logon routing entry for authentication and registration
-- Additionally the keyword OTPU may be specified.
OAuth 2.0:
- At the autologon routing entry the keyword OA2:provider must be defined.
- At the reverselogon routing entry the keyword OA2:grouplist must be defined.
-- Additionally the keyword OA2U may be specified.
Remark:
reverselogon routing entries can handle certificate authentication, OTP, TOTP, FIDO2, OAuth2 and RADIUS authentication at the same time.
In this case the keywords CCNRQ and OTP, TOTP, FIDO2, OA2 and/or RADIUS must be specified. If certificate authentication fails, one of the other configured authentication options will be tried.
====================================================================================================================================
Message Flow for autologon/reverselogon configurations with OTP, TOTP (registration) and FIDO2:
(1) The autologon session is started via a web browser.
(2) The ApplicGate client requests authentication from the ApplicGate server.
(3) The ApplicGate server responds with the port of the logon routing entry to access ApplicGate as authentication server.
For TOTP this occurs only if the Authenticator is not yet registered.
(4) The ApplicGate client forwards the URI to the web browser (as redirection).
(5) The web browser redirects to the ApplicGate server (as authentication server).
(6) The web browser communicates with the ApplicGate server for authentication and/or registration (TOTP, FIDO2).
(7) When the authentication is successful, the ApplicGate server sends a SessionID to the web browser (as redirection).
(8) The web browser redirects the SessionID to the ApplicGate client.
(9) The ApplicGate client forwards this SessionID to the ApplicGate server.
(10) The ApplicGate server checks the SessionID and checks if the provided email is authorized.
If all checks are ok, the autologon session is authorized.
(11) The ApplicGate server sends back the result of the check.
(12) The ApplicGate client presents the result to the web browser.
  (1)Start
      |
      v
+------------+             +------------+             +--------------+
|            |--(1)------->|            |--(2)------->|              |
|            |<-------(4)--|            |<-------(3)--|              |
|    Web     |             | ApplicGate |             |  ApplicGate  |
|  Browser   |             |   Client   |             |    Server    |
|            |--(8)------->|            |--(9)------->|     (10)     |
|            |<------(12)--|            |<------(11)--|              |
|            |             +------------+             |      as      |
|            |--(5)---------------------------------->|Authentication|
|            |<----------------------------------(6)--|    Server    |
|            |--(6)---------------------------------->|     (6)      |
|            |<----------------------------------(7)--|              |
+------------+                                        +--------------+
      |
      v
  (12)Result
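The following is an added illustration and not ApplicGate code: a constructed Python model of steps (1) to (12) in which the server issues a random, single-use, expiring SessionID bound to the authenticated email, and step (10) authorizes the autologon session only when the SessionID is valid and the email is in an assumed list of authorized addresses. The class names, the port 8443, the hostname and the 60-second lifetime are assumptions made for the example.

```python
import secrets
import time

class ApplicGateServer:
    # Constructed model of the ApplicGate server acting as authentication server.
    def __init__(self, authorized_emails, clock=time.monotonic, ttl_seconds=60):
        self.authorized = set(authorized_emails)
        self.clock, self.ttl = clock, ttl_seconds
        self.pending = {}  # SessionID -> (email, issue time); every entry is single-use

    def request_authentication(self):
        return 8443  # step (3): port of the logon routing entry (constructed value)

    def authenticate_browser(self, email, credential_ok):
        # Steps (6)-(7): after a successful OTP/TOTP/FIDO2 check, issue an unguessable
        # SessionID bound to the authenticated email; it expires after ttl seconds.
        if not credential_ok:
            return None
        session_id = secrets.token_urlsafe(32)
        self.pending[session_id] = (email, self.clock())
        return session_id

    def check_session(self, session_id):
        # Step (10): pop() makes the SessionID single-use; then reject expired IDs and
        # emails that are not authorized for this autologon session.
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return False
        email, issued = entry
        if self.clock() - issued > self.ttl:
            return False
        return email in self.authorized

class ApplicGateClient:
    # Constructed model of the ApplicGate client in front of the autologon session.
    def __init__(self, server):
        self.server = server

    def start_session(self):
        # Steps (2)-(4): redirect URI for the browser (hostname is a constructed placeholder).
        return f"https://applicgate.example:{self.server.request_authentication()}/logon"

    def forward_session_id(self, session_id):
        return self.server.check_session(session_id)  # steps (9)-(12)

def run_flow(server, client, email, credential_ok):
    # Drives steps (1)-(12) for one browser; returns the result shown to the browser.
    client.start_session()  # (1)-(5): browser is redirected to the authentication server
    session_id = server.authenticate_browser(email, credential_ok)  # (6)-(7)
    return session_id is not None and client.forward_session_id(session_id)  # (8)-(12)
```

Replaying a SessionID after step (10) or after its lifetime has passed fails the check, which is the behaviour to verify when testing such a redirect-based flow.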