Use the Authentication sub-step to protect an app by requiring the user to enter a passphrase, PIN, or biometric recognition before accessing the app. You can also configure options to require re-authentication after a period of user inactivity or when the user switches between different apps and returns to the original app. Additionally, this sub-step provides the ability for the client application to forward the provided OAuth Token, SiteMinder Token or x509 user certificate to a downstream server.
|Step||Blue Cedar Enforce|
Using this sub-step in a workflow
In the workflow builder for your app:
- Add the App Enhancement stage
- Add the Blue Cedar Enforce step to the workflow.
- Add the Authentication sub-step to the Enforce step.
Click on the options gear icon next to Authentication in the workflow outline. Configure the options:
The configuration settings for Authentication are organized in two sections, shown in the App Enhancement / Blue Cedar Enforce / Authentication section of the workflow builder as these tabs:
- Server Authentication
Required (one of these):
Allow biometric authentication. If selected, the user can authenticate with fingerprint or Face ID (as available on the device).
|Minimum Length||Required. The minimum number of characters required for a user passphrase or PIN (as selected above). Longer passphrases and PINs are more secure, but require more effort from the user.|
Optional. If selected, the user must select a complex passphrase or PIN.
Complex passphrases may not contain four or more of each of the following:
|Passphrase character types|
(Passphrase only.) Passphrase must contain at least one of each selected character type:
Remember the last n passphrases/PINs
Optional. If selected, the user cannot repeat a previously used passphrase when setting a new one
|Invalid Passphrase/PIN handling|
Lock user out of the app if user makes n consecutive incorrect passphrase/PIN entries
Enable/disable lockout and select the number of attempts before locking the user out.
If this option is enabled, and the app is not integrated with Blue Cedar Connect, the user is locked out after the specified number of invalid attempts.
If this option is enabled, and the app is integrated with Blue Cedar Connect using a Blue Cedar or IKEv2 gateway, the user is locked out after the specified number of invalid attempts and the app allows the user to re-authenticate with their gateway enrollment credentials. The user can then set a new local app passcode.
|Maximum Age Rule|
User must change passphrase/PIN frequency
Optional. Select whether the user must change the passphrase at a regular interval. You can set a reminder for the user as well.
Optional. Select whether the user must enter their local passphrase or PIN in the selected case(s):
On Android, there is a 3-second grace period when switching apps before re-authentication is required.
|Allow background access|
Allow background access (bypass local authentication when app is launched by the system in the background)
If selected, allow app launched in the background to access information secured by local app authentication. User interactions with the app still require local app authentication.
For example, an app may not require the main UI to be available for certain tasks, such as an email client fetching emails and sending notifications for new email. This option allows the app's background processing to perform without having to ask the user to enter local app authentication credentials. Once the user is ready to interact with the app, the app prompts for local app authentication as usual.
This option provides the ability for the client application to forward the provided OAuth Token, SiteMinder Token or x509 user certificate to a downstream server for use in authenticating the end user.
Required (one of these):