MFA Guides

Global Settings

RapidIdentity Server is installed with these six default settings.

  1. Authorization Codes are Suppressed

  2. Secure Workflows are Enabled

  3. Role Mapping is Not Enabled

  4. Auto Enroll is Turned Off

  5. Allow synchronization of non-domain users is Enabled

  6. Allow Self-Service of reset credential during validation is NOT Enabled

Clicking each of the six Global Settings links directs administrators to the corresponding module section to update the configuration as desired.

Administrators can also update additional configuration options by selecting the desired checkboxes and, if necessary, modifying the URLs.

The Allow synchronization of non-domain users setting lets administrators limit the ability of non-domain users to synchronize their data to RapidIdentity Server. It applies to local users and to users located in other domains.

Synchronization is limited by the domain username and password pair. If a local account has the same username and password pair as an account in the domain (for example, local = user1/password and domain = user1/password), the user’s data will synchronize to RapidIdentity Server.

Two accounts will be created on RapidIdentity Server, one with the local account information and one with the domain account information. Administrators can distinguish between the two accounts based upon the domain representation in the user lookup menu.

RapidIdentity Server always attempts to authenticate an Authorization Code when the need arises. Suppressing authorization codes therefore has the effect that RapidIdentity Server always assumes the user has already entered their authorization code and that it was correct.

This increases convenience for end users and administrators while reducing security. The reduction is especially apparent if secure workflows are enabled and an authentication set is used that has no secure workflows present (e.g. Smart Card only).

A user attempting to reset their credential (e.g. unblocking a card) will be able to do so without being prompted for any additional information.

Therefore, if authorization codes are suppressed, take care to assign only authentication sets that have Secure Workflows with a question set that can be used for Emergency Access into users’ systems with RapidIdentity Windows or Mac Clients.

Administrators can change the policy for this access, but not the actual question set.
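
A simplified model of the reset decision described above, as an added example that is not RapidIdentity code: the class and field names, the authentication sets, and the user assignments are constructed for illustration and do not reflect the product's API or data format. It lists the users whose assigned authentication set would let a credential reset proceed with no prompt under a given pair of global settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalSettings:            # hypothetical model of two Global Settings
    auth_codes_suppressed: bool
    secure_workflows_enabled: bool


@dataclass(frozen=True)
class AuthSet:                   # hypothetical model of an authentication set
    name: str
    has_secure_workflow: bool


def reset_challenges(settings, auth_set):
    """Return the prompts a user must pass before resetting a credential."""
    challenges = []
    # A suppressed authorization code is treated as already entered and correct.
    if not settings.auth_codes_suppressed:
        challenges.append("authorization_code")
    # A secure workflow only prompts if the assigned set actually contains one.
    if settings.secure_workflows_enabled and auth_set.has_secure_workflow:
        challenges.append("secure_workflow")
    return challenges


def unprompted_reset_users(settings, assignments):
    """Users who could reset a credential (e.g. unblock a card) with no prompt."""
    return sorted(user for user, auth_set in assignments.items()
                  if not reset_challenges(settings, auth_set))


# Constructed sample data: install defaults and three user assignments.
DEFAULTS = GlobalSettings(auth_codes_suppressed=True, secure_workflows_enabled=True)
SMART_CARD_ONLY = AuthSet("Smart Card only", has_secure_workflow=False)
CARD_WITH_QUESTIONS = AuthSet("Smart Card + question set", has_secure_workflow=True)
ASSIGNMENTS = {
    "user1": SMART_CARD_ONLY,
    "user2": CARD_WITH_QUESTIONS,
    "user3": SMART_CARD_ONLY,
}

if __name__ == "__main__":
    for user in unprompted_reset_users(DEFAULTS, ASSIGNMENTS):
        print(f"{user}: reset needs no prompt ({ASSIGNMENTS[user].name})")
```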

Administrators can choose to check or uncheck any of the following options at any time, along with configuring the default timeout for SMS OTP codes and the URLs for the Admin Portal, Mobile Client Provisioning, and RestService for mobile clients.

  1. Allow PingMe for OTP users

  2. Require PIN for PingMe

  3. Allow Unauthenticated One-To-Many Biometric Match

  4. Allow synchronization of non-domain users

  5. Allow Self-Service of reset credential during validation

  6. Send an email when sending an SMS

  7. Enable SMS for OTP codes

  8. Default timeout (in seconds) for SMS OTP codes

  9. Automatically approve workstations for synchronization