Vasco digipass with UMRA and Active Directory

Several clients are using digipass systems from Vasco as their main security token system for both VPN and building access. Since this system is Active Directory integrated and features an API, we can easily integrate it within the UMRA identity management framework for automatic token provisioning on new user accounts, and token profile management on existing user accounts.

The process of assigning a token to a user account is fairly simple and involves some basic steps:

1. Locate a token from the digipass-pool. This is a root OU created by the Vasco software when installed in your environment.
2. Retrieve the vasco-SerialNumber attribute from the located token.
3. Supply the sAMAccountName attribute, domain name, vasco-SerialNumber and grace period # of days to the TCL script
4. The Vasco software moves the digipass object from the digipass-pool to the user OU and applies all kinds of vasco related attributes on both the user object and the digipass object. Vasco extends the Active Directory schema to support these attributes.
5. The user in Active Directory gets extra tabs in their property dialog when using the AD Users and Computers MMC snap-in.

The challenging part when integrating Vasco into Active Directory account provisioning is to write TCL scripts. The documentation provided by Vasco is unfortunately very basic and didn’t offer much help. Some of the operations, like adding authorization profiles and grace periods are not documented at all. Also, be careful that the Vasco connection to the Active Directory appears to be not bound to a specific domain controller, so integrating it with batch jobs may cause replication issues. I’ve determined that for most clients a delay of 5-10 seconds before executing a TCL script is sufficient to let the AD replicate to its domain controllers.

When moving user accounts to another OU, make sure you also move the digipass object to the same OU, otherwise it won’t work. Also, update the vasco-linkUserToDPToken attribute on the user object and the vasco-linkDPTokenToUser attribute on the token object in your script, otherwise the link between the user and the digipass object will be broken.

Vasco uses TCL scripting for all unattended scripted operations, which can be executed using the command line tool DPAMINCMD.EXE, which is installed by default with the Vasco software inside the BIN folder.

Example TCL script to create a user account with digipass association:
set userid [lindex $argv 0]

set domain [lindex $argv 1]
set serial_no [lindex $argv 2]
set grace_period_end [lindex $argv 3]
set grace_period_minus [lindex $argv 4]
set password [lindex $argv 5]

puts $userid
puts $domain
puts $serial_no
puts $grace_period_end
puts $grace_period_minus
puts $password

if [catch “user create {userid $userid domain $domain password $password}” result] {
puts “Create: $result”
} else {
puts “Create: $result”
}

if [string equal $grace_period_minus yes] {
if [catch “digipass assign {userid $userid serial_no $serial_no search_up_ou 1 grace_period_end -$grace_period_end}” result] {
puts “Assign-minus: $result”
} else {
puts “Assign-minus: $result”
}
} else {
if [catch “digipass assign {userid $userid serial_no $serial_no search_up_ou 1 grace_period_end $grace_period_end}” result] {
puts “Assign: $result”
} else {
puts “Assign: $result”
}
}

A similar TCL script to delete the digipass association from a user account:

set userid [lindex $argv 0]
set domain [lindex $argv 1]
set serial_no [lindex $argv 2]
puts $userid
puts $domain
puts $serial_no

if [catch “user delete {userid $userid domain $domain}” result] {
puts “Create: $result”
} else {
puts “Create: $result”
}

if [catch “digipass unassign {userid $userid serial_no $serial_no}” result] {
puts “Assign: $result”
} else {
puts “Assign: $result”
}