General principles

Introduction

The purpose of this documentation is to provide guidance for administrators who want to implement the inWebo 2FA service.

As you may already know, inWebo enables you to strengthen authentication to your web site / VPN / SaaS application by replacing the traditional login & password with a login & OTP (One-Time Password) mechanism.

inWebo OTP generators can be downloaded for free by end users. Each generator has to be “activated” by the end user, using an Activation code (a 9-digit code that you, as administrator, will have to send to them).

The inWebo OTP validation API is available over Radius, SAMLv2 and Web Services (SOAP & REST).

Prerequisites

Integrating inWebo is fairly simple. But before starting, you still need to have answers to a couple of questions:

  • What is the application or Web Site I want to use inWebo for?

    • If it is a Web Site you are developing, you’ll be interested in implementing the Web Services API

    • For Remote VPN access, you are likely to use Radius

    • For ADP-GSI, Google Apps or any other SAML compliant application, you will look at SAMLv2 integration

    • For Microsoft ADFS, Shibboleth, specific connectors are provided

    • For Ilex and Memority, inWebo is supported as a native strong authentication method.

  • Do you have “admin access” to this application or Web Site?

  • Which OTP generator(s) are you considering using?

    • Mobile or Desktop Token: inWebo Authenticator App

    • Cloud Token: inWebo Virtual Authenticator or Helium

    • In-App Token: inWebo mAccess

For testing purposes, starting with Mobile Token is the easiest way.

Integrating inWebo with your application, the big picture

Here are the main steps you may follow to integrate inWebo:

  1. Create and configure your inWebo account on our platform

  2. Test authentication with inWebo on our platform

  3. Implement inWebo API on your platform

  4. Start provisioning your users on our platform

Note

The Activation Code was formerly called "Secure Site ID" in some authentication tools or in the documentation. Wherever "Secure Site ID" appears, it refers to an activation code.

Creating and configuring your inWebo account

Creating your inWebo account

To use inWebo authentication, you can subscribe to our free trial. The signup process will allow you to create an account on the inWebo platform for 1 “standard” service, 10 users, valid for 30 days. Should you need more users or a longer period of time, please contact your inWebo reseller or partner.

At the end of the signup process, you will have to activate inWebo Virtual Authenticator in your browser.

Virtual Authenticator is the first inWebo Token you enroll. You are prompted to enter your PIN code twice to define it. Be sure to remember it, as it will be asked for every time you need to authenticate on myinwebo.com or to add a new trusted device.

Virtual Authenticator (often abbreviated as VA), among other things, allows you to access the Administration Console. To do so, go to https://www.myinwebo.com/console/logon.

Type in your pin code, click ‘Sign in’ and you are connected.

Initial configuration of your inWebo account

The first time you connect to inWebo Admin Console you will be taken to the main admin window.

At this stage, you are the only user of your inWebo account, and you have only one inWebo token. For safety reasons, we strongly recommend that you:

  • Activate a second token for yourself

  • Add other administrators

Configure additional connectors and Secure Sites

Depending on the type of site or application you want to integrate inWebo with, you will have to create and configure the appropriate inWebo connector (for SAML 2.0, for Google Apps, for Radius…) in the Admin Console.

Once this connector is created, you will be able to add secure sites (bookmarks) of the given type in the console. Secure Sites are sites and applications your users can log into with their inWebo authentication devices.

At this point, your inWebo account is created and access to it is secured. You can now move on to Integration with your application / Web Site.

Other recommended operations

Activate a second token

The safest choice is to activate inWebo Authenticator App (Mobile/Desktop).

From your mobile phone, search ‘inwebo’ in your Application Store (AppStore, Play Store, AppWorld) and install inWebo Authenticator.

When starting the app, you will be prompted for an Activation code.

From the Admin Console, hover over your name on the top right corner, and click on ‘My inWebo Account’ and then ‘My Devices’ (or go directly).

Click on ‘Activate a new Device’ to get an Activation code.

Type the ‘Activation code’ (or scan the QR code) in your app. Then, you will be prompted to confirm your identity by typing your inWebo PIN. Click ‘Ok’ and your inWebo Authenticator App is active.

Should you lose inWebo Virtual Authenticator, you will be able to activate a new instance from https://www.myinwebo.com/console/enrole, by using an Activation code provided by your inWebo Authenticator App.

Add other administrators

From the Admin Console, go to ‘Service Users’, click ‘Add a new user’ and fill the form. If you check ‘Send an Activation Email’, your colleague will receive an email with an activation link, valid for 3 weeks. We recommend that the 2nd admin activates his account as soon as possible, and configures 2 inWebo tokens as described above for redundancy.

Testing authentication with inWebo on our platform

inWebo provides a simple demo web page for you and your users to try out inWebo tokens.

This demo page is automatically generated when you create your account and its properties can be viewed and edited from the Admin Console (it is the first of your Secure Sites).

You can access the demo page from the SSO page: https://www.myinwebo.com/sso.

At this point, your inWebo account is created and access to it is secured. You can now move on to Integration with your application / Web Site.

Implement inWebo API on your platform

Basic API implementation

Depending on the technology in use in your site, download the appropriate inWebo API kit.

A manual for the inWebo API is also available there. Read it carefully and check the code samples that will help you understand how to use the API.

Radius integration

For Radius integration, you need to do the following:

  • On your firewall, open port UDP 1812 towards inWebo RADIUS addresses

    inWebo Radius server addresses:

    (See RADIUS integration and redundancy for additional details and configuration)

  • Get the public IP address of your VPN Gateway (i.e. the Radius client)

  • Choose a secret password that will be shared between the Radius client and inWebo
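How the shared secret from the last step is used on the wire, as an added example (not taken from the inWebo API kit): a standard RFC 2865 Access-Request in which the OTP is hidden with MD5(secret + Request Authenticator). It assumes the OTP is carried in the User-Password attribute; the user name, OTP and secrets are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code / attribute types

def keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password the way the Radius client (VPN gateway) does."""
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the Radius server does with its copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = type (1 byte) + total length (1 byte) + value
    return bytes([attr_type, len(value) + 2]) + value

def access_request(user: str, otp: str, secret: bytes, identifier: int = 1,
                   authenticator: bytes = b"") -> bytes:
    """Build the Access-Request datagram a Radius client sends to UDP 1812."""
    ra = authenticator or os.urandom(16)  # Request Authenticator must be unpredictable
    attrs = attr(USER_NAME, user.encode()) + attr(
        USER_PASSWORD, hide_password(otp.encode(), secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs

if __name__ == "__main__":
    # Constructed sample values, not real credentials
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    pkt = access_request("alice", "123456", secret, authenticator=ra)
    hidden = pkt[-16:]
    print(pkt.hex())
    print(reveal_password(hidden, secret, ra))           # correct secret recovers the OTP
    print(reveal_password(hidden, b"wrong-secret", ra))  # wrong secret yields garbage
```

The OTP's confidentiality on the wire rests entirely on this secret, so generate it randomly and make it long rather than picking a memorable word.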

For detailed implementation of Radius integration, please refer to one of the Tutorials available on the inWebo developer site, such as:

  • inWebo integration with BoostEdge

  • inWebo integration with Pulse Secure

  • inWebo integration with Netasq

  • inWebo integration with F5 Big-ip APM

SAML integration

Several guides already exist on the inWebo developer site for SAML integration. Choose the guide that matches the application you want to connect. For more information, check out:

  • inWebo Setup with ADFS (3.0, 4.0)

  • inWebo integration Google Apps

  • inWebo integration Salesforce SAML v2

  • inWebo integration with F5 Big-ip APM

Integrating inWebo Virtual Authenticator or Helium

In order to use Virtual Authenticator or Helium on your web site or your SSL VPN authentication page, you need to know a little bit of HTML, and maybe also some JavaScript for advanced integration. Please refer to our QuickStart Virtual Authenticator or Quickstart Helium for detailed information.

Other use cases

Salesforce Delegated authentication, QR Code, inWebo In-App Token (mAccess)… There are many use cases where inWebo 2FA Service is relevant.

Start provisioning your users on our platform

Creating users

Users can be created from the Admin Console or using API Commands. For testing purposes, we recommend the Admin Console.

Warning: being the administrator who created the inWebo account, your login has been set to your email address. You may change it by editing your own account in the ‘Service Users’ tab.

Using inWebo Directory Sync for users provisioning

IWDS is a Java application that will synchronize any of your inWebo users with any LDAP directory. It can be installed on any Windows or Linux server that supports Java 1.6 or later. For detailed information, check the IWDS documentation.

Important: IWDS usage is not granted by default with trial accounts. It can be unlocked simply by requesting it from your inWebo Partner or Reseller.

Viewing Reports

Authentication and Provisioning logs are available in the ‘Service Reports’ tab. This can come in handy for troubleshooting purposes.

Useful myinwebo URLs Summary


| | URL | Comments |
|---|---|---|
| Secure Sites Bookmarks | https://www.myinwebo.com/ | List of configured secure sites |
| Admin Console | https://www.myinwebo.com/console/ | Access to Administration Console |
| User's Profile | https://www.myinwebo.com/myinwebo/profile | View/change user's personal information |
| User's Devices/selfcare | https://www.myinwebo.com/myinwebo/devices | View/Add/Remove user's trusted devices |
| VA Enrolment | https://www.myinwebo.com/console/enrole | Default browser token enrolment page |
| Helium Enrolment | https://www.myinwebo.com/console/he/enrole | Helium enrolment page (if applicable)* |
| “Returning” | https://www.myinwebo.com/welcome | Re-enrolment by mail (if applicable)** |

* Please note that 'Helium' (another browser token) is not activated and cannot be activated in an inWebo “Standard Service” (and thus in the inWebo Trial context by default). Helium is part of our “inWebo White Label Service” offer, which is outside the scope of this Getting Started manual.

** The returning user process is disabled by default (it corresponds to the 'Activate a new device per email' setting in the 'Service Parameters' tab). When activated, it allows users to receive an activation email to re-enroll a browser. The advantage is that users won't have to contact the helpdesk/admins in case of a lost or additional device. The drawback is that, from a security point of view, you need to trust email as a secure enough channel for browser re-enrollment. Note though that users need to provide their inWebo PIN/password if your service requires one: email can be used to restore one factor only.