Orion Authenticator
Overview
Orion Authenticator is an advanced authentication solution designed specifically for Apple Mac devices, enabling users to connect seamlessly with the 1Kosmos dashboard. This authenticator leverages a six-digit PIN to securely verify user identities, ensuring safe and instant access to their accounts. By integrating robust security features and a user-friendly interface, users can manage and use their data without compromising on security.
The administrator can install a desktop agent, Orion Authenticator, on a Mac machine to perform the multifactor authentication in organizations where mobile devices are restricted in critical departments. With the Orion authenticator, the administrators can onboard accounts seamlessly and generate passcodes for login.
The Orion authenticator binds to one of the ports 47061 – 47069 on the target system, trying them in sequence. After binding to an open port, the authenticator finds the account associated with the user and onboards it. To onboard the account associated with a user, the community administrator must enable the Orion Authenticator setting in the Adminx interface and can then start the onboarding process from the Devices tab of the My Profile details page. The community administrator can also configure an adaptive auth journey specific to Orion Authenticator and define its rules as required.
After onboarding the account, the administrator can view the details of the device used during onboarding; those details are recorded as an event. In addition, the authenticator writes logs of session activity, such as the port used for onboarding and error details when no port in the range is available. The logs can be found in the ‘/logs/’ directory within the installation path of the agent.
Additionally, the administrator can perform an in-place upgrade by running the installer of a newer version on the target system. This allows the administrator to upgrade the agent directly without uninstalling the existing agent.
Open Ports
The following ports must be open inbound for communication between the endpoint and the authenticator:
Port 47061 – 47069 : One of the ports must be open to identify the connection endpoint.
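The sequential port selection described above, as an added illustration that is not part of the Orion Authenticator product or its documentation: the agent side tries each port of the range in order and keeps the first one it can bind, and the client side lists which ports in the range currently accept a connection, which is the check an administrator can run to confirm the agent is reachable. Binding on loopback and discovery by plain TCP connect are assumptions; the real agent's protocol is not described on this page.

```python
import socket
from typing import Iterable, List, Tuple

# Port range documented for Orion Authenticator (47061 - 47069).
ORION_PORTS = range(47061, 47070)


def bind_first_free(ports: Iterable[int], host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Agent side (assumed behaviour): try each port in order, keep the first that binds.

    Raises OSError when every port in the range is taken, which corresponds to the
    'port not available' error the agent records in its logs.
    """
    errors = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((host, port))
            return sock, port
        except OSError as exc:
            errors.append(f"{port}: {exc}")
            sock.close()
    raise OSError("no free port in range; tried: " + "; ".join(errors))


def listening_ports(ports: Iterable[int], host: str = "127.0.0.1", timeout: float = 0.2) -> List[int]:
    """Client side (assumed behaviour): return every port in the range that accepts a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                found.append(port)
    return found


if __name__ == "__main__":
    # Simulate an agent start-up, then run the reachability check against the range.
    agent_sock, port = bind_first_free(ORION_PORTS)
    agent_sock.listen(1)
    print(f"agent bound to {port}; listeners in range: {listening_ports(ORION_PORTS)}")
    agent_sock.close()
```

If the check lists no port in the range while the agent is running, compare against the port recorded in the agent log and the inbound rules on the machine.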
Prerequisites
Following are the prerequisites for the Orion Authenticator:
System Requirements
- Operating System : macOS 13 and above
- Required Disk Space : 13MB of available disk space
- Open Ports : 47061 – 47069
- Access : Users with Administrative Access
Installing Orion Authenticator
The Orion Authenticator is distributed to customers through the Mobile Device Management (MDM) solution.
Enabling Orion Authenticator
The community administrator can use the Login with Orion Authenticator setting under Authenticator > Orion Authenticator page to enable the Orion Authenticator.
When the setting is enabled, all users in the community can use the Orion Authenticator option under the Setup drop-down menu of their profile; when the setting is disabled, the option is not available.
To enable the Orion authenticator, follow these steps:
- Navigate to the AdminX interface.
- Go to Authentication > Orion Authenticator. The Orion Authenticator page is displayed.
- Turn the Login with Orion Authenticator slider ON.
- Click Save.
Onboarding Accounts
The administrator can use the Orion authenticator to onboard users' accounts. The number of accounts that can be associated with a device is limited by the values configured in the Max number of devices linked to an account and Max number of accounts onboarded on single device settings under Authentication > Passwordless Login on the AdminX interface.
Currently, the Orion authenticator supports onboarding of accounts from the following browsers:
- Safari
- Brave
- Mozilla Firefox
- Microsoft Edge
- Google Chrome
The following section provides information on onboarding accounts through Safari and Google Chrome Browsers.
- Onboarding Accounts Through Safari
- Onboarding Accounts Through Google Chrome
Onboarding Accounts Through Safari
To onboard accounts using the Safari Browser, follow these steps:
- Navigate to the Adminx interface.
- In the Profile icon on the right corner of the page, click the logged-in user name drop-down menu and click My profile.
- Navigate to the Devices tab and under the Setup drop-down menu, click Orion Authenticator.
The system identifies the installed authenticator on the target system and the account associated with the logged-in user of the AdminX interface.
After onboarding the appropriate account, an E_USER_ONBOARDED event is created on the Adminx interface, where the administrator can view the details of the onboarded account.
Onboarding Accounts Through Google Chrome
To onboard accounts using the Google Chrome Browser, follow these steps:
- Navigate to the Adminx interface.
- In the Profile icon on the right corner of the page, click the logged-in user name drop-down menu and click My profile.
- Navigate to the Devices tab and under the Setup drop-down menu, click Orion Authenticator. The interface displays a pop-up notifying users that the agent has been discovered.
- Click Link to onboard the appropriate account.
After linking an account, a pop-up is displayed prompting users to close the window as shown below. The details of the device used to onboard the account are displayed on the Devices tab.
- Navigate to the Devices tab and click on the device name used for onboarding.
Viewing Device Details Used During Onboarding
After successfully onboarding the account, the details of the device used for onboarding can be viewed on the Adminx interface.
To view the details, follow these steps:
- Navigate to the Adminx interface.
- In the Profile icon on the right corner of the page, click the logged-in user name drop-down menu and click My profile.
- In the Devices tab of the My Profile details page, click on the device name that appeared after onboarding the account as shown below.
The device details page consists of two sections:
- Summary : This section displays a high-level summary of the device used during onboarding:
  - Device Name: Name of the device used for onboarding.
  - Onboard On: Date on which the accounts were onboarded.
  - Device ID: ID of the device.
  - User Agent: Agent responsible for performing this event.
- Show Details : Displays the complete details of the event. The following screenshot illustrates the same:
Creating Adaptive Auth Journey For Orion Authenticator
The community administrator can create an adaptive auth journey for the Orion Authenticator to perform the multi-factor authentication. After onboarding an account through the Orion authenticator,
To create an adaptive auth journey, follow these steps:
- In the Adminx interface, navigate to Authentication > Adaptive Authentication.
- Click Add new adaptive auth journey. The Create New Adaptive Auth Journey page is displayed.
- Specify a journey name and associate a rule to it.
- In the MFA Required action, select the Authentication Method as Password & Passcodes from Orion Agent.
- Click Save.
Performing MFA Using OTP Generated from Orion Authenticator
The OTP generated from the Orion authenticator is used while logging into the Adminx interface.
To generate the OTP from Orion Authenticator, follow these steps:
- After onboarding the account through the Orion authenticator, click View your Passcode in the Accounts page as shown below.
- The authenticator generates an OTP and displays it on the Accounts page as shown below. Copy the OTP.
- Log out of the Adminx interface and navigate to the Sign in screen again.
- After entering the username and password, click Next.
- In the Choose an authentication method screen, the journey names configured while creating the adaptive journey are displayed. Click Codes generated by Orion Agent.
- In the Enter your verification code screen, enter the code received from the Orion agent. You will be logged into the Adminx interface.
Viewing Logs
The administrator can view the logs in the ‘/logs/’ directory within the installation path of the agent.
Here’s the path in which you can view the logs:
/Users/{macUser}/Library/Containers/com.onekosmos.orion.mac/Data/Library/Logs/Orion_2024-08-13_17-32-14.log
The logs provide information such as the port selected by the agent, whether the setup process succeeded, and whether the account request was received. The following screenshot illustrates the log details:
Note: The maximum size of a log file before it rolls over to a new file is 30 MB, and up to 10 log files will be retained in the logs directory.
Performing In-place Upgrades
To execute an in-place upgrade, launch the installer for the newer version on the target machine. This process will replace the older binary with the updated agent.
Note: Current enrollments and data will remain intact.
Frequently Asked Questions
Q. Which Mac versions are supported?
A. The supported Mac versions are macOS 13 and above.
Q. What happens when I reset the agent?
A. When you reset the agent, user accounts can be onboarded again using the did and publicKey parameters.
Q. Which browsers allow onboarding accounts?
A. You can use the following browsers to onboard user accounts through Orion Authenticator:
- Google Chrome
- Microsoft Edge
- Mozilla Firefox
- Safari
Q. Why can't I log in using codes generated by the BlockID App?
A. The BlockID app generates codes on a mobile device, so it cannot be used with the desktop authenticator.
Q. What happens when you attempt to onboard accounts into the system where the authenticator is not installed?
A. It is not recommended to onboard accounts into a system where the authenticator is not installed. If you try to onboard an account through the AdminX interface on such a system, a pop-up is displayed alerting users that the agent is unavailable and the account is not onboarded.
Q. What is the maximum number of devices that can be linked to an account?
A. The number of accounts that can be associated with a device is limited by the values configured in the Max number of devices linked to an account and Max number of accounts onboarded on single device settings under Authentication > Passwordless Login on the AdminX interface.
Q. Where can I find the logs related to the Orion Authenticator?
A. You can find the logs in the ‘/logs/’ directory within the installation path of the agent.
Note: The maximum size of a log file before it rolls over to a new file is 30 MB, and up to 10 log files will be retained in the logs directory.
Q. Can I perform an in-place upgrade of the Orion Authenticator?
A. Yes, you can carry out an in-place upgrade by running the installer for the newer version on the target machine that already has the agent installed. This process will overwrite the old binaries with the new version while preserving existing enrollments and data.