PhenixID Self Service

PhenixID Self Service includes features to allow user to active themselves for strong authentication with one-time password (OTP). OTP methods allowed to be activated are OTP via SMS, Voice or mail or generated with an mobile app or hardware token device.

In this scenario you will configure:

  • Configure a connection to the LDAP store where the users are
  • Choose methods available for users to activate

Start configuring by clicking "Scenarios"-> "Create scenario" ->"PhenixID Self Service" -> "Start".

Configuring a datasource

First time configuration a new data source needs to be created. This will be used as source of authentication and user lookup.

If a datasource already is configured administrator can select it from the dropdown an proceed to next step.

 

 

Start by entering name an description for the new data source.

 

Configure host and port. For multiple hosts use comma as delimiter.

Enter user credentials to be used. Make sure the configured account has appropriate access rights in the data source.

Configure security settings for accessing the data source. Often to enable SSL this require additional configuration on the data source.

If possible verify connection settings.

Configure tokenenrollment

Configure type of tokens that is going to be used.

If using hardware tokens make sure to enable the hardware token module. How this is done is described in Import hardware tokens .

To use One Touch, One Touch must be configured in advance using the One Touch guide.

Configure attributes

Last screen in the configuration lets administrators configure attribute settings and where users resides in the data source.

  • Search base defines the starting point in the directory tree structure from where searches are made. Search is done with scope "SUB". This value is mandatory with LDAP DN as required syntax
  • Email attribute should point to the attribute containing the email value in the directory. This attribute must be a single value attribute. Leave blank to omit.
  • Mobile attribute should point to the attribute containing the mobile value in the directory. This attribute must be a single value attribute. Leave blank to omit.
  • Username attribute should point to the attribute containing the email value users use to identify themselves  This attribute must be a single value attribute.
  • Displayname attribute should point to the attribute containing the user friendly name display name. This attribute must be a single value attribute.

 

Summary

Before anything is saved/updated administrator must accept the last step.

By clicking save system configuration is updated.

Verify result by pointing the browser to  http(s)://<host>:<port>/otpenrollment/ and login.

OTP length other than 6

By default the system assumes an otp length of 6.

If tokens have another length than default, the parameter:

"otp_length" : "<length>"

must be configured on the Prism OTPEnrollment module (under NODES).

Example:

"userLookUpPipe" : "enrollmentuserLookUpPipe",
            "userUpdatePipe" : "enrollmentuserUpdatePipe",
            "userNameAttribute" : "sAMAccountName",
            "otp_length" : "8",
            "displayNameAttribute" : "cn",

Additional information

To edit the the current configuration click "Scenarios"-> "PhenixID Self Service" -> "Edit".

To delete the entire "Scenarios"-> "PhenixID Self Service" -> "Delete".