PhenixID Self Service

The PhenixID Self Service application includes features that allow users to activate themselves for strong authentication with one-time passwords (OTP). The OTP methods that can be activated are OTP via SMS, voice or mail, OTP generated by a mobile app (PhenixID Pocket Pass), and OTP generated by a hardware token device. Self Service also contains user enrollment for One Touch.

In this guide you will:

  • Configure a connection to the LDAP store where the users are
  • Choose the methods available for users to activate

Start guide

Start the guide by clicking the '+' sign on the Self Service menu item.

Guide steps

You navigate the guide using the previous and next buttons at the bottom of the page. You can also choose to cancel the guide at any time (information entered will be lost).


User store selection

Select an existing connection to an LDAP user store or create a new one.

To create a new connection, follow the steps in the LDAP connection guide.


Search settings

Enter the search base manually, or select it with Choose. The search base is the starting point in the directory tree from which searches are made. Searches are done with scope "SUB". This value is mandatory and must be an LDAP DN.

Also enter the attribute that identifies your users (such as uid, mail or sAMAccountName).
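The search described above, as an added example that is not PhenixID code: it assembles the lookup from the configured search base and user identifier attribute, with the username escaped per RFC 4515 so that a value typed at the login form cannot widen the filter. The DN check is a simplified assumption, not a full RFC 4514 parser.

```python
"""Added example (not PhenixID code): the LDAP user lookup described in the
Search settings step, built from the search base, the user identifier
attribute and a user-supplied username."""
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Simplified DN shape (assumption): comma-separated attr=value pairs.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(id_attribute: str, username: str) -> str:
    """Return '(attr=value)' with the attribute name validated and the value escaped."""
    if not _ATTR_RE.match(id_attribute):
        raise ValueError(f"invalid attribute name: {id_attribute!r}")
    return f"({id_attribute}={escape_filter_value(username)})"


def build_user_search(search_base: str, id_attribute: str, username: str) -> dict:
    """Assemble the search the application would run: base DN, scope SUB, filter."""
    base = search_base.strip()
    if not _DN_RE.match(base):
        raise ValueError("search base must be an LDAP DN, e.g. ou=users,dc=example,dc=com")
    return {
        "base": base,
        "scope": "SUB",  # the guide states that searches use scope SUB
        "filter": build_user_filter(id_attribute, username),
    }


if __name__ == "__main__":
    # Constructed inputs matching the attribute names the guide mentions.
    print(build_user_search("ou=users,dc=example,dc=com", "uid", "alice"))
    # A hostile username is neutralised instead of widening the search.
    print(build_user_search("ou=users,dc=example,dc=com", "uid", "*)(objectClass=*"))
```

The resulting dictionary maps directly onto a directory client call (for example ldap3's `search(base, filter, search_scope=SUBTREE)`); the point is that the filter value is escaped before the username ever reaches the directory.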


Attributes settings

Configure the names of the attributes that are visible to and/or editable by the user.

  • First name should name the attribute containing the user's first name. This attribute must be a single-value attribute.
  • Last name should name the attribute containing the user's last name. This attribute must be a single-value attribute.
  • Email should name the attribute containing the email value in the directory. This attribute must be a single-value attribute. Leave blank to omit.
  • Mobile should name the attribute containing the mobile value in the directory. This attribute must be a single-value attribute.

Note: The username attribute was configured in the previous step; it is always visible and never editable.


Features

Enable application features. If no feature is enabled, users can only view and/or edit their basic information (configured in the previous step).

Features:

  • PIN: PIN enrollment
  • Prefetch OTP: Create and download one-time passwords (emergency OTP)
  • Pocket Pass: Enrollment for the OATH-based Pocket Pass mobile application
  • Hardware tokens: Enrollment for hardware tokens. When enabling hardware tokens, make sure to enable the hardware token module. How this is done is described in Import hardware tokens.
  • One Touch: Enrollment for the PKI-based One Touch mobile application

Note: The One Touch feature can only be enabled if One Touch is configured and enabled using the One Touch guide.


PIN feature


Prefetch OTP feature


Pocket Pass feature


Hardware tokens feature


One Touch feature

If One Touch is enabled, an informational step is displayed.

Note: One Touch is configured in a separate guide.


Network settings

If online provisioning is enabled for Pocket Pass, or if One Touch is enabled, the external URL of the server must be configured. The external URL is used to construct the URL that points back to this application and is used by the Pocket Pass and One Touch clients.

For more information, see Server external URL.


Finish

When the guide is completed, click Create to create your configuration.


When completed, the Self Service guide configuration will appear below the Self Service menu item.

Note: It is only possible to configure one Self Service instance using the guide.

Edit guide configuration

You can edit and delete your Self Service configuration by selecting it in the left-hand menu.

When you click save, the configuration will be updated and the server will instantly restart affected components to apply your changes.

Delete removes all configuration created by the guide, but not shared components (i.e. components that could be used by other configurations, such as connections).


General

General application settings.

Use the application link to open the Self Service application in a new browser window. Please note that depending on how your network is configured, the link may not work.

  • Name: Logical name of the application (displayed in the left-side menu).
  • Description: Application description
  • Connection: User store connection. To add a new connection, use the LDAP connection guide and then choose the new connection.
  • URI: The HTTP context (path) of the application. Must be unique in the current configuration (i.e. not in use by another application) and start with a '/'
  • ID: Internal configuration ID
  • Created: Timestamp when the configuration was created

LDAP Settings


  • Search base: DN to use as the base for user searches. Add manually or use Choose to browse your directory.
  • User identifier attribute: Attribute identifying users. Used for bind during login and visible in the application.

Attributes

Configure user attributes

  • Field display name: User attribute display name (read only)
  • Field attribute name: Userstore attribute
  • Visible: Let users see this attribute
  • Editable: Let users edit this attribute

Note: Username attribute is configured in LDAP Settings view and is always visible and never editable


Pin Code

Enable and configure PIN Code enrollment

  • Attribute: The user store attribute used for storing the PIN

Prefetch OTP

Enable and configure Prefetch OTP. Prefetch OTPs are one-time passwords that are created in advance and downloaded by a user to be used for authentication.

  • OTP Length: Length of each OTP
  • Number of OTPs: Number of prefetch OTPs a user can create
  • Require OTPs to be used in the defined order: If enabled, OTPs must be used in the same order as they are listed when downloaded
  • Default number of days OTPs are valid: How many days the OTPs are valid after they have been created/downloaded.
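The four settings above define the lifecycle of a prefetch OTP set. The following is an added example, not PhenixID code, showing what a verifier has to enforce: a fixed number of OTPs of the configured length, each usable once, optionally only in the listed order, and none after the validity period has passed. The numeric alphabet, salted-hash storage and Unix-second timestamps are assumptions of this example.

```python
"""Added example (not PhenixID code): generating and consuming a prefetch
OTP set with length, count, ordered-use and validity-period settings."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86_400


def generate_prefetch_otps(count: int, length: int) -> list:
    """Numeric OTPs from a CSPRNG (assumption: the product's alphabet may differ)."""
    if count < 1 or length < 4:
        raise ValueError("need at least one OTP of at least 4 digits")
    return ["".join(secrets.choice(string.digits) for _ in range(length)) for _ in range(count)]


@dataclass
class PrefetchOtpSet:
    salt: bytes
    hashes: list        # salted SHA-256 digests, one per OTP, in download order
    created: float      # Unix seconds at creation/download
    valid_days: int
    ordered: bool
    used: list = field(default_factory=list)

    @classmethod
    def create(cls, count: int, length: int, valid_days: int, ordered: bool, now: float):
        """Create a set; returns (plaintext OTPs for the user's download, stored set)."""
        otps = generate_prefetch_otps(count, length)
        salt = secrets.token_bytes(16)
        otp_set = cls(salt=salt, hashes=[cls._digest(salt, o) for o in otps],
                      created=now, valid_days=valid_days, ordered=ordered,
                      used=[False] * count)
        return otps, otp_set

    @staticmethod
    def _digest(salt: bytes, otp: str) -> bytes:
        # Short numeric OTPs are brute-forceable offline if the store leaks;
        # the per-set salt at least prevents precomputation across users.
        return hashlib.sha256(salt + otp.encode()).digest()

    def expired(self, now: float) -> bool:
        return now > self.created + self.valid_days * SECONDS_PER_DAY

    def verify(self, otp: str, now: float) -> bool:
        """Consume one OTP. True at most once per OTP, never after expiry."""
        if self.expired(now):
            return False
        digest = self._digest(self.salt, otp)
        unused = [i for i, u in enumerate(self.used) if not u]
        # Ordered mode: only the next unused OTP in download order is acceptable.
        candidates = unused[:1] if self.ordered else unused
        for i in candidates:
            if hmac.compare_digest(self.hashes[i], digest):
                self.used[i] = True
                return True
        return False

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    otps, otp_set = PrefetchOtpSet.create(count=10, length=8, valid_days=30,
                                          ordered=True, now=1_700_000_000.0)
    print("download:", otps)
    print("second OTP first:", otp_set.verify(otps[1], now=1_700_000_000.0))  # rejected
    print("first OTP:", otp_set.verify(otps[0], now=1_700_000_000.0))         # accepted
```

Only the plaintext list returned by `create` is ever shown to the user; the stored set keeps hashes, so the download is the single copy of the OTPs, which is why the validity period should be short.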

Pocket Pass

Enable and configure Pocket Pass enrollment.

  • Issuer: Name of the organization or unit issuing the token. Identifies the token (key) in the Pocket Pass client in combination with the username.
  • Default number of days a Pocket Pass token is valid: How long a token is valid after it has been enrolled.
  • Use online provisioning: Turns online key provisioning on or off (see below)

Hardware token

Enable and configure user enrollment of hardware tokens.

  • Use default number of days hardware tokens are valid: Enable lifespan for hardware tokens
  • Default number of days hardware tokens are valid: Number of days a token is valid after enrollment

One Touch

Enable the One Touch extension of Self Service.

Note: One Touch is configured in a separate guide.


Advanced

In the Advanced settings tab you can configure an application-specific HTTP listener.

  • Port: Must be a valid port number that is either unused or already used for HTTP by this server instance. If an already configured port is reused, this listener inherits that port's SSL/TLS settings.
  • Use SSL/TLS: Enables SSL/TLS for this listener

Online key provisioning

When using software tokens, online key provisioning can be enabled. This setting changes how the token key is distributed to the client. In offline mode, the QR-code scanned during enrollment contains the key. In online mode, the QR-code instead contains a one-time URI to the key. This makes it harder for the enrolling user to misbehave and save the key for later use (i.e. install it on multiple devices).

When online provisioning is enabled, the Self Service application must be reachable from the client/device network (i.e. the Internet). Technically this can be done in many ways, but in every solution the application must know the external address the client will use to connect to the server, in order to build the URI used for key download. The external address must contain the following parts:

  • scheme (http/https)
  • host (name or ip)
  • port (if not using standard ports 80/443)
  • path (a logical path that is forwarded to the root of the PhenixID server)

When the application builds the key download URI, it appends the internal (known) path to the external address. The external address must therefore not contain the internal paths of the PhenixID server.

Note: It is important to use secure communication (SSL/TLS) when using online key provisioning, otherwise the key will be visible on the network.
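The mechanism described in this section, as an added example that is not PhenixID code: an external address is checked for the parts listed above (scheme, host, optional port, path, and no internal path), the internal path is appended to build a one-time key download URI, and the key can be fetched exactly once within a short window. `INTERNAL_KEY_PATH`, the token format and the time-to-live are assumptions of this example.

```python
"""Added example (not PhenixID code): building and redeeming the one-time
key download URI used by online key provisioning."""
import secrets
from urllib.parse import urlsplit

INTERNAL_KEY_PATH = "/selfservice/key"  # hypothetical internal path appended by the app


def external_url_problems(external: str, require_tls: bool = True) -> list:
    """Return the reasons an external address is unusable (empty list = acceptable)."""
    problems = []
    parts = urlsplit(external)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    elif require_tls and parts.scheme != "https":
        # The key travels over this URL, so plain http exposes it on the network.
        problems.append("online provisioning should use https")
    if not parts.netloc:
        problems.append("host (and port, if not 80/443) is required")
    if parts.query or parts.fragment:
        problems.append("external address must not carry a query or fragment")
    if INTERNAL_KEY_PATH in parts.path:
        problems.append("external address must not include the internal path")
    return problems


class KeyProvisioningStore:
    """Holds enrolled keys until the client fetches each one exactly once."""

    def __init__(self, external: str, ttl_seconds: int = 300):
        problems = external_url_problems(external)
        if problems:
            raise ValueError("; ".join(problems))
        self._base = external.rstrip("/")
        self._ttl = ttl_seconds
        self._pending = {}  # token -> (key bytes, expiry in Unix seconds)

    def issue(self, key: bytes, now: float) -> str:
        """Register a freshly enrolled key and return the URI to embed in the QR code."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (key, now + self._ttl)
        return f"{self._base}{INTERNAL_KEY_PATH}/{token}"

    @staticmethod
    def token_from_uri(uri: str) -> str:
        return uri.rsplit("/", 1)[1]

    def redeem(self, token: str, now: float):
        """Return the key on the first valid fetch; None afterwards or after expiry."""
        entry = self._pending.pop(token, None)  # removed on first use: a second fetch fails
        if entry is None:
            return None
        key, expires = entry
        return key if now <= expires else None


if __name__ == "__main__":
    store = KeyProvisioningStore("https://mfa.example.com:8443/phenixid")
    uri = store.issue(b"constructed-key-material", now=1000.0)
    print("QR code content:", uri)
    token = KeyProvisioningStore.token_from_uri(uri)
    print("first fetch:", store.redeem(token, now=1010.0))
    print("second fetch:", store.redeem(token, now=1011.0))
```

Contrast this with offline mode, where the QR code itself carries the key: here the QR code is only a pointer that stops working after one download, which is what limits a user's ability to install the same key on several devices.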