PhenixID Self Service
PhenixID Self Service application includes features to allow user to active themselves for strong authentication with one-time password (OTP). OTP methods allowed to be activated are OTP via SMS, Voice or mail or generated with an mobile app (PhenixID Pocket Pass) or hardware token device. Self Service also contains user enrollment for One Touch.
In this guide you will configure:
- Configure a connection to the LDAP store where the users are
- Choose methods available for users to activate
Start guide by clicking the '+' sign on the Self Service menu item
You navigate the guide using the previous and next buttons at the bottom of the page. You can also choose to cancel the guide at any time (information entered will be lost).
User store selection
Select an existing connection to an LDAP user store or create new.
To create a new connection, follow the steps in the LDAP connection guide.
Manually enter or select by using Choose the search base to use. Search base is the starting point in the directory tree structure from where searches are made. Search is done with scope "SUB". This value is mandatory with LDAP DN as required syntax.
Also enter the attribute identifying your users (like uid, mail or samaccountname).
Configure name of the attributes visible and/or editable by the user.
- First name should name the attribute containing the users first name. This attribute must be a single value attribute.
- Last name should name the attribute containing the users last name. This attribute must be a single value attribute.
- Email should name the attribute containing the email value in the directory. This attribute must be a single value attribute. Leave blank to omit.
- Mobile should name the attribute containing the mobile value in the directory. This attribute must be a single value attribute.
Note: Username attribute was configured in previous step, is always visible and never editable.
Enable application features. If no feature is enabled, users can only view and/or edit their basic information (configured in previous step).
- PIN: PIN enrollment
- Prefetch OTP: Create and download onetime passwords (emergency OTP)
- Pocket Pass: Enrollment for OATH based Pocket Pass mobile application
- Hardware tokens: Enrollment for hardware tokens. When enabling hardware tokens, make sure to enable the hardware token module. How this is done is described in Import hardware tokens .
- One Touch: Enrollment for PKI based One Touch mobile application
Note: The One Touch feature can only be enabled if One Touch is configured and enabled using the One Touch guide.
Prefetch OTP feature
Pocket Pass feature
Hardware tokens feature
One Touch feature
If One Touch is enabled an informational step is displayed.
Note: One Touch is configured in a separate guide.
If online provisioning is enabled for Pocket Pass or if OneTouch is enabled, the external URL of the server must be configured. The external URL is used for constructing URL that points back to this application used by Pocket Pass and One Touch clients.
For more information, see Server external URL.
When guide is completed, click Create to create your configuration.
Edit guide configuration
You can edit and delete your self service configuration by selecting it in the lefthand menu.
When you click save, the configuration will be updated and the server will instantly restart affected components to apply your changes.
Delete removes all configuration created by the guide but not shared components (i.e components that could be used by other configurations like connections).
General application settings.
Use the application link to open the Self Service application in a new browser window. Please note that depending on how your network is configured, the link may not work.
- Name: Logical name of application (displayed in left side menu).
- Description: Application description
- Connection: User store connection. To add a new connection, use the LDAP connection guide and then choose the new connection.
- URI: The http context (path) to the application. Must be unique in the current configuration (i.e not in use by another application) and start with a '/'
- ID: Internal configuration ID
- Created: Timestamp when configuration was created
- Search base: DN to use as base for user search. Add manually or use Choose to browse your directory.
- User identifier attribute: Attribute identifying users. Used for bind during login and visible in application.
Configure user attributes
- Field display name: User attribute display name (read only)
- Field attribute name: Userstore attribute
- Visible: Let users see this attribute
- Editable: Let users edit this attribute
Note: Username attribute is configured in LDAP Settings view and is always visible and never editable
Enable and configure PIN Code enrollment
- Attribute: The userstore attribute used for storing the pin
Enable and and configure Prefetch OTP. Prefetch OTPs are one time password that are created in advance and downloaded by a user to be used for authentication.
- OTP Length: Length of OTP
- Number of OTPs: Number of prefetch OTPs a user can create
- Require OTPs to be used in the defined order: If enabled, OTPs must be used in the same order as they are defined when downloaded
- Default number of days OTPs are valid: How many days the OTPs are valid after they have been created/downloaded.
Enable and configure Pocket Pass enrollment.
- Issuer: Name of organization or unit issuing the token. Identifies the the token (key) in the Pocket Pass client in combination with username.
- Default number of days a Pocket Pass token is valid: How long a token valid after it has been enrolled.
- Use online provisioning: Turns on or off online key provisioning (see below)
Enable and configure user enrollment of hardware tokens.
- Use default number of days hardware tokens are valid: Enable lifespan for hardware tokens
- Default number of days hardware tokens are valid: Number of days a token is valid after enrollment
Enable the One Touch extension of Self Service.
Note: One Touch is configured in a separate guide.
In the advanced settings tab you can configure an application specific HTTP listener.
- Port: Must be a valid port number and an unused port or a port used for HTTP by this server instance. If reusing an already configured port, this port will inherit SSL/TLS settings.
- Use SSL/TLS: Enables SSL for this listener
Online key provisioning
When using software tokens, online key provisioning can be enabled. This setting changes how the token key is distributed to the client. In offline mode, the QR-code scanned during enrollment contains the key. In online mode, the QR-code instead contains a one-time URI to the key. This makes it harder for the enrolling user to misbehave and save the key for later use (i.e. install it on multiple devices).
When online provisioning is enabled, the selfservice application must be available on the client/device network (i.e Internet). Technically this can be done in many ways, but in all solutions the application must know the external address the client will use to connect to the server to be able to build the URI used for key download. The external address must contain the following parts:
- scheme (http/https)
- host (name or ip)
- port (if not using standard ports 80/443)
- path (a logical path that is forwarded to the root of the PhenixID server)
When the application builds the key download URI, it will append the internal (known) path to the external address. The external address must therefor not contain the internal paths of the PhenixID server.
Note: It is important to use secure communication (SSL/TLS) when using online key provisioning, otherwise the key will be visible on the network.
Multiple Self Service applications
Some environments might have a use for multiple Self Service applications.
The scenario guide will support the configuration, but an extra first panel will be presented during the configuration. This first panel will contain the properties to differentiate this webapp from the default one.