Add configuration for legacy tokens

This article will describe how to add configuration for legacy tokens.

When making changes to the configuration, please make sure to have a backup of the file or files first.

Overview

If tokens have been used in an earlier authentication solution, we can add configuration to look for that key in the LDAP attribute (or SQL column) that was used to store the legacy token.

With this new configuration the key is retrieved at runtime and stored in the PhenixID server.

This document assumes that there is already configuration in place that uses tokens to generate OTPs, such as the scenario Username, Password & Token generated OTP.

Configuration

Start by choosing the 'Execution flow' tab on the scenario. Then choose the pipe for validation of the OTP (Verify token otp). This is where we will add additional configuration to support legacy tokens. 

Click the 'Add valve' button and add the LDAPSearchValve to the configuration. Click the 'Enabled' checkbox to make the valve runnable.

Add all necessary parameters.

Hint: A valve just like this is already present under the 'Find user and validate password' pipe if you need help configuring it.

Be sure to add the 'attributes' parameter with the user attribute containing the legacy token in your user store.

Make sure that this new valve is the first one, before the TokenValidationValve.

Now open the TokenValidationValve and add a new parameter 'try_legacy_token'.

Click the 'Add valve' button once again and add the LegacyTokenValidationValve to the configuration. This is the valve responsible for both validating the OATH OTP and migrating the legacy token. It must be located after the TokenValidationValve.

Click the 'Enabled' checkbox to make the valve runnable.

Add the parameters shown in the image below. Note that the 'stored_token_attribute' must be the same as the 'attributes' value for LDAPSearchValve.

Click the 'Save' button. After a couple of seconds the newly created configuration is ready to be tested.
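The steps above impose three constraints that are easy to get wrong in the UI: the LDAPSearchValve has to run before the TokenValidationValve, the LegacyTokenValidationValve has to run after it, and the 'stored_token_attribute' value must match the 'attributes' value of the LDAPSearchValve. The following is an added example (not PhenixID code) that checks a pipe definition against those rules before it is saved. The JSON layout of the pipe (a list of valves with "name", "enabled" and "config"), the LDAPSearchValve connection parameters and the sample attribute name legacyToken are assumptions made for the example.

```python
"""Sanity-check the 'Verify token otp' pipe after adding legacy-token support.

Added example, not part of PhenixID. The valve list layout below and the
extra LDAPSearchValve parameters are assumptions modelled on this article.
"""
from typing import Dict, List, Optional

# Constructed sample of the pipe as it should look after following the steps.
SAMPLE_PIPE = {
    "id": "verify_token_otp",
    "valves": [
        {"name": "LDAPSearchValve", "enabled": "true",
         "config": {"connection_ref": "ldap_users",            # assumed parameter
                    "base_dn": "ou=users,dc=example,dc=com",   # assumed parameter
                    "attributes": "legacyToken"}},
        {"name": "TokenValidationValve", "enabled": "true",
         "config": {"try_legacy_token": "true"}},
        {"name": "LegacyTokenValidationValve", "enabled": "true",
         "config": {"stored_token_attribute": "legacyToken"}},
    ],
}

# Constructed sample with two of the mistakes the article warns about:
# wrong valve order and a 'stored_token_attribute' that does not match 'attributes'.
BROKEN_PIPE = {
    "id": "verify_token_otp",
    "valves": [
        {"name": "TokenValidationValve", "enabled": "true",
         "config": {"try_legacy_token": "true"}},
        {"name": "LDAPSearchValve", "enabled": "true",
         "config": {"attributes": "otpSeed"}},
        {"name": "LegacyTokenValidationValve", "enabled": "true",
         "config": {"stored_token_attribute": "legacyToken"}},
    ],
}


def _find(valves: List[Dict], name: str) -> Optional[Dict]:
    """Return the first valve with the given name, or None."""
    for valve in valves:
        if valve.get("name") == name:
            return valve
    return None


def check_legacy_token_pipe(pipe: Dict) -> List[str]:
    """Return a list of problems; an empty list means the pipe follows the article's rules."""
    problems: List[str] = []
    valves = pipe.get("valves", [])
    order = [v.get("name") for v in valves]

    required = ("LDAPSearchValve", "TokenValidationValve", "LegacyTokenValidationValve")
    found = {name: _find(valves, name) for name in required}
    for name, valve in found.items():
        if valve is None:
            problems.append(f"missing {name}")
        elif str(valve.get("enabled", "false")).lower() != "true":
            problems.append(f"{name} is not enabled")

    ldap, token, legacy = (found[n] for n in required)

    # Ordering: LDAPSearchValve before TokenValidationValve, Legacy... after it.
    if ldap and token and order.index("LDAPSearchValve") > order.index("TokenValidationValve"):
        problems.append("LDAPSearchValve must be placed before TokenValidationValve")
    if legacy and token and order.index("LegacyTokenValidationValve") < order.index("TokenValidationValve"):
        problems.append("LegacyTokenValidationValve must be placed after TokenValidationValve")

    # TokenValidationValve needs the new 'try_legacy_token' parameter.
    if token and "try_legacy_token" not in token.get("config", {}):
        problems.append("TokenValidationValve is missing the 'try_legacy_token' parameter")

    # The attribute searched for must be the one the legacy valve reads.
    if ldap and legacy:
        attributes = ldap.get("config", {}).get("attributes", "")
        stored = legacy.get("config", {}).get("stored_token_attribute")
        # 'attributes' is treated as a comma-separated list here (assumption).
        fetched = [a.strip() for a in attributes.split(",") if a.strip()]
        if not fetched:
            problems.append("LDAPSearchValve has no 'attributes' parameter")
        elif not stored:
            problems.append("LegacyTokenValidationValve has no 'stored_token_attribute' parameter")
        elif stored not in fetched:
            problems.append(
                f"'stored_token_attribute' ({stored}) is not among LDAPSearchValve "
                f"'attributes' ({attributes})")
    return problems


if __name__ == "__main__":
    for label, pipe in (("sample", SAMPLE_PIPE), ("broken", BROKEN_PIPE)):
        print(label, check_legacy_token_pipe(pipe) or "OK")
```

Run it against an export of the pipe before clicking 'Save'; an empty result means the valve order and the shared attribute name line up with the steps in this article.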