TokenValidationValve

Valve for validating a HOTP/TOTP one-time password (OTP) against the token(s) assigned to the user.

This valve supports user lockout. See: PhenixID Authentication Services › Version 2.8 › Solutions › User Lockout in PhenixID Server

Properties

| Name | Description | Default value | Mandatory | Supports property expansion |
| --- | --- | --- | --- | --- |
| userid_param_name | Property containing the username. | User-Name | No | Yes |
| provided_otp_param_name | Property containing the provided OTP value. | | Yes | Yes |
| otp_length | The length of the token one-time password. | 6 | No | No |
| hotp_lookahead | Look-ahead value for HOTP tokens. | 20 | No | No |
| totp_max_drift | Max drift value for TOTP tokens. | 10 | No | No |
| try_legacy_token | Whether this valve should continue to the next valve (LegacyTokenValidationValve) when the OTP fails. | false | No | No |
| try_auto_enroll | Whether this valve should continue to the next valve (TokenAutoEnrollment) for an auto enrollment. | false | No | No |
| check_yubikey | Whether the valve should try YubiKey token validation. | false | No | No |
| debug_token_data | Special debug of token data. Only use in a test environment. | false | No | No |

Example Configuration

{
    "name": "TokenValidationValve",
    "config": {
        "otp_length": "8",
        "hotp_lookahead": "50",
        "totp_max_drift": "10",
        "provided_otp_param_name": "{{request.User-Password}}",
        "userid_param_name": "{{request.User-Name}}",
        "try_legacy_token": "false",
        "try_auto_enroll": "false",
        "check_yubikey": "false"
    }
}

The value for parameter provided_otp_param_name is the provided OTP sent in the request.

The value for userid_param_name is the userid sent in the request.
The most common values for userid_param_name are User-Name for RADIUS and username for HTTP.
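What otp_length and hotp_lookahead control can be shown with a minimal RFC 4226 HOTP validator. This is an added example, not PhenixID code: the function names, the inclusive window and the counter resynchronisation are assumptions, and the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"  # constructed sample: RFC 4226 test key


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def validate_hotp(secret, stored_counter, provided, digits=6, lookahead=20):
    """Return the counter to store after a match, or None if the OTP fails.

    Assumption: counters stored_counter .. stored_counter + lookahead are
    tried; the product's exact window semantics are not stated on the page.
    """
    if len(provided) != digits or not (provided.isascii() and provided.isdigit()):
        return None
    matched = None
    for step in range(lookahead + 1):
        candidate = hotp(secret, stored_counter + step, digits)
        # Constant-time compare; scan the whole window regardless of a hit.
        if hmac.compare_digest(candidate, provided) and matched is None:
            matched = stored_counter + step
    # Advancing past the matched counter makes a replayed OTP fail.
    return None if matched is None else matched + 1


def guess_probability(digits, lookahead):
    """Upper bound on one random guess hitting any code in the window."""
    return (lookahead + 1) / 10 ** digits


if __name__ == "__main__":
    # Token is three button presses ahead of the server-side counter 0.
    new_counter = validate_hotp(RFC_SECRET, 0, "969429")
    print("accepted, new counter:", new_counter)
    print("replay:", validate_hotp(RFC_SECRET, new_counter, "969429", lookahead=5))
    print("outside window:", validate_hotp(RFC_SECRET, 0, "969429", lookahead=2))
    print("6 digits, lookahead 20:", guess_probability(6, 20))
    print("8 digits, lookahead 50:", guess_probability(8, 50))
```

A larger look-ahead tolerates more unused button presses on the token, but every extra counter in the window is one more OTP that would be accepted for a single guess.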

An example of how to configure PhenixID Server for legacy tokens can be found here.

If try_auto_enroll is set to true, users can activate hardware tokens by themselves during login.
After the initial login using uid/password, first enter the serial number of the token, directly followed by an OTP from the token, in the provided OTP box.
Once this is done, the token has been assigned to the user, and at the next login the OTP is provided without the serial number of the token.
NOTE:
When try_auto_enroll is activated, make sure to add the valve "TokenAutoEnrollment" directly after "TokenValidationValve".

Requirements

Item set must have at least one entry.