TokenValidationValve
Valve for validating a HOTP/TOTP one-time password (otp) against the token(s) assigned to the user.
This valve supports user lockout. See: PhenixID Authentication Services › Version 2.8 › Solutions › User Lockout in PhenixID Server
Properties
Example Configuration
{
  "name": "TokenValidationValve",
  "config": {
    "otp_length": "8",
    "hotp_lookahead": "50",
    "totp_max_drift": "10",
    "provided_otp_param_name": "{{request.User-Password}}",
    "userid_param_name": "{{request.User-Name}}",
    "try_legacy_token": "false",
    "try_auto_enroll": "false",
    "check_yubikey": "false"
  }
}
The value for parameter provided_otp_param_name is the provided otp sent in the request.
The value for userid_param_name is the userid sent in the request.
Most common values for userid_param_name are User-Name for RADIUS and username for HTTP.
Example on how to configure PhenixID Server for legacy token can be found here.
If try_auto_enroll is set to true, users can activate hardware tokens by themselves during login.
After the initial login using uid/password, the user enters the serial number of the token, directly followed by an otp from the token, in the provided otp box.
When this is done the token is assigned to the user, and at the next login the otp is provided without the serial number of the token.
NOTE:
When try_auto_enroll is activated, make sure to add the valve "TokenAutoEnrollment", directly after "TokenValidationValve".
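As an added illustration (not PhenixID's own code), the Python below models how the numeric settings above shape validation: otp_length as the digit count, hotp_lookahead as the window of event counters tried, and totp_max_drift as the window of time steps accepted, plus the serial+otp input used during auto-enrollment. The HOTP function follows RFC 4226 (HMAC-SHA1) and the secret is the RFC test-vector seed; the 30-second time step and the rule that the last otp_length characters are the otp are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector seed.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits (the otp_length setting)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def validate_hotp(secret: bytes, provided: str, stored_counter: int, lookahead: int, digits: int):
    """Event-based token. Tries counters stored_counter .. stored_counter + lookahead
    (the hotp_lookahead window) so codes generated but never submitted do not lock
    the user out. Returns the counter to store next (one past the match) or None."""
    for counter in range(stored_counter, stored_counter + lookahead + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), provided):
            return counter + 1  # the matched and earlier counters are never accepted again
    return None

def validate_totp(secret: bytes, provided: str, now: int, max_drift: int, digits: int, step: int = 30) -> bool:
    """Time-based token. Accepts the code of any time step within +/- max_drift steps
    of `now` (the totp_max_drift window); the 30-second step is an assumption."""
    current = now // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), provided)
        for delta in range(-max_drift, max_drift + 1)
    )

def split_enrollment_input(provided: str, otp_length: int):
    """Auto-enrollment: the user types the token serial directly followed by an otp
    in the otp field. Assumed split rule: the last otp_length characters are the otp,
    the rest is the serial. Returns (serial, otp), or None when no serial is present."""
    if len(provided) <= otp_length:
        return None
    return provided[:-otp_length], provided[-otp_length:]

if __name__ == "__main__":
    print(validate_hotp(SECRET, "969429", 0, 50, 6))   # 4 (counter 3 matched)
    print(validate_totp(SECRET, "94287082", 59, 0, 8))  # True (RFC 6238 vector)
    print(split_enrollment_input("SN0012345" + "755224", 6))
```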
Requirements
Item set must have at least one entry.