PhenixID Verify User Identity
Following the steps below creates a service to verify the identity of a user who is calling in to the Help-desk or other functions in your organisation.
The user's available verification methods will be displayed, and the person handling the call can select one of them to verify the identity of the user.
Requirements
- All methods to be used shall be configured
Step 1 - Authentication - HTTP
Add the following configuration to “Authentication - HTTP”
{
"alias": "phxverifyunpw",
"name": "PostUidAndPassword",
"id": "phxverifyunpw",
"displayName": "Username Password",
"configuration": {
"errorURL": "/error/myerrorpage.html",
"loginTemplate": "login.template",
"successURL": "/phxverify/authenticate/phxverify",
"pipeID": "UserLookupAndAuthWithLDAP"
}
},
{
"alias": "phxverify",
"name": "Registration",
"id": "phxverify",
"configuration": {
"stages": [
{
"pipeid": "phxverify-username",
"template": "phxverify",
"sessionValues": [
"roles"
],
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.userid"
]
},
{
"pipeid": "phxverify-verifychoice",
"template": "phxverify",
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles"
],
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.userid",
"phxverify.messages.noot",
"phxverify.messages.ot",
"phxverify.messages.nosms",
"phxverify.messages.sms",
"phxverify.messages.nomail",
"phxverify.messages.mail",
"phxverify.messages.nopp",
"phxverify.messages.pp",
"phxverify.messages.cancel"
]
},
{
"pipeid": "phxverify-verifyOTP",
"template": "phxverify",
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.enterotp",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.userid",
"phxverify.messages.noot",
"phxverify.messages.ot",
"phxverify.messages.otstatus",
"phxverify.messages.nosms",
"phxverify.messages.sms",
"phxverify.messages.nomail",
"phxverify.messages.mail",
"phxverify.messages.nopp",
"phxverify.messages.pp",
"phxverify.messages.cancel"
],
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"givenname",
"sn",
"mobile",
"username",
"mail",
"roles"
]
},
{
"pipeid": "phxverify-complete",
"template": "phxverify",
"translation": [
"phxverify.messages.information.title",
"phxverify.messages.username",
"phxverify.messages.enterotp",
"phxverify.messages.givenname",
"phxverify.messages.snname",
"phxverify.messages.mobile",
"phxverify.messages.mail",
"phxverify.messages.userid",
"phxverify.messages.noot",
"phxverify.messages.ot",
"phxverify.messages.otstatus",
"phxverify.messages.nosms",
"phxverify.messages.sms",
"phxverify.messages.nomail",
"phxverify.messages.mail",
"phxverify.messages.nopp",
"phxverify.messages.pp",
"phxverify.messages.cancel",
"phxverify.messages.userverified"
],
"sessionValues": [
"phxverify-disabled-token",
"phxverify-disabled-sms",
"phxverify-disabled-ot",
"phxverify-disabled-mail",
"givenname",
"sn",
"mobile",
"username",
"mail",
"phxverify-newstatus",
"roles"
]
}
]
}
}
Step 2 - Pipes
Add the following configuration to “Pipes”
{
"id": "UserLookupAndAuthWithLDAP",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "replace-ldap-ref",
"base_dn": "replace-base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "sAMAccountName={{request.username}}",
"attributes": ""
}
},
{
"name": "LDAPBindValve",
"config": {
"connection_ref": "replace-ldap-ref",
"password_param_name": "password"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "roles",
"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "phxverify-username",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "replace-ldap-ref",
"base_dn": "replace-base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "sAMAccountName={{request.username}}",
"attributes": "mobile,givenname,sn,mail"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User does not exist",
"exec_if_expr": "flow.items().isEmpty()"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "Multiple users found",
"skip_if_expr": "flow.isSingle()"
}
},
{
"name": "GetTokenExistsValve",
"config": {
"username_attribute": "username",
"token_type": "OATH",
"get_value_attribute_key": "OATH"
}
},
{
"name": "GetTokenExistsValve",
"config": {
"username_attribute": "username",
"token_type": "PKI",
"get_value_attribute_key": "PKI"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "OATH",
"value": "{{item.OATH}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "PKI",
"value": "{{item.PKI}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "username",
"value": "{{request.username}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "mobile",
"value": "{{item.mobile}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"dest_id": "{{session.pki_user}}",
"name": "givenname",
"value": "{{item.givenName}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "sn",
"value": "{{item.sn}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "mail",
"value": "{{item.mail}}"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "phxverify-disabled-sms",
"value": "disabled",
"exec_if_expr": "",
"skip_if_expr": "flow.items().get(0).containsProperty('mobile')"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "phxverify-disabled-mail",
"value": "disabled",
"exec_if_expr": "",
"skip_if_expr": "flow.items().get(0).containsProperty('mail')"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "phxverify-disabled-token",
"value": "disabled",
"exec_if_expr": "flow.property('OATH').equals('false')"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "phxverify-disabled-ot",
"value": "disabled",
"exec_if_expr": "flow.property('PKI').equals('false')"
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "phxverify-verifychoice",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "{{request.session_id}}"
}
},
{
"name": "OTPGeneratorValve",
"config": {
"length": "6",
"alpha_numeric": "false",
"name": "generated_otp",
"valid_time_in_seconds": "300",
"exec_if_expr": "",
"skip_if_expr": ""
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "generated_otp",
"value": "{{item.generated_otp}}",
"skip_if_expr": ""
}
},
{
"name": "OTPBySMSValve",
"config": {
"gw_username": "replace-gw_username",
"gw_password": "replace-gw_password",
"recipient_param_name": "{{session.mobile}}",
"generated_otp_name": "generated_otp",
"use_flash": "true",
"exec_if_expr": "request.get('type').contains('sms')",
"skip_if_expr": ""
}
},
{
"name": "OTPBySMTPValve",
"config": {
"smtp_settings": "replace-smtp",
"start_tls_enabled": "true",
"userid_param_name": "{{session.username}}",
"mail_param_name": "{{session.mail}}",
"exec_if_expr": "request.get('type').contains('mail')"
}
},
{
"name": "IssueAssignmentValve",
"config": {
"userNameParameter": "{{session.username}}",
"serviceName": "Phenixid",
"authMessage": "Verify your user ID",
"serviceMessage": "",
"exec_if_expr": "request.get('type').contains('ot')"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "ot_verify",
"value": "{{item.assignmentid}}",
"exec_if_expr": "request.get('type').contains('ot')",
"skip_if_expr": ""
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "phxverify-verifyOTP",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "{{request.session_id}}"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "username",
"value": "{{session.username}}"
}
},
{
"name": "OTPValidationValve",
"config": {
"provided_otp_param_name": "{{request.otp}}",
"generated_otp_param_name": "generated_otp",
"proceed_on_error": "true",
"exec_if_expr": "request.get('type').contains('sms')"
}
},
{
"name": "OTPValidationValve",
"config": {
"provided_otp_param_name": "{{request.otp}}",
"generated_otp_param_name": "generated_otp",
"proceed_on_error": "true",
"exec_if_expr": "request.get('type').contains('mail')"
}
},
{
"name": "TokenValidationValve",
"config": {
"provided_otp_param_name": "{{request.otp}}",
"otp_length": "6",
"userid_param_name": "{{item.username}}",
"exec_if_expr": "request.get('type').contains('token')"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "Wrong verification code",
"exec_if_expr": "attributes.user_authenticated === false"
}
},
{
"name": "AssignmentStatusValve",
"config": {
"id": "{{session.ot_verify}}",
"dest": "userverifiedot",
"exec_if_expr": "request.get('type').contains('ot')"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User rejected",
"exec_if_expr": "flow.property('userverifiedot').equals('REJECTED') && request.get('type').contains('ot')"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "Pending user confirmation",
"exec_if_expr": "flow.property('userverifiedot').equals('PENDING') && request.get('type').contains('ot')"
}
},
{
"name": "FlowFailValve",
"config": {
"message": "User confirmation in progress",
"exec_if_expr": "flow.property('userverifiedot').equals('IN_PROGRESS') && request.get('type').contains('ot')"
}
},
{
"name": "SessionPropertyAddValve",
"config": {
"name": "phxverify-newstatus",
"value": "ok"
}
},
{
"name": "SessionPersistValve",
"config": {}
}
]
},
{
"id": "phxverify-complete",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "SessionRemoveValve",
"config": {}
}
]
}
Replace the following
“replace-ldap-ref” with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”
"replace-gw_username" with your SMS gateway account username
"replace-gw_password" with your SMS gateway account password (this value is stored as a clear-text string in the pipe configuration, so restrict access to the configuration accordingly)
"replace-smtp" with your SMTP connection id, example “631c93fb-f123-403a-9b4f-45720eeed838”
Step 3 - Translations
Add the following to the english translation file "server installation root folder"\mods\com.phenixidentity~auth-http~2.6\web\res\lang\en\strings.xml
Example path "C:\Program Files\PhenixID\Server\mods\com.phenixidentity~auth-http~2.6\web\res\lang\en\strings.xml"
<!-- PHXVerify -->
<string name="phxverify.messages.information.title">Verify User ID</string>
<string name="phxverify.messages.username">Enter the username to verify</string>
<string name="phxverify.messages.enterotp">Enter OTP</string>
<string name="phxverify.messages.givenname">Givenname : </string>
<string name="phxverify.messages.snname">Surname : </string>
<string name="phxverify.messages.mobile">Mobile : </string>
<string name="phxverify.messages.mail">Mail : </string>
<string name="phxverify.messages.userid">UserID</string>
<string name="phxverify.messages.userverified">User verified !</string>
<string name="phxverify.messages.noot">No One Touch</string>
<string name="phxverify.messages.ot">One Touch</string>
<string name="phxverify.messages.otstatus">Check One Touch status</string>
<string name="phxverify.messages.nosms">No SMS</string>
<string name="phxverify.messages.sms">SMS</string>
<string name="phxverify.messages.nomail">No Mail</string>
<string name="phxverify.messages.mail">Mail</string>
<string name="phxverify.messages.nopp">No Pocket Pass</string>
<string name="phxverify.messages.pp">Pocket Pass</string>
<string name="phxverify.messages.cancel">Cancel</string>
Adjust the translations to fit your requirements
Step 4 - Template
Copy the template "phxverify.template" to the folder "server installation root folder"\mods\com.phenixidentity~auth-http~2.6\templates
Example path "C:\Program Files\PhenixID\Server\mods\com.phenixidentity~auth-http~2.6\templates"
Step 5 - Restart the service
The PhenixID Service has to be restarted to load the added translations
Step 6 - PhenixID Verify Link
Go to the url https://"Your server address"/phxverify/authenticate/phxverify/
Example https://pas.phenixid.se:8443/phxverify/authenticate/phxverify/