PhenixID web apps authentication – Username, password and OTP
This authenticator performs username-password-OTP authentication in two steps: one pipe validates the username and password (against LDAP in the example below) and generates an OTP that is sent to the user by SMS; a second pipe validates the OTP the user then enters.
Modules required
- auth-http
- pipes
Configuration Properties
Example configuration
An LDAP user store is used in this example.
HTTP Authenticators
{
  "id" : "unpwotp",
  "alias" : "unpwotp",
  "name" : "PostUidPasswordAndOTP",
  "configuration" : {
    "userValidationPipeID" : "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID" : "ValidateSentOtp",
    "successURL" : "/otpadmin/"
  }
}
Pipes
{
  "id" : "UserLookupAndAuthWithLDAP",
  "valves" : [ {
    "name" : "LDAPSearchValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
      "scope" : "SUB",
      "size_limit" : "0",
      "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
      "attributes" : "commonName,uid,mail,mobile"
    }
  }, {
    "name" : "LDAPBindValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "password_param_name" : "password"
    }
  }, {
    "name" : "OTPGeneratorValve",
    "config" : {
      "length" : "6",
      "name" : "generated_otp"
    }
  }, {
    "name" : "OTPBySMSValve",
    "config" : {
      "userid_param_name" : "username",
      "gw_username" : "testkonto",
      "gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
    }
  } ]
}, {
  "id" : "ValidateSentOtp",
  "valves" : [ {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "OTPValidationValve",
    "config" : {
      "provided_otp_param_name" : "{{request.otp}}",
      "generated_otp_param_name" : "generated_otp"
    }
  }, {
    "name" : "ItemCreateValve",
    "config" : {
      "dest_id" : "{{request.username}}"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "roles",
      "value" : "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
      "enable_multi_value" : "true"
    }
  } ]
}
Read this article to get the correct value for the roles property.
NOTE: To limit login to members of a specific group, add a memberOf clause to the LDAP search filter, for example:
"filter_template" : "(&(objectclass=*)(uid={{request.username}})(memberOf=CN=Group1,OU=Training,DC=company,DC=local))"
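The filter_template above is rendered by substituting {{request.username}} with the value the user typed. The page does not describe how that value is escaped, which is worth checking in your own deployment, because an unescaped "*" turns the uid clause into a presence filter that matches every user. The script below is an added example, not PhenixID code: it renders both filter templates with RFC 4515 escaping and runs them against a few constructed directory entries through a small in-memory filter evaluator, so you can see what the escaped filter looks like and that the memberOf clause excludes users outside Group1. The entries, the evaluator and the function names are assumptions made for the example.

```python
"""Render the LDAPSearchValve filter_template and try it against constructed
directory entries.  Added example, not PhenixID code: PhenixID substitutes
{{request.username}} into filter_template; the RFC 4515 escaping here is what
to verify against your own directory.  Entries and evaluator are mine."""
import re
from typing import Dict, List, Tuple

FILTER = "(&(objectclass=*)(uid={{request.username}}))"
GROUP_FILTER = ("(&(objectclass=*)(uid={{request.username}})"
                "(memberOf=CN=Group1,OU=Training,DC=company,DC=local))")

# Constructed entries: attribute names lower-cased, values as lists.
ENTRIES = [
    {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
     "memberof": ["CN=Group1,OU=Training,DC=company,DC=local"]},
    {"objectclass": ["inetOrgPerson"], "uid": ["bob"],
     "memberof": ["CN=Other,OU=Training,DC=company,DC=local"]},
    {"objectclass": ["inetOrgPerson"], "uid": ["carol"]},
]

_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 requires."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute {{request.username}} with the escaped username."""
    return template.replace("{{request.username}}", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1


def _matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence filter: any value at all
        return bool(values)
    # An unescaped '*' is a wildcard; everything else is matched literally,
    # case-insensitively as a typical directory does for uid and DN values.
    pattern = "^" + ".*".join(re.escape(_unescape(p)) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def search(entries: List[Dict[str, List[str]]], rendered: str) -> List[str]:
    """Return the uids of the entries the rendered filter selects."""
    node, end = _parse(rendered, 0)
    if end != len(rendered):
        raise ValueError("trailing data after filter")
    return [e["uid"][0] for e in entries if _matches(node, e)]


if __name__ == "__main__":
    print(render_filter(FILTER, "alice"))
    print(search(ENTRIES, render_filter(FILTER, "*")))                 # escaped: no match
    print(search(ENTRIES, FILTER.replace("{{request.username}}", "*")))  # unescaped: everyone
    print(search(ENTRIES, render_filter(GROUP_FILTER, "bob")))          # not in Group1
```

Run it as is; the last three lines of output show the difference between an escaped and an unescaped wildcard, and that the group-restricted template only selects alice. Against a real directory the same comparison can be made with an ldapsearch using the rendered filter strings.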
Database Connection
{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}
Enable authenticator for the web app
When the steps above have been completed, enable the new authenticator for the web app.
In Configuration Manager, go to the Advanced tab and press the pencil next to Modules.
Find the module that references the "auth_redirect_url" of the web app.
Change the last part of that value to the alias of the HTTP Authenticator, "unpwotp" in the example above.
The module should now look similar to this:
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/selfservice",
    "auth_redirect_url": "/selfservice/authenticate/unpwotp",
    "http_configuration_ref": "da5095a3-95ce-485b-b6ae-41be99bed01b",
    "module_refs": "baad7c09-83b5-45b2-97d5-dfeb1351a1ef",
    "enable_roles": "true"
  },
  "id": "e64a779c-5140-4eec-84ee-958dae935f0c"
}
NOTE: In the example above the parameter http_configuration_ref has been added because Myapps does not use the default port and protocol. If the web app is served on a different port, or the SSL setting has been changed from the default, add this parameter and set it to the id of the HTTP configuration that should be used.
When done, press Stage changes and then Commit changes.
The web app should now use the newly configured authenticator.
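The four fragments above (HTTP authenticator, pipes, connection and web app module) only work together when their identifiers line up: the authenticator's pipe ids must exist, every connection_ref must name a configured connection, the OTP attribute written by OTPGeneratorValve must be the one OTPValidationValve reads, and auth_redirect_url must end with the authenticator alias. A mistake in any of them only shows up as a failed login after the commit. The script below is an added example, not a PhenixID tool: it mirrors the page's JSON as Python dictionaries (trimmed to the keys the checks use, with the ciphertexts replaced by the placeholder "{enc}<ciphertext>") and cross-checks them, also flagging a secret that lacks the {enc} prefix and an LDAP bind to a remote host without TLS. Which checks to run is my choice for the example; the check names are not part of the product.

```python
"""Cross-check the PhenixID unpwotp example configuration.
Added example, not a PhenixID tool: dictionaries mirror the page's JSON
(trimmed, ciphertexts replaced by a placeholder); the checks are mine."""
import copy
from typing import List

AUTHENTICATORS = [{
    "id": "unpwotp", "alias": "unpwotp", "name": "PostUidPasswordAndOTP",
    "configuration": {"userValidationPipeID": "UserLookupAndAuthWithLDAP",
                      "otpValidationPipeID": "ValidateSentOtp",
                      "successURL": "/otpadmin/"}}]

PIPES = [
    {"id": "UserLookupAndAuthWithLDAP", "valves": [
        {"name": "LDAPSearchValve", "config": {
            "connection_ref": "local_ldap",
            "filter_template": "(&(objectclass=*)(uid={{request.username}}))"}},
        {"name": "LDAPBindValve", "config": {
            "connection_ref": "local_ldap", "password_param_name": "password"}},
        {"name": "OTPGeneratorValve", "config": {"length": "6", "name": "generated_otp"}},
        {"name": "OTPBySMSValve", "config": {
            "userid_param_name": "username", "gw_username": "testkonto",
            "gw_password": "{enc}<ciphertext>"}}]},
    {"id": "ValidateSentOtp", "valves": [
        {"name": "SessionLoadValve", "config": {"id": "{{request.session_id}}"}},
        {"name": "OTPValidationValve", "config": {
            "provided_otp_param_name": "{{request.otp}}",
            "generated_otp_param_name": "generated_otp"}},
        {"name": "ItemCreateValve", "config": {"dest_id": "{{request.username}}"}},
        {"name": "PropertyAddValve", "config": {
            "name": "roles", "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
            "enable_multi_value": "true"}}]},
]

CONNECTIONS = [{"id": "local_ldap", "type": "ldap", "config": {
    "host": "localhost", "port": "389", "bind_dn": "cn=Directory Manager",
    "password": "{enc}<ciphertext>", "use_ssl": "false"}}]

MODULES = [{"name": "com.phenixidentity~phenix-prism", "enabled": "true", "config": {
    "base_url": "/selfservice",
    "auth_redirect_url": "/selfservice/authenticate/unpwotp",
    "enable_roles": "true"}}]

SECRET_KEYS = ("password", "gw_password")   # keys that must carry the {enc} prefix


def check_config(authenticators, pipes, connections, modules) -> List[str]:
    """Return a list of findings; an empty list means the fragments fit together."""
    findings = []
    pipe_ids = {p["id"] for p in pipes}
    conn_ids = {c["id"] for c in connections}
    aliases = {a["alias"] for a in authenticators}

    for auth in authenticators:                       # authenticator -> pipes
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            ref = auth["configuration"].get(key)
            if ref not in pipe_ids:
                findings.append(f"{auth['id']}: {key}={ref!r} is not a configured pipe")

    generated, validated = set(), set()
    for pipe in pipes:                                # valves -> connection, secrets, OTP name
        for valve in pipe["valves"]:
            cfg, where = valve["config"], f"{pipe['id']}/{valve['name']}"
            if "connection_ref" in cfg and cfg["connection_ref"] not in conn_ids:
                findings.append(f"{where}: connection_ref {cfg['connection_ref']!r} is not configured")
            for key in SECRET_KEYS:
                if key in cfg and not cfg[key].startswith("{enc}"):
                    findings.append(f"{where}: {key} is stored in clear text")
            if valve["name"] == "OTPGeneratorValve":
                generated.add(cfg.get("name"))
            elif valve["name"] == "OTPValidationValve":
                validated.add(cfg.get("generated_otp_param_name"))
    if generated != validated:
        findings.append(f"OTP generator writes {generated} but validator reads {validated}")

    for conn in connections:                          # bind credentials
        cfg = conn["config"]
        if not cfg.get("password", "").startswith("{enc}"):
            findings.append(f"{conn['id']}: bind password is stored in clear text")
        if cfg.get("use_ssl") == "false" and cfg.get("host") not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{conn['id']}: bind credentials go to {cfg['host']} without TLS")

    for mod in modules:                               # web app -> authenticator alias
        url = mod["config"].get("auth_redirect_url", "")
        if url.rsplit("/", 1)[-1] not in aliases:
            findings.append(f"{mod['name']}: auth_redirect_url {url!r} does not end with an authenticator alias")
    return findings


def broken_variant() -> List[str]:
    """Same configuration with two deliberate mistakes, to show the checks fire."""
    pipes, modules = copy.deepcopy(PIPES), copy.deepcopy(MODULES)
    pipes[0]["valves"][3]["config"]["gw_password"] = "s3cret"                      # forgot {enc}
    modules[0]["config"]["auth_redirect_url"] = "/selfservice/authenticate/unpw"   # alias typo
    return check_config(AUTHENTICATORS, pipes, CONNECTIONS, modules)


if __name__ == "__main__":
    for line in check_config(AUTHENTICATORS, PIPES, CONNECTIONS, MODULES) or ["page config: OK"]:
        print(line)
    for line in broken_variant():
        print("broken variant:", line)
```

To use it on a real system, replace the dictionaries with the JSON exported from Configuration Manager (json.load on each section) and run the checks before pressing Commit changes; the TLS check is deliberately silent for the localhost connection the page uses and fires only when use_ssl is "false" for a remote directory.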