Change authentication to mail and OTP with SQL UserStore
Requirements: SQL and SMTP connections must be configured in PAS; note the IDs of the connections, as they are used in later steps.
This example requires good knowledge of PAS configuration.
Do the following steps in the ADVANCED tab of the Configuration GUI.
Step 1 - Authentication - HTTP
This example is made from an activateOneTouch authenticator, but the method works with any OTP-based authenticator.
The key settings are userValidationPipeID and otpValidationPipeID, which must match the ids of the user validation pipe and the OTP validation pipe defined in Step 2.
{
  "id": "activateonetouchotp",
  "alias": "activateonetouchotp",
  "name": "PostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "EnrollPkiOtpUserLookupWithSQL",
    "otpValidationPipeID": "EnrollPkiOTPValidateSentOtp",
    "successURL": "/activateonetouch/",
    "translationKey": "login.messages.information.body.enrollment.onetouch",
    "headingtranslationKey": "login.messages.information.header.enrollment.onetouch",
    "title": "login.messages.information.title.enrollment.onetouch",
    "loginTemplate": "enrollmentonetouch_otp1.template",
    "otp": "enrollmentonetouch_otp2.template",
    "allowLanguageChange": "true",
    "translation": [
      "login.messages.enrollment.onetouch.title.header1",
      "login.messages.enrollment.onetouch.title.header2",
      "login.messages.enrollment.onetouch.info.learnMore",
      "login.messages.enrollment.onetouch.btn.proceed",
      "login.messages.enrollment.onetouch.input.username",
      "login.messages.enrollment.onetouch.input.password",
      "login.messages.enrollment.onetouch.input.securityCode",
      "login.messages.enrollment.onetouch.title.header3",
      "login.messages.enrollment.onetouch.info.enterOTP",
      "login.messages.enrollment.onetouch.input.enterOTP"
    ]
  }
}
Step 2 - Pipes
The first pipe queries SQL to verify that the mail address exists; if it does not, the authentication fails. It then generates an OTP and sends it to that address by SMTP.
The second pipe is a standard OTP verification pipe.
{
  "id": "EnrollPkiOtpUserLookupWithSQL",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "InputParameterExistValidatorValve",
      "config": {
        "param_name": "username"
      }
    },
    {
      "name": "StatementExecutorValve",
      "config": {
        "proceed_on_error": "false",
        "connection_ref": "<replace-SQL-ref>",
        "statement": "select mail,sn,givenName from <database> where mail ='{{request.username}}'"
      }
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "User does not exist",
        "exec_if_expr": "flow.items().isEmpty()"
      }
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "User does not exist",
        "skip_if_expr": "flow.isSingle()"
      }
    },
    {
      "name": "FlowFailValve",
      "config": {
        "message": "No email",
        "skip_if_expr": "flow.items().get(0).containsProperty('mail')"
      }
    },
    {
      "name": "SessionBindToUidValve",
      "config": {
        "userid": "{{request.username}}"
      }
    },
    {
      "name": "OTPGeneratorValve",
      "config": {
        "length": "6",
        "name": "generated_otp"
      }
    },
    {
      "name": "OTPBySMTPValve",
      "config": {
        "smtp_settings": "<replace-SMTP-ref>",
        "start_tls_enabled": "false",
        "userid_param_name": "{{request.username}}",
        "mail_param_name": "{{item.mail}}",
        "generated_otp_name": "generated_otp",
        "mail_template": "resources/otp_mail_template.mustache",
        "socket_connection_timeout": "15",
        "removal_prefixes": "smtp:,SMTP:,sip:"
      }
    }
  ]
},
{
  "id": "EnrollPkiOTPValidateSentOtp",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "OTPValidationValve",
      "config": {
        "provided_otp_param_name": "{{request.otp}}",
        "generated_otp_param_name": "generated_otp"
      }
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "{{request.username}}"
      }
    }
  ]
}
Replace the following pipe settings:
"replace-SQL-ref" with your SQL connection id, for example "731c93fb-f123-403a-9b4f-45720eeed474"
"replace-SMTP-ref" with your SMTP connection id, for example "90ac16f3-35a9-49a7-91ed-de11c61b8cb3"
Verify that the SQL "statement" (table name and column names) matches your environment.
Note that the username entered on the login page is substituted into the statement text as-is, and the InputParameterExistValidatorValve only checks that the parameter is present. Give the database account behind the SQL connection read access to this table only, and validate the value against a mail address pattern before the statement if your PAS version offers a suitable valve.
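As an added consistency check (this is example code, not part of PAS or of this article), the script below reads the Step 1 authenticator and the Step 2 pipes and reports pipe ids that are referenced but not defined, connection references still holding the <replace-...> placeholders, request parameters spliced into the SQL statement without a preceding existence validator, and OTP attribute names that differ between the generator, mailer and validator valves. The embedded sample is a constructed, trimmed copy of the article's configuration with the SQL placeholder not yet replaced; the table name users is assumed.

```python
import re

# Connection ids in PAS are UUIDs; the "<replace-...>" placeholders from the article are not.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQ_RE = re.compile(r"\{\{request\.(\w+)\}\}")  # {{request.<param>}} substitutions

def check_config(authenticators, pipes):
    """Return a list of problems found in an authenticator list plus a pipe list."""
    problems, pipe_ids, otp_names = [], {p["id"] for p in pipes}, set()
    for auth in authenticators:  # every referenced pipe id must be defined
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            ref = auth["configuration"].get(key)
            if ref not in pipe_ids:
                problems.append(f"{auth['id']}: {key} '{ref}' is not a defined pipe")
    for pipe in pipes:
        validated = set()  # request parameters already checked earlier in this pipe
        for valve in pipe["valves"]:
            name, conf = valve["name"], valve.get("config", {})
            for key in ("connection_ref", "smtp_settings"):  # placeholder still present?
                if key in conf and not UUID_RE.match(conf[key]):
                    problems.append(f"{pipe['id']}/{name}: {key} '{conf[key]}' is not a connection id")
            if name == "InputParameterExistValidatorValve":
                validated.add(conf["param_name"])
            if name == "StatementExecutorValve":  # request input is spliced into SQL text
                for param in REQ_RE.findall(conf.get("statement", "")):
                    if param not in validated:
                        problems.append(f"{pipe['id']}: statement uses request.{param} without a validator before it")
            if name.startswith("OTP"):  # generator, mailer and validator must share one attribute name
                otp_names.update(conf[k] for k in ("name", "generated_otp_name", "generated_otp_param_name") if k in conf)
    if len(otp_names) > 1:
        problems.append(f"OTP attribute names differ across valves: {sorted(otp_names)}")
    return problems

# Constructed sample: the article's Step 1 and Step 2, trimmed, with the SQL placeholder not yet replaced.
AUTHENTICATORS = [{"id": "activateonetouchotp", "configuration": {
    "userValidationPipeID": "EnrollPkiOtpUserLookupAndAuthWithLDAP",
    "otpValidationPipeID": "EnrollPkiOTPValidateSentOtp"}}]
PIPES = [
    {"id": "EnrollPkiOtpUserLookupWithSQL", "valves": [
        {"name": "InputParameterExistValidatorValve", "config": {"param_name": "username"}},
        {"name": "StatementExecutorValve", "config": {"connection_ref": "<replace-SQL-ref>",
            "statement": "select mail,sn,givenName from users where mail ='{{request.username}}'"}},
        {"name": "OTPGeneratorValve", "config": {"length": "6", "name": "generated_otp"}},
        {"name": "OTPBySMTPValve", "config": {"smtp_settings": "90ac16f3-35a9-49a7-91ed-de11c61b8cb3",
            "generated_otp_name": "generated_otp"}}]},
    {"id": "EnrollPkiOTPValidateSentOtp", "valves": [
        {"name": "OTPValidationValve", "config": {"provided_otp_param_name": "{{request.otp}}",
            "generated_otp_param_name": "generated_otp"}}]}]

print("\n".join(check_config(AUTHENTICATORS, PIPES)))  # two problems for the sample above
```

Run it against an export of your own authenticator and pipe JSON once the placeholders have been replaced; an empty result means the ids and names line up.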
Step 3 - Change the enrollmentonetouch_otp1.template
...\Server\mods\com.phenixidentity~auth-http~2.7.0\templates
Remove or comment out the password part of the login page.
This authentication does not check any password, so the field is not needed.
The markup may look different in another OTP template.
<!-- <fieldset>
  <input id="password" autocomplete="off" required="" name="password" type="password">
  <label for="password">{{login.messages.enrollment.onetouch.input.password}}</label>
</fieldset> -->
Step 4 - Replace username in strings.xml
...\Server\mods\com.phenixidentity~auth-http~2.8.0\web\res\lang\en
Change the string below so that this particular login page shows "mail" instead of "Username".
Make the change in all applicable languages.
The service has to be restarted after a change in strings.xml.
<string name="login.messages.enrollment.onetouch.input.username">mail</string>
Remember for future upgrades
Changes in templates and language strings are not preserved and must be re-applied after an upgrade.