PhenixID DocumentationPhenixID Authentication ServicesVersion 2.7 Authenticators - HTTPPhenixID web apps authentication – Username, password and OTP

PhenixID web apps authentication – Username, password and OTP

This authenticator is used for username-password-otp authentication.

Modules required

  • auth-http
  • pipes

Configuration Properties

Name Description Default value Mandatory
successURL The URL to redirect the browser to after successful authentication.   Yes
includeQueryString Enable to append query string (passed to authenticator) to successURL. false No
loginTemplate Template to use for user interface (username and password prompt). login.template No
otp Template to use for user interface (one-time-password). otp.template No
userNameParamName Name of the username request parameter username No
passworParamterName Name of the password request parameter. password No
allowLanguageChange Enable / disable language change. Set ??? to allow language change.   No
translationKey Set key to use for fetching login page body text. login.messages.information.body No
headingtranslationKey Set key to use for fetching login page header text. login.messages.information.header No
userValidationPipeID Id of pipe used to validate username and password, and, in the case of otp by sms or email, generate and distribute the otp   Yes
otpValidationPipeID Id of pipe used to validate one-time-password   Yes
errorURL The URL to redirect the browser to after unsuccessful authentication.   No

Example configuration

LDAP user store is used in this example.

HTTP Authenticators

{
  "id" : "unpwotp",
  "alias" : "unpwotp",
  "name" : "PostUidPasswordAndOTP",
    "configuration" : {
    "userValidationPipeID" : "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID" : "ValidateSentOtp",
    "successURL" : "/otpadmin/"
  }
}

Pipes

{
  "id" : "UserLookupAndAuthWithLDAP",
    "valves" : [ {
      "name" : "LDAPSearchValve",
      "config" : {
        "connection_ref" : "local_ldap",
        "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
        "scope" : "SUB",
        "size_limit" : "0",
        "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
        "attributes" : "commonName,uid,mail,mobile"
        }
      }, {
        "name" : "LDAPBindValve",
        "config" : {
          "connection_ref" : "local_ldap",
          "password_param_name" : "password"
        }
      } ,{
        "name" : "OTPGeneratorValve",
        "config" : {
          "length" : "6",
          "name" : "generated_otp"
        }
      }, {
        "name" : "OTPBySMSValve",
        "config" : {
          "userid_param_name" : "username",
          "gw_username" : "testkonto",
          "gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
        }
      } ]
  } ,{
    "id" : "ValidateSentOtp",
    "valves" : [ {
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.session_id}}"
        }
      }, {
      "name" : "OTPValidationValve",
      "config" : {
        "provided_otp_param_name" : "{{request.otp}}",
        "generated_otp_param_name" : "generated_otp"
      }
    },  {
      "name": "ItemCreateValve",
      "config": {
         "dest_id": "{{request.username}}"
       }
     },
   {
      "name": "PropertyAddValve",
      "config": {
        "name": "roles",
        "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
        "enable_multi_value": "true"
      }
    }
]
}

Read this article to get the correct value for the roles property.

NOTE: To limit login to specific group membership, please use the following example for LDAP search:

"filter_template" : "(&(objectclass=*)(uid={{request.username}})(memberOf=CN=Group1,OU=Training,DC=company,DC=local))"

Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

Enable authenticator for the web app

When the steps above has been completed, we can enable the new authenticator for the web app.

In Configuration Manager, go to the tab Advanced and then press the pencil next to Modules.
Find the module that reference the "auth_redirect_url" for the web app.
The last part of the value should be changed to the alias of the HTTP Authenticator, "unpwotp" in the example above.

So it should now look similar to this:

{
        "name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"config": {
	   "base_url": "/selfservice",
	   "auth_redirect_url": "/selfservice/authenticate/unpwotp",
      "http_configuration_ref": "da5095a3-95ce-485b-b6ae-41be99bed01b",
	     "module_refs": "baad7c09-83b5-45b2-97d5-dfeb1351a1ef",
	     "enable_roles": "true"
		},
		"id": "e64a779c-5140-4eec-84ee-958dae935f0c"
	} 

NOTE: In the example above the parameter  http_configuration_ref has been added because the default port and  protocol is not used for Myapps. So when using a different port and if  the setting for SSL has been changed from default, please use this  parameter and set the value to the HTTP configuration that should be  used.

When done press Stage changes and then Commit changes.
Web app should now use the newly configured authenticator.