Disable OTP for RADIUS authenticators

This document describes how to exclude users from multi-factor authentication (NOT recommended).

Overview

In some scenarios customers want to exclude some users from multi-factor authentication. These users will be able to log in using only user ID and password.

This setup is not recommended but might be required in some scenarios.

This will only affect RADIUS authentications.

Requirements

  • PhenixID Server installed

Instruction

The configuration below is entered by editing the "Execution flow" for the scenario in Configuration manager.

Set the parameters "exec_if_expr" and "skip_if_expr" on the relevant valves according to the examples below. More examples of expressions can be found here.

The RADIUS authenticator will not send an access challenge when the property "disable_otp" = "true".

Example 1

This example will disable OTP if the attribute postOfficeBox is set to NOOTP.

Please note that the postOfficeBox attribute has to exist in the item set for this to work. In most scenarios the attribute will be loaded by the LDAPSearchValve by adding the property to the attributes parameter.

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_otp",
    "value" : "true",
    "exec_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}

Example 2

This example will disable OTP if the mobile attribute starts with +46.

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_otp",
    "value" : "true",
    "exec_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}
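A misconfigured flow is the main risk with this setup: if the OTP valves and the PropertyAddValve do not agree on the condition, or the attribute the condition reads was never loaded, users can end up with no second factor or with a challenge that can never be answered. The following Python lint is an added example, not part of the PhenixID documentation or product; it checks a flow that uses the PropertyAddValve pattern from Examples 1 and 2 against both of those mistakes, and assumes the LDAPSearchValve "attributes" parameter is a comma-separated string (the sample flow is constructed).

```python
import json
import re

# Constructed sample flow modelled on Example 1. The OTPBySMSValve deliberately
# lacks skip_if_expr so the lint has something to report.
FLOW = json.loads("""[
 {"name":"LDAPSearchValve","config":{"attributes":"mobile,postOfficeBox"}},
 {"name":"PropertyAddValve","config":{"name":"disable_otp","value":"true",
   "exec_if_expr":"flow.getPropertyValue('postOfficeBox','')==('NOOTP')"}},
 {"name":"OTPGeneratorValve","config":{"length":"6","name":"generated_otp",
   "skip_if_expr":"flow.getPropertyValue('postOfficeBox','')==('NOOTP')"}},
 {"name":"OTPBySMSValve","config":{"recipient_param_name":"mobile",
   "generated_otp_name":"generated_otp"}}
]""")

# Valves that must be skipped whenever disable_otp is set (from the page's examples).
OTP_VALVES = {"OTPGeneratorValve", "OTPBySMSValve"}


def lint_flow(flow):
    """Return a list of findings for a valve list using the disable_otp pattern."""
    findings = []
    setters = [v for v in flow if v["name"] == "PropertyAddValve"
               and v["config"].get("name") == "disable_otp"]
    if not setters:
        return findings  # pattern not used in this flow; nothing to check
    cond = setters[0]["config"].get("exec_if_expr")
    if cond is None:
        findings.append("disable_otp is set unconditionally: OTP is off for every user")
    # Every attribute the condition reads must have been fetched earlier in the flow
    # (assumption: LDAPSearchValve lists them comma-separated in "attributes").
    loaded = set()
    for v in flow:
        if v["name"] == "LDAPSearchValve":
            loaded |= {a.strip() for a in v["config"].get("attributes", "").split(",")}
    for attr in re.findall(r"getPropertyValue\('([^']+)'", cond or ""):
        if attr not in loaded:
            findings.append(f"attribute {attr} used in condition but not loaded by LDAPSearchValve")
    # Each OTP valve must be skipped under exactly the condition that sets disable_otp.
    for v in flow:
        if v["name"] in OTP_VALVES and v["config"].get("skip_if_expr") != cond:
            findings.append(f"{v['name']} skip_if_expr does not match the disable_otp condition")
    return findings


if __name__ == "__main__":
    for finding in lint_flow(FLOW):
        print("finding:", finding)
```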

Example 3

This example will disable OTP if the user is a member of the specified group.

The memberOf attribute has to be fetched in the LDAPSearchValve to be able to use it later in the flow as described below.

Note that the value of the token parameter in PropertyContainsValve is case sensitive.

{
  "name" : "PropertyContainsValve",
  "config" : {
    "dest" : "disable_otp",
    "source" : "memberOf",
    "token" : "CN=NoOTP,OU=SecurityGroups,DC=company,DC=local"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}, {
  "name" : "PropertyRemoveValve",
  "config" : {
    "name" : "disable_otp",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}