Activate Pocket Pass - Username, Password and OTP
Requirements : LDAP must be configured, note the ID of the connection used in later steps.
Do the following steps in the ADVANCED tab in the Configuration GUI
Step 1 - Authentication - HTTP
Add the following section to “Authentication - HTTP”
<p>{
"id": "activatepocketpassotp",
"alias": "activatepocketpassotp",
"name": "PostUidPasswordAndOTP",
"configuration": {
"userValidationPipeID": "EnrollOathOtpUserLookupAndAuthWithLDAP",
"otpValidationPipeID": "EnrollOathOTPValidateSentOtp",
"successURL": "/activatepocketpass/",
"translationKey": "login.messages.information.body.enrollment.pocketpass",
"headingtranslationKey": "login.messages.information.header.enrollment.pocketpass",
"title": "login.messages.information.title.enrollment.pocketpass",
"loginTemplate": "enrollmentpocketpass_otp1.template",
"otp": "enrollmentpocketpass_otp2.template",
"allowLanguageChange": "true"
}
}</p>
Step 2 - HTTP connections
Add the following section to “HTTP connections”, change “port” and “ssl” settings to your requirements
<p>{
"id": "http_oath",
"port": "8443",
"ssl": "true"
}</p>
Step 3 - Modules
Add the following section to “Modules”
<p>{
"name": "com.phenixidentity~phenix-prism",
"enabled": "true",
"config": {
"base_url": "/activatepocketpass",
"auth_redirect_url": "/activatepocketpass/authenticate/activatepocketpassotp",
"http_configuration_ref": "http_oath",
"module_refs": "enroll_oath_01",
"enable_roles": "true",
"use_css": "false"
},
"id": "enrolloath"
},
{
"id": "enroll_oath_01",
"name": "com.phenixidentity~phenix-prism-enroll-oath",
"enabled": "false",
"prism_enabled": "true",
"config": {
"display_name": "Pocket Pass enrollment",
"base_uri": "oath",
"token_allow_multiple": "true",
"token_pin": "true",
"token_type": "TOTP",
"token_algorithm": "SHA-1",
"token_digits": "6",
"token_issuer": "PhenixID",
"http_configuration_ref": "http_oath",
"requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"
}
}</p>
Change the following to your requirements
"token_allow_multiple":
"token_pin":
"token_digits":
"token_issuer":
Step 4 - NODE_GROUPS
Add the module “enrolloath” to module_refs in “NODE_GROUPS” , see example below.
example
<p>"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrolloath"</p>
Step 5 - Pipes
Add the following section to “Pipes”
<p>{
"id": "EnrollOathOtpUserLookupAndAuthWithLDAP",
"valves": [
{
"name": "LDAPSearchValve",
"config": {
"connection_ref": "Replace-ldap-ref",
"base_dn": "Replace-base_dn",
"scope": "SUB",
"size_limit": "0",
"filter_template": "(&(objectclass=user)(sAMaccountName={{request.username}}))",
"attributes": "cn,mail,mobile"
}
},
{
"name": "LDAPBindValve",
"config": {
"connection_ref": "replace-ldap-ref",
"password_param_name": "password"
}
},
{
"name": "OTPGeneratorValve",
"config": {
"length": "6",
"name": "generated_otp"
}
},
{
"name": "OTPBySMSValve",
"config": {
"userid_param_name": "username",
"gw_username": "replace-gw_username",
"gw_password": "replace-gw_password"
}
}
]
},
{
"id": "EnrollOathOTPValidateSentOtp",
"valves": [
{
"name": "SessionLoadValve",
"config": {
"id": "{{request.session_id}}"
}
},
{
"name": "OTPValidationValve",
"config": {
"provided_otp_param_name": "{{request.otp}}",
"generated_otp_param_name": "generated_otp"
}
},
{
"name": "ItemCreateValve",
"config": {
"dest_id": "{{request.username}}"
}
},
{
"name": "PropertyAddValve",
"config": {
"name": "roles",
"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
"enable_multi_value": "true"
}
}
]
}</p>
Replace the following Pipe settings:
“replace-ldap-ref” with your LDAP connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”
“replace-gw_username” with your SMS-gateway username
“replace-gw_password” with your SMS-gateway password
Verify that “filter_template” and “attributes” match your environment.