Activate Pocket Pass - Username, Password and OTP
Requirements: an LDAP connection must already be configured. Note the ID of that connection; it is needed in Step 5 (Pipes).
Do the following steps in the ADVANCED tab of the Configuration GUI.
Step 1 - Authentication - HTTP
Add the following section to “Authentication - HTTP”:
{
  "id": "activatepocketpassotp",
  "alias": "activatepocketpassotp",
  "name": "PostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "EnrollOathOtpUserLookupAndAuthWithLDAP",
    "otpValidationPipeID": "EnrollOathOTPValidateSentOtp",
    "successURL": "/activatepocketpass/",
    "translationKey": "login.messages.information.body.enrollment.pocketpass",
    "headingtranslationKey": "login.messages.information.header.enrollment.pocketpass",
    "title": "login.messages.information.title.enrollment.pocketpass",
    "loginTemplate": "enrollmentpocketpass_otp1.template",
    "otp": "enrollmentpocketpass_otp2.template",
    "allowLanguageChange": "true"
  }
}
Step 2 - HTTP connections
Add the following section to “HTTP connections”. Adjust “port” and “ssl” to your requirements; this listener receives the user's password and OTP, so keep “ssl” set to “true” unless TLS is terminated by a trusted proxy in front of the server.
{
  "id": "http_oath",
  "port": "8443",
  "ssl": "true"
}
Step 3 - Modules
Add the following section to “Modules”:
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/activatepocketpass",
    "auth_redirect_url": "/activatepocketpass/authenticate/activatepocketpassotp",
    "http_configuration_ref": "http_oath",
    "module_refs": "enroll_oath_01",
    "enable_roles": "true",
    "use_css": "false"
  },
  "id": "enrolloath"
},
{
  "id": "enroll_oath_01",
  "name": "com.phenixidentity~phenix-prism-enroll-oath",
  "enabled": "false",
  "prism_enabled": "true",
  "config": {
    "display_name": "Pocket Pass enrollment",
    "base_uri": "oath",
    "token_allow_multiple": "true",
    "token_pin": "true",
    "token_type": "TOTP",
    "token_algorithm": "SHA-1",
    "token_digits": "6",
    "token_issuer": "PhenixID",
    "http_configuration_ref": "http_oath",
    "requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"
  }
}
Adjust the following settings to your requirements:
"token_allow_multiple": whether a user may enroll more than one token
"token_pin": whether a PIN is required for the token
"token_digits": number of digits in the generated OTP
"token_issuer": issuer name shown in the authenticator app
Step 4 - NODE_GROUPS
Add the module “enrolloath” to “module_refs” in “NODE_GROUPS”, see the example below.
Example:
"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrolloath"
Step 5 - Pipes
Add the following section to “Pipes”:
{
  "id": "EnrollOathOtpUserLookupAndAuthWithLDAP",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "base_dn": "replace-base_dn",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "(&(objectclass=user)(sAMaccountName={{request.username}}))",
        "attributes": "cn,mail,mobile"
      }
    },
    {
      "name": "LDAPBindValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "password_param_name": "password"
      }
    },
    {
      "name": "OTPGeneratorValve",
      "config": {
        "length": "6",
        "name": "generated_otp"
      }
    },
    {
      "name": "OTPBySMSValve",
      "config": {
        "userid_param_name": "username",
        "gw_username": "replace-gw_username",
        "gw_password": "replace-gw_password"
      }
    }
  ]
},
{
  "id": "EnrollOathOTPValidateSentOtp",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "OTPValidationValve",
      "config": {
        "provided_otp_param_name": "{{request.otp}}",
        "generated_otp_param_name": "generated_otp"
      }
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "{{request.username}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "roles",
        "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
        "enable_multi_value": "true"
      }
    }
  ]
}
Replace the following Pipe settings (both occurrences of “replace-ldap-ref”):
“replace-ldap-ref” with your LDAP connection ID, for example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, for example “DC=phenixid,DC=local”
“replace-gw_username” with your SMS-gateway username
“replace-gw_password” with your SMS-gateway password
Verify that “filter_template” and “attributes” match your environment (the “mobile” attribute must hold the number the OTP is sent to). The filter substitutes the user-supplied username directly; confirm that your version escapes LDAP filter metacharacters in that value. The SMS-gateway credentials are stored in clear text in the configuration, so restrict read access to the configuration file and GUI accordingly.
The role value in “PropertyAddValve” must be identical to “requires_role” in the enrollment module from Step 3; the OTP pipe grants that role, and the module only admits sessions that carry it.
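The five steps cross-reference each other by ID: the authenticator names two pipes, the prism module names an HTTP connection and a child module, NODE_GROUPS must list the prism module, the LDAP valves must name a real connection, and the role granted in the OTP pipe must equal the role the enrollment module requires. A typo in any of these only shows up at runtime. The following script, an added example that is not PhenixID code, loads trimmed copies of the fragments above with the placeholders still in place and reports every unresolved placeholder and dangling reference; `LDAP_CONNECTION_IDS` is a constructed stand-in for the connection IDs actually present on your node, and `fill_placeholders` is a helper written here for the example.

```python
"""Consistency check for the Pocket Pass activation fragments.

Added example, not PhenixID code. The fragments are trimmed copies of the
page's JSON (only the keys the checks need); LDAP_CONNECTION_IDS is constructed.
"""
import re

AUTH_HTTP = [{"id": "activatepocketpassotp", "name": "PostUidPasswordAndOTP",
              "configuration": {"userValidationPipeID": "EnrollOathOtpUserLookupAndAuthWithLDAP",
                                "otpValidationPipeID": "EnrollOathOTPValidateSentOtp"}}]
HTTP_CONNECTIONS = [{"id": "http_oath", "port": "8443", "ssl": "true"}]
MODULES = [
    {"id": "enrolloath", "name": "com.phenixidentity~phenix-prism",
     "config": {"http_configuration_ref": "http_oath", "module_refs": "enroll_oath_01"}},
    {"id": "enroll_oath_01", "name": "com.phenixidentity~phenix-prism-enroll-oath",
     "config": {"http_configuration_ref": "http_oath",
                "requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}},
]
NODE_GROUP_MODULE_REFS = "d55205cc-e067-4490-9e2b-dbc98459e501,enrolloath"
PIPES = [
    {"id": "EnrollOathOtpUserLookupAndAuthWithLDAP", "valves": [
        {"name": "LDAPSearchValve", "config": {"connection_ref": "replace-ldap-ref", "base_dn": "replace-base_dn"}},
        {"name": "LDAPBindValve", "config": {"connection_ref": "replace-ldap-ref"}},
        {"name": "OTPBySMSValve", "config": {"gw_username": "replace-gw_username", "gw_password": "replace-gw_password"}},
    ]},
    {"id": "EnrollOathOTPValidateSentOtp", "valves": [
        {"name": "PropertyAddValve", "config": {"name": "roles", "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}},
    ]},
]
# Constructed: IDs of the LDAP connections configured on this node (see Step 5's example ID).
LDAP_CONNECTION_IDS = {"731c93fb-f123-403a-9b4f-45720eeed474"}

PLACEHOLDER = re.compile(r"^replace-", re.IGNORECASE)


def walk_strings(obj, path=""):
    """Yield (json_path, value) for every string inside nested dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def fill_placeholders(obj, values):
    """Return a copy of obj with placeholder strings substituted (case-insensitive match)."""
    lowered = {k.lower(): v for k, v in values.items()}
    if isinstance(obj, dict):
        return {k: fill_placeholders(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [fill_placeholders(v, values) for v in obj]
    if isinstance(obj, str) and obj.lower() in lowered:
        return lowered[obj.lower()]
    return obj


def check_config(auth_http, http_connections, modules, node_group_refs, pipes, ldap_ids):
    """Return a list of problems; an empty list means the fragments are consistent."""
    problems = []
    for section_name, section in (("Pipes", pipes), ("Modules", modules), ("Authentication - HTTP", auth_http)):
        problems += [f"{section_name}{p}: placeholder '{v}' not replaced"
                     for p, v in walk_strings(section) if PLACEHOLDER.match(v)]
    http_ids = {c["id"] for c in http_connections}
    pipe_ids = {p["id"] for p in pipes}
    module_ids = {m["id"] for m in modules}
    for a in auth_http:
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            if a["configuration"][key] not in pipe_ids:
                problems.append(f"authenticator {a['id']}: {key} -> unknown pipe")
    for m in modules:
        cfg = m["config"]
        if cfg.get("http_configuration_ref") not in http_ids:
            problems.append(f"module {m['id']}: http_configuration_ref -> unknown HTTP connection")
        for ref in filter(None, cfg.get("module_refs", "").split(",")):
            if ref not in module_ids:
                problems.append(f"module {m['id']}: module_refs -> unknown module {ref}")
        if m["name"] == "com.phenixidentity~phenix-prism" and m["id"] not in node_group_refs.split(","):
            problems.append(f"module {m['id']} is not listed in NODE_GROUPS module_refs")
    # The role the enrollment module requires must be the one the OTP pipe grants;
    # with enable_roles true the module only admits sessions that carry it.
    required = {m["config"]["requires_role"] for m in modules if "requires_role" in m["config"]}
    granted = {v["config"]["value"] for p in pipes for v in p["valves"]
               if v["name"] == "PropertyAddValve" and v["config"].get("name") == "roles"}
    for role in sorted(required - granted):
        problems.append(f"required role {role} is never granted by a PropertyAddValve")
    for p in pipes:
        for v in p["valves"]:
            if v["name"] in ("LDAPSearchValve", "LDAPBindValve") and v["config"]["connection_ref"] not in ldap_ids:
                problems.append(f"pipe {p['id']}: {v['name']} connection_ref is not a configured LDAP connection")
    return problems


if __name__ == "__main__":
    for line in check_config(AUTH_HTTP, HTTP_CONNECTIONS, MODULES, NODE_GROUP_MODULE_REFS, PIPES, LDAP_CONNECTION_IDS):
        print(line)
```

Run as-is it lists the five unreplaced placeholders and the two LDAP valves pointing at a non-existent connection; after `fill_placeholders(PIPES, {...})` with your real values it should print nothing. Drop the “enrolloath” entry from `NODE_GROUP_MODULE_REFS` to see the Step 4 check fire.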