PhenixID web apps authentication – Username, password and OTP

This authenticator is used for username-password-otp authentication.

Modules required

  • auth-http
  • pipes

Configuration Properties

| Name | Description | Default value | Mandatory |
| --- | --- | --- | --- |
| successURL | The URL to redirect the browser to after successful authentication. | | Yes |
| includeQueryString | Enable to append the query string (passed to the authenticator) to successURL. | false | No |
| loginTemplate | Template to use for the user interface (username and password prompt). | login.template | No |
| otp | Template to use for the user interface (one-time password prompt). | otp.template | No |
| userNameParamName | Name of the username request parameter. | username | No |
| passworParamterName | Name of the password request parameter. | password | No |
| allowLanguageChange | Enable / disable language change. Set ??? to allow language change. | | No |
| translationKey | Key to use for fetching the login page body text. | login.messages.information.body | No |
| headingtranslationKey | Key to use for fetching the login page header text. | login.messages.information.header | No |
| userValidationPipeID | Id of the pipe used to validate username and password and, in the case of OTP by SMS or email, to generate and distribute the OTP. | | Yes |
| otpValidationPipeID | Id of the pipe used to validate the one-time password. | | Yes |
| errorURL | The URL to redirect the browser to after unsuccessful authentication. | | No |

Example configuration

An LDAP user store is used in this example.

HTTP Authenticators

{
  "id" : "unpwotp",
  "alias" : "unpwotp",
  "name" : "PostUidPasswordAndOTP",
  "configuration" : {
    "userValidationPipeID" : "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID" : "ValidateSentOtp",
    "successURL" : "/mfaadmin/"
  }
}


Change successURL to suit your configuration. The value should be set to the baseURL value of the internal application. Examples:

- Activate OneTouch: "successURL" : "/activateonetouch/"

- Self service: "successURL" : "/selfservice/"

Pipes

{
  "id" : "UserLookupAndAuthWithLDAP",
  "valves" : [ {
    "name" : "LDAPSearchValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "base_dn" : "ou=users,dc=demo,dc=phenixid,dc=se",
      "scope" : "SUB",
      "size_limit" : "0",
      "filter_template" : "(&(objectclass=*)(uid={{request.username}}))",
      "attributes" : "commonName,uid,mail,mobile"
    }
  }, {
    "name" : "LDAPBindValve",
    "config" : {
      "connection_ref" : "local_ldap",
      "password_param_name" : "password"
    }
  }, {
    "name" : "OTPGeneratorValve",
    "config" : {
      "length" : "6",
      "name" : "generated_otp"
    }
  }, {
    "name" : "OTPBySMSValve",
    "config" : {
      "userid_param_name" : "username",
      "gw_username" : "testkonto",
      "gw_password" : "{enc}p38dlZnPiEXBkEtPf6xfSuCE2pxzNkKBOvZgZHzHQJM="
    }
  } ]
}, {
  "id" : "ValidateSentOtp",
  "valves" : [ {
    "name" : "SessionLoadValve",
    "config" : {
      "id" : "{{request.session_id}}"
    }
  }, {
    "name" : "OTPValidationValve",
    "config" : {
      "provided_otp_param_name" : "{{request.otp}}",
      "generated_otp_param_name" : "generated_otp"
    }
  }, {
    "name" : "ItemCreateValve",
    "config" : {
      "dest_id" : "{{request.username}}"
    }
  }, {
    "name" : "PropertyAddValve",
    "config" : {
      "name" : "roles",
      "value" : "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
      "enable_multi_value" : "true"
    }
  } ]
}
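The two pipes above split the OTP step in two: the user validation pipe generates a 6-digit code (OTPGeneratorValve), stores it under the name generated_otp and hands it to the SMS gateway (OTPBySMSValve); the OTP validation pipe reloads the session (SessionLoadValve) and compares the code the user typed with the stored one (OTPValidationValve). The following Python model of that exchange is an added example, not PhenixID code. The in-memory session store, the five-minute lifetime, the attempt limit and the single-use rule are assumptions; the page configures none of them, and a deployment should confirm what the real valves enforce.

```python
"""Model of the UserLookupAndAuthWithLDAP / ValidateSentOtp OTP steps.

Added example, not part of PhenixID. The LDAP search and bind are assumed
to have succeeded before user_validation_pipe() is called.
"""
import hmac
import secrets
import time

OTP_LENGTH = 6          # matches OTPGeneratorValve "length": "6"
OTP_TTL_SECONDS = 300   # assumption: the page configures no lifetime
MAX_ATTEMPTS = 5        # assumption: the page configures no attempt limit

_sessions = {}          # stands in for the server-side session store (constructed)


def generate_otp(length=OTP_LENGTH):
    """OTPGeneratorValve equivalent: a uniformly random numeric code."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def user_validation_pipe(session_id, username, now=None):
    """Second half of the user validation pipe: generate the OTP, keep it in the
    session under "generated_otp" and return the text OTPBySMSValve would send."""
    now = time.time() if now is None else now
    otp = generate_otp()
    _sessions[session_id] = {
        "username": username,
        "generated_otp": otp,
        "issued_at": now,
        "attempts": 0,
    }
    return f"Your one-time code is {otp}"   # what the SMS would carry


def otp_validation_pipe(session_id, provided_otp, now=None):
    """SessionLoadValve + OTPValidationValve equivalent.

    Returns True only if the session exists, still holds an unused code, the
    code is not expired, the attempt budget is not exhausted and the
    provided value matches (compared in constant time)."""
    now = time.time() if now is None else now
    session = _sessions.get(session_id)
    if session is None or "generated_otp" not in session:
        return False
    session["attempts"] += 1
    if session["attempts"] > MAX_ATTEMPTS or now - session["issued_at"] > OTP_TTL_SECONDS:
        del _sessions[session_id]      # burn the code: expired or too many tries
        return False
    ok = hmac.compare_digest(session["generated_otp"].encode(), provided_otp.encode())
    if ok:
        del session["generated_otp"]   # single use: a replay of the same code fails
    return ok


if __name__ == "__main__":
    sms = user_validation_pipe("session-1", "alice")
    code = sms.rsplit(" ", 1)[1]
    print(sms)
    print("first use:", otp_validation_pipe("session-1", code))
    print("replay:   ", otp_validation_pipe("session-1", code))
```

The constant-time comparison and the single-use rule are the two properties worth checking in any OTP validation step: the first keeps the comparison from leaking how many leading digits matched, the second keeps a code that was intercepted from being replayed after the legitimate login.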

Change these variables to fit your environment:

- LDAPSearchValve -> connection_ref: Find the id of the database connection and set that value here.

- LDAPSearchValve -> base_dn: Change it to the search base DN of your LDAP store.

- LDAPSearchValve -> filter_template: Change the search to suit your LDAP store.
NOTE: To limit login to specific group membership, please use the following example for LDAP search:

"filter_template" : "(&(objectclass=*)(uid={{request.username}})(memberOf=CN=Group1,OU=Training,DC=company,DC=local))"

- LDAPBindValve -> connection_ref: Find the id of the database connection and set that value here.

- OTPBySMSValve -> gw_username: Set to the userID of your SMS GW account.

- OTPBySMSValve -> gw_password: Set to the password of your SMS GW account.

- PropertyAddValve -> value: Read this article to get the correct value for the roles property.
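The filter_template is filled in from the request at login time, so the username the user typed ends up inside the LDAP search filter. The renderer below is an added example, not PhenixID code: it substitutes every {{request.<name>}} placeholder and applies RFC 4515 escaping to the substituted value, which is what any templating into an LDAP filter needs so that filter metacharacters in the input are searched for literally instead of changing the filter. Whether LDAPSearchValve escapes the value itself is not stated on this page. The two templates are the ones shown above; the request dictionary is constructed.

```python
"""Render an LDAPSearchValve-style filter_template with RFC 4515 escaping.

Added example, not part of PhenixID.
"""
import re

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Placeholder syntax used by the page's templates: {{request.<parameter>}}
_PLACEHOLDER = re.compile(r"\{\{request\.([A-Za-z0-9_]+)\}\}")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, request):
    """Replace every {{request.<name>}} placeholder with the escaped request value.

    Only the substituted values are escaped; the template's own "*" in
    objectclass=* is part of the filter and stays as written."""
    def substitute(match):
        name = match.group(1)
        if name not in request:
            raise KeyError(f"request parameter '{name}' missing for filter template")
        return escape_filter_value(str(request[name]))
    return _PLACEHOLDER.sub(substitute, template)


# Templates taken from the page: the default one and the group-restricted one.
BASE_TEMPLATE = "(&(objectclass=*)(uid={{request.username}}))"
GROUP_TEMPLATE = ("(&(objectclass=*)(uid={{request.username}})"
                  "(memberOf=CN=Group1,OU=Training,DC=company,DC=local))")

if __name__ == "__main__":
    print(render_filter(BASE_TEMPLATE, {"username": "alice"}))
    # A value containing filter metacharacters is rendered as a literal uid:
    print(render_filter(GROUP_TEMPLATE, {"username": "smith(1)"}))
```

The memberOf clause in the second template narrows the match to members of one group, so a correct username and password alone are not enough to pass the LDAPSearchValve step; the escaping keeps that clause from being bypassed by the value substituted before it.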

Database Connection

{
  "id" : "local_ldap",
  "type" : "ldap",
  "description" : "Connection to local OpenDJ",
  "config" : {
    "host" : "localhost",
    "port" : "389",
    "bind_dn" : "cn=Directory Manager",
    "password" : "{enc}D5rVvfE+HpfoHagoMv1r1oy91oDYX44eObCS6qCLh9I=",
    "use_ssl" : "false",
    "ssl_trust_all" : "false",
    "follow_referrals" : "false",
    "auto_reconnect" : "true",
    "use_keep_alive" : "true",
    "response_timeout_ms" : "30000",
    "pool_initial_size" : "1",
    "pool_max_size" : "2"
  }
}

If the database connection has already been configured, use the id value from that.

Enable authenticator for the web app

When the steps above have been completed, we can enable the new authenticator for the web app.

In Configuration Manager, go to the Advanced tab and press the pencil next to Modules.
Find the module that references the "auth_redirect_url" for the web app.
The last part of the value should be changed to the alias of the HTTP Authenticator, "unpwotp" in the example above.

So it should now look similar to this:

{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/mfaadmin",
    "auth_redirect_url": "/mfaadmin/authenticate/unpwotp",
    "http_configuration_ref": "da5095a3-95ce-485b-b6ae-41be99bed01b",
    "module_refs": "baad7c09-83b5-45b2-97d5-dfeb1351a1ef",
    "enable_roles": "true"
  },
  "id": "e64a779c-5140-4eec-84ee-958dae935f0c"
}

When done, press Stage changes and then Commit changes.
The web app should now use the newly configured authenticator.
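The pieces configured on this page reference each other by id and alias: the authenticator names two pipes, the pipes name a database connection, and the web app module names the authenticator's alias in auth_redirect_url. A mismatch in any of them only shows up as a failed login after Commit changes. The script below is an added example, not PhenixID's own tooling: it loads trimmed copies of the four JSON fragments from this page (with the encrypted secrets replaced by constructed placeholders) and reports references that do not line up, missing mandatory properties from the table above, and secrets stored without the {enc} prefix.

```python
"""Cross-check authenticator, pipes, database connection and web app module.

Added example, not part of PhenixID. The JSON fragments are trimmed copies
of the page's configuration; secrets are constructed placeholders.
"""
import json

AUTHENTICATOR = json.loads("""{
  "id": "unpwotp", "alias": "unpwotp", "name": "PostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "UserLookupAndAuthWithLDAP",
    "otpValidationPipeID": "ValidateSentOtp",
    "successURL": "/mfaadmin/"
  }
}""")

PIPES = json.loads("""[
  {"id": "UserLookupAndAuthWithLDAP", "valves": [
    {"name": "LDAPSearchValve", "config": {"connection_ref": "local_ldap"}},
    {"name": "LDAPBindValve", "config": {"connection_ref": "local_ldap",
                                         "password_param_name": "password"}},
    {"name": "OTPGeneratorValve", "config": {"length": "6", "name": "generated_otp"}},
    {"name": "OTPBySMSValve", "config": {"gw_username": "testkonto",
                                         "gw_password": "{enc}PLACEHOLDER"}}
  ]},
  {"id": "ValidateSentOtp", "valves": [
    {"name": "SessionLoadValve", "config": {"id": "{{request.session_id}}"}},
    {"name": "OTPValidationValve", "config": {"provided_otp_param_name": "{{request.otp}}",
                                              "generated_otp_param_name": "generated_otp"}}
  ]}
]""")

CONNECTIONS = json.loads("""[
  {"id": "local_ldap", "type": "ldap",
   "config": {"host": "localhost", "port": "389", "bind_dn": "cn=Directory Manager",
              "password": "{enc}PLACEHOLDER", "use_ssl": "false"}}
]""")

MODULE = json.loads("""{
  "name": "com.phenixidentity~phenix-prism", "enabled": "true",
  "config": {"base_url": "/mfaadmin", "auth_redirect_url": "/mfaadmin/authenticate/unpwotp"}
}""")

# Mandatory properties, taken from the configuration property table on the page.
MANDATORY = ("successURL", "userValidationPipeID", "otpValidationPipeID")
# Valve/connection keys that hold secrets and should carry the {enc} prefix.
SECRET_KEYS = ("password", "gw_password")


def check_config(auth, pipes, connections, module):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    cfg = auth["configuration"]
    for key in MANDATORY:
        if not cfg.get(key):
            findings.append(f"authenticator {auth['id']}: mandatory property {key} is missing")
    pipe_ids = {p["id"] for p in pipes}
    for key in ("userValidationPipeID", "otpValidationPipeID"):
        if key in cfg and cfg[key] not in pipe_ids:
            findings.append(f"authenticator {auth['id']}: {key} points to unknown pipe {cfg[key]}")
    conn_ids = {c["id"] for c in connections}
    for pipe in pipes:
        for valve in pipe["valves"]:
            vcfg = valve["config"]
            ref = vcfg.get("connection_ref")
            if ref is not None and ref not in conn_ids:
                findings.append(f"pipe {pipe['id']}: {valve['name']} references unknown connection {ref}")
            for key in SECRET_KEYS:
                if key in vcfg and not vcfg[key].startswith("{enc}"):
                    findings.append(f"pipe {pipe['id']}: {valve['name']}.{key} is stored in clear text")
    for conn in connections:
        pw = conn["config"].get("password", "")
        if pw and not pw.startswith("{enc}"):
            findings.append(f"connection {conn['id']}: password is stored in clear text")
    # The web app's auth_redirect_url must end with this authenticator's alias,
    # and successURL should be the app's base URL (both stated on the page).
    base = module["config"]["base_url"]
    redirect = module["config"]["auth_redirect_url"]
    if not redirect.endswith("/" + auth["alias"]):
        findings.append(f"module {module['name']}: auth_redirect_url {redirect} does not end with alias {auth['alias']}")
    if cfg.get("successURL", "").rstrip("/") != base.rstrip("/"):
        findings.append(f"authenticator {auth['id']}: successURL {cfg.get('successURL')} is not the web app base_url {base}")
    return findings


if __name__ == "__main__":
    for line in check_config(AUTHENTICATOR, PIPES, CONNECTIONS, MODULE) or ["configuration is consistent"]:
        print(line)
```

Run it against the fragments as they will be committed; the alias and base_url checks are the ones that catch the most common slip, editing auth_redirect_url for one web app while the successURL still points at another.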