Disable OTP / One Touch for RADIUS authenticators

This document describes how to exclude users from multi-factor authentication (NOT recommended).

Overview

In some scenarios a customer wants to exclude some users from multi-factor authentication. These users will be able to log in using only user ID and password.

This setup is not recommended but might be required in some scenarios. Make sure that the attribute or group membership that triggers the exemption can only be changed by administrators: a user who can edit their own postOfficeBox or mobile value (for example through a self-service portal) could otherwise exempt themselves from the second factor.

This will only affect RADIUS authentications.

Requirements

  • PhenixID Server installed

Instruction

The configuration below is entered by editing the "Execution flow" for the scenario in Configuration manager.

Set the parameters "exec_if_expr" and "skip_if_expr" on the relevant valves according to the examples below. More examples of expressions can be found here.

The RADIUS authenticator will not send an Access-Challenge when the property "disable_otp" is set to "true". The PropertyAddValve that sets "disable_otp" and the OTP valves that are skipped must use the same condition. If the OTP valves are skipped but "disable_otp" is not set, the user is challenged for an OTP that was never generated or sent; if "disable_otp" is set but the OTP valves still run, an OTP is sent that the user is never asked for.

Example 1

This example will disable OTP if the attribute postOfficeBox is set to NOOTP.

Please note that the postOfficeBox attribute has to exist in the item set for this to work. In most scenarios the attribute is loaded by the LDAPSearchValve by adding it to the attributes parameter.

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_otp",
    "value" : "true",
    "exec_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('NOOTP')"
  }
}

Example 2

This example will disable OTP if the attribute mobile starts with +46. Note that this exempts every user with such a number, which is a broad condition; the expression first checks that the mobile property exists, so users without a mobile value are not exempted.

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_otp",
    "value" : "true",
    "exec_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "(flow.items().get(0).containsProperty('mobile') && flow.items().get(0).getPropertyValue('mobile').startsWith('+46'))"
  }
}

Example 3

This example will disable OTP if the user is a member of the specified group.

The memberOf attribute has to be fetched in the LDAPSearchValve to be able to use it later in the flow as described below. In Active Directory, memberOf lists direct memberships only, so members of nested groups will not match.

Note that the value of the token parameter in PropertyContainsValve is case sensitive, so it must match the group DN exactly as the directory returns it.

{
  "name" : "PropertyContainsValve",
  "config" : {
    "dest" : "disable_otp",
    "source" : "memberOf",
    "token" : "CN=NoOTP,OU=SecurityGroups,DC=company,DC=local"
  }
}, {
  "name" : "OTPGeneratorValve",
  "config" : {
    "length" : "6",
    "alpha_numeric" : "false",
    "name" : "generated_otp",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}, {
  "name" : "OTPBySMSValve",
  "config" : {
    "message_gateway_settings" : "c908d597-b010-4262-9c4c-049445a304e6",
    "recipient_param_name" : "mobile",
    "generated_otp_name" : "generated_otp",
    "use_flash" : "true",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}

Example 4, disable One Touch

This example will disable the One Touch part of the login flow if the attribute postOfficeBox is set to "disableot". This configuration is only valid for the OneTouchAuthenticator. The parameter used here is "disable_ot"; when set to true, the second factor using One Touch will not be triggered.

As mentioned earlier, this setup is not recommended but might be required in some scenarios. Be careful when setting up the configuration and test the scenario, making sure it does exactly what is expected.

Please note that the postOfficeBox attribute has to exist in the item set for this to work. In most scenarios the attribute is loaded by the LDAPSearchValve by adding it to the attributes parameter.

Add a PropertyAddValve to the authentication pipe, according to this example:

Next step is to make sure that this valve is only executed on accounts  that have the value "disableot" set on the attribute postOfficeBox:
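The original listing for this valve is not reproduced on this page. The following is an added example, not the page's own listing: a PropertyAddValve assembled from the parameters stated above (property name "disable_ot", value "true", triggered when postOfficeBox equals "disableot"), using the same valve and exec_if_expr pattern as Example 1.

```json
{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_ot",
    "value" : "true",
    "exec_if_expr" : "flow.getPropertyValue('postOfficeBox','')==('disableot')"
  }
}
```

The exec_if_expr is an exact string comparison, so the directory value must be exactly "disableot". The second argument of getPropertyValue ('') is the value used when the attribute is missing, so accounts without a postOfficeBox value never get "disable_ot" set and are still prompted for One Touch.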

When done, save the configuration and verify the flow using one account that has "disableot" set and one that doesn't, making sure that it works as expected.