Activate One Touch - Username, Password and OTP
Requirements: LDAP must be configured; note the ID of the LDAP connection, it is used in later steps.
One Touch must be configured.
Do the following steps in the ADVANCED tab of the Configuration GUI.
Step 1 - Authentication - HTTP
Add the following section to “Authentication - HTTP”:
{
  "id": "activateonetouchotp",
  "alias": "activateonetouchotp",
  "name": "PostUidPasswordAndOTP",
  "configuration": {
    "userValidationPipeID": "EnrollPkiOtpUserLookupAndAuthWithLDAP",
    "otpValidationPipeID": "EnrollPkiOTPValidateSentOtp",
    "successURL": "/activateonetouch/",
    "translationKey": "login.messages.information.body.enrollment.onetouch",
    "headingtranslationKey": "login.messages.information.header.enrollment.onetouch",
    "title": "login.messages.information.title.enrollment.onetouch",
    "loginTemplate": "enrollmentonetouch.template",
    "otp": "otp.template",
    "allowLanguageChange": "true"
  }
}
Step 2 - HTTP connections
Add the following section to “HTTP connections”; change the “port” and “ssl” settings to suit your environment:
{
  "id": "http_pki",
  "port": "8443",
  "ssl": "true"
}
Step 3 - Modules
Add the following section to “Modules”:
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/activateonetouch",
    "auth_redirect_url": "/activateonetouch/authenticate/activateonetouchotp",
    "http_configuration_ref": "http_pki",
    "module_refs": "enroll_pki_01",
    "enable_roles": "false",
    "use_css": "false"
  },
  "id": "enrollpki"
},
{
  "id": "enroll_pki_01",
  "name": "com.phenixidentity~phenix-prism-enroll-pki",
  "enabled": "false",
  "prism_enabled": "true",
  "config": {
    "display_name": "One Touch enrollment",
    "base_uri": "pki",
    "http_configuration_ref": "http_pki",
    "url_prefix": "replace-url_prefix",
    "enroll_timeout_mins": "1",
    "enroll_pollinterval_ms": "2000",
    "use_push": "true"
  }
}
Replace “replace-url_prefix” with your URL, for example "https://192.168.10.118:8443".
Change the following parameters, if needed, to suit your environment:
"enroll_timeout_mins"
"enroll_pollinterval_ms"
"use_push"
Step 4 - NODE_GROUPS
Add the module “enrollpki” to “module_refs” in “NODE_GROUPS”, for example:
"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrollpki"
Step 5 - Pipes
Add the following section to “Pipes”:
{
  "id": "EnrollPkiOtpUserLookupAndAuthWithLDAP",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "base_dn": "replace-base_dn",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "(&(objectclass=user)(sAMaccountName={{request.username}}))",
        "attributes": "cn,mail,mobile"
      }
    },
    {
      "name": "LDAPBindValve",
      "config": {
        "connection_ref": "replace-ldap-ref",
        "password_param_name": "password"
      }
    },
    {
      "name": "OTPGeneratorValve",
      "config": {
        "length": "6",
        "name": "generated_otp"
      }
    },
    {
      "name": "OTPBySMSValve",
      "config": {
        "userid_param_name": "username",
        "gw_username": "replace-gw_username",
        "gw_password": "replace-gw_password"
      }
    }
  ]
},
{
  "id": "EnrollPkiOTPValidateSentOtp",
  "valves": [
    {
      "name": "SessionLoadValve",
      "config": {
        "id": "{{request.session_id}}"
      }
    },
    {
      "name": "OTPValidationValve",
      "config": {
        "provided_otp_param_name": "{{request.otp}}",
        "generated_otp_param_name": "generated_otp"
      }
    },
    {
      "name": "ItemCreateValve",
      "config": {
        "dest_id": "{{request.username}}"
      }
    },
    {
      "name": "PropertyAddValve",
      "config": {
        "name": "roles",
        "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
        "enable_multi_value": "true"
      }
    }
  ]
}
Replace the following Pipe settings:
“replace-ldap-ref” with your LDAP connection ID, for example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, for example “DC=phenixid,DC=local”
“replace-gw_username” with your SMS gateway username
“replace-gw_password” with your SMS gateway password
Verify that “filter_template” and “attributes” match your environment.
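A leftover "replace-" placeholder (such as the SMS gateway password) or a pipe, module or OTP parameter name that does not match across the sections above is the usual reason this flow fails after the configuration is saved. The following Python checker is an added example, not part of PhenixID or of this guide; it runs over a trimmed, constructed copy of the fragments above, and the section keys (authentication_http, modules, node_groups, pipes) and the walk/check_config helpers are assumptions of this example, not PhenixID APIs.

```python
def walk(obj, path=""):
    """Yield (path, value) for every leaf in nested dicts/lists."""
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else None
    if items is None:
        yield path, obj
        return
    for k, v in items:
        yield from walk(v, f"{path}.{k}" if path else str(k))

def check_config(cfg):
    """Return a list of findings; an empty list means the fragments are wired consistently."""
    out = [f"placeholder left in {p}: {v!r}" for p, v in walk(cfg)
           if isinstance(v, str) and v.startswith("replace-")]
    pipes = {p["id"]: p for p in cfg["pipes"]}
    modules = {m["id"] for m in cfg["modules"]}
    for auth in cfg["authentication_http"]:  # pipe IDs named by the auth method must exist
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            if auth["configuration"][key] not in pipes:
                out.append(f"{auth['id']}.{key} -> unknown pipe")
    for m in cfg["modules"]:  # module_refs inside Modules must name existing modules
        for ref in filter(None, m["config"].get("module_refs", "").split(",")):
            if ref not in modules:
                out.append(f"module {m['id']}: module_refs -> unknown module {ref!r}")
    if "enrollpki" not in cfg["node_groups"]["module_refs"].split(","):
        out.append("NODE_GROUPS.module_refs does not include 'enrollpki'")
    valves = [v for p in pipes.values() for v in p["valves"]]
    generated = {v["config"]["name"] for v in valves if v["name"] == "OTPGeneratorValve"}
    out += ["OTPValidationValve reads an OTP name no OTPGeneratorValve writes" for v in valves
            if v["name"] == "OTPValidationValve" and v["config"]["generated_otp_param_name"] not in generated]
    return out

# Constructed sample, trimmed from the page's fragments, with the SMS gateway
# password left as its placeholder so the checker has something to report.
SAMPLE = {
    "authentication_http": [{"id": "activateonetouchotp", "configuration": {
        "userValidationPipeID": "EnrollPkiOtpUserLookupAndAuthWithLDAP",
        "otpValidationPipeID": "EnrollPkiOTPValidateSentOtp"}}],
    "modules": [{"id": "enrollpki", "config": {"module_refs": "enroll_pki_01"}}, {"id": "enroll_pki_01", "config": {}}],
    "node_groups": {"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,enrollpki"},
    "pipes": [
        {"id": "EnrollPkiOtpUserLookupAndAuthWithLDAP", "valves": [
            {"name": "OTPGeneratorValve", "config": {"length": "6", "name": "generated_otp"}},
            {"name": "OTPBySMSValve", "config": {"gw_username": "smsuser", "gw_password": "replace-gw_password"}}]},
        {"id": "EnrollPkiOTPValidateSentOtp", "valves": [
            {"name": "OTPValidationValve", "config": {"provided_otp_param_name": "{{request.otp}}",
                                                      "generated_otp_param_name": "generated_otp"}}]}],
}

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE) or ["config fragments are consistent"]))
```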