Version 2.7
Activate Pocket Pass - Username, Password and OTP

Requirements: an LDAP connection must already be configured. Note the ID of that connection, it is needed in Step 5. The Step 5 pipe also sends the one-time code by SMS, so you need the username and password of your SMS gateway.

Do the following steps in the ADVANCED tab of the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following section to “Authentication - HTTP”

{
	"id": "activatepocketpassotp",
	"alias": "activatepocketpassotp",
	"name": "PostUidPasswordAndOTP",
	"configuration": {
		"userValidationPipeID": "EnrollOathOtpUserLookupAndAuthWithLDAP",
		"otpValidationPipeID": "EnrollOathOTPValidateSentOtp",
		"successURL": "/activatepocketpass/",
		"translationKey": "login.messages.information.body.enrollment.pocketpass",
		"headingtranslationKey": "login.messages.information.header.enrollment.pocketpass",
		"title": "login.messages.information.title.enrollment.pocketpass",
		"loginTemplate": "enrollmentpocketpass_otp1.template",
		"otp": "enrollmentpocketpass_otp2.template",
		"allowLanguageChange": "true",
		"translation": [
			"login.messages.enrollment.pocketpass.title.header1",
			"login.messages.enrollment.pocketpass.info.description",
			"login.messages.enrollment.pocketpass.btn.proceed",
			"login.messages.enrollment.pocketpass.input.username",
			"login.messages.enrollment.pocketpass.input.password",
			"login.messages.enrollment.pocketpass.input.securityCode",
			"login.messages.enrollment.pocketpass.title.header3",
			"login.messages.enrollment.pocketpass.info.enterOTP",
			"login.messages.enrollment.pocketpass.input.enterOTP"
		]
	}
}

Step 2 - HTTP connections

Add the following section to “HTTP connections”. Change “port” and “ssl” to suit your environment; keep “ssl” set to “true” unless TLS is terminated in front of the server, because the enrollment page carries the user's password and one-time code.

{
	"id": "http_oath",
	"port": "8443",
	"ssl": "true"
}

Step 3 - Modules

Add the following section to “Modules”

{
	"name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"config": {
		"base_url": "/activatepocketpass",
		"auth_redirect_url": "/activatepocketpass/authenticate/activatepocketpassotp",
		"http_configuration_ref": "http_oath",
		"module_refs": "enroll_oath_01",
		"enable_roles": "true",
		"use_css": "false"
	},
	"id": "enrolloath"
},
{
	"id": "enroll_oath_01",
	"name": "com.phenixidentity~phenix-prism-enroll-oath",
	"enabled": "false",
	"prism_enabled": "true",
	"config": {
		"display_name": "Pocket Pass enrollment",
		"base_uri": "oath",
		"token_allow_multiple": "true",
		"token_pin": "true",
		"token_type": "TOTP",
		"token_algorithm": "SHA-1",
		"token_digits": "6",
		"token_issuer": "PhenixID",
		"http_configuration_ref": "http_oath",
		"requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"
	}
}

Change the following to your requirements:

"token_allow_multiple": whether a user may enroll more than one token
"token_pin": whether the enrolled token requires a PIN
"token_digits": number of digits in each OTP
"token_issuer": issuer name shown for the token in the app

Leave "requires_role" as it is: its value must be identical to the "value" that PropertyAddValve sets in the EnrollOathOTPValidateSentOtp pipe (Step 5). That role is only granted after the password and the SMS one-time code have been validated, and it is what restricts the enrollment page to those users.

Step 4 - NODE_GROUPS

Add the module “enrolloath” to module_refs in “NODE_GROUPS”, see the example below.

Example:

"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrolloath"

Step 5 - Pipes

Add the following section to “Pipes”

{
	"id": "EnrollOathOtpUserLookupAndAuthWithLDAP",
	"valves": [
		{
			"name": "LDAPSearchValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"base_dn": "replace-base_dn",
				"scope": "SUB",
				"size_limit": "0",
				"filter_template": "(&(objectclass=user)(sAMAccountName={{request.username}}))",
				"attributes": "cn,mail,mobile"
			}
		},
		{
			"name": "LDAPBindValve",
			"config": {
				"connection_ref": "replace-ldap-ref",
				"password_param_name": "password"
			}
		},
		{
			"name": "OTPGeneratorValve",
			"config": {
				"length": "6",
				"name": "generated_otp"
			}
		},
		{
			"name": "OTPBySMSValve",
			"config": {
				"userid_param_name": "username",
				"gw_username": "replace-gw_username",
				"gw_password": "replace-gw_password"
			}
		}
	]
},
{
	"id": "EnrollOathOTPValidateSentOtp",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "OTPValidationValve",
			"config": {
				"provided_otp_param_name": "{{request.otp}}",
				"generated_otp_param_name": "generated_otp"
			}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "{{request.username}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "roles",
				"value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
				"enable_multi_value": "true"
			}
		}
	]
}

Replace the following Pipe settings:

“replace-ldap-ref” with your LDAP connection id, in both LDAPSearchValve and LDAPBindValve, example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”
“replace-gw_username” with your SMS-gateway username
“replace-gw_password” with your SMS-gateway password

Verify that “filter_template” and “attributes” match your environment. The filter above is written for Active Directory (objectclass=user, sAMAccountName); other directories usually need a different object class and user attribute, such as uid. The search must return exactly one entry for the entered username, because LDAPBindValve then binds as that entry with the supplied password, and the “mobile” attribute must hold the number the SMS one-time code is sent to.
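The five fragments above reference each other by id, and a single mismatch (a pipe id typed differently in Step 1 and Step 5, a “replace-…” placeholder left in, a role string that differs between "requires_role" and PropertyAddValve) gives a page that never loads or an enrollment nobody can reach. The following Python script is an added example, not part of this guide or of PhenixID's software. It embeds trimmed copies of the fragments (constructed for the check, with the placeholders deliberately left in), cross-checks them, and a fill_placeholders helper shows the pipes passing once the placeholders are substituted. The upper-case/lower-case “Replace-”/“replace-” spellings are treated as the same placeholder; the connection id and gateway credentials used when filling are assumed values.

```python
"""Cross-check the five Pocket Pass activation fragments against each other."""
import re

# Fragments from Steps 1-5, trimmed to the keys that reference each other (constructed
# for this check). The "replace-..." placeholders are left in so the check is seen firing.
AUTH_HTTP = [{
    "id": "activatepocketpassotp", "name": "PostUidPasswordAndOTP",
    "configuration": {
        "userValidationPipeID": "EnrollOathOtpUserLookupAndAuthWithLDAP",
        "otpValidationPipeID": "EnrollOathOTPValidateSentOtp",
        "successURL": "/activatepocketpass/",
    },
}]
HTTP_CONNECTIONS = [{"id": "http_oath", "port": "8443", "ssl": "true"}]
MODULES = [
    {"id": "enrolloath", "name": "com.phenixidentity~phenix-prism", "config": {
        "base_url": "/activatepocketpass",
        "auth_redirect_url": "/activatepocketpass/authenticate/activatepocketpassotp",
        "http_configuration_ref": "http_oath", "module_refs": "enroll_oath_01"}},
    {"id": "enroll_oath_01", "name": "com.phenixidentity~phenix-prism-enroll-oath", "config": {
        "http_configuration_ref": "http_oath",
        "requires_role": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}},
]
NODE_GROUP_MODULE_REFS = "d55205cc-e067-4490-9e2b-dbc98459e501,enrolloath"
PIPES = [
    {"id": "EnrollOathOtpUserLookupAndAuthWithLDAP", "valves": [
        {"name": "LDAPSearchValve", "config": {
            "connection_ref": "Replace-ldap-ref", "base_dn": "Replace-base_dn",
            "filter_template": "(&(objectclass=user)(sAMAccountName={{request.username}}))"}},
        {"name": "LDAPBindValve", "config": {"connection_ref": "replace-ldap-ref"}},
        {"name": "OTPBySMSValve", "config": {
            "gw_username": "replace-gw_username", "gw_password": "replace-gw_password"}},
    ]},
    {"id": "EnrollOathOTPValidateSentOtp", "valves": [
        {"name": "PropertyAddValve", "config": {
            "name": "roles", "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93"}},
    ]},
]
PLACEHOLDER = re.compile(r"^replace-", re.IGNORECASE)


def _strings(obj, path):
    """Yield (path, value) for every string leaf of a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def check_config(auth_http, http_connections, modules, node_group_refs, pipes):
    """Return a list of problems; an empty list means the five fragments agree."""
    problems = []
    pipe_ids = {p["id"] for p in pipes}
    http_ids = {h["id"] for h in http_connections}
    module_ids = {m["id"] for m in modules}
    roles_granted = {v["config"]["value"] for p in pipes for v in p["valves"]
                     if v["name"] == "PropertyAddValve" and v["config"].get("name") == "roles"}
    for a in auth_http:
        for key in ("userValidationPipeID", "otpValidationPipeID"):
            if a["configuration"][key] not in pipe_ids:
                problems.append(f"{a['id']}: {key} points at an unknown pipe")
    for m in modules:
        cfg = m["config"]
        if cfg.get("http_configuration_ref") not in http_ids:  # both modules need one here
            problems.append(f"{m['id']}: http_configuration_ref points at an unknown connection")
        for sub in filter(None, cfg.get("module_refs", "").split(",")):
            if sub not in module_ids:
                problems.append(f"{m['id']}: module_refs points at unknown module {sub}")
        if "auth_redirect_url" in cfg:  # must be base_url + /authenticate/ + authenticator id
            expected = f"{cfg['base_url']}/authenticate/{auth_http[0]['id']}"
            if cfg["auth_redirect_url"] != expected:
                problems.append(f"{m['id']}: auth_redirect_url should be {expected}")
        # The role the enrollment module requires must be the one the OTP pipe grants,
        # otherwise no user can ever reach the enrollment page.
        req = cfg.get("requires_role")
        if req and req not in roles_granted:
            problems.append(f"{m['id']}: requires_role {req} is never granted by any pipe")
    if "enrolloath" not in node_group_refs.split(","):
        problems.append("NODE_GROUPS: module_refs does not list enrolloath")
    for path, value in _strings(pipes, "pipes"):
        if PLACEHOLDER.match(value):
            problems.append(f"{path}: placeholder {value} not replaced")
        if "&amp;" in value:  # HTML entity left from copy-paste; the LDAP filter needs a bare &
            problems.append(f"{path}: contains &amp; instead of &")
    return problems


def fill_placeholders(pipes, values):
    """Return a copy of pipes with each replace-* placeholder substituted (case-insensitive)."""
    lookup = {k.lower(): v for k, v in values.items()}

    def sub(obj):
        if isinstance(obj, dict):
            return {k: sub(v) for k, v in obj.items()}
        if isinstance(obj, list):
            return [sub(v) for v in obj]
        return lookup.get(obj.lower(), obj) if isinstance(obj, str) else obj
    return sub(pipes)
```

Run check_config on the fragments as pasted and it reports the five unreplaced placeholders; run it again on fill_placeholders(PIPES, {...}) with your connection id and gateway credentials and it returns an empty list. Changing the "requires_role" string in enroll_oath_01 without changing PropertyAddValve, or dropping "enrolloath" from the node group, is reported as well.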