PhenixID DocumentationPhenixID Authentication ServicesSolutionsSQL Change authentication to mail and OTP with SQL UserStore

Change authentication to mail and OTP with SQL UserStore

Requirements :  SQL and SMTP must be configured, note the ID of the connections used in later steps.

This example requires good knowledge about PAS configurations.

Do the following steps in the ADVANCED  tab in the Configuration GUI

Step 1 - Authentication - HTTP

This example is made from an activateOneTouch authenticator.
But the function works with any authenticator based on OTP.
The key is the PipeIDs pointing to UserValidation and OTPValidation.

<p>{
	"id": "activateonetouchotp",
	"alias": "activateonetouchotp",
	"name": "PostUidPasswordAndOTP",
	"configuration": {
		"userValidationPipeID": "EnrollPkiOtpUserLookupAndAuthWithLDAP",
		"otpValidationPipeID": "EnrollPkiOTPValidateSentOtp",
		"successURL": "/activateonetouch/",
		"translationKey": "login.messages.information.body.enrollment.onetouch",
		"headingtranslationKey": "login.messages.information.header.enrollment.onetouch",
		"title": "login.messages.information.title.enrollment.onetouch",
		"loginTemplate": "enrollmentonetouch_otp1.template",
		"otp": "enrollmentonetouch_otp2.template",
		"allowLanguageChange": "true",
        "translation": [
			"login.messages.enrollment.onetouch.title.header1",
			"login.messages.enrollment.onetouch.title.header2",
			"login.messages.enrollment.onetouch.info.learnMore",
			"login.messages.enrollment.onetouch.btn.proceed",
			"login.messages.enrollment.onetouch.input.username",
			"login.messages.enrollment.onetouch.input.password",
			"login.messages.enrollment.onetouch.input.securityCode",
			"login.messages.enrollment.onetouch.title.header3",
			"login.messages.enrollment.onetouch.info.enterOTP",
			"login.messages.enrollment.onetouch.input.enterOTP"
		]
	}
}</p>
Click to copy

Step 2 - Pipes

The first pipe connects to SQL to verify that the mailadress exists. If not, the authentication fails.

The second pipe is a standard OTP verify pipe.

<p>{
	"id": "EnrollPkiOtpUserLookupWithSQL",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "InputParameterExistValidatorValve",
			"config": {
				"param_name": "username"
			}
		},
		{
			"name": "StatementExecutorValve",
			"config": {
				"proceed_on_error": "false",
				"connection_ref": "<replace-sql-ref>",
				"statement": "select mail,sn,givenName from <database> where mail ='{{request.username}}'"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"exec_if_expr": "flow.items().isEmpty()"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "User does not exist",
				"skip_if_expr": "flow.isSingle()"
			}
		},
		{
			"name": "FlowFailValve",
			"config": {
				"message": "No email",
				"exec_if_expr": "",
				"skip_if_expr": "flow.items().get(0).containsProperty('mail')"
			}
		},
		{
			"name": "SessionBindToUidValve",
			"config": {
				"userid": "{{request.username}}"
			}
		},
		{
			"name": "OTPGeneratorValve",
            "config": {
				"length": "6",
				"name": "generated_otp"
			}
		},
		{
			"name": "OTPBySMTPValve",
			"config": {
				"smtp_settings": "<replace-smtp-ref>",
				"start_tls_enabled": "false",
				"userid_param_name": "{{request.username}}",
				"mail_param_name": "{{item.mail}}",
                "generated_otp_name": "generated_otp",
				"mail_template": "resources/otp_mail_template.mustache",
				"socket_connection_timeout": "15",
				"removal_prefixes": "smtp:,SMTP:,sip:"
			}
		}
	]
},
{
	"id": "EnrollPkiOTPValidateSentOtp",
	"valves": [
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "OTPValidationValve",
			"config": {
				"provided_otp_param_name": "{{request.otp}}",
				"generated_otp_param_name": "generated_otp"
			}
		},
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "{{request.username}}"
			}
		},
	]
}</replace-smtp-ref></database></replace-sql-ref></p>
Click to copy

Replace the following Pipe settings:

“replace-SQL-ref” with your SQL connection id, example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-SMTP-ref” with your SMTP connection id, ex. “90ac16f3-35a9-49a7-91ed-de11c61b8cb3”

Verify that the SQL “statement“ match your environment.

Step 3. Change the enrollmentonetouch_otp1.template

...\Server\mods\com.phenixidentity~auth-http~2.7.0\templates

Remove or remark the password part of the login page.
This authentication don't control any passwords so we don't need to fill that in.
It may look different in another OTP template.

Step 4. Replace username in strings.xml

...\Server\mods\com.phenixidentity~auth-http~2.8.0\web\res\lang\en

Change the parameter below to change the look of this particular loginpage from Username to mail.
Make the changes in all applicable languages.
The service has to be restarted after a change in strings.xml

<string name="login.messages.enrollment.onetouch.input.username">mail</string>
Click to copy

Remember for future upgrading

Changes in templates and country strings must be reconfigured after an upgrade.