How to set up the HTTP API for Get OTP based on called-in phone number
About this document
This document describes how to set up the HTTP API for the use case "Get OTP based on called-in phone number". You can read more about the purpose of the use case here.
Prerequisites
- PAS 2.7 installed
Authentication
It is recommended to add authentication to the API. These authentication methods are supported:
- Client certificate (recommended).
Use a reverse proxy to add client certificate authentication. Add valves to the pipe(s) to verify the certificate. Please consult the valves documentation.
- Basic authentication
Add valves to the pipes to perform basic authentication verification. Please consult the valves documentation.
Add local http-api module
- Log in to Configuration Manager
- Click the Advanced tab
- Open Modules (click on the pen)
- Add this module (if module is already added, only add tenant and/or allowedOperation):
{
  "module": "com.phenixidentity~phenix-api-authenticate",
  "enabled": "true",
  "config": {
    "tenant": [
      {
        "id": "t1",
        "displayName": "Tenant1",
        "allowedOperation": [
          "getOTP"
        ]
      }
    ]
  },
  "id": "authapi_module"
}
- Click Stage Changes and Commit Changes
- Open NODE_GROUPS (click on the pen)
- Add the id of the newly added module to module_refs, as in the example below. (You can skip this step if the module was already added.)
{
  "name": "WIN-DHB3ICNDG4E",
  "description": "Default node (created automatically)",
  "config": {
    "module_refs": "authapi_module,sealapp,signapp_1,......"
  },
  "created": "2017-07-03T11:38:03.135Z",
  "id": "493afd0e-0fe8-40e4-b1a1-a24a5e2df6e2",
  "modified": "2017-07-03T14:39:43.257Z"
}
- Click Stage Changes and Commit Changes
Add pipes to perform the logic
In this example, neither client certificate nor basic authentication is used. Please read the Valves documentation on how to add API authentication to the pipe.
- Click the Advanced tab
- Open Pipes (click on the pen)
- Add this pipe.
{
  "id": "getOTP",
  "description": "Create OTP based on phone number",
  "valves": [
    {
      "name": "LDAPSearchValve",
      "config": {
        "connection_ref": "e379a2be-86be-4194-a53d-462bde7b6eeb",
        "base_dn": "dc=bjorken,dc=local",
        "scope": "SUB",
        "size_limit": "0",
        "filter_template": "telephoneNumber={{request.phonenumber}}",
        "attributes": "sAMAccountName"
      }
    },
    {
      "name": "OTPGeneratorValve",
      "config": {
        "name": "generated_otp",
        "length": "6",
        "valid_time_in_seconds": "360"
      }
    },
    {
      "name": "PropertySubstringValve",
      "config": {
        "source": "generated_otp",
        "dest": "otp",
        "end_index": "6",
        "begin_index": "0"
      }
    },
    {
      "name": "SessionCreateValve",
      "config": {}
    },
    {
      "name": "SessionPropertyAddValve",
      "config": {
        "name": "generated_otp",
        "value": "{{item.generated_otp}}"
      }
    },
    {
      "name": "SessionBindValve",
      "config": {
        "alias": "{{item.sAMAccountName}}"
      }
    },
    {
      "name": "SessionPersistValve",
      "config": {}
    },
    {
      "name": "PropertyKeepValve",
      "config": {
        "name": "otp"
      }
    }
  ]
}
- Change the LDAPSearchValve settings to suit your environment:
* connection_ref
* base_dn
* filter_template
* attributes
- Click Stage Changes and Commit Changes
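Before committing, it helps to check that the three pieces configured above actually fit together: the module is enabled and referenced from the node group, the pipe id is an allowed operation of the module, the valves run in the order the use case needs, and only the otp property leaves the pipe. The script below is an added example, not PhenixID code; its sample dicts are constructed from this document's JSON, trimmed to the fields the checks inspect.

```python
# Added consistency check for the module, node group and pipe wiring above.
# Not PhenixID code; the sample dicts are constructed from this document's JSON,
# trimmed to the fields the checks inspect.
MODULE = {"id": "authapi_module", "enabled": "true",
          "config": {"tenant": [{"id": "t1", "allowedOperation": ["getOTP"]}]}}
NODE_GROUP = {"config": {"module_refs": "authapi_module,sealapp,signapp_1"}}
PIPE = {"id": "getOTP", "valves": [
    {"name": "LDAPSearchValve", "config": {"attributes": "sAMAccountName"}},
    {"name": "OTPGeneratorValve", "config": {"name": "generated_otp", "length": "6"}},
    {"name": "PropertySubstringValve", "config": {"source": "generated_otp",
        "dest": "otp", "end_index": "6", "begin_index": "0"}},
    {"name": "SessionCreateValve", "config": {}},
    {"name": "SessionPropertyAddValve", "config": {"name": "generated_otp",
        "value": "{{item.generated_otp}}"}},
    {"name": "SessionBindValve", "config": {"alias": "{{item.sAMAccountName}}"}},
    {"name": "SessionPersistValve", "config": {}},
    {"name": "PropertyKeepValve", "config": {"name": "otp"}}]}

# Relative order the valves must keep: look up the user, generate the OTP,
# create/bind/persist the session, then trim the response.
REQUIRED_ORDER = ["LDAPSearchValve", "OTPGeneratorValve", "SessionCreateValve",
                  "SessionBindValve", "SessionPersistValve", "PropertyKeepValve"]


def check_config(module, node_group, pipe):
    """Return a list of findings; an empty list means the wiring is consistent."""
    out = []
    if module.get("enabled") != "true":
        out.append("http-api module is not enabled")
    if module["id"] not in node_group["config"]["module_refs"].split(","):
        out.append(f"module_refs does not reference {module['id']}")
    allowed = {op for t in module["config"]["tenant"] for op in t["allowedOperation"]}
    if pipe["id"] not in allowed:
        out.append(f"pipe id {pipe['id']} is not an allowedOperation of the module")
    names = [v["name"] for v in pipe["valves"]]
    idx = [names.index(n) for n in REQUIRED_ORDER if n in names]
    out += [f"missing valve {n}" for n in REQUIRED_ORDER if n not in names]
    if idx != sorted(idx):
        out.append("required valves are out of order")
    # The last valve must keep only 'otp' so sAMAccountName and generated_otp
    # never leave the pipe in the HTTP response.
    last = pipe["valves"][-1]
    if last["name"] != "PropertyKeepValve" or last["config"].get("name") != "otp":
        out.append("last valve must be PropertyKeepValve keeping only 'otp'")
    cfg = {v["name"]: v["config"] for v in pipe["valves"]}
    gen, sub = cfg.get("OTPGeneratorValve"), cfg.get("PropertySubstringValve")
    if gen and sub and int(sub["end_index"]) - int(sub["begin_index"]) != int(gen["length"]):
        out.append("PropertySubstringValve range does not match the OTP length")
    return out


if __name__ == "__main__":
    print(check_config(MODULE, NODE_GROUP, PIPE))
```

Run it against the JSON you actually pasted into Configuration Manager (load it with json.load and pass the dicts in); any finding points at the step above that needs revisiting.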
Test
Use an HTTP REST client for testing and debugging. Follow the document Using PhenixID HTTP API to get OTP based on called-in phone number to structure the HTTP requests properly.