Disable OTP for UID, Password and OTP authenticator

This document describes how to exclude users from multi-factor authentication (NOT recommended).


In some scenarios customers wants to exclude some users from multi-factor authentication. These users will be able to login using only userid/password.

This setup is not recommended but might be required in some scenarios.

This will only affect the PostUidPasswordAndOTPSAML authenticator.


  • PhenixID Server installed


The configuration below is entered by editing the "Execution flow" for the scenario in Configuration manager.

Set the parameters "exec_if_expr" and "skip_if_expr" to relevant valves according to the example below. More examples of expressions can be found here.

A custom template for the OTP-validation will be used, please make sure it suites your needs.

This example will disable otp if the user is member of CN=kalle,OU=Training,DC=company,DC=local.


Adjust the configuration of the authenticator so the otp parameter points to a new template and the sessionValues nootp is added according to the following example:


		"id": "7d17af68-623f-439d-99fa-31768ec813b7",
		"alias": "unpwsms",
		"name": "PostUidPasswordAndOTPSAML",
		"displayName": "UNPWSMS",
		"configuration": {
			"userValidationPipeID": "911f32fc-5824-4ffb-af5d-0bfa21ecd606",
			"otpValidationPipeID": "4c48fc79-0e10-4cb6-ad13-75a6e2cab28d",
			"idpID": "3b119203-8dc0-4da8-ab41-8e4896f663df",
			"otp": "otp-nootp.template",
			"sessionValues": [
		"created": "2021-12-20T09:05:11.667Z"


Download the following authenticator template and place it in the path referenced by the authenticator.

This could be in mods\com.phenixidentity~auth-http~[VERSION]\templates or overlay\auth-http\files\templates.

Execution Flows

Find user, validate password and send otp

Add a PropertyJoinValve after the LDAPSearchValve according to this example:

Add the following expression as a "skip if expression" on the OTPGeneratorValve and the valve used to distribute OTP, such as OTPBySMSValve or OTPBySMTPValve:

flow.getPropertyValue('memberOf', '').contains('CN=kalle,OU=Training,DC=company,DC=local')


Please make sure to replace with the distinguished name of your NO-OTP-GROUP

Now add SessionLoadValve, SessionPropertyAddValve and SessionPersistValve with the following configuration to the flow:

Configure these valves with a Execute if expression, by using the SAME expression as previously used in the skip if expression:

Verify otp

Add a PropertyJoinValve after the LDAPSearchValve according to this example:

Configure OTPValidationValve with skip if expression by using the SAME expression as previously used:


Verify the configuration with and without group membership.