Disable OTP for UID, Password and OTP authenticator
This document describes how to exclude users from multi-factor authentication (NOT recommended).
Overview
In some scenarios customers want to exclude some users from multi-factor authentication. These users will be able to log in using only user ID and password.
This setup is not recommended, but it might be required in some scenarios.
This will only affect the PostUidPasswordAndOTPSAML authenticator.
Requirements
- PhenixID Server installed
Instruction
The configuration below is entered by editing the "Execution flow" for the scenario in Configuration manager.
Set the parameters "exec_if_expr" and "skip_if_expr" on the relevant valves according to the example below. More examples of expressions can be found here.
A custom template for the OTP validation will be used; please make sure it suits your needs.
This example will disable OTP if the user is a member of CN=kalle,OU=Training,DC=company,DC=local.
Authenticator
Adjust the configuration of the authenticator so that the otp parameter points to a new template and the sessionValues entry nootp is added, according to the following example:
Configuration
{
    "id": "7d17af68-623f-439d-99fa-31768ec813b7",
    "alias": "unpwsms",
    "name": "PostUidPasswordAndOTPSAML",
    "displayName": "UNPWSMS",
    "configuration": {
        "userValidationPipeID": "911f32fc-5824-4ffb-af5d-0bfa21ecd606",
        "otpValidationPipeID": "4c48fc79-0e10-4cb6-ad13-75a6e2cab28d",
        "idpID": "3b119203-8dc0-4da8-ab41-8e4896f663df",
        "otp": "otp-nootp.template",
        "sessionValues": [
            "nootp"
        ]
    },
    "created": "2021-12-20T09:05:11.667Z"
}
Template
Download the following authenticator template and place it in the path referenced by the authenticator.
This could be in mods\com.phenixidentity~auth-http~[VERSION]\templates or overlay\auth-http\files\templates.
Execution Flows
Find user, validate password and send otp
Add a PropertyJoinValve after the LDAPSearchValve according to this example:
Add the following expression as a "skip if expression" on the OTPGeneratorValve and on the valve used to distribute the OTP, such as OTPBySMSValve or OTPBySMTPValve:
flow.getPropertyValue('memberOf', '').contains('CN=kalle,OU=Training,DC=company,DC=local')
Example:
Please make sure to replace the example DN with the distinguished name of your NO-OTP group.
Now add SessionLoadValve, SessionPropertyAddValve and SessionPersistValve with the following configuration to the flow:
Configure these valves with an "Execute if expression", using the SAME expression as previously used in the "skip if expression":
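The following is an added model of the flow above, written for this page and not PhenixID code: it shows how one expression, used as skip-if on the OTP valves and as execute-if on the session valves, keeps the two halves consistent, and why the substring `.contains()` check over the joined memberOf string deserves a look. It assumes the flow properties are a plain dict and that the constructed sample users and the stricter exact-match helper are illustrative only.

```python
# Model (not PhenixID code) of the skip-if / execute-if gating described above.
# Assumption: flow properties are a dict; PropertyJoinValve is modelled by property_join().

NO_OTP_GROUP = "CN=kalle,OU=Training,DC=company,DC=local"  # DN from the page's example


def property_join(flow: dict, name: str, sep: str = ";") -> dict:
    """Model of PropertyJoinValve: collapse a multi-valued attribute into one string."""
    values = flow.get(name, [])
    joined = dict(flow)
    joined[name] = sep.join(values) if isinstance(values, list) else str(values)
    return joined


def no_otp_expr(flow: dict) -> bool:
    """The page's expression: flow.getPropertyValue('memberOf', '').contains(NO_OTP_GROUP)."""
    return NO_OTP_GROUP in flow.get("memberOf", "")


def run_flow(flow: dict) -> dict:
    """Walk the valves; the same expression drives skip_if_expr and exec_if_expr."""
    flow = property_join(flow, "memberOf")
    skip_otp = no_otp_expr(flow)
    executed, session = [], {}
    # OTPGeneratorValve and OTPBySMSValve carry skip_if_expr = no_otp_expr
    if not skip_otp:
        executed += ["OTPGeneratorValve", "OTPBySMSValve"]
    # Session*Valves carry exec_if_expr = no_otp_expr, so 'nootp' is only set when OTP was skipped
    if skip_otp:
        executed += ["SessionLoadValve", "SessionPropertyAddValve", "SessionPersistValve"]
        session["nootp"] = "true"  # assumed value; the authenticator reads sessionValues 'nootp'
    return {"otp_sent": not skip_otp, "session": session, "valves": executed}


def strict_member(flow: dict) -> bool:
    """Stricter check for comparison: exact match on a single memberOf value, not a substring."""
    values = flow.get("memberOf", [])
    return NO_OTP_GROUP in (values if isinstance(values, list) else [values])


# Constructed sample users (not from the page)
MEMBER = {"uid": "kalle", "memberOf": ["CN=Staff,DC=company,DC=local", NO_OTP_GROUP]}
NON_MEMBER = {"uid": "lisa", "memberOf": ["CN=Staff,DC=company,DC=local"]}
NO_GROUPS = {"uid": "sven"}  # no memberOf at all: expression falls back to ''
# Group from another domain whose DN merely contains the target DN as a prefix
LOOKALIKE = {"uid": "olle", "memberOf": ["CN=kalle,OU=Training,DC=company,DC=localhost"]}
```

Running run_flow over the four users shows that the substring check also skips OTP for LOOKALIKE, while strict_member does not; when the group DN could be a prefix of another DN in your directory, verify the expression against such entries in the Test step.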
Test
Verify the configuration with and without group membership.