Disable OTP for UID, Password and OTP authenticator

This document describes how to exclude users from multi-factor authentication (NOT recommended).

Overview

In some scenarios customers want to exclude some users from multi-factor authentication. These users will be able to log in using only user ID and password.

This setup is not recommended but might be required in some scenarios.

This will only affect the PostUidPasswordAndOTPSAML authenticator.

Requirements

  • PhenixID Server installed

Instruction

The configuration below is entered by editing the "Execution flow" for the scenario in Configuration manager.

Set the parameters "exec_if_expr" and "skip_if_expr" on the relevant valves according to the example below. More examples of expressions can be found here.

A custom template for the OTP validation will be used; please make sure it suits your needs.

This example will disable OTP if the user is a member of CN=kalle,OU=Training,DC=company,DC=local.

Authenticator

Adjust the configuration of the authenticator so that the otp parameter points to the new template and the session value nootp is added to sessionValues, according to the following example:

Configuration

	{
		"id": "7d17af68-623f-439d-99fa-31768ec813b7",
		"alias": "unpwsms",
		"name": "PostUidPasswordAndOTPSAML",
		"displayName": "UNPWSMS",
		"configuration": {
			"userValidationPipeID": "911f32fc-5824-4ffb-af5d-0bfa21ecd606",
			"otpValidationPipeID": "4c48fc79-0e10-4cb6-ad13-75a6e2cab28d",
			"idpID": "3b119203-8dc0-4da8-ab41-8e4896f663df",
			"otp": "otp-nootp.template",
			"sessionValues": [
				"nootp"
			]
		},
		"created": "2021-12-20T09:05:11.667Z"
	}

Template

Download the following authenticator template and place it in the path referenced by the authenticator.

This could be in mods\com.phenixidentity~auth-http~[VERSION]\templates or overlay\auth-http\files\templates.

Execution Flows

Find user, validate password and send otp

Add a PropertyJoinValve after the LDAPSearchValve according to this example:

Add the following expression as a "skip if expression" on the OTPGeneratorValve and the valve used to distribute OTP, such as OTPBySMSValve or OTPBySMTPValve:

flow.getPropertyValue('memberOf', '').contains('CN=kalle,OU=Training,DC=company,DC=local')

Example:

Please make sure to replace the distinguished name in the expression with the distinguished name of your NO-OTP group.

Now add SessionLoadValve, SessionPropertyAddValve and SessionPersistValve with the following configuration to the flow:

Configure these valves with an Execute if expression, using the SAME expression as previously used in the skip if expression:

Verify otp

Add a PropertyJoinValve after the LDAPSearchValve according to this example:

Configure OTPValidationValve with a skip if expression, using the SAME expression as previously used:

Test

Verify the configuration with and without group membership.
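The following is an added simulation, not PhenixID code, of how the skip if / execute if expressions above decide which valves run in the two flows. The predicate mirrors the page's memberOf expression; the valve lists follow the two flows described; it assumes PropertyJoinValve has turned the multi-valued memberOf attribute into one string (the ';' separator is a constructed assumption), and the sample users are constructed.

```python
# Added simulation, not PhenixID code: models skip_if_expr / exec_if_expr
# decisions for the two execution flows described on this page.
NO_OTP_GROUP = "CN=kalle,OU=Training,DC=company,DC=local"  # your NO-OTP group DN

def in_no_otp_group(flow):
    """Mirror of flow.getPropertyValue('memberOf', '').contains(NO_OTP_GROUP).
    Like contains(), this is a case-sensitive substring test, not a DN compare."""
    return NO_OTP_GROUP in flow.get("memberOf", "")

# (valve name, exec_if predicate, skip_if predicate); None means "not set".
SEND_OTP_FLOW = [
    ("LDAPSearchValve", None, None),
    ("PropertyJoinValve", None, None),
    ("OTPGeneratorValve", None, in_no_otp_group),       # skip if in group
    ("OTPBySMSValve", None, in_no_otp_group),           # skip if in group
    ("SessionLoadValve", in_no_otp_group, None),        # exec only if in group
    ("SessionPropertyAddValve", in_no_otp_group, None),
    ("SessionPersistValve", in_no_otp_group, None),
]
VERIFY_OTP_FLOW = [
    ("LDAPSearchValve", None, None),
    ("PropertyJoinValve", None, None),
    ("OTPValidationValve", None, in_no_otp_group),      # skip if in group
]

def run_flow(valves, flow):
    """Return the names of the valves that execute for the given flow state."""
    executed = []
    for name, exec_if, skip_if in valves:
        if exec_if is not None and not exec_if(flow):
            continue
        if skip_if is not None and skip_if(flow):
            continue
        executed.append(name)
    return executed

def otp_required(flow):
    """True when the OTP valves run in both flows, i.e. MFA still applies."""
    return ("OTPGeneratorValve" in run_flow(SEND_OTP_FLOW, flow)
            and "OTPValidationValve" in run_flow(VERIFY_OTP_FLOW, flow))

# Constructed sample users. memberOf is assumed to be the single ';'-joined
# string produced by PropertyJoinValve from the multi-valued LDAP attribute.
MEMBER = {"uid": "kalle", "memberOf": "CN=kalle,OU=Training,DC=company,DC=local;CN=staff,OU=Groups,DC=company,DC=local"}
NON_MEMBER = {"uid": "anna", "memberOf": "CN=staff,OU=Groups,DC=company,DC=local"}
NO_GROUPS = {"uid": "bob"}  # attribute absent: default '' means OTP is required
# A DN that merely extends the configured one still satisfies a substring test.
LOOKALIKE = {"uid": "eve", "memberOf": "CN=kalle,OU=Training,DC=company,DC=localhost"}
if __name__ == "__main__":
    for user in (MEMBER, NON_MEMBER, NO_GROUPS, LOOKALIKE):
        print(user["uid"], "OTP required:", otp_required(user))
```

The last case is why the configured group DN must be specific enough that no other DN in your directory contains it as a substring. The directory compares DNs case-insensitively but contains() does not, so an unexpected case variant fails closed (OTP is still required).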