Situation
New enrollment site, aginst second LDAP source is needed.
PhenixID Server, second tenant
First configure OTPEnrollment with the Scenario “PhenixID Self Service”:
http://document.phenixid.net/m/56557/l/526334-phenixid-self-service
When this is done, make sure that it’s working by logging in to the portal.
This is by default done with the URL:
https://<ipordnsname>:8443/otpenrollment
We will now edit the configuration in phenix-store.json.
So make sure to have a recent copy of this file.
We will also edit the file directly instead of using the configuration portal.
This is not normally recommended but for the changes that we will make, this is a better way to do it.
So either shutdown the service while doing the changes, or make a copy of the file phenix-store.json, make the changes and then copy it back to the installation.
It’s very important to remove any guide_ref, guide_id and deployment_id in the configuration that we copy.
So any lines like this:
“guide_ref” : “d333de3b-4020-47fb-8a72-0683499fcb06”,
“guide_id” : “guides.authentication.radius.uidpwdtoken”
or:
“_id” : “89eb2632-545b-43d1-a30b-a4ef048eee79”,
“_deployed” : “true”,
“_deployment_id” : “deployment-0864a390-5f20-411d-a598-3e771f065c6d”
should be removed from the copied configuration.
For the first tenant we can continue to use the default URL, but if you want to change it follow the steps below.
In phenix-store.json find the section “AUTHENTICATORS”, on defaultPrismAuthenticator change:
“alias” : “otpenrollment”,
to
“alias” : “mynewuri”,
“successURL” : “/otpenrollment/”,
to
“successURL” : “/mynewuri/”,
After that go to the section NODES, on the prism module for otpenrollment change:
“base_url” : “/otpenrollment”,
to
“base_url” : “/mynewuri”,
“auth_redirect_url” : “/otpenrollment/authenticate/otpenrollment”,
to
“auth_redirect_url” : “/mynewuri/authenticate/mynewuri”,
“base_uri” : “otpenrollment”,
to
“base_uri” : “mynewuri”,
In the example below mynewuri=uri1.
We will now add the configuration for the second tenant, using a different uri and user store.
In the file phenix-store.json find the section “CONNECTIONS”.
Copy the configuration for the first source and paste it just below the first one.
Change the id, name, port (if different), bind_dn, password and ssl settings (if different).
So they reflect the LDAP settings for the second LDAP connection.
After the change it should look similar to this:
"CONNECTIONS" : [ {
"id" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"type" : "ldap",
"name" : "LDAP1",
"description" : "User store connection for OTP Self Enrollment Portal",
"config" : {
"host" : "127.0.0.1",
"port" : "636",
"bind_dn" : "cn=Administrator,cn=users,dc=org,dc=local",
"password" : "{enc}hqt/ZN7wi4Mpuz/l6dA1Jz4FK2E+RTIbvADkYKRJbNA=",
"use_ssl" : "true",
"ssl_trust_all" : "true",
"follow_referrals" : "false",
"auto_reconnect" : "true",
"use_keep_alive" : "true",
"response_timeout_ms" : "30000",
"pool_initial_size" : "1",
"pool_max_size" : "2"
}
}, {
"id" : "OpenDJ",
"type" : "ldap",
"name" : "LDAP2",
"description" : "User store connection for OTP Self Enrollment Portal",
"config" : {
"host" : "172.16.220.136",
"port" : "1636",
"bind_dn" : "cn=directory manager",
"password" : "{enc}YNMMn0EYyXq+DI3YAh0rOVeZaA3vMTip9DHu1+Qg25Q=",
"use_ssl" : "true",
"ssl_trust_all" : "true",
"follow_referrals" : "false",
"auto_reconnect" : "true",
"use_keep_alive" : "true",
"response_timeout_ms" : "30000",
"pool_initial_size" : "1",
"pool_max_size" : "2"
}
} ],
We now add the otpenrollment pipes for the second tenant.
In the file phenix-store.json find the section “PIPES” and locate the section starting with enrollmentuserLookUpPipe.
This should be the pipes created with the Scenario we did earlier for Self Service.
We need to copy the following three pipes:
enrollmentuserLookUpPipe
enrollmentuserUpdatePipe
defaultPrismAuthenticatePipe
Copy all of them and paste them into the configuration (see example in the end of the file).
Now change the ID, connection_ref, base_dn and filter_template/attributes if a different type of user store is used for the second connection.
For instance, OpenDJ:
“filter_template”: “(&(objectclass=person)(uid={{request.uid}}))”,
“attributes”: “mobile,mail,cn,uid”
Active Directory:
“filter_template”: “(&(objectclass=person)(sAMAccountName={{request.uid}}))”,
“attributes”: “mobile,mail,cn,sAMAccountName”
We will now add authentication for our second tenant.
In the file phenix-store.json find the section “AUTHENTICATORS”.
Copy the whole section for defaultPrismAuthenticator and add it below the first one.
Change the id, alias and SuccessURL.
Should now look similar to this:
{
"id" : "defaultPrismAuthenticator",
"alias" : "uri1",
"name" : "PostUidAndPassword",
"displayName" : "PhenixID OTP enrollment login",
"description" : "Authenticates users for accessing /otpenrollment/",
"configuration" : {
"pipeID" : "defaultPrismAuthenticatePipe",
"successURL" : "/uri1/",
"allowLanguageChange" : "true",
"translationKey" : "login.messages.information.body.enduser",
"headingtranslationKey" : "login.messages.information.header.enduser"
},
"guide_ref" : "d0b9c452-1b92-487d-8516-e32d7aac4aa1",
"guide_id" : "guides.otpenrollment",
"created" : "2016-11-17T09:56:50.063Z"
}, {
"id" : "defaultPrismAuthenticator2",
"alias" : "uri2",
"name" : "PostUidAndPassword",
"displayName" : "PhenixID OTP enrollment login",
"description" : "Authenticates users for accessing /otpenrollment/",
"configuration" : {
"pipeID" : "defaultPrismAuthenticatePipe2",
"successURL" : "/uri2/",
"allowLanguageChange" : "true",
"translationKey" : "login.messages.information.body.enduser",
"headingtranslationKey" : "login.messages.information.header.enduser"
}
}
Last step is to add another instance of the prism module for otpenrollment.
So copy the intire module com.phenixidentity~phenix-prism~1.5.1 associated with otpenrollment configured earlier (“PhenixID Self Service”) and paste it below the first one.
Change the values for base_url, auth_redirect_url, base_uri, userLookUpPipe, userUpdatePipe and userNameAttribute if different from first user store.
Also change any values for the methods if needed.
Configuration for second instance of otpenrollment should now look similar to this:
{
"module" : "com.phenixidentity~phenix-prism~1.5.1",
"enabled" : "true",
"config" : {
"base_url" : "/uri2",
"auth_redirect_url" : "/uri2/authenticate/uri2",
"display_name" : "Self Service of OTP",
"node_id" : "PhenixIDDC01",
"prism_modules" : [ {
"name" : "com.phenixidentity~phenix-prism-otpenrollment~1.5.1",
"enabled" : "true",
"config" : {
"display_name" : "PhenixID Self Service",
"base_uri" : "uri2",
"enrollmentsuffix" : "",
"userLookUpPipe" : "enrollmentuserLookUpPipe2",
"userUpdatePipe" : "enrollmentuserUpdatePipe2",
"userNameAttribute" : "uid",
"displayNameAttribute" : "cn",
"methods" : {
"email" : {
"enabled" : "true",
"attribute" : "mail",
"read_only" : "true"
},
"sms" : {
"enabled" : "false",
"attribute" : "mobile",
"read_only" : "false"
},
"google-authenticator" : {
"enabled" : "true",
"online" : "false"
},
"hw-token" : {
"enabled" : "false"
},
"onetouch" : {
"enabled" : "false"
}
},
"url_prefix" : "",
"use_push" : "false"
}
} ]
}
When all configuration is done, restart the service.
You should now be able to reach and login to:
https://ipaddress:8443/uir1 with an account located in LDAP with connection id, 0c539541-660d-4b76-9bd1-42ab6fe2c85e
https://ipaddress:8443/uir2 and log in with an account located in LDAP with connection id OpenDJ.
How to customize the respective enrollment pages
To customize the two new enrollment pages respectively, follow the instructions below.
Make a copy of the file:
PhenixID/Server/mods/com.phenixidentity~auth-http~<version>/templates/login.template
into the same directory and rename it to something that represents the site that should be customized.
In the example below the copy is named uri1.template.
Now follow the instructions in this document:
http://document.phenixid.net/m/56557/l/625197-how-to-customize-self-service
When customization is done we need the parameter:
“loginTemplate” : “uri1.template”
to make sure that the new settings are used.
This parameter is set on the respective Authenticator, like this:
{
"id" : "defaultPrismAuthenticator",
"alias" : "uri1",
"name" : "PostUidAndPassword",
"displayName" : "PhenixID OTP enrollment login",
"description" : "Authenticates users for accessing /otpenrollment/",
"configuration" : {
"pipeID" : "defaultPrismAuthenticatePipe",
"loginTemplate" : "uri1.template",
"successURL" : "/uri1/",
"allowLanguageChange" : "true",
"translationKey" : "login.messages.information.body.enduser",
"headingtranslationKey" : "login.messages.information.header.enduser"
}
This scenario needs to be done on the respective enrollment pages.
When done, please restart the service.
Example configuration, PIPES
{
"id" : "enrollmentuserLookUpPipe",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"base_dn" : "DC=Org,DC=local",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(sAMAccountName={{request.uid}}))",
"attributes" : "mobile,mail,cn,sAMAccountName"
}
}, {
"name" : "ItemRenameValve",
"config" : {
"dest_id" : "{{request.uid}}"
}
}, {
"name" : "PropertyAddValve",
"config" : {
"name" : "user_display_name",
"value" : "{{item.cn}}"
}
} ],
"guide_ref" : "d0b9c452-1b92-487d-8516-e32d7aac4aa1",
"guide_id" : "guides.otpenrollment",
"created" : "2016-11-17T09:56:49.673Z"
}, {
"id" : "enrollmentuserUpdatePipe",
"description" : "Handles OTP enrollment updates",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"base_dn" : "DC=Org,DC=local",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(sAMAccountName={{request.uid}}))",
"attributes" : "mobile,mail,cn,sAMAccountName"
}
}, {
"name" : "PropertySetValve",
"config" : {
"exec_if_expr" : "request.containsKey('mail')",
"name" : "mail",
"value" : "{{request.mail}}"
}
}, {
"name" : "PropertySetValve",
"config" : {
"exec_if_expr" : "request.containsKey('mobile')",
"name" : "mobile",
"value" : "{{request.mobile}}"
}
}, {
"name" : "LDAPModifyValve",
"config" : {
"connection_ref" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"base_dn" : "DC=Org,DC=local",
"modification_type" : "REPLACE",
"delete_empty_values" : "true",
"attributes" : "mobile,mail"
}
}, {
"name" : "ItemRenameValve",
"config" : {
"dest_id" : "{{request.uid}}"
}
} ],
"guide_ref" : "d0b9c452-1b92-487d-8516-e32d7aac4aa1",
"guide_id" : "guides.otpenrollment",
"created" : "2016-11-17T09:56:49.829Z"
}, {
"id" : "defaultPrismAuthenticatePipe",
"description" : "Finds and authenticates users for OTP enrollment",
"valves" : [ {
"name" : "SessionLoadValve",
"config" : {
"id" : "{{request.session_id}}"
}
}, {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"base_dn" : "DC=Org,DC=local",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(sAMAccountName={{request.username}}))",
"attributes" : "cn"
}
}, {
"name" : "LDAPBindValve",
"config" : {
"connection_ref" : "0c539541-660d-4b76-9bd1-42ab6fe2c85e",
"password_param_name" : "password"
}
}, {
"name" : "SessionPropertyReplaceValve",
"config" : {
"name" : "display_name",
"value" : "{{item.cn}}"
}
}, {
"name" : "SessionPersistValve",
"config" : { }
} ],
"guide_ref" : "d0b9c452-1b92-487d-8516-e32d7aac4aa1",
"guide_id" : "guides.otpenrollment",
"created" : "2016-11-17T09:56:49.845Z"
}, {
"id" : "enrollmentuserLookUpPipe2",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "OpenDJ",
"base_dn" : "O=PhenixID",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(uid={{request.uid}}))",
"attributes" : "mobile,mail,cn,uid"
}
}, {
"name" : "ItemRenameValve",
"config" : {
"dest_id" : "{{request.uid}}"
}
}, {
"name" : "PropertyAddValve",
"config" : {
"name" : "user_display_name",
"value" : "{{item.cn}}"
}
} ]
}, {
"id" : "enrollmentuserUpdatePipe2",
"description" : "Handles OTP enrollment updates",
"valves" : [ {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "OpenDJ",
"base_dn" : "O=PhenixID",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(uid={{request.uid}}))",
"attributes" : "mobile,mail,cn,uid"
}
}, {
"name" : "PropertySetValve",
"config" : {
"exec_if_expr" : "request.containsKey('mail')",
"name" : "mail",
"value" : "{{request.mail}}"
}
}, {
"name" : "PropertySetValve",
"config" : {
"exec_if_expr" : "request.containsKey('mobile')",
"name" : "mobile",
"value" : "{{request.mobile}}"
}
}, {
"name" : "LDAPModifyValve",
"config" : {
"connection_ref" : "OpenDJ",
"base_dn" : "O=PhenixID",
"modification_type" : "REPLACE",
"delete_empty_values" : "true",
"attributes" : "mobile,mail"
}
}, {
"name" : "ItemRenameValve",
"config" : {
"dest_id" : "{{request.uid}}"
}
} ]
}, {
"id" : "defaultPrismAuthenticatePipe2",
"description" : "Finds and authenticates users for OTP enrollment",
"valves" : [ {
"name" : "SessionLoadValve",
"config" : {
"id" : "{{request.session_id}}"
}
}, {
"name" : "LDAPSearchValve",
"config" : {
"connection_ref" : "OpenDJ",
"base_dn" : "O=PhenixID",
"scope" : "SUB",
"size_limit" : "0",
"filter_template" : "(&(objectclass=person)(uid={{request.username}}))",
"attributes" : "cn"
}
}, {
"name" : "LDAPBindValve",
"config" : {
"connection_ref" : "OpenDJ",
"password_param_name" : "password"
}
}, {
"name" : "SessionPropertyReplaceValve",
"config" : {
"name" : "display_name",
"value" : "{{item.cn}}"
}
}, {
"name" : "SessionPersistValve",
"config" : { }
} ]
}
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se