OneTouch v2
OneTouch v2 comes with a number of improvements to user experience, accessibility and security.
To enable it in PAS, simply follow the guides below.
Configuration
Configuring PAS to use OneTouch v2 is simple and described in detail below. Note that once you enable OneTouch v2, enrollment via OneTouch v1 is no longer possible. By default, authentication with previously enrolled OneTouch v1 profiles is not possible either. You may however enable a compatibility mode that lets both OneTouch v1 and v2 profiles authenticate, to give users time to move over to v2. This is not recommended as a long-term setting: v2 carries security updates, so it is better to allow only OneTouch v2 to authenticate. Once your users have enrolled in OneTouch v2, disable the compatibility mode. It is controlled in the PKI module via the config parameter allowOTCompatibilityMode, see the example from the configuration guide below.
From a completely fresh installation (no prior config file)
If installing PAS completely fresh without any existing configuration, simply go through the steps of the guide scenario "OneTouch" in the configuration GUI, under the "System" tab, and select "v2" in the "OneTouch version" selector.
From an existing config file
Since OneTouch v2 uses Elliptic Curve (EC) keys, we need to adjust our CA_CONFIGURATIONS to enable the use of such keys in the certificate provisioning. In your phenix-store.json, go to CA_CONFIGURATIONS and add the following entry to the list ca_profiles:
{
    "id":"f05130a6-0962-426f-bf4f-d7b50edeaf11",
    "name":"PhenixID One Touch 2.0",
    "alias":"onetouch-v2",
    "description":"Profile for PhenixID One Touch 2.0 client certificates",
    "pipe_ref":"<replace-with-pipe_ref-from-default-profile>",
    "issue_pipe_ref":"<replace-with-issue_pipe_ref-from-default-profile>",
    "revoke_pipe_ref":"<replace-with-revoke_pipe_ref-from-default-profile>",
    "rules":{
        "subject":{
            "regex":"^CN=.*",
            "required":"true"
        },
        "key":{
            "size":"256",
            "algorithm":"EC",
            "values":{
                "size":"256",
                "algorithm":"EC"
            }
        },
        "key_usage":{
        },
        "not_before":{
            "value":"now"
        },
        "not_after":{
            "value":"duration:P365D"
        },
        "extensions":{
        }
    }
}
The values for pipe_ref, issue_pipe_ref and revoke_pipe_ref should be replaced with their respective values from the other profile, the one with the default alias. Once you have done this step, you may run the OneTouch config guide as described above in the "fresh installation" step. If you ran the OneTouch guide before adding this CA profile, you will need to add the configuration parameter ca_profile to the PKI module configuration, with the id of the OneTouch v2 CA profile as its value. The example below has allowOTCompatibilityMode set to "true" for the migration period; set it to "false" once all users are enrolled in v2. It also uses plain http URLs on a private lab address; in production, url_prefix and actions_url should point at an https endpoint. Example:
{
    "name" : "com.phenixidentity~phenix-pki",
    "enabled" : "true",
    "config" : {
        "version" : "v2",
        "allowOTCompatibilityMode" : "true",
        "issuer" : "PhenixID",
        "ca_ref" : "2ea75745-de9d-44f1-824e-2d7bf55028bb",
        "ca_profile" : "f05130a6-0962-426f-bf4f-d7b50edeaf11",
        "url_prefix" : "http://192.168.178.61:8080",
        "actions_url" : "http://192.168.178.61:8080",
        "http_configuration_ref" : "97603ca3-2eca-4771-ad6b-f244bf96ce35",
        "guide_ref" : "799e57a4-63f3-4d0f-a6f2-6bc4451ed795",
        "guide_id" : "guides.onetouch"
    },
    "created" : "2024-10-01T13:48:40.537Z",
    "id" : "cc78f900-fc81-400b-b107-3a4a9bbc2507",
    "modified" : "2024-10-01T13:48:55.664Z"
}
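The two edits above (adding the CA profile to phenix-store.json and pointing the PKI module at it) are easy to get wrong by hand: the three pipe references must be copied exactly from the default profile, and the compatibility flag is easy to leave on. The following Python script is an added example, not PhenixID code. It applies both changes to a store and then reports what a reviewer would still flag (compatibility mode left on, the v2 profile not referenced, plain http URLs). It assumes the store is a JSON object with a top-level CA_CONFIGURATIONS list whose entries carry an id and a ca_profiles list, and a top-level MODULES list of module objects like the phenix-pki one above; the MODULES key, that layout, and every id in the sample store other than the page's ca_ref are assumptions.

```python
"""Migrate an existing phenix-store.json to OneTouch v2 (added example, not
PhenixID code). Assumes the store is a JSON object with a top-level
"CA_CONFIGURATIONS" list whose entries carry "id" and a "ca_profiles" list,
and a top-level "MODULES" list of module objects such as the phenix-pki one
shown on this page; both of those layouts are assumptions, check your store."""
import json

ONETOUCH_V2_PROFILE_ID = "f05130a6-0962-426f-bf4f-d7b50edeaf11"
PKI_MODULE_NAME = "com.phenixidentity~phenix-pki"


def build_onetouch_v2_profile(default_profile):
    """The CA profile from this page, with the three pipe references copied
    from the profile whose alias is "default" instead of pasted by hand."""
    return {
        "id": ONETOUCH_V2_PROFILE_ID,
        "name": "PhenixID One Touch 2.0",
        "alias": "onetouch-v2",
        "description": "Profile for PhenixID One Touch 2.0 client certificates",
        "pipe_ref": default_profile["pipe_ref"],
        "issue_pipe_ref": default_profile["issue_pipe_ref"],
        "revoke_pipe_ref": default_profile["revoke_pipe_ref"],
        "rules": {
            "subject": {"regex": "^CN=.*", "required": "true"},
            "key": {"size": "256", "algorithm": "EC",
                    "values": {"size": "256", "algorithm": "EC"}},
            "key_usage": {},
            "not_before": {"value": "now"}, "not_after": {"value": "duration:P365D"},
            "extensions": {},
        },
    }


def pki_module(store):
    return next(m for m in store["MODULES"] if m["name"] == PKI_MODULE_NAME)


def add_profile(store, ca_ref):
    """Add the v2 profile to the CA configuration that ca_ref points at.
    Returns False and changes nothing if the profile is already present."""
    ca = next(c for c in store["CA_CONFIGURATIONS"] if c["id"] == ca_ref)
    profiles = ca.setdefault("ca_profiles", [])
    if any(p.get("id") == ONETOUCH_V2_PROFILE_ID for p in profiles):
        return False
    default = next(p for p in profiles if p.get("alias") == "default")
    profiles.append(build_onetouch_v2_profile(default))
    return True


def configure_pki_module(store, compatibility_mode=False):
    """Point the PKI module at the v2 profile. Compatibility mode (v1 and v2
    both allowed to authenticate) stays off unless explicitly requested."""
    cfg = pki_module(store)["config"]
    cfg["version"] = "v2"
    cfg["ca_profile"] = ONETOUCH_V2_PROFILE_ID
    cfg["allowOTCompatibilityMode"] = "true" if compatibility_mode else "false"
    return cfg


def audit(store):
    """Findings a reviewer would raise before calling the rollout finished."""
    cfg = pki_module(store)["config"]
    findings = []
    if cfg.get("allowOTCompatibilityMode") == "true":
        findings.append("compatibility mode still lets OneTouch v1 authenticate")
    if cfg.get("ca_profile") != ONETOUCH_V2_PROFILE_ID:
        findings.append("PKI module does not reference the OneTouch v2 CA profile")
    for key in ("url_prefix", "actions_url"):
        if cfg.get(key, "").startswith("http://"):
            findings.append(f"{key} uses plain http, so enrollment traffic is unprotected")
    return findings


def migrate(path, compatibility_mode=False):
    # Apply both changes to a store file on disk and return the audit findings.
    with open(path, encoding="utf-8") as fh:
        store = json.load(fh)
    add_profile(store, pki_module(store)["config"]["ca_ref"])
    configure_pki_module(store, compatibility_mode)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(store, fh, indent=2)
    return audit(store)


def sample_store():
    """Constructed stand-in for a store; every id except the page's ca_ref is made up."""
    return {
        "CA_CONFIGURATIONS": [{
            "id": "2ea75745-de9d-44f1-824e-2d7bf55028bb",
            "ca_profiles": [{
                "id": "0d9c0c6e-0000-4000-8000-000000000001", "alias": "default",
                "pipe_ref": "pipe-ref-default",
                "issue_pipe_ref": "issue-pipe-ref-default",
                "revoke_pipe_ref": "revoke-pipe-ref-default",
            }],
        }],
        "MODULES": [{
            "name": PKI_MODULE_NAME, "enabled": "true",
            "config": {
                "allowOTCompatibilityMode": "true", "issuer": "PhenixID",
                "ca_ref": "2ea75745-de9d-44f1-824e-2d7bf55028bb",
                "url_prefix": "http://192.168.178.61:8080",
                "actions_url": "http://192.168.178.61:8080",
            },
        }],
    }
```

Run migrate("phenix-store.json") against a backup of the store first and act on the returned findings. Passing compatibility_mode=True keeps v1 profiles authenticating during the migration window; run it again with compatibility_mode=False once everyone is on v2 so the flag does not linger.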
Adding a first and last name to the profile
When enrolling in OneTouch v2 you may set a first and last name that will be shown alongside the unique username in the OneTouch app. This is enabled by default, but you can control it manually via the add_user_display_name attribute; set it to false to disable it. There are several ways to enroll in OneTouch, but the configuration is the same whether enrollment is done via the OneTouch enrollment portal, SelfService or MFA Admin. In each of those module configurations, control it via "add_user_display_name" : "true/false". If true (the default), the first and last name are taken from the attributes givenName and sn, if those are available. You may change which attributes are used via the config parameters user_first_name_attribute and user_last_name_attribute respectively. Example of a OneTouch enrollment portal configuration with the setting enabled:
{
    "name" : "com.phenixidentity~phenix-prism-enroll-pki",
    "enabled" : "false",
    "prism_enabled" : "true",
    "config" : {
        "display_name" : "guides.enrollpki.title",
        "base_uri" : "pki",
        "http_configuration_ref" : "33da9e98-78cd-4132-81e3-0359decdd35b",
        "requires_role" : "auth:d513ddd7-0aa3-4ba9-b0d7-474f9a1051d5",
        "use_push" : "true",
        "token_max_count" : "",
        "enroll_oath" : "false",
        "module_base_url" : "/tokens/pki",
        "enroll_timeout_mins" : "5",
        "enroll_pollinterval_ms" : "2000",
        "add_user_display_name": "true",
        "user_first_name_attribute": "customFirstNameAttribute",
        "user_last_name_attribute" : "customLastNameAttribute"
    },
    "guide_ref" : "4b88d632-becf-401e-b1b3-f83f4c70a816",
    "guide_id" : "guides.enrollpki",
    "created" : "2024-09-26T14:36:53.729Z",
    "id" : "49a5ad77-1e5b-4b43-bad9-70747183d7dd"
}