TokenValidationValve
Note
Valve for validating a HOTP/TOTP token OTP against the token(s) assigned to the user.
Properties
| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| userid_param_name | Property containing the username. | User-Name | No | Yes |
| provided_otp_param_name | Property containing the provided OTP value. | | Yes | Yes |
| otp_length | The length of the token one-time password. | 6 | No | No |
| hotp_lookahead | Look ahead value for HOTP tokens. | 20 | No | No |
| totp_max_drift | Max drift value for TOTP tokens. | 10 | No | No |
| try_legacy_token | If this valve should continue to the next valve (LegacyTokenValidationValve) when the OTP fails. | false | No | No |
| try_auto_enroll | If this valve should continue to the next valve (TokenAutoEnrollment) for an auto enrollment. | false | No | No |
| check_yubikey | If the valve should also try YubiKey token validation. | false | No | No |
| debug_token_data | Special debug of token data. Only use in a test environment. | false | No | No |
Example Configuration
```json
{
  "name": "TokenValidationValve",
  "config": {
    "otp_length": "8",
    "hotp_lookahead": "50",
    "totp_max_drift": "10",
    "provided_otp_param_name": "{{request.User-Password}}",
    "userid_param_name": "{{request.User-Name}}",
    "try_legacy_token": "false",
    "try_auto_enroll": "false",
    "check_yubikey": "false"
  }
}
```
The value for parameter provided_otp_param_name is the provided otp sent in the request.
The value for userid_param_name is the userid sent in the request.
Most common values for userid_param_name are User-Name for RADIUS and username for HTTP.
If try_auto_enroll is set to true, users can activate hardware tokens by themselves during login.
After the initial login using uid/password, enter the serial number of the token, directly followed by an OTP from the token, in the provided OTP box.
Once this succeeds the token has been assigned to the user, and at the next login the OTP is provided without the serial number of the token.
Requirements
Item set must have at least one entry.