OTP To Manager Via SMTP
This guide provides instructions for configuring PhenixID Authentication Services (PAS) to send a One-Time Password (OTP) to the manager of the user logging in. The OTP is delivered via SMTP.
In this setup, when a user attempts to log in, PAS retrieves the manager’s email from AD/LDAP and sends the OTP directly to the manager's email address. This approach is useful in environments where an additional layer of approval or oversight is needed for login processes.
This configuration ensures that the OTP is securely sent to the manager's email, enhancing security by introducing a second-party verification step for the login process.
Configuration
The OTP will be sent using SMTP, so first configure SMTP delivery according to the instructions found here.
On the authentication scenario, go to the tab "Execution flow".
The pipe "Find user, validate password and send otp" should have OTPBySMTPValve configured:
On the LDAPSearchValve of the flow, set the attributes to "sAMAccountName,manager":
Now add an LDAPLoadValve. This valve should be placed after the LDAPBindValve:
Set the value for "DN" to {{item.manager}} and set "Attributes" to mail.
The pipe should now look similar to this example:
Since the OTP will now be sent to the manager of the account, the default "Valid time" might be a bit short. It can be increased on the OTPGeneratorValve:
This flow now picks up the value of the manager attribute from the account that is logging in and sends the OTP, using SMTP, to the manager's mail address.
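To check the user to manager to mail chain for a set of accounts before enabling the flow, here is an added Python example (not part of PhenixID's documentation or product) that models the two lookups above against a constructed in-memory directory; DIRECTORY, the account names and the helper names are assumptions, and the two lookups are the points to replace with real LDAP calls.

```python
# Added example (not PhenixID's code): models the two LDAP hops of the flow,
# LDAPSearchValve (sAMAccountName -> manager DN) then LDAPLoadValve
# (DN = {{item.manager}} -> mail), so the chain can be checked for a set of
# accounts before the flow goes live. DIRECTORY is constructed sample data.
BASE = "OU=Staff,DC=example,DC=com"
DIRECTORY = {
    f"CN=Alice,{BASE}": {"sAMAccountName": "alice", "manager": f"CN=Bob,{BASE}"},
    f"CN=Bob,{BASE}": {"sAMAccountName": "bob", "mail": "bob@example.com"},
    f"CN=Carol,{BASE}": {"sAMAccountName": "carol"},  # no manager attribute
    f"CN=Dave,{BASE}": {"sAMAccountName": "dave", "manager": f"CN=Erin,{BASE}"},
    f"CN=Erin,{BASE}": {"sAMAccountName": "erin"},  # manager with no mail
    f"CN=Frank,{BASE}": {"sAMAccountName": "frank", "manager": f"CN=Ghost,{BASE}"},  # dangling DN
}

class ManagerLookupError(Exception):
    """The user -> manager -> mail chain did not resolve."""

def search_by_sam(directory, sam):
    """LDAPSearchValve step: entry whose sAMAccountName matches (case-insensitive)."""
    for dn, attrs in directory.items():
        if attrs.get("sAMAccountName", "").lower() == sam.lower():
            return dn, attrs
    raise ManagerLookupError(f"no account with sAMAccountName={sam}")

def resolve_manager_mail(directory, sam):
    """Return the address OTPBySMTPValve would send to for account `sam`."""
    # Fails closed: a missing manager attribute, a dangling manager DN or a manager
    # without mail raise instead of falling back to the user's own address.
    _, user = search_by_sam(directory, sam)
    manager_dn = user.get("manager")  # the value the flow exposes as {{item.manager}}
    if not manager_dn:
        raise ManagerLookupError(f"{sam}: manager attribute not set")
    manager = directory.get(manager_dn)  # LDAPLoadValve step: load the entry by DN
    if manager is None:
        raise ManagerLookupError(f"{sam}: manager DN {manager_dn} not found")
    mail = manager.get("mail")
    if not mail:
        raise ManagerLookupError(f"{sam}: manager {manager_dn} has no mail")
    return mail

def preflight(directory, accounts):
    """Map each account to its OTP recipient, or to the reason it would fail."""
    report = {}
    for sam in accounts:
        try:
            report[sam] = resolve_manager_mail(directory, sam)
        except ManagerLookupError as exc:
            report[sam] = f"FAIL: {exc}"
    return report
```

Accounts that come back as FAIL would not receive a manager OTP in this flow, so they are the ones to fix in the directory (or exclude from the scenario) before rollout.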
Verification for OTP Delivery to Manager via SMTP
Test User Login:
- Attempt to log in with a user account that has the manager attribute set in Active Directory.
- Ensure that the login flow triggers the OTP generation and that the OTP is not sent to the user directly but is instead routed according to the configured flow.
Verify Manager’s Email Retrieval:
- Check the logs to confirm that the LDAPSearchValve successfully retrieves the manager attribute from the user’s LDAP profile.
- Ensure that the LDAPLoadValve fetches the manager’s email address based on the manager's Distinguished Name (DN) and that this email is recorded correctly for OTP delivery.
Confirm OTP Delivery to Manager via SMTP:
- Verify that the OTP is sent to the manager’s email address by checking the SMTP logs or by confirming with the manager.
- Ensure that the OTP email includes all necessary information for the manager to provide the OTP to the user, and that it is received within the expected time frame.
Validate OTP Expiry:
Validate OTP Functionality:
- Enter the OTP provided by the manager during the login process to confirm that it is accepted and allows access.
- Test entering an incorrect OTP to ensure it is rejected, verifying that the OTP validation mechanism works as expected.