Activate One Touch - User and Password

Warning

Please note that this document uses the legacy authenticators. To use the new protocol-agnostic authenticators, you need to apply the relevant modifications to the configuration examples outlined in this article.

Requirements:
LDAP must be configured. Note the ID of the LDAP connection; it is used in Step 5.
One Touch must be configured.

Do the following steps in the ADVANCED tab in the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following section to “Authentication - HTTP”

{
    "alias": "activateonetouch",
    "name": "PostUidAndPassword",
    "configuration": {
        "pipeID": "EnrollPkiUserLookupAndAuthWithLDAP",
        "successURL": "/activateonetouch/",
        "translationKey": "login.messages.information.body.enrollment.onetouch",
        "headingtranslationKey": "login.messages.information.header.enrollment.onetouch",
        "title": "login.messages.information.title.enrollment.onetouch",
        "loginTemplate": "enrollmentonetouch.template",
        "allowLanguageChange": "true"
    },
    "id": "activateonetouch"
}

Step 2 - HTTP connections

Add the following section to “HTTP connections” and change the “port” and “ssl” settings to your requirements. The authenticator from Step 1 posts a user name and password to this connection, so keep “ssl” set to “true” unless TLS is terminated in front of this port.

{
    "id": "http_pki",
    "port": "8443",
    "ssl": "true"
}

Step 3 - Modules

Add the following section to “Modules”

{
    "name": "com.phenixidentity~phenix-prism",
    "enabled": "true",
    "config": {
        "base_url": "/activateonetouch",
        "auth_redirect_url": "/activateonetouch/authenticate/activateonetouch",
        "http_configuration_ref": "http_pki",
        "module_refs": "enroll_pki_01",
        "enable_roles": "false",
        "use_css": "false"
    },
    "id": "enrollpki"
},
{
    "id": "enroll_pki_01",
    "name": "com.phenixidentity~phenix-prism-enroll-pki",
    "enabled": "false",
    "prism_enabled": "true",
    "config": {
        "display_name": "One Touch enrollment",
        "base_uri": "pki",
        "http_configuration_ref": "http_pki",
        "url_prefix": "replace-url_prefix",
        "enroll_timeout_mins": "1",
        "enroll_pollinterval_ms": "2000",
        "use_push": "true"
    }
}

Replace

“replace-url_prefix” with the URL of this server, for example https://192.168.10.118:8443 (the scheme and port in the example match the “ssl” and “port” settings of the HTTP connection from Step 2).

Change the following parameters, if needed, to your requirements:

"enroll_timeout_mins":
"enroll_pollinterval_ms":
"use_push":

Step 4 - NODE_GROUPS

Add the module “enrollpki” to “module_refs” in “NODE_GROUPS”, see the example below.

Example

"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrollpki"

Step 5 - Pipes

Add the following section to “Pipes”

{
    "id": "EnrollPkiUserLookupAndAuthWithLDAP",
    "valves": [
        {
            "name": "LDAPSearchValve",
            "config": {
                "connection_ref": "replace-ldap-ref",
                "base_dn": "replace-base_dn",
                "scope": "SUB",
                "size_limit": "0",
                "filter_template": "(&(objectclass=user)(sAMaccountName={{request.username}}))",
                "attributes": "cn,mail,mobile"
            }
        },
        {
            "name": "LDAPBindValve",
            "config": {
                "connection_ref": "replace-ldap-ref",
                "password_param_name": "password"
            }
        },
        {
            "name": "PropertyAddValve",
            "config": {
                "name": "roles",
                "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
                "enable_multi_value": "true"
            }
        }
    ]
}

Replace the following Pipe settings:

“replace-ldap-ref” with your LDAP connection id (noted under Requirements), example “731c93fb-f123-403a-9b4f-45720eeed474”
“replace-base_dn” with your “base_dn”, example “DC=phenixid,DC=local”

Verify that “filter_template” and “attributes” match your environment. The filter above is written for Active Directory (objectclass=user, sAMAccountName); adjust it for other directories.
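Before applying the configuration it is worth confirming that the references between the steps resolve (pipeID to a Pipe, http_configuration_ref to an HTTP connection, module_refs to a module) and that no “replace-” placeholder was left behind. The following Python check is an added example, not PhenixID's own tooling; the top-level keys it groups the fragments under are an assumption, since this page does not show the full configuration file.

```python
import json

# Constructed sample of the Step 1, 2, 3 and 5 fragments under assumed top-level
# keys (the full file layout is not on this page); Step 5 placeholders left in.
SAMPLE = json.loads("""{
 "AUTHENTICATION_HTTP": [{"id": "activateonetouch",
   "configuration": {"pipeID": "EnrollPkiUserLookupAndAuthWithLDAP"}}],
 "HTTP_CONNECTIONS": [{"id": "http_pki", "port": "8443", "ssl": "true"}],
 "MODULES": [
  {"id": "enrollpki", "config": {"http_configuration_ref": "http_pki",
                                 "module_refs": "enroll_pki_01"}},
  {"id": "enroll_pki_01", "config": {"http_configuration_ref": "http_pki",
                                     "url_prefix": "https://192.168.10.118:8443"}}],
 "PIPES": [{"id": "EnrollPkiUserLookupAndAuthWithLDAP", "valves": [
   {"name": "LDAPSearchValve", "config": {"connection_ref": "replace-ldap-ref",
                                          "base_dn": "replace-base_dn"}}]}]
}""")

def find_placeholders(node, path="$"):
    """Return the path of every string value still starting with 'replace-'."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += find_placeholders(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits += find_placeholders(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith("replace-"):
        hits.append(path)
    return hits

def check_config(cfg):
    """Return findings for the fragments; an empty list means they are consistent."""
    findings = [f"unreplaced placeholder at {p}" for p in find_placeholders(cfg)]
    http_ids = {c["id"] for c in cfg["HTTP_CONNECTIONS"]}
    module_ids = {m["id"] for m in cfg["MODULES"]}
    pipe_ids = {p["id"] for p in cfg["PIPES"]}
    for auth in cfg["AUTHENTICATION_HTTP"]:          # Step 1 -> Step 5
        if auth["configuration"].get("pipeID") not in pipe_ids:
            findings.append(f"authenticator {auth['id']}: pipeID matches no pipe")
    for mod in cfg["MODULES"]:                       # Step 3 -> Step 2 and Step 3
        ref = mod["config"].get("http_configuration_ref")
        if ref not in http_ids:
            findings.append(f"module {mod['id']}: http_configuration_ref {ref!r} not found")
        for dep in mod["config"].get("module_refs", "").split(","):
            if dep and dep not in module_ids:
                findings.append(f"module {mod['id']}: module_refs entry {dep!r} not found")
    for conn in cfg["HTTP_CONNECTIONS"]:             # Step 2: the login form posts a password
        if conn.get("ssl") != "true":
            findings.append(f"HTTP connection {conn['id']}: ssl is not 'true'")
    return findings
```

Running check_config(SAMPLE) reports only the two unreplaced LDAP placeholders from Step 5; once those are filled in the list is empty.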