7.1. Selfservice policies

If you want to define policies for users accessing the selfservice portal, you need to enter “selfservice” into the scope.

You need to put a realm name into the realm field. Then this policy will work for all users within this realm logging in to the self service portal. You can also put a * into the realm field, so that the policy is valid for all realms.

You may add clients in this policy so that you can define a different behaviour within the self service portal depending on where the user logs in to the self service portal from.

Now you may add actions that the users from this realm should be allowed to perform. Valid actions are:

enrollSMS
The user is allowed to self enroll an SMS token.
enrollMOTP
The user is allowed to self enroll an MOTP token.
webprovisionOATH
The user is allowed to enroll an HMAC OATH token via web provisioning. [1]
webprovisionGOOGLE
The user is allowed to enroll an HMAC Google Authenticator token via web provisioning. [2]
activateQR
The user is allowed to activate his QR token.
assign
The user is allowed to assign an already imported token to himself.
disable
The user is allowed to disable his own tokens.
enable
The user is allowed to enable his disabled tokens.
resync
The user is allowed to resynchronize his HMAC tokens.
setOTPPIN
The user is allowed to reset/set the OTP PINs of his tokens.
setMOTPPIN
The user is allowed to reset/set the MOTP PIN of his motp tokens.
unassign
The user is allowed to unassign his own tokens.
delete
The user is allowed to delete his own token. The token will be removed completely from the database. Nevertheless, all entries for this token/serial number of course remain in the audit trail.
getotp
The getotp tab will be displayed. Additionally the linotp.ini file needs to be adapted and a policy max_count for the token type needs to be defined.
getserial
If this action is active, the token can be assigned by entering the OTP value. You also need to specify the action assign. On the assign tab an additional entry for the OTP value will be displayed.
history
If this action is active, the user will see a tab with a list (like Audit Trail) of all actions he did or all the actions an administrator performed on his tokens.

Starting with LinOTP 2.5.2 you can also put users or resolvers in the user field. For an explanation on this take a look at Users in policies.

7.1.1. OTP PIN polices

Policies on how the OTP PIN should look can be defined for the self service portal. Thus the administrator can ensure that the user chooses an OTP PIN that is secure enough in his opinion.

OTP PIN policies will be checked whenever a user tries to reset an OTP PIN in the self service portal. The policies are defined like this:

scope = selfservice
realm
A list of comma separated realms, the policy should apply to.
action
Each action is followed by a number or by character codes. Several actions can be comma separated.
  • otp_pin_maxlength=12 This action defines that the user is only allowed to set an OTP PIN with a maximum length of 12 characters.
  • otp_pin_minlength=4 This action defines that the user needs to set an OTP PIN that is at least 4 characters long.
  • otp_pin_contents=cnso This action defines which characters need to be contained in the OTP PIN:
    • c: Only OTP PINs containing at least one letter character will be accepted.
    • n: Only OTP PINs containing at least one digit character will be accepted.
    • s: Only OTP PINs containing at least one special character will be accepted.
    • o: Only OTP PINs containing at least one special character that is not contained in the other character groups will be accepted.

Example: if you want your users to choose OTP PINs that contain letters and digits and that are between 6 and 8 characters long, you should define an action like this:

otp_pin_maxlength=8, otp_pin_minlength=6, otp_pin_contents=cn

7.1.1.1. Character groups

The character groups are defined like this.

The default for characters (letters) “c” is the regular expression:

[a-zA-Z]

The default for digits “n” is the regular expression:

[0-9]

The default for special characters “s” is the regular expression:

[.:,;-_<>+*!/()=?$§%&#~^]

The character group “o” contains all characters that are not contained in one of the above groups.

7.1.1.2. Changing the character group definition

These regular expressions can be changed in the linotp.ini file using these parameters:

linotpPolicy.pin_c = [a-zA-Z]
linotpPolicy.pin_n = [0-9]
linotpPolicy.pin_s = [.:,;-_<>+*!/()=?$§%&#~\^]

Note

Some characters need to be escaped using the “\”.

So if you want to force the OTP PIN to contain an uppercase letter, you may change the definition to linotpPolicy.pin_c = [A-Z] and set otp_pin_contents = c. Setting the PIN will then fail if the PIN does not contain an uppercase letter.

7.1.1.3. Reversing the OTP PIN logic

The default logic is that the OTP PIN must contain at least one character from each of the specified groups and may additionally contain any other characters, digits or signs that are not required. There are two prefixes to change this logic:

  • -:

    The minus sign still requires the PIN to contain the specified character groups, but additionally requires that characters from groups that were not specified are not used in the OTP PIN.

    Examples:

    • -cn: This will require the OTP PIN to contain at least a letter and a digit. But as soon as the OTP PIN contains a special character or any other character the OTP PIN will not be valid. A PIN like “a12” or “b12” would be OK, but a PIN like “abc” or “test!” would not be valid.
    • -s: The OTP PIN may only contain the specified special characters, not any digits, letters or other characters.
  • +:

    The plus sign combines the specified character groups. It requires that characters from any of the character groups are contained in the PIN, but characters not in the specified character groups must not be contained in the PIN.

    Example:

    • +cn: The PIN needs to contain letters or digits, but must not contain any special characters. A PIN like “123”, “abc”, “a12” would be OK.

Example: If you want to have the user always use PINs that are exactly 4 digits long, you can set:

otp_pin_maxlength=4, otp_pin_minlength=4, otp_pin_contents=-n
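As an added example, not part of this documentation and not LinOTP's own code, the following Python checker implements the OTP PIN policy semantics described in 7.1.1 and 7.1.1.3: it parses an action string such as the ones above, applies otp_pin_minlength and otp_pin_maxlength, and evaluates otp_pin_contents with the c/n/s/o character groups, including the “-” and “+” prefixes. The group regular expressions are the documented defaults with one deliberate deviation: the minus in the special-character class is escaped, because inside a character class a regex engine reads an unescaped “;-_” as the range from “;” to “_”, which also covers every uppercase letter. The function names, the parameter names and the way custom groups are passed in are assumptions of this example.

```python
import re
from typing import Dict, Optional, Set

# Default character groups as documented for linotp.ini
# (linotpPolicy.pin_c / pin_n / pin_s). The "-" in the special-character
# class is escaped here (assumption of this example): an unescaped ";-_"
# inside [...] is a range from ";" to "_" and would match uppercase letters.
DEFAULT_GROUPS: Dict[str, str] = {
    "c": r"[a-zA-Z]",
    "n": r"[0-9]",
    "s": r"[.:,;\-_<>+*!/()=?$§%&#~\^]",
}


def parse_action(action: str) -> Dict[str, str]:
    """Split a comma separated policy action string into key/value pairs.

    'otp_pin_maxlength=8, otp_pin_minlength=6, otp_pin_contents=cn' becomes
    {'otp_pin_maxlength': '8', 'otp_pin_minlength': '6', 'otp_pin_contents': 'cn'}
    """
    params: Dict[str, str] = {}
    for item in action.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        params[key.strip()] = value.strip() if sep else ""
    return params


def classify(ch: str, groups: Dict[str, str]) -> Set[str]:
    """Return the group letters (c, n, s or o) a single character belongs to.

    "o" is every character that matches none of the configured groups.
    """
    hits = {name for name, regex in groups.items() if re.fullmatch(regex, ch)}
    return hits or {"o"}


def check_otp_pin(pin: str, action: str,
                  groups: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Check a PIN against a selfservice policy action.

    Returns None when the PIN is acceptable, otherwise a short reason.
    """
    groups = groups or DEFAULT_GROUPS
    params = parse_action(action)

    # Length limits (otp_pin_minlength / otp_pin_maxlength)
    minlen = int(params.get("otp_pin_minlength", 0))
    maxlen = params.get("otp_pin_maxlength")
    if len(pin) < minlen:
        return f"PIN shorter than otp_pin_minlength={minlen}"
    if maxlen is not None and len(pin) > int(maxlen):
        return f"PIN longer than otp_pin_maxlength={maxlen}"

    contents = params.get("otp_pin_contents", "")
    if not contents:
        return None

    # Optional "-" or "+" prefix, followed by the group letters
    prefix = contents[0] if contents[0] in "+-" else ""
    wanted = set(contents[len(prefix):])
    unknown = wanted - {"c", "n", "s", "o"}
    if unknown:
        return f"unknown character group(s) {sorted(unknown)}"

    present: Set[str] = set()
    for ch in pin:
        present |= classify(ch, groups)

    if prefix == "+":
        # "+": a character from any of the listed groups is enough
        if not (present & wanted):
            return f"PIN contains no character from groups {''.join(sorted(wanted))}"
    else:
        # default and "-": every listed group must be represented
        missing = wanted - present
        if missing:
            return f"PIN lacks a character from group(s) {''.join(sorted(missing))}"

    if prefix:
        # "-" and "+": characters outside the listed groups are forbidden
        for ch in pin:
            if not (classify(ch, groups) & wanted):
                return f"character {ch!r} not allowed by otp_pin_contents={contents}"
    return None
```

The default groups are disjoint once the minus is escaped, so each character lands in exactly one of c, n, s or o. To try the “upper letter” variant from 7.1.1.2, pass a copy of the defaults with “c” replaced by [A-Z] as the groups argument.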

7.1.2. Retrieving OTP values

In the scope=selfservice you can define the following actions:

  • max_count_dpw=<int> for retrieving OTP values of Tagespasswort (day password) tokens.
  • max_count_hotp=<int> for retrieving OTP values of HOTP/HMAC tokens.
  • max_count_totp=<int> for retrieving OTP values of TOTP tokens.

These actions are the equivalent of the gettoken actions (see Gettoken Policies). When these actions are defined, the user in such a realm is allowed to retrieve future OTP values of his own OTP tokens. You also need to specify the policy scope=selfservice, action=getotp and edit the linotp.ini file to enable OTP retrieval.

[1]See this OATH token: http://code.google.com/p/oathtoken/
[2]See the Google Authenticator: http://code.google.com/p/google-authenticator/