4. System config
Using the System Config you can define some of LinOTP’s overall behavior. The options below are described as they appear in the System Config dialog of the management web interface; the native client looks much the same.
- Default Max FailCount
The FailCounter is a per-token counter of failed logon attempts. Here you set how often a user may attempt to log on with a token before that token is locked. This is a default value. You may change this per token.
- Default Reset FailCount
If this is set to true (checked), a successful logon with a token resets that token's FailCounter to zero.
This is a default value. You may change this per token.
- Default Sync Window
For event based (HOTP) tokens this is the counter window: the number of counter values beyond its last known counter that LinOTP will calculate and compare, i.e. how many unused button presses the token may be ahead.
This is a default value. You may change this per token.
- Default OTP Length
This is the length of the OTP value. It is used to split the OTP value from the OTP PIN and is therefore required for all token types.
This is a default value. You may change this per token.
- Split At Sign
This determines how the username is handled during the login process. If set to true (checked), a username containing a “@” is split into username and realm name. E.g. the username “user1@company2” will be split into
  - username = user1
  - realm = company2
If SplitAtSign is false (not checked), the username is always taken as it is, i.e. LinOTP will look for a user “user1@company2” using the default user resolving techniques.
- Return SAML Attributes
Starting with version 2.4 LinOTP is capable of communicating with simpleSAMLphp via the LinOTP interface /validate/samlcheck. If this is true (checked), LinOTP will not only return whether the user authenticated successfully but also the following user attributes:
  - username
  - surname
  - given name
  - phone
  - mobile
- Increase FailCounter on false PIN
LinOTP splits off the OTP value and then compares the remaining password as PIN to the PINs of each token assigned to the user. If the PIN matches a token, LinOTP calculates the OTP value of this token and compares it to the given one. If the OTP values do not match, LinOTP increases the FailCounter of this very token. If “Increase FailCounter on false PIN” is set to true (checked) and the PIN matches no token at all, LinOTP increases the FailCounter of all tokens of the user.
If it is set to false (not checked), LinOTP does not increase any FailCounter in that case.
- Prepend PIN
If set to true (checked), the user needs to put the OTP PIN in front of the OTP value (e.g. “mySecret647356”). If set to false (not checked), the user needs to put the OTP PIN behind the OTP value (e.g. “647356mySecret”).
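The following added example, which is not part of the LinOTP documentation or LinOTP's code, models how Split At Sign, Default OTP Length, Prepend PIN, Default Max FailCount, Default Reset FailCount and Increase FailCounter on false PIN together shape the handling of one logon request. The tokens, their PINs and the set of "currently valid" OTP values are constructed stand-ins (a real token computes its OTP); the serials, the `Token` class and the `check_logon` function are assumptions made for the illustration.

```python
"""Added example, not LinOTP's own code: a simplified model of the logon
flow controlled by the Split At Sign, Default OTP Length, Prepend PIN,
Default Max FailCount, Default Reset FailCount and Increase FailCounter
on false PIN settings.  Tokens and their valid OTPs are constructed."""
from dataclasses import dataclass


@dataclass
class Token:
    serial: str
    pin: str
    valid_otps: set            # constructed: OTPs the token would accept right now
    fail_count: int = 0
    max_fail_count: int = 10   # Default Max FailCount (overridable per token)

    def locked(self) -> bool:
        return self.fail_count >= self.max_fail_count


def split_user(login: str, split_at_sign: bool, default_realm: str = "default"):
    """Split At Sign: 'user1@company2' -> ('user1', 'company2').
    With the option off, the whole string is the login name and would be
    looked up through the default resolvers (modelled here as one realm)."""
    if split_at_sign and "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm
    return login, default_realm


def split_pin_otp(password: str, otp_length: int, prepend_pin: bool):
    """Default OTP Length / Prepend PIN: the OTP is the fixed-length tail
    (PIN prepended) or head (PIN appended) of the submitted password."""
    if len(password) < otp_length:
        return None, None
    if prepend_pin:
        return password[:-otp_length], password[-otp_length:]
    return password[otp_length:], password[:otp_length]


def check_logon(tokens, password, *, otp_length=6, prepend_pin=True,
                increase_on_false_pin=True, reset_fail_count=True):
    """Return True on success.  Order as described in the text: split the
    password, compare the PIN against every token of the user, check the
    OTP only where the PIN matched, and bump FailCounters as configured."""
    pin, otp = split_pin_otp(password, otp_length, prepend_pin)
    if pin is None:
        return False
    pin_matched = False
    for tok in tokens:
        if tok.pin != pin:
            continue
        pin_matched = True
        if tok.locked():            # Max FailCount reached: token unusable
            continue
        if otp in tok.valid_otps:
            if reset_fail_count:    # Default Reset FailCount
                tok.fail_count = 0
            return True
        tok.fail_count += 1         # wrong OTP: only this token is penalised
    if not pin_matched and increase_on_false_pin:
        for tok in tokens:          # PIN matched no token: penalise all
            tok.fail_count += 1
    return False


def demo():
    """Constructed scenario; returns the observations a reader can check."""
    user, realm = split_user("user1@company2", split_at_sign=True)
    whole, _ = split_user("user1@company2", split_at_sign=False)
    t1 = Token("HOTP0001", "mySecret", {"647356"}, max_fail_count=3)
    t2 = Token("HOTP0002", "other", {"111111"})
    toks = [t1, t2]
    ok_prepend = check_logon(toks, "mySecret647356", prepend_pin=True)
    ok_append = check_logon(toks, "647356mySecret", prepend_pin=False)
    check_logon(toks, "mySecret000000")              # wrong OTP: t1 +1
    after_bad_otp = (t1.fail_count, t2.fail_count)
    check_logon(toks, "nope647356")                  # wrong PIN: both +1
    after_bad_pin = (t1.fail_count, t2.fail_count)
    check_logon(toks, "mySecret000000")              # t1 hits its maximum
    locked = t1.locked()
    ok_locked = check_logon(toks, "mySecret647356")  # right OTP, but locked
    return {"user": user, "realm": realm, "whole": whole,
            "ok_prepend": ok_prepend, "ok_append": ok_append,
            "after_bad_otp": after_bad_otp, "after_bad_pin": after_bad_pin,
            "locked": locked, "ok_locked": ok_locked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario shows the operational consequence of the two FailCounter settings: a wrong OTP only penalises the token whose PIN matched, whereas a PIN that matches no token penalises every token of that user when “Increase FailCounter on false PIN” is on, so a low Default Max FailCount combined with that option lets a burst of bad logins lock all of a user's tokens at once.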
- Auto resynchronize
If Auto resync is true (checked), LinOTP works like this: if a token is out of sync, LinOTP remembers the given OTP value for this user and this token. If the user logs on again within the timeout and provides another PIN and OTP value, LinOTP tries to resynchronize the token, identified by the OTP PIN, using these two OTP values.
Of course the two OTP values need to be consecutive values.
- Auto resynchronize timeout
This is how long LinOTP remembers the first OTP value, i.e. the time window in which the user needs to enter two consecutive OTP values.
- Pass on user not found
If LinOTP is not able to resolve the given username during the logon process, access will be granted.
Warning: Use this with caution and only if you know what you are doing!
- Pass on user no token
If no token is assigned to the user, LinOTP will grant access to this user during the logon process.
Warning: Use this with caution and only if you know what you are doing!
- TOTP timestep
TOTP tokens are time based OATH tokens defined in RFC 6238. The counter is calculated from the UNIX system time and increases every 30 or every 60 seconds, depending on the token, so enter 30 or 60 here.
This is a default value. You may change this per token.
- TOTP timeshift
This is the drift of the LinOTP clock from the TOTP token clocks. Usually there should be no default drift; keep the LinOTP server clock synchronized using NTP instead, so this should be set to 0.
This is a default value. You may change this per token.
- TOTP timewindow
LinOTP can calculate and compare the OTP values from some seconds before the current time and after the current time. A sensible value could be 60 or 120, so that LinOTP calculates and compares OTP values 1 or 2 minutes before and after the current time.
This is a default value. You may change this per token.
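The added example below, which is not LinOTP's code and not part of its documentation, puts the Default Sync Window, the Auto resynchronize search for two consecutive OTP values, and the three TOTP settings (timestep, timeshift, timewindow) into working code: RFC 4226 HOTP, RFC 6238 TOTP verification over a symmetric window, a look-ahead bounded by the sync window, and the resync search. The secret is the RFC 4226/6238 SHA-1 test-vector seed, so the values can be checked against the RFCs; the sign convention for timeshift, the replay check via `last_counter` and the size of the resync search range are assumptions of this example.

```python
"""Added example, not LinOTP's own code: RFC 4226 HOTP, RFC 6238 TOTP
verification driven by timestep / timeshift / timewindow, the HOTP
look-ahead of the Default Sync Window, and the two-consecutive-values
search of Auto resynchronize.  SECRET is the RFC test-vector seed."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 (SHA-1) test seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, timestep: int, timeshift: int = 0) -> int:
    """RFC 6238: T = floor((time + shift) / step).  timeshift is the number
    of seconds the token clock runs ahead of the server (assumed sign)."""
    return (unix_time + timeshift) // timestep


def verify_totp(secret, otp, now, *, timestep=30, timeshift=0,
                timewindow=60, digits=6, last_counter=-1):
    """TOTP timewindow: accept codes from `timewindow` seconds before to
    `timewindow` seconds after `now`.  Returns the matching counter or
    None.  Counters at or below last_counter are refused so an already
    used code cannot be replayed inside the window (assumed policy)."""
    center = totp_counter(now, timestep, timeshift)
    steps = timewindow // timestep
    for c in range(center - steps, center + steps + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return c
    return None


def verify_hotp(secret, otp, last_counter, sync_window=10, digits=6):
    """Default Sync Window: try the next `sync_window` counters after the
    last known one (skipped button presses).  Returns the new counter or None."""
    for c in range(last_counter + 1, last_counter + 1 + sync_window):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return c
    return None


def auto_resync(secret, otp1, otp2, last_counter, search=1000, digits=6):
    """Auto resynchronize: find c beyond the last counter with
    hotp(c) == otp1 and hotp(c + 1) == otp2 (search range is an assumed
    value).  Returns the counter of otp2, the token's new position, or None."""
    for c in range(last_counter + 1, last_counter + 1 + search):
        if hotp(secret, c, digits) == otp1 and hotp(secret, c + 1, digits) == otp2:
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 6238 vector: time 59 -> T = 1 -> 94287082 (8 digits)
    print(verify_totp(SECRET, "94287082", 59, timewindow=0, digits=8))
    # RFC 4226 vectors: counter 5 -> 254676, counters 7/8 -> 162583/399871
    print(verify_hotp(SECRET, "254676", last_counter=0))
    print(auto_resync(SECRET, "162583", "399871", last_counter=0))
```

Two practical points follow from the code: the timewindow is measured in seconds but only matters in whole timesteps (60 seconds at a 30-second step means two steps on either side of the current one), and a non-zero timeshift moves the centre of that window rather than widening it, which is why the text recommends NTP over a default drift. Whatever the window, the verifier should also record the last accepted counter and refuse it again, since every code inside the window is otherwise valid for the whole window.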
- Selfservice portal: Display realmbox
If this is true (checked), a dropdown box containing a list of all realms is displayed on the logon page of the selfservice portal. If this is false (not checked), no realm box is displayed. This way you can hide the names of all realms from the users; the user then needs to log on by entering username@realm.