11. System Config

Using the System Config you can define some of LinOTP's overall behaviour. This is the view of the System Config in the management web interface. The native client looks much the same.

Figure: LinOTP Config part System Config


11.1. System Config - tab Settings

11.1.1. Settings

Figure: System Config tab Settings


Split At @ Sign (splitAtSign)

This determines how the username is handled during the login process. If set to true (checked), the following is done: if the username contains a "@", it is split into a username and a realm name. E.g. the username "user1@company2" is split into

  • username = user1
  • realm = company2

If SplitAtSign is false (not checked), the username is always taken as it is, i.e. LinOTP looks for a user "user1@company2" using the default user resolving techniques.

Return SAML attributes

Starting with version 2.4, LinOTP is capable of communicating with simpleSAMLphp via the LinOTP interface /validate/samlcheck. If this is true (checked), LinOTP will not only return whether the user authenticated successfully but also return the user attributes:

  • username
  • surname
  • given name
  • phone
  • mobile
  • email

FailCounterOnFalsePIN

LinOTP splits off the OTP value and then compares the remaining password, as the PIN, with the PINs of each token assigned to the user. If the PIN matches a token, LinOTP calculates the OTP value of this token and compares it with the given one. If the OTP values do not match, LinOTP increases the FailCounter of this very token. If "Increase FailCounter on false PIN" is set to true (checked) and the PIN matches no token at all, LinOTP increases the FailCounter of all tokens.

If it is set to false (not checked), LinOTP does not increase any FailCounter when the PIN matches no token.

PrependPIN

If set to true (checked), the user needs to put the OTP PIN in front of the OTP value (e.g. "mySecret647356"). If set to false (not checked), the user needs to put the OTP PIN behind the OTP value (e.g. "647356mySecret").

Auto resync

If Auto resync is true (checked), LinOTP works like this: if a token is out of sync, LinOTP remembers the given OTP value for this user and this token. If the user logs on again within the timeout and provides another PIN and OTP value, LinOTP tries to resynchronize the token, identified by the OTP PIN, with these two OTP values.

Of course the two OTP values need to be consecutive values.

Auto resync timeout

This is how long LinOTP remembers the first given OTP value, i.e. the time window within which the user needs to enter two consecutive OTP values.
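The PrependPIN, FailCounterOnFalsePIN and Auto resync rules described above, as an added Python model that is not LinOTP's own code: it assumes HOTP tokens with a 6-digit OTP, a resync search window of 100 counters, and that a successful auto resync accepts the login, none of which the page states.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def split_password(password: str, prepend_pin: bool, otp_len: int = 6):
    """PrependPIN true: PIN in front of the OTP; false: OTP in front of the PIN."""
    if prepend_pin:
        return password[:-otp_len], password[-otp_len:]
    return password[otp_len:], password[:otp_len]

def resync(token: dict, otp1: str, otp2: str, window: int = 100) -> bool:
    """Auto resync: find a counter c in the window with otp1 == HOTP(c) and otp2 == HOTP(c+1)."""
    for c in range(token["counter"], token["counter"] + window):
        if hotp(token["key"], c) == otp1 and hotp(token["key"], c + 1) == otp2:
            token["counter"] = c + 2                  # token is in sync again
            return True
    return False

def check(tokens: list, password: str, cfg: dict, now: float = 0.0) -> bool:
    """tokens: dicts with pin, key, counter, fail. cfg: prependPIN, failOnFalsePIN,
    autoResync, autoResyncTimeout (seconds). Returns True when the login is accepted."""
    pin, otp = split_password(password, cfg["prependPIN"])
    pin_matched = False
    for t in tokens:
        if t["pin"] != pin:
            continue                                  # PIN belongs to another token (or none)
        pin_matched = True
        if hotp(t["key"], t["counter"]) == otp:
            t["counter"] += 1
            return True
        prev = t.get("pending")                       # (first OTP, time seen) from a failed attempt
        if cfg["autoResync"] and prev and now - prev[1] <= cfg["autoResyncTimeout"]:
            if resync(t, prev[0], otp):
                t["pending"] = None
                return True                           # assumption: a successful resync accepts the login
        t["fail"] += 1                                # wrong OTP for the token whose PIN matched
        if cfg["autoResync"]:
            t["pending"] = (otp, now)                 # remember this OTP for the resync window
    if not pin_matched and cfg["failOnFalsePIN"]:
        for t in tokens:
            t["fail"] += 1                            # PIN matched no token: every token penalised
    return False
```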

11.1.2. Field Authentication

Pass on user not found

If LinOTP is not able to resolve the given username during the logon process, access will be granted.

Warning

Use this with caution and only if you know what you are doing!

Pass on user no token

If no token is assigned to the user, LinOTP will grant access to this user during the logon process.

Warning

Use this with caution and only if you know what you are doing!

11.1.3. Field Authorization

Override authentication client:

If a RADIUS server authenticates its clients via LinOTP, the IP address of the RADIUS server is used as the client IP in LinOTP by default. This IP address can be used in policies, e.g. to map all clients of a specific RADIUS server to a realm. If the real client IPs need to be available in LinOTP, the RADIUS server can be allowed to pass those IPs on to LinOTP. Enter the IPs of the RADIUS servers authorized for this behaviour here.

Figure: RADIUS client IP override

Note

If the RADIUS server is running on the same machine as LinOTP (like on the KeyIdentity Smart Virtual Appliance), you have to enter "127.0.0.1" to allow this local RADIUS server to transmit the client IPs.

11.2. Tab GUI settings

Figure: System Config tab GUI settings


Display realm select box

If this is true (checked), a dropdown box containing a list of all realms is displayed on the logon page of the selfservice portal. If this is false (not checked), no realm select box is displayed (default). This way you can hide the names of all realms from the users. The user then needs to log on by entering username@realm.

11.3. Client Identification

Figure: System Config tab Client Identification with Proxy


Support for HTTP_X_FORWARDED_FOR

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer; since 2014 the standardized Forwarded header of RFC 7239 serves the same purpose. If this is true (checked), this header is used to identify the client IP address, for example in policies.

Support for HTTP_FORWARDED

The Forwarded HTTP header field (RFC 7239, seen by LinOTP as HTTP_FORWARDED) is the standardized method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. If this is true (checked), this header is used to identify the client IP address, for example in policies.

Trusted Forwarding Proxy

List of trusted proxies. Clients can connect through a proxy on this list, i.e. a client IP taken from the forwarding headers above is only accepted when the request arrives via one of these proxies.
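How the three settings of this tab fit together, as an added example that is not LinOTP's own code: forwarding headers are honoured only when the request arrives from a listed trusted proxy, and the client is the first address, read from the right, that is not one of those proxies, so a client cannot pick its own IP by sending the header itself. The WSGI-style environ keys, the right-to-left rule and the fallback to the peer address for non-IP values are assumptions.

```python
import ipaddress

def _ip(text):
    """Parsed address, or None when the value is not a literal IP (e.g. RFC 7239 '_hidden')."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _clean(value: str) -> str:
    """Strip quotes, IPv6 brackets and a trailing port from a for= value."""
    value = value.strip().strip('"')
    if value.startswith("["):                         # "[2001:db8::1]:4711"
        return value[1:value.index("]")]
    if value.count(":") == 1:                         # "192.0.2.60:1234"
        value = value.split(":")[0]
    return value

def parse_forwarded(value: str) -> list:
    """RFC 7239 Forwarded: elements split by ',', pairs by ';'; keep the for= values in order."""
    chain = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.partition("=")
            if name.strip().lower() == "for" and val.strip():
                chain.append(_clean(val))
    return chain

def client_ip(environ: dict, trusted: list, use_xff=True, use_forwarded=True) -> str:
    """IP the request should be attributed to. environ uses WSGI keys (REMOTE_ADDR,
    HTTP_FORWARDED, HTTP_X_FORWARDED_FOR); trusted holds the proxy IPs or CIDR ranges."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    peer = environ["REMOTE_ADDR"]
    def is_trusted(addr):
        a = _ip(addr)
        return a is not None and any(a in n for n in nets)
    if not is_trusted(peer):
        return peer                                   # untrusted peer: its headers are ignored
    chain = []
    if use_forwarded and environ.get("HTTP_FORWARDED"):
        chain = parse_forwarded(environ["HTTP_FORWARDED"])
    elif use_xff and environ.get("HTTP_X_FORWARDED_FOR"):
        chain = [_clean(h) for h in environ["HTTP_X_FORWARDED_FOR"].split(",") if h.strip()]
    for hop in reversed(chain):                       # skip proxies we trust, right to left
        if not is_trusted(hop):
            return hop if _ip(hop) else peer          # first foreign hop is the client
    return peer
```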