Managing token in self service --------------------------------- Conditions for use ................... * Policies allow users to take action For details to define a selfservice policy read :ref:`self_service_policies` and :ref:`users_in_policies`. * Specific actions in the policies are necessary for the function of the tokens For details to define a token specific action in selfservice policy read :ref:`self_service_policies` and :ref:`policies` for concerned tokens. Access Selfservice Portal ........................... The Selfservice Portal can be accessed via \https://your-linotp-server/. Typical user is a user from a UserIdResolver with *user@realm* and his password. Its allowed actions are set up via policies. .. For more information on the Selfservice Portal see part :ref:`user_manual`. .. note:: As long as no selfserivce policy is defined, users are not able to do anything in the Selfservice Portal. Typical usecases for supported token in self service ----------------------------------------------------- Basic actions for tokens .......................... Extract from the complete list in :ref:`self_service_policies` * General functions for all tokens actions are: *assign - unassign - enable - disable - delete - reset - resync - history* * Activities necessary for the function of the token. actions are: *enroll... - activate...* The KeyIdentity Push and QR Token as well as the OCRA tokens require a two-level enrollment with enroll and activate. Other tokens come with the enroll, are imported or provided with autoenroll. actions are: *edit_email - edit_sms* The action allows the user to customize the mail or SMS text. * Actions that are caused by the LinOTP configuration and which must be accepted by the users in the self service. - The LinOTP administrator defines policiy (otppin) to use a PIN and its length. Or the user's password is used in its place. - For sms and email token providers are defined, which are effective for the users. - Many tokens can only be used in a challenge. The necessary policy is set in scope authentication. This means that some activities are effective or have no meaning at the moment. action: *setOTPPIN* can be used if set otppin=0 .. _KeyIdentity Authentication Provider: https://www.keyidentity.com/products/keyidentity-authentication-provider .. _Goggle Play Store: https://play.google.com/store/apps/details?id=com.keyidentity.authenticator&hl=en .. _Apple Store: https://itunes.apple.com/de/app/keyidentity-authenticator/id1156019084?mt=8 .. _Application-Scenario-Push-Token: Application Scenario with the KeyIdentity Push Token ..................................................... The following preparations are necessary to use the KeyIdentity Push Token: Customize the LinOTP configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Setup scenario for :ref:`keyidentity_push_token`: + Set up a challenge-service for :ref:`pushprovider` + Define policy for the push token :ref:`policy_ki_push_token` + Define policy for the self service :ref:`self_service_policies` *As a result, we get a push provider* Use 'push.keyidetity.com' in your setup as 'push_url', you also need the certificates from there. Inquiries can be directed to mailto:support@keyidentity.com. | .. image:: ../images/webui_popup_pushprovider_filled_keyidentity.png :scale: 75% | *Apache Certificate* The use of the KeyIdentity QR and PushToken requires an SSL certificate for the Apache, which is certified by a public certification authority, or created by a CA that is verifiable. For the successful authentication of users on a Windows or MacOS client via the user’s smartphone, a complete and certified certificate chain is necessary. | *The policy required for this purpose is as follows* Exported policy.cfg `[Selfservice_Push]` ``scope = selfservice`` ``action = "enrollPUSH, activate_PushToken, delete"`` ``realm = *`` ``user = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` | `[push_callbacks]` ``scope = authentication`` ``action = pushtoken_pairing_callback_url=https://challenge-service.example.com/`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` | `[push_callbacks_challenge]` ``scope = authentication`` ``action = pushtoken_challenge_callback_url=https://challenge-service.example.com/`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` | Testing the configuration with a Push Token ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Login to SelfService https:// * Enroll a push token * Activat this push token * Verifying authentication https:///auth/pushtoken See also this section: :ref:`Testing of the KeyIdentity Push Token` Prepare Windows or Apple Clients with KeyIdentity Authentication Provider KAP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Configure KAP (KeyIdentity Authentication Provider) to use the push token `KeyIdentity Authentication Provider`_ The KAP affords 2FA for the Windows or Apple Desktop * The LinOTP server desired for the authentication of the 2FA is to be configured. For this, the LinOTP Server certificate is installed. The corresponding documentation comes with the product .. image:: images/LinOTP-authprov-cpl-page1-pic1.png | Detailed documentation on the KeyIdentity Authentication Provider is provided with the KAP license. Provide the KI APP on the smartphone by the user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The KI app is installed on the user's smartphone. Look here in `Goggle Play Store`_ or `Apple Store`_ The use is intuitive, details are contained in the 'KAP User Guide', which is part of the documentation of the KAP. Rollout and activate the push token by the user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With enroll and activate the push token, the token is registered here. Make sure your mobile phone is installed with the installed AI application. Open the app before you start. .. Note:: You will only see the Android version of the app. Users with an iPhone will find that their APP works analog. | .. image:: images/selfservice0-1_handy_KI-App.png :scale: 25 % :align: center | If your KI-APP is already configured with a QR or Push token, which is no longer required, reset the KI-APP. Under the Settings icon (gear), you will find 'Reset App'. To use with the push token, the mobile phone must be online, best suited for this is wifi. Details are described in the user documentation also supplied with the KAP. * Login at SelfService Portal to manage your token in LinOTP To make the KI APP usable, roll out a push token. This requires two steps. Beginn in Selfservice Portal to enroll an push token, the corresponding qr-code is scanned with the app. Step 2 uses the self-service activate an push token, which confirms the app on success. | .. image:: images/selfservice2_login2.png :scale: 50 % | Step 1 Enroll your Push Token ++++++++++++++++++++++++++++++ To initialize the new Push token, select the tab **"Enroll your Push Token"** in the SelfService and fill the fields: **Token description:** "With a suitable description of the token, visible in the" User View" **Token PIN:** Appears when action 'otppin=0' (default) is used in a policy scope 'authentication'. If this block is missing, the password of the user 'otppin=1' is used. In accordance with the policy used, this information must also be used in the activation in step 2. **enroll pushtoken** The roll-out starts, a QR code is displayed. This QR code is scanned with the smartphone's KI APP. | .. image:: images/selfservice3_enroll_push1.png :scale: 50 % | To scan with the smartphone the following QR code is displayed. | .. image:: images/selfservice4_enroll_push2.png :scale: 75% | The smartphone, reset and ready to scan the QR codes. | .. image:: images/selfservice4_enroll2.S6_KI-APP_init-Push-Enroll1.png :scale: 25% | After the scan, the phone waits for confirmation of the registration of the push token. Step 2 Activate your Push Token ++++++++++++++++++++++++++++++++ For step two, in the Selfservice Portal: select the tab **'Activate Push Token'**. **Select Push Token:** In the tab first, select the token from the list on the left. **Enter activation credetians:** This is the one to enter step 1, ie the same PIN or the password (if no PIN was used). **Activate token** The activation begins, the smartphone shows the success and changes the screen, indicates willingness to work with the push token. | .. image:: images/selfservice6_activate_push1.png :scale: 75% | Test for KI Push Token ~~~~~~~~~~~~~~~~~~~~~~ A push message can be triggered to test the function of an activated push token. For details, please follow the link below: :ref:`Testing of the KeyIdentity Push Token`. .. _Application-Scenario-QR-Token: Application Scenario with the KeyIdentity QR Token .................................................... The following preparations are necessary to use the KeyIdentity QR Token: Customize the LinOTP configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Announcing the Apache Certificate for the World. :ref:`issuing_ca`, * Define policy for the qr token :ref:`policy_ki_qr_offline_token` * Define policy for the self service :ref:`self_service_policies` *Apache Certificate* The use of the KeyIdentity QR and PushToken requires an SSL certificate for the Apache, which is certified by a public certification authority, or created by a CA that is verifiable. For the successful authentication of users on a Windows or MacOS client via the user's smartphone, a complete and certified certificate chain is necessary. *The policy required for this purpose is as follows* `[Selfservice_QR]` ``scope = selfservice`` ``action = "delete, enrollQR, activate_QRToken, "`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` `[qr_callbacks]` ``scope = authentication`` ``action = qrtoken_pairing_callback_url=https://linotp-srv.my.domain/validate/pair`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` `[qr_callbacks_challenge]` ``scope = authentication`` ``action = qrtoken_challenge_callback_url=https://linotp-srv.my.domain/validate/check_t`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` `[offline]` ``scope = authentication`` ``action = support_offline=qr`` ``user = *`` ``realm = *`` ``client = *`` ``time = "* * * * * *;"`` ``active = True`` Prepare Windows or Apple Clients with KeyIdentity Authentication Provider KAP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The same procedure as with the push or other token and a bit more for offline. Configure KAP (KeyIdentity Authentication Provider) to use the keyidentity qr token `KeyIdentity Authentication Provider`_ The KAP affords 2FA for the Windows or Apple Desktop * The LinOTP server desired for the authentication of the 2FA is to be configured. For this, the LinOTP Server certificate is installed. The corresponding documentation comes with the product .. image:: images/LinOTP-authprov-cpl-page1-pic1.png | To use the offline function, the permission must be given under 'Offline Support'. | .. image:: images/LinOTP-authprov-cpl-page3-pic1.png | Detailed documentation on the KeyIdentity Authentication Provider is provided with the KAP license. Provide the KI APP on the smartphone by the user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The KI app is installed on the user's smartphone. Look here in `Goggle Play Store`_ or `Apple Store`_ The use is intuitive, details are contained in the 'KAP User Guide', which is part of the documentation of the KAP. Rollout and activate the keyidentity qr token by the user ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With enroll and activate the qr token, the token is registered here. Make sure your mobile phone is installed with the installed AI application. Open the app before you start. .. Note:: You will only see the Android version of the app. Users with an iPhone will find that their APP works analog. | .. image:: images/selfservice0-1_handy_KI-App.png :scale: 25 % :align: center | If your KI-APP is already configured with a QR or Push token, which is no longer required, reset the KI-APP. Under the Settings icon (gear), you will find 'Reset App'. To use with the qr token, the mobile phone must be online, best suited for this is wifi. Details are described in the user documentation also supplied with the KAP. * Login at SelfService Portal to manage your token in LinOTP To make the KI APP usable, roll out a qr token. This requires two steps. Beginn in self-service enroll an push token, the corresponding qr-code is scanned with the app. Step 2 uses the self-service activate an qr token, which confirms the app on success. | .. image:: images/selfservice2_login2.png :scale: 50 % | Step 1 Enroll your QR Token +++++++++++++++++++++++++++++ To initialize the new QR token, select the tab **"Enroll your QR Token"** in the SelfService and fill the fields: **Token description:** "With a suitable description of the token, visible in the" User View" **Token PIN:** Appears when action 'otppin=0' (default) is used in a policy scope 'authentication'. If this block is missing, the password of the user 'otppin=1' is used. In accordance with the policy used, this information must also be used in the activation in step 2. **enroll qrtoken** The roll-out starts, a QR code is displayed. This QR code is scanned with the smartphone's KI APP. | .. image:: images/selfservice3_enroll_qr1.png :scale: 50 % | To scan with the smartphone the following QR code is displayed. | .. image:: images/selfservice4_enroll_qr2.png :scale: 50 % | The smartphone, reset and ready to scan the QR codes. | .. image:: images/selfservice4_enroll2.S6_KI-APP_init-QR-Enroll1.png :scale: 25 % :align: center | After the scan, the phone waits for confirmation of the registration of the qr token. Step 2 Activate your QR Token ++++++++++++++++++++++++++++++++ For step two, in the Selfservice Portal: select the tab **'Activate QR Token'**. **Select QR Token:** In the tab first, select the token from the list on the left. **Enter activation credetians:** This is the one to enter step 1, ie the same PIN or the password (if no PIN was used). **Activate token** The activation begins, the smartphone shows the success and changes the screen, indicates willingness to work with the push token. | .. image:: images/selfservice6_activate_qr1.png :scale: 50 % | The QR code now displayed is also scanned in step 2/2 with the KI APP of the smartphone. **OTP Value:** This field remains empty. It is only used if the KI App of the mobile phone should show an OTP value after scanning the QR code. **finalize activation** The key has only one function when an *OTP value* has been entered. Otherwise, it results in a wrong message. | .. image:: images/selfservice6_activate_qr2.png :scale: 50 % | The scanning process starts as soon as the camera is touched on the display. | .. image:: images/selfservice4_enroll2.S6_KI-APP_init-QR-Enroll2.png :scale: 25 % :align: center | If this step is successful, the following screen appears on the mobile phone and the QR Token in the KI-APP is available for authentication with the 2-factor. | .. image:: images/selfservice6_activate2.S6_KI-APP_QR-Token1.png :scale: 25 % :align: center | Test for KI QR Token function with /auth/qrtoken ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An active KeyIdetity QR token can be test at \https:///auth/qrtoken. This portal allows the function test of its KeyIdentiy QR Token. Enter the necessary data under "Create challenge:" **username:** Hier den Anmeldenamen wie im Selfservice Portal verwenden **OTP PIN:** The PIN that was given when the token was enrollment. Depending on the application, this is the PIN or the user password. This is the same value that is used for normal login. **message /data:** A message that is displayed in the KI-APP. (Optional) **get challenge** Initiates communication for authentication between LinOTP and the token in the KI App. You will receive a QR code, which is scanned with the KI-APP. | .. image:: images/authetication_QR-Token_create_challenge1.png :scale: 50 % | The QR code is scanned with the configured KI-App. For every further step, the button *"checkStatus"* can be used to query the current status during ongoing authentication. | .. image:: images/authetication_QR-Token_create_challenge2.png :scale: 50 % | Das Scannen wird mit "Scannen starten" in der KI-APP eingeleitet. | .. image:: images/authetication_QR-Token_create_challenge2_s61.png :scale: 15 % :align: center | In the following dialog, the text from the *message/data:* field can be seen. The authentication process continues with the **Confirm** key. | .. image:: images/authetication_QR-Token_create_challenge2_s62.png :scale: 15 % :align: center | Immediately before and after *Confirm*, the status display shows the state of the authentication. | .. image:: images/authetication_QR-Token_create_challenge3.png :scale: 50 % | The indented window shows success: *"User succesfully authenticated!"* | .. image:: images/authetication_QR-Token_create_challenge4.png | The app shows the successful completion in the following picture. | .. image:: images/authetication_QR-Token_create_challenge3_s61.png :scale: 15 % :align: center | Enrolling OATH Token for Google Authenticator ............................................. LinOTP also supports the Google Authenticator, that is available for Android phones and iPhones and the “OATH Token” for iPhones. These tokens can be easily enrolled using the two dimensional QR code. Install the Google Authenticator or OATH Token via app store. In the Selfservice Portal either choose “Enroll OATH Token” or “Enroll Google Authenticator”, click on enroll and use the camera of your phone to scan the QR code picture. Using mOTP Token ................. LinOTP provides a self service interface that can be used by the user to register a new mOTP 31 token completely on his own. mOTP is a one time password algorithm. For this algorithm many different applications to run on mobile phones, smart phones and iPhone and iPad are available. Your Administration or IT department should have provided you the download link from where to install the mOTP application to your smartphone. In this workflow the MobileOTP.jar Java Midlet from http://motp.sourceforge.net is used. Initializing the mOTP Token ~~~~~~~~~~~~~~~~~~~~~~~~~~~ After installing the midlet to your phone, you need to initialize the application. Start the MobileOTP application. .. figure:: images/motp-icon.png *The icon to start the application on your phone.* The OTP token can be initialized by entering the PIN “0000”. This can be repeated at any time afterwards. .. figure:: images/motp-init1.png *By entering the PIN '0000' the token can be initialized any time.* Now you need to put in 25 random numbers, that are used to create the init secret. Now the init secret is displayed. You should not write this down and not show it to any other, since this is the very secret that is used to calculate the OTP values. This secret is only displayed once. As soon as you enter the PIN, the secret can not be displayed anymore. .. figure:: images/motp-init2.png *The init-secret is only displayed once.* Registering the mOTP Token ~~~~~~~~~~~~~~~~~~~~~~~~~~ You now need to open the LinOTP Selfservice Portal. Open your web browser and go to the address that was given to you by your IT department. It should be something like: https://linotp.yourdomain.com/ Then you need to login to the Selfservice Portal. .. figure:: images/selfservice1.png *LinOTP Selfservice Portal login screen.* Here you should login using the credentials. This will be probably your domain credentials. For more details consult your IT department. When successfully logged in, you are presented this screen: .. figure:: images/selfservice2.png *LinOTP Selfservice Portal registering screen.* At the start no tokens will be displayed on the left hand side. On the right hand side, you need to enter the Init-Secret, that is displayed on your phone. Also enter an mOTP PIN, that you will enter into the MobileOTP application on your phone, each time you want to generate an OTP value. This mOTP PIN needs to be a 4 digit number. .. .. figure:: images/selfservice3.png *Enter all 16 characters of the init secret.* When you press the button "register Token" your token data gets registered in the backend and assigned to your user. You will now see a token identifier on the left hand side. .. figure:: images/selfservice4.png *A token is assigned to the user.* You may now set an additional OTP PIN. This OTP PIN a fixed password, that is entered in front of the OTP value, each time you will authenticate. The OTP PIN can be an alpha numerical value. For this click on “set OTP PIN” and click on the token identifier on the left hand side. .. figure:: images/selfservice5.png *Setting the OTP PIN for a token.* Press the Button “set PIN” and log out. Authenticating using mOTP Token ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Probably you will use the mOTP Token to authenticate to a web site, a VPN connection or to a terminalserver. When doing so, you need to: 1. Enter your username into the login dialog username field 2. Enter your OTP PIN (the alpha numerical value) into the login dialog password field 3. Enter your mOTP PIN (the 4 digit number) into your MobileOTP application on your phone. 3. Your phone will display a one time password. 4. Now enter this one time password (0caa10) right behind the OTP PIN in the password field in the login dialog. 6. Press a button like “login”. .. figure:: images/motp-auth.png .. figure:: images/mOTP_validate_check.png *Generated One Time Password.* Disable lost token ................... If you lost your token or left it somewhere so that someone else might probably use your token, you should go to the Selfservice Portal to disable your token. Please note, that only an administrator can enable the token again! .. figure:: images/disable.png *Disabling a lost token.* Choose “Disable Token” and select the token from the left side. Press the button “disable Token”. Logging in with this token will not be possible until it gets enabled by an administrator. Change OTP PIN ............... If you forgot your OTP PIN or if you think, that someone spied on you and knows your OTP PIN, you can go to the Selfservice Portal to reset your OTP PIN. .. figure:: images/otppin.png *Reset OTP PIN.* Select “set PIN” and choose the token of which you want to reset the OTP PIN from the left side. The serial number of the token will be displayed in the field “selected Token”. Enter a new OTP PIN two times and press the button “set PIN”. Resynchronize Token .................... As these tokens are event based tokens, you might get out of sync, if the button on a token is pressed to often without having authenticated successfully. In this case you can go to the Selfservice Portal to resynchronize your token. .. figure:: images/resync.png *Resynchronizing an eToken PASS.* Choose “resync Token” and select the token from the left side. Now you need to generate two successive OTP values with your token. Enter the first 6 digit OTP value in the field “OTP 1” and the second 6 digit OTP value in the field “OTP 2” and press the button “resync Token”. Individualize the Selfservice Portal -------------------------------------- .. _selfservice_imprint: Selfservice Portal Imprint ............................ .. index:: Imprint for Selfservice Portal You may define an imprint or contact information page for your self service portal. This can be different for each realm. Therefor you can create a different file and thus different information for each realm. The files have to be located at:: /etc/linotp2/imprint/.imprint This file may contain HTML code, so that you can add styles and links.