12. Voice Provider

Starting with version 2.10 LinOTP supports Voice Tokens.

Note

KeyIdentity’s voice challenge service is required additionally to LinOTP to utilize Voice Tokens.

12.1. Configuration

For using Voice Tokens at least one “Voice Token Provider” must be configured.

The Voice Token Provider configuration can be found at the token management GUI (https://LINOTPSERVER/manage) “LinOTP Config” –> “Provider Config” –> “Voice Provider Config” where the Providers can be created, edited and deleted.


../_images/menu_voiceprovider.png

Access Push Provider Configuration


../_images/webui_popup_voiceprovider.png

Create a new Push Provider


Set up as many Push Providers as required. Which one will be used can be configured by policies. If no policy exists or no existing policy applies the Push Provider marked as “(Default)” will be used.

12.1.1. Policy to choose Voice Provider

Different Voice Provider can be used depending on username, realm or client.

  • Policy name: this is a unique name of the policy.

  • Scope: You need to set this to authentication.

  • Action: voice_provider=<NAME_OF_ONE_OF_THE_DESIRED_PROVIDER>

  • User: This is a comma separated list of usernames or resolver names. Please see Users in policies.

  • Realm: Enter the name of the realm.

  • Client: This is a list of IP addresses or subnets this policy is valid for.

12.1.2. Configure Voice Provider

A Voice Provider is a LinOTP module, that defines how the push messages are transmitted to the user’s phone.

These four values can be configured in the server configuration:

Name

Name of the Voice Provider as to be used in the policies.

Class

The Voice Provider module to be used for sending messages. At the moment LinOTP comes with one Voice Provider class: CustomVoiceProvider

Config

The configuration parameter for the Voice Provider Class.

Timeout

This configuration key holds the time that an OTP value that was transmitted is valid. The number is interpreted in seconds. The default value is 120 e.g. 2 minutes. That means that after a user requested a Voice OTP he will be able to use this OTP value within the next 2 minutes. If the Voice arrives later or the user will not use this OTP value within 2 minutes, it will not be valid anymore.

12.1.2.1. Configuration details of the Voice Token Provider

Note

At the moment the LinOTP Voice Provider in conjunction with the voice provider service supports only Twilio as voice provider. More provider will be added.

Here is a complete example configuration. Details are explained below.

{
"server_url": "https://stretchvc.example.net/v1/twilio/call",
"access_certificate":"/etc/linotp2/client-certfificate.pem",
"server_certificate": "/etc/linotp2/root_ca.crt",
"twilioConfig": {
    "authToken": "1234678901234567891234567891234",
    "accountSid": "AC7d3c6f34462c7c0aa84576db6a26fe28",
    "voice": "alice",
    "callerNumber": "+49123456789"}
}

The Voice Provider configuration itself contains the configuration for the voice challenge service:

{
"server_url": "https://FQDN_VOICE_CHALLENGE_SERVER>/v1/twilio/call"
"access_certificate": "FULLPATH_TO_CLIENT_CERTIFICATE",
"server_certificate": "FULLPATH_TO_PNPSERVER_CERTIFICATE"
}
server_url

holds the link to the API of KeyIdentity’s voice challenge server.

Example:

"server_url": "https://voicechallenge.exampe.net/v1/twilio/call"
access_certificate

points to the client certificate used to authenticate against the voice challenge server. This is required to make sure only authenticated parties can trigger challenges.

Example:

"access_certificate": "/etc/linotp2/client-certfificate.pem"
server_certificate

points to the server certificate (or certificate chain) of the voice challenge server to ensure to communicate with the correct server.

Example:

"server_certificate": "/etc/linotp2/root_ca.crt"

Note

Please make sure all certificates are correct and the trusted as required.

Additionally to the voice challenge server configuration the provider must contain details about the actual Voice Provider used. At the moment only Twilio is supported.

These are the available actions:

accountSid

This is the account used to communicate with Twilio.

Example:

"accountSid": "AC7d3c6f34462c7c0aa84576db6a26fe28",
authToken

This is the password for the account.

Example:

"authToken": "1234678901234567891234567891234",
voice

This is an optional parameter which chose the voice used to read the OTP to the user.

Example:

"voice": "alice",
callerNumber

This is the number the user will receive the call from. It must be registered at Twilio.

Example:

"callerNumber": "+49123456789",

12.2. Testing of the Voice Token

Starting with version 2.10 LinOTP offers a test page for challenge response tokens:

https://LINOTP/auth/challenge-response

Enter username and OTP PIN (the PIN depends on the otppin policy) and press trigger. If everything is set up correctly a call is received. Enter the OTP in the “Submit response” section. Then press submit. A pop up appears which tells whether the authenication has been successful or not.

../_images/challenge_response_test.png