Token Registration

1. Overview

In this how-to, we will demonstrate the possible ways to enroll a hardware token or a software token on your mobile. For software token registration, you must have a token application installed on your phone, such as OpenOTP Token or Google Authenticator. OpenOTP Token is the recommended one, as it supports all the features offered by the OpenOTP server (push login, phishing protection…).

2. Admin Enrollment through the WebADM Admin GUI

A token enrollment can be done by a super_admin or other_admin user through the WebADM admin GUI. To be able to register a token on a user account, the user account must be activated. Have a look at the following documentation if you don’t know how to activate a user.

2.1 Hardware Tokens

2.1.1 Import the Hardware Token Inventory

Hardware tokens can be registered with the token serial number written on the back of the hardware token. To assign a hardware token, however, the token must be present in the WebADM inventory database. RCDevs provides an inventory file for every token it sells; this inventory contains the token seeds. So first, you have to import the inventory file. To do that, log in to the WebADM Admin GUI, click on the Import tab and click on Import Inventory File.

The next page allows you to choose the inventory file on your computer. Select the file and click on the Import button.

Your hardware tokens are imported and can be assigned to users.

2.1.2 Hardware Token Registration

To perform the hardware token enrollment, log in to the WebADM Admin GUI and, in the left LDAP tree, click on the user account for which you want to register a token. Once you are on the activated user account, in the Application Actions box, click on MFA Authentication Server.

In the next menu, click on the Register/Unregister OTP Tokens item and you will be on the registration page:

Select the token slot (here, the primary Token) and choose the option I use Hardware Token (Inventoried).

Enter the serial number of the token and click on the Register button.

The token is now registered on the user account.

2.2 Software Token Registration

To perform the enrollment, log in to the WebADM Admin GUI and, in the left LDAP tree, click on the user account for which you want to register a token. Once you are on the activated user account, in the Application Actions box, click on MFA Authentication Server.

In the next menu, click on the Register/Unregister OTP Tokens item and you will be on the registration page:

3 options are now available for software token registration:

  • I use a QRCode-based Authenticator (Time-based)
  • I use a QRCode-based Authenticator (Event-based)
  • I use another Token (Manual Registration)

Manual registration is not explained in this documentation. Select the time-based token registration (the preferred one) or the event-based token registration and a QRCode will be displayed. Open the token application installed on your phone and scan the QRCode.

Note

The message ‘Mobile Push Data: [Waiting for Mobile Response]’ is only displayed when you have configured the Push login infrastructure.

Once the QRCode is scanned, the token appears in your software token application. Click on the Register button once the token is enrolled on your phone.

Push Token enrollment

When you have configured a Push login infrastructure with OpenOTP, you don’t need to click on the Register button: the registration at the WebADM level is done automatically by the mobile response.

The enrollment through the WebADM Admin GUI is now done and you should be able to log in with an OTP.

3. End-User enrollment through RCDevs Web Applications

RCDevs provides two web applications (selfdesk and selfreg) for user self-enrollment. These applications are free and must be installed on your WebADM server. To limit end-user access to the WebADM/OpenOTP servers, you can expose these web applications through a WebADM Publishing Proxy. This way, your end users reach the web applications through the WAProxy server and not the WebADM server itself.

The User Self-Registration application is similar to the User Self-Service Desk; the only difference between the two is that Self-Registration can be accessed only at the request of a WebADM administrator. To allow a user to access this application, the administrator has to send a Self-Registration request to the user. The user receives a one-time link by mail or SMS to access the application. Once the user has logged in to the application through the one-time link, the link is revoked and the user cannot access the application anymore. The Selfdesk application is accessible at any time by the end user (unless the application is locked by default in its configuration).

3.1 User Self-Registration

Have a look here for the soft token enrollment through the selfreg application. That documentation shows you how to send a self-registration request to a user. Once you are logged in to the selfreg application, you can follow part 3.2 to enroll a token (selfdesk and selfreg are similar for the token registration part).

3.2 User Self-Service Desk

The User Self-Service Desk is accessible at the following address:

https://YOUR_WEBADM/webapps/selfdesk/login_uid.php

Through the WAProxy, the address is:

https://YOUR_WAPROXY/selfdesk/login_uid.php

To allow the user to enroll a token, you have to allow OTP management in the Selfdesk configuration.

Once that setting is enabled, you can log in to the Selfdesk application.

Once logged in to the Selfdesk application, go to the OTP tab.

Now click on the Register Token button.

You are now in the menu to register a token. As you can see, it looks like the admin enrollment page. Select one of the two QRCode methods. The QRCode will appear on your screen. Scan it with your preferred token application and you should see the token registered in the application.

Enter the OTP code provided by your token application under the QRCode.

Then click on the Register button.

Your software token is now registered.

4. Authentication Test through the WebADM Admin GUI

Log in to the WebADM Admin GUI and click on your user in the left tree. In the Application Actions box, click on MFA Authentication Server.

We scroll down and click on Test User Login:

We insert the LDAP password and the OTP, and we click on OK:

We are authenticated!

5. Logs

Now we can check the logs: click on the Databases tab.

Click on WebADM Server Log Files. This corresponds to the /opt/webadm/log/webadm.log file:

Each authentication is identified by an ID. Here, it is JTLYVX0O.

[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] New openotpNormalLogin SOAP request
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Username: testing_account
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Domain: yorcdevs
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > LDAP Password: xxxxxxxx
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > OTP Password: xxxxxx
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Client ID: OpenOTP
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Source IP: 192.168.3.54
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Context ID: 669a5a28e23dad1d3a50cc5d8a24ac30
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Registered openotpNormalLogin request
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Resolved LDAP user: CN=testing_account,CN=Users,DC=yorcdevs,DC=com
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Started transaction lock for user
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Found user fullname: testing_account
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Found 43 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,PushLogin=Yes,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Found 5 user data: TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Found 1 registered OTP token (TOTP)
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Requested login factors: LDAP & OTP
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] LDAP password Ok
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] TOTP password Ok (token #1)
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Updated user data
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Sent success response
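As an added example (not part of the RCDevs documentation), the following Python parser groups webadm.log lines by the OpenOTP request ID shown above and runs two defender-side checks over each request; it assumes only the line layout visible in the excerpt, and the embedded sample is copied from that excerpt with the settings list shortened.

```python
import re

# Sample copied from the webadm.log excerpt on this page (settings list shortened).
SAMPLE_LOG = """\
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] New openotpNormalLogin SOAP request
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Username: testing_account
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Domain: yorcdevs
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] > Source IP: 192.168.3.54
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Found 43 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,TOTPTimeStep=30,TOTPTimeOffsetWindow=120
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Requested login factors: LDAP & OTP
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] LDAP password Ok
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] TOTP password Ok (token #1)
[2019-03-08 14:39:09] [192.168.3.54] [OpenOTP:JTLYVX0O] Sent success response
"""

# Line layout as seen above: [timestamp] [client ip] [OpenOTP:REQUEST_ID] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\] \[OpenOTP:(?P<rid>\w+)\] (?P<msg>.*)$")
FIELD_RE = re.compile(r"^> (?P<key>[^:]+): (?P<val>.*)$")
OTP_OK_RE = re.compile(r"^(?P<kind>\w+) password Ok \(token #(?P<slot>\d+)\)$")

def parse_webadm_log(text: str) -> dict:
    """Group lines by OpenOTP request ID and summarise each authentication request."""
    reqs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an OpenOTP request line
        r = reqs.setdefault(m["rid"], {"ts": m["ts"], "client_ip": m["ip"], "fields": {},
                                       "settings": {}, "ldap_ok": False, "otp": None, "success": False})
        msg = m["msg"]
        if (f := FIELD_RE.match(msg)):
            r["fields"][f["key"]] = f["val"]             # "> Username: ..." style lines
        elif msg.startswith("Found ") and " user settings: " in msg:
            r["settings"] = dict(kv.split("=", 1) for kv in msg.split(": ", 1)[1].split(","))
        elif msg == "LDAP password Ok":
            r["ldap_ok"] = True
        elif (o := OTP_OK_RE.match(msg)):
            r["otp"] = (o["kind"], int(o["slot"]))     # e.g. ("TOTP", 1)
        elif msg == "Sent success response":
            r["success"] = True
    return reqs

def check_request(r: dict) -> list:
    """Defender-side sanity checks on one summarised request; returns a list of findings."""
    findings = []
    if r["success"] and not (r["ldap_ok"] and r["otp"]):
        findings.append("success response without both LDAP and OTP factors confirmed")
    src = r["fields"].get("Source IP")
    if src and src != r["client_ip"]:
        findings.append("client-reported Source IP differs from connecting IP (expected behind a proxy)")
    return findings
```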