Skip to main content

How to use OTP in Soffid


Soffid allows administrator users to config the access authentication with OTP as the second-factor authentication (2FA). This is the way to add a extra layer of protection used to ensure the security of online accounts beyond just a username and password.

The administrator user could config the proper OTP implementations that wants to use.

To know how to config the diffent options you can visit the OTP settings page.

There are three points where OTP can be used in Soffid

  1. Login Federation
  2. Access to pages
  3. XACML Rules
  4. Password Recovery


When you are configuring Soffid as Identity Provider, on the Authentication section you could config the OTP as a second authentication factor (2FA).

You can visit the How to deploy the identity & service provider step by step page for more detailed information


Frist of all, configure the OTP  as a secondo factor authentication at the Identity & service providers page

Main Menu > Administration > Configuration > Web SSO > Identity & Service providers



Then, when users login, they must write their credentialsimage-1643614241346.png

If the credentials written are ok, finally Soffid will ask for the 2FA



Regarding to the access to pages, you will be able to config the specific Soffid console pages that will require OTP authentication. In addition, you will be able to config if the second-factor authentication will be required to all the users or only to users with enabled token.

You can visit the Authentication page for more information


The following is an example of how for a given configuration, a user can access certain pages, or how a second authentication factor is required for the user.

Second factor authentication configuration

Soffid will require the PIN to access to the specified pages to users with a enabled token

Main Menu > Administration > Configuration > Security settings > Authentication


User access


OTP can also be used at XACML Policy Management. This policies allow adding more complex and restricted rules to the authorizations.

You can visit the XACML book for more information. 


A 2FA is required to launch the connection to some servers.

Administrator user can configure the XACML policies.

Main Menu > Administration > Configuration > Security settings > XACML Policy Management


When dilbert launch the connection, Soffid will ask for the 2FA



Password Recovery

OTP can be use by end-user to recover the password.

You can visit the Password Recovery book for more information.


A end-user wants to recover his password.

Soffid allows to recover by clicking on the recover password option:


Then, the end-user must identify himself:


And Soffid requires to enter the PIN


If the end-user has not configured the OTP devices, a error message will be display.