Skip to main content

How to use OTP in Soffid

Introduction

Soffid allows administrator users to config the access authentication with OTP as the second-factor authentication (2FA). This is the way to add a extra layer of protection used to ensure the security of online accounts beyond just a username and password.

The administrator user could config the proper OTP implementations that wants to use.

To know how to config the diffent options you can visit the OTP settings page.

There are three points where OTP can be used in Soffid

  1. Login Federation
  2. Access to pages
  3. XACML Rules
  4. Password Recovery

Federation

When you are configuring Soffid as Identity Provider, on the Authentication section you could config the OTP as a second authentication factor (2FA).

You can visit the How to deploy the identity & service provider step by step page for more detailed information

Example

FristFirst of all, configure the OTP OTP  as a secondosecond factor authentication at the Identity & service providers page

Main Menu > Administration > Configuration > Web SSO > Identity & Service providers

image-1643376367536.png

 

Then, when users login, they must write their credentialsimage-1643614241346.png

If the credentials written are ok, finally Soffid will ask for the 2FA

image-1643376347362.png

Authentication Authentication 

Regarding to the access to pages, you will be able to config the specific Soffid console pages that will require OTP authentication. In addition, you will be able to config if the second-factor authentication will be required to all the users or only to users with enabled token.

You can visit the Authentication page for more information

Example

The following is an example of how for a given configuration, a user can access certain pages, or how a second authentication factor is required for the user.

Second factor authentication configuration

Soffid will require the PIN to access to the specified pages to users with a enabled token

Main Menu > Administration > Configuration > Security settings > Authentication

image-1639997201805.png

User access

XACML

OTP can also be used at XACML Policy Management. This policies allow adding more complex and restricted rules to the authorizations.

You can visit the XACML book for more information.  

Example

A 2FA is required to launch the connection to some servers.

Administrator user can configure the XACML policies.

Main Menu > Administration > Configuration > Security settings > XACML Policy Management

image-1643901144825.png

When dilbert launch the connection, Soffid will ask for the 2FA

image-1643901062838.png

 

Password Recovery

OTP can be use by end-user to recover the password.

You can visit the Password Recovery book for more information.

Example

A end-user wants to recover his password.

Soffid allows to recover by clicking on the recover password option:

image-1646815422309.png

Then, the end-user must identify himself:

image-1646815286342.png

And Soffid requires to enter the PIN

image-1646813762060.png

If the end-user has not configured the OTP devices, a error message will be display.

image-1646815538898.png