NEW: Support for Novell Access Manager 3.1


A popular authentication method is to log in with a generated token that is sent to the user’s mobile phone. This authentication method can be configured with almost any SMS gateway that uses HTTP/POST to receive the message.

Here’s how the method works:

a) The user first needs to identify himself with his credentials.
b) If they are valid, the Identity Server will generate a token and lookup the mobile phone number from the user.
c) When this is successfully done, a HTTP/POST is done to the SMS gateway with the needed parameters build from the class properties, the generated token and the users mobile phone number.
d) The SMS gateway receives the POST and tries to send the SMS.
e) The gateway sends a response message to the Identity Server.
f) If the response is valid, the Identity server displays a form asking for the token.
g) If the user types the correct token, he’ll be successfully authenticated.

The process is shown in the diagram below.

Figure 1 – SMS Token-based authentication method


1. Get the BA Authentication modules here:

2. Go to the Identity server.

3. Copy ba-idp-auth.jar to /var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib

4. Copy the JSP’s to /var/opt/novell/tomcat4/webapps/nidp/jsp


You’ll need to create a new Authentication Class.

1. For the Java class, choose Other.

2. For the Java class path, use “”

3. For the properties, refer to the table and the examples.

4. Create Authentication Methods as Contracts, as described in

Figure 2 – SMS Login, General tab

Figure 3 – SMS Login, Properties tab

Property Name Default Value Description
phoneAttr mobile The ldap attribute name to query for the phone number.
ex: mobilePhoneNumber
The characters used to construct the token. The token is case sensitive. It has not been tested with special characters.
lengthToken 6 The length the token should be.
gwURL MUST EXIST The URL of the SMS Gateway where the SMS information should be posted to.
gwUserParameter n/a The Username used to authenticate to the SMS Gateway.
ex: user=Bart
gwPasswdParameter n/a The Password used to authenticate to the SMS Gateway.
ex: passwd=RoyalAntwerpFC
gwExtraParameter n/a An extra parameter required for the SMS Gateway.
ex: applicId=0933
gwExtraParameter2 n/a An second extra parameter required for the SMS Gateway.
ex: from=BALoginToken
gwDestName n/a The name of the Phone number parameter for the SMS Gateway.
ex: to
gwMessageName n/a The name of the SMS text parameter for the SMS Gateway.
ex: text
gwSuccess n/a If the response coming from the SMS Gateway contains this string, the token jsp is displayed and login will proceed. If this property is not present, it will result in success.
ex: success
gwError n/a If the response coming from the SMS Gateway contains this string, the error jsp is displayed and login will fail. If this property is not present, it will result in success.
ex: failed
debug n/a If this property is present and not null, debug is enabled.
ex: on


I won’t go into much detail on troubleshooting here. There’s only one important thing you need to know: if you enabled debug in the Properties tab, you need to use the following command in bash:

?tail -f /var/opt/novell/tomcat4/logs/catalina.out | grep BADEBUG?

If you don’t find any BADEBUG entries, check to see if the jar is present on the server and if the Authentication method has been set up correctly. If you see these entries, they will tell what is going wrong:

SMS Gateway error (no credits for this account):

BADEBUG - method doPhase1 called
BADEBUG - method sendSMS called A23EZ1 003211111111
BADEBUG - Request:                     sword=RoyalAntwerpFC&to=003211111111&text=A23EZ1&null&null
BADEBUG - SMS gateway output: ERR: No Credit Left

SMS successfully sent:

BADEBUG - method doPhase1 called
BADEBUG - method sendSMS called Z34RE4 003211111111
BADEBUG - Request:                     sword=RoyalAntwerpFC&to=003211111111&text=Z34RE4&null&null
BADEBUG - SMS gateway output: Message OK
BADEBUG - Handled Request
BADEBUG - method doPhase2 called
BADEBUG - Authentication Success
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Categories: Uncategorized

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply


  • sebastijan says:

    I cannot get it work in Access manager 3.1 (but it works in 3.0 SP4). Has anyone had any success?

  • RamonLustrati says:

    I followed the instructions on this article.

    Now when I try to login i get the following error.

    Method Configuration Error

    When i put a false password i get the error “Login failed, please try again.”

    In this case the username and password will be checked. But why i get the error “Method Configuration Error”?

    • alexmchugh says:

      This error just means you are missing some of the required properties are not configured on the class.

      FYI, you also get this same error in the scenario where you want to use this class as a FALLBACK_AUTHCLASS from another authentication method (in my case it was Kerberos), to resolve this you need to define ALL the SMSLogin properties again on the Method (not the class) that you are falling back from (in addition to specifying FALLBACK_AUTHCLASS

  • alexmchugh says:

    How long is the SMS token valid for (it feels like it is less than 5 minutes)? It doesn’t seem to be mentioned in the cool solution. Can this be changed?

  • pellerano says:

    Has someone used SMSlogin class win NAM 4.0?
    We have this error in catalina.out file:
    2014-05-28T15:20:00Z WARNING NIDS Application: AM#300105005: AMDEVICEID#6A47D37E86B5F008: Failed to load/execut
    e authentication class ba-idp-SMS-auth. Error:


  • Alexander McHugh Alexander McHugh says:

    This does not seem to handle the “Password expiration servlet” feature. If one has an expired password, and have configured a “Password expiration servlet” URL, then it should redirect to this URL after the LDAP auth check (before issuing a SMS token).

    Enabling debug logging shows nothing useful. Any ideas?

By: BAndries
Dec 5, 2007
8:27 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow