5.3 Configuring TOTP from Desktop OTP Tool as One of the Factors to Access a Corporate Portal

Let us assume an organization named Reltic Data, Inc. wants to use the Advanced Authentication Desktop OTP tool to generate time-based OTPs. The generated OTP is used as one of the factors to access their corporate portal, which is integrated with Advanced Authentication using SAML 2.0.

This section explains the prerequisites and step-by-step configuration details to achieve this. 

This example uses the following user profiles:

  • Administrator: Thomas is an administrator of Reltic Data, Inc.

  • End user: Mark Jones is a software developer of Reltic Data, Inc.

Thomas, an administrator of Reltic Data, has identified the Card and TOTP methods for authenticating to the corporate portal. TOTP is generated using the Advanced Authentication Desktop OTP tool. This example uses Google Workspace as the corporate portal.

Thomas must perform the tasks described in the following sections to integrate Google Workspace with Advanced Authentication and implement TOTP from the Desktop OTP tool as one of the factors for Google Suite authentication.

For information about how an end user enrolls in the configured methods, generates a time-based OTP using the Advanced Authentication Desktop OTP tool, and authenticates to the corporate portal, see End User Tasks.

5.3.1 Prerequisites

Ensure that you meet the following prerequisites:

  • An LDAP repository for Reltic Data, Inc is configured and the repository contains the information of all users.

    This example uses Active Directory Domain Services as an LDAP repository.

  • A group named SAML Websites is created in Active Directory Domain Services. Add the users who must pass multi-factor authentication to log in to the corporate website to this group.

  • The Advanced Authentication server is installed. For more information, see Installing Advanced Authentication.

  • Add the Active Directory of Digital Data, Inc. as a repository in Advanced Authentication; user details are fetched from it for validation. For more information, see Add a Repository.

  • The Advanced Authentication Desktop OTP tool is installed on the Windows workstation. For more information, see Installing Desktop OTP Tool.

  • Identify and obtain suitable contactless card readers and cards for employees. Employees use the card to enroll and authenticate to the corporate portal. For more information, see Supported Card Readers and Cards.

  • The Advanced Authentication Device Service is installed on the workstation. For more information, see Installing and Upgrading Device Service.

  • The parameters specific to the card reader are configured in the Device Service. For more information, see Configuring the Card Settings.

5.3.2 Configure Methods

The Card method works as expected with the pre-defined values.

Perform the following steps to configure the TOTP method:

  1. Click Methods > OATH OTP in the Advanced Authentication Administration portal.

  2. Specify the following details in the TOTP section:

    OTP format: The number of digits in the OTP token. The default value is 6 digits. The value must match the tokens you are using.

    OTP period (sec): How often a new OTP is generated. The default value is 30 seconds. The maximum value for the OTP period is 360 seconds.

    OTP window: The number of periods the Advanced Authentication server considers when validating a TOTP. For example, if you have a period of 30 and a window of 4, then the token is valid for 2*30 seconds before the current time and 2*30 seconds after the current time, which is ±2 minutes. This tolerance exists because the clocks of the token and the server can be out of sync, which would otherwise cause authentication to fail. The maximum value for the OTP window is 64 periods.

  3. Click Save.

  4. Continue with Create a Chain.
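The OTP period and OTP window settings above define a clock tolerance around the server's current time step. The following Python script is an added example, not part of this documentation or of the Advanced Authentication product: it implements an RFC 6238 TOTP generator and a server-side check that accepts codes from window/2 periods before to window/2 periods after the current step, which is how the period-30, window-4 description above reads. The key is the RFC 6238 test key, used here as constructed sample input, not a real enrollment secret.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time.

    period corresponds to the "OTP period (sec)" setting, digits to "OTP format".
    """
    step = unix_time // period
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, candidate: str, now: int,
                period: int = 30, digits: int = 6, window: int = 4) -> bool:
    """Server-side check mirroring the OTP period / OTP window settings.

    A window of N periods accepts the current step plus N // 2 steps on each
    side: period=30, window=4 accepts codes from 60 s before to 60 s after the
    server's current step. All candidate steps are compared in constant time.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False
    half = window // 2
    matched = False
    for delta in range(-half, half + 1):
        expected = totp(secret, now + delta * period, period, digits)
        if hmac.compare_digest(expected, candidate):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed sample input: the RFC 6238 test key, not a real enrollment secret.
    key = b"12345678901234567890"
    now = 1_700_000_000
    print("current code:", totp(key, now))
    print("code from 2 periods ago accepted:", verify_totp(key, totp(key, now - 60), now))
    print("code from 3 periods ago accepted:", verify_totp(key, totp(key, now - 90), now))
```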

5.3.3 Create a Chain

Perform the following steps to create a chain with Card and TOTP methods:

  1. Click Chains > New Chain in the Advanced Authentication Administration portal.

  2. Specify the following details:

    Name: A name for the chain. Note: Remember the name of the chain; it is needed later.

    Is enabled: Set to ON to enable the chain.

    Methods: Select the Card and TOTP methods to add to the chain.

    Roles and Groups: Specify SAML Websites. This requires all users in this group to use this authentication chain for logging in to Google G Suite.

  3. Click Save.

  4. Continue with Create a SAML2 Event.

5.3.4 Create a SAML2 Event

  1. Click Events > New Event in the Advanced Authentication Administration portal.

  2. Perform the following to add a new event:

    1. Specify Google in Name.

    2. Select SAML 2 in the Event type.

    3. Select the chain that you created in Create a Chain.

    4. Click Choose File to upload the XML file that you fetched from Google.

    5. Set Send E-Mail as NameID (suitable for G-Suite) to ON. This setting is required for Google Workspace.

    6. Click Save.

  3. Continue with Configure Web Authentication Policy.

IMPORTANT: By default, the Desktop OTP event is configured with either the LDAP Password or the Password method. The Desktop OTP event supports only a single-factor authenticator; users authenticate to the Desktop OTP tool with one of these methods.

5.3.5 Configure Web Authentication Policy

  1. Specify a valid DNS name of the Advanced Authentication server in the Identity Provider URL field for the SAML integration with Google Workspace.

    NOTE: You can download the SAML 2.0 metadata file only after specifying the Identity Provider URL. The downloaded SAML 2.0 metadata file is used to configure the Service Provider.

  2. Continue with Obtaining the Signing Certificate of Advanced Authentication.

5.3.6 Obtaining the Signing Certificate of Advanced Authentication

  1. Click Server Options in the Advanced Authentication Administration portal.

  2. Click Signing Certificate and save the certificate content to a text file for later use.

  3. (Optional) To verify the integration, open the Google Sign-in page and specify the email address of a user (the email address from the Basic information of the Google account). Check whether Google redirects to the Advanced Authentication server, where the user must authenticate. After successful authentication, the Advanced Authentication server redirects the user back to Google.

  4. Continue with Configure Google Workspace.

5.3.7 Configure Google Workspace

  1. Log in to the Google Administration console.

    NOTE: Sign in with an administrator account (one that does not end with gmail.com).

  2. Open the Security section.

  3. Expand Set up single sign-on (SSO).

  4. Enable Setup SSO with third party identity provider.

  5. Specify the following parameters:

    1. Sign-in page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/saml2/sso. Replace AdvancedAuthenticationServerAddress with the domain name or IP address of your Advanced Authentication server.

    2. Sign-out page URL: https://<AdvancedAuthenticationServerAddress>/osp/a/TOP/auth/app/logout.

    3. Change password URL: https://<AdvancedAuthenticationServerAddress> or the Self-Service Password Reset URL.

    4. Upload the Identity Provider certificate that you saved in Step 2 of Obtaining the Signing Certificate of Advanced Authentication.

  6. Clear Use a domain specific issuer if you have one domain in G Suite, or select it if you have more than one domain in G Suite.

    Ensure that every Google user account corresponds to a user account in the repository. The email address in the Contact information of the Google account must match the email attribute of the corresponding account in your repository.

    NOTE: You cannot use the Google administrator account with SAML.

  7. Create a new text file and add the Service Provider metadata to it. Following is the sample metadata:

    <EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mycompany.com" />
      </SPSSODescriptor>
    </EntityDescriptor>

    Replace mycompany.com in the Location URL with your primary domain from the Domains settings in Google.

    NOTE: Use this Service Provider metadata as-is when only one domain exists in Google Workspace. If you have more than one domain in G Suite, then in the Service Provider metadata for each domain the entityID google.com must be replaced with google.com/mycompany.com, where mycompany.com is that domain name.

  8. Save the text file with a .xml extension.

  9. Continue with Generate and Send an Enrollment Link to Users.

5.3.8 Generate and Send an Enrollment Link to Users

To generate an enrollment link, you encode the server URL, tenant ID, and category name in Base64 format, for example using any online tool. The generated link is then sent to the users by email; opening it starts the Desktop OTP tool, where users create an account to enroll the TOTP authenticator, which is also registered in the Self-Service portal.

To generate the enrollment link in the Base64 format, perform the following steps:

  1. Provide the server URL, tenant ID, and category name in the following JSON format:

    {"server_url":"<domain-name>","tenant_name":"<tenant-name>","category_name": "HOME"}

    For example, {"server_url": "aafserver.company.com", "tenant_name":"netiq", "category_name": "HOME"}

    You can specify a preferred category name for the category_name parameter if you have added categories in the Event Categories policy. You can omit the category_name parameter if you have not added any category.

    Specify TOP for the tenant_name parameter if Multitenancy mode is disabled.

    If the enrollment link does not work, validate the JSON syntax; see Validating JSON Syntax in SLAnalyzer.

  2. Encode the value including {} to Base64 (charset: UTF-8) format.

    For example, the encoded link is displayed as:

    eyJzZXJ2ZXJfdXJsIjogImFhZnNlcnZlci5jb21wYW55LmNvbSIsICJ0ZW5hbnRfbmFtZSI6Im5ldGlxIiwgImNhdGVnb3J5X25hbWUiOiAiSE9NRSJ9

  3. Copy the encoded link for further use.
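The following Python script is an added example, not NetIQ's code: it builds the aaf-otp: link from the JSON payload described above and decodes a link back to its payload, so a link can be generated and checked on the administrator's workstation before it is mailed out. It assumes only that the Desktop OTP tool Base64-decodes the link and parses the result as standard JSON, so a typographic quote such as ” in place of " makes the link unusable; the sample values aafserver.company.com and netiq are the ones used on this page.

```python
import base64
import json

LINK_PREFIX = "aaf-otp:"  # scheme prefix the Desktop OTP tool handles, as given on the page


def make_enrollment_link(server_url: str, tenant_name: str = "TOP",
                         category_name: str = "") -> str:
    """Encode server URL, tenant and optional category as an aaf-otp: link.

    tenant_name "TOP" is the value to use when Multitenancy mode is disabled.
    An empty category_name leaves the key out, as the page says to do when no
    Event Category is configured.
    """
    payload = {"server_url": server_url, "tenant_name": tenant_name}
    if category_name:
        payload["category_name"] = category_name
    raw = json.dumps(payload).encode("utf-8")          # Base64 of the UTF-8 JSON, braces included
    return LINK_PREFIX + base64.b64encode(raw).decode("ascii")


def decode_enrollment_link(link: str) -> dict:
    """Reverse the encoding and validate the payload; raises ValueError on any defect."""
    if not link.startswith(LINK_PREFIX):
        raise ValueError("link does not start with " + LINK_PREFIX)
    raw = base64.b64decode(link[len(LINK_PREFIX):], validate=True)  # binascii.Error is a ValueError
    payload = json.loads(raw.decode("utf-8"))           # JSONDecodeError is a ValueError
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    missing = {"server_url", "tenant_name"} - set(payload)
    if missing:
        raise ValueError("payload is missing " + ", ".join(sorted(missing)))
    return payload


def validate_enrollment_link(link: str) -> bool:
    """True when the link decodes to a usable payload, False otherwise."""
    try:
        decode_enrollment_link(link)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    link = make_enrollment_link("aafserver.company.com", "netiq", "HOME")
    print(link)
    print(decode_enrollment_link(link))
```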

To send an enrollment link through email, perform the following steps:

  1. Compose an email with the subject and body.

    For example, specify TOTP Enrollment Link in the Subject and body as follows:

    Hi Users, click here to enroll the TOTP authenticator using the Desktop OTP tool.

  2. Right click on the preferred text and select Hyperlink.

  3. In Address, specify the encoded link prefixed with aaf-otp:.

    For example, aaf-otp:eyJzZXJ2ZXJfdXJsIjogImFhZnNlcnZlci5jb21wYW55LmNvbSIsICJ0ZW5hbnRfbmFtZSI6Im5ldGlxIiwgImNhdGVnb3J5X25hbWUiOiAiSE9NRSJ9

  4. Specify the email addresses of the intended users in To, then click Send.

    Users can click the hyperlink to open the Desktop OTP tool automatically.

5.3.9 End User Tasks

Users perform the following tasks to authenticate to Google Suite with the configured methods:

Enrolling Card Method

Before enrolling the Card authenticator, ensure that the card reader is connected to the computer.

  1. Log in to the Advanced Authentication Self-Service portal.

  2. Click the Card icon in Add Authenticator.

    A message Click "Save" to begin is displayed.

  3. (Optional) Specify a comment related to the Card authenticator in Comment.

  4. (Optional) Select the preferred category from the Category.

  5. Click Save.

    A message Waiting for the card is displayed.

  6. Tap a card on the reader.

    A message Authenticator "Card" has been added is displayed.

Enrolling TOTP Method Using the Desktop OTP Tool

Before enrolling the TOTP authenticator using the link, ensure that the NetIQ Desktop OTP tool is installed on your system.

  1. Check your registered email or phone for the enrollment link.

  2. Click on the link.

    You are directed to the Desktop OTP tool.

  3. Specify your LDAP repository or local username, your password, and an optional comment in the NetIQ Advanced Authentication OTP Tool window.

  4. Click OK.

    The TOTP authenticator is created in the Desktop OTP tool and enrolled in the Self-Service portal.

Authenticate to Google Workspace

  1. Open the Google Sign-in page in a browser.

  2. Specify the email address of the Google account.

    The page redirects to the Advanced Authentication server authentication screen.

    Ensure the card reader is plugged into the workstation.

  3. Tap the card on the reader.

  4. Open the Desktop OTP tool.

  5. Specify your LDAP repository username and password.

  6. Copy the OTP from the Desktop OTP tool.

  7. Paste the OTP in the Password field of the authentication screen.

    You are authenticated to Google Workspace successfully.