- Created by Vladislav Fomichev, last modified on Aug 13, 2019
Files of Indeed AM Email OTP Provider reside in: indeed AM\Indeed AM Providers\Indeed AM Email OTP Provider\<Version number>\
- IndeedAM.AuthProviders.SMTP-x64.msi is the installation package of Indeed AM Email OTP Provider
- /Misc folder contains policy templates.
About the Indeed AM Email OTP Provider component
Indeed AM Email OTP Provider requires an e-mail server. This e-mail server must be reachable from every Indeed Access Manager server on which Email OTP Provider is to be installed.
A user must have an e-mail address defined in the "mail" attribute to use the authenticator. Otherwise, the authenticator is not available to that user.
The authenticator does not require enrollment.
The Email OTP Provider is intended for user authentication with one-time passwords sent to the user in question via e-mail.
A one-time password is a random combination of digits, special characters and Latin characters. The password is generated by Indeed AM and passed to the e-mail delivery service, which sends it to the user as an e-mail message. Data transmission is performed via SMTP (Simple Mail Transfer Protocol).
Installation
- Install Indeed Email OTP Provider by running the IndeedAM.AuthProviders.SMTP-x64.msi installer.
- After the installation is complete, a system restart might be necessary. If the installation wizard prompts you to restart the system, confirm this action.
- Removal or restoration of the product is carried out using the standard procedure for the supported operating systems, via the Control Panel.
Configuring the e-mail address attribute
To change the default attribute, add the following parameters to the server configuration file (C:\inetpub\wwwroot\easerver\Web.config).
- Add the "userMapRules" tag to the "adUserCatalogProvider" tag. Add the "adObjectMapRule" tag to the "userMapRules" tag with the following parameters:
  - attribute="Email" defines the parameter being changed;
  - adAttribute="otherMailbox" specifies the AD attribute to take the value from.
- Add the "objectTypeSettings" tag and, inside it, the "objectSetting" tag with the category="person" class="user" parameters.
Example:
  <adUserCatalogProvider id="userId" serverName="ind.loc" containerPath="DC=ind,DC=loc" userName="userAdmin" password="Q1q2E3e4">
    <userMapRules>
      <adObjectMapRule attribute="Email" adAttribute="otherMailbox"/>
      <objectTypeSettings>
        <objectSetting category="person" class="user"></objectSetting>
      </objectTypeSettings>
    </userMapRules>
  </adUserCatalogProvider>
Configuring the authentication parameters
Before configuring group policies, add the Indeed AM policy templates to the administrative template list. The policy template files are included in the installation package and can be found in the Misc folder.
SMTP server settings
The policy applies to Indeed AM servers. It allows configuring the following settings for the SMTP server:
- Server (DNS name or IP address) defines the address of the server to connect to;
- Port defines the connection port to use;
- Server timeout defines the server response timeout in seconds;
- Connection type defines the type of connection: insecure, TLS or SSL;
- Username defines the account name to use for the connection to the server;
- Password defines the account password to use for the connection to the server;
- One-time password in message subject – if enabled, the one-time password is placed in the message subject. Otherwise, it is placed in the message text.
- Message text defines the sender name and e-mail address, the subject and the text of the message.
The location of the one-time password in the message text must be marked with the corresponding tag.
For example:
Your one-time password: <otp>.
If One-time password in message subject is enabled, you must also mark the location of the one-time password in the message subject.
Not Configured or Disabled
If the policy is not configured or disabled, then Indeed AM Email OTP Provider is not used for user authentication.
Enabled
If the policy is enabled, then Indeed AM Email OTP Provider is used for authentication, according to the policy parameters.
One-time password generation settings
The policy applies to Indeed AM servers. It allows configuring the one-time password length and the character groups used for password generation.
Not Configured or Disabled
If the policy is not configured or disabled, the generated password is 6 characters long and contains digits only.
Enabled
The one-time password is generated according to the policy parameters. If the policy is enabled, but no character category is defined, then the password will contain digits only (password length is 6 characters by default).
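The following Python script is an added illustration of the two policies described above (the <otp> tag placement in the message text/subject, and the generation rules: default length 6, digits only when no character category is selected). It is not code from Indeed AM; the character-group names, the set of special characters and the function names are assumptions made for this example.

```python
import secrets
import string

# Character groups standing in for the policy's character categories.
# Group names and the special-character set are assumptions for this example;
# the page only states that an OTP combines digits, special and Latin characters.
CHARACTER_GROUPS = {
    "digits": string.digits,
    "latin": string.ascii_letters,
    "special": "!@#$%^&*()-_=+",  # constructed set of special characters
}

DEFAULT_LENGTH = 6   # length used when the policy defines none
OTP_TAG = "<otp>"    # placeholder tag named on the page


def generate_otp(length=DEFAULT_LENGTH, groups=()):
    """Generate a one-time password following the policy semantics:
    if no character category is selected, the password contains digits only.
    Characters are drawn from the OS CSPRNG via the `secrets` module."""
    if length < 1:
        raise ValueError("OTP length must be at least 1")
    unknown = [g for g in groups if g not in CHARACTER_GROUPS]
    if unknown:
        raise ValueError(f"unknown character group(s): {unknown}")
    alphabet = "".join(CHARACTER_GROUPS[g] for g in groups) or CHARACTER_GROUPS["digits"]
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_message(otp, subject, text, otp_in_subject=False):
    """Substitute the OTP where the <otp> tag sits and enforce the page's rule
    that the tag must be present in the text, and also in the subject when
    'One-time password in message subject' is enabled. Returns (subject, text)."""
    if OTP_TAG not in text:
        raise ValueError(f"message text must contain the {OTP_TAG} tag")
    if otp_in_subject and OTP_TAG not in subject:
        raise ValueError(f"message subject must contain the {OTP_TAG} tag")
    rendered_text = text.replace(OTP_TAG, otp)
    # Assumption: when subject delivery is enabled the tag is replaced wherever
    # it appears, in the subject as well as in the text.
    rendered_subject = subject.replace(OTP_TAG, otp) if otp_in_subject else subject
    return rendered_subject, rendered_text


if __name__ == "__main__":
    # Constructed sample policy values, not taken from a real deployment.
    otp = generate_otp(length=8, groups=("digits", "latin"))
    subject, text = render_message(otp, "Your login code", "Your one-time password: <otp>.")
    print(subject)
    print(text)
```

The generator uses `secrets.choice`, a CSPRNG, rather than `random`, so the one-time password is not predictable from earlier values; that is the property a practitioner would check for in any OTP generator. Note also that with the "insecure" connection type from the SMTP server settings policy, the rendered message, and therefore the OTP, travels to the mail server in cleartext; TLS or SSL avoids that.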