Shawn Harry | SfB OpenOTP MFA integration using Passive Authentication
416
single,single-post,postid-416,single-format-standard,ajax_fade,page_not_loaded,,qode_grid_1300,qode_popup_menu_push_text_top,qode-content-sidebar-responsive,qode-theme-ver-10.0,wpb-js-composer js-comp-ver-4.12.1,vc_responsive

SfB OpenOTP MFA integration using Passive Authentication

SfB OpenOTP MFA integration using Passive Authentication

1

The following is supplemental to the WebADM Install Guide only.
Server specification
Ubuntu 12.04 was used for the integration using a Basic_A1 (1 core, 1.75 GB memory) VM. The server was installed manually to support installation of OpenOTP in Azure. Otherwise pre-installed VM Appliances can be used for on premise installations.

Installing WebADM

Azure provides support for Debian or Redhat based Linux OS’s. Either variant can be used to install WebADM. RCDevs provide installation instructions here , “WebADM Installation Guide”. WebADM can be downloaded from the same URL, “WebADM with WebApps & Services” package.

After WebADM has been unzipped and installed MySQL must be installed.

MySQL

https://help.ubuntu.com/12.04/serverguide/mysql.html

To check hostname run:

hostname
hostname –f

If necessary change the hostname to an appropriate name EG OpenOTP.

Edit /etc/hostname and add your unqualified hostname:
OpenOTP
Edit /etc/hosts:
sudo nano /etc/hosts

127.0.0.1 OpenOTP.shuc.uk

Restart the hostname service:
sudo service hostname restart

sudo apt-get install mysql-server

During the installation process, you will be prompted to set a password for the MySQL root user as shown below. Choose a strong password and keep it in a safe place for future reference

2

sudo netstat -tap | grep mysql
tcp 0 0 localhost:mysql *:* LISTEN 2556/mysqld

mysql -u root –p enter p password created earlier.

create database webadm;
grant all on webadm.* to ‘webadm’ identified by ‘webadm’;

Important step:

Edit the /etc/mysql/my.cnf file to configure MySQL to listen for connections from network hosts, change the bind-address directive to the server’s IP address:

bind-address = 192.168.0.5

Test the connection from a windows server using dbForge Studio for MySQL, v7.1 Express.
https://www.devart.com/dbforge/mysql/studio/download.html

3

Configure server.conf & webadm.conf

Login to OpenOTP via SSH/CLI. Su to root and navigate to /opt/webadm/conf. Nano server.xml. Edit the .xml to point to ADDC and MySQL.
No other settings in the .xml other than these need to be changed.

4

Navigate to /opt/webadm/conf. Nano webadm.conf
Proxy user DN and proxy user password must be changed to a domain administrator. Note domain admin password is stored in clear text. Super Admins string must be changed to domain administrator AD group DN and an administrator DN, either default or a delegated administrator.

5

Lines starting adminroles_container to client_container were remarked out with a #. Edit each line to the appropriate DN/LDAP tree so the WebADM in the setup wizard can create these groups in AD.

6

Example (After setup wizard from WebADM https://openotp.shuc.uk/admin/index.php has been run) :-

7

Restart OpenOTP.

Setup WebADM

Login to WebADM https://openotp.shuc.uk/admin/index.php . Run the setup wizard and complete all steps. Once completed login with a domain administrator account.

8

Configure WebADM

Rename the default ‘domain’ called ‘default’ to the AD domain, shuc.uk. Edit the User Search Base.

9

Under the applications tab enable MFA.

10

Take note of the service URL. This is required when configuring ADFS to communicate with OpenOTP. Select configure and ensure the check boxes are ticked as per the image below. Ensure the default domain is set and does not say ‘default’.

11

Enable user for MFA
Select an AD user from the domain tree and activate them for OTP. Ensure the preferred language in the next screen is EN (English) and select proceed and then extend object.

12

Select MFA Authentication Server. In the next screen select Register / Unregister OTP Tokens.

13

Download Google Authenticate and a Barcode Scanner on your smartphone and scan the QR barcode then select register.

14

15

Example Google Authenticate

16

Install ADFS OpenOTP plugin
Follow instructions here to install the plugin. Ensure the following parameters are set under MFA to enable MFA in ADFS to OpenOTP.

17

Troubleshooting

To trouble shoot login issues with ADFS applications > WebADM Server Log Files

18