UnboundID Delivered OTP SASL Mechanism Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The UnboundID Delivered OTP SASL Mechanism Handler provides a mechanism for performing multifactor authentication using a one-time password (OTP) that has been delivered to the user via some out-of-band channel (e.g., e-mail or SMS).

The deliver one-time password extended operation should be used to cause the one-time password to be sent to the user. See the documentation for the deliver OTP extended operation handler for more details on how it operates.

Once the end user has received the one-time password (which will only be delivered to them after the server has identified the user and verified their static password), the user may then authenticate using the UNBOUNDID-DELIVERED-OTP SASL mechanism. The credentials for this SASL bind request include the following elements:

Upon receiving the bind request, the server will first identify the user specified in the authentication identity (using the identity mapper associated with this SASL mechanism handler) and verify that the user is allowed to authenticate. If an alternate authorization identity has been requested, the server will ensure that the target user is allowed to assume that identity. The server will then retrieve the value of the ds-auth-delivered-otp operational attribute from the user's entry. If this attribute exists, then the timestamp contained in it will be examined to ensure that the one-time password has not yet expired (as controlled by the otp-validity-duration property defined in this SASL mechanism handler), and the one-time password itself will be compared with the value from the bind request. If the one-time password matches the value stored in the user's entry, then it will be removed from the user's entry so that it will no longer be available to authenticate.
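The bind-processing steps above, modeled as an added example (not the Directory Server's own code). The in-memory directory, the "u:"-only identity mapper, the "<delivery-millis>:<otp>" encoding of ds-auth-delivered-otp, and the x-allowed-authz-ids attribute used to decide whether an alternate authorization identity may be assumed are all assumptions of this example; the checks themselves (identity mapping, authorization-identity check, expiry against otp-validity-duration, comparison, single-use removal on success) follow the order given in the text.

```python
import hmac
from dataclasses import dataclass, field

# Default of the otp-validity-duration property: 5 minutes, in milliseconds.
OTP_VALIDITY_DURATION_MS = 5 * 60 * 1000

OTP_ATTR = "ds-auth-delivered-otp"  # operational attribute named in the text
AUTHZ_ATTR = "x-allowed-authz-ids"  # constructed attribute, used only by this model


class BindError(Exception):
    """Raised when the bind must fail; the message is for the server log, not the client."""


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)


# Constructed directory content for the example.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": Entry(
        "uid=alice,ou=People,dc=example,dc=com", {"uid": ["alice"]}),
    "uid=svc-helpdesk,ou=Apps,dc=example,dc=com": Entry(
        "uid=svc-helpdesk,ou=Apps,dc=example,dc=com",
        {"uid": ["svc-helpdesk"], AUTHZ_ATTR: ["u:alice"]}),
}


def map_identity(identity):
    """Toy identity mapper: resolves "u:<uid>" to an entry by exact uid match.
    The real server delegates this to the configured identity-mapper."""
    if not identity.startswith("u:"):
        return None
    uid = identity[2:]
    for entry in DIRECTORY.values():
        if uid in entry.attrs.get("uid", []):
            return entry
    return None


def store_delivered_otp(entry, otp, delivered_at_ms):
    """Models what the deliver-OTP extended operation leaves behind: the OTP
    plus its delivery timestamp (this encoding is an assumption of the example)."""
    entry.attrs[OTP_ATTR] = [f"{delivered_at_ms}:{otp}"]


def verify_delivered_otp(authid, otp, now_ms, authzid=None,
                         validity_ms=OTP_VALIDITY_DURATION_MS):
    """Walk the bind-processing steps from the text; returns the effective
    authorization DN on success and raises BindError otherwise."""
    user = map_identity(authid)
    if user is None:
        raise BindError("authentication identity could not be mapped")
    effective = user
    if authzid is not None and authzid != authid:
        target = map_identity(authzid)
        if target is None or authzid not in user.attrs.get(AUTHZ_ATTR, []):
            raise BindError("not permitted to assume the requested authorization identity")
        effective = target
    values = user.attrs.get(OTP_ATTR)
    if not values:
        raise BindError("no delivered one-time password is pending for this user")
    delivered_str, _, stored_otp = values[0].partition(":")
    if now_ms - int(delivered_str) > validity_ms:
        raise BindError("delivered one-time password has expired")
    # Constant-time comparison so the check leaks nothing about the stored value.
    if not hmac.compare_digest(stored_otp.encode(), otp.encode()):
        raise BindError("one-time password does not match")
    # Success: remove the OTP so it can no longer be used to authenticate.
    del user.attrs[OTP_ATTR]
    return effective.dn


def run_scenarios():
    """Exercise the flow: success, replay of a consumed OTP, expiry, and an
    alternate authorization identity."""
    results = {}
    alice = DIRECTORY["uid=alice,ou=People,dc=example,dc=com"]
    helpdesk = DIRECTORY["uid=svc-helpdesk,ou=Apps,dc=example,dc=com"]
    t0 = 1_700_000_000_000  # constructed epoch milliseconds
    store_delivered_otp(alice, "483920", t0)
    results["first_bind"] = verify_delivered_otp("u:alice", "483920", t0 + 30_000)
    try:
        verify_delivered_otp("u:alice", "483920", t0 + 31_000)
        results["replay"] = "accepted"
    except BindError as e:
        results["replay"] = str(e)
    store_delivered_otp(alice, "771204", t0)
    try:
        verify_delivered_otp("u:alice", "771204", t0 + OTP_VALIDITY_DURATION_MS + 1)
        results["expired"] = "accepted"
    except BindError as e:
        results["expired"] = str(e)
    store_delivered_otp(helpdesk, "112233", t0)
    results["authz_bind"] = verify_delivered_otp(
        "u:svc-helpdesk", "112233", t0 + 1_000, authzid="u:alice")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The two properties that matter for the security of this flow map directly onto the model: the validity window is the otp-validity-duration check, and the deletion after a successful match is what makes the delivered password single-use.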


Parent Component

The UnboundID Delivered OTP SASL Mechanism Handler component inherits from the SASL Mechanism Handler

Relations from This Component

The following components have a direct aggregation relation from UnboundID Delivered OTP SASL Mechanism Handlers:

Properties

The properties supported by this managed object are as follows:

Basic Properties:
 description
 enabled
 identity-mapper
 otp-validity-duration

Advanced Properties:
 None

Basic Properties

description

Description
A description for this SASL Mechanism Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action.

enabled

Description
Indicates whether the SASL mechanism handler is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action.

identity-mapper

Description
The identity mapper that should be used to identify the user(s) targeted in the authentication and/or authorization identities contained in the bind request. This will only be used for "u:"-style identities.
Default Value
None
Allowed Values
The DN of any Identity Mapper. If this UnboundID Delivered OTP SASL Mechanism Handler is enabled, then the associated identity mapper must also be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action.

otp-validity-duration

Description
The maximum length of time that a one-time password value should be considered valid.
Default Value
5 minutes
Allowed Values
A duration. Lower limit is 1 millisecond.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action.


dsconfig Usage

To list the configured SASL Mechanism Handlers:

dsconfig list-sasl-mechanism-handlers
     [--property {propertyName}] ...

To view the configuration for an existing SASL Mechanism Handler:

dsconfig get-sasl-mechanism-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing SASL Mechanism Handler:

dsconfig set-sasl-mechanism-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new UnboundID Delivered OTP SASL Mechanism Handler:

dsconfig create-sasl-mechanism-handler
     --handler-name {name}
     --type unboundid-delivered-otp
     --set enabled:{propertyValue}
     --set identity-mapper:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing SASL Mechanism Handler:

dsconfig delete-sasl-mechanism-handler
     --handler-name {name}