Conditional OTP setup for set of users in RH-SSO


Environment

  • Red Hat Single Sign-On(RH-SSO)
    • 7.x
  • Conditional OTP
  • User role

Issue

  • When OTP is enabled in the authentication Browser Flow, it is enforced for every user in the realm.
  • Is there a way to enable OTP for only a subset of users (Conditional OTP)?
  • What should a user do when the device holding the configured OTP is lost?

Resolution

1. Overview

It is possible to make the authentication process depend on a user's realm role, so that a user authenticates with one of the following:

  • Username/password
  • Username/password+OTP

Users must be assigned the realm role required_otp_role to be taken through the OTP step; users without that role authenticate with username/password only.

2. Configuration steps

This section explains the configuration steps:

Step 1:

  • Go to Authentication -> Flows -> select Browser.
  • Click Copy.
  • Name the new flow browser_otp.

Step 2:

  • Go to the row Condition - User Configured -> select Actions.
  • Click Delete.

Step 3:

  • Go to the row browser_otp Browser - Conditional OTP -> select Actions.
  • Click "Add execution".

Step 4:

  • You are redirected to "Create Authenticator Execution".
  • Select Condition - User Role.
  • Click Save.

Step 5:

  • Go to the row Condition - User Role.
  • Click the up arrow (3rd column) until this row sits directly below the Conditional OTP row, i.e. before the OTP Form.
  • Select Required.

Step 6:

  • Go to the row Condition - User Role -> select Actions.
  • Click Config.
  • Select required_otp_role as the required role.
  • Enter require_otp_flow as the alias.
  • Click Save.

Step 7:

  • Go to the Authentication panel -> select the Bindings tab.
  • For Browser Flow, select browser_otp.
  • Click Save.

Root Cause

  • Conditional OTP is not enabled by default; enable it as described in the Resolution section.

  • What should a user do when the device holding the configured OTP is lost?
    If you lose your OTP device, contact your administrator so the OTP credential can be removed and re-enrolled. This is the correct operational approach.

Diagnostic Steps

Browser flow:
- Browser - Conditional OTP

Condition - User Role = 'REQUIRED'
- Config: Alias=[alias-name], user role: [select client role to users]
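The following checker is an added example, not Red Hat's code: it reads the flattened execution list that `kcadm.sh get authentication/flows/<alias>/executions -r <realm>` returns, plus the authenticator config(s) from `authentication/config/<id>` and the realm's browser flow binding, and reports anything that deviates from Steps 1-7 and the Diagnostic Steps above. The provider ids and the `condUserRole` config key are the ones Keycloak uses for these authenticators; all sample rows are constructed.

```python
# Checker for the Conditional OTP recipe above (added example, not Red Hat's code). Input
# mirrors `kcadm.sh get authentication/flows/<alias>/executions -r <realm>`: a flattened list
# with level/index fields. Provider ids and the condUserRole key are Keycloak's; samples are constructed.
ROLE_CONDITION = "conditional-user-role"         # "Condition - User Role"
USER_CONFIGURED = "conditional-user-configured"  # "Condition - User Configured"
OTP_FORM = "auth-otp-form"                       # "OTP Form"

def conditional_otp_children(executions):  # rows nested directly under the Conditional OTP sub-flow
    children, parent_level = [], None
    for ex in executions:
        if parent_level is None:
            if ex.get("authenticationFlow") and "Conditional OTP" in ex["displayName"]:
                parent_level = ex["level"]
            continue
        if ex["level"] <= parent_level:
            break  # left the sub-flow
        if ex["level"] == parent_level + 1:
            children.append(ex)
    return sorted(children, key=lambda e: e["index"])

def check_conditional_otp(flow_alias, executions, configs, bound_browser_flow, role="required_otp_role"):
    """Return findings; an empty list means the flow is wired as Steps 1-7 describe."""
    findings = []
    children = conditional_otp_children(executions)
    if not children:
        return ["no 'Conditional OTP' sub-flow found in flow %r" % flow_alias]
    providers = [c.get("providerId") for c in children]
    if USER_CONFIGURED in providers:
        findings.append("'Condition - User Configured' still present (Step 2 deletes it)")
    if ROLE_CONDITION not in providers:
        findings.append("'Condition - User Role' missing from the Conditional OTP sub-flow")
    else:
        cond = children[providers.index(ROLE_CONDITION)]
        if cond["requirement"] != "REQUIRED":
            findings.append("'Condition - User Role' is %s, expected REQUIRED" % cond["requirement"])
        if OTP_FORM in providers and providers.index(ROLE_CONDITION) > providers.index(OTP_FORM):
            findings.append("'Condition - User Role' is ordered after the OTP Form")
        cfg = configs.get(cond.get("authenticationConfig", ""), {}).get("config", {})
        if cfg.get("condUserRole") != role:
            findings.append("'Condition - User Role' is not configured with role %r" % role)
    if bound_browser_flow != flow_alias:
        findings.append("realm browser flow is bound to %r, not %r" % (bound_browser_flow, flow_alias))
    return findings

SAMPLE_EXECUTIONS = [  # constructed: the relevant rows of the copied flow after Steps 1-7
    {"displayName": "browser_otp Browser - Conditional OTP", "authenticationFlow": True, "requirement": "CONDITIONAL", "level": 1, "index": 1},
    {"displayName": "Condition - User Role", "providerId": ROLE_CONDITION, "requirement": "REQUIRED", "level": 2, "index": 0, "authenticationConfig": "cfg-1"},
    {"displayName": "OTP Form", "providerId": OTP_FORM, "requirement": "REQUIRED", "level": 2, "index": 1},
]
SAMPLE_CONFIGS = {"cfg-1": {"alias": "require_otp_flow", "config": {"condUserRole": "required_otp_role"}}}
```

Run it against a live export (`kcadm.sh get ... | python -c ...`) after each change to confirm the flow still matches the recipe; a stock copy of the browser flow that has not had Steps 2-7 applied produces three findings.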
