
On-premise TOTP tokens

With Mideye Server 6.0 comes the feature of using on-premise tokens. A user in either the database or LDAP can have an on-premise token connected to its account. The token generates a TOTP that can be used as the second factor in an authentication. It can be used as the primary second factor, if the user has On prem (auth type 11) set. It can also be used as fallback to Touch-Plus (auth type 7) and Touch-Mobile (auth type 8), when the user is out of network coverage.

On-premise TOTP tokens are available in two versions:
– software token (authenticator TOTP app on the user's mobile phone)
– hardware token (a physical TOTP token)

If an installation has two or more Mideye Servers, they need to use the same database; otherwise an authenticator registered on the primary Mideye Server won't work on the secondary. Also, after upgrading from Mideye Server 5.6.2 or earlier to Mideye Server 6.0 or later, the keystore needs to be copied from the primary server to the secondary server(s). There is more information about installation and upgrade in the installation guides for Windows and Linux.

Info

The TOTP software and hardware tokens are time sensitive, therefore it is important that the clock of the underlying server OS for Mideye Server is correct. Consider connecting the server to an NTP server to sync the clock.


Configuration in Mideye Server

The webadmin interface and the self-service portal use the same login page and the same RADIUS client, defined in the Mideye Server. The role of the user logging in determines which resources they get access to: the self-service portal for a user, or the webadmin interface for an administrator. For LDAP users the role is determined by the rules in RADIUS translation, based on groups defined in the LDAP directory. If a user has no RADIUS translation value, it is treated as a normal user and gets access to the self-service portal.


Enable the self-service portal

Enable the self-service portal by editing the application-prod.yml file found in:

  • Linux: /opt/mideyeserver6/config/application-prod.yml
  • Windows: C:\Program Files (x86)\Mideye Server 6\config\application-prod.yml

Add the line use-self-service-portal: true in the application section as seen in the example below.

application:
    switch-host: primary.mideye.com
    switch-backup-host: secondary.mideye.com
    switch-port: xxxxx
    log-path: C:\Program Files (x86)\Mideye Server 6\log
    use-self-service-portal: true

Restart the Mideye Server service.

Enable separate self-service portal

To enable a separate self-service portal on a different port, specify the following elements in the application-prod.yml file:

application:
    self-service-proxy:
        enabled: true
        http-port: xxxx
        ssl-port: xxx

Specify which http-port: or ssl-port: port number the self-service portal should run on, and restart the Mideye Server 6 service afterwards.

To use the default self-signed certificate that is created with the Mideye Server, add the bypass-ssl-validation: true flag in application-prod.yml so it looks like this:

application:
    self-service-proxy:
        enabled: true
        http-port: xxxx
        ssl-port: xxx
        bypass-ssl-validation: true

Administrating the on-premise TOTP software tokens

The seed can be distributed to the user's authenticator app either by an administrator in the webadmin interface or by the end user in the self-service portal, which can be protected with another authentication type.

As an administrator

As an administrator, all administration is done via the Mideye Server's webadmin interface.

Register an authenticator app

  1. Log in to the Mideye Webadmin portal.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user that will be registered for the TOTP authenticator.
  4. Go to Tokens in the top menu.
  5. Choose Register authenticator.
  6. Let the user scan the QR code presented on screen with the Mideye+ app (Open Mideye+ -> choose the menu in top right corner -> choose Authenticator -> choose the + sign to scan the QR code).
  7. The TOTP seed is now added to the Mideye+ app.
  8. Enter the TOTP from the Mideye+ app into the verification box in the Webadmin portal.
  9. If the TOTP is verified finalize the registration by clicking Register. The registration must be done while the TOTP is valid in the app. If the TOTP has expired and cycled to the next TOTP repeat step 8.
  10. The TOTP authenticator function in the Mideye+ app will now be ready for use.

Verify a user's authenticator

  1. Log in to the Mideye Webadmin portal.
  2. Go to Users and Tokens.
  3. Locate the user and click edit on the right hand side.
  4. Go to Tokens in the top menu.
  5. Choose Verify OTP.
  6. Enter the OTP from the user's authenticator to verify that it's working.

Unregister an authenticator

  1. Log in to the Mideye Webadmin portal.
  2. Go to Users and Tokens.
  3. Locate the user and click edit on the right hand side.
  4. Click Unregister authenticator.
  5. Click Unregister.
  6. Note that the actual user in the database or LDAP is not deleted, only the authenticator seed is removed.

As a user

As a user, self-administration is done via the Mideye Server's Self-service Portal.

Register an authenticator app

  1. Log in to the self-service portal of the Mideye Server.
  2. To register an authenticator app select Register Authenticator.
  3. Use the Mideye+ app on your mobile phone to scan the QR code presented on screen (Open Mideye+ -> choose the menu in top right corner -> choose Authenticator -> choose the + sign to scan the QR code).
  4. The TOTP seed is now added to the Mideye+ app.
  5. Enter the TOTP from the Mideye+ app into the verification box.
  6. If the TOTP is verified, finalize the registration by clicking Register. The registration must be done while the TOTP is valid in the app. If the TOTP has expired and cycled to the next TOTP, repeat step 5.
  7. The TOTP authenticator function in the Mideye+ app will now be ready for use.

Verify an authenticator app

  1. Log in to the self-service portal of the Mideye Server.
  2. Choose Verify OTP.
  3. Open the Mideye+ app -> choose the menu in top right corner -> choose Authenticator.
  4. Enter the TOTP from the Mideye+ app to verify that it’s working.

Unregister an authenticator app

  1. Log in to the self-service portal of the Mideye Server.
  2. Click on Unregister Authenticator.
  3. Click Unregister.
  4. Note that this will NOT remove the OTPs shown in the Mideye+ app; however, these OTPs will no longer be valid for authentication and can be deleted locally in the app.

Administrating the on-premise TOTP hardware tokens

The TOTP tokens will be delivered with a pskc file containing the credentials for the tokens and a transport key. The pskc file and the transport key must be uploaded to the Mideye Server before they can be deployed to the user.

Note

These TOTP tokens differ from the hardware tokens that Mideye delivers as a service, and the two are not interchangeable.
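As an added example (not Mideye's code, and not a real vendor-delivered file), the following Python script parses a constructed PSKC key container in the RFC 6030 layout described above, lists each token's serial number, and flags whether its seed is shipped in the clear or encrypted under a transport key. It also computes and verifies TOTP codes from the plaintext seed to illustrate the clock-sensitivity note earlier on this page: two seconds on either side of a step boundary produce different codes, and only the verifier's acceptance window (one step either side here, an assumed policy) absorbs small skew. The PSKC content, serial numbers and cipher value are constructed; the 30-second step, SHA-1 and six digits are RFC 6238 defaults assumed for the tokens; decrypting the encrypted seed would need AES-CBC and the transport key and is not performed here.

```python
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

# Constructed PSKC sample (RFC 6030 layout), not a real vendor file. Key k1 ships
# its seed as a PlainValue (the RFC 6238 test secret "12345678901234567890");
# key k2 ships it as an EncryptedValue, which is how a transport-key-protected
# delivery file looks. The cipher value is placeholder bytes, not a real seed.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <KeyPackage>
    <DeviceInfo><Manufacturer>ExampleCo</Manufacturer><SerialNo>TOTP-0001</SerialNo></DeviceInfo>
    <Key Id="k1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <DeviceInfo><Manufacturer>ExampleCo</Manufacturer><SerialNo>TOTP-0002</SerialNo></DeviceInfo>
    <Key Id="k2" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret>
          <EncryptedValue>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
            <xenc:CipherData>
              <xenc:CipherValue>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v</xenc:CipherValue>
            </xenc:CipherData>
          </EncryptedValue>
        </Secret>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text: str) -> list:
    """Return one record per KeyPackage: serial, algorithm, digits, step, and
    either the decoded seed (PlainValue) or the encryption method (EncryptedValue)."""
    root = ET.fromstring(xml_text)
    records = []
    for pkg in root.findall("pskc:KeyPackage", NS):
        key = pkg.find("pskc:Key", NS)
        fmt = key.find("pskc:AlgorithmParameters/pskc:ResponseFormat", NS)
        rec = {
            "serial": pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", default="", namespaces=NS),
            "algorithm": key.get("Algorithm", "").rsplit(":", 1)[-1],
            "digits": int(fmt.get("Length", "6")) if fmt is not None else 6,
            "step": int(key.findtext("pskc:Data/pskc:TimeInterval/pskc:PlainValue",
                                     default="30", namespaces=NS)),
            "secret": None,
            "encrypted_with": None,
        }
        plain = key.find("pskc:Data/pskc:Secret/pskc:PlainValue", NS)
        enc = key.find("pskc:Data/pskc:Secret/pskc:EncryptedValue/xenc:EncryptionMethod", NS)
        if plain is not None:
            rec["secret"] = base64.b64decode(plain.text.strip())
        elif enc is not None:
            rec["encrypted_with"] = enc.get("Algorithm")  # needs the transport key to open
        records.append(rec)
    return records


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(rec: dict, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(rec["secret"], unix_time // rec["step"], rec["digits"])


def verify_totp(rec: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the server's current step and `window` steps either
    side (assumed policy); constant-time comparison for each candidate."""
    counter = unix_time // rec["step"]
    return any(hmac.compare_digest(hotp(rec["secret"], counter + d, rec["digits"]), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    recs = parse_pskc(SAMPLE_PSKC)
    for r in recs:
        if r["secret"] is None:
            print(f"{r['serial']}: seed encrypted with {r['encrypted_with']}, transport key required")
        else:
            print(f"{r['serial']}: plaintext seed, {r['digits']} digits, {r['step']} s step")
    tok = recs[0]
    # Two seconds apart but on different sides of a 30 s boundary: different codes.
    print(totp(tok, 1111111109), totp(tok, 1111111111))   # 081804 050471
    # A server one step ahead of the token accepts the older code only because
    # of the window; with window=0 (or a larger skew) it is rejected.
    print(verify_totp(tok, "081804", 1111111111, window=1))   # True
    print(verify_totp(tok, "081804", 1111111111, window=0))   # False
```

The plaintext key reproduces the RFC 6238 test vectors, which is a quick way to confirm a parser and TOTP implementation agree with the tokens before importing a real file. A delivery file whose seeds appear as PlainValue rather than EncryptedValue is worth querying with the supplier, since the transport key is what protects the seeds in transit.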

Import pskc file and transport key

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Hardware Tokens.
  3. Go to Actions -> Import hardware tokens from a PSKC file.
  4. Choose the three dots to upload the pskc file.
  5. Enter the transport secret and choose Import.
  6. The TOTP hardware token will now show up in the Hardware Tokens list and can now be assigned to a user.

As an administrator

Assign a TOTP hardware token

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user that will be registered for the TOTP Hardware Token.
  4. Go to Tokens in the top menu.
  5. Choose Assign token to user.
  6. Click the drop-down list to choose a serial number from the imported hardware tokens list.
  7. Verify that the serial number on the back of the Hardware Token matches the serial number chosen from the Hardware Token list.
  8. Choose Assign.
  9. The TOTP Hardware Token is now assigned to the user.

Verifying the TOTP hardware token

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user that should be verified.
  4. Go to Tokens in the top menu.
  5. Choose Token Operations -> Verify OTP.
  6. Enter the OTP from the Hardware Token to verify it.

Unassign a TOTP hardware token

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user whose token should be unassigned.
  4. Go to Tokens in the top menu.
  5. Choose Token Operations -> Unassign token from user.
  6. Choose Unassign.

Revoke a TOTP hardware token

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user that should have the token revoked.
  4. Go to Tokens in the top menu.
  5. Choose Token Operations for the correct hardware token.
  6. Choose Change Token State.
  7. Pick the choice that corresponds to why the token will be revoked and Save Changes.
  8. The State of the token will now reflect the reason given.

Reactivate a revoked TOTP Hardware Token

  1. Log in to the Mideye Webadmin portal as an administrator.
  2. Go to Users and Tokens -> Mideye Users.
  3. Edit the user whose token should be reactivated.
  4. Go to Tokens in the top menu.
  5. Choose Token Operations for the correct hardware token.
  6. Choose Change Token State.
  7. Pick Valid and then choose Save Changes.
  8. The State of the token will now show Valid.

As a user

As a user, self-administration is done via the Mideye Server's Self-service Portal.

Assign a TOTP hardware token

  1. Log in to the self-service portal of the Mideye Server.
  2. To register a Hardware Token select Assign Token To User.
  3. Enter the serial number which is found at the back of the TOTP Hardware Token.
  4. Press the button to display an OTP on the hardware token.
  5. Choose the Assign button to finalize the procedure.
  6. The TOTP Hardware Token is now ready for use.

Configure LDAP repository TOTP seeds

To set up LDAP repository TOTP seeds, you need access to the LDAP repository as a user who can edit and save the permission changes that must be made for the LDAP bind account.

It is also crucial to decide in what type of attribute the seeds should be stored. Seeds must be stored in an attribute that supports 120 characters or more and supports Unicode.

Once this has been established, proceed with the steps below to configure the LDAP repository TOTP seeds.

Add permissions to LDAP bind account

To be able to add TOTP seeds to the LDAP repository, the LDAP bind account which is specified in the 'LDAP Profile' requires 'Read and Write' permission for the specific attribute. In this example, the LDAP bind account will receive permissions to read and write to the following attribute: msDS-cloudExtensionAttribute1

  1. Open the Server Manager
  2. Click on Tools -> Active Directory Users and Computers
  3. Right click on the Domain -> Properties
  4. Go to Security -> Advanced
  5. Click on Add -> Select Principal
  6. Select the LDAP bind account and click on OK
  7. In the Applies to: field select Descendant msDS-CloudExtensions objects
  8. Scroll all the way down and click on Clear All
  9. Scroll up and find the attribute msDS-cloudExtensionAttribute1
  10. Click on the check boxes for both Read msDS-cloudExtensionAttribute1 and Write msDS-cloudExtensionAttribute1
  11. Click on OK -> Apply -> OK

With this the LDAP bind account should now have sufficient permissions to both read and write to the specified attribute.

Verify in the Mideye Server

To verify that the LDAP bind account can write in the specified attribute, follow the steps below:

  1. Open the Mideye Dashboard
  2. Click on Directory Settings -> LDAP Profiles
  3. Click on the Edit button on the profile that is used
  4. Click on User Attribute
  5. Scroll down until TOTP Secret Cipher Attribute field is visible
  6. Enter msDS-cloudExtensionAttribute1 in the field
  7. Click on Verify and provide the Username of a user that exists on the AD connected to the profile
  8. Click on Verify

A message saying Successfully verified LDAP attribute should then appear, confirming that the LDAP bind account is able to read and write to that attribute.