Software OATH token

Scenario
This use case describes how to enroll a software OATH token using Fortified ID Enrollment.
When you have finished this use case you will have:
Logged in using Fortified ID's online test SAML IdP
Created an OATH software token and associated it with that user.
Fortified ID Enrollment also supports enrollment of other authenticator types:
Hardware OATH tokens
Passkeys (fido2)
Fortified ID mobile app.
Fortified ID Enrollment acts as a SAML Service Provider (SP); user authentication is therefore performed by a SAML Identity Provider (IdP). The authentication method and policy are fully controlled by the IdP and are enforced before the enrollment process begins.
Notes:
Note 1: In this scenario we will use the Fortified ID Online SAML IdP. If you would rather add the Enrollment application to your own SAML IdP instead, follow the instructions in this LINK.
Note 2: When enrolling a software OATH token, the user must authenticate before enrolling. This LINK provides an example configuration using Fortified ID Access as SAML IdP with Active Directory credentials (username/password).
Note 3: This use case does not cover how to configure Fortified ID Access to authenticate users with a software OATH token. If that is your objective, refer to this LINK.
Prerequisite
Fortified ID Enrollment, current version, installed. Click this LINK for installation instructions.
Microsoft SQL Server
Microsoft SQL Server or Microsoft SQL Server Express
Microsoft SQL Server Management Studio (SSMS)
Important! Manually create a database called fortifiedid_enrollment. If the fortifiedid_enrollment database exists, the Enrollment service will create all the tables it needs when the service starts.
For this use case we use the sa account. Make sure the sa account has administrative rights on the database.
An OATH token app. Use Microsoft Authenticator, Google Authenticator, Fortified ID mobile or any compatible mobile app that supports software OATH tokens.
Configuration
Before proceeding we assume that Fortified ID Enrollment and the SQL database are already configured and operational.
Download and add new "/customer" folder for Enrollment
Stop the Fortified ID Enrollment service
Rename the current drive:\..\FortifiedID\enrollment\customer folder to \customer_old. The new folder uses an updated configuration style, which is the recommended one.
Download this ZIP containing new default configuration for Fortified ID Enrollment
Move the new /customer folder in the zip to drive:\..\FortifiedID\enrollment
The content of the ZIP file is a new /customer folder. The customer folder includes preconfigured data to access the Fortified ID online IdP and to write to the SQL database. Below describes how to update the configuration to match your environment. This configuration is based on the best practice configuration that Fortified ID advocates and is also used in the products that use Management Center.
Do not start the Fortified ID Enrollment service
Fortified ID Online IdP
FYI. No configuration is needed in this section. This use case includes configuration for the Fortified ID Online IdP, so there is no need to configure your own IdP in order to test enrolling a software OATH token. The IdP metadata is included in a file called saml_idp_meta_data.xml.
The prerequisites section links to instructions on how to connect the Fortified ID Enrollment SAML SP to your own SAML IdP.
Configure connection to your SQL database
Open and edit globals.json in drive:\..\FortifiedID\enrollment\customer\config\
Locate the database settings in the file and update them to match your environment.
Save and close the file.
FYI. The configuration just added is linked and used in the file drive:\..\FortifiedID\enrollment\customer\config\modules\tokensdb.json.
Do not start the Fortified ID Enrollment service
Enable oathsw (OATH Software) method
Open and edit enrollment.json in drive:\..\FortifiedID\enrollment\customer\config\modules\
Locate and enable oathsw (see example below).
Save and close the file.
Test the use case
Start Fortified ID Enrollment service
Open a browser on the server
Browse to https://localhost:8444/enrollment/oathsw/. This will redirect you to the Fortified ID Online IdP (SAML IdP).
Choose Walter Bishop, for example. This redirects you back to the Fortified ID Enrollment application (SAML SP).
Verify that you have a mobile device ready with an OATH software app installed.
Click Start to start an OATH SW enrollment for Walter Bishop.
Add a name ("iPhone" for example)
Open the OATH software app on your mobile device, for example Microsoft Authenticator.
Click in the app to scan a QR code and add a new profile.
Note the one-time passcode that the app generates for the new profile.
In the Enrollment application, enter that one-time passcode and click Activate.
You have now successfully added an OATH software token to your mobile device.
If you would like to view and/or revoke any added token, click Manage device in the Enrollment application.
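To show what the QR code scan and the Activate step do on the server side, here is an added Python example (not Fortified ID Enrollment's own code): it generates a token seed, builds the otpauth:// provisioning URI that the QR code carries, and only marks the token active once the user's first one-time passcode verifies. The issuer name, the ±1 time-step acceptance window and the replay guard are assumptions about a sensible implementation, not documented product behaviour.

```python
import base64, hashlib, hmac, os, struct, time
from typing import Optional
from urllib.parse import quote

# RFC 4226 HOTP: truncate HMAC-SHA1 of the big-endian counter to `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, now // step, digits)

def provisioning_uri(secret: bytes, account: str, issuer: str = "Fortified ID") -> str:
    """The otpauth:// URI the enrollment QR code encodes for the authenticator app (issuer assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

class PendingToken:
    """Server-side record: the seed stays pending until the user's first code validates."""
    def __init__(self, account: str, name: str):
        self.account, self.name = account, name
        self.secret = os.urandom(20)       # 160-bit seed, the length RFC 4226 recommends
        self.active = False
        self.last_counter = -1             # replay guard: never accept an already-used time step

    def activate(self, entered_code: str, now: Optional[int] = None, window: int = 1) -> bool:
        """Accept the code if it matches the current step or one step either side (assumed window)."""
        now = int(time.time()) if now is None else now
        step = now // 30
        for c in range(step - window, step + window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), entered_code):
                self.last_counter = c
                self.active = True
                return True
        return False
```

The assertions below use the RFC 4226 / RFC 6238 reference seed so the expected codes can be checked against the RFCs' published test vectors.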