Activation of authentication by OTP, TOTP, RADIUS, FIDO2 and OAuth 2.0 (if the provider should be selected):
Export the files mentioned below to subdirectory OTP of the default directory by clicking here.
-- Note: This function is available only for manage sessions and if the client address is 127.0.0.1; existing files will not be overwritten.
Configure a routing table entry with the following keywords:
1) SSL:certificate
2) OTPR:OTP
----- The keyword OTPR defines the root directory for all required files.
----- Note: You can use any other directory than the subdirectory OTP as far as the keywords are adjusted accordingly.
3) If email sending is required (for OTP or activation of the Authenticator for TOTP):
--- Activate mail notification
--- Define the keyword TOTPM:filename ... Template-OTP-Mail, to send the One-Time-Password via the internal mail thread (filename is optional).
----- If filename is not specified the default template will be used. See also Notes on templates.
4) If SMS sending is required (for OTP or activation of the Authenticator for TOTP):
--- Define the keyword SENDOTP:processfile
----- For Windows: SENDOTP:OTP\SendOTP.bat
----- For Linux: SENDOTP must address the shell and the fully qualified script name, e.g. SENDOTP:/bin/bash|/home/GateAdmin/ApplicGate/OTP/SendOTP
--- Configure SendOTP.bat, e.g. using esendex.
5) For TOTP with Authenticator:
--- Define the keyword TOTP
6) For RADIUS authentication:
--- Define the keyword RADIUS:grouplist
7) For FIDO2 authentication:
--- Define the keyword FIDO2:RelyingPartyID[!transport]
8) For OAUTH 2.0 authentication:
--- Define the keyword OA2:grouplist
9) If OTP, TOTP or FIDO2 is used (not necessary for RADIUS and OAuth 2.0):
--- Configure the user list OTPlist.csv
Additional optional Keywords:
OTPU:EmailAddresses ... optional, users who may use this routing entry.
OA2U:EmailAddresses ... optional, users who may use this routing entry.
... EmailAddresses is a list of email addresses (separated by |) that are allowed (may contain one or more * as wildcard, e.g. *@aon.at, ab*x@mycompany.com, *.mgmt.*@x.com)
... or references to groups that contain email addresses
... or references to OTP group names (with trailing %), e.g. %ABC references OTP group ABC
... Note: OTP groups can be referenced (with trailing %) in SourceIP, groups and keywords such as CCR, CCR2, CCRF, CCRI, OA2U.
......... The keywords OTPU and OA2U have the same function and can be used in parallel.
APPC:appcookie ... optional, appcookie is the name of the cookie used by the application.
... if the application does not transmit the cookie used for OTP handling, this cookie can also be used to identify the session.
CKGRP:cookiegroup[$domain] ... optional, to configure cookie handling. A detailed description can be found here.
FWD:htmlfile ... optional, the file htmlfile will be sent to the client after successful authentication
... useful to forward (redirect) to the appropriate URL and to have the correct Referer in the HTTP request
... Example for a forwarding/redirect page:
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="REFRESH" content="3;url=/AppLogin"></head>
Forwarding to <a href='/AppLogin'>Login page ...</a> ...
</html>
... To forward to the right destination when using OAuth 2.0 in combination with a reverse proxy, %URL% will be replaced by the original URL (host):
<!DOCTYPE html>
<html lang="en">
<head><meta http-equiv="REFRESH" content="3;url=https://%URL%"></head>
Forwarding to <a href='https://%URL%'>https://%URL%</a> ...
</html>
TTL:ttl ... optional, specific maximum idle time (Time To Live, TTL) of the link in minutes or seconds.
... For logon sessions the default value is 180 seconds.
.... A refresh message will be sent every TTL-TINT-30 seconds using JavaScript (AJAX).
The files listed below can be adapted to local needs.
Necessary variables that are replaced by ApplicGate are surrounded by "%".
Start web pages:
Optionally the start page can be defined by the keyword OTPF:file.
otp.htm ... form to enter data for authentication by email, SMS, Authenticator code, RADIUS or OAuth 2.0.
.... This is the default form. It will be adapted by ApplicGate according to the defined keywords (any combination of the keywords below is valid):
........ TOTPM ... OTP via email
........ SENDOTP ... OTP via SMS
........ TOTP ... TOTP with Authenticator
........ RADIUS ... Username/Password via RADIUS
........ OA2 ... OAuth 2.0
totp.htm ... form to enter email and SecurityID to initialize the Authenticator secret (no forwarding to a service)
........ Use the keyword OTPF to select this file, e.g. OTPF:OTP/totp.htm and
........ define GatewayIP2=logon
In these files above the string "%ErrMsg%" will be replaced by an error message if there is any.
Additional web pages:
otp2.htm ... form to enter the one time password
........ %Phone% will be replaced by the address where the one time password has been sent
totpasksecret.htm ... form to select the authentication type (email or SMS) when a new Authenticator secret is requested
totpasksecret2.htm ... form to confirm notification via email or SMS when a new Authenticator secret is requested
........ One file out of these 2 files above will be used depending on the existence of the keywords TOTPM (mail) and SENDOTP (sms):
........ %username% will be replaced by the user name entered just before (hidden field)
........ %PIN% will be replaced by the SecurityID (hidden field)
totpsecret.htm ... form to show the new secret (text and QR code) and request authentication by OTP
........ %username% and %usernameRep% will be replaced by the user name
........ %Phone% will be replaced by the address where the one time password has been sent
........ %secret% will be replaced by the shared secret
........ Feel free to change the call of QRCode, especially the otpauth URL: change "Test" and "ApplicGate" as you like.
........ Remark: The field issuer will not be displayed by the Microsoft Authenticator. The Google Authenticator will show this field.
totpsuccess.htm ... to display successful Authenticator initialization (if totp.htm is used).
........ Define GatewayIP2=logon
FIDO2askregister.htm ... form to select the authentication type (email or SMS) when FIDO2 registration is requested
FIDO2askregister2.htm ... form to confirm notification via email or SMS when FIDO2 registration is requested
........ One file out of these 2 files above will be used depending on the existence of the keywords TOTPM (mail) and SENDOTP (sms):
........ %username% will be replaced by the user name entered just before (hidden field)
........ %PIN% will be replaced by the SecurityID (hidden field)
FIDO2register.htm ... form when FIDO2 registration is requested
........ The strings %userIDbase64url%, %challengebase64url%, %username%, %rpId% will be replaced (parameters for the JavaScript RegistrationFIDO)
........ The element "loginText" is used for error and status messages.
FIDO2authentication.htm ... form when FIDO2 authentication is requested
........ The strings %credentialIDbase64url%, %challengebase64url%, %rpId% will be replaced (parameters for the JavaScript AuthenticationFIDO)
........ The element "loginText" is used for error and status messages.
SendOTP.bat ... sample .bat file to send SMS
........ Has to be modified if sending of SMS is required. Sending of mails is no longer supported; use the internal mail thread via keyword TOTPM.
........ The following arguments are passed when this file is called:
......... OTPwd ... 5-digit one-time password to be transmitted
......... SourceIP ... IP address of the remote endpoint
......... emailaddress ... email address to send the one-time password to if the next parameter is the string "email" (no longer used because the keyword TOTPM should be defined)
......... Notification ... phone number to send one time password by SMS or the string "email" to send it via email
favicon.ico ... icon (optional)
HttpGet.exe ... command to send SMS by accessing a URL
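A Linux counterpart to SendOTP.bat, as an added example that is not the script shipped with ApplicGate. It receives the four arguments listed above for SendOTP.bat (assumed here to arrive as positional parameters in that order), accepts only a 5-digit OTP and an E.164-style phone number, refuses the "email" notification type because mail is handled by TOTPM, and hands the text to a hypothetical HTTP SMS gateway configured through the SMS_GATEWAY_URL and SMS_API_KEY environment variables (both names are assumptions; substitute your provider's real API). The OTP itself is never written to the log.

```shell
#!/bin/sh
# Added example (not the SendOTP script shipped with ApplicGate).
# ApplicGate calls it with: OTPwd SourceIP emailaddress Notification (order per the page;
# that they arrive as $1..$4 is an assumption). SMS_GATEWAY_URL and SMS_API_KEY are hypothetical.

# Accept only a 5-digit OTP, the format the page describes for OTPwd.
is_otp() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{5}$'
}

# Accept only E.164-style phone numbers: '+' followed by 8 to 15 digits.
is_phone() {
    printf '%s\n' "$1" | grep -Eq '^\+[1-9][0-9]{7,14}$'
}

# Mask a phone number for the log: keep the first three characters and the last two digits.
mask_phone() {
    printf '%s\n' "$1" | sed -E 's/^(.{3}).*(..)$/\1***\2/'
}

# Build the SMS text; the OTP goes into the message body and nowhere else.
otp_message() {
    printf 'Your ApplicGate one-time password is %s' "$1"
}

# Submit the SMS to the gateway. Hypothetical API: POST form fields "to" and "text",
# bearer token from SMS_API_KEY. Output is discarded so the gateway reply is not logged.
send_sms() {
    curl -sS --fail --max-time 15 \
        -H "Authorization: Bearer ${SMS_API_KEY:?SMS_API_KEY not set}" \
        --data-urlencode "to=$1" \
        --data-urlencode "text=$2" \
        "${SMS_GATEWAY_URL:?SMS_GATEWAY_URL not set}" >/dev/null
}

# Entry point: validate the inputs, refuse "email" (handled by TOTPM), send, log without the OTP.
# Return codes: 2 malformed OTP, 3 email requested, 4 malformed phone number, 5 gateway failure.
send_otp() {
    otp=$1
    source_ip=$2
    notification=$4      # $3 (emailaddress) is no longer used, see above
    if ! is_otp "$otp"; then
        echo "SendOTP: rejected malformed OTP for request from $source_ip" >&2
        return 2
    fi
    if [ "$notification" = "email" ]; then
        echo "SendOTP: email delivery is not handled here; define the keyword TOTPM" >&2
        return 3
    fi
    if ! is_phone "$notification"; then
        echo "SendOTP: rejected malformed phone number for request from $source_ip" >&2
        return 4
    fi
    send_sms "$notification" "$(otp_message "$otp")" || return 5
    logger -t SendOTP "OTP sent to $(mask_phone "$notification") for $source_ip"
}

# Run only when invoked by ApplicGate with its four arguments.
if [ "$#" -eq 4 ]; then
    send_otp "$@"
    exit $?
fi
```

Configure it as SENDOTP:/bin/bash|/home/GateAdmin/ApplicGate/OTP/SendOTP as shown above and keep the script readable only by the account ApplicGate runs under, since it carries the gateway credentials in its environment. The strict input checks matter because the arguments originate from the login form: a phone number that is not a phone number should be rejected, not passed on to the gateway.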
Additional files stored in subdirectory AppGwOTPfiles:
AppGwOTP.css ... CSS for web pages above
login-visual.gif ... sample image for web pages above
qrcode.js ... JavaScript to generate QR codes
otphelp.htm ... help file