This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
One Time Passwords
The one time password feature is for users who want a new password each time they log in. This reduces the risk of password theft, since a new password is issued at every login. It also helps users who do not want to remember passwords.
In WSO2 Identity Server, when a user enables OTP in their profile configuration, a new password is sent to the user's email address each time the user logs in. This password is used at the user's next login.
This topic provides the instructions required to configure the one time password feature and to see it in action.
Configuring the one time password
You need to create the following claim and map it to a valid attribute in the underlying user store. This claim is used to store the OTP feature status for the user. This topic also provides the instructions to do this.
http://wso2.org/claims/identity/otp
Tip: Do not confuse this with the claim "http://wso2.org/claims/oneTimePassword", which is available under the claim dialect "http://wso2.org/claims".
To display this claim in the user profile, select the Supported by Default attribute when creating the claim.
- Open the <IS_HOME>/repository/conf/carbon.xml file and make the following change. This is done so that the WSDL file can be accessed to perform this functionality.
  <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
- Enable the Identity Listener by setting the enable attribute of the following listener to true in the <IS_HOME>/repository/conf/identity/identity.xml file.
  <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" orderId="50" enable="true"/>
- Set the following configuration in the <PRODUCT_HOME>/repository/conf/identity/identity-mgt.properties file.
  Notification.Sending.Enable=true
  Notification.Sending.Internally.Managed=true
  Authentication.Policy.Enable=true
  Authentication.Policy.Check.OneTime.Password=true
- To send email from the Identity Server, you must define your mail transport configuration. To do this, set the transportSender details in the <IS_HOME>/repository/conf/axis2/axis2.xml file as shown below. This example uses a sample email address; set the configuration according to your email server settings.
  <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
      <parameter name="mail.smtp.from">testemail@gmail.com</parameter>
      <parameter name="mail.smtp.user">testemail@gmail.com</parameter>
      <parameter name="mail.smtp.password">mypassword</parameter>
      <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
      <parameter name="mail.smtp.port">587</parameter>
      <parameter name="mail.smtp.starttls.enable">true</parameter>
      <parameter name="mail.smtp.auth">true</parameter>
  </transportSender>
- Start/Restart the Identity Server.
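The four file edits above are easy to get half-right (a listener left at enable="false", a property missing from identity-mgt.properties). The following script, added here as an example and not part of WSO2's own code, checks all three prerequisites; the file contents it runs on are constructed samples, and in practice you would read the real files from under <IS_HOME>.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the three files edited above (not from a real install); the last
# property is deliberately left at 'false' so the check has something to report.
CARBON_XML = "<Server><HideAdminServiceWSDLs>false</HideAdminServiceWSDLs></Server>"
IDENTITY_XML = ('<Server><EventListeners><EventListener '
                'type="org.wso2.carbon.user.core.listener.UserOperationEventListener" '
                'name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener" '
                'orderId="50" enable="true"/></EventListeners></Server>')
IDENTITY_MGT_PROPERTIES = """Notification.Sending.Enable=true
Notification.Sending.Internally.Managed=true
Authentication.Policy.Enable=true
Authentication.Policy.Check.OneTime.Password=false
"""
REQUIRED_PROPS = ("Notification.Sending.Enable", "Notification.Sending.Internally.Managed",
                  "Authentication.Policy.Enable", "Authentication.Policy.Check.OneTime.Password")

def _local(tag):  # strip a namespace prefix such as {http://wso2.org/...}EventListener
    return tag.rsplit("}", 1)[-1]
def admin_wsdls_visible(carbon_xml):
    # carbon.xml must contain <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>.
    for el in ET.fromstring(carbon_xml).iter():
        if _local(el.tag) == "HideAdminServiceWSDLs":
            return (el.text or "").strip().lower() == "false"
    return False
def identity_listener_enabled(identity_xml):
    # identity.xml must declare the IdentityMgtEventListener with enable="true".
    for el in ET.fromstring(identity_xml).iter():
        if (_local(el.tag) == "EventListener"
                and el.get("name") == "org.wso2.carbon.identity.mgt.IdentityMgtEventListener"):
            return el.get("enable", "").lower() == "true"
    return False
def parse_properties(text):
    # Minimal Java .properties reader: key=value per line, '#'/'!' comment lines ignored.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props
def otp_readiness(carbon_xml, identity_xml, properties_text):
    # Returns the problems found; an empty list means every OTP prerequisite is in place.
    problems = []
    if not admin_wsdls_visible(carbon_xml):
        problems.append("carbon.xml: HideAdminServiceWSDLs is not false")
    if not identity_listener_enabled(identity_xml):
        problems.append("identity.xml: IdentityMgtEventListener is not enabled")
    props = parse_properties(properties_text)
    problems += ["identity-mgt.properties: %s is not true" % k
                 for k in REQUIRED_PROPS if props.get(k, "").lower() != "true"]
    return problems
```

Run it before restarting the server; with the sample input it reports only the property that was left at false.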
Configuring the claim
- Sign in. Enter your username and password to log on to the Management Console.
- From the Main menu, click Add under Claims.
- Click Add New Claim. Enter all of the required information in the form that appears.
- Add the http://wso2.org/claims/identity/otp claim.
You must add the following for this to work.
  Claim details          Value
  Claim Dialect          http://wso2.org/claims
  Claim URI              http://wso2.org/claims/identity/otp
  Mapped Attribute       oneTimePassword
  Supported by Default   Selected
Note: For the mapped attribute, you can specify any attribute name that is supported by the underlying user store. In this example, the claim is marked as Supported by Default so that it appears when you view a user's profile. You can also set the value of the attribute from the user profile.
- Click Add.
Configuring a user for OTP
- On the Main tab in the Management Console, click Add under Users and Roles.
- Click Users. This link is only visible to users with the Admin role.
- Click Add New User.
- Enter a username and password and click Next.
- Assign the user a role that has the login permission.
- Click User Profile when the added user is listed.
- When you view the profile of the user for the first time, before updating it, the OTP attribute appears as a text box. You can enter true or false as the value in the text box. Otherwise, enter the values for the required fields and click Update.
- When you update the profile, if you did not give any value for the OTP attribute, it is treated as false by default. The next time you view the profile, the OTP attribute appears as a checkbox, because it now contains a boolean value (true or false); the UI shows a checkbox instead of a text box whenever the stored value is true or false.
- To enable OTP for this user account, select the OTP claim checkbox and click Update.
Testing OTP
Log in as the user to check the one time password feature. Also ensure that the necessary profile details, including the email address, have been filled in.
Now, when the user logs out and logs in again, a new password is generated and emailed to the user's email address.