OTPVerify mapping rule (Federation)

OTPVerify specifies the verification of the one-time password that is submitted by the user.

We can customize the sample OTPVerify mapping rule to modify the following verification rules:

Modify the one-time password type of the user

The one-time password type to determine the one-time Provider plug-in that verifies the one-time password submitted by the user.

Set the authentication level of the user

After one-time password authentication completes, a credential is issued containing the authentication level of the user. We can customize the authentication level by modifying the following section in the mapping rule:

var authenticationLevel = contextAttributesAttributeContainer.getAttributeValueByNameAndType
       ("otp.otp-callback.authentication-level", "otp.otp-callback.type");
var attributeAuthenticationLevel = new Attribute("AUTHENTICATION_LEVEL", 
       "urn:ibm:names:ITFIM:5.1:accessmanager", authenticationLevel);
attributeContainer.setAttribute(attributeAuthenticationLevel);

Enforce the number of times the user can submit the one-time password in the one-time password login page

If a user exceeds the permitted number of times to submit a one-time password, an error message displays. We can customize the number of times the user can submit the one-time password in the one-time password login page by modifying the following section in the mapping rule:

var retryLimit = 5;

By default, this option is set to false. This setting applies only to MAC OTP.

Identify the secret key of a user

When a user registers with a time-based one-time password application, they are assigned a secret key. Store the secret key in this mapping rule for verification of the user by modifying the following code:

var secretStr = new java.lang.String(SECRET_KEY_GOES_HERE);

By default, this option is set to false.

Override the one-time password target URL

By default, a user is redirected to a target URL upon completion of an one-time password flow. That target URL was either the initial cached request at the WebSEAL or reverse proxy instance or was specified as part of the one-time password invocation using the Target query string parameter.

We can use the OTPVerify mapping rule to override this target URL by adding an attribute called itfim_override_targeturl_attr. This attribute ensures that at the completion of a successful one-time password flow, the user is redirected to the override target instead of the initial target. Example code:

var targetUrl = new java.lang.String("http://www.example.com/url");
var targetUrlAttr = new Attribute("itfim_override_targeturl_attr", 
"urn:ibm:names:ITFIM:5.1:accessmanager", targetUrl);
attributeContainer.setAttribute(targetUrlAttr);

To customize one-time password verification, we can do one of the following actions:

• Create our own verification rules based on the sample OTPVerify mapping rule.

• Modify the sample OTPVerify mapping rule.

We can also customize the mapping rule to use access control context data. For details see, Customize one-time password mapping rules to use access control context data.

Parent topic: Manage JavaScript mapping rules