Setting up Multifactor Authentication with a One-Time-Password
CipherTrust Transparent Encryption Multifactor Authentication supports KeyCloak OTP through direct grant flow. This topic explains how to configure OTP support in KeyCloak.
Prerequisites
Enabling OTP Authentication in KeyCloak
- Log in to the KeyCloak Admin Console. See the KeyCloak documentation for more information.
- Select Authentication from the menu for your CTE realm, e.g. cte-linux. This is the area where you can configure the different credential types.
- Select the Browser Flow and set:
  a. Conditional OTP: Required
  b. Condition: User configured: Required
  c. OTP Form: Required
- Modify or clone the existing Direct Grant flow, or create a new one (either of the two options below).
- Modify the built-in direct grant flow, or clone a direct grant flow, by clicking Action > Duplicate. Update the flow as follows:
  a. Username Validation: Required
  b. Password: Disabled
  c. Direct Grant: Conditional OTP: Required
  d. Condition: User configured: Required
  e. OTP: Required
- Create a new direct grant flow:
  a. Select Create Flow
  b. Fill out the Name and Description
  c. Select flow type: Basic Flow
  d. Select Add step
  e. Select Username Validation: Required
  f. Select Add step
  g. Select OTP: Required
- Bind the generated direct grant flow to the client defined for CTE Linux.
- Choose the client setup for CTE Linux, and select Advanced:
  a. Select Browser Flow: Browser
  b. Select Direct Grant Flow: <the new direct grant>
Configuring OTP Policy
CTE Linux Multifactor Authentication only supports time-based OTP, which is the default KeyCloak OTP policy. To verify the policy configuration:
- Navigate to the CTE realm > Authentication.
- Select Policies > OTP Policy.
- Ensure that Time-based is selected. Note: Counter-based is NOT supported with CipherTrust Transparent Encryption.
- Change other configurations as needed. Note: Google Authenticator only supports the SHA1 algorithm.
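The two sections above (the direct grant flow with Password disabled and OTP required, and the time-based OTP policy) can be checked end to end with the following added example. It is not part of the Thales documentation or of KeyCloak: it implements RFC 6238 TOTP so an administrator can confirm that the policy values (SHA1, 6 digits, 30-second period, look-around window) match what the user's authenticator app produces, and it builds the form body KeyCloak's direct-grant OTP validator expects. The client id, username and base32 secret are constructed sample values; the token endpoint path is the standard one for current KeyCloak releases.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    # RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    # RFC 6238: the counter is the number of whole periods since the Unix epoch.
    # Defaults mirror KeyCloak's default Time-based policy (SHA1 / 6 digits / 30 s),
    # which is also what Google Authenticator supports.
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6, period: int = 30,
                algorithm: str = "sha1", look_around: int = 1) -> bool:
    # KeyCloak's "Look Around Window" accepts codes from neighbouring periods to absorb
    # clock drift between the server and the phone; mirror that here with a
    # constant-time comparison for each candidate.
    return any(
        hmac.compare_digest(totp(secret, at + k * period, digits, period, algorithm), code)
        for k in range(-look_around, look_around + 1)
    )


def decode_base32_secret(shared_secret: str) -> bytes:
    # Authenticator apps and the KeyCloak OTP setup form exchange the secret as base32.
    cleaned = shared_secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def direct_grant_form(client_id: str, username: str, otp: str, client_secret=None) -> str:
    # Body for POST /realms/<realm>/protocol/openid-connect/token. The flow configured
    # above has Password disabled and OTP required, so only the username and the code
    # are sent; KeyCloak's direct-grant OTP validator reads the code from the "totp" field.
    form = {"grant_type": "password", "client_id": client_id, "username": username, "totp": otp}
    if client_secret:  # only for confidential clients
        form["client_secret"] = client_secret
    return urlencode(form)


if __name__ == "__main__":
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # constructed sample secret
    print(direct_grant_form("cte-linux-client", "alice", totp(secret)))  # constructed names
```

The base32 string above decodes to the RFC 6238 reference seed, so the codes it yields can be compared against the RFC test vectors.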
Setting Up a User's OTP Authenticator
- Add a user that has permissions to access CTE clients.
- The user must install an authenticator on their mobile phone that can provide an OTP token. Note: Thales recommends using Google Authenticator.
- Instruct the user to log in through a web browser to the CTE realm account. See the KeyCloak documentation for more information.
- Once authenticated, the OTP token form displays.
- The user needs to finish the setup of OTP authentication in the OTP token form.
Conclusion
After a successful setup, the local users of the CTE Linux hosts can perform OTP authentication through voradmin mfa login or SSH login.