Setting up Multifactor Authentication with a One-Time-Password
CipherTrust Transparent Encryption Multifactor Authentication supports KeyCloak OTP through direct grant flow. This topic explains how to configure OTP support in KeyCloak.
Prerequisites
Enabling OTP Authentication in KeyCloak
-
Log in to the KeyCloak Admin Console. See KeyCloak documentation for more information.
-
Select Authentication from the menu for your CTE realm, e.g. cte-linux. This is the area where you can configure the different credential types.
-
Select the Browser Flow:
a. Conditional OTP: Required
b. Condition: User configured: Required
c. OTP Form: Required
-
Modify, or clone, a new Direct Grant flow.
-
Modify the build-in direct grant flow, or clone a direct grant flow, by clicking Action > Duplicate. Update the flow as the follows:
a. Username Validation: Required
b. Password: Disabled
c. Direct Grant: Conditional OTP: Required
d. Condition: User configured: Required
e. OTP: Required
-
Create a new direct grant flow:
a. Select Create Flow
b. Fill out the Name and Description
c. Select flow type: Basic Flow
d. Select Add step
e. Select Username Validation: Required
f. Select Add step
g. Select OTP: Required
-
Bind the generated direct grant flow to the client defined for CTE Linux.
-
Choose the client setup for CTE Linux, and select Advanced
a. Select Browser Flow: Browser
b. Select Direct Grant Flow:
<the new direct grant>
Configuring OTP Policy
CTE Linux Multifactor Authentication only supports time-based OTP, which is the default KeyCloak OTP policy. To verify the policy configuration:
-
Navigate to the CTE realm > Authentication.
-
Select Policies > OTP Policy.
-
Ensure that Time-based is selected.
Note
Counter-based is NOT supported with CipherTrust Transparent Encryption.
-
Change other configurations as needed.
Note
Google authenticator only supports the algorithm: SHA1.
Setting Up User's OTP Authenticator
-
Add a user that has permissions to access CTE clients.
-
The user must install an authenticator that is able to provide an OTP token on their mobile phone.
Note
Thales recommends using Google Authenticator.
-
Instruct the user to login through a web browser to the CTE realm account. See KeyCloak documentation for more information.
-
Once authenticated, the OTP token form displays.
-
The user needs to finish the setup of OTP authentication in the OTP token form.
Conclusion
After a successful setup, the local users of the CTE Linux hosts can perform OTP authentication through voradmin mfa login
or SSH login
.