OTPVerify mapping rule
OTPVerify specifies the verification of the one-time
password that is submitted by the user.
You can customize the sample OTPVerify mapping rule to modify the following
verification rules:
- Modify the one-time password type of the user
- Indicates the one-time password type, which determines the one-time password provider plug-in that verifies the one-time password submitted by the user.
- Set the authentication level of the user
- After one-time password authentication completes, a credential is issued that contains the
authentication level of the user. You can customize the authentication level by modifying the
following section in the mapping rule:
    var authenticationLevel = contextAttributesAttributeContainer.getAttributeValueByNameAndType("otp.otp-callback.authentication-level", "otp.otp-callback.type");
    var attributeAuthenticationLevel = new Attribute("AUTHENTICATION_LEVEL", "urn:ibm:names:ITFIM:5.1:accessmanager", authenticationLevel);
    attributeContainer.setAttribute(attributeAuthenticationLevel);
- Enforce the number of times the user can submit the one-time password in the one-time password login page
- If a user exceeds the permitted number of times to submit a one-time password, an error message
displays. You can customize the number of times that the user can submit the one-time password in
the one-time password login page by modifying the following section in the mapping
rule:
    var retryLimit = 5;
By default, this option is set to false.
Note: This setting applies only to MAC OTP.
- Identify the secret key of a user
- When a user registers with a time-based one-time password application, they are assigned a
secret key. Store the secret key in this mapping rule for verification of the user by modifying the
following code:
    var secretStr = new java.lang.String(SECRET_KEY_GOES_HERE);
By default, this option is set to false.
- Override the one-time password target URL
- By default, a user is redirected to a target URL upon completion of a one-time password flow. That target URL is either the initial cached request at the WebSEAL or reverse proxy instance, or the URL that was specified as part of the one-time password invocation using the Target query string parameter.
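The authentication-level section above, extended with input validation so that a missing or malformed level is never written into the credential. This is an added example, not IBM's sample rule: `Attribute` and `makeContainer` are constructed stand-ins that model only the calls shown on this page so the code runs outside the appliance, and `MAX_OTP_LEVEL` and `issueAuthenticationLevel` are hypothetical names.

```javascript
// Constructed stand-ins for objects the mapping-rule runtime provides.
function Attribute(name, type, value) {
  this.name = name; this.type = type; this.value = value;
}
function makeContainer(initial) {
  var attrs = initial.slice();
  function indexOf(name, type) {
    for (var i = 0; i < attrs.length; i++) {
      if (attrs[i].name === name && attrs[i].type === type) return i;
    }
    return -1;
  }
  return {
    getAttributeValueByNameAndType: function (name, type) {
      var i = indexOf(name, type);
      return i < 0 ? null : attrs[i].value;
    },
    setAttribute: function (attr) {
      var i = indexOf(attr.name, attr.type);
      if (i < 0) attrs.push(attr); else attrs[i] = attr;
    }
  };
}

var LEVEL_TYPE = "urn:ibm:names:ITFIM:5.1:accessmanager";
var MAX_OTP_LEVEL = 2; // assumption: site policy ceiling for OTP logins

// Reads the configured level, validates it, and sets AUTHENTICATION_LEVEL.
// Returns the level issued; throws rather than issuing a malformed value.
function issueAuthenticationLevel(contextAttrs, attributeContainer) {
  var raw = contextAttrs.getAttributeValueByNameAndType(
    "otp.otp-callback.authentication-level", "otp.otp-callback.type");
  var text = String(raw === null ? "" : raw).replace(/^\s+|\s+$/g, "");
  if (!/^\d{1,3}$/.test(text)) {
    throw new Error("authentication level missing or not a small integer");
  }
  // Cap at the policy ceiling so a misconfigured value cannot over-grant.
  var level = Math.min(parseInt(text, 10), MAX_OTP_LEVEL);
  attributeContainer.setAttribute(
    new Attribute("AUTHENTICATION_LEVEL", LEVEL_TYPE, String(level)));
  return level;
}
```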
To customize one-time password verification, you can do one of the following actions:
- Create your own verification rules that are based on the sample OTPVerify mapping rule.
- Modify the sample OTPVerify mapping rule.
You can also customize the mapping rule to use access control context data. For details, see Customizing one-time password mapping rules to use access control context data.