OTP Authentication rule set

Enabling this rule set allows you to enforce OTP authentication as a secondary authentication method for users who want to access cloud services and applications.

Nested library rule set – OTP Authentication
Criteria – SSO.OtpRequired<Default> equals true
Cycles – Requests (and IM)

The rules in this rule set are executed when the SSO action requires OTP authentication.

Prepare OTP context

Rule element    Definition
Criteria        URL.HasParameter ("requestOTP") equals true OR URL.HasParameter ("pledgeOTP") equals true
Action          Continue
Events          Authentication.SendOTP<OTP>

If there is a request for a one-time password from an authenticated user, the Single Sign On module sends the password to the user. The types of OTP requests are:

  • "requestOTP" — The user requests the one-time password through the McAfee OTP server.
  • "pledgeOTP" — The user requests the one-time password through Pledge, an OTP client running locally on a computer or mobile device.

The module executes the event with the following settings:

<OTP> — Specifies settings for OTP authentication.

Return OTP context

Rule element    Definition
Criteria        URL.HasParameter ("requestOTP") equals true
Action          Stop Cycle
Events          HTTP.GenerateResponse (JSON.ToString (JSON.StoreByName (JSON.CreateObject, "otp-context", JSON.FromString (Authentication.OTP.Context<OTP>))))
                HTTP.SetStatus (403)

If there is a request for a one-time password from an authenticated user, this rule stops the request cycle. The Single Sign On module generates a response containing the OTP context in a JSON object. The OTP context is provided in a header field when the McAfee OTP Server responds with a one-time password.

The module executes this event with the following settings:

<OTP> — Specifies settings for OTP authentication.

The module sets the HTTP status code to 403 (Forbidden).

Verify delivered OTP

Rule element    Definition
Criteria        Authentication.Authenticate<OTP> equals false
Action          Stop Cycle
Events          HTTP.GenerateResponse ("{"authentication-required":"delivered-otp"}")
                HTTP.SetStatus (403)

If OTP authentication fails, this rule stops the request cycle. The Single Sign On module generates a response specifying the authentication result and method. The method, delivered OTP, specifies delivery of the one-time password by the McAfee OTP Server.

The module executes this event with the following settings:

<OTP> — Specifies settings for OTP authentication.

The module sets the HTTP status code to 403 (Forbidden).

Note: Enable this rule if one-time passwords are delivered by McAfee OTP Server.

Verify Pledge generated OTP

Rule element    Definition
Criteria        Authentication.Authenticate<OTP> equals false
Action          Stop Cycle
Events          HTTP.GenerateResponse ("{"authentication-required":"generated-otp"}")
                HTTP.SetStatus (403)

If OTP authentication fails, this rule stops the request cycle. The Single Sign On module generates a response specifying the authentication result and method. The method, generated OTP, specifies generation of the one-time password by the Pledge OTP client.

The module executes this event with the following settings:

<OTP> — Specifies settings for OTP authentication.

The module sets the HTTP status code to 403 (Forbidden).

Note: Enable this rule if one-time passwords are generated by the Pledge OTP client.
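The following added example models the evaluation order of the four rules above (Prepare OTP context, Return OTP context, and whichever of the two verification rules is enabled) so the resulting 403 responses can be traced for a given request; it is a constructed simulation, not Web Gateway code, and the Request/Response classes, the pledge_mode switch and the sample context value are assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Event and property names mirror the rule set text; the classes and the
# simulation itself are a constructed model, not Web Gateway code.

@dataclass
class Request:
    url: str
    otp_required: bool = True      # stands in for SSO.OtpRequired<Default>
    otp_valid: bool = False        # stands in for Authentication.Authenticate<OTP>
    # Constructed stand-in for Authentication.OTP.Context<OTP> (a JSON string)
    otp_context: str = '{"session": "constructed-session-id"}'
    events: list = field(default_factory=list)

@dataclass
class Response:
    status: int
    body: dict

    def to_json(self) -> str:
        return json.dumps(self.body)

def has_parameter(url: str, name: str) -> bool:
    """URL.HasParameter: true when the query carries the name, even with an empty value."""
    return name in parse_qs(urlparse(url).query, keep_blank_values=True)

def run_otp_rule_set(req: Request, pledge_mode: bool = False) -> Optional[Response]:
    """Evaluate the rules in order. Returns a Response when a rule stops the cycle,
    None when the request continues (OTP accepted or rule set not applicable).
    pledge_mode selects which of the two mutually exclusive verify rules is enabled."""
    if not req.otp_required:            # rule set criteria: SSO.OtpRequired<Default>
        return None
    # Prepare OTP context: action Continue, event Authentication.SendOTP<OTP>
    if has_parameter(req.url, "requestOTP") or has_parameter(req.url, "pledgeOTP"):
        req.events.append("Authentication.SendOTP<OTP>")
    # Return OTP context: Stop Cycle, context wrapped in a JSON object, status 403
    if has_parameter(req.url, "requestOTP"):
        return Response(403, {"otp-context": json.loads(req.otp_context)})
    # Verify delivered OTP / Verify Pledge generated OTP: Stop Cycle on failure
    if not req.otp_valid:
        method = "generated-otp" if pledge_mode else "delivered-otp"
        return Response(403, {"authentication-required": method})
    return None
```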