OpenAM provides built in support for OATH authentication (not to be confused with OAuth, which is a different kettle of fish altogether).
OATH defines an open standard for One Time Password (OTP) generators. These can be counter-based, using an HMAC (HOTP), or time-based (TOTP).
Google Authenticator is a free application that you can download for your Android or iOS device that provides an implementation of the OATH TOTP standard. It turns out to be surprisingly easy to configure Google Authenticator to work with OpenAM.
Let's walk through the steps.
We will configure this in a realm called "test". Realms are a kick butt feature of OpenAM that lets us create isolated administration, data store and policy domains. A common use would be to configure separate environments for customers and employees, but realms are also great for creating test environments.
Navigate to your test realm, click on the "Authentication Tab". Under "Modules" edit the OATH module. It should look something like this:
The key attributes we need to set for Google Authenticator are:
- Auth Level: This is a higher strength multi-factor module, so we assign a value of 10 here.
- One Time Password Length: This is the length of the OTP that will be displayed by the Google Authenticator application. Six is the default for Authenticator.
- Minimum Secret Key Length: I used 8 for this example, which is too short for production. This is the length (in hex characters) of the encoded secret.
- Secret Key Attribute: This is the name of the LDAP attribute where the secret key is stored. For this example I am using the "title" attribute. This isn't a great choice, and for production you would extend your LDAP schema with a dedicated attribute.
- OATH Algorithm: TOTP for Google Authenticator.
- Last Login Time Attribute: The OATH TOTP module needs to store the last login timestamp (as a UNIX time, a long) in this attribute. I am using "description", but again you should extend your schema with a dedicated attribute.
Registering the Shared Secret
Remember to key in a UNIX time for the Last Login Time Attribute ("description" is used in this example), e.g. 45918163.
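To make the registration step concrete, here is an added example in Python (not OpenAM's own code, and not part of the original post) that implements HOTP and TOTP as Google Authenticator does: it converts the hex-encoded secret that OpenAM stores in the Secret Key Attribute into the base32 form Authenticator expects, builds the otpauth enrolment URI, and verifies a submitted code against a small clock-skew window while refusing any time step that starts at or before the stored last login time, which is the replay check the Last Login Time Attribute exists for. The window size, the issuer label "OpenAM" and the exact replay semantics are assumptions about how such a module behaves rather than a description of OpenAM's internals; the secret is the RFC 6238 reference secret, constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample: the RFC 6238 reference secret "12345678901234567890",
# hex-encoded the way the Secret Key Attribute holds it (40 hex characters).
SAMPLE_HEX_SECRET = "3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def hex_secret_to_base32(hex_secret: str) -> str:
    """Google Authenticator expects the shared secret as unpadded base32, not hex."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii").rstrip("=")


def otpauth_uri(hex_secret: str, account: str, issuer: str = "OpenAM",
                digits: int = 6, step: int = 30) -> str:
    """Key URI to encode in an enrolment QR code (the issuer label is an assumption)."""
    return ("otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"
            "&digits={digits}&period={step}").format(
        issuer=quote(issuer), account=quote(account),
        secret=hex_secret_to_base32(hex_secret), digits=digits, step=step)


def verify_totp(hex_secret: str, submitted: str, now: int, last_login_time: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Check a submitted code against now +/- window time steps.

    Returns (accepted, new_last_login_time). A time step whose start is not
    later than the stored last login time is never accepted, so a code cannot
    be replayed within its own step. Both the window size and this use of the
    last login time are assumptions for the example, not OpenAM's documented
    behaviour.
    """
    secret = bytes.fromhex(hex_secret)
    current_step = now // step
    for delta in range(-window, window + 1):
        candidate = current_step + delta
        step_start = candidate * step
        if step_start <= last_login_time:
            continue  # already consumed, or older than the last accepted login
        # Constant-time comparison so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, step_start
    return False, last_login_time


if __name__ == "__main__":
    print(otpauth_uri(SAMPLE_HEX_SECRET, "demo@example.com"))
    print(totp(bytes.fromhex(SAMPLE_HEX_SECRET), 59))
```

The value returned as `new_last_login_time` is what you would write back into the Last Login Time Attribute ("description" in this walkthrough) after a successful login; writing it before returning success is what turns the attribute into an effective replay guard.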
Let's give it a whirl! Navigate to the login page for your realm. For example http://openam.example.com:8080/openam/XUI/#login/test
You will first see the LDAP module challenge:
Followed by the OTP challenge:
Enter the OTP displayed by your Google Authenticator application. You should see that you are authenticated correctly and redirected to the profile landing page.
If you run into problems, enable the debug log at message level (Configuration -> Servers and Sites -> your server URL -> Debugging). Look for messages with "oath" in the string.
The logs are under your openam config directory (openam-config/openam/debug).