Click Devices > Identity Servers > Edit > Local > Classes > New.
Specify a name to identify the class.
Select TOTPClass from Java Class.
Click Next. By default, the TOTP class stores the secret key in the Shared Secret store and no further configuration is required.
[Optional] Click New to store the secret key in an LDAP attribute, file, or memory.
NOTE:File and Memory class implementations are not recommended for production deployment and are suitable only for a single node Identity Server test environment.
LDAP user attribute: Stores the secret key on an LDAP attribute of the user object in the user store.
Add a new property to indicate that the secret key must be stored in an LDAP attribute of the user object in the user store.
Specify the Property Name as SECRET_STORE_CLASS and Property Value as USERSTORE.
Specify the Property Name as ENCRYPT_128_BIT_AES and Property Value as true. The 128 bit long key for encryption is used with Asymmetric encryption systems for higher security.
Click OK.
Add another property to indicate the attribute in which the secret key must be stored.
Specify the Property Name as SECRET_LDAP_ATTRIBUTE_NAME and specify the name of any single-valued attribute. For example, you can specify the Property Value as mobile, costcentre etc.
The secret key is encrypted and stored in the LDAP attribute. If you do not specify any Property Value, the secret key is stored in the carLicense LDAP attribute.
NOTE:Do not use a multi-valued LDAP attribute like email address in Property Value as the user registration will fail. Ensure that the LDAP attribute you have specified as the Property Value is a non-operational attribute. It is not recommended to use LDAP Attributes such as groupmembership.
When you upgrade from Access Manger 5.0 to Access Manager 5.0 Service Pack 2, and want to enforce this property, the administrator must nullify the previous carLicense attribute (the default property if do not use the SECRET_LDAP_ATTRIBUTE_NAME) and the end user must re-register for use in the upgraded version.
File class: Writes the secret key to a file on the Identity Server file system. Add a new property to have the user's secret key stored in a file on the file system.
Specify the Property Name as SECRET_STORE_CLASS and Property Value as FILE.
Memory class: Writes the secret key into memory. This memory is transient and therefore the secret key value is lost each time Identity Server is restarted. Add a new property to define the memory-based property where each user’s secret key is stored. Specify the Property Name as SECRET_STORE_CLASS and Property Value as MEMORY.
Click Finish.
Click Devices > Identity Servers > Edit > Local > Methods > New.
Specify a name for the method. Select the TOTP class from the list. This links the TOTP class to the authentication method.
Deselect Identifies User option.
Click Apply.
Select the user store from list of Available user stores and move it to User store.
Use an existing authentication contract or create a new one. For example, you can add the default Name/Password – Form method as the first method and TOTP method as the second method. Click Apply to save the changes.
NOTE:If you use TOTP as a post-authentication method in a federation setup, a JSP file not found message is displayed and federation fails.