Getting Started Guide

This document provides guidance on how to address your needs and use cases with RCDevs solutions, detailing the necessary software packages and introducing the OpenOTP platform. RCDevs products are based on a client/server architecture. In any integration scenario, a server setup is required before configuring client integrations or applications.

Overview

Introduction to OpenOTP security suite

OpenOTP Security Suite is set of software provided by RCDevs installable on Linux systems. The server(s) that runs these solutions uses a product called WebADM to manage the various modules. WebADM manages secure identity access in environments using or requiring AD/LDAP(s) as an identity store. OpenOTP employs an organization-based model, where an organization typically corresponds to an AD/LDAP or a subset (e.g., Organizational Unit). However, the organization can also combine multiple LDAP directories.

The OpenOTP Security Suite includes the following features:

Services Details WebADM and module names
MFA Enable Push, FIDO, Passkeys, OTP, certificate, Magic Links or any method of authentication on any host, service or app. OpenOTP
Access Management Enforce authentication policies on any RADIUS, SAML, OIDC, Windows and Unix/Linux enabled host, service or app. Client Policies
Identity Management Manage multiple AD/LDAP directories and Unix/Linux server estates to a one Universal Directory and centrally manage users and groups. Mountpoints and Domains
Identity Connect Connect to one or more AD/LDAP directories to leverage identity data in access policies with needing to replicate the accounts. Mountpoints and Domains
Identity Protection Detect risky access by observing geo-velocity, location anomaly, IP reputation and user behaviour. Client Policies/OptionSets; OpenOTP-Badging features
Identity Governance Ensure regulatory compliance with trusted access workflows using digitally signed Contracts Of Access and identity verification. Client Policies, OpenOTP-eSignature features
SSO/Federation Implement IDP or SP initiated login using SAML or OIDC. OpenOTP, OpenID & SAML Provider
Priveleged Access Secure access to linux/unix server estates by adding MFA, audit trails (video recordings), identity verification, identity governance and identity protection. Client Policies; Spankey Server/Client
Self Services Include self-service workflows that enable users to self-enroll their authentication methods, reset their passwords, and more. User Self-Service Desk; User Self-Registration; Helpdesk; Secure Password Reset
ZTNA Bring legacy perimeter based estates to zero trust architecture by enabling intelligent presence based trust zones. LDAP OptionSets/Client Policies; OpenOTP-Badging features

Common Scenarios and Identifying Your Needs/Use Cases

  • I am looking for an IAM solution?

WebADM framework is the RCDevs component which provides IAM features. In all scenarios, WebADM framework is mandatory. WebADM can not be installed without an LDAP backend already setup.

  • I am looking for a Multi-Factor Authentication (MFA) solution?

OpenOTP is the RCDevs web service component handling authentication. OpenOTP is a component hosted on WebADM.

  • I am looking for a Single Sign-On solution?

OpenID & SAML Provider is the RCDevs component managing SSO sessions. The authentication is based on OpenOTP service. OpenID & SAML Provider and OpenOTP are components hosted on WebADM framework.

  • I want to protect Windows logins (local and RDP logins) on servers and/or workstations with MFA?

You need WebADM, OpenOTP server(s) and OpenOTP Credential Provider for Windows (client).

  • I want to protect my VPN Server, Firewalls, F5, Sophos, ASA... with MFA?

You need WebADM, OpenOTP and Radius Bridge servers. These components are generally installed on the same machine but optionally you can install the Radius Bridge on another machine.

  • I want to protect legacy applications supporting only the LDAP protocol with MFA?

You need WebADM, OpenOTP and LDAP Bridge (LDProxy). These components are generally installed on the same machine but optionally you can install the LDAP Bridge on another machine.

  • I want to protect ADFS services and its configured applications with MFA?

You need WebADM, OpenOTP servers and OpenOTP plugin for ADFS.

  • I want to protect Linux (SSH, Gnome, XDE) with MFA?

You need WebADM, OpenOTP servers, PAM OpenOTP Plugin (client) and optionally Spankey Server and Spankey Client to use LDAP identities on your Linux servers.

  • I want to protect Cloud applications compatible with SAML or OpenID with MFA?

You need WebADM, OpenOTP and OpenID & SAML Provider (RCDevs Identity Provider). If these cloud applications are already configured with an ADFS, then you don't need OpenID & SAML Provider component and you can just install the OpenOTP Plugin for ADFS.

  • I want to deploy and implement Single Sign-On features on multiple web applications?

You need WebADM, OpenOTP and OpenID & SAML Provider (RCDevs Identity Provider).

  • I want to protect my enterprise Wi-Fi, switch or router with MFA or certificate-based authentication?

You need WebADM, OpenOTP and Radius Bridge servers.

  • I want to implement electronic signature?

You need WebADM and OpenOTP servers and OpenOTP Token (mobile application). Multiple client integrations are supported by RCDevs to provide a convenient way for end-users to e-sign a document (Sign from Windows with a right click on a document, from Nextcloud, from Mail gateway...)

  • I want to protect my OpenSSH servers based on Linux with a centralized SSH key management solution?

You need WebADM and Spankey server/client.

  • On my Linux servers, I want to use my AD/LDAP accounts?
  • On my Linux servers, I want to centrally define SUDO access?
  • On my Linux servers, I want to centrally define auditd rules?
  • On my Linux servers, I want to centrally collect auditd logs?

You need WebADM and Spankey server/client components.

  • I am m looking for a VPN solution supporting MFA?

RCDevs provides MFAVPN which is a tuned OpenVPN server preconfigured to directly work with OpenOTP authentication service. MFAVPN is provided as a Virtual Appliance or as a package which can be downloaded.

  • I am looking for LDAP server?

RCDevs is providing a tuned OpenLDAP server which can be deployed in standalone or in HA mode.

  • I need self-service(s) to let my users enroll their tokens, certificates, SSH keys, reset their passwords...

RCDevs provides multiple web applications. For end-user enrollments, you need the User Self-Service Desk (SelfDesk) and/or User Self-Registration (SelfReg). To allow end-users to reset their LDAP passwords, you need the Secure Password Reset application (PWReset). (Note that PWReset application used in a cloud tenant is not going to change the password on the AD account if your AD has been synced to your tenant.)

  • I need a portal to delegate day-to-day administration tasks to my Helpdesk team.

To delegate day-to-day end-user tasks, you can install the Helpdesk application on your WebADM server(s).

Getting Started

In this section, we describe the major steps to get started with RCDevs.

Choose your identity residency strategy

The OpenOTP Security Suite is always deployed on top of an LDAP infrastructure and cannot function without this essential building block. All accounts (admins, users, service accounts) used with WebADM are AD/LDAP accounts. There are 3 possible scenarios:

  • In the scenario where an LDAP infrastructure is already available in your environment and you are deploying the OpenOTP Security Suite, it is highly advised to utilize it to avoid duplicating identities across multiple systems. This is the default method for on-premise installations.

  • If you have an LDAP/AD on-premise but wish to use the SaaS version of the OpenOTP Security Suite, you can synchronize your on-premise LDAP/AD data with your OpenOTP Cloud tenant. Refer to the documentation to learn how to synchronize your on-premise Active Directory with your OpenOTP Cloud tenant. This is the default deployment scenario for SaaS setups.
    In SaaS deployments, RCDevs OpenLDAP is always used in your tenant. The AD synchronization script uses WebADM APIs to create the LDAP structure, accounts, groups, etc., and periodically synchronizes data from your on-premise LDAP/AD to your OpenOTP Cloud tenant.

  • If you do not have any LDAP infrastructure available for your on-premise deployment scenarios, you must install the RCDevs Directory server (SLAPD) and create user identities and groups from the WebADM Administrator Portal.

Setup differences

Choose your setup type between on-premise deployment and SaaS solution. If you prefer not to manage server setup or maintenance, opt for RCDevs SaaS versions on openotp.com.

The limitations compared to on-premise deployment are as follows:

  • RADIUS and LDAP-based OpenOTP client applications will require an OpenOTP Cloud Bridge VM or a server configured with RADIUS Bridge and/or LDAP Bridge. RCDevs does not natively provide LDAP APIs in the SaaS deployment. RADIUS APIs can be enabled upon request, although it is preferred to run them on-premise.
  • FIDO/WebAuthN authentications will not work with on-premise ADFS.
  • You cannot directly use your LDAP/Active Directory infrastructure. Users/groups must be created in your tenant (easy) or synced from your LDAP/AD to your tenant (more advanced). For production deployments, syncing identities and groups is recommended.

All other usecases are covered with the SaaS solution.

Setups

SaaS activation

SaaS provides a dedicated environment (also called "Tenant") with nearly all features of an on-premise deployment.

The advantage of SaaS deployment is that you don't have to install and set up the WebADM framework. Features like Push logins are already configured upon creation of your tenant.

Follow instructions on the Tenant creation documentation to create your SaaS tenant and start to use your OpenOTP Security Suite solution as a service. Once your tenant is created, you can directly go to section of that documentation 4. Running the solution.

On-premise deployment

In an on-premise deployment, there are no limitations in terms of features and integrations, but it requires knowledge of Linux, networking, LDAP, and WebADM framework concepts.
If you intend to use your Active Directory infrastructure, it is recommended, for POC purposes, to use a domain administrator account for the super_admin and proxy_user accounts.

There are three common ways to set up/deploy your on-premise server:

RCDevs Virtual Appliance (2 modes)

  • Quick mode: Automatic setup with the RCDevs LDAP server.
  • Normal mode: Manual setup where the LDAP identity source can be chosen. (e.g: Active Directory, Novell, OpenLDAP...)

Follow the Virtual Appliance guide to set it up.

Install packages on your own

Set up your own Linux server(s), install the desired packages, and configure everything manually. Refer to the relevant RCDevs documentation for detailed instructions.

Docker deployment

Set up a Docker environment with the RCDevs Docker Hub and the RCDevs Docker documentation.

Running the solution

Now you can log in to the WebADM administrator portal to manage the different components (OpenOTP, Spankey, Self-services...). Below are the basic steps you need to perform from the WebADM interface to get your system up and running with a client integration:

Mandatory steps:

  • Activate your application(s)/service(s) (for on-premise deployment) or check they are active in cloud/SaaS mode.
  • User provisioning
  • Perform your client integration

Optional steps:

  • Define a client policy for your integration
  • Manage your solution

Activate and Configure your Applications/Services

From the WebADM Administrator portal, click on the Applications tab and navigate to the Categories box to view all WebADM modules installed on your server. Click the REGISTER button to enable applications and services if they are not already registered.



{{< figure src="../1.webp" class="img90 center" width="720" height="569" >}}

Once you have registered your applications/services, you can use the CONFIGURE button to configure the application.

User Provisioning (creation, license and OTP/MFA Method)

There are 2 to 3 steps in the user provisioning process, which are listed below:

  • Create a user (only needed in SaaS deployment without AD/LDAP sync or if the on-premise setup has been done with RCDevs Directory server (SLAPD)).
  • Activate the user in order to use that account with the OpenOTP security suite.
  • Register a Token through the different interfaces available on your server (WebADM admin GUI, Self-services, Helpdesk...).

Your user is now provisioned and is usable with RCDevs solutions!

Perform your client integration

Once your user is provisioned, you can proceed with client deployments and integrations. Navigate to our documentation website and look for your specific integration:

Find more on RCDevs documentation

Define a client policy for your integration

Defining a client policy is considered a best practice with the RCDevs solution; otherwise, you lose a layer of configuration granularity.
Refer to the following documentation to create your client policy.

Managing your solution

  • User Self-Service Desk allows end-users to manage their own tokens, FIDO devices, SSH Keys, PassKeys, certificates, and more.
  • Secure Password Reset enables end-users to reset their LDAP password on their own.
  • Helpdesk provides a self-service portal for a pre-defined administrator group to handle day-to-day tasks such as user licensing, token registration, certificate issuing, password management, and more.
  • User Self-Registration allows end-users to register their own tokens, FIDO devices, SSH Keys, PassKeys, certificates, and more via a one-time link provided by administrators or triggered automatically by the system.
  • Presence based logical access is a feature in OpenOTP that integrates authentication with user presence and location. This includes Zero Trust Access capabilities, such as automatically locking LDAP accounts when users are not badged-in. This feature reduces the attack surface and prevents unauthorized access across all applications associated with the account.

Something went wrong/Troubleshooting

Check the WebADM server logs on the server at /opt/webadm/logs/webadm.log or from the WebADM Administrator portal under Databases > WebADM server log file. You can refer to the following documentation for commonly known issues.