Documents in OpenOTP Server

Tenant Creation and management on RCDevs Mutualized Cloud

1. Overview and important notes RCDevs now offers all of its enterprise solutions in SaaS/cloud mode. There are two cloud infrastructure options available: A mutualized cloud infrastructure: This infrastructure is designed in cluster mode and is hosted and maintained by RCDevs. It allows multiple customers to be hosted on the same backends, with each customer being able to manage their own applications and services. Resource allocation is limited and controlled per tenant based on their license type and user volume.

Servers Sizing

1. Introduction In this how-to, we will show you how to size your servers according to the number of users in your organization who will use OpenOTP. 2. With an external directory (AD, Novell…) 2.1 Recommendations for 500 Users 1 dedicated server or virtual machine with Linux (2 for High Availability). Server configuration: 1.5GHz processor (4 cores). 4GB of RAM. 30GB disk space for installation files, log files and DB. Optionally 2 HSMs for hardware crypto.

Migration Guide

1. Overview This document is a migration guide for RCDevs products between two servers. The installation is not covered by this guide. 2. Requirements You need root access to the old server and the new server. Products you want to migrate should be installed on the new server. 3. RCDevs Products This section covers these products: WebADM (webadm) Radius Bridge (radiusd) LDAP Bridge (ldproxy) Directory Server (slapd) Publishing Proxy (waproxy) HSMHub Server (hsmhubd) Use only the commands for the products installed on your server.

Cloud Integration examples

1. General overview This documentation provides a brief overview of a few integrations after you have created and configured your OpenOTP cloud tenant on RCDevs Mutualized Cloud Infrastructure or subscribed to the Dedicated Cloud Infrastructure. Please note that the descriptions of each product in this documentation are not fully comprehensive. For more detailed information about a specific product, I recommend referring to the “Advanced Configuration” sections where you will find the relevant references and resources for further exploration.

Cloud Mobile Badging

1. Overview This document provides instructions on how to set up and use the mobile badging feature of OpenOTP in a cloud tenant. The configuration process is similar to the one explained in the OpenOTP badging documentation. To enable that feature in your WebADM infrastructure you must meet the following requirements: Having a tenant well configured with its license. Check this documentation to configure your tenant. Install the mobile application OpenOTP Token, with a minimal version of 1.

VPN Integration with RCDevs cloud solutions

1. Overview In this documentation, we will focus on configuring your on-premise VPN server with the OpenOTP Cloud solution (either Mutualized Cloud or Dedicated Cloud). Typically, VPN integration involves using RADIUS, LDAP or SAML/OpenID with some VPN solutions. For SSL VPNs working with SAML or OpenID, this documentation does not explain how to configure your VPN with SAML/OpenID; please refer to the OpenID/SAML documentation. However, it is important to note that the RADIUS protocol was not specifically designed for transport over the internet.

WebADM Installation Guide (Standalone and High Availability setups)

Product Documentation This document is an installation guide for WebADM Server in standalone and high availability mode. WebADM server is the main component to install and deploy OpenOTP in your environment. The WebADM usage manual is not covered by this guide and is documented in the RCDevs WebADM Administrator Guide. Product Overview WebADM is a powerful web-based LDAP administration software designed for professionals to manage LDAP organization resources such as domain users and groups.

Backup & Restore

1. Introduction This document is intended to provide administrators with the best practices for maintaining RCDevs WebADM and related applications (such as OpenOTP Authentication Server). The reader should note that this document is not a guide for installing WebADM and its applications. Specific guides are available through the RCDevs online documentation library on the RCDevs website. WebADM installation and usage manuals are not covered by this guide and are documented in the RCDevs WebADM Installation Guide and WebADM Administrator Guide available on the RCDevs website.

Migrate from a third party 2FA software to OpenOTP

1. Overview In this how-to, we will demonstrate how to easily migrate from a third-party 2FA software to OpenOTP. In this documentation, we assume that you are already running WebADM, OpenOTP and Radius Bridge. To understand what will be done here, we describe the steps: Have WebADM, OpenOTP and Radius Bridge installed and configured, Activate every user who will require 2FA authentication at the WebADM level, Import your third-party hardware tokens into WebADM.

How to Configure RCDevs License Server

1. Introduction In this short How-To, we will explain how to configure RCDevs License Server. The license server is now the default RCDevs model for licensing. This documentation is addressed to every new customer who is subscribing to an enterprise license. For others, the license server can be used with at least WebADM 1.6.8-2. IMPORTANT NOTE Once the license server is configured with WebADM, a license cache is available for 10 days.

Utilities and Command Line Tools for OpenOTP

1. Introduction In this HowTo, we will demonstrate some useful scripts available for OpenOTP and how to use them. 2. OpenOTP Utilities and Scripts Some scripts are available in:
[root@webadm]# cd /opt/webadm/websrvs/openotp/bin
[root@webadm bin]# ll
total 112
-rwxr-xr-x 1 root root 18882 Oct 12 16:58 authtest
-rwxr-xr-x 1 root root  5858 Oct 12 16:58 pkitest
-rwxr-xr-x 1 root root 13090 Oct 12 16:58 pskc2inv
-rwxr-xr-x 1 root root 37362 Oct 12 16:58 report
-rwxr-xr-x 1 root root  9026 Oct 12 16:58 safenet2inv
-rwxr-xr-x 1 root root  3698 Oct 12 16:58 status
-rwxr-xr-x 1 root root 11954 Oct 12 16:58 yubi2inv
3.

TCP and UDP Ports used by RCDevs solutions

1. Overview This documentation describes the ports and protocols used by RCDevs products between their different components. 2. Communication Ports used by RCDevs Products 3. WebADM Cluster Ports The RCDevs Hardening Guide - 5.5 HA Cluster Firewall Rules gives an example of the iptables firewall rules for a high availability cluster with 4 nodes. 4. Incoming and Outgoing Traffic per Product Product Incoming Outgoing WebADM primary node & Web Services SSH TCP 22,

Docker deployment

1. Overview This guide explains how to install and configure WebADM in Docker containers. The following items will be covered: Slapd MariaDB WebADM WAProxy 2. Before you start All steps were tested on CentOS 7/CentOS 8 with Docker version 19, but they should work on any system running a modern version of Docker. In this guide, I assume you already have a working Docker installation. If you need help setting up a Docker environment, you can check the Docker website documentation.

Mountpoints

1. Overview Generally, WebADM is configured to connect with a remote AD/LDAP domain for two reasons: For an admin to be able to browse (and optionally modify) remote domain contents such as user objects via a web browser (and optionally delegate that work to sub-administrators). To act as a gateway that allows the OpenOTP server to read and use remote user data for authentication purposes (e.g. fetching a user's mobile phone number from their AD account).

Digipass GO 6 Tokens with OpenOTP

1. How To use Digipass GO6 Tokens with OpenOTP OpenOTP supports Digipass GO6 Hardware Tokens (https://www.onespan.com/resources/digipass-go-6/datasheet#tech-specifications). Supported algorithms The Digipass GO6 token can work with OATH-HOTP (event-based) and OATH-TOTP (time-based), but the default algorithm is the proprietary Digipass event- and time-based one (DES, 3DES and AES). When ordering from OneSpan, do not forget to ask them to produce the tokens with the OATH-HOTP or OATH-TOTP algorithm. 2. Manual registration If you know the type of your token and the secret seed, you can register an individual token directly to a user with “Manual Registration” in WebADM or Self-Desk.

Feitian C100 - C200 Tokens with OpenOTP

1. Description of Feitian c100/c200 Tokens OpenOTP supports the Feitian c100 & c200 token series. Feitian c100 tokens are OATH-HOTP (event-based) and c200 tokens are OATH-TOTP (time-based). The tokens are provided with a PSKC import file by Feitian. The file includes the token secret key in an encrypted or cleartext format. If it is encrypted, the PSKC decryption key should have been provided to you by Feitian. 2. Register a Feitian token To register a token with a PSKC file, edit a user account in WebADM and go to the MFA Authentication Server application action.

Push Mechanisms

1. Background This document describes how to set up a Push Login infrastructure using WebADM, OpenOTP Push Server and optionally WAProxy. OpenOTP is the RCDevs MFA service running on top of the RCDevs WebADM platform. OpenOTP itself is composed of several server applications and components that provide secure and reliable authentication of users connecting to applications, online services, intranets and extranets, just to name a few. OpenOTP relies on proven technologies and open standards, such as OATH (the Initiative for Open Authentication), HOTP / TOTP / OCRA, RADIUS and LDAP.

OpenOTP Electronic Signatures and Secure Transactions Approval

1. Overview and Requirements RCDevs now offers an easy way to sign any document at any time with all third-party signatories. OpenOTP Signature is a solution which is deployed on premise or in the cloud. Integrating OpenOTP Signature into your infrastructure enables electronic signatures for your company users (LDAP users). If you want to extend your signature processes to external users (users not part of the LDAP directory/directories configured with your WebADM), you have to integrate OpenOTP with the YumiSign platform, which requires a YumiSign API key configured in the OpenOTP settings.

RCDevs Cloud Services

1. Overview This document provides the necessary information for configuring RCDevs Cloud Services on WebADM v2.x. This document is not applicable to WebADM 1.x versions. What are RCDevs Cloud Services? RCDevs Cloud Services are hosted by RCDevs Security SA and provide additional capabilities for RCDevs enterprise solutions; examples of cloud-based functionality are: Push services, Document Sealing and Timestamping (eIDAS), SMS service, Cloud licensing, External PKI for RCDevs licensees. The connection from the local WebADM server to the RCDevs Cloud is based on the HTTP/2 protocol and can be transported through a proxy server between the WebADM servers and the RCDevs Cloud infrastructure.

Proxy User Permissions on AD

How to configure proxy_user rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter or register token metadata on the user account… Administrator user permissions: These accounts log in to the Admin portal in order to manage LDAP resources and registered applications.

What is Wrong??

1. Overview In this document, we describe how to easily fix some common errors with WebADM, OpenOTP, Web Applications, Radius Bridge, Push login, License services, LDAP permissions etc. 2. WebADM/OpenOTP common issues The first thing to do when a login fails for an unknown reason is to check the log file /opt/webadm/log/webadm.log and find the relevant log entry. In addition to the terminal session, you can also find the log in WebADM > Databases > WebADM Server Log files.

Mobile Badging

1. Overview This document demonstrates how to set up and use the mobile badging feature of OpenOTP. To enable that feature in your WebADM infrastructure you must meet the following requirements: Push mechanisms configured with your WebADM infrastructure, Minimal version of WebADM is 2.1.16, Minimal version of OpenOTP is 2.1.6, Minimal version of the OpenOTP Token application is 1.5.16, Mobile Badging and Remote Reporting option part of your freeware, enterprise or trial license.

Voice Registration

1. Overview In this article, we will demonstrate how to record a voice to enable 2FA using voice biometrics. To use Voice Biometrics, you need WebADM 2.0.* and the OpenOTP mobile application version 1.4.11 or higher for Android or version 1.4.13 or higher for iOS. 2. Voice Biometric Registration In order to record a voice biometric for a user, log in to the WebADM admin GUI and, in the left LDAP tree, click on the user account for which you want to register a voice.

Token Registration

1. Overview In this how-to, we will demonstrate the possible ways to enroll a hardware token or a software token on your mobile. For software token registration, you must have a token application installed on your phone like OpenOTP Token or Google Authenticator. OpenOTP Token is the recommended one to enjoy all features offered by OpenOTP server (like push login, phishing protection…). 2. Admin Enrollment through the WebADM Admin GUI A token enrollment can be done by a super_admin or other_admin user through the WebADM admin GUI.

Super Admins Permissions on AD

How To configure super_admin rights for Active Directory There are two things to be considered in order to implement fine-grained LDAP permissions for WebADM and its applications. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increase the false authentication counter. Administrator user permissions: These accounts log in to the Admin portal in order to manage LDAP resources and registered applications.

Active Directory Read-Only mode

How To Configure WebADM with a Read-Only Active Directory Important Note This setup requires an enterprise license which can only be issued by the RCDevs team. Self-generated Freeware/Trial licenses are not supported. Regular enterprise licenses bought through the RCDevs web store are not supported. In some circumstances, we cannot write to the LDAP backend. In that case, we need to store some configurations in a local LDAP database and extra user information in a SQL database.

Seeds file conversion

1. Overview In this how-to, we will demonstrate the possible ways to convert token seed files from different formats into the WebADM inventory format, allowing you to use third-party hardware tokens with RCDevs security solutions. We will also demonstrate how to re-use software tokens already registered on end-user devices with RCDevs solutions. 2. Seed File Formats supported by WebADM 2.1 Unencrypted Inventory This is the format of an unencrypted RCDevs inventory file which can be imported in WebADM without any conversion:

RCDevs VPN Server (MFAVPN)

1. Overview This document is an installation guide for the MFA VPN provided by RCDevs. The installation and configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides for WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation website. 2. Installation of MFA VPN On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.

User Activation

How To Activate Users An activated user is a user who is counted in the license and who is able to authenticate with OpenOTP. There are several ways to activate users. 1. Activate One User Graphically In WebADM, we select the user in the LDAP tree and click on Activate Now!: Then, we complete all mandatory attributes and click on Proceed: We click on Extend Object: Now, the user is activated.

Authentication

Test Double Authentication with a User 1. User Activation Once WebADM is installed and configured, we can connect to it with a web browser. We select the user to activate in the LDAP tree on the left, for example, Admin, or we create a new user by clicking on Create. Once the user is selected, we click on Activate Now!: If present, we fill mandatory attributes and Proceed: We click on Extend Object:

OpenOTP Authentication for Nextcloud

1. Overview The OpenOTP MFA plugin for Nextcloud enables multi-factor authentication on the Admin and User portals of Nextcloud. Users’ credentials can be validated: Locally by Nextcloud (Nextcloud local accounts), Through an LDAP service (LDAP accounts). Once the first step of the authentication is successfully validated, the authentication workflow continues through the OpenOTP Plugin for Nextcloud and the OpenOTP server(s). The plugin submits an authentication request to the OpenOTP server(s) with the credentials provided during the first step (username).

OpenOTP Electronic Signature for Nextcloud

1. Overview The OpenOTP Signature Plugin for Nextcloud allows authenticated users to self-sign a document or submit a document for signature to Nextcloud users. It enables electronic signature with your mobile through the OpenOTP Server, which validates your identity and generates a secure communication flow with all third parties involved in the signature process. All signature types (Standard, Advanced and Seal) are supported with that plugin. In order to use that plugin, you MUST HAVE OpenOTP Security Suite running in your infrastructure (on-premise or in the cloud).

Quick-Sign Milter Installation

1. Introduction The Quick-Sign Milter works alongside a mail server; this software catches mails before they reach the standard mail server. The milter processes the mails if they correspond to a signature/seal request; otherwise, these mails follow the standard process. The quicksign-milter package must be installed and configured on a Postfix server. The WebADM/OpenOTP infrastructure must already be deployed and integrated with your LDAP backend. Your OpenOTP license must also support the Sign option.

Policies

1. Overview This documentation explains the policies configurable for Web Services and Web Applications under the WebADM admin GUI. WebADM provides different kinds of policies: default application configuration (weight 1), per-group (weight 2), per-user (weight 3), per-application (weight 4-6). Settings with a higher weight override settings with a lower weight. (e.g. for OpenOTP: My default OpenOTP settings require LoginMode=LDAP only but the user who is trying to log in has a policy configured on his account with LoginMode=LDAP+OTP.

OpenOTP API WSDL

OpenOTP API Description The OpenOTP authentication service is implemented over the SOAP/XML and RADIUS APIs. The SOAP/XML API is provided with a SOAP WSDL service description listed below. The OpenOTP API is very simple and provides 4 methods: 1. openotpNormalLogin and openotpSimpleLogin These methods are used to send an authentication request. The request contains the following attributes: username: User login name (mandatory). domain: User login domain (optional if OpenOTP has a default domain setting set).

Syslog and WebADM

1. Overview This HowTo describes how to configure WebADM to send logs to the local syslog and optionally forward them to a remote syslog (rsyslog) server. The procedure may vary according to the operating system; this configuration has been tested with CentOS Stream and RHEL. Please refer to the Rsyslog documentation for more information. 2. Configuration 2.1 WebADM configuration On the WebADM side, you need to edit the following configuration file: /opt/webadm/conf/webadm.conf Then you have to configure/enable the following settings:

Quick-Sign Portal Installation

1. Introduction The Quick-Sign Portal is very easy to install and configure; it can be integrated into an existing environment. It is a PHP web application which interacts with a mail server to let users send and sign documents. We recommend installing it on a dedicated machine and not on your WebADM/OpenOTP servers. The Quick-Sign portal uses the quicksign-milter; you must first configure the Quick-Sign Milter before deploying the Quick-Sign portal.

Radius Bridge Server

1. Product Documentation This document is a configuration guide for OpenOTP Radius Bridge (RB). The reader should note that this document is not a guide for installing and configuring OpenOTP or WebADM. Specific application guides are available through the RCDevs documentation website. 2. Product Overview OpenOTP Radius Bridge provides the RADIUS RFC-2865 (Remote Authentication Dial-in User Service) API for the OpenOTP Authentication Server. Standalone, the OpenOTP server provides SOAP/XML and JSON interfaces over HTTP and HTTPS.

Cisco ASA

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. You also have to install our Radius Bridge product on your WebADM server(s). Additional documentation on that setup is provided by Cisco at this link. 2. Register your ASA SSL VPN in Radius Bridge On your OpenOTP RadiusBridge server, edit /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your ASA SSL VPN server.

How to use your Yubikey with RCDevs

1. Overview In this How-To, we will demonstrate how to reprogram your Yubikey with the Yubikey Personalization Tool, how to generate an inventory file through the Yubico tool to import the Yubikey into the WebADM inventory, and how to assign and use your Yubikey with OpenOTP. For this recipe, you will need to have WebADM and OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual. 2. Yubico Personalization Tool Once the Yubico Personalization Tool is installed, open it.

F5 BIG-IP APM

1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. You also have to install our Radius Bridge product on your WebADM server(s). 2. Register your F5 VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your F5 VPN server.

FIDO2 and Passkeys authentication with OpenOTP

1. Overview OpenOTP supports the FIDO2 standard from the FIDO Alliance for user authentication, as well as Passkeys provided by Google or Apple. If you intend to use OpenOTP with FIDO2 or Passkeys, please read this document, which explains how to enable and use them with your integrations. 1.1 FIDO2 FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

Juniper-Pulse

How To Enable OpenOTP Authentication On Juniper-Pulse Secure This document explains how to enable OpenOTP authentication with Radius Bridge and Juniper SSL VPN. 1. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. You also have to install our Radius Bridge product on your WebADM server(s). 2. Register Your Juniper VPN In RadiusBridge On your OpenOTP RadiusBridge server, edit the /opt/radiusd/conf/clients.

MIRKey / eHSM devices configuration (Hardware Security Module)

Setup of MIRkey / eHSM devices to use with WebADM 1. Introduction This guide will lead you through the setup of one or preferably several (for load-balancing and fail-over purposes) eHSM / MIRkey devices to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitive data. MIRkey HSMs require at least WebADM 2.0.17. 2. Download and install the ellipticSecure Device Manager Although it is possible to initialize and set up the eHSM or MIRkey using standard command-line PKCS#11 tools, we recommend using the ellipticSecure Device Manager GUI, which allows updating the firmware and setting up a backup domain so that backups from one device can be restored to a different device, which is particularly useful for load-balancing across several HSMs and for disaster recovery purposes.

Palo Alto

How To Enable OpenOTP Authentication in Palo Alto SSL VPN This document explains how to enable OpenOTP authentication in Palo Alto SSL VPN. 1. Register your Palo Alto VPN in RadiusBridge On your OpenOTP RadiusBridge server, edit /opt/radiusd/conf/clients.conf and add a RADIUS client (with IP address and RADIUS secret) for your Palo Alto VPN server. Example:
client <VPN Server IP> {
    secret = testing123
    shortname = PaloAlto-VPN
}
2. On Palo Alto Admin Interface, Set up a RADIUS Server Profile Enter the Palo Alto administration interface.

Smartcard HSM (Hardware Security Module)

Setup of SmartCard-HSM devices to use with WebADM 1. Introduction This guide will lead you through the setup of one or preferably several (for load-balancing and fail-over purposes) SmartCard-HSM devices to use hardware cryptography within WebADM, adding an extra layer of security to protect WebADM sensitive information. All steps of the initialization, configuration and replication of the devices can be performed with standard command line tools directly on the server where WebADM is installed, except for the generation of an AES secret key, which, as we write these lines, is only exportable to another device if it has been generated properly through the Smart Card Shell GUI.

NetIQ

1. Overview For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. 2. NetIQ Installation and Initial Configuration We used the NetIQ appliance version 4.3 downloaded from the Microfocus website (trial version). ISO file name: AM_43_AccessManagerAppliance_Eval-0831.iso It is SUSE Linux:
netiqam:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 4
NetIQ Access Manager Appliance 4.

YubiHSM Configuration (Hardware Security Module)

1. Product Documentation This document describes how to correctly configure the Yubico YubiHSM and enable it through the WebADM settings, in order to provide both hardware-level encryption and random seed generation (the strongest enterprise security available) in your RCDevs product. WebADM only needs a subset of commands to work with the YubiHSM, and the reader should note that this document is not a guide describing all possible modes of operation provided by the device itself.

pfSense

1. Overview This document explains how to enable OpenOTP authentication with Radius Bridge and pfSense. For this recipe, you will need to have WebADM and OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Administration Guide to do it. 2. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. You also have to install our Radius Bridge product on your WebADM server(s).

Swift Alliance Access

1. Overview In this documentation, we will demonstrate how to integrate OpenOTP with Swift Alliance Access 7.2 (AA). The LDAP and RADIUS protocols can be used to integrate AA with OpenOTP. Here, we will demonstrate the RADIUS integration. This guide has been written with the help of the official Swift Alliance Access 7.2 Administrator Guide. So here, we will use the RADIUS one-time password authentication method and not the embedded two-factor authentication module implemented in AA.

OpenVPN

1. Overview This document explains how to enable OpenOTP authentication with Radius Bridge and OpenVPN. The advantages of integrating RadiusBridge with OpenVPN are: Secure access with MFA. Authentication of LDAP users via the OpenVPN client. 2. WebADM/OpenOTP/Radius Bridge For this recipe, you will need to have WebADM/OpenOTP installed and configured. Please refer to the WebADM Installation Guide and WebADM Manual to do it. You also have to install our Radius Bridge product on your WebADM server(s).

RCDevs Identity Provider and integrations

1. Overview This document presents how to use WebADM as an Identity Provider (IdP) with different Service Providers (SPs) that consume OpenOTP for authentication processes. We will also see how we can configure and return different information per service provider through user/group and client policies. The installation of the OpenID/SAML IdP is straightforward and only consists of running the self-installer or installing the openid package from the RCDevs repositories and configuring the application in WebADM.

ADFS integrations

Simple Login Push Login 1. Product Documentation This document is an installation guide for the OpenOTP Authentication Provider for AD FS 3.0 / 4.0. The installation and configuration of WebADM, including token registration, is not covered in this guide. For installation and usage guides for WebADM, refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide available through the RCDevs online documentation library. 2. Product Overview The OpenOTP Authentication Provider for AD FS is a component that integrates RCDevs OpenOTP one-time password authentication into an Active Directory Federation Services server, adding OpenOTP authentication as a possible MFA option in the AD FS Management tool.

EAP Authentications

1. Overview This documentation provides comprehensive guidance on integrating RCDevs solutions with Extensible Authentication Protocol (EAP) methods for secure and efficient user and computer authentication. 802.1X is a specific IEEE standard that deals with network access control and authentication. It is used to ensure that only authorized devices and users can access a network. Here are the key points about 802.1X: Authentication: 802.1X provides a framework for authenticating devices or users before they are granted access to a network.

Microsoft Network Policy Server

1. Overview In this documentation, we will explain how to configure OpenOTP multi-factor authentication on your Microsoft Network Policy Server. As a practical example, we will configure NPS with Microsoft Remote Access Server for VPN use. For this recipe, you will need to have WebADM, OpenOTP and Radius Bridge installed and configured. Please refer to the WebADM Installation Guide, WebADM Manual and Radius Bridge Manual for instructions on these. Your Microsoft Network Policy Server and Remote Access Server should be installed and configured for VPN (PPTP, SSTP) use.

Windows Local Users and Computers Out Of Domain

1. Overview This tutorial explains how to configure WebADM/OpenOTP servers and the OpenOTP Credential Provider for Windows to authenticate local users using 2-factor authentication. We will also explain how to authenticate your users with OpenOTP and the OpenOTP Credential Provider for Windows on a computer out of the domain. Both scenarios require an LDAP server to store user metadata (token metadata needs to be stored on a user account in WebADM even for local account authentication).

Remote Desktop Web portal and Gateway

How To Configure MS Remote Desktop Services and RDWeb portal with OpenOTP Note The OpenOTP plugin for Remote Desktop Web portal works on Windows Server 2012, 2016, 2019 & 2022. 1. Prerequisites 1.1 Remote Desktop Services Infrastructure In this post, we will assume an existing Remote Desktop Services infrastructure is installed and available. This post will not cover how to set up RDS. Please refer to the Microsoft documentation and/or the TechNet blog for details about how to install and configure RDS.

Pluggable Authentication Module

How To Install and Configure PAM OpenOTP Plugin to Enable Multifactor Authentication on Linux Machines Simple login flow Push Login flow 1. Background On Unix-like systems, processes such as the OpenSSH daemon need to authenticate the user and learn a few things about them (user ID, home directory, …). Authentication is done through a mechanism called Pluggable Authentication Modules (PAM), and retrieving information about users (or even groups, hostnames, …) is done through another mechanism, called the Name Service Switch (NSS).

LDAP Bridge Server

1. Product Overview The main use-case of OpenOTP LDAP Bridge is enabling enterprise applications that use LDAP as an external authentication mechanism to work with OpenOTP. LDAP Bridge allows authentication to be delegated to an OpenOTP server transparently, without changing the LDAP back-end. From the client application's perspective, the main change is that it will use the LDAP Bridge as its LDAP server, instead of the back-end LDAP server.