Overview

The SelfDesk Web application is primarily intended for internal (corporate) use and includes several self-management features, such as:

  • Manage account information such as email, mobile phone numbers, etc.
  • Reset LDAP password according to a configurable password policy
  • Enroll, re-synchronize and test a Software / Hardware Token or Yubikey
  • Manage SSH keys (SpanKey)
  • Manage PDF Signatures
  • Manage own user certificates

The installation of SelfDesk is straightforward: run the self-installer or install the package from the RCDevs repository, then configure the application in WebADM.

You do not have to modify any files in the SelfDesk install directory. The web application's configuration is managed and stored in LDAP by WebADM. To configure SelfDesk, log in to WebADM as super administrator, go to the 'Applications' menu and click SelfDesk to enter the web-based configuration.

SelfDesk application logs are accessible in the Databases menu in WebADM.

To be able to use SelfDesk, any LDAP user must be a WebADM account. That means usable LDAP accounts are those containing the webadmAccount LDAP object class. You can enable the WebADM features on any LDAP user/group by extending it with the webadmAccount object class (from the object extension list).

Inline WebApps:
You can embed a Web app in your own website in an HTML iFrame or Object. Since the embedded page handles the user's credentials and tokens inside a third-party page, restrict which sites may frame it (the usual X-Frame-Options / Content-Security-Policy frame-ancestors headers) to the sites you control.

Example:

<object data="https://<webadm_addr>/webapps/selfdesk?inline=1"></object>

User Self-Service Desk Installation

The User Self-Service Desk application is included in the webadm_all_in_one package.

RPM Repository

On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.
Clean the package cache and install Self-Service Desk (SelfDesk):

dnf clean all
dnf install selfdesk

The User Self-Service Desk application is now installed.

Debian Repository

On a Debian system, you can use our repository, which simplifies updates.
Clean the package cache and install the User Self-Service Desk application (SelfDesk):

apt update
apt install selfdesk

The User Self-Service Desk application is now installed.

Self-Installer

Download the SelfDesk package from the RCDevs website, copy it to your WebADM server(s) and run the following commands:

[root@webadm1 tmp]# gunzip selfdesk-1.1.8-1.sh.gz
[root@webadm1 tmp]# sh selfdesk-1.1.8-1.sh 
Selfdesk v1.1.8-1 Self Installer
Copyright (c) 2010-2018 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.

Verifying package update... Ok
Install selfdesk in '/opt/webadm/webapps/selfdesk' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
Selfdesk has been successfully installed.
Restart WebADM services (y/n) y
Stopping WebADM HTTP service... Ok
Stopping WebADM Watchd service... Ok
Stopping WebADM PKI service... Ok
Checking library dependencies... Ok
Checking system architecture... Ok
Checking server configurations... Ok

Found Subscription license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR

Increasing shared memory to 40 MBytes
Increasing maximum HTTP workers to 64
Starting WebADM PKI service... Ok
Starting WebADM Session service... Ok
Starting WebADM Watchd service... Ok
Starting WebADM HTTP service... Ok

Checking server connections... 
Connected LDAP server: ad1.rcdevsdocs.com (192.168.4.163)
Connected SQL server: SQL Server 1 (192.168.4.163)
Connected PKI server: PKI Server 1 (192.168.4.160)
Connected Mail server: SMTP Server (146.59.204.189)
Connected Session server: Session Server 2 (192.168.4.161)

Checking LDAP proxy user access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Cloud service access... Ok

Cluster mode enabled with 2 nodes (I'm slave)
Session replication status: Active (0.0003 sec)
Please read the INSTALL and README files in /opt/webadm/webapps/selfdesk.

Selfdesk is now installed and can be configured under the WebADM Administrator Portal.

Selfdesk configuration

To configure the SelfDesk application, log in to the WebADM Administrator Portal, navigate to the Applications tab, and then go to Self-Service > User Self-Service Desk (SelfDesk) > CONFIGURE.

The first section of the SelfDesk configuration page contains the Web Application Settings. Here, you can control basic settings such as the default domain, whether the application is published through a reverse proxy or WAProxy, and whether a second factor is required to access the application.

The second section of the configuration page is Allowed Features, where you control which features are available to end-users. Enable only the features your end-users actually need. The Allowed OTP Methods setting lets end-users manage their OTP methods; note that this setting is configured at the user account level (User Policy) and may be overridden by higher-level policies, such as Client Policies.

The third section lets you allow end-users to issue:

  • Emergency OTPs;
  • SSH keys;
  • SSL certificates (user certificates).

In the Misc Settings section, you can configure a support email address and Token Application Download URLs. To display redirection buttons, provide the URLs using the following syntax:

IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth

You can configure three or more application redirection buttons if needed by using the same syntax.
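Because these buttons send users to download the authenticator app, a mistyped or tampered URL would point them at the wrong application. The following is an added example (not RCDevs code) that parses the "Label=URL, Label=URL" syntax described above and flags entries that are not HTTPS links to an approved app store; the allowlist of store hosts is an assumption you should adapt to your environment.

```python
"""Parse and validate the Token Application Download URLs setting.

Added example for this page, not RCDevs code. It checks the
"Label=URL, Label=URL" syntax used by the Misc Settings field before
the URLs are published to end-users as redirection buttons. It assumes,
as the documented syntax does, that URLs themselves contain no commas.
"""
from urllib.parse import urlsplit

# Stores from which users should be told to install the authenticator app.
# Assumed allowlist; extend it for an MDM or enterprise store if you use one.
ALLOWED_HOSTS = {"itunes.apple.com", "apps.apple.com", "play.google.com"}


def parse_download_urls(setting: str) -> dict:
    """Turn 'IOS=https://..., Android=https://...' into {label: url}."""
    result = {}
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"entry without '=': {entry!r}")
        label, url = entry.split("=", 1)
        label, url = label.strip(), url.strip()
        if not label or not url:
            raise ValueError(f"empty label or URL in {entry!r}")
        if label in result:
            raise ValueError(f"duplicate label {label!r}")
        result[label] = url
    return result


def validate_download_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return a list of problems with one download URL (empty list == ok)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        problems.append(f"host {host!r} is not an approved app store")
    if parts.username or parts.password:
        problems.append("URL embeds credentials (phishing-style decoration)")
    return problems


def check_setting(setting: str) -> dict:
    """Map each label to its list of problems; all-empty means the setting is safe."""
    return {label: validate_download_url(url)
            for label, url in parse_download_urls(setting).items()}


if __name__ == "__main__":
    # The value shown on this page, plus a constructed bad entry.
    good = ("IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, "
            "Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth")
    bad = good + ", Other=http://downloads.example.org/openotp.apk"
    for name, value in (("good", good), ("bad", bad)):
        print(name, check_setting(value))
```

Run the check on the setting value before saving it in WebADM; any label whose list is non-empty should be corrected first.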

Proxy_user permissions for Active Directory

Any action performed by a user through the SelfDesk application modifies the LDAP attributes of the authenticated user. These changes are executed by the proxy_user (service account) defined in the webadm.conf file, so the proxy_user must hold the permissions required for the actions allowed through SelfDesk, and no more: delegate write access only on the attributes (and, if password changes are enabled, the password reset right) that the enabled features need, rather than granting broad write rights on user objects. For the complete list of permissions, refer to the Active Directory ACLs for proxy_user documentation.

SelfDesk Usage

The SelfDesk application is accessible on the WebADM server at the following address:

https://your_webadm_address/webapps/selfdesk/index.php

If accessed through WAProxy or a reverse proxy, the default address is:

https://your_waproxy_or_reverse_proxy_address/selfdesk/index.php

Manage personal information (Home)

The Home tab allows you to view and manage account information such as mobile phone number, email address and preferred language, and to change your LDAP password. The change password feature requires the Secure Password Reset (PwReset) application to be installed and configured.

Click on Edit Information to change your information.

Click on Update to save the new information provided for your account.

Click on Change Password and follow the instructions to update your LDAP account password.

Tokens enrollment (OTP)

By navigating to the OTP tab, users can customize their authentication settings and manage token registrations.

Click on the Register Token button to start the registration process.

Choose between Hardware, YubiKey, QRCode-based or Manual registration, according to the type of token you want to register.

Software Token

Press I use QRCode-Base authenticator and a QRCode is displayed.

Scan the QRCode with the Token application previously installed on your phone. This creates a token entry in the application and a 6-digit code appears.

Enter the OTP provided by your application. This step is needed only if you are not using Push login. With Push login enabled, you do not need to provide the OTP, as the registration is confirmed by a communication from the OpenOTP Token application (phone) to the server.

Click on Test Login to verify that the Software Token has been successfully enrolled.

Enter the OTP from the OpenOTP Smartphone App (only without Push login).

The User Statistics show the Login Count, Last Login and Blocking Status.

Click on Resync Token if the Software Token is out of sync. Time-based tokens only work when the phone and the server agree on the current time, so always use an NTP server on the WebADM servers and on the endpoints.
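To show why clock skew breaks a software token and what a resynchronisation actually recovers, here is an added example (not OpenOTP's implementation) of RFC 6238 TOTP verification with a one-step tolerance window, plus the classic OATH-style resync that derives the token's clock offset from two consecutive codes. The secret and timestamps are the RFC 6238 test values; the window size, the drift search range and the per-token offset are assumptions for the demo.

```python
"""TOTP verification with a drift window and a resynchronisation search.

Added example for this page, not OpenOTP's implementation. It shows why the
"Resync Token" button and NTP matter: the server and the phone each compute
the code from their own clock, so a skew of more than one 30-second step
makes valid codes fail until the server learns the offset.
"""
import hashlib
import hmac

STEP = 30          # RFC 6238 default time step in seconds
DIGITS = 6         # the 6-digit codes shown by the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, otp: str, at_time: int, *,
                window: int = 1, offset_steps: int = 0, step: int = STEP) -> bool:
    """Accept the code if it matches the current step or one within +-window.

    offset_steps is the per-token clock correction learned by a resync
    (assumed to be stored with the token). Each comparison is constant-time.
    """
    base = at_time // step + offset_steps
    return any(hmac.compare_digest(hotp(secret, base + d), otp)
               for d in range(-window, window + 1))


def resync(secret: bytes, otp1: str, otp2: str, at_time: int, *,
           max_drift_steps: int = 200, step: int = STEP):
    """Find the token's clock offset from two consecutive codes (OATH-style resync).

    Two codes are required so that a single guessed code cannot be used to
    "resync" an attacker's guess into the accepted window. Returns the offset
    in steps, or None if no consistent pair is found within the search range.
    """
    base = at_time // step
    for d in range(-max_drift_steps, max_drift_steps + 1):
        if (hmac.compare_digest(hotp(secret, base + d), otp1)
                and hmac.compare_digest(hotp(secret, base + d + 1), otp2)):
            return d
    return None


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); constructed times.
    secret = b"12345678901234567890"
    print(totp(secret, 59))                        # 287082 (RFC 6238 vector, 6 digits)
    print(verify_totp(secret, "287082", 59 + 60))  # False: phone is two steps behind
    print(resync(secret, "081804", "050471", 1111111111 + 150))  # -6
```

The last call models a phone whose clock is three minutes behind the server: the single-step window rejects its codes, but two consecutive codes pin the offset to six steps, after which verify_totp can be called with offset_steps=-6. Keeping the window small and resync limited to a bounded search keeps the number of codes an attacker could guess per attempt proportional to the window, not to the drift range.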

Hardware Token (Inventoried)

To register an inventoried hardware token, select the Hardware option, then provide the serial number written on the back of the token and the OTP it displays; both are needed to validate the enrollment and initialize the token.

Press the Next button. If all the information provided is successfully validated by the server, the token is enrolled on the account.

Yubikey (Inventoried/Yubicloud)

To enroll a Yubikey, select the YubiKey option and press the Yubikey when you are invited to do so.

If the enrollment finishes successfully, a confirmation message appears.

FIDO & Passkeys enrollments (FIDO)

From the FIDO tab, you can register your FIDO keys or Passkeys. Choose an empty slot and click Register to begin the registration process.

Once you are on the following screen, plug the FIDO device you want to register into your computer and press the red blinking message.

Once you click on the red message, if multiple FIDO devices or Passkeys are available, you will be prompted to choose the one you want to register; the example below uses the security key option. The steps and screens displayed may vary depending on the web browser used for the registration.

The FIDO key is then detected. In this example, access to the key is protected by a PIN that has already been configured. Refer to your security key provider's documentation to set up PIN or biometric protection.

Enter the configured PIN to unlock the key.

After pressing the key, the FIDO device is enrolled and can be used to log in on systems requiring FIDO authentication.

Press Ok and you will be redirected to the FIDO tab, where you can see the registered device.

You can test that the key is working correctly by clicking the Test FIDO login button. The key will be detected by the web browser and will blink, asking for the PIN. Provide the PIN and press the security key to complete the authentication test.

Once the test succeeds, the FIDO device is correctly registered and ready to be used in your company's FIDO integrations.

Refer to the FIDO & Passkeys documentation for more information.
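The PIN or biometric step described above is reported to the server as a single bit in the authenticator data that every WebAuthn registration and login returns. The following added example (not WebADM's FIDO code) parses that structure and applies the checks a relying party makes before storing a credential: the response is for our RP ID, the user was present, the key was unlocked (UV flag), and attested credential data is included. The RP ID, sample credential ID and the stand-in for the COSE public key are constructed for the demo.

```python
"""Parse the authenticator data returned by a FIDO2/WebAuthn registration.

Added example for this page, not WebADM's FIDO code. The PIN or biometric
prompt is reported back to the relying party as a single bit (UV) in this
structure, so a server that wants "PIN-protected keys only" must check that
bit rather than trust that the browser asked for a PIN.
Layout per the WebAuthn spec: rpIdHash(32) | flags(1) | signCount(4) |
[attestedCredentialData] | [extensions].
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # backup state (currently backed up)
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticator data into its fields; raises ValueError if malformed."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    info = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
        "credential_id": None,
        "cose_public_key": None,
    }
    pos = 37
    if flags & FLAG_AT:
        if len(auth_data) < pos + 18:
            raise ValueError("truncated attested credential data")
        info["aaguid"] = auth_data[pos:pos + 16]
        (cred_len,) = struct.unpack(">H", auth_data[pos + 16:pos + 18])
        pos += 18
        if len(auth_data) < pos + cred_len:
            raise ValueError("credential id runs past the end of the data")
        info["credential_id"] = auth_data[pos:pos + cred_len]
        pos += cred_len
        # The rest is the CBOR-encoded COSE public key (and extensions if ED is
        # set); CBOR decoding is out of scope here, so it is returned raw.
        info["cose_public_key"] = auth_data[pos:]
    return info


def check_registration(auth_data: bytes, rp_id: str, *, require_uv: bool = True) -> list:
    """Policy checks a relying party applies before storing a new credential.

    Returns a list of failures; an empty list means the registration is acceptable.
    """
    info = parse_auth_data(auth_data)
    failures = []
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash does not match our RP ID (response for another site)")
    if not info["user_present"]:
        failures.append("UP flag not set: no user presence test")
    if require_uv and not info["user_verified"]:
        failures.append("UV flag not set: key was not unlocked with PIN or biometric")
    if info["credential_id"] is None:
        failures.append("no attested credential data in a registration response")
    return failures


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0,
                    credential_id: bytes = b"\x11" * 16) -> bytes:
    """Construct sample authenticator data for the demo (not from a real key)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
    data += struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += b"\x00" * 16                       # AAGUID (zero for the sample)
        data += struct.pack(">H", len(credential_id)) + credential_id
        data += b"\xa0"                            # empty CBOR map standing in for the COSE key
    return data


if __name__ == "__main__":
    rp = "webadm.example.com"   # assumed RP ID
    good = build_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_AT)
    no_pin = build_auth_data(rp, FLAG_UP | FLAG_AT)
    print(check_registration(good, rp))      # []
    print(check_registration(no_pin, rp))    # UV flag not set
```

The same parser serves the login test: on authentication, compare the returned sign_count with the stored one and treat a non-increasing counter on a non-synced key as a possible cloned authenticator.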

SSH Key enrollment for Spankey usage

From the SSH tab, you can manage your SSH key(s) for use with Spankey. The following actions are possible:

  • Generate a new SSH key
  • Register a FIDO key as an SSH key
  • Register a PIV key as an SSH key
  • Import an existing SSH key (public key)
  • Remove a currently registered SSH key

Generate a new SSH key

Click on the Generate SSH Key button to start the SSH key registration process.

On the next screen, if the SpanKey server configuration allows users to choose the key format and length, you can adjust these values. Otherwise, these options are grayed out and you can click the Register button to generate the SSH key pair.

Once the key is successfully generated, you are redirected to a screen where you can download the private key in PuTTY or OpenSSH format. Choose your preferred export format, set an export password (strongly recommended, and mandatory if enforced at the configuration level, since it is what protects the downloaded file from anyone who obtains a copy) and press the Download Private Key button.

Once your private key is downloaded, click the Back To Self-Service button. You will then see the public part of the key registered on your user account.
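Whether the key is generated by the server or imported by the user (the "Import an existing SSH key" action listed above), what ends up on the account is an OpenSSH public key line. The following added example (not SpanKey code) parses that line, reports the key type and size, computes the SHA256 fingerprint that ssh-keygen -lf would show on the user's side, and applies an assumed key policy (modern types only, RSA of at least 2048 bits). The sample keys are constructed in the block and are not exported from real key pairs.

```python
"""Inspect an OpenSSH public key line before registering it for SpanKey.

Added example for this page, not SpanKey code. When a user imports an
existing key, the only thing the server receives is the public half, so the
checks that matter are the key type and size, plus the SHA256 fingerprint
you compare against the one the user sees with ssh-keygen -lf.
"""
import base64
import hashlib

# Assumed policy: modern types only, RSA no shorter than 2048 bits.
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa",
                  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_string(blob: bytes, pos: int):
    """Read one SSH wire 'string' (uint32 length + bytes); return (value, new_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    n = int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 + n > len(blob):
        raise ValueError("string length runs past the end of the blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def inspect_public_key(line: str) -> dict:
    """Parse '<type> <base64-blob> [comment]' into type, size in bits and fingerprint."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the type inside the blob")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)       # public exponent
        n, pos = _read_string(blob, pos)        # modulus (mpint, may carry a 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        pk, pos = _read_string(blob, pos)
        bits = len(pk) * 8                      # 32-byte point -> 256
    elif key_type.startswith("ecdsa-sha2-nistp"):
        _curve, pos = _read_string(blob, pos)
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    else:
        bits = 0
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint, "comment": comment}


def check_key_policy(info: dict, min_rsa_bits: int = MIN_RSA_BITS):
    """Return (accepted, reason) for a parsed key."""
    if info["type"] not in ACCEPTED_TYPES:
        return False, f"key type {info['type']} is not accepted"
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        return False, f"RSA key is only {info['bits']} bits (minimum {min_rsa_bits})"
    return True, "ok"


# --- constructed sample keys (built here, not exported from real key pairs) ---
def _string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


def _mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)


def sample_key(key_type: str, rsa_bits: int = 2048) -> str:
    """Build a syntactically valid public key line of the given type for testing."""
    if key_type == "ssh-ed25519":
        blob = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    elif key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (rsa_bits - 1)) | 1)
    else:
        raise ValueError("sample_key only builds ed25519 and rsa")
    return f"{key_type} {base64.b64encode(blob).decode()} demo@example"


if __name__ == "__main__":
    for line in (sample_key("ssh-ed25519"), sample_key("ssh-rsa", 1024)):
        info = inspect_public_key(line)
        print(info["type"], info["bits"], info["fingerprint"], check_key_policy(info))
```

The fingerprint is computed over the decoded blob exactly as OpenSSH does, so it matches the value the user sees locally with ssh-keygen -lf and can be read back to them over a second channel before the key is accepted.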

Electronic Signing (Sign)

The Sign tab allows users connected to the Selfdesk application to electronically sign documents. This feature is available starting from WebADM 2.0.23, Selfdesk 1.2.6, and OpenOTP 2.0. It also requires the OpenOTP Token application, with Push functionality configured in your WebADM infrastructure and a Push token enrolled on the user account.

Go to the Sign tab.

You can choose the Signature Mode you want to use from the following options:

  • Standard (Handwritten Signature): the signature is drawn on the mobile device during the transaction.
  • Advanced (Personal Certificate): the certificate is issued by the PKI service included in WebADM.
  • Advanced (External eIDAS Devices): this mode requires a qualified signature creation device (QSCD).

For more information regarding the three modes, please refer to Regulation (EU) No 910/2014 of the European Parliament (eIDAS) and the OpenOTP Signature documentation.

In the example below, the Advanced (Personal Certificate) signature mode is used.

Drag and drop the document you want to sign, or click in the white area to import the PDF.

Once the document is uploaded, the user receives a push notification on the OpenOTP Token application to sign the document.

Click the Next button to review the document.

On the next screen, if no certificate is attached to the user's token, the OpenOTP Token application prompts you to request a signature certificate from the WebADM PKI. Click the Generate button. The token communicates with your configured mobile endpoint URL to submit its CSR and receive the signed certificate.

Once the certificate has been issued by the WebADM PKI, you can sign the document by clicking Sign. After signing, the document is returned to the server.

The transaction is submitted to the server.

The document is then downloaded automatically from the User Self-Service Desk.

SSL Certificates (PKI)

From the PKI tab, users can:

  • Issue an SSL certificate (user certificate);
  • Retrieve the SSL certificate of another user, which is useful for S/MIME, for example;
  • Download the WebADM CA certificate.

Issue a new certificate

Click on Add New Certificate button.

The certificate is issued and a password is automatically generated to protect the certificate bundle. Copy the password and click the Download button. Store the password separately from the downloaded bundle, as it is what protects the bundle's contents if the file is lost or copied.
Click Ok to return to the PKI menu.

Retrieve SSL Certificate of Another User

For purposes such as S/MIME, you can download the SSL certificate of another user by clicking the Get Other User Certificate button and import it into your certificate trust store. Enter the username of the user whose certificate you wish to retrieve and click the Find button.

If a certificate is available for that user, a screen shows the certificate's validity information and offers to download it.

Download the WebADM CA certificate

Click on the Get WebADM CA Certificate button to download the WebADM CA certificate. Add it to your certificate trust store to trust other certificates issued by WebADM.

Badging portal (Badging)

The badging feature is designed to work with the OpenOTP Token mobile application provided by RCDevs. However, if some users forget their phone at home or do not have the OpenOTP Token application installed, you can allow badge-in, badge-out, and check operations through the SelfDesk application.
Access the Badging tab.

Click on the Badge-In button. When the operation is successful, a confirmation message is displayed.

Press Ok. Your account is then badged-in, granting access to policies that require badging and unlocking the account at the LDAP level if that feature has been enabled.