Overview
This Web application is mostly designed for internal (corporate) use and includes several self-management features like:
- Manage account information such as email, mobile phone numbers, etc.
- Reset LDAP password according to a configurable password policy
- Enroll, re-synchronize and test a Software / Hardware Token or Yubikey
- Manage SSH keys (SpanKey)
- Manage PDF Signatures
- Manage own user certificates
The installation of SelfDesk is straightforward and only consists of running the self-installer or installing it from the RCDevs repository, then configuring the application in WebADM.
You do not have to modify any files in the SelfDesk install directory! The web application configurations are managed and stored in LDAP by WebADM. To configure SelfDesk, just enter WebADM as super administrator and go to the 'Applications' menu. Click SelfDesk to enter the web-based configuration.
SelfDesk application logs are accessible in the Databases menu in WebADM.
To be able to use SelfDesk, any LDAP user must be a WebADM account. That means usable LDAP accounts are those containing the webadmAccount LDAP object class. You can enable the WebADM features on any LDAP user/group by extending it with the webadmAccount object class (from the object extension list).
Inline WebApps:
You can embed a Web app on your website in an HTML iFrame or Object.
Example:
<object data="https://<webadm_addr>/webapps/selfdesk?inline=1"></object>
User Self-Service Desk Installation
The User Self-Service Desk application is included in the webadm_all_in_one package.
RPM Repository
On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates.
Clean yum cache and install Self-Service Desk (SelfDesk):
dnf clean all
dnf install selfdesk
The User Self-Service Desk application is now installed.
Debian Repository
On a Debian system, you can use our repository, which simplifies updates.
Clean cache and install the User Self-Service Desk application (SelfDesk):
apt update
apt install selfdesk
The User Self-Service Desk application is now installed.
Self-Installer
Download the Selfdesk package from the RCDevs website, copy it to your WebADM server(s) and run the following commands:
[root@webadm1 tmp]# gunzip selfdesk-1.1.8-1.sh.gz
[root@webadm1 tmp]# sh selfdesk-1.1.8-1.sh
Selfdesk v1.1.8-1 Self Installer
Copyright (c) 2010-2018 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.
Verifying package update... Ok
Install selfdesk in '/opt/webadm/webapps/selfdesk' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
Selfdesk has been successfully installed.
Restart WebADM services (y/n) y
Stopping WebADM HTTP service... Ok
Stopping WebADM Watchd service... Ok
Stopping WebADM PKI service... Ok
Checking library dependencies... Ok
Checking system architecture... Ok
Checking server configurations... Ok
Found Subscription license (RCDEVSSUPPORT)
Licensed by RCDevs Security SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR
Increasing shared memory to 40 MBytes
Increasing maximum HTTP workers to 64
Starting WebADM PKI service... Ok
Starting WebADM Session service... Ok
Starting WebADM Watchd service... Ok
Starting WebADM HTTP service... Ok
Checking server connections...
Connected LDAP server: ad1.rcdevsdocs.com (192.168.4.163)
Connected SQL server: SQL Server 1 (192.168.4.163)
Connected PKI server: PKI Server 1 (192.168.4.160)
Connected Mail server: SMTP Server (146.59.204.189)
Connected Session server: Session Server 2 (192.168.4.161)
Checking LDAP proxy user access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Cloud service access... Ok
Cluster mode enabled with 2 nodes (I'm slave)
Session replication status: Active (0.0003 sec)
Please read the INSTALL and README files in /opt/webadm/webapps/selfdesk.
Selfdesk is now installed and can be configured under the WebADM Administrator Portal.
Selfdesk configuration
To configure the SelfDesk application, log in to the WebADM Administrator Portal, navigate to the Applications tab, and then go to Self-Service > User Self-Service Desk (SelfDesk) > CONFIGURE.
The first section of the SelfDesk configuration page contains the Web Application Settings. Here, you can control basic settings such as the default domain, whether the application is published through a reverse proxy or WAProxy, and whether a second factor is required to access the application.
The second section of the configuration page contains the Allowed Features section, where you can control which features are available to end-users. Enable the features your end-users will need according to your requirements. The Allowed OTP Methods setting allows end-users to manage their OTP methods, though this setting is configured at the user account level (User Policy) and may be overridden by higher-level policies, such as Client Policies.
The last section lets you give end-users the ability to issue:
- Emergency OTP;
- SSH Keys;
- SSL Certificates (user);
In the Misc Settings section, you can configure a support email address and Token Application Download URLs. To display redirection buttons, provide the URLs using the following syntax:
IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth
You can configure three or more application redirection buttons if needed by using the same syntax.
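The download-URL syntax above is easy to get wrong because the Android store URL itself contains an "=" in its query string. The following validator, added here as an illustration and not part of SelfDesk or any RCDevs code, parses a value in that syntax into platform/URL pairs, splitting each entry on the first "=" only, accepting any number of platforms, and rejecting non-https URLs and duplicate platform names. The function name and the sample value are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the syntax documented for Token Application Download URLs:
# PLATFORM=URL pairs separated by commas (commas inside a URL are not supported).
SAMPLE_VALUE = (
    "IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, "
    "Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth"
)


def parse_download_urls(value: str) -> dict:
    """Parse 'PLATFORM=URL, PLATFORM=URL, ...' into {platform: url}.

    Each entry is split on the FIRST '=' only: the Android URL carries
    '?id=com.rcdevs.auth', so a naive split on every '=' would truncate it.
    Raises ValueError for malformed entries, non-https URLs or duplicates.
    """
    result = {}
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma
        if "=" not in entry:
            raise ValueError(f"missing '=' in entry: {entry!r}")
        platform, url = (part.strip() for part in entry.split("=", 1))
        if not re.fullmatch(r"[A-Za-z0-9_-]+", platform):
            raise ValueError(f"invalid platform name: {platform!r}")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{platform}: expected an https URL, got {url!r}")
        if platform in result:
            raise ValueError(f"duplicate platform: {platform!r}")
        result[platform] = url
    return result


if __name__ == "__main__":
    for platform, url in parse_download_urls(SAMPLE_VALUE).items():
        print(f"{platform}: {url}")
```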
Proxy_user permissions for Active Directory
Any actions performed by a user through the SelfDesk application will modify the LDAP attributes of the authenticated user. These changes will be executed by the proxy_user (service account) defined in the webadm.conf file. The proxy_user must have the necessary permissions for the actions allowed through the SelfDesk application. For a complete list of permissions, refer to the Active Directory ACLs for proxy_user documentation.
SelfDesk Usage
The SelfDesk application is accessible on the WebADM server at the following address:
https://your_webadm_address/webapps/selfdesk/index.php
If accessed through WAProxy or a reverse proxy, the default address is:
https://your_waproxy_or_reverse_proxy_address/selfdesk/index.php
Manage personal information (Home)
The Home tab allows you to view and manage account information such as mobile phone number, email address, preferred language, and change your LDAP password. The change password feature requires the Secure Password Reset (PwReset) application to be installed and configured.
Click on Edit Information to change the user's information.
Click on Update to save the new information provided for your account.
Click on Change Password and follow the instructions to update your LDAP account password.
Tokens enrollment (OTP)
By navigating to the OTP tab, users can customize their authentication settings and manage token registrations.
Click on the Register Token button to start the registration process.
Choose between Hardware, YubiKey, QRCode-based or Manual Registration of the Token according to the type of Token you want to register.
Software Token
Press I use QRCode-Based authenticator; a QRCode is then displayed, as in the example below:
Scan the QRCode with the Token application previously installed on your phone. It should create a token entry in your application and a 6-digit code should appear.
Enter the OTP provided by your application. This step is needed only if you are not using Push login. With Push login enabled, you don't need to provide the OTP, as the registration is completed through a communication from the OpenOTP Token application (phone) to the server.
Click on Test Login to verify that the Software Token has been successfully enrolled.
Enter the OTP from the OpenOTP Smartphone App (only without Push Login).
In the User Statistics, you will find the Login Count, Last Login and Blocking Status.
Click on Resync Token if the Software Token is out of sync. Always use an NTP Server on the WebADM Servers and the Endpoints.
Hardware Token (Inventoried)
To register an inventoried hardware token, select the correct option as shown in the screenshot below. You need to provide the serial number written on the back of the token and an OTP in order to validate the enrollment and initialize the Token.
Press the Next button; if all the information provided is successfully validated by the server, the token is enrolled on the account.
Yubikey (Inventoried/Yubicloud)
To enroll a YubiKey, select the correct option as shown in the screenshot below and press the YubiKey when prompted:
If the enrollment finishes successfully, a confirmation message like the one below appears:
FIDO & Passkeys enrollments (FIDO)
From the FIDO tab, you can register your FIDO keys or Passkeys. Choose an empty slot and click Register to begin the registration process.
Once you are on the following screen, plug the FIDO device you want to register into your computer and press the blinking red message.
Once you click on the red message, if multiple FIDO devices or Passkeys are available, you will be prompted to choose the one you want to register. Below, I selected the security key option. The steps and screens displayed may vary depending on the web browser you are using for the registration.
In the screens below, the FIDO key has been detected, and access to the key is protected by a PIN that has already been configured. Refer to your security key provider's documentation to set up PIN or biometric protections.
I enter the configured PIN to unlock the key:
After pressing the key, the FIDO device is enrolled and can be used to log in on systems requiring FIDO authentication.
Press Ok and you will be redirected to the FIDO tab, where you can see the registered device.
You can test whether the key is working correctly by clicking the Test FIDO login button. The key will be detected by the web browser and will blink, asking for the PIN. Provide the PIN and press the security key to complete the authentication test.
I am successfully authenticated, my FIDO device is correctly registered and ready to be used in my company's FIDO integrations.
Refer to the FIDO & Passkeys documentation for more information.
SSH Key enrollment for Spankey usage
From the SSH tab, you can manage your SSH key(s) for use with Spankey. The following actions are possible:
- Generate a new SSH key
- Register a FIDO key as an SSH key
- Register a PIV key as an SSH key
- Import an existing SSH key (public key)
- Remove a currently registered SSH key
Generate a new SSH key
Click on the Generate SSH Key button to start the SSH key registration process:
On the next screen, if the Spankey server configuration allows users to choose the key format and length, you can adjust these values. Otherwise, these options will be grayed out, and you can click the Register button to generate the SSH key pair.
Once the key is successfully generated, you will be redirected to a screen where you can download the private key in PuTTY or OpenSSH format. Choose your preferred export format, configure an export password if desired (and if not enforced at the configuration level), and press the Download Private Key button.
Once your private key is downloaded, click the Back To Self-Service button. You will then see the public part of the key registered on your user account.
Electronic Signing (Sign)
The Sign tab allows users connected to the Selfdesk application to electronically sign documents. This feature is available starting from WebADM 2.0.23, Selfdesk 1.2.6, and OpenOTP 2.0. It also requires the OpenOTP Token application, with Push functionality configured in your WebADM infrastructure and a Push token enrolled on the user account.
Go to the Sign tab.
You can choose the Signature Mode you want to use from the following options:
- Standard (Handwritten Signature): This will be drawn on the mobile device during the transaction.
- Advanced (Personal Certificate): The certificate is issued by the PKI service included in WebADM.
- Advanced (External eIDAS Devices): This mode requires a qualified signature creation device (QSCD).
For more information regarding the 3 modes, please refer to the REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT and the OpenOTP Signature documentation.
In the example below, I will use the Advanced (Personal Certificate) signature mode.
Drag and drop the document you want to sign, or click in the white area to import the PDF. Once the file is loaded in the SelfDesk application, you will receive a push notification.
Once the document is uploaded, the user receives a notification on the OpenOTP Token application to sign the document.
Click the Next button to review the document:
On the next screen, if no certificate is attached to the user's token, the OpenOTP Token application will prompt you to request a signature certificate from the WebADM PKI. Click the Generate button. The token will communicate with your configured mobile endpoint URL to submit its CSR and receive the signed certificate.
Once the certificate has been issued by the WebADM PKI, you can sign the document by clicking Sign. After signing, the document will be returned to the server.
The transaction is submitted to the server.
The document will be downloaded automatically from the User Self-Service Desk.
SSL Certificates (PKI)
From the PKI tab, users can:
- Issue an SSL certificate (user certificate);
- Retrieve the SSL certificate of another user, which is useful for S/MIME purposes, for example.
- Download the WebADM CA certificate.
Issue a new certificate
Click on the Add New Certificate button.
The certificate has been issued successfully, and a password has been automatically added to protect the certificate bundle. Copy the password and click the Download button.
Click Ok to return to the PKI menu.
Retrieve SSL Certificate of Another User
For purposes such as S/MIME capabilities, you can download the SSL certificate of another user by clicking the Get Other User Certificate button and import it into your SSL certificate trust store. Enter the username of the user whose SSL certificate you wish to retrieve, and click the Find button.
If a certificate is available for the user you are looking for, you will see the following screen, which provides information about the certificate's validity and the option to download it.
Download the WebADM CA certificate
Click on the Get WebADM CA Certificate button to download the WebADM CA certificate. Add it to your certificate trust store to trust other certificates issued by WebADM.
Badging portal (Badging)
The badging feature is designed to work with the OpenOTP Token mobile application provided by RCDevs. However, if some users forget their phone at home or do not have the OpenOTP Token application installed, you can allow badge-in, badge-out, and check operations through the SelfDesk application.
Access the Badging tab to see the following link:
Click on the Badge-In button. When the operation is successful, you will see the following message:
Press Ok. Your account will then be badged-in, granting access to policies that require badging and unlocking the account at the LDAP level if that feature has been enabled.