Overview
The User Self-Registration (SelfReg) application is a web application provided by RCDevs that is installed on the WebADM server. This application allows users to manage their OTP/FIDO2 tokens, SSH keys, application passwords (App Keys), and certificate enrollments.
The SelfReg application is similar to the User Self-Service Desk, with one key difference: the User Self-Registration can only be accessed through a request from a WebADM or Helpdesk Administrator. To grant access, the Administrator sends a Self-Registration request to the user, who then receives a one-time link to access the application. Once the user logs in, the access link is revoked, and the user cannot use it again. The links can be provided to end-users by Mail or by SMS. An SMTP/SMS gateway must be configured in order to deliver the One Time access link to the end-user.
To use SelfReg, any LDAP user must be a WebADM account (licensed).
The installation of SelfReg is straightforward and involves either running the self-installer or installing the package from the RCDevs repositories. It is also included in the webadm_all_in_one package.
After installation, you need to register and configure the application in WebADM. There is no need to modify any files in the SelfReg installation directory, as all web application configurations are managed and stored in LDAP by WebADM.
URL example when a user accesses the application through the WebADM server:
https://webadm_server_address/webapps/selfreg/
URL example when a user accesses the application through the WAProxy:
https://waproxy_ip/selfreg/
Installation
The User Self-Registration application can be installed using our package repositories or through a self-installer.
Install with Redhat Repository
On a RedHat, CentOS or Fedora system, you can use the RCDevs repository.
Clean dnf cache and install the User Self-Registration (SelfReg):
dnf clean all
dnf install selfreg
The User Self-Registration application is now installed.
Install with Debian Repository
On a Debian or Ubuntu system, you can use the RCDevs repository:
Clean apt cache and install the User Self-Registration (SelfReg):
apt update
apt install selfreg
The User Self-Registration application is now installed.
Install Using the Self-Installer
The installation of the User Self-Registration application takes only a few minutes. Download the User Self-Registration self-installer package from the RCDevs website and copy the installer file to your server, for example with WinSCP.
To install the User Self-Registration, log into the server with SSH and run the following commands:
gunzip selfreg-1.x.x.sh.gz
bash selfreg-1.x.x.sh
Webapp Integration
You can embed the web application in your own website in an HTML iFrame or Object. Example:
<object data="https://<webadm_addr>/webapps/selfreg?inline=1"></object>
SelfReg Configuration
Once the application is installed, you need to register it through the WebADM Administrator Portal.
To do this, log in to the WebADM GUI with a super_admin account. Click on the Applications tab, then, in the Categories box on the left, select Self-Service. You should see the User Self-Registration application listed there.
Click on the Register button to create the LDAP configuration object for the application. After registration, you can configure it by clicking the Configure button.
The first section contains the default Web Application Settings, similar to other web applications provided by RCDevs.
The User Self-Registration application is designed for secure access through WAProxy or a reverse proxy. By default, access is granted via a one-time link provided to the end user. Optionally, you can additionally require the user's LDAP password or a user certificate to access the application; because the link is otherwise the only credential, this protects against a link read from the user's mailbox or SMS inbox.
The second section of the configuration page includes the Allowed Features section, where you can control which features are available to end users. Enable the features based on your requirements to grant the appropriate access.
The OTP Token Management section defines the token methods that users can register.
The Default Token Type setting enforces a default view for the selected token type. For example, if QRCODE-TOTP is selected, when a user attempts to add a token, the focus will automatically be on QRCODE-TOTP. The user will need to click the back button in the self-service interface to select a different token type for registration.
The SSH Key Management section allows you to configure the types of SSH keys that end users can register for Spankey usage. Additionally, it includes a Key Password Length setting to enforce password protection for the keys.
The Mail/SMS Link section allows you to configure:
- Registration URL: the external web application URL or reverse proxy mapping. This URL is included in the mail or SMS sent to the end user, depending on the chosen delivery mode. When the application is published through WAProxy, the URL is https://iam.rcdevsdocs.com/selfreg/ : the webapps/ segment is omitted when applications are accessed through WAProxy. If you use your own reverse proxy, you can configure URL redirection and rewriting as needed.
- Link Delivery Mode: Mail (the self-registration request is sent to the user's email address(es)), SMS (the request is sent to the user's mobile number(s)), or MAILSMS (the request is sent via both email and SMS).
- Link Expiration Time: the default time, in hours, after which the one-time link expires automatically.
The Email & SMS Settings section allows you to configure:
- Email Subject: customize the subject line of emails sent to end users.
- Secure Email: when enabled, emails are encrypted with the public key of the user's certificate (S/MIME). If no certificate is available for a user, the system falls back to unencrypted mail for that user, so the one-time link is then sent in clear for that recipient.
- SMS Message Type: Normal or Flash. In Flash mode, SMS messages are not stored on the mobile phone.
The PKI Management section allows you to configure a user certificate validity period that differs from the default value set in rsignd.conf. If it is not configured, the default value from rsignd.conf is used. You can also let users specify Extended Key Usage (EKU) settings for S/MIME and for Smartcard login on Windows.
In the Misc Settings section, you can configure a Support Email address and the Token Application Download URLs. To display redirection buttons, provide the URLs using the following syntax:
IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth
Three or more application redirection buttons can be configured if needed by extending the same comma-separated syntax.
SelfReg Usage
Send a Self-Registration Request to a User
To send a self-registration request to a user, you can choose from several methods:
- Automatic Sending: the system can trigger and send registration links automatically based on specified conditions. For example, if a user attempts to log in to a client system configured with OpenOTP, the login mode is set to LDAP+OTP with the OTP Type configured as TOKEN, but the user has no registered token, the login attempt fails. If the Send Self-Registration Links setting is enabled in the OpenOTP configuration, a self-registration link giving access to the SelfReg portal is sent to the user automatically.
- Manual Sending: links can be sent manually through the WebADM Administrator or Help Desk portals. From the WebADM Administrator portal, click on a licensed user account. In the Application Action box, click on User Self-Registration. You will be redirected to the Self-Registration request form to prepare the request. Configure the desired settings and click Send. A confirmation message appears if the request is sent successfully.
- API Integration: use the WebADM Manager APIs to send self-registration links programmatically. The method is the following one:
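Added example, not RCDevs code and not the Manager API method this page leaves unnamed: a minimal Python client that frames one Manager API call as JSON-RPC 2.0 over HTTPS with HTTP Basic authentication and checks the reply before trusting it. The endpoint path /manag/, the JSON-RPC framing, and the placeholder method and parameter names in the main block are assumptions; take the real method and its parameters from the Manager API reference for your WebADM version. TLS verification is pinned to the WebADM CA certificate, which the PKI tab lets you download, rather than the system trust store.

```python
"""Send a SelfReg request through the WebADM Manager API over JSON-RPC.

Added example; this is not RCDevs code. Assumptions that are not on the
page: the Manager API endpoint path (/manag/), JSON-RPC 2.0 framing with
HTTP Basic authentication as a super_admin, and the placeholder method and
parameter names used in the main block.
"""
import base64
import json
import ssl
import urllib.request


def build_request(method: str, params: dict, req_id: int = 1) -> bytes:
    """Encode one JSON-RPC 2.0 call as the HTTP request body."""
    envelope = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    return json.dumps(envelope).encode("utf-8")


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential for the Manager API (only ever send it over TLS)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_response(raw: bytes, expected_id: int = 1):
    """Validate a JSON-RPC 2.0 reply and return its result, or raise.

    A reply whose id differs from the request is rejected, and an error
    object is surfaced as an exception instead of being mistaken for success.
    """
    reply = json.loads(raw)
    if reply.get("jsonrpc") != "2.0" or reply.get("id") != expected_id:
        raise ValueError("malformed or mismatched JSON-RPC reply")
    if "error" in reply:
        err = reply["error"] or {}
        raise RuntimeError(f"Manager API error {err.get('code')}: {err.get('message')}")
    if "result" not in reply:
        raise ValueError("JSON-RPC reply carries neither result nor error")
    return reply["result"]


def call_manager_api(base_url, username, password, method, params, ca_file, req_id=1):
    """POST one call to <base_url>/manag/ (assumed path) and return the parsed result.

    ca_file is the WebADM CA certificate; verification is pinned to it.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/manag/",
        data=build_request(method, params, req_id),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": basic_auth_header(username, password),
        },
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_response(resp.read(), req_id)


if __name__ == "__main__":
    # Placeholder method and parameter names (assumption, not from the page):
    # substitute the ones documented for your WebADM Manager API version.
    result = call_manager_api(
        "https://webadm_server_address", "cn=admin,o=root", "secret",
        method="SelfReg_Send_Request",                                   # placeholder
        params={"dn": "cn=alice,ou=users,o=root", "delivery": "MAIL"},  # placeholder
        ca_file="/path/to/webadm_ca.crt",
    )
    print("Manager API result:", result)
```

The reply check is the part worth keeping: a JSON-RPC error object can come back inside an HTTP 200 response, so a client that only tests the HTTP status would report a request as sent when the server refused it.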
Access the Self-Registration Portal
Once the Self-Registration request has been received, click on the link in the email to access the portal.
Token Enrollment (OTP)
By navigating to the OTP tab, users can customize their authentication settings (if allowed in the application configuration) and manage token registrations.
Select the token slot where you want to register a token if multiple slots have been allowed in the SelfReg configuration. Click the dropdown list next to the View My option to choose the desired slot. Here, the primary token slot is selected.
Click the Register Token button to begin the token registration process.
On the hardware token registration screen, enter the token serial number and generate an OTP with the hardware token. Provide the generated OTP and click the Register button. If the serial number and OTP are valid, the hardware token is registered.
On the Yubikey registration screen, press the Yubikey to complete the enrollment. The Yubikey must be inventoried or registered with YubiCloud (Yubico Validation Servers). If you are using a Yubikey registered with YubiCloud, ensure that the YubiCloud configuration is properly set up in the OpenOTP configuration.
On the Software Token registration screen, scan the QR code using an authenticator application like OpenOTP Token or Google Authenticator. If the Push mechanism feature is enabled in the OpenOTP configuration, it can only be used with the OpenOTP Token application. In Push enrollment mode, you do not need to provide an OTP. In non-push mode, you must enter the OTP and click Register to complete the registration.
FIDO & Passkeys enrollments (FIDO)
From the FIDO tab, you can register your FIDO keys or Passkeys.
Choose an empty slot and click Register to begin the registration process. On the following screen, plug the FIDO device you want to register into your computer and click the blinking red message.
If multiple FIDO devices or Passkeys are available, you will then be prompted to choose the one you want to register; the security key option is selected in the screenshots below. The steps and screens displayed may vary depending on the web browser used for the registration.
In the screens below, the FIDO key has been detected, and access to the key is protected by a PIN that has already been configured. Refer to your security key provider's documentation to set up PIN or biometric protection.
Enter the configured PIN to unlock the key:
After pressing the key, the FIDO device is enrolled and can be used to log in on systems requiring FIDO authentication.
Press Ok to return to the FIDO tab. You can test whether the key is working correctly by clicking the Test FIDO login button. The key is detected by the web browser and blinks, asking for the PIN. Provide the PIN and press the security key to complete the authentication test.
OTP List enrollment
If you have enabled the option for end users to register an OTP List, the OTP List tab is available. Click on this tab to view any registered OTP Lists or to initialize a new one.
After clicking the Initialize OTP List button, you are redirected to an intermediary screen where you need to click the Register button to proceed.
A registration confirmation message then appears, indicating that the OTP list has been initialized successfully.
Click OK to be redirected to the generated OTP list. You can download or print the list for your records. Once done, press OK again to exit the screen.
Once an OTP List is registered, you can access it again later from the User Self-Service Desk application (SelfDesk), remove it, or rebuild it once all OTPs from the list have been used.
SSH Key enrollment for Spankey usage (SSH)
From the SSH tab, you can manage your SSH key(s) for use with Spankey. The following actions are possible:
- Generate a new SSH key
- Register a FIDO key as an SSH key
- Register a PIV key as an SSH key
- Import an existing SSH key (public key)
- Remove a currently registered SSH key
The available actions on the portal depend on what has been permitted in the SelfReg configuration.
Click on the Generate SSH Key button to start the SSH key registration process:
You will be redirected to the following intermediary page, where you have to click the Register button:
Once the key is successfully generated, you will be redirected to a screen where you can download the private key in PuTTY or OpenSSH format. Choose your preferred export format, configure an export password if desired (and if not enforced at the configuration level), and press the Download Private Key button. The export password protects the downloaded key file at rest; set one unless the Key Password Length setting already enforces it.
Once your private key is downloaded, click the Ok button. You will then see the public part of the key registered on your user account.
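The key the portal generates is handed over as a private key file while the public part stays on the account, so it is worth checking that the two belong together before relying on them for Spankey logins. The following Python script is an added example (not RCDevs or Spankey code) that compares the SHA256 fingerprint of the registered public key line with the public key blob embedded in an OpenSSH-format private key, the same fingerprint that ssh-keygen -lf prints. It handles only the standard formats (an OpenSSH public key line and an unencrypted openssh-key-v1 private key) and refuses an encrypted key, so remove the export password on a copy first (ssh-keygen -p) if you set one. The constructed_sample() data is synthetic container-format test data with dummy key bytes, not real key material.

```python
"""Check that a downloaded OpenSSH private key matches the public key that
SelfReg shows as registered on the account.

Added example, not RCDevs or Spankey code. Only the unencrypted
'openssh-key-v1' container and the one-line public key format are parsed.
"""
import base64
import hashlib
import struct


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen notation (base64 without '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def public_key_blob(pub_line: str) -> bytes:
    """Return the wire-format blob from an 'ssh-ed25519 AAAA... comment' line."""
    parts = pub_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire 'string' (uint32 length + bytes); return (value, new offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def private_key_public_blobs(priv_pem: str) -> list:
    """Extract the public key blob(s) stored in an openssh-key-v1 private key."""
    lines = [ln.strip() for ln in priv_pem.strip().splitlines()]
    if (lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----"
            or lines[-1] != "-----END OPENSSH PRIVATE KEY-----"):
        raise ValueError("not an OpenSSH private key")
    raw = base64.b64decode("".join(lines[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(magic)
    cipher, off = _read_string(raw, off)
    kdf, off = _read_string(raw, off)
    _kdf_options, off = _read_string(raw, off)
    if cipher != b"none" or kdf != b"none":
        raise ValueError("private key is encrypted; decrypt a copy first")
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    off += 4
    blobs = []
    for _ in range(nkeys):          # the public blobs precede the encrypted/private part
        blob, off = _read_string(raw, off)
        blobs.append(blob)
    return blobs


def key_pair_matches(pub_line: str, priv_pem: str) -> bool:
    """True when the registered public key is the one embedded in the private key."""
    want = fingerprint(public_key_blob(pub_line))
    return any(fingerprint(b) == want for b in private_key_public_blobs(priv_pem))


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def constructed_sample(seed: int = 1):
    """Constructed test data: an ed25519-shaped blob with dummy bytes (not a real key)."""
    pubkey = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey)
    pub_line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " user@selfreg"
    private_section = _ssh_string(b"\x00" * 64)   # placeholder, never parsed here
    raw = (b"openssh-key-v1\x00" + _ssh_string(b"none") + _ssh_string(b"none")
           + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(blob) + private_section)
    b64 = base64.b64encode(raw).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    priv_pem = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
                + "\n-----END OPENSSH PRIVATE KEY-----\n")
    return pub_line, priv_pem


if __name__ == "__main__":
    pub, priv = constructed_sample()
    print(fingerprint(public_key_blob(pub)), key_pair_matches(pub, priv))
```

With a real key, pass the line shown in the SSH tab as pub_line and the downloaded file's contents as priv_pem; a False result means the file on disk is not the key the account trusts.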
SSL Certificates (PKI)
From the PKI tab, users can:
- Issue an SSL certificate (user certificate);
- Download the WebADM CA certificate.
Click on the Add New Certificate button.
The certificate has been issued successfully, and a password has been generated automatically to protect the certificate bundle. Copy the password and click the Download button. Click Ok to return to the PKI menu.
You can remove or renew the certificate by clicking the trash or renew icons. To download the public part of the certificate, click the Download icon. The private key of a registered certificate cannot be downloaded again, so keep the bundle and its password safe.
Application Password (App Keys)
If you enabled App Keys registration, the tab appears in the portal only if a WebADM Client Policy is configured with the Application Passwords MFA Authentication server (OpenOTP) setting. Click on Initialize Passwords to generate application passwords.
On the next screen, click on the Initialize button.
A confirmation message appears if the App Keys are initialized successfully.
Below are the registered App Keys, usable only for the Mail client policy.