Overview

The User Self-Registration (SelfReg) application is a web application provided by RCDevs that is installed on the WebADM server. This application allows users to manage their OTP/FIDO2 tokens, SSH keys, application passwords (App Keys), and certificate enrollments.

The SelfReg application is similar to the User Self-Service Desk, with one key difference: the User Self-Registration can only be accessed through a request from a WebADM or Helpdesk Administrator. To grant access, the Administrator sends a Self-Registration request to the user, who then receives a one-time link to access the application. Once the user logs in, the access link is revoked, and the user cannot use it again. The links can be provided to end-users by Mail or by SMS. An SMTP/SMS gateway must be configured in order to deliver the One Time access link to the end-user.

To use SelfReg, the LDAP user must be a licensed WebADM account.

The installation of SelfReg is straightforward and involves either running the self-installer or installing the package from the RCDevs repositories. It is also included in the webadm_all_in_one package.

After installation, you need to register and configure the application in WebADM. There is no need to modify any files in the SelfReg installation directory, as all web application configurations are managed and stored in LDAP by WebADM.

URL example when a user accesses the application through the WebADM server:
https://webadm_server_address/webapps/selfreg/

URL example when a user accesses the application through the WAProxy:
https://waproxy_ip/selfreg/

Installation

The User Self-Registration application can be installed using our package repositories or through a self-installer.

Install with Redhat Repository

On a RedHat, CentOS or Fedora system, you can use the RCDevs repository.
Clean dnf cache and install the User Self-Registration (SelfReg):

dnf clean all
dnf install selfreg

The User Self-Registration application is now installed.

Install with Debian Repository

On a Debian or Ubuntu system, you can use the RCDevs repository:
Clean apt cache and install the User Self-Registration (SelfReg):

apt update
apt install selfreg

The User Self-Registration application is now installed.

Install Using the Self-Installer

The installation of the User Self-Registration application is very simple and is performed in less than 5 minutes. Just download the User Self-Registration self-installer package from the RCDevs website and put the installer file on your server. You can use WinSCP to copy the file to your server.
To install the User Self-Registration, log into the server with SSH and run the following commands:

gunzip selfreg-1.x.x.sh.gz
bash selfreg-1.x.x.sh

Webapp Integration

You can embed a Web app on your website in an HTML iFrame or Object.

Example

<object data="https://<webadm_addr>/webapps/selfreg?inline=1"></object>

SelfReg Configuration

Once the application is installed, you need to register it through the WebADM Administrator Portal.

To do this, log in to the WebADM GUI with a super_admin account. Click on the Applications tab, then, in the Categories box on the left, select Self-Service. You should see the User Self-Registration application listed there.

Click on the Register button to create the LDAP configuration object for the application. After registration, you can configure it by clicking the Configure button.

The first section contains the default Web Application Settings, similar to other web applications provided by RCDevs.

The User Self-Registration application is designed for secure access through WAProxy or a reverse proxy. By default, access is granted via a one-time link provided to the end user. Optionally, you can require the user’s LDAP password or a user certificate to access the application.

The second section of the configuration page includes the Allowed Features section, where you can control which features are available to end users. Enable the features based on your requirements to grant the appropriate access.

The OTP Token Management section defines the token methods that users can register.

The Default Token Type setting enforces a default view for the selected token type. For example, if QRCODE-TOTP is selected, when a user attempts to add a token, the focus will automatically be on QRCODE-TOTP. The user will need to click the back button in the self-service interface to select a different token type for registration.

The SSH Key Management section allows you to configure the types of SSH keys that end users can register for Spankey usage. Additionally, it includes a Key Password Length setting to enforce password protection for the keys.

The Mail/SMS Link section allows you to configure:

  • The Registration URL refers to the external web application URL or reverse proxy mapping. This URL will be included in the mail or SMS sent to the end user, depending on the chosen delivery mode. Since the application is published through WAProxy, the URL is https://iam.rcdevsdocs.com/selfreg/. The webapps/ segment is omitted when applications are accessed through WAProxy. If you use your own reverse proxy, you have the flexibility to configure URL redirection and rewriting as needed.

  • The Link Delivery Mode can be configured to:

    • Mail: Self-registration request is sent to user email address(es).
    • SMS: Self-registration request is sent to user mobile number(s).
    • MAILSMS: Self-registration request is sent via both email and SMS.
  • The Link Expiration Time sets the default time (in hours) after which the one-time link automatically expires.
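To make the one-time link lifecycle described in this section concrete, here is an added example (not RCDevs code) that models it in Python: a random token is generated per request, only its hash is stored server-side, the link expires after the configured number of hours, and it is revoked on first successful use. The query parameter names `user` and `key`, the class and function names, and the `mail`/`sms` channel labels are assumptions for illustration and do not correspond to SelfReg's actual link format.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Constructed model of a one-time self-registration link store (not RCDevs code).
# Assumptions: the link carries a random URL-safe token, only the SHA-256 digest
# of the token is stored, the link is valid for `expiration_hours` (mirrors the
# "Link Expiration Time" setting) and is revoked as soon as it is used once.


@dataclass
class PendingLink:
    username: str
    token_hash: str
    expires_at: float
    used: bool = False


class SelfRegLinkStore:
    # Delivery modes from the "Link Delivery Mode" setting, mapped to channels.
    _CHANNELS = {"MAIL": ["mail"], "SMS": ["sms"], "MAILSMS": ["mail", "sms"]}

    def __init__(self, registration_url: str, expiration_hours: int,
                 delivery_mode: str = "MAIL") -> None:
        mode = delivery_mode.upper()
        if mode not in self._CHANNELS:
            raise ValueError("delivery mode must be Mail, SMS or MAILSMS")
        self.registration_url = registration_url.rstrip("/") + "/"
        self.expiration_hours = expiration_hours
        self.delivery_mode = mode
        self._links: Dict[str, PendingLink] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> Tuple[str, List[str]]:
        """Create a fresh one-time link for `username`.

        Returns the URL to send and the channels it should go out on.
        Issuing a new link replaces any earlier pending link for the same user.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._links[username] = PendingLink(
            username=username,
            token_hash=self._digest(token),
            expires_at=now + self.expiration_hours * 3600,
        )
        # Hypothetical URL layout; SelfReg's real link format is not shown on this page.
        url = f"{self.registration_url}?user={quote(username, safe='')}&key={token}"
        return url, list(self._CHANNELS[self.delivery_mode])

    def redeem(self, username: str, token: str, now: Optional[float] = None) -> bool:
        """Validate a presented link; it is revoked after the first successful use."""
        now = time.time() if now is None else now
        link = self._links.get(username)
        if link is None or link.used:
            return False
        if now >= link.expires_at:
            del self._links[username]             # expired: discard, no retries
            return False
        if not secrets.compare_digest(link.token_hash, self._digest(token)):
            return False
        link.used = True                          # one-time: revoke on first success
        return True


if __name__ == "__main__":
    store = SelfRegLinkStore("https://iam.example.test/selfreg", 24, "MAILSMS")
    url, channels = store.issue("alice")
    print("send via", channels, ":", url)
    key = url.split("key=")[1]
    print("first use:", store.redeem("alice", key))    # True
    print("second use:", store.redeem("alice", key))   # False, link revoked
```

Storing only the digest means a read of the pending-link table does not yield usable links, and the constant-time comparison avoids leaking the token through timing. Replacing the pending link on each new request matches the documented behaviour that only the latest link sent to a user is valid.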

The Email & SMS Settings section allows you to configure:

  • Email Subject: Customize the subject line of emails sent to end users.
  • Secure Email: When enabled, emails are encrypted using the user certificate's public key for S/MIME purposes. If no certificate is available for the user, the system will fall back to unencrypted mode for that user.
  • SMS Message Type: Configure this setting as Normal or Flash. In Flash mode, SMS messages are not stored on the mobile phone.
The PKI Management section allows you to configure a user certificate validity period different from the default value set in rsignd.conf. If not configured, it will use the default value from rsignd.conf. You also have the option to let users specify Extended Key Usage (EKU) settings for S/MIME and Smartcard login for Windows.

In the Misc Settings section, you can configure a Support Email address and the Token Application Download URLs. To display redirection buttons, provide the URLs using the following syntax:

IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth

You can configure three or more application redirection buttons if needed by using the same syntax.

SelfReg Usage

Send a Self-Registration Request to a User

To send a self-registration request to a user, you can choose from several methods:

  • Automatic Sending: The system can automatically trigger and send registration links based on specified conditions. For example, if a user attempts to log in to a client system configured with OpenOTP, and the login mode is set to LDAP+OTP with the OTP Type configured as TOKEN, but the user does not have a registered token, the login attempt will fail. If the Send Self-Registration Links setting is enabled in the OpenOTP configuration, a self-registration link providing access to the SelfReg portal will be automatically sent to the user.

  • Manual Sending: Links can be manually sent through the WebADM Administrator or Help Desk portals.

From the WebADM Administrator portal, click on a licensed user account. In the Application Action box, click on User Self-Registration.

You will be redirected to the Self-Registration request form to prepare the request:

Configure the desired settings and click Send. A confirmation message will appear if the request is successfully sent.

  • API Integration: Use the WebADM Manager APIs to programmatically send self-registration links.

Access the Self-Registration Portal

Once the Self-Registration request has been received, click on the link in the email to access the portal.

Token Enrollment (OTP)

By navigating to the OTP tab, users can customize their authentication settings (if allowed in application configuration) and manage token registrations.

Select the token slot where you want to register a token, if multiple slots have been allowed in the SelfReg configuration. Click the dropdown list next to the View My option to choose the desired slot. Here, the primary token slot is selected.

Click the Register Token button to begin the token registration process.

On the hardware token registration screen, enter the token serial number and generate an OTP with the hardware token. Provide the generated OTP and click the Register button. If the serial number and OTP are valid, the hardware token will be successfully registered.

On the Yubikey registration screen, press the Yubikey to complete the enrollment. The Yubikey must be inventoried or registered with YubiCloud (Yubico Validation Servers). If you are using a Yubikey registered with YubiCloud, ensure that the YubiCloud configuration is properly set up in the OpenOTP configuration.

On the Software Token registration screen, scan the QR code using an authenticator application like OpenOTP Token or Google Authenticator. If the Push mechanism feature is enabled in the OpenOTP configuration, it can only be used with the OpenOTP Token application. In Push enrollment mode, you do not need to provide an OTP. In non-push mode, you must enter the OTP to complete the registration by clicking Register.

FIDO & Passkeys enrollments (FIDO)

From the FIDO tab, you can register your FIDO keys or Passkeys.

Choose an empty slot and click Register to begin the registration process. On the following screen, plug the FIDO device you want to register into your computer and click the blinking red message.

Once you click the red message, if multiple FIDO devices or Passkeys are available, you will be prompted to choose the one you want to register. Below, I selected the security key option. The steps and screens displayed may vary depending on the web browser used for the registration.

In the screens below, the FIDO key has been detected, and access to the key is protected by a PIN that has already been configured. Refer to your security key provider's documentation to set up PIN or biometric protections.

I enter the configured PIN to unlock the key:

After pressing the key, the FIDO device is enrolled and can be used to log in on systems requiring FIDO authentication.

Press Ok to return to the FIDO tab. You can test whether the key is working correctly by clicking the Test FIDO login button. The key will be detected by the web browser and will blink, asking for the PIN. Provide the PIN and press the security key to complete the authentication test.

OTP List enrollment

If you've enabled the option for end-users to register an OTP List, the OTP List tab will be available. Click on this tab to view any registered OTP Lists or to initialize a new OTP List.

After clicking the Initialize OTP List button, you will be redirected to an intermediary screen where you need to click the Register button to proceed.

A registration confirmation message will then appear, indicating that the OTP list has been successfully initialized.

Click OK to be redirected to the generated OTP list. You can choose to download or print the list for your records. Once done, press OK again to exit the screen.

Once an OTP List is registered, you can access it again later from the User Self-Service Desk application (SelfDesk), remove it, or rebuild it once all OTPs from the list have been used.

SSH Key enrollment for Spankey usage (SSH)

From the SSH tab, you can manage your SSH key(s) for use with Spankey. The following actions are possible:

  • Generate a new SSH key
  • Register a FIDO key as an SSH key
  • Register a PIV key as an SSH key
  • Import an existing SSH key (public key)
  • Remove a currently registered SSH key

The available actions on the portal depend on what has been permitted in the SelfReg configuration.

Click on Generate SSH Key button to start the SSH key registration process:

You will be redirected to the following intermediary page where you have to click the Register button:

Once the key is successfully generated, you will be redirected to a screen where you can download the private key in PuTTY or OpenSSH format. Choose your preferred export format, configure an export password if desired (and if not enforced at the configuration level), and press the Download Private Key button.

Once your private key is downloaded, click the Ok button. You will then see the public part of the key registered on your user account.

SSL Certificates (PKI)

From the PKI tab, users can:

  • Issue an SSL certificate (user certificate);
  • Download the WebADM CA certificate.

Click on Add New Certificate button.

The certificate has been issued successfully, and a password has been automatically added to protect the certificate bundle. Copy the password and click the Download button. Click Ok to return to the PKI menu.

You can remove or renew the certificate by clicking the trash or renew icons. To download the public part of the certificate, click the Download icon. The private key of a registered certificate cannot be re-downloaded.

Application Password (App Keys)

If you enabled the App Keys registration, the tab will appear in the portal only if a WebADM Client Policy is configured with the Application Passwords MFA Authentication server (OpenOTP) setting. Click on Initialize Passwords to generate application passwords.

On the next screen, click on Initialize button.

A confirmation message will appear if the App Keys are successfully initialized.

Below are the registered App Keys, usable only for the Mail client policy.
