LDAP+OTP

LDAP+OTP is a seamless two-factor authentication method where the LDAP password and the OTP (Soft OTP) code are combined into a single input field. It enhances security while optimizing the user experience.

What is LDAP+OTP?

LDAP+OTP profiles allow users to enter their LDAP password and OTP code together in a single prompt. This method simplifies the traditional two-step authentication flow into one step, improving usability.

How It Works

Password + OTP Input

Users enter their LDAP password and Soft OTP code combined in a single field:

Example:
If the LDAP password is MyPassword123 and the OTP code is 456789:

  • User enters: MyPassword123456789
  • The system automatically extracts the last 6 characters as the OTP
  • The first part is validated as the LDAP password, and the last part as the OTP code

Important Note

The OTP code must always be appended to the end of the password. The system interprets the last N characters (typically 6) as the OTP code.

SP Manual Login Form

LDAP+OTP Authentication Method

Profiles

LDAP+OTP profiles define how users will be authenticated and which OTP methods will be used.

Profile Configuration Fields

  • Profile Name: A descriptive name for the profile
  • Fallback Authentication Profiles: Select one or more authentication profiles (LDAP or Local) that will be used for initial credential verification.
    • Multiple profiles can be selected
    • Users receive the OTP via the method they are registered for

Initial Setup

Mobile App Enrollment:
Users must complete the initial enrollment process for at least one OTP method configured in the profile.

Policies

LDAP+OTP policies determine which users will be authenticated using which profile.

Policy Configuration Fields

  • LDAP+OTP Profile: The LDAP+OTP profile to be used
  • Authentication Profile: The LDAP/Local profile used to retrieve user attributes
    • This profile must also be defined inside the LDAP+OTP profile
    • Used to read LDAP attributes such as group, department, etc.
  • Attribute: The LDAP user attribute to match on
    • Common attributes: memberOf, department, title, mail
    • Custom LDAP attributes are also supported
  • Attribute Value: One or more values to match
    • Selectable from dropdown
    • Custom values can be entered
    • Supports wildcards (*) and regular expressions

Policy Behavior

Important
  • If No Policy Exists: All users are routed to the fallback profile
  • If Policies Exist: Only users matching a policy rule can authenticate using this profile
  • Priority Order: Policies are evaluated from top to bottom; the first matching policy is applied

Example Routing

You can route IT department users to SMS OTP, while routing Finance department users to Email OTP by creating separate policies.
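The two mechanisms this page describes, splitting the combined field into password and OTP (last N characters, N=6) and evaluating policies top to bottom with wildcard or regex attribute values, as an added Python illustration that is not the product's own code. The policy table, profile names and the rule that a value containing only '*' as a metacharacter is a wildcard while anything else is a regular expression are constructed assumptions.

```python
import hmac
import re

OTP_LENGTH = 6                      # the "last N characters"; 6 is the typical value
FALLBACK_PROFILE = "ldap-fallback"  # constructed profile name

# Constructed policy table, evaluated top to bottom; the first match wins.
POLICIES = [
    {"attribute": "department", "value": "IT", "profile": "sms-otp"},
    {"attribute": "department", "value": "Finance", "profile": "email-otp"},
    {"attribute": "memberOf", "value": "cn=vpn-*,ou=groups", "profile": "sms-otp"},  # wildcard
]

def split_credential(combined, otp_length=OTP_LENGTH):
    """Return (password, otp), or None if the input cannot hold both parts
    or the OTP suffix is not all digits."""
    if len(combined) <= otp_length:
        return None
    password, otp = combined[:-otp_length], combined[-otp_length:]
    return (password, otp) if otp.isdigit() else None

def verify(combined, expected_password, expected_otp):
    """True only when both the password part and the OTP part are correct."""
    parts = split_credential(combined)
    if parts is None:
        return False
    password, otp = parts
    # Constant-time compares, both always run, so the caller cannot tell which half failed.
    pw_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    otp_ok = hmac.compare_digest(otp.encode(), expected_otp.encode())
    return pw_ok and otp_ok

def to_regex(pattern):
    # Assumed rule: a value whose only metacharacter is '*' is a wildcard
    # (e.g. 'cn=vpn-*'); any other value is used as a regular expression.
    if re.fullmatch(r"[\w.=,\- *]*", pattern):
        return ".*".join(re.escape(p) for p in pattern.split("*"))
    return pattern

def route(user_attrs, policies=POLICIES):
    """Profile for a user's LDAP attributes (name -> list of values).
    No policies: fallback profile. Policies but no match: None (denied)."""
    if not policies:
        return FALLBACK_PROFILE
    for policy in policies:
        values = user_attrs.get(policy["attribute"], [])
        if any(re.fullmatch(to_regex(policy["value"]), v) for v in values):
            return policy["profile"]
    return None
```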

Advantages

  • User-Friendly: Two-factor authentication in a single step
  • Secure: LDAP password + dynamic OTP combination
  • Flexible: Supports multiple OTP methods
  • Compatible: Ideal for applications with a single password field