One-Time Password Authentication Developer Guide

In addition to the administration settings, you can develop various scripts to control the authentication process. The scripts are written in the JavaScript language.
All policy scripts are developed in the Policy Script Administration Console at http(s)://<host>:<port>/ssoadmin/scripts. They can then be executed from the One-Time Password Administration UI. Only the activated versions of enabled policy scripts of type Procedure are visible in the One-Time Password Administration UI. For more information, see Policy Scripts Implementation Guide.
Note

To create policy scripts in the Policy Script Administration Console, you need the RBA_POLICY_WRITE user management engine (UME) action or RBA_POLICY_ADMIN UME role assigned to your user. For more information, see Policy Scripts Installation Guide.

There are two ways of implementing policy scripts for OTP authentication: by creating policy scripts, and by reusing a policy script of type Library in another policy script.

Note

You can find example scripts in SAP Note 2225027 and in the tutorials of this guide.

Creating Policy Scripts

For the following scenarios you can develop a policy script in the Policy Script Administration Console and execute it from the One-Time Password Administration UI:

  • Controlling the authentication process for risk-based authentication

    You can develop a script that selects the authentication method at runtime according to various conditions. For example, you can require a second factor for users logging on from certain locations, but only one factor for users logging on from other locations.

  • Setting user permissions for context-based authorization

    With a simple script you can restrict user access to some functionality without changing the user authorization assignments. For example, you can deny this access when users authenticate from outside the corporate network, so that the functionality is available to them only while they are working from the corporate network.

  • Configuring logs and traces

    You can call methods for OTP logs and traces. For more information, see Policy Script Functions and Methods.

  • Calling OTP methods in your script functions

    In your script, you can call methods in the onInitialize(...), onFirstStageLogin(...), onSecondStageLogin(...), and other functions. For more information, see Policy Script Functions and Methods.

  • Configuring two-factor authentication to use passcodes sent using out-of-band methods

    You can develop scripts for the passcode to be sent via SMS, e-mail or other non-standard methods. For more information, see Develop a Script for Risk-Based Authentication.

  • Configuring validation of a passcode generated by a third-party passcode provider

    You can develop a policy script that checks whether a passcode is valid or not. For more information, see Develop a Script for External Passcode Validation.

  • Using the policy script for an application

    You can control the authentication for a specific policy configuration (application) by developing a policy script. In this case, you have to specify the policy script for the Policy option of TOTPLoginModule.

Reusing Policy Scripts

  • You can call a Library policy script in another policy script of type Procedure with the include directive. For more information, see Reusing Policy Scripts.

    Example

    After creating a mail policy script in the Policy Script Administration Console at http(s)://<host>:<port>/ssoadmin/scripts, you can use the following:

    #include "mail";
    ...

More Information