One-Time Password Login Module Options

All of these options are optional. Some of them are also configurable in the One-Time Password Administration UI. When you declare options for TOTPLoginModule in SAP NetWeaver Administrator, they override the central settings made in the One-Time Password Administration UI. This can be necessary when you need custom options for a specific policy configuration (application). If an option is not set explicitly as a login module option, TOTPLoginModule uses the default value.

TOTPLoginModule Options (Name / Value / Description)

mode

otp&pwd

When the mode is set to otp&pwd (otp and pwd), two-factor authentication is required. You use two login modules to authenticate the user:

  • TOTPLoginModule to authenticate the user with a user name and a passcode.
  • Another login module to authenticate the user with credentials other than the passcode.

    For this reason, the tfa.first.factor.login.module option is taken into account.

Note

If mode is not set explicitly in SAP NetWeaver Administrator, TOTPLoginModule behaves as in otp&pwd mode.

otp

If the mode is set to otp, single-factor authentication is required. You use the TOTPLoginModule to authenticate the user with a user name and a passcode.

otp|pwd

If the mode is set to otp|pwd (otp or pwd), single-factor authentication is required. You can use either the TOTPLoginModule to authenticate the user with a user name and a passcode, or another login module to authenticate the user with credentials other than the passcode. In otp|pwd mode, it is sufficient if one of the login modules succeeds.

For this mode, you use the pwd.login.module.name option to specify the non-OTP login module.

Note

If the mode is set to otp|pwd, basic authentication is taken into account for the non-OTP factor.

policy

<name of policy>

This option is used for two-factor authentication, and its value must match the name of the policy script configured in the Policy Script Administration Console at http(s)://<host>:<port>/ssoadmin/scripts. For more information, see Policy Scripts Implementation Guide.

Note

The policy is executed when the tfa.policy.activated option is enabled.

UserMappingMode

LogonID

Specifies the user mapping mode. This tells the login module how to retrieve the user. The mapping property for this value is the logon ID.

Note

This is the default value.

Email

The mapping property is the user's e-mail address.

VirtualUser

The authenticated user is mapped to a virtual user. This means that the user does not have to exist in the UME database; instead, the user is created temporarily for the current session. For more information, see Two-Factor Authentication with Virtual Users.

tfa.enable.xsrf.protection

yes; no

Specifies if users receive a message when the system detects a potential XSRF attack.

log.http.headers

<string>

Specifies which HTTP headers are used and shown in the logs.

Note

If you specify multiple headers, define them in a comma-separated list.

One or a combination of the following headers is used by default:

Host, Referer, User-agent, Accept, Accept-Language, Connection, Cookie

The following options overwrite the settings in the One-Time Password Administration UI:

otp.allow.concatenated.password.and.passcode

yes; no

This option is not applicable for the OTP-related logon application. It specifies if a user can concatenate password and passcode in one field. For more information, see Configuring an OTP-Related Logon Application.

Note

The option is disabled by default.

otp.passcode.separator

<string>

Specifies the required separator if the password and passcode are entered in one field.

Note

This option is used if otp.allow.concatenated.password.and.passcode is enabled.

otp.remember.client

yes; no

Specifies if a persistent cookie is issued for single-factor authentication.

otp.cookie.expiry

<integer between 1 and 365>

Validity in days of the persistent cookie used for single-factor authentication.

otp.cookie.http_only

yes; no

The cookie cannot be accessed by client-side scripts in the browser.

This option is used for single-factor authentication.

otp.cookie.secure

yes; no

The cookie is sent to the browser only if the HTTPS scheme is used for secure connections.

This option is used for single-factor authentication.

otp.login.consecutive.passcodes.enforced

yes; no

Specifies whether two passcodes are required for single-factor authentication.

otp.require.user.confirmation

yes; no

Specifies if user confirmation is required for automatic logon.

tfa.passcode.via.sms

yes; no

Specifies if the passcode is sent via SMS in two-factor authentication.

Note

All SMS options are applicable only when this option is enabled.

sms.destination

<name of destination>

Configure this property if you set the passcode to be sent via SMS. For more information, see Configuring Authentication with a Random Passcode Sent by SMS, E-Mail, or Another Channel.

sms.max.failed.attempts

<positive integer>

The maximum number of failed logon attempts with a passcode sent via SMS.

sms.message.text

<string>

Text for the SMS message that has to include the [passcode] placeholder.

Recommendation

Use Latin alphanumeric characters. Some mobile devices do not support all alphabets.

sms.quota

yes; no

Specifies if SMS quota is enabled.

sms.quota.overall

<positive integer>

Number of SMS messages allowed for all users within the last 24 hours.

Applicable if SMS quota is enabled.

sms.quota.per.user

<positive integer>

Number of SMS messages allowed per user within the last 24 hours.

Applicable if SMS quota is enabled.
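As an added illustration (not SAP's code), the following Python model shows how the sms.quota, sms.quota.overall and sms.quota.per.user options described above would be enforced together as a rolling 24-hour window. The page does not state how the window is measured or whether a refused request counts against the quota; this example assumes a rolling window from the current request and that a refused request consumes no quota.

```python
# Added example (not SAP code): a rolling 24-hour model of the sms.quota,
# sms.quota.overall and sms.quota.per.user options. Assumptions not on the page:
# the window is a rolling 24 hours from the current request, and a request that
# would exceed either limit is refused without consuming quota.
from collections import deque
from typing import Deque, Dict, Tuple

WINDOW_SECONDS = 24 * 60 * 60


class SmsQuota:
    def __init__(self, enabled: bool, overall: int, per_user: int) -> None:
        self.enabled = enabled          # sms.quota
        self.overall = overall          # sms.quota.overall
        self.per_user = per_user        # sms.quota.per.user
        self._sent: Deque[Tuple[float, str]] = deque()  # (timestamp, user), oldest first

    def _expire(self, now: float) -> None:
        """Drop sends that fell out of the 24-hour window."""
        while self._sent and now - self._sent[0][0] >= WINDOW_SECONDS:
            self._sent.popleft()

    def counts(self, now: float) -> Tuple[int, Dict[str, int]]:
        """Return (overall count, per-user counts) inside the current window."""
        self._expire(now)
        per_user: Dict[str, int] = {}
        for _, user in self._sent:
            per_user[user] = per_user.get(user, 0) + 1
        return len(self._sent), per_user

    def try_send(self, user: str, now: float) -> bool:
        """Record one SMS passcode for user if quota allows; return whether it may be sent."""
        if not self.enabled:
            return True  # sms.quota disabled: no limit is applied
        total, per_user = self.counts(now)
        if total >= self.overall or per_user.get(user, 0) >= self.per_user:
            return False  # overall or per-user limit reached within the window
        self._sent.append((now, user))
        return True
```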

sms.send.group

<string>

SMS messages are sent to the members of the specified group.

sms.token.length

<integer between 6 and 20>

Length of passcodes sent via SMS.

sms.token.validity

<positive integer>

Validity of passcodes sent via SMS.

sms.ume.attribute.for.number

<string>

UME attribute for a mobile number. Use this property to define from which UME attribute the application takes the mobile number for the SMS.

Note

The default value is mobile.

tfa.first.factor.login.module

<login module>[,<optional login module 1>,<optional login module 2>, …]

The tfa.first.factor.login.module option is used for otp&pwd and otp modes.

The value of this option is the display name of the login module that authenticates the user with credentials other than the passcode. You can specify multiple login modules, separated by commas. If you specify multiple login modules, they are evaluated in the order of their occurrence until one of them succeeds. If none of the login modules succeeds, the first authentication factor fails.

Example:

Set the tfa.first.factor.login.module option to SPNegoLoginModule,ClientCertLoginModule,BasicPasswordLoginModule.

Depending on their working environment, the users authenticate as follows:
  • When the users are working from the corporate network, they log in with the SPNegoLoginModule login module as the first factor.
  • When the users are working from outside the corporate network (for example, at a customer visit), but on a corporate mobile device with an X.509 certificate, they authenticate via ClientCertLoginModule as the first factor.
  • When the users are at home, working on their private mobile devices, they log in with their user name and password as the first factor.

You can configure the available login modules in SAP NetWeaver Administrator at http(s)://<host>:<port>/nwa under Configuration > Authentication and Single Sign-On > Authentication > Login Modules. For more information, see Login Modules.

Some of the supported login modules are as follows:

  • BasicPasswordLoginModule

    When you log on with a password, the value of the option has to be BasicPasswordLoginModule. For more information about basic authentication, see Basic Authentication (User ID and Password).

  • ClientCertLoginModule

    When you log on with a certificate, the value of the option has to be ClientCertLoginModule. For more information about certificate authentication, see X.509 Client Certificates.

  • SPNegoLoginModule

    When you log on with a Kerberos token, the value of the option has to be SPNegoLoginModule. For more information about Kerberos authentication, see Using Kerberos Authentication.

  • EvaluateTicketLoginModule

    Use this login module for SAML 2.0 authentication. For more information about the login module, see Configuring the AS Java to Accept Logon Tickets.

    You also need to grant a new keystore permission with a SAML2 keystore view for the relevant domain in SAP NetWeaver Administrator. For this setting, navigate to Certificates and Keys: Key Storage > Key Storage tab > Security > Permissions per Domain tab and choose Modify. For more information, see Using the AS Java Key Storage.

  • SAML2LoginModule

    Performs user authentication using the SAML assertions. For more information about configuring the use of this login module, see Configuring AS Java as a Service Provider.

    You also need to grant a new keystore permission with a SAML2 keystore view for the relevant domain in SAP NetWeaver Administrator. For this setting, navigate to Certificates and Keys: Key Storage > Key Storage tab > Security > Permissions per Domain tab and choose Modify. For more information, see Using the AS Java Key Storage.

  • <name of third-party login module>

    You can use a third-party login module as a factor for OTP authentication. For more information, see Integrating Third-Party Login Modules.

<login module>.<login module option>

<value of login module option>

Once you have set up the first factor login module or modules, you can set up the corresponding login module options.

For example, you can define the following first factor login modules and login module options:
  • Set the tfa.first.factor.login.module option to SPNegoLoginModule,ClientCertLoginModule,BasicPasswordLoginModule.
  • Set the BasicPasswordLoginModule.UserMappingMode option to Email.
  • Set the ClientCertLoginModule.Rule1.getUserFrom option to subjectName.
  • Set the ClientCertLoginModule.Rule1.AttributeName option to CN.

For more information, see Using Rules for User Mapping in Basic Password Login Module, Using Rules for User Mapping in Client Certificate Login Module and Integrating Third-Party Login Modules.
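As an added illustration (not SAP's code), the following Python model shows how the mode option, the tfa.first.factor.login.module chain, and the otp.allow.concatenated.password.and.passcode / otp.passcode.separator options described above combine in one logon evaluation. It assumes that a login module can be modelled as a callable returning success or failure, that the separator is split from the right so a password may itself contain it, that a missing separator fails the logon when concatenation is enabled, and that in otp|pwd mode the chain holds the single module named by pwd.login.module.name; the sample modules and the passcode check are constructed.

```python
# Added example (not SAP code): a model of how the TOTPLoginModule options combine.
# Assumptions not on the page: a login module is a callable (user, credential) -> bool;
# the separator is split from the right so a password may itself contain it; a missing
# separator fails the logon when concatenation is on; for otp|pwd the chain holds the
# single module named by pwd.login.module.name.
from typing import Callable, Dict, List, Optional, Tuple

LoginModule = Callable[[str, str], bool]


def split_concatenated(field: str, allow_concat: bool, separator: str) -> Tuple[Optional[str], str]:
    """Split one logon field into (password, passcode).
    Concatenation off: the whole field is the passcode. On: otp.passcode.separator
    must be present and the passcode is the part after its last occurrence."""
    if not allow_concat:
        return None, field
    if separator not in field:
        raise ValueError("otp.passcode.separator missing from concatenated field")
    password, passcode = field.rsplit(separator, 1)
    return password, passcode


def first_factor(chain: List[str], modules: Dict[str, LoginModule], user: str, cred: str) -> Optional[str]:
    """Evaluate tfa.first.factor.login.module entries in order; return the first that succeeds."""
    for name in chain:
        if modules[name](user, cred):
            return name
    return None  # none succeeded: the first authentication factor fails


def authenticate(mode: Optional[str], chain: List[str], modules: Dict[str, LoginModule],
                 user: str, password: Optional[str], passcode: str, totp_ok: LoginModule) -> bool:
    """Combine the passcode factor with the first factor according to the mode option."""
    mode = mode or "otp&pwd"  # mode not set explicitly behaves like otp&pwd
    otp_ok = totp_ok(user, passcode)
    if mode == "otp":
        return otp_ok
    pwd_ok = first_factor(chain, modules, user, password or "") is not None
    if mode == "otp&pwd":
        return otp_ok and pwd_ok
    if mode == "otp|pwd":
        return otp_ok or pwd_ok
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample environment: only the password module can succeed here.
SAMPLE_MODULES: Dict[str, LoginModule] = {
    "SPNegoLoginModule": lambda user, cred: False,      # no Kerberos token presented
    "ClientCertLoginModule": lambda user, cred: False,  # no X.509 certificate presented
    "BasicPasswordLoginModule": lambda user, cred: user == "alice" and cred == "s3cret",
}
SAMPLE_CHAIN = ["SPNegoLoginModule", "ClientCertLoginModule", "BasicPasswordLoginModule"]
SAMPLE_TOTP = lambda user, passcode: user == "alice" and passcode == "123456"  # constructed stand-in
```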

tfa.remember.client

yes; no

Specifies if a persistent cookie is created for two-factor authentication.

tfa.cookie.expiry

<integer between 1 and 365>

Validity of persistent cookie for two-factor authentication.

tfa.cookie.http_only

yes; no

The cookie cannot be accessed by client-side scripts in the browser.

This option is used for two-factor authentication.

tfa.cookie.secure

yes; no

The cookie is sent to the browser only if the HTTPS scheme is used for secure connections.

This option is used for two-factor authentication.

tfa.accept.client.cookie

yes; no

This option is used for a policy script and specifies if an application can accept a persistent client cookie.

tfa.issue.client.cookie

yes; no

This option is used for a policy script and specifies if a persistent client cookie can be issued.

tfa.issue.client.cookie.require.consent

yes; no

Equivalent to the Require User Consent option in the One-Time Password Administration UI. Specifies if the Trust this computer or Trust this device checkbox is available for two-factor authentication. If a user selects the checkbox, he or she logs on with a single factor next time.

tfa.policy.activated

yes; no

Specifies if the application can use a policy script.

Note

This option is disabled by default.

otp.use.external.passcode.validation

yes; no

Enable this option when users log on with passcodes generated by a third-party passcode provider. The option specifies whether the application validates such external passcodes.

Note

This option is disabled by default.