8.3 Configuring OAuth2 Event in Advanced Authentication Server Appliance for Power External Users

External users can connect to Filr through multi-factor authentication. A new SQL repository is configured with the table that holds a power external user’s details, such as email address and phone number.

To create the SQL repository:

  1. Log into the Advanced Authentication Administrative Portal as follows:

    https://advanced_authentication_dns_name_or_IP_Address/admin/repositories
  2. Enter the following details to add a new SQL repository.

    Table 8-1 AAF Repository page

    Field, Option, or Button    Information and/or Action
    Name                        Enter the name of the repository. For example, “External DB”.
    Database Type               For a small deployment, select PostgreSQL. For a large deployment, select the configured database type.
    DB host                     Enter the IP address of the database. For a small deployment, enter the IP address of the Filr appliance.
    DB name                     Enter the name of the database.
    DB user                     Enter the name of the database user.
    Password                    Enter the database password.
    Table or view name          Enter the table name as “ss_principals”.
    User’s id column            For PostgreSQL and MySQL, enter “id”.
                                For MSSQL, enter “emailaddress”.
    User’s id type              For PostgreSQL and MySQL, select “Integer”.
                                For MSSQL, select “String”.
    User’s name column          Enter “emailaddress”.
    User’s name type column     Select “String”.
    User’s phone column         Enter “phone”.
    User’s email column         Enter “emailaddress”.

    NOTE: If the AA server is unable to connect to the Filr small deployment server, run

    # sh /opt/novell/filr_config/pgRemoteAccess.sh <AA_ip_address/nw_mask>

    If no IP address is specified, access is enabled for all servers (0.0.0.0/0). Specify the address of the Advanced Authentication server so that the Filr database is not opened to every host.
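    Because the script opens PostgreSQL to every host when the argument is omitted, it is worth checking the argument before the script is run. The following pre-flight check is an added example, not part of the Filr documentation or product: it classifies the `<AA_ip_address/nw_mask>` value and builds the documented command line, but deliberately does not execute the script. The thresholds for what counts as “broad” (/24 for IPv4, /64 for IPv6) are an assumption of this example, not a product rule.

```python
"""Pre-flight check for the pgRemoteAccess.sh argument (added example)."""
import ipaddress
import shlex
from typing import Optional

# Script path as given in the Filr documentation.
SCRIPT = "/opt/novell/filr_config/pgRemoteAccess.sh"


def classify_aa_network(arg: Optional[str]) -> str:
    """Return 'reject', 'broad' or 'ok' for a pgRemoteAccess.sh argument.

    reject: empty argument, unparsable value, or a /0 network (0.0.0.0/0 or
            ::/0), which is exactly what the script defaults to and opens the
            database to every host.
    broad:  a network wider than /24 (IPv4) or /64 (IPv6); usually far more
            than the single Advanced Authentication server needs.
            (Threshold is an assumption of this example.)
    ok:     a single host (/32 or /128) or a small subnet.
    """
    if arg is None or not arg.strip():
        return "reject"  # omitted argument means 0.0.0.0/0
    try:
        # strict=False normalises host bits, e.g. 10.1.2.3/24 -> 10.1.2.0/24;
        # a bare address is treated as a single host (/32 or /128).
        net = ipaddress.ip_network(arg.strip(), strict=False)
    except ValueError:
        return "reject"
    if net.prefixlen == 0:
        return "reject"
    limit = 24 if net.version == 4 else 64
    return "broad" if net.prefixlen < limit else "ok"


def build_command(arg: str) -> str:
    """Return the documented command line for an acceptable argument.

    Raises ValueError instead of producing a command that would open the
    database to all servers. A 'broad' network is allowed through but the
    caller should review it.
    """
    if classify_aa_network(arg) == "reject":
        raise ValueError(f"refusing to open PostgreSQL to {arg!r}")
    net = ipaddress.ip_network(arg.strip(), strict=False)
    return f"sh {SCRIPT} {shlex.quote(str(net))}"


if __name__ == "__main__":
    for candidate in ("10.20.30.40/32", "10.0.0.0/8", "0.0.0.0/0", ""):
        print(f"{candidate!r:>18}: {classify_aa_network(candidate)}")
    print(build_command("10.20.30.40/32"))
```

    Run the check with the address you intend to pass; only when it reports `ok` (or a reviewed `broad`) run the printed command on the Filr appliance.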

  3. In the Advanced Authentication Administrative Portal, go to:

    https://advanced_authentication_dns_name_or_IP_Address/admin/chains
  4. Configure an authentication method for Advanced Authentication.

    NOTE: The following methods have been tested with Filr.

    • SMS OTP

      The administrator must choose another authentication method along with SMS OTP. Because the Mobile Number field is optional in the self-registration form, external users who have not entered a mobile number, or have entered an incorrect one, cannot receive the SMS OTP and may be unable to log in to Filr.

    • Email OTP

    Other authentication methods that NetIQ Advanced Authentication supports with the OAuth2 event should also work, but they have not been explicitly tested. All users must be enrolled in the specific method at the Advanced Authentication Self-Service Portal; otherwise, the user is not allowed to log in to the Filr application.
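    Before an SMS OTP chain is enabled, it is useful to know which repository users it cannot reach. The following readiness check is an added example and not part of Filr or Advanced Authentication. It reads the three columns the repository is mapped to in Table 8-1 (`id`, `emailaddress` and `phone` in `ss_principals`) and lists users with a missing or non-dialable phone number, who would need another method in the chain. An in-memory SQLite database with constructed rows stands in for the Filr PostgreSQL/MySQL database so the example runs offline; the “dialable” rule (optional `+`, 7 to 15 digits) is an assumption of this example, since the SMS gateway configured in Advanced Authentication decides what it actually accepts.

```python
"""List repository users that SMS OTP cannot reach (added example)."""
import re
import sqlite3

# Columns named in Table 8-1. The rows are constructed for this example and
# SQLite stands in for the Filr database so the check runs offline.
SCHEMA = ("CREATE TABLE ss_principals "
          "(id INTEGER PRIMARY KEY, emailaddress TEXT, phone TEXT)")
SAMPLE_ROWS = [
    (1, "alice@example.com", "+15550100001"),
    (2, "bob@example.com", None),             # field never filled in
    (3, "carol@example.com", ""),             # field left blank
    (4, "dave@example.com", "call me"),       # not a dialable number
    (5, "erin@example.com", "+44 20 7946 0000"),
]

# Users whose row cannot carry an SMS OTP at all: NULL or blank phone.
# Against the real database, run this statement through your usual driver.
FIND_UNREACHABLE = """
SELECT id, emailaddress
FROM ss_principals
WHERE phone IS NULL OR TRIM(phone) = ''
ORDER BY id
"""

SELECT_WITH_PHONE = """
SELECT id, emailaddress, phone
FROM ss_principals
WHERE phone IS NOT NULL AND TRIM(phone) <> ''
ORDER BY id
"""

# Loose E.164-style rule (assumption of this example): optional '+' followed
# by 7 to 15 digits, after removing spaces, dashes, dots and parentheses.
_PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")


def looks_dialable(phone):
    """Return True when the stored value could plausibly receive an SMS."""
    if phone is None:
        return False
    compact = re.sub(r"[\s\-().]", "", phone)
    return bool(_PHONE_RE.match(compact))


def users_needing_alternate_method(conn):
    """Return sorted (id, emailaddress, reason) tuples for users SMS OTP cannot reach."""
    findings = [(uid, email, "no phone number")
                for uid, email in conn.execute(FIND_UNREACHABLE)]
    for uid, email, phone in conn.execute(SELECT_WITH_PHONE):
        if not looks_dialable(phone):
            findings.append((uid, email, f"phone not dialable: {phone!r}"))
    return sorted(findings)


def demo_connection():
    """Build the stand-in database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO ss_principals VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for uid, email, reason in users_needing_alternate_method(demo_connection()):
        print(f"{uid}\t{email}\t{reason}")
```

    Every user the check lists must either correct the phone number in the Self-Service Portal or be covered by another method (for example Email OTP) in the chain; otherwise that user cannot complete the chain and cannot log in to Filr.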

  5. Create an authentication chain that is a combination of all the authentication methods that users must pass for successful authentication.

  6. Configure OAuth2 type event.

    1. Specify a name for the event.

    2. Enable the event by changing Is enabled to ON.

    3. Select the OAuth2 event type. The client ID and client secret are generated automatically.

    4. Note down the client ID and client secret values. You must specify these values in the NetIQ Advanced Authentication page of the Filr Administration Console (Port 8443 Filr Admin Console > System > NetIQ Advanced Authentication). You can copy the values and paste them in the Filr Administration Console; handle the client secret as a credential. See NetIQ Advanced Authentication Configuration in the Filr 5.0: Administrative UI Reference.

    5. Select the chains that you want to assign to the event.

    6. In the Redirect URIs option, specify the following redirect URIs for redirection to the Filr page after successful authentication:

      • The URI of the Filr web page

      • The URI of the Filr client application

      You can copy the URIs from the Redirection URIs option on the NetIQ Advanced Authentication page of the Filr Administration Console (Port 8443 Filr Admin Console > System > NetIQ Advanced Authentication) and paste them here. See NetIQ Advanced Authentication Configuration in the Filr 5.0: Administrative UI Reference.

    7. Click Save.