Google Authentication
The admin can associate an end-user to a realm that has a secondary authentication server configured as TOTP authentication server.
For first-time registration through the web, perform the following steps:
For example: the admin associates an end-user, User1, with a user-realm that has the TOTP authentication-server configured as the secondary authentication-server.
When User1 logs in to the above configured user-realm for the first time:
1. After successful authentication with the primary authentication-server, User1 is shown the TOTP registration page.
2. User1 is given a TOTP registration key in text form/QR image form and 10 backup codes. The user saves the 10 backup codes in a safe place for use later during authentication when the end-user device (where the Google Authenticator app is installed) is not available (in an emergency).
3. User1 now opens the device where the Google Authenticator app is installed, then either scans the QR image or manually adds a new user (for example: GA-User1) by entering the secret registration key given above.
4. The Google Authenticator app (for GA-User1) generates a new 6-digit number, called a token, once every 30 seconds.
5. Enter the current token in the registration page. Click Sign In. On successful authentication with that token, User1 is taken to his/her home page.
For an already-registered user, perform the following steps:
1. The already-registered user (for example: User1), whose realm is associated with a secondary authentication server configured as a TOTP authentication server, accesses the PPS URL via the web (User1 has already registered the TOTP user in the Google Authenticator app).
2. After successful authentication with the primary authentication server, User1 is shown the TOTP Token entry page as seen in Figure 29.
3. User1 opens the Google Authenticator app that was installed on the mobile device (or PC) and enters the current token in the Authentication Code field.
4. If the mobile device is not available, the user can enter any of the unused backup codes instead.
5. On successful authentication with the token (or a backup code), User1 is taken to his/her home page.
6. A backup code can be used only once to successfully authenticate with the TOTP authentication server. Once used, the same backup code cannot be reused.
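The following is an added example, not code from the PPS documentation or product, showing what the TOTP server side of the flow above does: it generates the registration secret and otpauth URI that the QR image encodes, derives the 6-digit token for each 30-second step per RFC 6238 (HMAC-SHA1 over the time counter), verifies a submitted token with a small clock-skew window and a replay guard, and accepts each of the 10 backup codes exactly once. The `TotpAccount` class, the `enroll` function and the "PPS" issuer label are assumptions made for the illustration; the TOTP/HOTP arithmetic is the standard one and is checked against the RFC 6238 test vectors.

```python
"""Added example (not from the PPS documentation): a minimal RFC 6238 TOTP
verifier with single-use backup codes, mirroring the enrollment and login flow."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple
from urllib.parse import quote

PERIOD = 30         # seconds per token, as stated in the text
DIGITS = 6          # token length, as stated in the text
BACKUP_CODE_COUNT = 10


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, now // period, digits)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind Google Authenticator reads from the QR image."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


class TotpAccount:
    """Server-side record for one enrolled user (hypothetical structure)."""

    def __init__(self, secret_b32: str, backup_codes: List[str]):
        self.secret_b32 = secret_b32
        # Only hashes of the backup codes are kept; the plaintext is shown to the user once.
        self._backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}
        self._last_step = -1  # highest time step already accepted (replay guard)

    def verify(self, code: str, now: int, window: int = 1) -> Optional[str]:
        """Return "totp" or "backup" on success, None on failure.

        `window` tolerates +/- that many 30-second steps of clock skew between
        the authenticator device and the server.
        """
        secret = base64.b32decode(self.secret_b32.upper())
        step = now // PERIOD
        for candidate in range(step - window, step + window + 1):
            if candidate <= self._last_step:
                continue  # a token for an already-accepted step is a replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_step = candidate
                return "totp"
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._backup_hashes:
            self._backup_hashes.discard(digest)  # single use, as step 6 states
            return "backup"
        return None

    def backup_codes_left(self) -> int:
        return len(self._backup_hashes)


def enroll(account: str, issuer: str = "PPS") -> Tuple[TotpAccount, str, List[str]]:
    """Create a fresh 160-bit secret and 10 backup codes; returns (record, otpauth URI, codes)."""
    secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    codes = [secrets.token_hex(4) for _ in range(BACKUP_CODE_COUNT)]
    return TotpAccount(secret_b32, codes), provisioning_uri(secret_b32, account, issuer), codes


if __name__ == "__main__":
    record, uri, codes = enroll("User1")
    print("Registration key / QR payload:", uri)
    print("Backup codes (save them):", codes)
    now = int(time.time())
    token = totp(record.secret_b32, now)
    print("Current token:", token, "->", record.verify(token, now))
```

The replay guard (`_last_step`) is why a token intercepted during one login cannot be resubmitted within the same 30-second step, and hashing the backup codes means a leaked account record does not expose usable emergency codes.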