This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Getting SMS to work with SSPR 4.4

We are struggling with a SSPR 4.4.0.0 b306 r39665 test appliance with the perspective to replace our two password reset services presently in use. Unfortunately, we didn't find the documentation overly exhaustive.

One of our goals is to use SMS verification (exclusively) as method to allow users to reset their forgotten password. While after numerous trials and errors we've discovered a way to get SSPR to send SMS messages via our SMS gateway pressing the "Test SMS settings" button, we continue to be presented with a "5036 ERROR_TOKEN_MISSING_CONTACT (no available contact methods of type SMSONLY available)" error when actually trying to use the "forgotten password" module.

This holds, no matter whether we are using "@LDAP:customAttrSMS@" (successfully expanded to the user's SMS number when tested in the SSPR configuration editor) or "%TO%" (lacking precise information we are assuming "%TO%" gets populated from the attribute "telephoneNumber").

The configuration lines coming to my mind state

<setting key="recovery.verificationMethods" syntax="VERIFICATION_METHOD" profile="default" syntaxVersion="0" modifyTime="2020-03-03T14:29:20Z" modifyUser="default|cn=xxx">
<label>Verification Methods</label>
<value><![CDATA[{"methodSettings":{"PREVIOUS_AUTH":{"enabledState":"disabled"},"ATTRIBUTES":{"enabledState":"disabled"},"CHALLENGE_RESPONSES":{"enabledState":"disabled"},"TOKEN":{"enabledState":"required"},"OTP":{"enabledState":"disabled"},"REMOTE_RESPONSES":{"enabledState":"disabled"},"OAUTH":{"enabledState":"disabled"},"null":{"enabledState":"disabled"}},"minOptionalRequired":0}]]></value>
</setting>
<setting key="challenge.token.sendMethod" syntax="SELECT" profile="default" syntaxVersion="0" modifyTime="2020-02-26T11:32:19Z" modifyUser="default|cn=xxx">
<label>Token Send Method</label>
<value><![CDATA[SMSONLY]]></value>
</setting>

Since we are new to SSPR we may have overlooked some essential setting, but searching the available documentation didn't help so far. So any hints by more experienced SSPR users would be welcome.

Tags:

Parents
  • 0  

    There is section under settings for Tokens, I.e. Length, allowed characters, etc.

    There is a section for SMS which I think you have called out.

    There is a section in forgot password where you select SMS ONLY and I think you got that one.

    I think the token is saved in the directory in pwmOTP or the like.  And the user needs permissions to read theirs as well as the Proxy user needs permissions to write it.

  • 0 in reply to   

    Hmm, as far as I understood, the token is not stored in a directory attribute, if one sticks to the LocalDB as we do for the time being. Moreover, the error message stays the same, if we delete "%TOKEN%" from "Forgotten Password SMS Text" (checked out after reading your answer).

    We have succeeded in letting users update their profile data like "phoneNumber", "mail" and even customary attributes ment to store phone numbers used for receiving SMS messages. Users are stored in eDirectory and apparently SSPR can read and write those attributes.

    I still wonder, if the "%TO%" code is really populated from "phoneNumber" or if a different attribute might be used. "Test SMS Setting" does work with a "SMS request data" string containing an authorisation sequence required by our SMS gateway and the two codes "%TO%" and "%MESSAGE%". These two codes are obviously correctly substituted from the "Testing SMS connection" popup window asking for "to" and, well, "message". Even adding "...%TOKEN%..." to the message specified in the test popup works (though with an empty token string in the SMS message sent).

    Consulting /var/log/messages, even with file log level set to "6" didn't produce much more insight compared to the error message returned by the SSPR GUI. It's servlet.AbstractPwmServlet that throws a fatal 5036 "no available contact methods of type SMSONLY available" error, joined by http.PwmResponse.

    Axel

Reply
  • 0 in reply to   

    Hmm, as far as I understood, the token is not stored in a directory attribute, if one sticks to the LocalDB as we do for the time being. Moreover, the error message stays the same, if we delete "%TOKEN%" from "Forgotten Password SMS Text" (checked out after reading your answer).

    We have succeeded in letting users update their profile data like "phoneNumber", "mail" and even customary attributes ment to store phone numbers used for receiving SMS messages. Users are stored in eDirectory and apparently SSPR can read and write those attributes.

    I still wonder, if the "%TO%" code is really populated from "phoneNumber" or if a different attribute might be used. "Test SMS Setting" does work with a "SMS request data" string containing an authorisation sequence required by our SMS gateway and the two codes "%TO%" and "%MESSAGE%". These two codes are obviously correctly substituted from the "Testing SMS connection" popup window asking for "to" and, well, "message". Even adding "...%TOKEN%..." to the message specified in the test popup works (though with an empty token string in the SMS message sent).

    Consulting /var/log/messages, even with file log level set to "6" didn't produce much more insight compared to the error message returned by the SSPR GUI. It's servlet.AbstractPwmServlet that throws a fatal 5036 "no available contact methods of type SMSONLY available" error, joined by http.PwmResponse.

    Axel

Children
  • Verified Answer

    0   in reply to 

    There should also be a setting to define which attribute is used to send SMS based upon.  Good news, is try the search option in the config edtory, very helpful to find things by keyword.