*** ___TOM (~wtfnom@38.103.49.130) has joined #wikid | 01:16 | |
*** __TOM has quit (*.net *.split) | 01:26 | |
*** ___TOM has quit () | 02:13 | |
*** nowen (~nowen@adsl-98-66-180-42.asm.bellsouth.net) has joined #wikid | 12:27 | |
*** nowen has quit (Quit: Leaving.) | 13:26 | |
*** Mo (d8390e7c@gateway/web/freenode/ip.216.57.14.124) has joined #wikid | 15:10 | |
Mo | hello | 15:10 |
*** Mo is now known as Guest53722 | 15:11 | |
Guest53722 | Where's Nick? | 15:11 |
*** Guest53722 has quit (Client Quit) | 15:11 | |
*** nowen (~nowen@adsl-98-66-180-42.asm.bellsouth.net) has joined #wikid | 15:58 | |
*** nowen has quit (Ping timeout: 260 seconds) | 17:17 | |
*** nowen (~nowen@adsl-98-66-180-247.asm.bellsouth.net) has joined #wikid | 17:28 | |
*** nowen has quit (Quit: Leaving.) | 17:33 | |
*** nowen (~nowen@99.174.93.102) has joined #wikid | 18:15 | |
*** nowen1 (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 19:23 | |
*** nowen has quit (Read error: Connection reset by peer) | 19:23 | |
*** nowen1 has quit (Quit: Leaving.) | 19:34 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 19:57 | |
*** __TOM (~wtfnom@38.103.49.130) has joined #wikid | 20:32 | |
__TOM | Nick | 20:33 |
nowen | hi | 20:33 |
__TOM | how do I grant more than 1 token to a user ID? | 20:33 |
nowen | You'll need to use the API for that. have you looked at example.jsp? | 20:33 |
nowen | or ADRegister? | 20:33 |
__TOM | no, not yet in depth. I've seen random postings about it. do you by chance have a link i can review? | 20:34 |
nowen | you betcha ;) | 20:34 |
nowen | https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 20:34 |
nowen | can you edit a file on linux? | 20:35 |
nowen | also, the end of this page: https://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/installing-the-wikid-strong-authentication-server-enterprise-edition-page-5 | 20:35 |
__TOM | yes. i can edit a file on linux. | 20:37 |
nowen | ok - I'm never sure ;) | 20:37 |
__TOM | yikes | 20:38 |
nowen | ? | 20:38 |
__TOM | so like i'd have to train every helpdesk guy to do this | 20:38 |
nowen | no | 20:39 |
nowen | they don't have to edit the file, they just have to enter the reg code into the box. | 20:39 |
__TOM | yeah. | 20:39 |
nowen | you can create a script for them with only that one box | 20:39 |
__TOM | you're giving helpdesk a little too much credit. | 20:39 |
__TOM | they will be following a specific document telling them how to log into the wikid gui | 20:40 |
__TOM | and how to add a user to "wikid" | 20:40 |
nowen | you can also have the users add themselves: https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials | 20:40 |
__TOM | and now a portion to describe how to add a second token to a user. | 20:40 |
__TOM | i guess my question is, why was this prohibited in the gui? | 20:40 |
__TOM | e.g. adding two for 1 person? | 20:41 |
nowen | the script can have them add a user's first token and then a second | 20:41 |
nowen | it was a request from the customer for whom we created the API. they had security concerns. | 20:41 |
nowen | If you look at ADRegister, they basically login with AD creds, enter one reg code and then can enter another. can't get much easier | 20:46 |
nowen | would you want your helpdesk people to be WiKIDAdmins? | 20:46 |
__TOM | there is lot to be desired. | 20:51 |
nowen | what are you trying to do? | 20:52 |
__TOM | issue multiple tokens to 1 user. | 20:52 |
nowen | and you want the helpdesk to do it? | 20:53 |
__TOM | yes. | 20:53 |
__TOM | not the end user, but the helpdesk. | 20:53 |
nowen | does the helpdesk have access to the WiKIDAdmin? | 20:53 |
__TOM | they can, if its required. | 20:54 |
nowen | it is not | 20:54 |
__TOM | there's no RBAC built into the gui | 20:54 |
__TOM | so, how do you do it then? | 20:54 |
__TOM | https://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-can-i-test-if-the-server-is-working-correctly | 20:54 |
__TOM | ? | 20:54 |
nowen | https://www.wikidsystems.com/support/wikid-support-center/installation-how-tos/how-to-let-users-add-themselves-using-ad-credentials | 20:55 |
nowen | create a simple script that the helpdesk logs into with their AD creds or however you want to do it. There are two sections. "Add a new token" and "Add a second token". Each section has two boxes: username and regcode | 20:56 |
__TOM | wait a second. | 20:58 |
__TOM | I'm not using AD creds. | 20:58 |
nowen | you can use whatever you want. | 20:59 |
__TOM | so... the URL you gave me allows people to log into AD | 21:01 |
__TOM | I don't have any LDAP/AD setup | 21:01 |
nowen | what do you have? | 21:01 |
__TOM | nothing? | 21:01 |
nowen | do you want your helpdesk to not have to login? | 21:02 |
__TOM | oh no, i do want them to log in | 21:02 |
__TOM | right now, to date i have been using whatever local database of users wikid has through the gui | 21:02 |
nowen | well, if you keep the file in /opt/WiKID/tomcat/webapps/WiKIDAdmin, then that will do it | 21:03 |
nowen | so, you can just copy the example.jsp and comment out everything you don't want | 21:03 |
__TOM | but the example.jsp won't require them to log in, | 21:05 |
__TOM | right? | 21:05 |
nowen | it requires WiKIDAdmin credentials | 21:05 |
nowen | brb | 21:06 |
__TOM | i've entered in my localhost passphrase | 21:11 |
__TOM | yet it still states that my wclient connection was not successfully est | 21:11 |
nowen | you probably need to restart wikid. the jsp is cached | 21:12 |
__TOM | so which section would i need if a user called in, saying that they just added wikid, and they have a passphrase they want to submit to us. | 21:16 |
nowen | first time registration? | 21:17 |
__TOM | yes. | 21:17 |
__TOM | if i went into the admin page | 21:17 |
__TOM | i could just click on users | 21:17 |
__TOM | then manually add a user. | 21:17 |
__TOM | and then i'd see a list of devices. | 21:17 |
__TOM | with their SHA1 values. | 21:17 |
__TOM | i'd click on one of those and then add the username. | 21:18 |
nowen | hmm - the API can't list the reg codes | 21:21 |
__TOM | so the user would need to read off the reg code verbatim? | 21:21 |
nowen | yes | 21:21 |
__TOM | hmm... | 21:21 |
__TOM | that's sort of challenging in sorts. | 21:22 |
nowen | or we would need to add that to the api | 21:22 |
__TOM | "what's your passphrase?" "it's big X, little l, 3, big K, little f, 3, 3" | 21:22 |
__TOM | well.. just surprised none of your existing customers find this an issue. | 21:22 |
__TOM | is there a way to disable that security feature in the wikid admin page? | 21:22 |
__TOM | so i can add multiple devices to one username? | 21:23 |
nowen | we can put it on the list | 21:23 |
nowen | also, you can use pre-registration | 21:23 |
__TOM | okay...how'd that work? | 21:23 |
__TOM | some helpdesk guy goes to example.jsp | 21:24 |
__TOM | and... | 21:24 |
nowen | the helpdesk person creates a pre-registration code, enters it via the api and gives it to the user | 21:24 |
__TOM | and then the user, using an Iphone does what exactly with it? | 21:25 |
nowen | the user selects 'pre-register a domain' enters that code and their PIN twice | 21:25 |
nowen | but | 21:25 |
nowen | not supported on smart phone tokens | 21:25 |
__TOM | bummer. I'm only using smart phone tokens. | 21:25 |
nowen | how many users do you have? | 21:26 |
__TOM | 250? | 21:26 |
__TOM | roughly | 21:26 |
nowen | I think most of our customers try to get their users to register their own tokens using ADregister. then, they catch the exceptions. | 21:27 |
__TOM | I'm not using wikid in your traditional view that all your clients are using this as a password replacement tool. | 21:32 |
nowen | so, what's the best option? Add a 2nd token through the WiKIDAdmin? | 21:32 |
nowen | how are you using it? | 21:32 |
__TOM | most transparent for me is to have the capability to add multiple tokens through wikidadmin for 1 user. | 21:33 |
__TOM | and it would be great if there was a way to lock IT staff out to just that page. | 21:33 |
__TOM | but there's currently no role based authentication for that gui. | 21:33 |
nowen | no, and that's a big add | 21:34 |
__TOM | yeah, I'm sure it is. | 21:34 |
__TOM | again, I'm using this strictly as a two-factor solution | 21:34 |
__TOM | as a secondary factor | 21:34 |
__TOM | not to replace the primary factor. | 21:34 |
__TOM | user hits a portal | 21:34 |
__TOM | they need their user credentials still | 21:34 |
__TOM | and they need to then punch in an OTP that's provided by wikid. | 21:35 |
__TOM | to be quite honest, the more and more I think about it, and the more challenges I'm coming across, I really begin to wonder which market segment has a strong wikid presence. It's beginning to seem really misaligned for what I need, a two-factor solution for a financial corporate environment. | 21:37 |
__TOM | not a knock on wikid, but i know you mentioned you coded the API for one of your clients. | 21:37 |
nowen | yeah, one of our clients in the financial world. | 21:37 |
__TOM | and i'm sort of curious what kind of shop would do things the way you laid out. | 21:37 |
__TOM | i can see how that would happen. | 21:38 |
nowen | I would say about 1/2, but we don't track it. | 21:38 |
nowen | so, if you're only doing smart phones, how many users will have two? | 21:39 |
__TOM | 80% will have one, 10% will have 2 or 3 phones, and the last 10% will have upwards of 12 phones. | 21:39 |
nowen | you could also protect a page with the first token and have them reg the 2nd token there. | 21:40 |
__TOM | not having end users self register tokens at this time, though a novel idea. | 21:41 |
__TOM | by the way | 21:43 |
__TOM | do you have any financial references you can throw my way? | 21:43 |
__TOM | not that i would want to talk to them | 21:43 |
__TOM | but more in lines of who they are | 21:44 |
nowen | http://onlinebankingsolutions.com/ they oem. they are a corp banking software provider | 21:45 |
__TOM | no direct clients then? | 21:46 |
nowen | I'd have to look | 21:46 |
nowen | I feel like there was a hedge fund, but I don't know | 21:46 |
__TOM | okay. thanks... | 21:47 |
nowen | you know, does Canyon Partners scream hedge fund? | 21:47 |
__TOM | I'm with Canyon Partners. | 21:47 |
nowen | yeah, I know. but unless it's Julian Peterson or George Soros, I don't know | 21:48 |
nowen | we have a good number of customers I never talk to/chat with | 21:48 |
__TOM | they never call in, email, or irc for support? | 21:50 |
__TOM | that's pretty impressive. | 21:50 |
nowen | yeah, and I was bragging about how low our post support costs are, but then got hammered by one guy for like a week. | 21:50 |
__TOM | so i just tried your suggestion about pre-registration codes | 22:03 |
__TOM | but wait..you said that didn't work on mobile devices. | 22:03 |
__TOM | hmm | 22:03 |
__TOM | so what would work for iphone client then? | 22:04 |
nowen | I think the best option is for us to add the ability to reg a 2nd token to WiKIDAdmin | 22:06 |
__TOM | ok. | 22:09 |
*** nowen has quit (Ping timeout: 246 seconds) | 22:13 | |
*** nowen (~nowen@99-174-93-102.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 22:27 | |
*** nowen has quit (Quit: Leaving.) | 22:55 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!