SMS as Second Factor module
This module is implemented as an Authentication Processing Filter. That means it can be configured in the global config.php file or the SP remote or IdP hosted metadata.
It is recommended to run the module at the IdP, and configure the filter to run after all attribute mangling filters have completed, to show the user the exact same attributes that are sent to the SP.
To be able to use this module, you have to register at CM.com to get an API-key for their RESTful API.
First you need to enable the module: in config.php, search for the module.enable key and add cmdotcom with value
'module.enable' => [ 'cmdotcom' => true, … ],
In order to process the passcode SMS in this module, you need to set the mandatory API-key to interact with the CM.com RESTful API in the
You can optionally set the mobilePhoneAttribute to the name of the attribute that contains the user's mobile phone number. The default attribute if this setting is left out is
If the attribute defined above is not available for a user, an error message is shown and the user is not allowed through the filter, so make sure you select an attribute that is available to all users.
By default the SMS will originate from CMTelecom, but this can be changed using the optional
The maximum length is 16 digits for a phone number or 11 alphanumeric characters [a-zA-Z0-9]. Example: 'CMTelecom'.
Another default is that the OTP received by SMS can be entered within a period of five minutes. This can be adjusted by configuring the optional validFor setting to the number of seconds the code should be valid.
Add the filter to your Identity Provider hosted metadata authproc filters list, specifying the attribute you've selected.
90 => [
    'class' => 'cmdotcom:OTP',
    'api_key' => 'secret',
    'mobilePhoneAttribute' => 'mobile',
    'originator' => 'CM Telecom',
    'validFor' => 600,
],
This setup uses no persistent storage at all, so the user is asked to enter a passcode each time she logs in.
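As an added example (not part of the module or this README), here is a small Python check of the settings documented above, applied to the filter entry shown: the mandatory api_key, the originator length and character rules, validFor as a positive number of seconds, and the rule that a user lacking the phone-number attribute is not let through. The five-minute default for validFor is taken from the text, and the fallback attribute name is passed in explicitly because the module's default is not stated here; note that the sample value 'CM Telecom' contains a space, which the [a-zA-Z0-9] rule above does not allow, so the check flags it.

```python
import re

# Rules as documented for the cmdotcom:OTP filter (this is an added check, not
# the module's own validation): originator is at most 16 digits or at most 11
# characters from [a-zA-Z0-9]; validFor is in seconds and defaults to 5 minutes.
ORIGINATOR_RE = re.compile(r"^(?:[0-9]{1,16}|[a-zA-Z0-9]{1,11})$")
DEFAULT_VALID_FOR = 300

# The authproc entry from the README, as a Python dict (constructed sample).
PAGE_EXAMPLE = {
    "class": "cmdotcom:OTP",
    "api_key": "secret",
    "mobilePhoneAttribute": "mobile",
    "originator": "CM Telecom",
    "validFor": 600,
}


def validate_otp_filter(cfg):
    """Return a list of problems found in one cmdotcom:OTP authproc entry."""
    problems = []
    if cfg.get("class") != "cmdotcom:OTP":
        problems.append("class must be 'cmdotcom:OTP'")
    if not cfg.get("api_key"):
        problems.append("api_key is mandatory")
    attr = cfg.get("mobilePhoneAttribute")
    if attr is not None and (not isinstance(attr, str) or not attr):
        problems.append("mobilePhoneAttribute must be a non-empty attribute name")
    originator = cfg.get("originator")
    if originator is not None and not ORIGINATOR_RE.match(str(originator)):
        problems.append("originator must be at most 16 digits or at most 11 characters from [a-zA-Z0-9]")
    valid_for = cfg.get("validFor", DEFAULT_VALID_FOR)
    if isinstance(valid_for, bool) or not isinstance(valid_for, int) or valid_for <= 0:
        problems.append("validFor must be a positive number of seconds")
    return problems


def user_passes_attribute_check(cfg, attributes, fallback_attr):
    """Mirror the documented rule: a user with no (non-empty) value for the
    configured phone-number attribute is not allowed through the filter.
    fallback_attr is the name used when mobilePhoneAttribute is not set; the
    module's real default is not reproduced here, so the caller supplies it."""
    attr = cfg.get("mobilePhoneAttribute", fallback_attr)
    values = attributes.get(attr, [])
    return any(str(v).strip() for v in values)
```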