
Custom login pages for MAC OTP in Verify Access

By Jasmine Smith posted Sun December 17, 2023 07:38 PM

One of the most common requests that the development team receives is "How can I modify my template pages to have multiple different brands?"

The usual response is to guide administrators towards template scripting and/or HTTP transformation rules. But wouldn’t it be nice if template pages could be configured on a mechanism or policy level?

We’ve actually been making incremental changes in this space. Starting in Verify Access 10.0.3 with the FIDO2 WebAuthn Registration mechanism, we added a configuration entry for the template page to enable customisation of the FIDO2 PAIR scenario.

This blog however is going to focus on the new configuration entries added in Verify Access 10.0.7 for MAC OTP. And we’ll go through how these new configuration entries are used in the out-of-the-box USC Passkey Account Create policy, also added in 10.0.7.

Mechanism properties

The MAC One-time Password mechanism now has three extra properties. Each is edited in the LMI under AAC > Authentication > Mechanisms > MAC One-time Password > Edit > Properties, and each takes the path of a template page; if the property is left empty, the default page is used.

Delivery Selection Template Page
Overrides the path of the delivery selection template page, which lists the methods for generating, delivering, and verifying the one-time password, so that its branding or user experience can be customised.
Default: /authsvc/authenticator/macotp/delivery_selection.html

Login Template Page
Overrides the path of the login template page, which shows the form where the user enters the MAC one-time password.
Default: /authsvc/authenticator/macotp/login.html

Error Template Page
Overrides the path of the error template page, which displays errors raised during MAC one-time password authentication.
Default: /authsvc/authenticator/macotp/error.html

Policy Parameters

The same three template pages can also be set as parameters on the MAC OTP step of an authentication policy, where they override the mechanism-level values for that policy only. Policy parameters are not limited to static strings: the path can be read from a session or request attribute, so a single mechanism can serve several brands. One caveat: a path sourced directly from a request parameter is chosen by the client, so resolve it in an earlier step of the policy (for example an InfoMap) that maps a brand identifier to an allowlisted template path and stores the result in the session, rather than passing the raw request value through.
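The following is an added example and not code from the original post or from IBM: an InfoMap-style script that turns an untrusted "brand" request parameter into an allowlisted login template path and stores it in the session, where the MAC OTP step's Login Template Page policy parameter (source: Session) can read it. The brand names, the per-brand template paths under /authsvc/authenticator/macotp/brands/, and the session attribute name macotpLoginTemplate are assumptions; `context.get`, `state.put` and `success.setValue` are the objects Verify Access injects into an InfoMap, so that part is guarded and only the pure resolver runs under Node.

```javascript
// Added example, not from the original post. ES5 syntax (var/function) so the
// same file can be pasted into a Rhino-based InfoMap or run in Node.

// Hypothetical per-brand template files deployed under the AAC template root.
var BRAND_LOGIN_TEMPLATES = {
  acme: "/authsvc/authenticator/macotp/brands/acme/login.html",
  globex: "/authsvc/authenticator/macotp/brands/globex/login.html"
};

// Default login page shipped with Verify Access, used when no override is set.
var DEFAULT_LOGIN_TEMPLATE = "/authsvc/authenticator/macotp/login.html";

// Map a client-supplied brand to a template path. Only exact allowlisted keys
// are accepted; anything else (missing value, unknown brand, path-like input
// such as "../../error.html", or object-prototype names like "constructor")
// falls back to the default, so the client can never pick an arbitrary path.
function resolveLoginTemplate(brand) {
  if (brand === null || brand === undefined) {
    return DEFAULT_LOGIN_TEMPLATE;
  }
  // String() also converts the Java string that context.get returns in Rhino.
  var key = String(brand).replace(/^\s+|\s+$/g, "").toLowerCase();
  if (Object.prototype.hasOwnProperty.call(BRAND_LOGIN_TEMPLATES, key)) {
    return BRAND_LOGIN_TEMPLATES[key];
  }
  return DEFAULT_LOGIN_TEMPLATE;
}

// InfoMap body: runs only inside Verify Access, where context/state/success
// exist. The MAC OTP step's "Login Template Page" policy parameter would then
// be configured with source Session and name macotpLoginTemplate (assumed name).
if (typeof context !== "undefined" && typeof state !== "undefined") {
  var requestedBrand = context.get("urn:ibm:security:asf:request:parameter", "brand");
  state.put("macotpLoginTemplate", resolveLoginTemplate(requestedBrand));
  success.setValue(true);
}
```

The point of the indirection is that the policy parameter never sees the raw request value: the session attribute only ever holds one of the paths you deployed, or the default.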

Customisation in action: USC Passkey Account Create

Now, how do we go about using these parameters? Well, in the new account create policy, we needed to tightly control the user experience for performing an email OTP. The policy uses the email OTP step to confirm that the user creating the new account owns and has access to the email address they want to create their account with.

Let’s take a look at the policy itself:

After running the SCIM Endpoint Configuration mechanism (which fetches SCIM configuration and loads it into the session for use in InfoMaps later) and fetching the user’s email via the USC Passkey Account Create - Collect Email mechanism, the user is prompted to complete the MAC OTP mechanism.

The only template overridden at the policy level is the login template page: the policy fixes email as the delivery method, so the user is never shown the delivery selection page, and the error page is left at its default. This let us make the OTP page match the style of the rest of the policy. How good is that?!

Before (default MAC OTP login page):

After (login template page overridden at the policy level):

Note: If you’d like to run this policy in full, follow the instructions here:
https://www.ibm.com/docs/en/sva/10.0.7?topic=operations-passkey-account-create-policy

It’s now that easy to customise the template pages used by MAC OTP!

Would you like to see more mechanisms updated with customisable template pages? You can vote on this idea in the ideas portal here: https://ideas.ibm.com/ideas/ISAM-I-1212
