OTP Email Sender node

The OTP Email Sender node sends an email containing a generated one-time passcode (OTP) to the user.

Send mail requests time out after 10 seconds.

You can change the timeout in the following advanced AM server properties:

org.forgerock.openam.smtp.system.connect.timeout
org.forgerock.openam.smtp.system.socket.read.timeout
org.forgerock.openam.smtp.system.socket.write.timeout

How do I configure advanced server properties?

To configure advanced server properties for all the instances of the AM environment, go to Configure > Server Defaults > Advanced in the AM admin UI.
To configure advanced server properties for a specific instance, go to Deployment > Servers > Server Name > Advanced.

If the property you want to add or edit is already configured, click the pencil () button to edit it, then click the checkmark () button.

Save your changes.

Learn more in advanced properties.

Example

The following example demonstrates using an OTP in a multi-factor authentication journey:

The Page node with the Username Collector node and the Password Collector node prompts for the user credentials.
The Data Store Decision node confirms the username-password credentials.
The HOTP Generator node generates an eight-digit OTP.
The Choice Collector node prompts the user to choose whether they want to receive the OTP via email or SMS.
- If the user chooses email, the OTP Email Sender node sends the OTP to the user’s email address.
- If the user chooses SMS, the OTP SMS Sender node sends the OTP to the user’s mobile number.
The OTP Collector Decision node prompts the user to enter the OTP they received and verifies it. If the OTP is correct, the user is authenticated.

Availability

Product	Available?
PingOne Advanced Identity Cloud	Yes
PingAM (self-managed)	Yes
Ping Identity Platform (self-managed)	Yes

Product

Available?

PingOne Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Inputs

This node requires the realm and username properties in the incoming node state.

Implement a Username Collector node (standalone AM) or Platform Username node (Ping Identity Platform deployments) earlier in the journey.
This node requires the oneTimePassword property in the incoming node state.

Implement the HOTP Generator node earlier in the journey.

Dependencies

The node requires a configured email provider.

Additionally, the user’s profile must contain a valid email address.

Configuration

Property Usage

Mail Server Host Name (required)

The hostname of the SMTP email server.

Mail Server Host Port

The outgoing mail server port.

Common ports are 25, 465 for SSL/TLS, or 587 for StartTLS.

Mail Server Authentication Username

The username AM uses to connect to the mail server.

Mail Server Authentication Password

The password AM uses to connect to the mail server.

This property is deprecated. Use the Mail Server Secret Label Identifier instead.

If you set a Mail Server Secret Label Identifier, this password is ignored.

Mail Server Secret Label Identifier

An identifier used to create a secret label for mapping to a secret in a secret store.

AM uses this identifier to create a specific secret label for this node. The secret label takes the form am.authentication.nodes.otp.mail.identifier.password where identifier is the value of Mail Server Secret Label Identifier. The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

If you set a Mail Server Secret Label Identifier and AM finds a matching secret in a secret store, the Mail Server Authentication Password is ignored.

Email From Address (required)

The email address from which the OTP will appear to have been sent.

Email Attribute Name

The attribute in the user profile that contains the email address to which the email with the OTP is sent.

Default: mail

The subject of the email

Click Add to add a new email subject. Enter the locale, such as en-uk, in the Key field and the subject in the Value field. Repeat these steps for each locale that you support.

The content of the email

Click Add to add the content of the email. Enter the locale, such as en-uk, in the Key field and the email content in the Value field. Repeat these steps for each locale that you support.

Mail Server Secure Connection

Set the connection method to the mail server.

If you set a secure method here, AM must trust the server certificate of the mail server.

The possible values for this property are:

NON SSL/TLS
SSL/TLS
Start TLS

Default: SSL/TLS

Gateway Implementation Class

The class the node uses to send SMS and email messages. A custom class must implement the com.sun.identity.authentication.modules.hotp.SMSGateway interface.

Default: com.sun.identity.authentication.modules.hotp.DefaultSMSGatewayImpl

Outputs

This node copies shared and transient state into the outgoing node state.

Errors

The node throws an IdRepoException and an SSOException error if it’s unable to obtain the user’s email address.

Outcomes

Single outcome path.

Implement an OTP Collector Decision node after this node to continue the authentication journey.

PingAM Auth node reference