How to configure passwordless OneTouch authentication

Last modified on 24 Feb, 2021. Revision 6
Sometimes you wan to get rid of the password requirement when using OneTouch as "strong" authentication. We will cover RADIUS Authentication and SAML in this article but this is also possible to do for Internal Authentication (Selfservice, WebUi etc.) and OIDC.This KB article assumes that you have the base scenario setup for OneTouch Authentication.
Up to date for
Easyaccess 3.0
Status OK

SAML Authentication

For SAML authentication we need to change the authenticator used to be SAMLUidOneTouch. Login to the WebUI and go to the advance tab, click on the pen besides Authentication - HTTP:

Find your SAML authenticator:

Change the name value to SAMLUidOneTouch, stage changes and commit.

Next we need to remove some Valves from the execution flow since we still expect a password but there is no way for the user to enter a password. Go to Scenarios → Federation and click on your Username, Password and OneTouch scenario. Go to the Execution Flow tab. Delete the InputParameterExistValve and the LDAPBindValve. Click save.

We are now done the user will now see the following page when surfing to the authenticator URL:

Radius Authentication

With RADIUS authentication it will be different we can’t control client it self that connects, for example the OneConnect client (at the moment) will always show the password field even though we do this change on the EasyAccess server. The only thing we need to do here is to remove the LDAPBindValve from the Execution flow on the normal Username, Password and OneTouch RADIUS scenario.

Go to Scenarios → RADIUS and click on the Username, Password and OneTouch scenario. Go to the Execution Flow tab and delete the LDAPBindValve:

Click save. The users will now be able to login without password.

Related articles

Sending EasyAccess logs to InCenter or a Syslog server
4 May, 2021 easyaccess incenter syslog
OneConnect VPN certificate not trusted
22 Aug, 2022 onetouch sslvpn oneconnect