
Is it possible to ensure that a user has received an SMS on their mobile phone using the SMS authentication method and/or the CustomerID mobile phone number verification process?

Step-by-step guide

Ubisecure SSO calls the URL listed in the SMS authentication method, e.g. http://hostname/sendSMS?id=23uhf3423s&from=+38111&to={mobile}&content={challenge}

The {challenge} message is generated based on the localized SMS_TEXT language key found in the custom uas_XX.properties file.

Ubisecure CustomerID calls the gateway listed in the methods.sms.gateway variable of the eidm2.properties file:

methods.sms.gateway = http://smsgw/sendsms?PhoneNumber={mobile}&text={challenge}&etc=123

The actual text sent in the challenge is defined in the setting sms.verification.message of the messages_XX.properties file.

In both cases, the call to the external SMS gateway is made by HTTP GET. The {mobile} value is derived from the user's directory mobile attribute.

Use of acknowledgements or read receipts depends on the SMS gateway's capabilities. Every SMS gateway is different and must be checked for compatibility. If an HTTP status of 200 is received from the URL, delivery is assumed to have been successful. The HTML content of the returned page is not read, processed or logged in any way. Ubisecure SSO and CustomerID do not process delivery and read receipts.

By using an intermediate proxy, it is possible to accept the request from Ubisecure SSO or CustomerID, delay the response until the delivery receipt is received, and only then return a 200 successful response. Implementation of the delay logic is gateway specific. User interface text should be updated accordingly to warn the user of the delay. A maximum timeout should be implemented in the proxy application to prevent blocking the user.

An intermediate proxy program can also create its own log of transaction numbers and received return values for diagnostic and possible accounting purposes. Typically, operators provide a web service to list sent messages and statuses.
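A sketch of the intermediate proxy described above, added here as an example and not Ubisecure code. It reads the `to` and `content` parameters from the SSO example URL; the `send` and `status` callables, the state strings, the 502/504 failure codes and the timeout values are assumptions standing in for the gateway-specific part.

```python
import logging
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlparse, parse_qs

log = logging.getLogger("sms-proxy")
MAX_WAIT_S = 20.0      # assumption: upper bound so the user is never blocked
POLL_INTERVAL_S = 1.0  # assumption: how often the gateway is asked for status
RESULT = {"DELIVERED": 200, "FAILED": 502}  # hypothetical gateway states


def deliver_and_wait(send, status, mobile, text,
                     max_wait=MAX_WAIT_S, interval=POLL_INTERVAL_S):
    """Send one SMS, then block until a delivery receipt or the timeout.

    send(mobile, text) -> transaction id and status(tx_id) -> state string
    are hypothetical, gateway-specific callables supplied by the integrator.
    Returns the HTTP status the proxy answers with: 200, 502 or 504.
    """
    tx_id = send(mobile, text)
    deadline = time.monotonic() + max_wait
    code = 504  # stays 504 if no final state arrives before the deadline
    while code == 504 and time.monotonic() < deadline:
        code = RESULT.get(status(tx_id), 504)
        if code == 504:
            time.sleep(interval)
    # Diagnostic log: transaction id and result, not the challenge text.
    log.info("sms tx=%s to=***%s result=%s", tx_id, mobile[-2:], code)
    return code


def make_handler(send, status):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass  # default access log would record {mobile} and {challenge}

        def do_GET(self):  # SSO and CustomerID call the gateway by HTTP GET
            q = parse_qs(urlparse(self.path).query)
            mobile, text = q.get("to", [""])[0], q.get("content", [""])[0]
            ok = bool(mobile and text)
            self.send_response(deliver_and_wait(send, status, mobile, text) if ok else 400)
            self.end_headers()
    return Handler


def serve(send, status, host="127.0.0.1", port=8080):
    ThreadingHTTPServer((host, port), make_handler(send, status)).serve_forever()
```

Because SSO and CustomerID treat only a 200 as successful delivery, any other status from the proxy signals that the message was not confirmed within the timeout.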


