toopher · dshafer · Feb 23, 2015 · Feb 24, 2015 · Feb 24, 2015 · Feb 24, 2015
diff --git a/Login.jsp b/Login.jsp
diff --git a/README.md b/README.md
@@ -37,18 +37,29 @@ All executable and configuration files must be copied to the proper spot in the
 
     sudo cp -r openam/* ${CATALINA_HOME}/webapps/openam/
 
-Edit Login.jsp to include the Toopher javascript file at the end of the page (just above the closing `</body>` tag):
+Edit Login.jsp to include and initialize the Toopher javascript file at the end of the page (just above the closing `</body>` tag):
 
                     </div>
                 </div>
                 <!--Beginning of required change-->
                 <script language="JavaScript" src="<%= ServiceURI%>/js/toopher-openam.js" type="text/javascript"></script>
+                <script language="JavaScript" type="text/javascript">
+                    toopherOpenAM.init('${toopherIframeSrcUrl}');
+                </script>
                 <!--End of required change-->
             </body>
         </jato:useViewBean>
     </html>
 
-Make sure tomcat can access all of the new files:
+By default, the Toopher-OpenAM Javascript will insert a Toopher Iframe into the login page
+immediately before the OpenAM form, and hide the form.  If you would like to override this
+behavior, you may add an `<iframe id='toopher-iframe'></iframe>` anywhere in the page, and
+the Toopher-OpenAM Javascript will use your iframe element instead of creating one
+of its own.  Your iframe should be 300px in height.  Minimum width is 400px, optimum width
+is 720px.  The iframe should be hidden by default in your CSS - the Toopher-OpenAM Javascript
+will make it visible when it is needed.
+
+Finally, make sure tomcat can access all of the new files:
 
     sudo chown -R tomcat:tomcat ${CATALINA_HOME}/webapps/openam
 
@@ -80,7 +91,6 @@ If you have not done so already, provision a new Toopher Consumer Key/Secret pai
 
 Click the `ToopherSecondFactor` entry in the `Module Instances` list to go to the module options page.  Fill in appropriate values for all fields:
 
-* **Allow Users to Opt-Out of Toopher Authentication** : If enabled, individual users will be able to disable Toopher Authentication when they log in.  This has the effect that the `ToopherSecondFactor` module instance will immedately grant access to the user
 * **User email attribute** : Name of the User Principal attribute that holds a valid email address for the user.  The Toopher Two-Factor ID authentication module uses this address to send self-service Pairing Reset emails to the user *(not yet implemented)*
 * **Authentication Level** : Authentication Level to be reported to OpenAM
 * **Toopher API URL** : URL of the Toopher Web API.  This should be `https://api.toopher.com/v1/` for most users.
@@ -100,31 +110,22 @@ Congratulations - You're done!
 ## Administering a Toopher-Enabled Userbase
 ### The Toopher Two-Factor Login Flow
 
-1. The first time OpenAM users authenticate through the Toopher service, they will be given the chance to opt-out of Toopher Authentication if the **Allow Users to Opt-Out of Toopher** setting is enabled.
 1. If the user has opted-out of Toopher Authentication, they will be immediately authenticated successfully by the Toopher Authentication Service
 1. If the user has not paired a mobile device with their OpenAM profile, they will be prompted to enter a "pairing phrase" generated by the Toopher Mobile App (Available for Android and iOS through the respective app store)
 1. If the user has never logged in from the current terminal, they will be prompted to assign a "Friendly Name" to the terminal.  Terminals are identified by setting a secure cookie in the browser.
 1. The user is prompted via push message on their mobile device to authenticate the login.  If sufficient location information is available, the user is given the option to automatically allow future logins from that specific terminal when the mobile device is in that location
 
-## Future Enhancements
-This pilot demonstrates the core functionality of a Toopher-enhanced OpenAM authentication flow.  Several further improvements are in active development and will be available soon:
-
-* Self-service Toopher pairing management (e.g., account recovery for when a user loses access to their second factor, etc.)
-* User-accessible configuration options
-* Admin pairing management (e.g., allow admins to deactivate pairing, etc.)
-* More dynamic Toopher authentication waiting room (currently the webpage periodically refreshes while Toopher authentication is performed)
-
 ### FAQ
 #### How can users un-pair their mobile device from Toopher?
-Users can delete the pairing from their mobile device by tapping on the pairing in the Toopher mobile app, then selecting "Remove Pairing".  The next time they authenticate through OpenAM, the user will be prompted to re-pair their account with a mobile device.  If the **Allow Users to Opt-Out of Toopher** option is `enabled`, the user will first be given the opportunity to disable Toopher authentication on their account.
+Users can delete the pairing from their mobile device by tapping on the pairing in the Toopher mobile app, then selecting "Remove Pairing".  The next time they authenticate through OpenAM, the user will be prompted to re-pair their account with a mobile device.
 
 #### Can users authenticate if their mobile device is not connected to the network?
 Yes, users can still authenticate with a One-Time Password by clicking on the "Authenticate with
 One-Time Password" button when logging in.  The Toopher mobile app can generate valid One-Time
 Passwords regardless of network connectivity.
 
 #### What happens if users lose their mobile device, or delete the Toopher app?
-Currently, this situation requires an administrator to manually reset the user's Toopher Pairing
+This situation requires an administrator to manually reset the user's Toopher Pairing
 status by running `reset_user.py` script, available in the `tools` directory of the installation archive.
 `reset_user.py` requires access to the same Toopher Consumer Key and Secret used to configure the Toopher
 OpenAM module.  There are two ways to supply these credentials to the script:
@@ -141,6 +142,3 @@ command-line argument: the UID for the OpenAM user needing to be reset.
 
     python tools/reset_user.py johndoe
 
-We are currently developing a self-service Pairing
-Recovery capability in Toopher for OpenAM which will reduce the administrative burden of this task,
-expected to be available in late 2013.
diff --git a/ToopherSecondFactor/ToopherSecondFactor.xml b/ToopherSecondFactor/ToopherSecondFactor.xml
@@ -4,66 +4,12 @@
   <Callbacks length="0" order="1" timeout="600" header="Toopher">
   <!-- dummy callback so code can figure out what to do next -->
   </Callbacks>
-  <Callbacks length="1" order="2" timeout="600" header="Pair with Toopher">
+  <Callbacks length="1" order="2" timeout="600" header="Authenticate with Toopher">
     <NameCallback isRequired="true">
-      <Prompt>Please enter a Pairing Phrase generated from the Toopher Mobile app</Prompt>
+      <Prompt>#TOOPHER_HIDE#</Prompt>
     </NameCallback>
   </Callbacks>
-  <Callbacks length="1" order="3" timeout="600" header="Waiting for Pairing Completion">
-  </Callbacks>
-  <Callbacks length="1" order="4" timeout="600" header="Name Terminal">
-    <NameCallback isRequired="true">
-      <Prompt>Terminal Name</Prompt>
-    </NameCallback>
-  </Callbacks>
-  <Callbacks length="1" order="5" timeout="600" header="Authenticating with Toopher">
-    <ConfirmationCallback>
-      <OptionValues>
-        <OptionValue>
-          <Value>Authenticate with One-Time Password</Value>
-        </OptionValue>
-      </OptionValues>
-    </ConfirmationCallback>
-  </Callbacks>
-  <Callbacks length="1" order="6" timeout="600" header="Enter One-Time Password">
-    <NameCallback isRequired="true">
-      <Prompt>Enter current OTP generated by the Toopher Mobile App</Prompt>
-    </NameCallback>
-  </Callbacks>
-  <Callbacks length="1" order="7" timeout="600" header="This Pairing has been Deactivated on the Mobile Device">
-    <ConfirmationCallback>
-      <OptionValues>
-        <OptionValue>
-          <Value>Re-Pair Account with Toopher</Value>
-        </OptionValue>
-      </OptionValues>
-    </ConfirmationCallback>
-  </Callbacks>
-  <Callbacks length="2" order="8" timeout="600" header="This Pairing has been Deactivated on the Mobile Device">
-    <ConfirmationCallback>
-      <OptionValues>
-        <OptionValue>
-          <Value>Re-Pair Account with Toopher</Value>
-        </OptionValue>
-        <OptionValue>
-          <Value>Disable Toopher Authentication</Value>
-        </OptionValue>
-      </OptionValues>
-    </ConfirmationCallback>
-  </Callbacks>
-  <Callbacks length="2" order="9" timeout="600" header="Enable Toopher Two-Factor Authentication?">
-       <ConfirmationCallback>
-            <OptionValues>
-                <OptionValue>
-                    <Value>Yes, use Toopher</Value>
-                </OptionValue>
-                <OptionValue>
-                    <Value>No thanks</Value>
-                </OptionValue>
-            </OptionValues>
-        </ConfirmationCallback>
-  </Callbacks>
-  <Callbacks length="1" order="10" timeout="600" header="Toopher" error="true">
+  <Callbacks length="1" order="3" timeout="600" header="Toopher" error="true">
     <NameCallback>
       <Prompt>#THE DUMMY WILL NEVER BE SHOWN#</Prompt>
     </NameCallback>

diff --git a/ToopherSecondFactor/amAuthToopherLocalStorageSecondFactor.xml b/ToopherSecondFactor/amAuthToopherLocalStorageSecondFactor.xml
diff --git a/ToopherSecondFactor/amAuthToopherSecondFactor.properties b/ToopherSecondFactor/amAuthToopherSecondFactor.properties
@@ -4,7 +4,6 @@ backend=Backend
 toopher-api-url=Toopher API URL
 toopher-consumer-key=Toopher Consumer Key
 toopher-consumer-secret=Toopher Consumer Secret
-allow-opt-out=Allow Users to Opt-Out of Toopher Authentication
 backend-server-urls=Backend Server URLs
 num-backend-connections=Num Backend Connections
 ldap-bind-user-dn=Bind User DN

diff --git a/ToopherSecondFactor/amAuthToopherSecondFactor.xml b/ToopherSecondFactor/amAuthToopherSecondFactor.xml
@@ -29,15 +29,6 @@
             <Value>mail</Value>
           </DefaultValues>
         </AttributeSchema>
-        <AttributeSchema name="iplanet-am-auth-ToopherSecondFactor-allowOptOut" type="single" syntax="boolean" i18nKey="allow-opt-out">
-          <BooleanValues>
-            <BooleanTrueValue i18nKey="i18nTrue">true</BooleanTrueValue>
-            <BooleanFalseValue i18nKey="i18nFalse">false</BooleanFalseValue>
-          </BooleanValues>
-          <DefaultValues>
-            <Value>false</Value>
-          </DefaultValues>
-        </AttributeSchema>
         <SubSchema name="serverconfig" inheritance="multiple">
           <AttributeSchema name="iplanet-am-auth-ToopherSecondFactor-auth-level" type="single" syntax="number_range" rangeStart="0" rangeEnd="2147483647" i18nKey="auth-level">
             <DefaultValues>
@@ -64,15 +55,6 @@
               <Value>mail</Value>
             </DefaultValues>
           </AttributeSchema>
-          <AttributeSchema name="iplanet-am-auth-ToopherSecondFactor-allowOptOut" type="single" syntax="boolean" i18nKey="allow-opt-out">
-            <BooleanValues>
-              <BooleanTrueValue i18nKey="i18nTrue">true</BooleanTrueValue>
-              <BooleanFalseValue i18nKey="i18nFalse">false</BooleanFalseValue>
-            </BooleanValues>
-            <DefaultValues>
-              <Value>false</Value>
-            </DefaultValues>
-          </AttributeSchema>
         </SubSchema>
       </Organization>
     </Schema>