TOTP Examples for SSO
Last updated
Last updated
The examples below of third-party authenticators are for illustration purposes only. The workflows are subject to change. See the ThousandEyes transaction scripting examples repository for further examples.
The secret token often comes in a form of a QR code:
You need to convert the QR code into a secret token. You can scan the QR code with your mobile phone, or convert it using a desktop or CLI app.
Do not use online QR scanners, as that will expose the secret token to 3rd parties.
The QR code will decode into a string like:
The secret token is just the N5LVC5JZNVVDSUZPJFIWUZSHGFDGMZJU part.
Once you have the secret token, you should store it in the ThousandEyes Credentials Repository as described in Working With Secure Credentials.
Then, use the following code in your transaction test script to generate a one time password in every transaction run:
This section shows the user experience for TOTP workflows, which we can then relate to the scripting used to implement these workflows in ThousandEyes transaction tests.
These workflows are for you to generate a secret key, for use in your transaction test scripts. They’re not generating the one-time password, they’re generating the keys that you will need to generate the OTP each time the transaction test is run.
Above is a workflow for Okta with Google Authenticator as the mobile OTP app. All steps occur within the Okta portal, using a desktop browser running on a workstation with a mouse and a keyboard:
The user sets up extra verification in their user profile, and clicks Set up for the Google Authenticator option. A dialog appears, directing the user to install Google Authenticator on their mobile device (not shown). Instead of clicking Next, the user clicks Can’t scan? Okta generates the secret key and presents it to the user.
Above is a workflow for Microsoft Authenticator with any mobile OTP app. All steps occur within a Microsoft identity portal, using a desktop browser running on a workstation with a mouse and a keyboard:
The user visits the Microsoft portal and chooses the steps for Additional security verification and selects these options: Choose Use verification code from app Provide Authentication phone number Choose Authenticator app or Token Click Set up Authenticator app Under Configure mobile app, do not scan the QR code. Instead, click Configure app without notifications. A secret key is generated and shown. Note that the key, which is lowercase with spaces, should be entered into your transaction test script in all caps, with no spaces.
Above is a workflow for Salesforce for any mobile OTP app. All steps occur within the Salesforce portal, using a desktop browser running on a workstation with a mouse and a keyboard:
Under My Personal Information, click Advanced User Details. The user clicks [Connect] to connect to the One-Time Password Generator. Skipping the QR code, the user clicks I can’t Scan the QR Code. A new dialog appears with the Key, which is what you would use in your transaction test script.
Here is how a one-time password appears when testing the script in the Recorder IDE.