2 Factor Authentication for Password Reset using ManageEngine and RingCentral SMS

John Wang
RingCentral Developers
3 min read · Jul 28, 2016

SMS is a popular way to support strong authentication or two-factor authentication (2FA) since many people have SMS-enabled mobile devices. Sending an SMS with a password reset code to a known device satisfies the “what you have” component of two-factor authentication, which can be augmented with a username and password to satisfy the “what you know” factor.

ManageEngine’s ADSelfService Plus provides a secure and easy-to-use method of enabling end-user password reset for Active Directory, which supports strong authentication using SMS. RingCentral’s SMS service provides a convenient way to deliver SMS messages that can be configured easily using two approaches:

  1. RingCentral SMS API by writing and deploying a service to receive ManageEngine requests and convert them to RingCentral SMS API calls.
  2. RingCentral for Zapier integration by using Zapier’s inbound webhooks capability. No code is required for this approach.

Configuration guide

The recipe for these integrations is now available in the RingCentral Integrations Cookbook which is hosted on GitHub and presented on Read The Docs. If you have any comments or suggestions, please feel free to send a pull request.

How we created the integration recipe

The RingCentral Platform team often gets requests from customers to see if our service integrates with a particular service. The first step is to check the RingCentral App Gallery. When no pre-built integration is found, it’s often easy to do a few Google searches to see if a simple integration is possible or if it needs to be more in-depth. This integration was created with the following steps:

Step 1: Investigating the application

The first part of looking into integration possibilities (after being familiar with the RingCentral APIs) is to understand the app’s integration capabilities. To do this, I did some Google searches for ManageEngine ADSelfService and SMS, which led me to their Administration Guide for SMS Server Settings and HTTP-based SMS providers. After reading their admin guide, it was clear their system can make the equivalent of an outbound webhook via HTTP GET or POST; I looked at the payload and concluded there was enough information to call the RingCentral SMS API.

Step 2: Designing the integration

The next step is to understand what it takes to connect the two services. Since ManageEngine makes outbound webhook requests with query string parameters and RingCentral’s SMS API takes a JSON body, it was necessary to create a middleware service to translate the query string parameters to RingCentral’s SMS API JSON request. Working with the customer, a simple setup was created using ASP.NET.

Step 3: Simplifying the integration

While a transformation middleware app is easy to set up, RingCentral supports Zapier, so it is also possible to eliminate the need to write and host a webhook transform app by using Zapier’s webhook trigger capability. I’m always interested in providing even simpler solutions to our customers, so I created a Zap using a Webhooks by Zapier trigger with a RingCentral action as well.

The Zapier inbound webhooks capability is nice because it happens instantaneously without the need to wait for a 5 or 15 minute polling interval. Since Zapier only supports retrieving query parameters from HTTP GET webhooks and not HTTP POST webhooks, set ManageEngine to use HTTP GET.

Step 4: Closing loose ends

There were two items that I wanted to address with the integration for completeness:

  1. The first was the use of OAuth 2.0 tokens. Since this was a webhook proxy, there was no need for long-lived access tokens or refresh tokens of any sort. To manage tokens efficiently, the access_token_ttl was set to 10 minutes and the refresh_token_ttl was set to -1 (for no refresh token generation).
  2. The second was getting clarification on the phone number format used by ManageEngine. I posted a question on their forums and was pleased to find out that ManageEngine uses a simple integer-based phone number format that strips out non-numeric characters.
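
The translation described in Step 2, combined with the digits-only phone format from Step 4, as an added Python example (not the ASP.NET service built with the customer and not code from the RingCentral cookbook). The query parameter names `to`, `message` and `token`, the shared-secret check, the 160-character limit and the default country code are assumptions made for this example.

```python
import hmac
import json
import re
from urllib.parse import parse_qs

# RingCentral SMS endpoint path (called with a Bearer access token).
SMS_PATH = "/restapi/v1.0/account/~/extension/~/sms"
MAX_TEXT = 160  # assumed limit: one SMS segment is plenty for a reset code


def to_e164(digits, default_country="1"):
    """Turn ManageEngine's digits-only number into E.164 for RingCentral."""
    if not re.fullmatch(r"\d{10,15}", digits):
        raise ValueError("phone number must be 10-15 digits")
    # Assumption: a bare 10-digit number is national and needs the country code.
    if len(digits) == 10:
        digits = default_country + digits
    return "+" + digits


def build_sms_request(query_string, from_number, shared_secret):
    """Translate an inbound webhook query string into (path, JSON body)."""
    params = parse_qs(query_string, keep_blank_values=True)

    def one(name):
        values = params.get(name, [])
        if len(values) != 1:  # reject missing or duplicated parameters
            raise ValueError(f"expected exactly one {name!r} parameter")
        return values[0]

    # Hypothetical 'token' parameter: without it, anyone who can reach the
    # proxy could send SMS from the RingCentral account.
    if not hmac.compare_digest(one("token").encode(), shared_secret.encode()):
        raise PermissionError("bad webhook token")
    text = one("message")
    if not text or len(text) > MAX_TEXT:
        raise ValueError("message empty or too long")
    body = {
        "from": {"phoneNumber": from_number},
        "to": [{"phoneNumber": to_e164(one("to"))}],
        "text": text,
    }
    return SMS_PATH, json.dumps(body)


# Constructed sample request, as the webhook might arrive.
SAMPLE = "to=16505550100&message=Your+reset+code+is+482913&token=s3cret-example"
```

With HTTP GET the reset code and the token travel in the URL, so serve the proxy over HTTPS only and keep query strings out of long-lived access logs.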

Summary

Two-factor authentication is a necessary part of many password reset services, and the combination of ManageEngine ADSelfService Plus and RingCentral makes for an ideal solution. When there is no pre-built integration, services that support open APIs such as ManageEngine and RingCentral can enable integrations with just a little bit of effort.

John Wang
RingCentral Developers

AVP Platform Products for @RingCentral with a focus on improving life through innovative products and software