Whilst DualShield is fully capable of creating its own Google Authenticator compatible tokens, there are circumstances when it would be useful to import google authenticator tokens that were generated externally into DualShield.

As an example, you might have generated a Google Authenticator QR Code for a AD user where there is no P1 or P2 license, and then used this QR code to program a programmable SafeID token, and now want to use that same programmable token with DualShield (without reprogramming the token).

The following procedure assumes that you still have the QR code that was used to program the programmable token.

Obtaining the seed data from the google authenticator QR Code

Let us assume that we have programmed a diamond token using the following QR code;


Whilst there are several ways to convert this QR code to text (and extract the seed data) we already have an app that can perform this task for us (the SafeID/Diamond programming tool app)

Run the app on the same window that is displaying the QR code to be examined, then use the "Scan Screen" feature to obtain the seed data;


After scanning the QR code you will find the base32 seed data field will now include seed details extracted from the QR code;


Copy and paste the following text into a text editor;

Token Seed File
<?xml version="1.0"?>
<data>
  <header>
    <manufacturerCode>GG</manufacturerCode>
    <productCode>GT</productCode>
    <synchronisation>30</synchronisation>
    <encrypt>NONE</encrypt>
    <encode>BASE32</encode>
    <digits>6</digits>
    <syncsize>2</syncsize>
    <crypto>HmacSHA1</crypto>
  </header>
  <tokens>
    <token>
	<serial>40027524</serial>
      <seed>ZBJ2FSWHA4PKOSG6NA5F3V4OBREK3VJP</seed>
    </token>
  </tokens>
</data>


Now replace the seed data with the seed data in base32 format ("ZBJ2FSWHA4PKOSG6NA5F3V4OBREK3VJP" in the example above) that was produced from your token scan

Next replace the serial number ("40027524" in the above example) with the serial number that you want to use with this token (if the seed was burnt onto a programmable token then use the serial number on the back of the token).

Once you have replaced the seed data and serial number, save the text file with a ".XML" extension to the filename.

The file will now be ready for importing into DualShield.

Importing the seed data into DualShield

Log in to the management console and navigate to ""Repository | Tokens"


Click on the button, and a window titled "Import Tokens" will open;


Ensure the system token repository is selected then click on the button, then navigate to the seed file you created with the text editor and click ;


The token can now be imported by clicking on the button.

The token will import in the form of a Google Authenticator time based token as per the example below and is ready to be assigned to a user;

Assigning the token

To assign the new token to a user left click on the context menu of the newly imported token then select "Assignments";

A new window will now open titled "Token Assignments", click on the button and select the domain that contains the user that we will assign the token to;

Use the icon to select the user the token is to be assigned to then click

  • No labels