Simple TOTP

Nate Klingenstein ndk at signet.id
Tue Apr 30 12:42:19 EDT 2019


Yakov,

> All what I need is to add, in addition to a password, one extra field to enter and process OTP. All OTP secret management is on the identity backend and is not responsibility of IdP.

I assume the second field is entered after the password on a second page, because otherwise you wouldn't be able to do anything based on the login.

> IdP must, like Google:

I can't speak to exactly what Google can do now, but I remember what they could do last time I evaluated it.

Anyway, in a modern IdP, I would use the MFA flow:

> 1) show and process login
>
> 2) show and process password

I would first start with the password flow.  It will do all of the above.

> 3) based on login understand whether OTP is enabled for the user or disabled

I don't believe there is a TOTP that is part of the distribution, but there is a contribution:

https://wiki.shibboleth.net/confluence/display/IDP30/Contributions+and+Extensions

I have no idea how functional or supported it is but the code looks a little old.  It calls the Password step itself and probably expects to run on its own, not using the MFA system.  You could install that extension and just try it, or you could use it as the basis for writing your own login flow that works more like the Password + Duo combination, which would be hard.

> 4) show and process OTP depend on result of prev step

I'm not sure what you mean by show and process the OTP.  Normally, you would match the principal name that came back from Password authentication to the one that came back from Google Authenticator, ensure they match, and then pass the user on with the right AuthnContextClassRef.

> All steps use backends API available by http.

I'm also not sure which steps you're talking about, but I believe all these queries use HTTP.  The real question for me is what you want to be able to do with which APIs.

You would show a service provider that MFA had been used by sending along an AuthnContextClassRef that indicates compliance with a two-factor platform, which would be done because of the Principal that had been set.
> What is the fastest way to reach only this single minimalist task? What can I give as basement?

It's not really easy to do this quickly without knowledge about it.  The MFA handler isn't simple.  But what you're doing is similar to what the Duo flows do and there was at one time a working example, so you can probably put something together if you know about all the pieces.

https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration

Take care,
Nate.

