Simple TOTP
Yakov Revyakin
yrevyakin at gmail.com
Tue Apr 30 13:45:46 EDT 2019
Currently I have successfully run Shibboleth-IdP3-TOTP-Auth. It adds its own
flow where the first step is the Password subflow.
I need to add transitions to check if OTP is activated for the user and
whether to show the OTP form or not. After that I will consider that I have got
what I wanted for a fast start.
On Tue, 30 Apr 2019 at 19:42, Nate Klingenstein <ndk at signet.id> wrote:
> Yakov,
>
> > All I need is to add, in addition to a password, one extra field to
> enter and process the OTP. All OTP secret management is on the identity backend
> and is not the responsibility of the IdP.
>
> I assume the second field is entered after the password on a second page,
> because otherwise you wouldn't be able to do anything based on the login.
>
> > The IdP must, like Google:
>
> I can't speak to exactly what Google can do now, but I remember what they
> could do last time I evaluated it.
>
> Anyway, in a modern IdP, I would use the MFA flow:
>
> > 1) show and process login
> >
> > 2) show and process password
>
> I would first start with the password flow. It will do all of the above.
>
> > 3) based on the login, understand whether OTP is enabled or disabled for
> > the user
>
> I don't believe there is a TOTP that is part of the distribution, but
> there is a contribution:
>
> https://wiki.shibboleth.net/confluence/display/IDP30/Contributions+and+Extensions
>
> I have no idea how functional or supported it is but the code looks a
> little old. It calls the Password step itself and probably expects to run
> on its own, not using the MFA system. You could install that extension and
> just try it, or you could use it as the basis for writing your own login
> flow that works more like the Password + Duo combination, which would be
> hard.
>
> > 4) show and process the OTP depending on the result of the previous step
>
> I'm not sure what you mean by show and process the OTP. Normally, you
> would match the principal name that came back from Password authentication
> to the one that came back from Google Authenticator, ensure they match, and
> then pass the user on with the right AuthnContextClassRef.
>
> > All steps use backend APIs available over HTTP.
>
> I'm also not sure which steps you're talking about, but I believe all
> these queries use HTTP. The real question for me is what you want to be
> able to do with which APIs.
>
> You would show a service provider that MFA had been used by sending along
> an AuthnContextClassRef that indicates compliance with a two-factor
> platform, which would be done because of the Principal that had been set.
>
> > What is the fastest way to reach only this single minimalist task? What
> > can I use as a foundation?
>
> It's not really easy to do this quickly without knowledge about it. The
> MFA handler isn't simple. But what you're doing is similar to what the Duo
> flows do and there was at one time a working example, so you can probably
> put something together if you know about all the pieces.
>
> https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration
>
> Take care,
> Nate.
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
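To make the shape of the MFA transition map Nate is describing concrete, here is an added example of a `conf/authn/mfa-authn-config.xml` fragment for IdP v3. It is not from this thread, from the Shibboleth-IdP3-TOTP-Auth extension, or from the Shibboleth distribution. It assumes two things that are not in the thread: that the TOTP extension registers a login flow with the id `authn/TOTP` (hypothetical; substitute whatever id the extension actually defines), and that the "is OTP enabled for this user" lookup is done inside the Nashorn script, stubbed here as a fixed list where a real deployment would call the identity backend over HTTP.

```xml
<!-- Added example, not from the thread or the extension: fragment of
     conf/authn/mfa-authn-config.xml for Shibboleth IdP v3. -->

<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Step 1: start with the stock Password flow, as suggested above. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>

    <!-- Step 2: after Password succeeds, a script decides whether to run a second factor. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>

    <!-- Step 3: after the TOTP step nothing more is needed; an empty transition ends the MFA flow.
         "authn/TOTP" is an ASSUMED flow id; use the one the extension registers. -->
    <entry key="authn/TOTP">
        <bean parent="shibboleth.authn.MFA.Transition" />
    </entry>
</util:map>

<!-- Returns the id of the next flow to run, or null to finish with the factors collected so far. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
    <value>
    <![CDATA[
        // Runs in the IdP's Nashorn engine; "input" is the ProfileRequestContext.
        var nextFlow = null;

        // Canonical username established by the Password step.
        var usernameLookup = new net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy();
        var username = usernameLookup.apply(input);

        // ASSUMPTION: a real deployment would ask the identity backend over HTTP
        // whether OTP is enabled for this user. Stubbed as a constructed list so
        // the fragment is self-contained.
        var otpEnabledUsers = ["alice", "bob"];

        if (username != null && otpEnabledUsers.indexOf(username.toString()) >= 0) {
            nextFlow = "authn/TOTP";   // assumed flow id of the TOTP extension
        }

        nextFlow;   // the script's last expression is its return value
    ]]>
    </value>
</bean>
```

Two practical points. First, the wiki's Duo-style example gates the second factor on `mfaCtx.isAcceptable()` (skip it when the Password result already satisfies what the SP requested); for a Google-style policy where the user's own OTP setting decides, do not use that gate, because an SP that sends no `RequestedAuthnContext` would then bypass the user's OTP entirely. Second, the `AuthnContextClassRef` value that advertises MFA to the SP is declared in the same file via `shibboleth.authn.MFA.supportedPrincipals`, and the MFA flow and the extension's flow both have to be enabled in `general-authn.xml` before the transition map is ever consulted.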