Simple TOTP

Yakov Revyakin yrevyakin at
Tue Apr 30 13:45:46 EDT 2019

Currently I have successfully run Shibboleth-IdP3-TOTP-Auth. It adds its own
flow in which the first step is the Password subflow.

I need to add transitions to check whether OTP is activated for the user and
whether to show the OTP form or not. After that I will consider that I have
got what I wanted for a fast start.

On Tue, 30 Apr 2019 at 19:42, Nate Klingenstein <ndk at> wrote:

> Yakov,
>
> > All I need is to add, in addition to a password, one extra field to
> > enter and process OTP. All OTP secret management is on the identity backend
> > and is not the responsibility of the IdP.
>
> I assume the second field is entered after the password on a second page,
> because otherwise you wouldn't be able to do anything based on the login.
>
> > IdP must ,
> > like Google:
>
> I can't speak to exactly what Google can do now, but I remember what they
> could do last time I evaluated it.
>
> Anyway, in a modern IdP, I would use the MFA flow:
>
> > 1) show and process login
> >
> > 2) show and process password
>
> I would first start with the password flow.  It will do all of the above.
>
> > 3) based on login, understand whether OTP is enabled or disabled for the user
>
> I don't believe there is a TOTP that is part of the distribution, but
> there is a contribution:
>
> I have no idea how functional or supported it is but the code looks a
> little old.  It calls the Password step itself and probably expects to run
> on its own, not using the MFA system.  You could install that extension and
> just try it, or you could use it as the basis for writing your own login
> flow that works more like the Password + Duo combination, which would be
> hard.
>
> > 4) show and process OTP depending on the result of the previous step
>
> I'm not sure what you mean by show and process the OTP.  Normally, you
> would match the principal name that came back from Password authentication
> to the one that came back from Google Authenticator, ensure they match, and
> then pass the user on with the right AuthnContextClassRef.
>
> > All steps use the backend's API, available over HTTP.
>
> I'm also not sure which steps you're talking about, but I believe all
> these queries use HTTP.  The real question for me is what you want to be
> able to do with which APIs.
>
> You would show a service provider that MFA had been used by sending along
> an AuthnContextClassRef that indicates compliance with a two-factor
> platform, which would be done because of the Principal that had been set.
>
> > What is the fastest way to reach only this single minimalist task? What
> > can I take as a basis?
>
> It's not really easy to do this quickly without knowledge about it.  The
> MFA handler isn't simple.  But what you're doing is similar to what the Duo
> flows do and there was at one time a working example, so you can probably
> put something together if you know about all the pieces.
>
> Take care,
> Nate.
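As an added illustration (not code from this thread or from the Shibboleth-IdP3-TOTP-Auth project), this is how the transitions Yakov asks for can be expressed with the IdP's MFA flow: run Password first, then let a script decide whether the OTP form is shown by resolving a per-user attribute from the backend. It assumes the contributed flow is registered under the id authn/TOTP and that an attribute named otpEnabled (with the value "true" for activated users) is defined in attribute-resolver.xml; both names are placeholders to adapt.

```xml
<!-- conf/authn/mfa-authn-config.xml (example configuration, not the contributed project's own) -->
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Step 1: run the stock Password flow first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- Step 2: after Password, a script decides whether the OTP form is shown. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkOtpEnabled" />
    </entry>
    <!-- No entry for the TOTP flow: when it completes, the MFA flow ends. -->
</util:map>

<bean id="checkOtpEnabled" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript" p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
        // "authn/TOTP" is an ASSUMED flow id; use the id the installed extension registers.
        nextFlow = null;  // default: finish with Password only
        // Resolve a per-user attribute from the backend for the user who just authenticated.
        // "otpEnabled" is a CONSTRUCTED attribute name; it must exist in attribute-resolver.xml.
        resCtx = input.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
        lookupClass = Java.type("net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
        resCtx.setPrincipal(new lookupClass().apply(input));
        resCtx.getRequestedIdPAttributeNames().add("otpEnabled");
        resCtx.resolveAttributes(custom);   // "custom" is the injected AttributeResolverService
        attribute = resCtx.getResolvedIdPAttributes().get("otpEnabled");
        input.removeSubcontext(resCtx);     // do not leave resolver state on the context tree
        valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
        if (attribute != null && attribute.getValues().contains(new valueType("true"))) {
            nextFlow = "authn/TOTP";        // OTP is activated for this user: show and process the OTP form
        }
        nextFlow;   // the script's last expression is the function's return value
        ]]>
        </value>
    </constructor-arg>
</bean>
```

The AuthnContextClassRef Nate mentions is then driven by the supportedPrincipals configured on the MFA flow descriptor in general-authn.xml, not by the script itself.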