Multi token per user


Salvo Rapisarda

Jun 16, 2016, 4:15:40 AM
to privacyidea
Hi,

we have a specific case to propose.

We need to have two tokens per user, within the same realm: SMS and TOTP.

We would like to make sure that the authentication process takes place through the following steps:

  1. The user enters the username and password
  2. The user specifies the token type to use
  3. The user enters the OTP received via SMS or generated via TOTP

How can we do it?

Thanks,
Salvo.

jmdeking

Jun 16, 2016, 4:56:42 AM
to privacyidea
Hi there,

What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, I presume using RADIUS?

Please elaborate some more as to how you want to implement this.

Johan.



Cornelius Kölbel

Jun 16, 2016, 5:01:07 AM
to priva...@googlegroups.com
Hi Salvo,

Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
http://privacyidea.readthedocs.io/en/latest/modules/api.html

Roughly:

1. verify username and password
2. issue GET /token/ as this very user
-> you will see the list of assigned tokens
3. Show these tokens in a dropdown box
4. If SMS type, trigger SMS by /validate/check
5. Ask the user to enter OTP.

But if you have any other application/frontend, this will be
challenging.

Kind regards
Cornelius


--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Salvo Rapisarda

Jun 17, 2016, 6:57:54 AM
to privacyidea
Hi Cornelius,

currently we have our web application that uses the API to authenticate users via SSO using SAMLv2.
A user has only one token of type SMS.

When the auth process starts:
  1. User & pass are validated via /validate/samlcheck
  2. We get the transaction_id and then the user enters the OTP number received via SMS
  3. Next, another /validate/samlcheck is done, adding pass="OTP number" and the transaction_id received in the previous step.

Now, we want to give the user the option to choose the OTP method (SMS or TOTP). To do that we have set up a user with two tokens.
But when we do the first call to /validate/samlcheck it returns an error because this is not supported (multiple tokens).

As we wrote in the first post, we want the user to:
  1. Enter the username and password
  2. View the assigned tokens and choose which method to use
  3. Insert the OTP code based on the choice
  4. Authenticate correctly

Thank you

Salvo

Cornelius Kölbel

Jun 17, 2016, 3:22:55 PM
to priva...@googlegroups.com
Hi Salvo,

you are probably using otppin=userstore.

The problem is that two tokens with challenge response are not
supported at the moment. If the user has two tokens and one is a
challenge response token, the tokens need different OTP PINs.
If you are using the same OTP PINs or the userstore password, privacyIDEA
does not know which token should create the challenge.

I thought your first authentication with the password was not issued
against privacyIDEA but against e.g. your LDAP.

Kind regards
Cornelius


caruso.d...@gmail.com

Jun 20, 2016, 3:29:19 AM
to privacyidea
Hi!

What if we create a challenge for every user token (two in this case)?
When the user authenticates via username & password in the first step, two challenges are created (TOTP and SMS),
then the user selects the token type, and finally when the user inserts the OTP, it is checked against the
correct challenge.
Obviously, there is a problem: the sending of the SMS with the OTP needs to be postponed until the user's choice.

Daniele

Cornelius Kölbel

Jun 20, 2016, 4:05:51 AM
to priva...@googlegroups.com
Hi Daniele,

you are right. At the moment the SMS or email is sent when a challenge
is created.
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/tokens/smstoken.py#L250

create_challenge is called after the loop realizes that the
authentication request is a challenge request. This happens here:
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/token.py#L1825
https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/token.py#L1967

If you want to postpone the sending of the challenge, you need to add
another API call.

And this would still not be flexible enough. What should happen, if the
user had two SMS tokens?

What about this:
Let the user select his token, not the token type!
If the user selects the token then you can create a challenge especially
for this very token. If you are doing /validate/check?serial=xxxx
then the check_token_list function is only entered with a single token.

Kind regards
Cornelius



Cornelius Kölbel

Sep 13, 2016, 6:08:25 AM
to priva...@googlegroups.com
Salvo's workflow could be done with the current privacyIDEA API.

But then you would have to heavily improve the simpleSAML plugin.

1. Use the API to retrieve a list of the user's tokens,
   either with the user's credentials or with a service account's credentials.
2. The user could select the token.
3. Then the API request could be triggered with the serial number - not the
username.

Kind regards
Cornelius

On Monday, 12.09.2016, 11:58 -0700, Christoph Kreutzer wrote:
> Hi Salvo,
>
> your description sounds totally like what I was thinking of!
>
> If I understand correctly, you use the simpleSAMLphp plugin? Have you
> made any efforts on this? Maybe we could integrate this in the plugin
> maintained by Cornelius (as a PR) or branch it? I am interested in
> contributing, too.
>
> I'm currently using simpleSAMLphp and authtfaga, but I would like to
> replace that with a more complete and versatile solution.
>
> Best regards,
> Christoph
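The serial-based workflow from Cornelius's replies above (list the user's tokens, let the user pick one, then call /validate/check with serial= rather than user= so only that token is evaluated), as an added example that is neither privacyIDEA's own code nor code from anyone in the thread. Endpoint paths and response fields follow privacyIDEA's REST API; PIClient, FakePrivacyIDEA, the serials, PINs, OTP values and JWT are constructed for this illustration, and the fake server only models that an SMS challenge (and thus the SMS) is created on the PIN-only call.

```python
import secrets
class PIClient:
    # Wrapper for the three calls the thread mentions: /auth, /token/, /validate/check
    def __init__(self, call):
        self.call = call   # call(method, path, params, headers) -> parsed JSON dict
        self.jwt = None
    def login(self, user, password):
        # Step 1: the userstore password is checked and yields a user-role JWT
        r = self.call("POST", "/auth", {"username": user, "password": password}, {})
        self.jwt = r["result"]["value"]["token"]
    def list_tokens(self):
        # Step 2: GET /token/ as this very user lists only the tokens assigned to him
        r = self.call("GET", "/token/", {}, {"Authorization": self.jwt})
        return [(t["serial"], t["tokentype"]) for t in r["result"]["value"]["tokens"]]
    def check(self, params):
        # /validate/check with serial= instead of user=, so only one token is evaluated
        return self.call("POST", "/validate/check", params, {})

def authenticate(client, serial, ttype, pin, ask_otp):
    # Step 3: run the chosen token to completion; ask_otp() prompts the user
    if ttype == "sms":
        # pass=PIN alone triggers the challenge; the SMS is sent at this point
        chal = client.check({"serial": serial, "pass": pin})
        tid = chal["detail"]["transaction_id"]
        final = client.check({"serial": serial, "transaction_id": tid, "pass": ask_otp()})
    else:
        # TOTP has no challenge: PIN and OTP are concatenated in a single call
        final = client.check({"serial": serial, "pass": pin + ask_otp()})
    return bool(final["result"]["value"])

class FakePrivacyIDEA:
    # Constructed stand-in for the server with two tokens on one user (not the real code)
    def __init__(self):
        self.tokens = {"SMS0001": ("sms", "1234", "777777"), "TOTP0001": ("totp", "1234", "123456")}
        self.challenges = {}   # transaction_id -> serial
    def __call__(self, method, path, params, headers):
        if path == "/auth":
            return {"result": {"value": {"token": "constructed-jwt"}}}
        if path == "/token/":
            toks = [{"serial": s, "tokentype": t[0]} for s, t in self.tokens.items()]
            return {"result": {"value": {"tokens": toks}}}
        ttype, pin, otp = self.tokens[params["serial"]]
        if "transaction_id" in params:   # second half of challenge-response
            ok = self.challenges.pop(params["transaction_id"], None) == params["serial"]
            return {"result": {"value": ok and params["pass"] == otp}}
        if ttype == "sms" and params["pass"] == pin:   # first half: create the challenge
            tid = secrets.token_hex(8)
            self.challenges[tid] = params["serial"]
            return {"result": {"value": False}, "detail": {"transaction_id": tid}}
        return {"result": {"value": params["pass"] == pin + otp}}
```

With otppin=userstore, as Cornelius suspects is the case here, the `pin` passed in is the same userstore password checked in step 1; the fake server uses a plain PIN only to keep the example self-contained.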