Adding additional authentication steps on the IDP level.


Dominik Trupčević

Apr 13, 2015, 6:12:03 AM
to simple...@googlegroups.com
Hi guys! 

I've been working with SimpleSAMLphp for some time now and I love the way it just works most of the time :)

I've come across a desire to add an additional step to authentication on the IDP. Imagine a user having a secret question in addition to the standard authsource username/password authentication. A user can define their own secret question on an SP I created, or a user can remain without a secret question, in which case the auth process would default to the standard authsource username/password auth process.

From what I've seen in the documentation, Auth Filters are a way to add steps to the Authentication Processing Chain. The filters however don't work at all if I try to log in on the IDP directly, so if a user gets his username/password stolen, a malicious person can log in directly to the IDP and go to all the SPs logged in as that user, making the secret question auth filter completely useless :(.

So what I'm asking is: how would one properly implement additional authentication steps on the IDP? I haven't yet researched all the available modules, so if something similar exists in some of the modules, I apologize and please point me in the right direction :). I would very much like to avoid touching the existing SimpleSAMLphp code and do all the work in a separate module if it's at all possible.

Jaime Perez Crespo

Apr 13, 2015, 10:56:18 AM
to simple...@googlegroups.com
Hi Dominik,
Yes, that’s perfectly possible. Authproc filters can be added both to SPs and IdPs, and for both, they can also be added globally or individually. So if you want to enforce that second factor of authentication to all users in your IdP, the way to go then is to add an authproc filter in your SAML 2.0 IdP metadata, that being metadata/saml20-idp-hosted.php.

And of course, you can implement your own authproc filters in a separate module, so you don't need to mess with SSP's codebase. Then you just need to prefix the name of the filter with the name of the module, the same as it is done with every other filter.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
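To make the answer concrete, here is an added example of the kind of IdP-side authproc filter Jaime describes. It is not code from this thread or from SimpleSAMLphp itself: the module name `secretquestion`, the attribute name `secretQuestion`, the state key names and the `question.php` page are all assumptions, and it follows the SimpleSAMLphp 1.x class naming (`sspmod_<module>_Auth_Process_<Name>`) that was current in 2015. The filter is registered in `metadata/saml20-idp-hosted.php` rather than in any SP's metadata, so it runs for every authentication the IdP performs, including a direct login at the IdP.

```php
<?php
// Added example, not code from the thread or from SimpleSAMLphp.
// File: modules/secretquestion/lib/Auth/Process/SecretQuestion.php (hypothetical module).
//
// Enabled for the hosted IdP in metadata/saml20-idp-hosted.php (assumed priority 50,
// i.e. after the authsource has verified the password but before attributes are released):
//
//     'authproc' => array(
//         50 => array(
//             'class'     => 'secretquestion:SecretQuestion',
//             'attribute' => 'secretQuestion',   // user attribute carrying the question
//         ),
//     ),

class sspmod_secretquestion_Auth_Process_SecretQuestion extends SimpleSAML_Auth_ProcessingFilter
{
    /** Name of the user attribute that holds the secret question (absent = no question set). */
    private $attribute = 'secretQuestion';

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        assert('is_array($config)');
        if (isset($config['attribute'])) {
            $this->attribute = (string) $config['attribute'];
        }
    }

    /**
     * Runs once the authsource has accepted username/password.
     * Users without a secret question pass straight through; everyone else is
     * redirected to the module's question page and the processing chain is suspended.
     */
    public function process(&$state)
    {
        assert('is_array($state)');
        assert('array_key_exists("Attributes", $state)');

        // No secret question configured for this user: fall back to plain
        // username/password, which is the behaviour the original post asks for.
        if (empty($state['Attributes'][$this->attribute][0])) {
            return;
        }

        // Keep the question in the state for the prompt page, and strip it from the
        // attributes so it is never released to an SP.
        $state['secretquestion:question'] = $state['Attributes'][$this->attribute][0];
        unset($state['Attributes'][$this->attribute]);

        // Suspend the chain: persist the state and redirect to the module page.
        // That page (assumed: modules/secretquestion/www/question.php) must call
        //   $state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'secretquestion:request');
        // verify the answer server-side against the user's stored (hashed) answer, and only then
        //   SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
        // A wrong answer must re-prompt or abort; it must never call resumeProcessing().
        $id  = SimpleSAML_Auth_State::saveState($state, 'secretquestion:request');
        $url = SimpleSAML_Module::getModuleURL('secretquestion/question.php');
        // On SimpleSAMLphp 1.13 use SimpleSAML_Utilities::redirectTrustedURL() instead.
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
    }
}
```

The important property is where the check lives: because the filter is attached to the hosted IdP metadata and `resumeProcessing()` is only reached after the answer is verified, an attacker holding just the password cannot complete authentication at the IdP and then walk into the SPs, which is the gap the original post describes. Per-SP filters in `saml20-sp-remote.php` would only cover that one SP.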
