Simplesaml IDP - multifactor user choice


Sebastiaan Veldhuisen

Nov 9, 2021, 3:33:45 AM11/9/21
to SimpleSAMLphp
Hi All,

A short introduction. I'm the owner of IDFocus and we are specialised in Identity, Access and Security Management (mostly based on the Micro Focus product portfolio, i.e. Access Manager). We are very familiar with federated identity management, but rather novice on SimpleSAMLphp.

We are evaluating SimpleSAMLphp (among other software solutions) to be part of our turn-key IAM solution as an IDP. I have the business case that I would like to let the IDP prompt for a user choice regarding a second factor authentication. That prompting should be flexible, i.e.:

1) Depending on the User attributes that are available (my authentication source is a Directory Service via the LDAP protocol), a list of second factor options should be presented to the user, so the user can choose the preferred method.

2) Depending on the target SP (and option 1 taken into account as well) a second factor could be optional. If the second factor for a specified SP is mandatory, a list of second factor options should be presented to the user, so the user can choose the preferred method.

As a Proof of Concept I have developed several second factor modules (TOTP, SMS and YubiKey) as Authentication Processing Filters. This gives me the flexibility to specify different second factor methods per SP. Each module currently has a skip parameter so a user can skip to a different second factor method if that suits the user. I have also customised the LDAP Authentication Source so that it better handles NetIQ eDirectory LDAP status code (intruder lockout, password expired etc.).

The current skip parameter setup is from an end-user perspective not ideal. It would be better if a user can just select the preferred second factor initially after username/password from a pick list in the UI. The remaining puzzle for me is how do I prompt and make the orchestration of the available Authentication Processing Filters more dynamic? Is my current approach with the second factors as Authentication Processing Filters the way to go? Or should I merge all Authentication Processing Filters into one Authentication Source? If so, how can I differ between multiple second factors per SP when combining methods inside a single Authentication Source?

If anybody can give me some guidance on the right approach for this use case I would be very grateful. Me and my company are perfectly fine to contribute to the SimpleSAMLphp project.

Kind regards,

Sebastiaan Veldhuisen


Dubravko Penezic

Nov 9, 2021, 3:43:37 AM11/9/21
to simple...@googlegroups.com
Hi Sebastian,

Short answer to your question will be:
It is up to your environment and your needs.

For example, I use the SP approach, so MFA is set per SP, and all
information is in metadata files, so it is easily available through the SSP
working process for additional configuration, settings or decisions.

Regards
Dubravko Penezic
AAI@EduHr

Tim van Dijen

Nov 9, 2021, 4:55:25 AM11/9/21
to SimpleSAMLphp
Hi Sebastiaan,

I think it's very hard to gain the amount of flexibility you're after with SimpleSAMLphp and authproc-filters. There are however other products around that may be of interest for you.
Perhaps you can take a look at https://github.com/OpenConext/Stepup-deploy and the other Stepup-packages that go along. It integrates with SimpleSAMLphp using this module: https://github.com/OpenConextApps/simplesamlphp-module-stepupsfo

Basically what it does is to provide you with a self-service and management portal where people can register their second factor, and admins can activate/deactivate them. What second factors are available for a user is configurable based on their organization (= attribute based).
It comes with out-of-the-box support for SMS, Yubikey, FIDO2, Azure MFA, and a generic interface to add your custom second factors (all you need is a SAML IDP that takes care of that second factor, and that's where a SimpleSAMLphp IDP + a custom auth module has proven to come in very handy!).
It does come with a somewhat steep learning curve, but support through mailing lists and Slack is great!

Another alternative you could check out is PrivacyIdea (https://www.privacyidea.org). It's basically the same as OpenConext Stepup, but has even more possibilities for i.e. MFA-authentication on hardware devices, servers, etc. I guess it all depends on your use cases.


> If anybody can give me some guidance on the right approach for this use case I would be very grateful. Me and my company are perfectly fine to contribute to the SimpleSAMLphp project.

You could start with the customizations made to the ldap-module ;-)

Cheers!

- Tim

Sebastiaan Veldhuisen

Nov 9, 2021, 6:20:08 AM11/9/21
to SimpleSAMLphp
Hi Dubravko,

I do have MFA enforced per SP (through different auth procs), but the overall question is: how do I let a user choose an MFA method if multiple options are available for that SP?

Cheers!

Sebastiaan

Sebastiaan Veldhuisen

Nov 9, 2021, 6:26:24 AM11/9/21
to SimpleSAMLphp
Hi Tim,

Thanks for your input, I appreciate it. It is a rather complex requirement which I'm used to supporting with NetIQ Access Manager and Advanced Authentication (also called step-up Authentication).

I did know about OpenConext, but I did not know that all sources were available, thanks! I'm not sure this suits us well as we want to have it KISS.

So if I understand you correctly from a simpleSAMLphp perspective a combination of multiple authentication sources would be the best approach (without using OpenConext)?

Tim van Dijen

Nov 9, 2021, 6:42:31 AM11/9/21
to SimpleSAMLphp
Ugh, are people still using NetIQ Access Manager? Please set it on fire!! Nothing good ever came from that :-/

Anyway, OpenConext Stepup can be relatively KISS if you are familiar with Ansible deployments.
But yeah, if you want to do this in SimpleSAMLphp, you have to either deal with authsources & authproc-filters, or create your own fancy authentication module that takes care of all your needs.

- Tim

On Tuesday, 9 November 2021 at 12:26:24 UTC+1, sebastiaan...@gmail.com wrote:
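One way to get the "pick list after username/password" Sebastiaan asks for while staying inside the authsources-and-authproc-filters route Tim describes, as an added example that is neither code from this thread nor part of the SimpleSAMLphp project: a filter placed before the per-factor filters that intersects what the SP's metadata allows (filter config) with what the user is enrolled for (attributes), and only redirects to a chooser page when more than one factor remains. The module name `mfachoice`, the config key `factors`, the attribute names, the state keys `mfachoice:selected` / `mfachoice:available` and the SSP 1.x static `Utils\HTTP` API are assumptions.

```php
<?php
// Added example (not from this thread or from SimpleSAMLphp itself).
// Assumed module "mfachoice"; SSP 1.x static Utils\HTTP API assumed.
namespace SimpleSAML\Module\mfachoice\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Auth\State;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;

class Select extends ProcessingFilter
{
    /** @var array<string,string> factor => attribute the user must have to use it */
    private $factors = [];

    public function __construct(&$config, $reserved)
    {
        parent::__construct($config, $reserved);
        // Per-SP policy lives in that SP's metadata 'authproc' entry, e.g.
        // ['class' => 'mfachoice:Select',
        //  'factors' => ['totp' => 'totpSecret', 'sms' => 'mobile', 'yubikey' => 'yubiKeyId']]
        // The key 'factors' and the attribute names are assumptions for this example.
        $this->factors = $config['factors'] ?? [];
    }

    public function process(&$state): void
    {
        $attrs = $state['Attributes'] ?? [];
        $available = [];
        foreach ($this->factors as $factor => $attr) {
            if (!empty($attrs[$attr])) {        // user is enrolled for this factor
                $available[] = $factor;
            }
        }

        if (count($available) <= 1) {
            // Nothing to ask: zero or one usable factor. Downstream per-factor
            // filters read this key; what to do when it is null is a per-SP policy.
            $state['mfachoice:selected'] = $available[0] ?? null;
            return;
        }

        // Several usable factors: park the state and hand over to a chooser page,
        // which must validate the choice against this list before resuming the chain.
        $state['mfachoice:available'] = $available;
        $id = State::saveState($state, 'mfachoice:select');
        HTTP::redirectTrustedURL(Module::getModuleURL('mfachoice/select.php'), ['StateId' => $id]);
    }
}
```

The chooser page (not shown) loads the state with `State::loadState($_REQUEST['StateId'], 'mfachoice:select')`, accepts only a value present in `$state['mfachoice:available']` so a user cannot select a factor they are not enrolled for, sets `$state['mfachoice:selected']` and calls `ProcessingChain::resumeProcessing($state)`; the existing per-factor filters then act only when their own name matches the selection.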

Dubravko Penezic

Nov 9, 2021, 6:47:48 AM11/9/21
to simple...@googlegroups.com

Sebastiaan Veldhuisen

Nov 11, 2021, 3:40:03 AM11/11/21
to SimpleSAMLphp
Hi Tim,

On Tuesday, November 9, 2021 at 12:42:31 PM UTC+1 tvd...@gmail.com wrote:
> Ugh, are people still using NetIQ Access Manager? Please set it on fire!! Nothing good ever came from that :-/

That is quite a bold statement. Every product has its own pros and cons: I know a lot of really big companies that use it for good reasons. It has some unique features compared to other solutions (SimpleSAMLphp included).

> Anyway, OpenConext Stepup can be relatively KISS if you are familiar with Ansible deployments.
> But yeah, if you want to do this in SimpleSAMLphp, you have to either deal with authsources & authproc-filters, or create your own fancy authentication module that takes care of all your needs.

Yeah, that is what I thought as well. It would be really nice if SimpleSAMLphp would have native support for step-up authentication and/or choosing an auth proc. I found a thesis @ step-up for simpleSAMLphp:


Source files are included. Maybe this is useful as a general product enhancement.

Sebastiaan Veldhuisen

Nov 11, 2021, 3:41:20 AM11/11/21
to SimpleSAMLphp
Hi Dubravko,

Thanks for your input. I'll take a look at the consent module for some inspiration.

Regards,

Sebastiaan

Peter Schober

Nov 11, 2021, 8:51:16 AM11/11/21
to SimpleSAMLphp
* Sebastiaan Veldhuisen <sebastiaan...@gmail.com> [2021-11-11 09:41]:
> Thanks for your input. I'll take a look at the consent module for some
> inspiration.

Though consent is triggered after authn whereas you'd need to hook
into some code (and render UI and then return/continue the flow) before
authn even happens.
Quite possible that SSP does not currently have the integration points
to do that.

-peter