Hey everyone,

I have successfully gotten Shibboleth to work with my Banner services thanks to everyone here. Next up, MFA. Now, I have successfully gotten that to work as well, with Duo.

However, we are looking into using Google Authenticator. I found this plugin: https://github.com/korteke/Shibboleth-IdP3-TOTP-Auth

The plugin says it's for 3.2.x but I'm running 3.4.3, not sure if that makes a difference.

I tried using it, and it is in no way the same polish as the Duo plugin. Not sure end users would be happy "registering a token?".

Anyhow, that being said, I can't get it to work. I still set my authn.flows to MFA, replaced Duo with the Totp, and then did the rest of the instructions.

When I log in, I have to log in twice. Then after that, it brings me to a Token screen, where I can hit register new token. I click that. Then I'm getting:

Web Login Service - Uncaught Exception
A software error was encountered that prevents normal operation:

$encoder.encodeForHTML($flowExecutionException.getCause().toString())

Please report this problem to your Help Desk or administrative staff. It has also been logged for an administrator to review.

In my logs I see:

shib-idp;idp-process.log;dev;nothing;2019-02-15 15:08:49,286 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:76] -
shib-idp;idp-process.log;dev;nothing;org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
shib-idp;idp-process.log;dev;nothing; at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
shib-idp;idp-process.log;dev;nothing;Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
shib-idp;idp-process.log;dev;nothing; at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:08:49,286 - ERROR [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException:76] -
shib-idp;idp-warn.log;dev;nothing;org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.
shib-idp;idp-warn.log;dev;nothing; at org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.getConversation(AbstractFlowExecutionRepository.java:172)
shib-idp;idp-warn.log;dev;nothing;Caused by: org.springframework.webflow.conversation.NoSuchConversationException: No conversation could be found with id '1' -- perhaps this conversation has ended?
shib-idp;idp-warn.log;dev;nothing; at org.springframework.webflow.conversation.impl.ConversationContainer.getConversation(ConversationContainer.java:126)
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:08:49,288 - WARN [net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'; model is {exception=org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows., request=org.apache.catalina.connector.RequestFacade@4f585d82, encoder=class net.shibboleth.utilities.java.support.codec.HTMLEncoder, springContext=Root WebApplicationContext: startup date [Fri Feb 15 14:59:47 UTC 2019]; root of context hierarchy}
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:08:49,288 - WARN [net.shibboleth.ext.spring.error.ExtendedMappingExceptionResolver:136] - Resolved [org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows.] to ModelAndView: reference to view with name 'error'; model is {exception=org.springframework.webflow.execution.repository.NoSuchFlowExecutionException: No flow execution could be found with key 'e1s3' -- perhaps this executing flow has ended or expired? This could happen if your users are relying on browser history (typically via the back button) that references ended flows., request=org.apache.catalina.connector.RequestFacade@4f585d82, encoder=class net.shibboleth.utilities.java.support.codec.HTMLEncoder, springContext=Root WebApplicationContext: startup date [Fri Feb 15 14:59:47 UTC 2019]; root of context hierarchy}
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:08:58,333 - WARN [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - Operation exception encountered, reopening connection
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:08:58,333 - WARN [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - Operation exception encountered, reopening connection
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:08:58,377 - WARN [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - Operation exception encountered, reopening connection
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:08:58,377 - WARN [org.ldaptive.AbstractOperation$ReopenOperationExceptionHandler:277] - Operation exception encountered, reopening connection
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:08:58,418 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'melvin.lasky' succeeded
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:09:01,217 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'melvin.lasky' succeeded
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:09:02,414 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
shib-idp;idp-process.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[proceed] -- likely programmer error, check the set of TransitionCriteria for this state
shib-idp;idp-process.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:09:02,414 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
shib-idp;idp-warn.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[proceed] -- likely programmer error, check the set of TransitionCriteria for this state
shib-idp;idp-warn.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:09:02,419 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
shib-idp;idp-warn.log;dev;nothing;2019-02-15 15:09:02,419 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
shib-idp;idp-audit.log;dev;nothing;20190215T150902Z||||https://www.apereo.org/cas/protocol/login|||||||||
shib-idp;idp-process.log;dev;nothing;2019-02-15 15:09:02,434 - INFO [Shibboleth-Audit.SSO:275] - 20190215T150902Z||||https://www.apereo.org/cas/protocol/login|||||||||

Any suggestions would be awesome! You guys are great!

Melvin Lasky
Associate Director of Enterprise Architecture

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
> The plugin says it's for 3.2.x but I'm running 3.4.3 not sure if that makes a
> difference.

https://wiki.shibboleth.net/confluence/display/DEV/Java+Product+Version+Policy

> I tried using it, and, it is no way the same polish as the Duo plugin. Not sure
> end users would be happy "registering a token?".

You have to register tokens with Duo also. The reason we haven't bothered providing alternative implementations is that doing them requires providing a full system for managing the tokens and the registration UI, and given the almost total monopoly Duo has, it hasn't seemed to be something worth doing. If members ask for the feature I'm sure we would consider it.

> Any suggestions would be awesome! You guys are great!

The error means their flow definition is just broken. It wouldn't work on any release; it's a bug internal to the webflow they wrote. It's not handling an event their code is signaling and providing a transition rule to follow in response to it.

-- Scott
On Fri, Feb 15, 2019 at 11:22 AM Cantor, Scott <[hidden email]> wrote:

> > I tried using it, and, it is no way the same polish as the Duo plugin. Not sure
> > end users would be happy "registering a token?".
>
> You have to register tokens with Duo also. The reason we haven't bothered providing alternative implementations is that doing them requires providing a full system for managing the tokens and the registration UI, and given the almost total monopoly Duo has, it hasn't seemed to be something worth doing.

Are you referring to OATH TOTP? That's the less interesting part of Duo's implementation as you know. Duo pretty much invented push authentication, which everyone copied, and so there are lots of choices out there.

> If members ask for the feature I'm sure we would consider it.

Out of curiosity, are members asking about W3C WebAuthn? [1] That's where the authentication space seems to be headed at the moment.

Melvin, sorry for hijacking your thread. You didn't say why you're considering Google Authenticator in lieu of Duo but you probably want to avoid that if you can. Google Authenticator has hidden costs (as you're finding out).

Tom

[1] W3C Web Authentication https://www.w3.org/TR/webauthn/
In reply to this post by melvin.lasky
Hi Melvin,

We have made an instruction to make that plugin work on 3.3/3.4, though it is written in Japanese.

https://meatwiki.nii.ac.jp/confluence/x/mRK_AQ

I hope this will help you.

Takeshi

> 2019/02/16 0:11, Melvin Lasky <[hidden email]> wrote:
>
> Hey everyone,
> I have successfully gotten Shibboleth to work with my Banner services thanks to everyone here. Next up, MFA. Now, I have successfully gotten that to work as well, with Duo.
>
> However, we are looking into using Google Authenticator. I found this plugin: https://github.com/korteke/Shibboleth-IdP3-TOTP-Auth
>
> The plugin says it's for 3.2.x but I'm running 3.4.3 not sure if that makes a difference.
>
> I tried using it, and, it is no way the same polish as the Duo plugin. Not sure end users would be happy "registering a token?".
>
> Anyhow, that being said, I can't get it to work. I still set my authn.flows to MFA, and replaced Duo with the Totp, and then did the rest of the instructions.
>
> When I log in, I have to log in twice. Then after that, it brings me to a Token screen, where I can hit register new token. I click that. Then I'm getting:
>
> Web Login Service - Uncaught Exception
> A software error was encountered that prevents normal operation:
>
> $encoder.encodeForHTML($flowExecutionException.getCause().toString())
>
> Please report this problem to your Help Desk or administrative staff. It has also been logged for an administrator to review.
>
> In my logs I see:
In reply to this post by Tom Scavo
> Are you referring to OATH TOTP? That's the less interesting part of Duo's
> implementation as you know. Duo pretty much invented push authentication,
> which everyone copied, and so there are lots of choices out there.

You still have to register tokens for push. Duo simply has a management process for doing that.

> Out of curiosity, are members asking about W3C WebAuthn? [1] That's where
> the authentication space seems to be headed at the moment.

No, for the same reason. WebAuthn is only usable once you register the token (the browser in this case) and have a lifecycle management story for listing them, revoking them, reporting on them, etc. That's the step that's missing from "just implement X". It's no different than any other certificate-like model. The hard work is the same no matter what the technology is.

-- Scott
In reply to this post by melvin.lasky
Hey,

Thanks Takeshi!!! I translated it using Google Translate and am giving it a go... But still running into issues. Getting this now:

shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,494 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
shib-idp;idp-process.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[RegisterToken, proceed] -- likely programmer error, check the set of TransitionCriteria for this state
shib-idp;idp-process.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
shib-idp;idp-warn.log;dev;nothing;2019-02-15 20:20:07,494 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
shib-idp;idp-warn.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[RegisterToken, proceed] -- likely programmer error, check the set of TransitionCriteria for this state
shib-idp;idp-warn.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,525 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
shib-idp;idp-warn.log;dev;nothing;2019-02-15 20:20:07,525 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
shib-idp;idp-audit.log;dev;nothing;20190215T202007Z||||https://www.apereo.org/cas/protocol/login|||||||||
shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,559 - INFO [Shibboleth-Audit.SSO:275] - 20190215T202007Z||||https://www.apereo.org/cas/protocol/login|||||||||

Any suggestions would be awesome!

------

Someone asked why we want to use Google Authenticator vs Duo - Cost $$$$$$$$. :-)

Mel

Melvin Lasky
Associate Director of Enterprise Architecture
On Fri, Feb 15, 2019 at 12:23 PM Melvin Lasky <[hidden email]> wrote:

Another option, if you want all sorts of other components, is LinOTP (and at least one derivative), which is free and open source: https://github.com/LinOTP/LinOTP. It's what we use, both because of cost (we do have a support contract with them, but it's still cheaper than Duo was quoting us), and because at the time, we had to meet some NIST 800-63-2 LoA 3 requirements, which we could accomplish with some tweaks to LinOTP (which Duo at the time could not meet).

There's an MFA flow-compatible Shibboleth module (https://github.com/cyber-simon/idp-auth-linotp), though it's possible that it is not 3.4-compatible. (At the very least, I know that my heavily modified version works with 3.3.1 but not with 3.4. I'm planning to simplify greatly and rewrite in the near future.)

We don't use the user self-service components, because they all seemed overly busy for our users, so we rewrote everything as a highly tailored front-end. They've got a reasonably complete API that makes all of that possible.

Greg
In reply to this post by melvin.lasky
Hi Mel,

What version are you using? I can't find any occurrence of "GenerateTokenSecrets" in my system.

Takeshi

> 2019/02/16 5:22, Melvin Lasky <[hidden email]> wrote:
>
> Hey,
> Thanks Takeshi!!! I translated it using Google translate and am giving it a go.... But still running into issues. Getting this now
>
> shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,494 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
> shib-idp;idp-process.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[RegisterToken, proceed] -- likely programmer error, check the set of TransitionCriteria for this state
> shib-idp;idp-process.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
> shib-idp;idp-warn.log;dev;nothing;2019-02-15 20:20:07,494 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
> shib-idp;idp-warn.log;dev;nothing;org.springframework.webflow.engine.NoMatchingTransitionException: No transition found on occurence of event 'GenerateTokenSecrets' in state 'DisplayTotpForm' of flow 'authn/Totp' -- valid transitional criteria are array<TransitionCriteria>[RegisterToken, proceed] -- likely programmer error, check the set of TransitionCriteria for this state
> shib-idp;idp-warn.log;dev;nothing; at org.springframework.webflow.engine.TransitionableState.getRequiredTransition(TransitionableState.java:93)
> shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,525 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
> shib-idp;idp-warn.log;dev;nothing;2019-02-15 20:20:07,525 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException
> shib-idp;idp-audit.log;dev;nothing;20190215T202007Z||||https://www.apereo.org/cas/protocol/login|||||||||
> shib-idp;idp-process.log;dev;nothing;2019-02-15 20:20:07,559 - INFO [Shibboleth-Audit.SSO:275] - 20190215T202007Z||||https://www.apereo.org/cas/protocol/login|||||||||
>
> Any suggestions would be awesome!
>
> ------
>
> Someone asked why we want to use Google Authenticator vs Duo - Cost $$$$$$$$. :-)
>
> Mel
>
> Melvin Lasky
> Associate Director of Enterprise Architecture
In reply to this post by Tom Scavo
On 15/02/2019 17:31, Tom Scavo wrote:

> On Fri, Feb 15, 2019 at 11:22 AM Cantor, Scott <[hidden email]>
> wrote:
>> You have to register tokens with Duo also. The reason we haven't
>> bothered providing alternative implementations is that doing them
>> requires providing a full system for managing the tokens and the
>> registration UI, and given the almost total monopoly Duo has, it
>> hasn't seemed to be something worth doing.
>
> Are you referring to OATH TOTP? That's the less interesting part of
> Duo's implementation as you know. Duo pretty much invented push
> authentication, which everyone copied, and so there are lots of
> choices out there.
>
>> If members ask for the feature I'm sure we would consider it.
>
> Out of curiosity, are members asking about W3C WebAuthn? [1] That's
> where the authentication space seems to be headed at the moment.

Speaking entirely personally here, I've been playing with TOTP and WebAuthn authentication flows in the past couple of weeks. The idea seems good, but as Scott points out, the main issue is that you need a usable means of registering the tokens in the first place. There may be a way to do that on a separate trusted site, although I suspect it would be hard to make that code sufficiently generic for widespread use.

I've not used Duo, but it seems to solve the registration problem pretty well, at the expense of an ongoing cost per user. It also didn't support U2F/WebAuthn, but apparently now has support for it.

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
In reply to this post by Cantor, Scott E.
On Fri, Feb 15, 2019 at 12:49 PM Cantor, Scott <[hidden email]> wrote:

> > Out of curiosity, are members asking about W3C WebAuthn? [1] That's where
> > the authentication space seems to be headed at the moment.
>
> No, for the same reason. WebAuthn is only usable once you register the token (the browser in this case) and have a lifecycle management story for listing them, revoking them, reporting on them, etc. That's the step that's missing from "just implement X". It's no different than any other certificate-like model. The hard work is the same no matter what the technology is.

Indeed. If you have to do the hard work in either case, it would be better to take one step forward (WebAuthn) instead of one step back (OTP). Just my two cents.

Tom
In reply to this post by Robert Bradley
On Sat, Feb 16, 2019 at 7:14 AM Robert Bradley <[hidden email]> wrote:

> I've not used Duo, but it seems to solve the registration problem pretty
> well, at the expense of an ongoing cost per user. It also didn't
> support U2F/Webauthn, but apparently now has support for it.

U2F is the predecessor of WebAuthn. To date, Duo has released a number of WebAuthn resources. I wouldn't be surprised if they're working on a FIDO2/WebAuthn software authenticator.

Tom
In reply to this post by Greg Haverkamp
On Fri, Feb 15, 2019 at 7:45 PM Greg Haverkamp <[hidden email]> wrote:

> at the time, we had to meet some NIST 800-63-2 LoA 3 requirements, which we could accomplish with some tweaks to LinOTP (which Duo at the time could not meet).

OTP is not resistant to verifier impersonation, so by itself it does not satisfy Authenticator Assurance Level 3 (as it's now called by NIST). Duo Push is not resistant to verifier impersonation either. Just saying.

Tom
In reply to this post by melvin.lasky
Hey,

Thanks Takeshi!

I just downloaded it from their website: totpauth-impl-0.5.1-bin.zip

What version are you using?

Thanks

Mel

Melvin Lasky
Associate Director of Enterprise Architecture
In reply to this post by Tom Scavo
On Sat, Feb 16, 2019 at 5:31 AM Tom Scavo <[hidden email]> wrote:

> On Fri, Feb 15, 2019 at 7:45 PM Greg Haverkamp <[hidden email]> wrote:

Alright. But I didn't say anything about 800-63-3, nor did I say anything about "by itself". (And, no, LoA 3 is not now called AAL3 if your requirement is specifically written as being 800-63-2.)

It's not terribly relevant to Shibboleth, anyway, as I had no requirement to claim Shibboleth (and all of the assertion-related stuff) at LoA 3. But I did have other systems that required authentication at LoA 3, and Duo was insufficient. Since I'm not a Duo customer, I haven't taken the time to figure out where Duo Push lands these days.

Greg
On Mon, Feb 18, 2019 at 1:23 PM Greg Haverkamp <[hidden email]> wrote:

> On Sat, Feb 16, 2019 at 5:31 AM Tom Scavo <[hidden email]> wrote:
>>
>> On Fri, Feb 15, 2019 at 7:45 PM Greg Haverkamp <[hidden email]> wrote:
>> >
>> > at the time, we had to meet some NIST 800-63-2 LoA 3 requirements, which we could accomplish with some tweaks to LinOTP (which Duo at the time could not meet).
>>
>> OTP is not resistant to verifier impersonation so by itself it does
>> not satisfy Authenticator Assurance Level 3 (as it's now called by
>> NIST). Duo Push is not resistant to verifier impersonation either.
>
> Alright. But I didn't say anything about 800-63-3, nor did I say anything about "by itself". (And, no, LoA 3 is not now called AAL3 if your requirement is specifically written as being 800-63-2.)

That is technically correct, but I didn't want a casual reader to come away from your comment thinking that OTP protects against all threats, because it does not. For example, password + OTP does not protect against an active man-in-the-middle, which puts the SSO session cookie at risk.

> It's not terribly relevant to Shibboleth, anyway, as I had no requirement to claim Shibboleth (and all of the assertion-related stuff) at LoA 3. But I did have other systems that required authentication at LoA 3, and Duo was insufficient. Since I'm not a Duo customer, I haven't taken the time to figure out where Duo Push lands these days.

Sure, but Duo is popular here, hence my earlier remark. For the archive, it turns out that Duo Push is only slightly better than OTP with respect to an active man-in-the-middle since the push app displays the location of the user. I doubt ANY push implementation does better than that (but I can't be sure since push authentication is proprietary).

Anyway, if I were in Melvin's shoes, and I couldn't afford Duo, yeah, I'd be looking for a stopgap too.

Tom
In reply to this post by melvin.lasky
Hi Mel,

How about the output of this command?

$ LANG=C find totpauth-impl-0.5.1 -type f -exec grep -H Generate {} \;
totpauth-impl-0.5.1/flows/authn/Totp/Totp-flow.xml:        <evaluate expression="GenerateNewToken" /> <!-- Generate new token -->
totpauth-impl-0.5.1/conf/authn/totp-authn-beans.xml:    <bean id="GenerateNewToken" class="net.kvak.shibboleth.totpauth.authn.impl.GenerateNewToken" scope="prototype"
Binary file totpauth-impl-0.5.1/edit-webapp/WEB-INF/lib/totpauth-impl-0.5.1.jar matches

Best regards,
Takeshi

On 2019/02/19 0:58, Melvin Lasky wrote:
> Hey,
> Thanks Takeshi!
>
> I just downloaded it from their website:
> totpauth-impl-0.5.1-bin.zip
>
> What version are you using?
>
> Thanks
>
> Mel
>
> *Melvin Lasky*
> /Associate Director of Enterprise Architecture/
>
> Riverdale, NY 10471
> Phone: 718-862-7410
> [hidden email] <mailto:[hidden email]>
> www.manhattan.edu <http://www.manhattan.edu/>
In reply to this post by Greg Haverkamp
On 16/02/2019 01.44, Greg Haverkamp wrote:

> Another option, if you want all sorts of other components, is LinOTP
> (and at least one derivative), which is free and open
> source: https://github.com/LinOTP/LinOTP.

Indeed, a "token backend" is a good idea to support multiple second factors. We use LinOTP's fork PrivacyIDEA over here, which we've integrated through its API with the IdP (to verify OTPs) and our account management webapp, so users can register tokens themselves. This allowed us to easily support SMS OTP* and we're about to roll out OATH TOTP as well with little additional effort (though our IdP flow is likely to start knowing about token types, which I'd prefer to avoid...).

I've already done the same kind of integration with RADIUS instead of PrivacyIDEA's HTTP API to verify OTPs with another "token backend".

Etienne

* Yeah, I know, SMS OTP isn't recommended any more, but it was the easiest for us to get started with.
In reply to this post by Takeshi NISHIMURA
Hi Takeshi,
Thanks for helping!

meltbmbp:totpauth melman101$ LANG=C find totpauth-impl-0.5.1 -type f -exec grep -H Generate {} \;
Binary file totpauth-impl-0.5.1/edit-webapp/WEB-INF/lib/totpauth-impl-0.5.1.jar matches
totpauth-impl-0.5.1/views/totp.vm:        <br><br><button type="submit" name="registerToken" formaction="$flowExecutionUrl&_eventId=GenerateTokenSecrets">Register a new Token</button>
totpauth-impl-0.5.1/conf/authn/totp-authn-beans.xml:    <bean id="GenerateNewToken" class="net.kvak.shibboleth.totpauth.authn.impl.GenerateNewToken" scope="prototype"
totpauth-impl-0.5.1/flows/authn/Totp/Totp-flow.xml:    <action-state id="GenerateTokenSecrets">
totpauth-impl-0.5.1/flows/authn/Totp/Totp-flow.xml:        <evaluate expression="GenerateNewToken" />

Mel

Melvin Lasky
Associate Director of Enterprise Architecture
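The diagnosis in this thread (Scott's point that the flow is not handling an event the plugin's own code signals, and Mel's grep showing totp.vm submitting `_eventId=GenerateTokenSecrets` while the DisplayTotpForm state only lists `proceed` / `RegisterToken` as valid transitions) can be checked mechanically before deploying a third-party authn flow. The script below is an added example, not part of the thread and not code from the korteke plugin or from Shibboleth: it parses a constructed, deliberately simplified Totp-flow.xml and totp.vm modelled on the fragments quoted above, lists every event the view can raise, and reports those for which the view-state has no `<transition on="...">`. The same check is then run against a copy of the flow where a transition to the GenerateTokenSecrets action-state has been added, which is the kind of fix Scott's explanation points to. Everything beyond the quoted identifiers (the surrounding flow structure, the ValidateToken state, the form markup) is an assumption made for the example.

```python
"""Cross-check a Spring Web Flow definition against the events its view can submit.

Added example for the Shibboleth IdP TOTP thread. The flow XML and Velocity
template below are CONSTRUCTED for the example and only echo the identifiers
quoted in the thread (DisplayTotpForm, GenerateTokenSecrets, GenerateNewToken,
proceed); they are not the plugin's real files.
"""
import re
import xml.etree.ElementTree as ET

WEBFLOW_NS = "{http://www.springframework.org/schema/webflow}"

# Constructed flow: the view-state only handles 'proceed', while an action-state
# named GenerateTokenSecrets exists that nothing transitions to. This reproduces
# the NoMatchingTransitionException shape seen in the thread's logs.
BROKEN_FLOW = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <view-state id="DisplayTotpForm" view="totp">
    <transition on="proceed" to="ValidateToken" />
  </view-state>
  <action-state id="GenerateTokenSecrets">
    <evaluate expression="GenerateNewToken" />
    <transition on="proceed" to="DisplayTotpForm" />
  </action-state>
  <action-state id="ValidateToken">
    <evaluate expression="ValidateToken" />
  </action-state>
</flow>
"""

# Constructed fix: give the view-state a rule for the event the view raises.
FIXED_FLOW = BROKEN_FLOW.replace(
    '<transition on="proceed" to="ValidateToken" />',
    '<transition on="proceed" to="ValidateToken" />\n'
    '    <transition on="GenerateTokenSecrets" to="GenerateTokenSecrets" />',
)

# Constructed Velocity view mirroring the button quoted from totp.vm.
VIEW_TEMPLATE = """
<form action="$flowExecutionUrl" method="post">
  <input type="text" name="token" />
  <button type="submit" name="_eventId_proceed">Verify</button>
  <button type="submit" name="registerToken"
          formaction="$flowExecutionUrl&_eventId=GenerateTokenSecrets">Register a new Token</button>
</form>
"""


def events_submitted_by_view(template):
    """Collect the event ids a view can raise.

    Spring Web Flow reads the event either from an '_eventId=<x>' request
    parameter (used here in a formaction URL) or from a submit button named
    '_eventId_<x>'. Both spellings are gathered.
    """
    events = set(re.findall(r"_eventId=([A-Za-z0-9_]+)", template))
    events |= set(re.findall(r'name="_eventId_([A-Za-z0-9_]+)"', template))
    return events


def transitions_by_state(flow_xml):
    """Map state id -> {event: target state} for every state in the flow."""
    root = ET.fromstring(flow_xml)
    states = {}
    for state in root:
        transitions = state.findall(WEBFLOW_NS + "transition")
        states[state.get("id")] = {t.get("on"): t.get("to") for t in transitions}
    return states


def unhandled_events(flow_xml, view_state_id, template):
    """Return (events the view raises but the state does not handle,
    transitions whose target state does not exist in the flow)."""
    states = transitions_by_state(flow_xml)
    handled = states[view_state_id]
    missing = sorted(events_submitted_by_view(template) - set(handled))
    dangling = {on: to for on, to in handled.items() if to not in states}
    return missing, dangling


if __name__ == "__main__":
    for label, flow in (("broken", BROKEN_FLOW), ("fixed", FIXED_FLOW)):
        missing, dangling = unhandled_events(flow, "DisplayTotpForm", VIEW_TEMPLATE)
        print(label, "unhandled events:", missing or "none",
              "| dangling targets:", dangling or "none")
```

Run against the broken flow the script reports `GenerateTokenSecrets` as unhandled in DisplayTotpForm, which is exactly what the `NoMatchingTransitionException` in the logs says at runtime; against the fixed copy it reports nothing. Pointing the two parsers at an unpacked plugin's own `flows/authn/.../*-flow.xml` and `views/*.vm` turns the same check into a pre-deployment test for any contributed authn flow.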