Hi Salvo,
Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
http://privacyidea.readthedocs.io/en/latest/modules/api.html
Roughly:
1. verify username and password
2. issue GET /token/ as this very user
-> you will see the list of assigned tokens
3. Show these tokens in a dropdown box
4. If SMS type trigger SMS by /validate/check
5. Ask the user to enter OTP.
But if you have any other application/frontend, this will be
challenging.
Kind regards
Cornelius
On Thursday, 16.06.2016, 01:56 -0700, jmdeking wrote:
Hi there,
What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, I presume using
RADIUS?
Please elaborate some more as to how you want to implement this.
Johan.
On Thursday, 16 June 2016 10:15:40 UTC+2, Salvo Rapisarda wrote:
Hi,
we have a specific case to propose.
We need to have two tokens per user, within the same realm:
SMS and TOTP.
We would like to make sure that the authentication process
takes place through the following steps:
1. The user enters the username and password
2. The user specifies the token type to use
3. The user enters the OTP received via SMS or generated
via TOTP
How can we do it?
Thanks,
Salvo.
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY: privacyIDEA Support Level (https://netknights.it/en/leistungen/service-level-agreements/)
Hi Cornelius,
Currently we have our web application that uses the API to authenticate users
via SSO using SAMLv2.
A user has only one token of type SMS.
When the auth process starts:
1. User & pass are validated via /validate/samlcheck
2. We get a transaction_id and then the user enters the OTP number received via
SMS
3. Next, another /validate/samlcheck is done, adding pass="OTP
number" and the transaction_id received in the previous step.
Now we want to give the user the option to choose the OTP method (SMS or TOTP).
To do that we have set up a user with two tokens.
But when we do the first call to /validate/samlcheck, it returns an error
because this is not supported (multiple tokens).
As we wrote in the first post, we want the user to:
1. Enter the username and password
2. View the assigned tokens and choose which method to use
3. Insert the OTP code based on the choice
4. Authenticate correctly
Thank you
Salvo
On Thursday, 16 June 2016 11:01:07 UTC+2, Cornelius Kölbel wrote:
You received this message because you are subscribed to the Google
Groups "privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
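The two-step exchange Salvo describes above (first call returns a transaction_id, second call echoes it with the OTP, and the first call fails as soon as the user owns two tokens), together with the selection flow Cornelius sketches above (list the user's tokens, let the user pick one, trigger /validate/check for that token), as an added runnable example. This is not code from the thread or from the privacyIDEA project: it is a small client plus a constructed in-memory stand-in for the three endpoints it uses (/auth, /token/, /validate/check). Everything in the stand-in is invented for the demo: the user salvo with userstore password Secret123, the serials PISM0001 (SMS) and TOTP0002, the TOTP secret, the jwt: bearer-token format and the error texts. The stand-in assumes otppin=userstore, so both tokens accept the same PIN; that is what makes a user-based challenge request ambiguous, whereas selecting by serial leaves the server exactly one token to challenge, and the SMS is generated only once that serial is known. /validate/check is used instead of /validate/samlcheck; the transaction_id handshake is assumed to be the same for both, only the user attributes the SAML variant adds are left out.

```python
import hashlib, hmac, secrets, struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; used by the fake server and the client's 'authenticator app'."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakePrivacyIdea:
    """Constructed stand-in for /auth, /token/ and /validate/check. Assumes otppin=userstore,
    so the userstore password is the PIN of every token the user owns."""

    def __init__(self, now: int):
        self.now = now                                      # frozen clock for TOTP
        self.users = {"salvo": "Secret123"}                 # constructed userstore
        self.tokens = {                                     # constructed tokens, both owned by salvo
            "PISM0001": {"tokentype": "sms", "user": "salvo"},
            "TOTP0002": {"tokentype": "totp", "user": "salvo", "secret": b"\x01" * 20},
        }
        self.challenges = {}                                # transaction_id -> serial (single use)
        self.sent_sms = {}                                  # serial -> OTP the fake SMS gateway "sent"

    def auth(self, username, password):
        """POST /auth: hands out a bearer token for the user."""
        if self.users.get(username) != password:
            return {"result": {"status": False, "value": None}}
        return {"result": {"status": True, "value": {"token": "jwt:" + username, "role": "user"}}}

    def list_tokens(self, jwt):
        """GET /token/ as the user: that user's tokens only, and never their secrets."""
        user = jwt.split(":", 1)[1]
        mine = [{"serial": s, "tokentype": t["tokentype"], "active": True}
                for s, t in self.tokens.items() if t["user"] == user]
        return {"result": {"status": True, "value": {"tokens": mine, "count": len(mine)}}}

    def _expected_otp(self, serial):
        tok = self.tokens[serial]
        return totp(tok["secret"], self.now) if tok["tokentype"] == "totp" else self.sent_sms.get(serial)

    def _error(self, message):
        return {"result": {"status": False, "value": False, "error": {"message": message}}}

    def validate_check(self, params):
        """POST /validate/check: without transaction_id, select a token and create its challenge;
        with transaction_id, answer that challenge."""
        if "transaction_id" in params:
            serial = self.challenges.pop(params["transaction_id"], None)
            expected = self._expected_otp(serial) if serial else None
            ok = expected is not None and hmac.compare_digest(params.get("pass", ""), expected)
            return {"result": {"status": True, "value": ok}}
        if "serial" in params:                              # selection by serial: at most one candidate
            candidates = [params["serial"]] if params["serial"] in self.tokens else []
        else:                                               # selection by user: every token of the user
            candidates = [s for s, t in self.tokens.items() if t["user"] == params.get("user")]
        matching = [s for s in candidates if self.users[self.tokens[s]["user"]] == params.get("pass")]
        if len(matching) > 1:                               # the failure the first post ran into
            return self._error("more than one challenge-response token matches this PIN")
        if not matching:
            return self._error("wrong PIN or unknown token")
        serial, tid = matching[0], secrets.token_hex(8)
        self.challenges[tid] = serial
        if self.tokens[serial]["tokentype"] == "sms":       # the SMS goes out only now, for this serial
            self.sent_sms[serial] = str(secrets.randbelow(10 ** 6)).zfill(6)
        return {"result": {"status": True, "value": False},
                "detail": {"transaction_id": tid, "serial": serial, "message": "please enter the OTP"}}


def login_with_selected_token(server, username, password, choose, answer):
    """Client side of the flow sketched in the thread: verify the password, list the user's tokens,
    let the user pick ONE serial, trigger the challenge for exactly that serial, then answer it.
    choose(tokens) -> serial stands in for the dropdown, answer(serial) -> otp for the OTP prompt."""
    r = server.auth(username, password)
    if not r["result"]["status"]:
        return False, "wrong username or password"
    tokens = server.list_tokens(r["result"]["value"]["token"])["result"]["value"]["tokens"]
    serial = choose(tokens)
    r = server.validate_check({"serial": serial, "pass": password})
    if not r["result"]["status"]:
        return False, r["result"]["error"]["message"]
    r = server.validate_check({"serial": serial, "transaction_id": r["detail"]["transaction_id"],
                               "pass": answer(serial)})
    return bool(r["result"]["value"]), serial


def demo(now: int = 1_700_000_000):
    """Returns (ambiguous_request_accepted, sms_login_ok, totp_login_ok)."""
    srv = FakePrivacyIdea(now)
    ambiguous = srv.validate_check({"user": "salvo", "pass": "Secret123"})   # no serial: rejected
    sms_ok, _ = login_with_selected_token(
        srv, "salvo", "Secret123",
        choose=lambda toks: next(t["serial"] for t in toks if t["tokentype"] == "sms"),
        answer=lambda serial: srv.sent_sms[serial])                           # user reads the SMS
    totp_ok, _ = login_with_selected_token(
        srv, "salvo", "Secret123", choose=lambda toks: "TOTP0002",
        answer=lambda serial: totp(b"\x01" * 20, now))                        # user's authenticator app
    return ambiguous["result"]["status"], sms_ok, totp_ok
```

demo() returns (False, True, True): the user-based challenge request is refused because two tokens match the PIN, while both serial-based logins succeed. Two properties of the flow are worth checking in any real implementation: a challenge is bound to one serial and consumed on first use, so an OTP for the TOTP token cannot answer the SMS challenge and a transaction_id cannot be replayed; and because the SMS is generated only after the serial is known, picking TOTP never triggers an SMS, which is what removes the need to postpone the sending that Daniele's two-challenge idea would require.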
Hi Salvo,
you are probably using otppin=userstore.
The problem is that two tokens with challenge response are not
supported at the moment. If the user has two tokens and one is a
challenge response token, the tokens need different OTP PINs.
If you are using the same OTP PINs or the userstore password, privacyIDEA
does not know which token should create the challenge.
I thought your first authentication with the password was not issued
against privacyIDEA but against e.g. your LDAP.
Kind regards
Cornelius
On Friday, 17.06.2016, 03:57 -0700, Salvo Rapisarda wrote:
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing director: Cornelius Kölbel
you are right. At the moment the SMS or email is sent when a challenge
is created.
create_challenge is called after the loop realizes that the
authentication request is a challenge request. This happens here:
If you want to postpone the sending of the challenge, you need to add
another API call.
And this would still not be flexible enough. What should happen if the
user had two SMS tokens?
What about this:
Let the user select his token, not the token type!
If the user selects the token then you can create a challenge especially
for this very token. If you are doing /validate/check?serial=xxxx
then the check_token_list function is only entered with a single token.
What if we create a challenge for every user token (two in this case)?
When the user authenticates via username & password in the first step,
two challenges are created (TOTP or SMS), then the user selects the token
type, and finally when the user inserts the OTP, it is checked against the
correct challenge.
Obviously, there is a problem: the sending of the SMS with the OTP needs
to be postponed until the user's choice.
Daniele
On Friday, 17 June 2016 21:22:55 UTC+2, Cornelius Kölbel wrote:
Salvo's workflow could be done with the current privacyIDEA API.
But then you would have to heavily improve the simpleSAML plugin.
Use the API to retrieve a list of the user's tokens,
either with the user's credentials or with a service account's credentials.
The user could select the token.
Then the API request could be triggered with the serial number, not the
username.
Kind regards
Cornelius
On Monday, 12.09.2016, 11:58 -0700, Christoph Kreutzer wrote:
Hi Salvo,
your description sounds totally like what I was thinking of!
If I understand correctly, you use the simpleSAMLphp plugin? Have you
made any efforts on this? Maybe we could integrate this in the plugin
maintained by Cornelius (as a PR) or branch it? I am interested to
contribute, too.
I’m currently using simpleSAMLphp and authtfaga, but I would like to
replace that with a more complete and versatile solution.
Best regards,
Christoph
Why would you want to do this?
The user can choose which challenge/response token he wants to use by just using the token.
Why should he click “I will use my email” in the first place?
If the email is compromised, the attacker will in fact choose “please use email”.
So the right move is to actually disable the email token.
I definitely agree with you, but I’m using it in a corporate environment where the boss and the employees don’t want to remember another PIN for each token (we are going to use the user store password instead of a PIN), and email access is available only inside the organization network, which is not accessible by any device other than the desktop already installed and accessible with a personal badge.
Indeed strong authentication is not useful in such an environment, but it is required for legal compliance, due to the fact that sensitive data requires this kind of authentication.