Hi,
we have a specific case to propose.
We need to have two tokens per user, within the same realm: SMS and TOTP.
We would like to make sure that the authentication process on takes place
through the following steps:
How can we do it ?
Thanks,
Salvo.
Hi Salvo,
Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
http://privacyidea.readthedocs.io/en/latest/modules/api.html
Roughly:
But if you have any other application/frontend, this will be
challenging.
Kind regards
CorneliusAm Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking:
Hi there,
What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, i presume using
radius?Please elaborate some more as to how you want to implement this.
Johan.
Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo Rapisarda:
Hi,we have a specific case to propose. We need to have two tokens per user, within the same realm: SMS and TOTP. We would like to make sure that the authentication process on takes place through the following steps: 1. The user enters the username and password 2. The user specify the token type to use 3. The user enters the OTP received via SMS or generated via TOTP How can we do it ? Thanks, Salvo.–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/798795f9-7a40-43f5-9054-192ac2a0fe0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi there,
What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, i presume using radius?
Please elaborate some more as to how you want to implement this.
Johan.Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo Rapisarda:
Hi,
we have a specific case to propose.
We need to have two tokens per user, within the same realm: SMS and TOTP.
We would like to make sure that the authentication process on takes place
through the following steps:
- The user enters the username and password
- The user specify the token type to use
- The user enters the OTP received via SMS or generated via TOTP
How can we do it ?
Thanks,
Salvo.
Hi Cornelius,
currently we have our web application that use API to authenticate users
via SSO using SAMLv2.
A user have only one token of type SMS.
When auth process start:
Now, we want to give the feature to choice the OTP method (SMS or TOTP).
For do that we have setup a user with two token.
But when we do the first call to */validate/samlcheck *return an error
because is not supported (multiple token).
As we write in first post, we want that user*: *
Thank you
SalvoIl giorno giovedì 16 giugno 2016 11:01:07 UTC+2, Cornelius Kölbel ha scritto:
Hi Salvo,
Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
15.1.1. REST API — privacyIDEA 3.8 documentationRoughly:
- verify username and password
- issue GET /token/ as this very user
→ you will see the list of assigned tokens- Show these tokens in a dropdown box
- If SMS type trigger SMS by /validate/check
- Ask the user to enter OTP.
But if you have any other application/frontend, this will be
challenging.Kind regards
CorneliusAm Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking:
Hi there,
What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, i presume using
radius?Please elaborate some more as to how you want to implement this.
Johan.
Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo Rapisarda:
Hi,we have a specific case to propose. We need to have two tokens per user, within the same realm: SMS and TOTP. We would like to make sure that the authentication process on takes place through the following steps: 1. The user enters the username and password 2. The user specify the token type to use 3. The user enters the OTP received via SMS or generated via TOTP How can we do it ? Thanks, Salvo.–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Hi Salvo,
you are probably using otppin=userstore.
The problem is, that two tokens with challenges response is not
supported at the moment. If the user has two tokens and one is a
challenge response token, the tokens need different OTP PINs.
If you are using same OTP pins or the userstore password, privacyIDEA
does not know, which token should create the challenge.
I though your first authentication with the password was not issued
against privacyidea but against e.g. your LDAP.
Kind regards
CorneliusAm Freitag, den 17.06.2016, 03:57 -0700 schrieb Salvo Rapisarda:
Hi Cornelius,
currently we have our web application that use API to authenticate
users via SSO using SAMLv2.
A user have only one token of type SMS.When auth process start:
1. User & pass are validated via /validate/samlcheck
2. We get transaction_id and then user enter OTP number received
via SMS
3. Next, another /validate/samlcheck is done adding with
pass=“OTP number” and transaction_id received on previous
step.Now, we want to give the feature to choice the OTP method (SMS or
TOTP). For do that we have setup a user with two token.
But when we do the first call to /validate/samlcheck return an error
because is not supported (multiple token).As we write in first post, we want that user:
1. Enter the username and password
2. View the token assigned and choice what method to use
3. Insert OTP code based on choice
4. Authenticate correctly
Thank youSalvo
Il giorno giovedì 16 giugno 2016 11:01:07 UTC+2, Cornelius Kölbel ha
scritto:
Hi Salvo,Johan has a good point! I was presuming you are running your own application? If you would do so, you could simply use the API http://privacyidea.readthedocs.io/en/latest/modules/api.html Roughly: 1. verify username and password 2. issue GET /token/ as this very user -> you will see the list of assigned tokens 3. Show these tokens in a dropdown box 4. If SMS type trigger SMS by /validate/check 5. Ask the user to enter OTP. But if you have any other application/frontend, this will be challenging. Kind regards Cornelius Am Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking: > Hi there, > > > What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc. > How do you want to initiate the authentication, i presume using > radius? > > > Please elaborate some more as to how you want to implement this. > > > Johan. > > > Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo Rapisarda: > Hi, > > > we have a specific case to propose. > We need to have two tokens per user, within the same realm: > SMS and TOTP. > > > We would like to make sure that the authentication process on > takes place through the following steps: > > > 1. The user enters the username and password > 2. The user specify the token type to use > 3. The user enters the OTP received via SMS or generated > via TOTP > > > How can we do it ? > > > Thanks, > Salvo. > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/798795f9-7a40-43f5-9054-192ac2a0fe0b%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/38560f79-f9ee-4c50-adab-7c4aa4679333%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi Daniele,
you are right. At the moment the sms or email is sent, when a challenge
is created.
The create_challenge is called, after the loop realizes, that the
authentication request is a challenge request. This happens here:
If you want to postpone the sending of the challenge, you need to add
another API call.
And this would still not be flexible enough. What should happen, if the
user had two SMS tokens?
What about this:
Let the user select his token, not the token type!
If the user selects the token then you can create a challenge especially
for this very token. if you are doing /validate/check?serial=xxxx
then the check_token_list function is only entered with a single token.
Kind regards
Cornelius
caruso.daniele.89@gmail.com:Am Montag, den 20.06.2016, 00:29 -0700 schrieb
Hi!
What if we create a challenge for every user token (two in this
case)?
When the user authenticates via username & password in the first step,
two challenges are created (TOTP or SMS),
then the user select the token type, and finally when the user insert
the OTP, it is checked against the
correct challenge.
Obviously, there is a problem: the sending of the SMS with OTP needs
to be postponed to the user choice.Daniele
Il giorno venerdì 17 giugno 2016 21:22:55 UTC+2, Cornelius Kölbel ha
scritto:
Hi Salvo,you are probably using otppin=userstore. The problem is, that two tokens with challenges response is not supported at the moment. If the user has two tokens and one is a challenge response token, the tokens need different OTP PINs. If you are using same OTP pins or the userstore password, privacyIDEA does not know, which token should create the challenge. I though your first authentication with the password was not issued against privacyidea but against e.g. your LDAP. Kind regards Cornelius Am Freitag, den 17.06.2016, 03:57 -0700 schrieb Salvo Rapisarda: > Hi Cornelius, > > > currently we have our web application that use API to authenticate > users via SSO using SAMLv2. > A user have only one token of type SMS. > > > When auth process start: > 1. User & pass are validated via /validate/samlcheck > 2. We get transaction_id and then user enter OTP number received > via SMS > 3. Next, another /validate/samlcheck is done adding with > pass="OTP number" and transaction_id received on previous > step. > > > Now, we want to give the feature to choice the OTP method (SMS or > TOTP). For do that we have setup a user with two token. > But when we do the first call to /validate/samlcheck return an error > because is not supported (multiple token). > > > As we write in first post, we want that user: > 1. Enter the username and password > 2. View the token assigned and choice what method to use > 3. Insert OTP code based on choice > 4. Authenticate correctly > Thank you > > > Salvo > > > > Il giorno giovedì 16 giugno 2016 11:01:07 UTC+2, Cornelius Kölbel ha > scritto: > Hi Salvo, > > Johan has a good point! > I was presuming you are running your own application? > If you would do so, you could simply use the API > http://privacyidea.readthedocs.io/en/latest/modules/api.html > > Roughly: > > 1. verify username and password > 2. issue GET /token/ as this very user > -> you will see the list of assigned tokens > 3. Show these tokens in a dropdown box > 4. If SMS type trigger SMS by /validate/check > 5. Ask the user to enter OTP. > > But if you have any other application/frontend, this will be > challenging. > > Kind regards > Cornelius > > Am Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking: > > Hi there, > > > > > > What do you use at the frontend? i.e. Citrix Netscaler, > Firewall etc. > > How do you want to initiate the authentication, i presume > using > > radius? > > > > > > Please elaborate some more as to how you want to implement > this. > > > > > > Johan. > > > > > > Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo > Rapisarda: > > Hi, > > > > > > we have a specific case to propose. > > We need to have two tokens per user, within the same > realm: > > SMS and TOTP. > > > > > > We would like to make sure that the authentication > process on > > takes place through the following steps: > > > > > > 1. The user enters the username and password > > 2. The user specify the token type to use > > 3. The user enters the OTP received via SMS or > generated > > via TOTP > > > > > > How can we do it ? > > > > > > Thanks, > > Salvo. > > -- > > Please read the blog post about getting help > > https://www.privacyidea.org/getting-help/. > > > > For professional services and consultancy regarding two > factor > > authentication please visit > > https://netknights.it/en/leistungen/one-time-services/ > > > > In an enterprise environment you should get a SERVICE LEVEL > AGREEMENT > > which suites your needs for SECURITY, AVAILABILITY and > LIABILITY: > > > https://netknights.it/en/leistungen/service-level-agreements/ > > --- > > You received this message because you are subscribed to the > Google > > Groups "privacyidea" group. > > To unsubscribe from this group and stop receiving emails > from it, send > > an email to privacyidea...@googlegroups.com. > > To post to this group, send email to > priva...@googlegroups.com. > > Visit this group at > https://groups.google.com/group/privacyidea. > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/privacyidea/798795f9-7a40-43f5-9054-192ac2a0fe0b%40googlegroups.com. > > For more options, visit https://groups.google.com/d/optout. > > -- > Cornelius Kölbel > corneliu...@netknights.it > +49 151 2960 1417 > > NetKnights GmbH > http://www.netknights.it > Landgraf-Karl-Str. 19, 34131 Kassel, Germany > Tel: +49 561 3166797, Fax: +49 561 3166798 > > Amtsgericht Kassel, HRB 16405 > Geschäftsführer: Cornelius Kölbel > > > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit > https://groups.google.com/d/msgid/privacyidea/38560f79-f9ee-4c50-adab-7c4aa4679333%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/6667bc71-b044-4239-8886-cf15fb5d9fe9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (836 Bytes)
Hi!
What if we create a challenge for every user token (two in this case)?
When the user authenticates via username & password in the first step, two
challenges are created (TOTP or SMS),
then the user select the token type, and finally when the user insert the
OTP, it is checked against the
correct challenge.
Obviously, there is a problem: the sending of the SMS with OTP needs to be
postponed to the user choice.
DanieleIl giorno venerdì 17 giugno 2016 21:22:55 UTC+2, Cornelius Kölbel ha scritto:
Hi Salvo,
you are probably using otppin=userstore.
The problem is, that two tokens with challenges response is not
supported at the moment. If the user has two tokens and one is a
challenge response token, the tokens need different OTP PINs.
If you are using same OTP pins or the userstore password, privacyIDEA
does not know, which token should create the challenge.I though your first authentication with the password was not issued
against privacyidea but against e.g. your LDAP.Kind regards
CorneliusAm Freitag, den 17.06.2016, 03:57 -0700 schrieb Salvo Rapisarda:
Hi Cornelius,
currently we have our web application that use API to authenticate
users via SSO using SAMLv2.
A user have only one token of type SMS.When auth process start:
1. User & pass are validated via /validate/samlcheck
2. We get transaction_id and then user enter OTP number received
via SMS
3. Next, another /validate/samlcheck is done adding with
pass=“OTP number” and transaction_id received on previous
step.Now, we want to give the feature to choice the OTP method (SMS or
TOTP). For do that we have setup a user with two token.
But when we do the first call to /validate/samlcheck return an error
because is not supported (multiple token).As we write in first post, we want that user:
1. Enter the username and password
2. View the token assigned and choice what method to use
3. Insert OTP code based on choice
4. Authenticate correctly
Thank youSalvo
Il giorno giovedì 16 giugno 2016 11:01:07 UTC+2, Cornelius Kölbel ha
scritto:
Hi Salvo,Johan has a good point! I was presuming you are running your own application? If you would do so, you could simply use the API http://privacyidea.readthedocs.io/en/latest/modules/api.html Roughly: 1. verify username and password 2. issue GET /token/ as this very user -> you will see the list of assigned tokens 3. Show these tokens in a dropdown box 4. If SMS type trigger SMS by /validate/check 5. Ask the user to enter OTP. But if you have any other application/frontend, this will be challenging. Kind regards Cornelius Am Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking: > Hi there, > > > What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc. > How do you want to initiate the authentication, i presume using > radius? > > > Please elaborate some more as to how you want to implement this. > > > Johan. > > > Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo Rapisarda: > Hi, > > > we have a specific case to propose. > We need to have two tokens per user, within the same realm: > SMS and TOTP. > > > We would like to make sure that the authentication process on > takes place through the following steps: > > > 1. The user enters the username and password > 2. The user specify the token type to use > 3. The user enters the OTP received via SMS or generated > via TOTP > > > How can we do it ? > > > Thanks, > Salvo. > -- > Please read the blog post about getting help > https://www.privacyidea.org/getting-help/. > > For professional services and consultancy regarding two factor > authentication please visit > https://netknights.it/en/leistungen/one-time-services/ > > In an enterprise environment you should get a SERVICE LEVEL AGREEMENT > which suites your needs for SECURITY, AVAILABILITY and LIABILITY: > https://netknights.it/en/leistungen/service-level-agreements/ > --- > You received this message because you are subscribed to the Google > Groups "privacyidea" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to privacyidea...@googlegroups.com. > To post to this group, send email to priva...@googlegroups.com. > Visit this group at https://groups.google.com/group/privacyidea. > To view this discussion on the web visit >> For more options, visit https://groups.google.com/d/optout. -- Cornelius Kölbel corneliu...@netknights.it +49 151 2960 1417 NetKnights GmbH http://www.netknights.it Landgraf-Karl-Str. 19, 34131 Kassel, Germany Tel: +49 561 3166797, Fax: +49 561 3166798 Amtsgericht Kassel, HRB 16405 Geschäftsführer: Cornelius Kölbel–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visitFor more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
corneliu…@netknights.it <javascript:>
+49 151 2960 1417NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
Salvos workflow could be done with the current privacyIDEA API.
But then you would have to heavily improve the simpleSAML plugin.
Kind regards
CorneliusAm Montag, den 12.09.2016, 11:58 -0700 schrieb Christoph Kreutzer:
Hi Salvo,
your description sounds totally like what I was thinking of!
If I understand correctly, you use the simpleSAMLphp plugin? Have you
made any efforts on this? Maybe we could integrate this in the plugin
maintained by Cornelius (as a PR) or branch it? I am interested to
contribute, too.I’m currently using simpleSAMLphp and authtfaga, but I would like to
replace that with a more complete and versatile solution.Best regards,
ChristophHi Cornelius,
currently we have our web application that use API to authenticate
users via SSO using SAMLv2.
A user have only one token of type SMS.When auth process start:
User & pass are validated via /validate/samlcheck
We get transaction_id and then user enter OTP number received via
SMS
Next, another /validate/samlcheck is done adding with pass=“OTP
number” and transaction_id received on previous step.Now, we want to give the feature to choice the OTP method (SMS or
TOTP). For do that we have setup a user with two token.
But when we do the first call to /validate/samlcheck return an
error because is not supported (multiple token).As we write in first post, we want that user:
Enter the username and password
View the token assigned and choice what method to use
Insert OTP code based on choice
Authenticate correctly
Thank youSalvo
Hi Salvo,
Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
15.1.1. REST API — privacyIDEA 3.8 documentationRoughly:
- verify username and password
- issue GET /token/ as this very user
→ you will see the list of assigned tokens- Show these tokens in a dropdown box
- If SMS type trigger SMS by /validate/check
- Ask the user to enter OTP.
But if you have any other application/frontend, this will be
challenging.Kind regards
CorneliusAm Donnerstag, den 16.06.2016, 01:56 -0700 schrieb jmdeking:
Hi there,
What do you use at the frontend? i.e. Citrix Netscaler,
Firewall etc.
How do you want to initiate the authentication, i presume
using
radius?Please elaborate some more as to how you want to implement
this.Johan.
Op donderdag 16 juni 2016 10:15:40 UTC+2 schreef Salvo
Rapisarda:
Hi,we have a specific case to propose. We need to have two tokens per user, within the samerealm:
SMS and TOTP. We would like to make sure that the authenticationprocess on
takes place through the following steps: 1. The user enters the username and password 2. The user specify the token type to use 3. The user enters the OTP received via SMS orgenerated
via TOTP How can we do it ? Thanks, Salvo.–
Please read the blog post about getting help
Getting help – privacyID3A.For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - VerschlüsselungIn an enterprise environment you should get a SERVICE LEVEL
AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and
LIABILITY:
privacyIDEA Support LevelYou received this message because you are subscribed to the
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from
it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.Visit this group at https://groups.google.com/group/privacyidea
.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/798795f9-7a40-43f
5-9054-192ac2a0fe0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
signature.asc (819 Bytes)
Hi,
I just need exactly the following change on the plugin, and some other I’m not going to talk about in this topic as they are offtopic:
Did someone already implemented this?
I was not able to find something similar implemented.
Thank you.
Best regards,
B.
Why would you want to do this?
The user can choose which challenge/response token he wants to use by just using the token.
Why should he click “I will use my email” in the first place?
If the email is compromized, the attacker will in fact choose “please use email”.
So the right move is to actually disable the email token.
I definitely agree with you, but I’m using it in a corporate environment where the boss and the employees don’t want to remember another pin for each token (we are going to use user store password instead of pin) and email access is available only inside the organization network which is not accessible by any other device than the desktop already installed and accessible by a personal bedge.
Indeed strong authentication is not useful in such as environment but it is required for legal compliance due to the fact sensible data requires this kind of authentication.
Best Regards,
B.
otppin=userstore
Using this setting an otp password is sent to all token available for a user, this mean the issue in case of compromised email remains, doesn’t it?
Best regards,
B.
I think there is a basic misunderstanding.
If you email is compromised, you need to deactivate the email token. No matter, which PIN you are using.
You were complaining about your users not willing to memorize another password/PIN, so I gave you this hint.