Multi token per user


#1

Hi,

we have a specific case to propose.

We need to have two tokens per user, within the same realm: SMS and TOTP.

We would like to make sure that the authentication process takes place
through the following steps:

  1. The user enters the username and password
  2. The user specifies the token type to use
  3. The user enters the OTP received via SMS or generated via TOTP

How can we do it?

Thanks,
Salvo.


#2

Hi Salvo,

Johan has a good point!
I was presuming you are running your own application?
If you would do so, you could simply use the API
http://privacyidea.readthedocs.io/en/latest/modules/api.html

Roughly:

  1. verify username and password
  2. issue GET /token/ as this very user
    -> you will see the list of assigned tokens
  3. Show these tokens in a dropdown box
  4. If it is an SMS type, trigger the SMS via /validate/check
  5. Ask the user to enter the OTP.

But if you have any other application/frontend, this will be
challenging.

Kind regards
Cornelius

On Thursday, 16.06.2016, 01:56 -0700, jmdeking wrote:



Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/798795f9-7a40-43f5-9054-192ac2a0fe0b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel



#3

Hi there,

What do you use at the frontend? i.e. Citrix Netscaler, Firewall etc.
How do you want to initiate the authentication, I presume using RADIUS?

Please elaborate some more as to how you want to implement this.

Johan.

On Thursday, 16 June 2016 10:15:40 UTC+2, Salvo Rapisarda wrote:



#4

Hi Cornelius,

currently we have our web application that uses the API to authenticate users
via SSO using SAMLv2.
A user has only one token, of type SMS.

When the auth process starts:

  1. User & pass are validated via /validate/samlcheck
  2. We get a transaction_id and then the user enters the OTP number received via
    SMS
  3. Next, another /validate/samlcheck is done, adding pass=“OTP
    number” and the transaction_id received in the previous step.

Now, we want to give the user the choice of OTP method (SMS or TOTP).
To do that we have set up a user with two tokens.
But when we do the first call to /validate/samlcheck it returns an error
because this is not supported (multiple tokens).

As we wrote in the first post, we want the user to:

  1. Enter the username and password
  2. View the assigned tokens and choose which method to use
  3. Insert the OTP code based on the choice
  4. Authenticate correctly

Thank you

Salvo

On Thursday, 16 June 2016 11:01:07 UTC+2, Cornelius Kölbel wrote:



#5

Hi Salvo,

you are probably using otppin=userstore.

The problem is that two tokens with challenge response are not
supported at the moment. If the user has two tokens and one is a
challenge response token, the tokens need different OTP PINs.
If you are using the same OTP PINs or the userstore password, privacyIDEA
does not know which token should create the challenge.

I thought your first authentication with the password was not issued
against privacyIDEA but against e.g. your LDAP.

Kind regards
Cornelius

On Friday, 17.06.2016, 03:57 -0700, Salvo Rapisarda wrote:



#6

Hi Daniele,

you are right. At the moment the SMS or email is sent when a challenge
is created.

create_challenge is called after the loop realizes that the
authentication request is a challenge request. This happens here:


If you want to postpone the sending of the challenge, you need to add
another API call.

And this would still not be flexible enough. What should happen if the
user had two SMS tokens?

What about this:
Let the user select his token, not the token type!
If the user selects the token then you can create a challenge specifically
for this very token. If you are doing /validate/check?serial=xxxx
then the check_token_list function is only entered with a single token.

Kind regards
Cornelius

On Monday, 20.06.2016, 00:29 -0700, caruso.daniele.89@gmail.com wrote:



#7

Hi!

What if we create a challenge for every user token (two in this case)?
When the user authenticates via username & password in the first step, two
challenges are created (TOTP or SMS), then the user selects the token type,
and finally when the user inserts the OTP, it is checked against the
correct challenge.
Obviously, there is a problem: the sending of the SMS with the OTP needs to be
postponed until the user's choice.

Daniele

On Friday, 17 June 2016 21:22:55 UTC+2, Cornelius Kölbel wrote:



#8

Salvo's workflow could be done with the current privacyIDEA API.

But then you would have to heavily improve the simpleSAML plugin.

  1. use the API to retrieve a list of the user's tokens,
    either with the user's credentials or with a service account's credentials.
  2. the user could select the token
  3. Then the API request could be triggered with the serial number, not the
    username.

Kind regards
Cornelius

On Monday, 12.09.2016, 11:58 -0700, Christoph Kreutzer wrote:

Hi Salvo,

your description sounds totally like what I was thinking of!

If I understand correctly, you use the simpleSAMLphp plugin? Have you
made any efforts on this? Maybe we could integrate this into the plugin
maintained by Cornelius (as a PR) or branch it? I am interested in
contributing, too.

I’m currently using simpleSAMLphp and authtfaga, but I would like to
replace that with a more complete and versatile solution.

Best regards,
Christoph

Hi Cornelius,

currently we have our web application that uses the API to authenticate
users via SSO using SAMLv2.
A user has only one token of type SMS.

When the auth process starts:
User & pass are validated via /validate/samlcheck
We get a transaction_id and then the user enters the OTP number received via
SMS
Next, another /validate/samlcheck is done with pass=“OTP
number” and the transaction_id received in the previous step.

Now, we want to give the user the option to choose the OTP method (SMS or
TOTP). To do that we have set up a user with two tokens.
But when we make the first call to /validate/samlcheck it returns an
error because multiple tokens are not supported.

As we wrote in the first post, we want the user to:
Enter the username and password
View the assigned tokens and choose which method to use
Enter the OTP code based on the choice
Authenticate correctly
Thank you

Salvo


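The flow Cornelius lists above (retrieve the user's tokens, let the user pick one, then validate by serial rather than username), combined with the two-step challenge/response Salvo describes, as an added Python example that is not the privacyIDEA project's code or the simpleSAMLphp plugin. The endpoint paths (/auth, /token/, /validate/check) and response shapes follow the privacyIDEA REST API; the serials, the JWT value, the transaction_id and the FakeServer are constructed stand-ins so the block runs offline.

```python
# Added example, not privacyIDEA project code. `http(method, url, params, headers)`
# returns the parsed JSON body, so the same flow runs against a real server
# (e.g. a thin wrapper around `requests`) or against the constructed fake below.

def select_token_flow(http, base, user, password, choose, read_otp):
    # Step 1: verify username/password; /auth returns a JWT for this user.
    auth = http("POST", base + "/auth", {"username": user, "password": password}, {})
    if not auth["result"].get("value"):
        return False
    hdr = {"Authorization": auth["result"]["value"]["token"]}
    # Step 2: GET /token/ as this very user lists only the tokens assigned to them.
    tokens = http("GET", base + "/token/", {}, hdr)["result"]["value"]["tokens"]
    # Step 3: the user picks one; from here on the token is addressed by serial.
    serial, ttype = choose([(t["serial"], t["tokentype"]) for t in tokens])
    check = base + "/validate/check"
    if ttype == "sms":
        # Step 4: pass=PIN (the userstore password with otppin=userstore) triggers the SMS.
        first = http("POST", check, {"serial": serial, "pass": password}, {})
        tid = first.get("detail", {}).get("transaction_id")
        if first["result"]["value"] or not tid:
            return bool(first["result"]["value"])
        # Step 5: answer the challenge with the OTP and the transaction_id.
        reply = http("POST", check, {"serial": serial, "transaction_id": tid, "pass": read_otp()}, {})
    else:
        # TOTP has no challenge step here: PIN and OTP go together in one request.
        reply = http("POST", check, {"serial": serial, "pass": password + read_otp()}, {})
    return bool(reply["result"]["value"])


class FakeServer:
    """Constructed stand-in for privacyIDEA: one user owning an SMS and a TOTP token."""
    def __init__(self, password="Secret1!", otp="123456"):
        self.pw, self.otp, self.pending = password, otp, {}

    def __call__(self, method, url, params, headers):
        ok = lambda value, detail=None: {"result": {"status": True, "value": value}, "detail": detail or {}}
        if url.endswith("/auth"):
            return ok({"token": "jwt-constructed"} if params["password"] == self.pw else None)
        if url.endswith("/token/") and headers.get("Authorization") == "jwt-constructed":
            return ok({"tokens": [{"serial": "PISM0001", "tokentype": "sms"},
                                  {"serial": "TOTP0001", "tokentype": "totp"}]})
        serial, pw = params["serial"], params["pass"]
        if "transaction_id" in params:  # second step of challenge/response
            return ok(self.pending.pop(params["transaction_id"], None) == serial and pw == self.otp)
        if serial == "PISM0001" and pw == self.pw:  # PIN alone on the SMS token opens a challenge
            self.pending["tx-001"] = serial
            return ok(False, {"transaction_id": "tx-001", "message": "Enter the OTP from the SMS"})
        return ok(serial == "TOTP0001" and pw == self.pw + self.otp)
```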
#9

Hi,
I just need exactly the following change on the plugin, and some others I'm not going to talk about in this topic as they are off-topic:

Did someone already implement this?
I was not able to find something similar implemented.
Thank you.

Best regards,
B.


#10

Why would you want to do this?
The user can choose which challenge/response token he wants to use by just using the token.

Why should he click “I will use my email” in the first place?
If the email is compromised, the attacker will in fact choose “please use email”.
So the right move is to actually disable the email token.


#11

I definitely agree with you, but I'm using it in a corporate environment where the boss and the employees don't want to remember another PIN for each token (we are going to use the user store password instead of the PIN) and email access is available only inside the organization network, which is not accessible by any other device than the desktops already installed and accessible with a personal badge.
Indeed strong authentication is not useful in such an environment, but it is required for legal compliance due to the fact that sensitive data requires this kind of authentication.

Best Regards,
B.


#12

otppin=userstore


#13

Using this setting an otp password is sent to all token available for a user, this mean the issue in case of compromised email remains, doesn’t it?

Best regards,
B.


#14

I think there is a basic misunderstanding.
If your email is compromised, you need to deactivate the email token. No matter which PIN you are using.

You were complaining about your users not willing to memorize another password/PIN, so I gave you this hint.