README.md 5.7 KB
Newer Older
Victor Näslund's avatar
Victor Näslund committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Shibboleth-TOTP-loginhandler
This project add a TOTP loginhandler for shibboleth-idp

The TOTP secret is stored encrypted in LDAP

## How to use
First install maven and java 1.8 devel.

Then create the file /opt/shibboleth-idp/credentials/totp-configfile
both on your current compiling node and the shibboleth-idp node
```bash
# Lines are in this format type:value
# Values are encoded in base64
#
# FirstPartOfTOTPAESKey and SecondPartOfTOTPAESKey
# will be used for the encryption key for the TOTP secrets stored in LDAP
# Fore more info about the encryption see TOTPAES.java
# Change them to something appropriate
#
# TOTPMaxTries is how many times one can try
# before the module start taking anti bruteforce measures
#
# TOTPThrottleTime is how many seconds the account and/or ip address
# will be locked because of anti bruteforce measures
#
# To encode the values to base64 use this
# echo -n "BBB" | base64
# Will give you QkJC
#
# To decode base64 do this
# echo "QkJC" | base64 -d

FirstPartOfTOTPAESKey:QUFB
SecondPartOfTOTPAESKey:QkJC
TOTPMaxTries:OA==
TOTPThrottleTime:MTIwMA==
```

To compile the module run

```bash
mvn clean install
```
This will give you a jar file
```bash
totp-0.99.jar
```
Copy this file to your shibboleth-idp installation like
```bash
cp totp-0.99.jar ${shibboleth-idp}/edit-webapp/WEB-INF/lib/
```
Rebuild shibboleth-idp with the module using
```bash
cd ${shibboleth-idp}
./bin/build.sh
```

### Ok now we simply have to edit some config files to enable the module

In ${shibboleth-idp}/conf/logback.xml we have this
```xml
    <!-- Logs IdP, but not OpenSAML, messages -->
    <logger name="net.shibboleth.idp" level="INFO"/>
```
Add this just below

```xml
    <!-- TOTP set to DEBUG if needed -->
    <logger name="se.smhi.totp" level="INFO"/>
```

In ${shibboleth-idp}/conf/authn/general-authn.xml we have this

```xml
    <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true" />

```
Add this just below
```xml
    <!-- TOTP -->
    <bean id="authn/TOTP" parent="shibboleth.AuthenticationFlow"
          p:passiveAuthenticationSupported="true"
          p:forcedAuthenticationSupported="true">
      <property name="supportedPrincipals">
      <util:list>
          <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
                </util:list>
      </property>
    </bean>
```
In ${shibboleth-idp}/conf/authn/ldap-authn-config.xml we have this line
```xml
  <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
```
Add this line below it
```xml
  <alias name="ValidateUsernamePasswordTOTPAgainstLDAP" alias="ValidateUsernamePasswordTOTP" />
```

In the file ${shibboleth-idp}/conf/ldap.properties we have idp.authn.LDAP.returnAttributes  
Edit idp.authn.LDAP.returnAttributes by adding the name of your LDAP TOTP attribute here so shibboleth fetch it during authentication  
Also edit TOTP to idp.authn.flows like

```bash
idp.authn.LDAP.returnAttributes = cn,TOTPAttribute
idp.authn.flows = Password|TOTP
```

In ${shibboleth-idp}/flows/authn/conditions/conditions-flow.xml we have this
```xml
    <action-state id="ValidateUsernamePassword">
        
        <!-- Call outs for exceptional conditions. -->
        <transition on="AccountWarning" to="CallExpiringPassword" />
        <transition on="ExpiringPassword" to="CallExpiringPassword" />
        <transition on="ExpiredPassword" to="CallExpiredPassword" />
        <transition on="AccountLocked" to="CallAccountLocked" />
        
        <transition to="DisplayUsernamePasswordPage" />
    </action-state>
```
Add this just below
```xml
    <!-- TOTP -->
    <action-state id="ValidateUsernamePasswordTOTP">
        
        <!-- Call outs for exceptional conditions. -->
        <transition on="AccountWarning" to="CallExpiringPassword" />
        <transition on="ExpiringPassword" to="CallExpiringPassword" />
        <transition on="ExpiredPassword" to="CallExpiredPassword" />
        <transition on="AccountLocked" to="CallAccountLocked" />
        
        <transition to="DisplayUsernamePasswordTOTPPage" />
    </action-state>

```

In ${shibboleth-idp}/messages/authn-messages.properties add these lines
```bash
ThrottledUsername = throttled-username
ThrottledIPAddress = throttled-ipaddress
throttled-username.message = Your account is locked for XXX (see TOTPThrottle.java file) minutes
throttled-ipaddress.message = Your IP address is locked for XXX (see TOTPThrottle.java file) minutes
```

In the file ${shibboleth-idp}/system/conf/webflow-config.xml we have this line
```xml
        <webflow:flow-location id="authn/Password" path="../system/flows/authn/password-authn-flow.xml" />
```
Add this below it
```xml
        <!-- TOTP-->
        <webflow:flow-location id="authn/TOTP" path="../system/flows/authn/totp-authn-flow.xml" />
```

Now copy the TOTP config files
```bash
cp system/flows/authn/totp-authn-beans.xml to ${shibboleth-idp}/system/flows/authn/totp-authn-beans.xml

cp system/flows/authn/totp-authn-flow.xml ${shibboleth-idp}/system/flows/authn/totp-authn-flow.xml

cp views/loginTOTP.vm ${shibboleth-idp}/views/loginTOTP.vm

cp conf/authn/totp-authn-config.xml ${shibboleth-idp}/conf/authn/totp-authn-config.xml
```

## Generate your TOTP secret
Uncomment the function call to generateSecretSaltIvForLDAP at the end of the function testValidateTOTPCode in TOTPTest.java then
```bash
mvn clean install
```

Edit your LDAP multivalue attribute and add the generated encrypted secret, salt and IV to your LDAP attribute
Add the TOTP secret to your TOTP device, for example the app Google Authenticator for Android/iPhone phones
## You should now be able to login using TOTP