
Ratler / shibboleth-mfa-u2f-auth

Licence: Apache-2.0 license
U2F multifactor authentication plugin for Shibboleth IdPv3


This project is work in progress.

Shibboleth U2F Authentication Plugin

U2F authentication flow for Shibboleth Identity Provider v3.3.x. The U2F flow is not meant to be used on its own: it is intended to run as a second factor after another login flow (normally the Password flow), chained together by means of the IdP's MFA login flow.

Notes

Tested with Shibboleth Identity Provider 3.3.x, Google Chrome 57.x and Opera 43.x. Currently supported U2F device data stores are DummyDataStore (for testing only, never in production) and Yubico's U2F Validation Server (u2fval).

Requirements

Installation

  1. Download preferred distribution, binary release or building from source

    • Binary release

    Download from https://github.com/Ratler/shibboleth-mfa-u2f-auth/releases

    • Source

      Building the distribution.

      $ git clone https://github.com/Ratler/shibboleth-mfa-u2f-auth.git
      $ cd shibboleth-mfa-u2f-auth
      $ ./gradlew clean installDist
      

      Files will be found in build/install/shibboleth-mfa-u2f-auth.

  2. Copy conf, edit-webapp and views to $IDP_HOME, usually /opt/shibboleth-idp.

      $ cp -r build/install/shibboleth-mfa-u2f-auth/* $IDP_HOME/

  3. Copy $IDP_HOME/conf/u2f.properties.dist to $IDP_HOME/conf/u2f.properties, then edit $IDP_HOME/conf/u2f.properties and set the property u2f.appId to your application ID, see https://github.com/Ratler/shibboleth-mfa-u2f-auth and https://developers.yubico.com/U2F/App_ID.html for help. The app ID must be an https URL whose origin matches the IdP's origin (or which lists it as a facet); otherwise browsers will refuse the U2F request. Enable and configure one of the supported data stores; u2fval is recommended.

  4. Edit $IDP_HOME/conf/idp.properties and change the following properties:

  • Append /conf/u2f.properties to the property idp.additionalProperties=, e.g. idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/u2f.properties
  • Change the property idp.authn.flows= to idp.authn.flows=MFA
  5. Edit $IDP_HOME/conf/authn/general-authn.xml and add the authn/U2f bean to the element <util:list id="shibboleth.AvailableAuthenticationFlows">:
    <bean id="authn/U2f" parent="shibboleth.AuthenticationFlow"
        p:passiveAuthenticationSupported="true"
        p:forcedAuthenticationSupported="true">
        <property name="supportedPrincipals">
            <util:list>
                <bean parent="shibboleth.SAML2AuthnContextClassRef"
                    c:classRef="http://stderr.eu/u2f" />
                <bean parent="shibboleth.SAML1AuthenticationMethod"
                    c:method="http://stderr.eu/u2f" />
            </util:list>
        </property>
    </bean>

Modify the supportedPrincipals list in the bean <bean id="authn/MFA"... to something like this:

    <property name="supportedPrincipals">
        <list>
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="http://stderr.eu/u2f" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="http://stderr.eu/u2f" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
            <bean parent="shibboleth.SAML1AuthenticationMethod"
                c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
        </list>
    </property>
  6. Edit $IDP_HOME/conf/authn/mfa-authn-config.xml and change the element <util:map id="shibboleth.authn.MFA.TransitionMap"> to something like this:
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- First rule runs the Password login flow. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>

        <!-- Second rule: once the Password flow has succeeded, run the U2f flow.
             An implicit final rule will return whatever the final flow (U2f) returns. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/U2f" />
        </entry>
    </util:map>

The MFA flow above is the simplest form. The MFA login flow provides a scriptable (or programmable) way to combine one or more login flows, see https://wiki.shibboleth.net/confluence/display/IDP30/MultiFactorAuthnConfiguration for more information.
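The map above always demands a U2F touch after every password login. In practice most deployments need the decision to be conditional, for example to exempt a set of accounts or to let the SP's requested authentication context force the second factor. The following is an added example (not part of this project's distribution) of a scripted transition for mfa-authn-config.xml, adapted from the pattern documented on the Shibboleth MFA wiki page linked above and pointed at this plugin's authn/U2f flow. The bean id checkSecondFactor and the attribute name mfaExempt are assumptions for illustration; mfaExempt would have to be defined in attribute-resolver.xml for the lookup to return anything.

```xml
<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- First rule runs the Password login flow. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>

    <!-- Second rule: after a successful Password login a script decides whether
         authn/U2f must run. An implicit final rule returns the last flow's result. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
    </entry>
</util:map>

<!-- Hypothetical bean id; the attribute resolver is handed in as the "custom" object. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="shibboleth.AttributeResolverService">
    <constructor-arg>
        <value>
        <![CDATA[
        // Fail closed: U2F is required unless the checks below explicitly release it.
        nextFlow = "authn/U2f";

        authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
        mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");

        // If the SP requested http://stderr.eu/u2f, the Password result alone is not
        // acceptable and U2F always runs. Only when it is acceptable do we consult the user's attributes.
        if (mfaCtx.isAcceptable()) {
            resCtx = input.getSubcontext(
                "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);

            // Resolve the canonical username of the just-authenticated principal.
            usernameLookupStrategyClass = Java.type(
                "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
            usernameLookupStrategy = new usernameLookupStrategyClass();
            resCtx.setPrincipal(usernameLookupStrategy.apply(input));

            // Assumed attribute name: mfaExempt. Only resolve what we need.
            resCtx.getRequestedIdPAttributeNames().add("mfaExempt");
            resCtx.resolveAttributes(custom);

            // Skip U2F only on an explicit "true"; a missing attribute or a resolver
            // failure leaves nextFlow at authn/U2f.
            attribute = resCtx.getResolvedIdPAttributes().get("mfaExempt");
            valueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
            if (attribute != null && attribute.getValues().contains(new valueType("true"))) {
                nextFlow = null;   // null ends the MFA flow with the Password result
            }

            input.removeSubcontext(resCtx);   // clean up so later resolution starts fresh
        }

        nextFlow;   // returned to the MFA flow as the next flow to run
        ]]>
        </value>
    </constructor-arg>
</bean>
```

The important design choice is the default: nextFlow starts at authn/U2f and is only cleared on a positive, explicit exemption, so an attribute that fails to resolve (LDAP outage, typo in the resolver definition) results in more authentication rather than less. Note also that the exemption is never consulted when the SP has asked for the http://stderr.eu/u2f class, because mfaCtx.isAcceptable() is then false.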

  7. Rebuild the IdP WAR file:

      $ $IDP_HOME/bin/build.sh