One-Time Password (SMS)
In this scenario, a web resource, Fortified ID Portal, uses an external SAML IdP for authentication.
The web resource Fortified ID Portal acts as a SAML SP. The external SAML IdP is Fortified ID WEB. On the SAML IdP there is one selectable authentication option, which is a chain of two steps: username and password, followed by a one-time password sent by SMS. The username and password are authenticated against an Active Directory (the chain binds to the directory as the user found by the mail attribute); the SMS step is validated against the OTP generated after a successful bind, so the SAML assertion is issued with the AuthnContextClassRef of the last step in the chain (MobileTwoFactorContract).
This use case assumes that you have good knowledge of the product in question.
Fortified ID WEB installed and configured
LDAP directory. This is where the users to authenticate are located. The example code is configured for an Active Directory. The mail attribute is used as the login identifier (the LDAP filter is `mail=<identifier>`) and the mobile attribute is used as the recipient number for the one-time password SMS. Note that in the example pipe `Validate_Username_Password` the LDAPSearch lists only `mail` under `attributes` while the HttpPost reads `{{{item.mobile}}}`; confirm in your environment that `mobile` is actually returned for the user, otherwise the SMS will be sent to an empty recipient.
Fortified ID Portal installed and configured. (you can use any SAML SP connected to Fortified ID WEB SAML IdP of course).
SMS service
Note. All configuration and testing is done on the scenario server. The example pipes contain `DumpRequest`, `DumpExports` and `DumpState` valves for troubleshooting; these dump the incoming request (which includes the submitted password) and the exports (which include the generated OTP value) to the log. Remove or disable them before using this configuration anywhere other than a test server.
Download and install Fortified ID Web and Fortified ID Portal
To install Fortified ID WEB and Fortified ID Portal, see the product documentation and installation guide.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
Download the USE_CASE.zip.
Replace the customer folders of your installations with the ones from the zip-file. Note. This use case was initially done on a Windows server; if you run it in a container/Docker or on Linux you may have to change some things, e.g. file paths, for it to work in your environment.
Open the globals.json in both customer folders and update it to match your environment. globals.json holds all secrets referenced by the configuration (the LDAP bind password, the SMS service user and password, and the HTTPS and SAML signing keystore passwords), so protect it with restrictive file permissions and keep it out of version control. Also review `globals.ldap.ldap1.connection.ssl_trust_all`: it should be `false` outside a lab, since trusting any certificate disables server verification on the LDAPS connection that carries the user's password.
Start services
Start Fortified ID WEB
Start Fortified ID Portal
Verify Fortified ID WEB is started
Verify Fortified ID Portal is started
Open a browser
Browse to https://localhost:8445/portal
This is the address of Fortified ID Portal acting as a SAML SP. The Fortified ID WEB SAML IdP and its /authn endpoints are served over HTTPS on `${globals.http.port}` using the keystore referenced by `globals.keystore.https`, so the browser will also need to trust that certificate.
Type the username and password of a user in your Active Directory.
Note. Remember that the configuration uses the mail attribute as the username (LDAP filter `mail={{{request.identifier}}}` and NameID parameter `mail`). Verify that your user has a value in the mail attribute, and that the value is unique, since the search is done with scope SUB under the configured base DN.
Other configuration and reference files are found in the ZIP-file you downloaded. The SAML IdP configuration for Fortified ID WEB is shown below. Note one inconsistency to correct when adapting it: the `validate_otp` authenticator's `overlay_dirs` reference `${globals.file_path.base_dir}` whereas every other reference in the file uses `${globals.file_paths.base_dir}`; make sure the key used matches what is defined in your globals.json.
{
"globals": "@include:globals.json",
"modules": [
{
"name": "CefEventModule",
"config": {}
},
{
"name": "HttpClient",
"config": {
"name": "default",
"idle_timeout_ms": 5000,
"connect_timeout_ms": 5000
}
},
{
"name": "HttpClient",
"config": {
"name": "${globals.keystore.sms_service.name}",
"idle_timeout_ms": 5000,
"connect_timeout_ms": 5000,
"request_timeout_ms": 5000,
"ssl_truststore_path": "${globals.keystore.sms_service.path}",
"ssl_truststore_password": "${globals.keystore.sms_service.password}"
}
},
{
"name": "LdapClient",
"enabled": true,
"instances": 1,
"config": {
"name": "${globals.ldap.ldap1.name}",
"connection": {
"host": "${globals.ldap.ldap1.connection.host}",
"port": "${globals.ldap.ldap1.connection.port}",
"bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
"bind_password": "${globals.ldap.ldap1.connection.bind_password}",
"use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
"ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
}
}
},
{
"name": "SAML",
"config": {
"metadata_cache": "${globals.saml.idp1.metadata_cache}",
"http_port": "${globals.http.port}",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"enable_http": true,
"metadata_template": [
{
"id": "${globals.saml.idp1.metadata_id}",
"metadata_file_path": "${globals.saml.idp1.metadata_file_path}",
"sign_ref": [
{
"keystore": {
"alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
"key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
"password": "${globals.keystore.saml.sign_ref_keystore_password}",
"path": "${globals.keystore.saml.sign_ref_keystore_path}"
}
}
]
}
],
"metadata": [
{
"path": "${globals.file_paths.base_dir}/config/resources_internal/saml/sp_metadata_files/sp_portal.xml"
}
]
}
},
{
"name": "AuthN",
"enabled": true,
"config": {
"context_path": "/authn",
"webroot_dir": "web",
"http_port": "${globals.http.port}",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"authenticators": [
{
"id": "auth00",
"type": "SAMLIDP",
"config": {
"context_path": "/saml/authn/chain",
"base_path": "/saml/authn",
"expiry": "PT1S",
"force_re_auth": false,
"idp": "${globals.saml.idp1.idp_entityid}",
"chain": [
{
"id": "selector_root",
"required": true
}
],
"assertion_config": [
{
"target_sp": [
"FortifiedID_Portal"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"givenName",
"sn",
"mail",
"roles",
"display_name",
"distinguishedName"
],
"pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_Portal"
}
]
}
},
{
"id": "selector_root",
"type": "Selector",
"config": {
"base_path": "/saml/authn",
"webroot_dir": "web/authenticator/selector",
"auto_select": false,
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/1_selector_root",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"options": [
{
"id": "1",
"target": "validate_uid_sms_otp_chain",
"label": "ldap_label",
"logo": "assets/svg/microsoft.svg"
}
]
}
},
{
"id": "validate_uid_sms_otp_chain",
"type": "Chain",
"config": {
"base_path": "/saml/authn",
"chain": [
{
"id": "uid_pwd_ldap",
"required": true
},
{
"id": "validate_otp",
"required": true
}
]
}
},
{
"id": "uid_pwd_ldap",
"type": "UserNameAndPassword",
"config": {
"base_path": "/saml/authn",
"webroot_dir": "web/authenticator/username_password",
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/4_main_username_password",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"pipe_id": "Validate_Username_Password",
"exports": [
{
"name": "used_auth",
"value": "username_password_ldap"
},
{
"name": "AuthnContextClassRef",
"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
}
]
}
},
{
"id": "validate_otp",
"type": "OTPValidator",
"config": {
"base_path": "/saml/authn",
"pipe_id": "Validate_OTP",
"overlay_dirs": [
"${globals.file_path.base_dir}/config/resources_external/overlays/3_validate_otp",
"${globals.file_path.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"webroot_dir": "web/authenticator/otp_validation",
"exports": [
{
"name": "AuthnContextClassRef",
"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
}
]
}
}
]
}
},
{
"name": "Pipes",
"config": {
"pipes": [
{
"id": "Validate_Username_Password",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest ***"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports ***"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "mail={{{request.identifier}}}",
"attributes": [
{
"name": "mail",
"multivalue": false
}
]
}
},
{
"name": "LDAPBind",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"dn": "{{{item.id}}}",
"password": "{{{request.password}}}"
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "GenerateOtp",
"enabled": true,
"config": {
"otp_length": 6,
"alpha_numeric": false,
"valid_time": 60,
"dest_parameter": "generated_otp",
"otp_parameter": "generated_otp_value"
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "generated_otp",
"value": "{{{item.generated_otp}}}",
"replace": true
}
},
{
"name": "HttpPost",
"config": {
"url": "${globals.sms_service.url}",
"destination": "${globals.keystore.sms_service.name}",
"content_type": "application/x-www-form-urlencoded",
"parameters": {
"USER": "${globals.sms_service.user}",
"PW": "${globals.sms_service.pw}",
"RCV": "{{{item.mobile}}}",
"SND": "${globals.sms_service.snd}",
"TXT": "{{{item.generated_otp_value}}}"
}
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
},
{
"id": "Validate_OTP",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest ***"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports ***"
}
},
{
"name": "ValidateOtp",
"enabled": true,
"config": {
"username_parameter": "{{{session.username}}}",
"otp_parameter": "{{{request.otp}}}",
"src_parameter": "{{{session.generated_otp}}}"
}
}
]
}
},
{
"id": "Retrieve_data_for_SAML_response_for_Portal",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest från DumpData Portal****"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports från DumpData Portal****"
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('username_password_ldap')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{request.username}}}",
"replace": true
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "{{{exports.LDAP_search_filter}}}",
"attributes": [
{
"name": "givenName",
"multivalue": false
},
{
"name": "sn",
"multivalue": false
},
{
"name": "sAMAccountName",
"multivalue": false
},
{
"name": "mail",
"multivalue": false
},
{
"name": "carLicense",
"multivalue": true
},
{
"name": "displayName",
"multivalue": false
},
{
"name": "distinguishedName",
"multivalue": false
}
]
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "ItemPropertyAdd",
"enabled": true,
"config": {
"name": "display_name",
"value": "{{{item.displayName}}}"
}
},
{
"name": "ItemPropertyRename",
"enabled": true,
"config": {
"old_name": "carLicense",
"new_name": "roles"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports****"
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
}
]
}
}
]
}
You should be redirected to Fortified ID WEB acting as SAML IdP and see the following:
Click Username & Password (LDAP); you should now see the username and password form.
After username and password verification you will be prompted to enter the one-time password. Check the user's mobile phone for an SMS with the one-time password and enter it. In the example configuration the OTP is a 6-digit numeric code (`otp_length: 6`, `alpha_numeric: false`) with `valid_time` set to 60, so it must be entered promptly.
Click Verify one-time password; you should now be redirected back to Fortified ID Portal. What you see can differ depending on configuration and on the attribute values of the logged-in object (the assertion carries givenName, sn, mail, roles mapped from carLicense, display_name and distinguishedName).