One-Time Password (SMTP)
Last updated
In this scenario a web resource, Fortified ID Portal, uses an external SAML IdP for authentication.
Fortified ID Portal acts as the SAML SP and Fortified ID WEB is the external SAML IdP. The IdP offers a single authentication option: username and password, verified against an Active Directory, followed by a one-time password (OTP) that is sent to the user's mail address over SMTP.
This use case assumes that you have good knowledge of the product in question.
Fortified ID WEB installed and configured.
LDAP directory. This is where the users to authenticate are located. The example configuration uses an Active Directory and identifies users by the mail attribute of the user object.
Fortified ID Portal installed and configured (any SAML SP connected to the Fortified ID WEB SAML IdP will do).
FakeSMTP. This delivers the one-time password: after the username and password have been verified, an OTP is mailed to the address in the user's mail attribute and the user is prompted for it. Download and install FakeSMTP on the same host as the use case and start its SMTP service on port 25. If you have a real SMTP server, use that instead; bear in mind that the OTP is sent in clear text in the mail body, so the path from Fortified ID WEB to the mail server and on to the user's mailbox must be one you trust.
Note. All configuration and testing in this use case is done on the scenario server.
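If you would rather not install FakeSMTP, or want to script the check that the OTP mail actually arrives, the following Python stands in for it. This is an added example written for this page, not FakeSMTP or Fortified ID code: a minimal SMTP sink that accepts a message and keeps its text, a sender that posts a mail the way the SmtpSender valve is configured (subject ** Your verification code **, sender noreply@mycompany.com), and an extractor for the 6-digit code. The mail body and the recipient address are constructed for the example; the real body comes from mail_template.txt in the ZIP. Binding to port 25 needs privileges, so the round-trip helper uses an ephemeral port.

```python
"""Local SMTP sink for testing the OTP mail, plus a sender modelled on the
SmtpSender valve. Added example; not FakeSMTP and not Fortified ID code."""
import re
import smtplib
import socketserver
import threading
from email.message import EmailMessage


class SmtpSinkHandler(socketserver.StreamRequestHandler):
    """Minimal ESMTP dialogue: enough for smtplib and most MTAs to deliver."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 otp-sink ESMTP")
        body, in_data = [], False
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if in_data:
                if line == ".":                      # end of DATA
                    self.server.messages.append("\n".join(body))
                    body, in_data = [], False
                    self.reply("250 OK: queued")
                else:                                # undo dot-stuffing
                    body.append(line[1:] if line.startswith("..") else line)
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 otp-sink")
            elif verb in ("MAIL", "RCPT", "NOOP", "RSET"):
                self.reply("250 OK")
            elif verb == "DATA":
                in_data = True
                self.reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


class SmtpSink(socketserver.ThreadingTCPServer):
    """Accepts mail on host:port and stores every message text in .messages."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):   # port 0: ephemeral; 25 to replace FakeSMTP
        super().__init__((host, port), SmtpSinkHandler)
        self.messages = []
        self.thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self.thread.start()
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def send_otp_mail(host, port, mail_to, otp, mail_from="noreply@mycompany.com"):
    """Post the verification mail as the SmtpSender valve is configured:
    one recipient, the page's subject, the code in a (constructed) body."""
    msg = EmailMessage()
    msg["From"] = mail_from
    msg["To"] = mail_to
    msg["Subject"] = "** Your verification code **"
    msg.set_content("Your one-time password is %s. It is valid for 60 seconds.\n" % otp)
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=5) as smtp:
        smtp.send_message(msg)


def extract_otp(raw_message, otp_length=6):
    """Pull the numeric code out of a captured message (None if absent)."""
    m = re.search(r"(?<!\d)(\d{%d})(?!\d)" % otp_length, raw_message)
    return m.group(1) if m else None


def roundtrip(otp="483920", mail_to="alice@example.com"):
    """Start a sink on an ephemeral port, send one OTP mail through it and
    return the code found in the captured message."""
    sink = SmtpSink()
    port = sink.start()
    try:
        send_otp_mail("127.0.0.1", port, mail_to, otp)
    finally:
        sink.stop()
    return extract_otp(sink.messages[0]) if sink.messages else None


if __name__ == "__main__":
    print(roundtrip())
```

To use it in place of FakeSMTP, run SmtpSink("0.0.0.0", 25).start() with sufficient privileges and point globals.smtp.smtp1 at it; the sink accepts any sender and recipient and performs no authentication, which is exactly why it belongs in a lab only.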
Download and install Fortified ID Web and Fortified ID Portal
To install Integrity Web and Integrity Portal, see the installation documentation.
Add files and folders from ZIP-file to Fortified ID Web and Fortified ID Portal.
Download the USE_CASE.zip.
Replace the customer folders of your installations with the ones from the ZIP file. Note. This use case was initially done on a Windows server; if you run it in a container/Docker or on Linux you may have to adjust things such as file paths to fit your environment.
Open globals.json in both customer folders and update it to match your environment. The Fortified ID WEB configuration reads its LDAP and SMTP settings from there, including the bind and SMTP credentials and the ldap1.connection.use_ssl and ssl_trust_all switches, so check those values with particular care before using the setup outside a lab.
Start services
Start Fortified ID WEB
Start Fortified ID Portal
Verify Fortified ID WEB is started
Verify Fortified ID Portal is started
Open a browser
Browse to https://localhost:8445/portal
This is the address to Fortified ID Portal acting as a SAML SP
Type the username and password of a user in your Active Directory.
Note. The configuration uses the mail attribute as the username, so verify that the user has a value in the mail attribute.
Enter the one-time password from the mail. In this use case the mail is delivered to the FakeSMTP application running locally on the Fortified ID WEB server.
The Fortified ID WEB configuration (the SAML IdP side of the scenario) is shown below. Other configuration and reference files are in the ZIP file you downloaded.
{
"globals": "@include:globals.json",
"modules": [
{
"name": "CefEventModule",
"config": {}
},
{
"name": "HttpClient",
"config": {
"name": "default",
"idle_timeout_ms": 5000,
"connect_timeout_ms": 5000
}
},
{
"name": "SmtpClient",
"enabled": true,
"config": {
"name": "${globals.smtp.smtp1.name}",
"host": "${globals.smtp.smtp1.host}",
"port": "${globals.smtp.smtp1.port}",
"user_name": "${globals.smtp.smtp1.user_name}",
"password": "${globals.smtp.smtp1.password}",
"auth_methods": "DIGEST-MD5, CRAM-SHA256, LOGIN"
}
},
{
"name": "LdapClient",
"enabled": true,
"instances": 1,
"config": {
"name": "${globals.ldap.ldap1.name}",
"connection": {
"host": "${globals.ldap.ldap1.connection.host}",
"port": "${globals.ldap.ldap1.connection.port}",
"bind_dn": "${globals.ldap.ldap1.connection.bind_dn}",
"bind_password": "${globals.ldap.ldap1.connection.bind_password}",
"use_ssl": "${globals.ldap.ldap1.connection.use_ssl}",
"ssl_trust_all": "${globals.ldap.ldap1.connection.ssl_trust_all}"
}
}
},
{
"name": "SAML",
"config": {
"metadata_cache": "${globals.saml.idp1.metadata_cache}",
"http_port": "${globals.http.port}",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"enable_http": true,
"metadata_template": [
{
"id": "${globals.saml.idp1.metadata_id}",
"metadata_file_path": "${globals.saml.idp1.metadata_file_path}",
"sign_ref": [
{
"keystore": {
"alias": "${globals.keystore.saml.sign_ref_keystore_alias}",
"key_password": "${globals.keystore.saml.sign_ref_keystore_key_password}",
"password": "${globals.keystore.saml.sign_ref_keystore_password}",
"path": "${globals.keystore.saml.sign_ref_keystore_path}"
}
}
]
}
],
"metadata": [
{
"path": "${globals.file_paths.base_dir}/config/resources_internal/saml/sp_metadata_files/sp_portal.xml"
}
]
}
},
{
"name": "AuthN",
"enabled": true,
"config": {
"context_path": "/authn",
"webroot_dir": "web",
"http_port": "${globals.http.port}",
"http_use_ssl": true,
"http_keystore_ref": {
"type": "${globals.keystore.https.ref.type}",
"path": "${globals.keystore.https.ref.path}",
"password": "${globals.keystore.https.ref.password}"
},
"http_keystore_type": "${globals.keystore.https.type}",
"http_key_alias": "${globals.keystore.https.http_key_alias}",
"http_key_password": "${globals.keystore.https.http_key_password}",
"authenticators": [
{
"id": "auth00",
"type": "SAMLIDP",
"config": {
"context_path": "/saml/authn/chain",
"base_path": "/saml/authn",
"expiry": "PT1S",
"force_re_auth": false,
"idp": "${globals.saml.idp1.idp_entityid}",
"chain": [
{
"id": "selector_root",
"required": true
}
],
"assertion_config": [
{
"target_sp": [
"FortifiedID_Portal"
],
"nameid_parameter": "mail",
"auth_context_parameter": "AuthnContextClassRef",
"additional_attribute_parameter": [
"givenName",
"sn",
"mail",
"roles",
"display_name",
"distinguishedName"
],
"pre_assertion_pipe": "Retrieve_data_for_SAML_response_for_Portal"
}
]
}
},
{
"id": "selector_root",
"type": "Selector",
"config": {
"base_path": "/saml/authn",
"webroot_dir": "web/authenticator/selector",
"auto_select": false,
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/1_selector_root",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"options": [
{
"id": "1",
"target": "validate_uid_smtp_otp_chain",
"label": "ldap_label",
"logo": "assets/svg/microsoft.svg"
}
]
}
},
{
"id": "validate_uid_smtp_otp_chain",
"type": "Chain",
"config": {
"base_path": "/saml/authn",
"chain": [
{
"id": "uid_pwd_ldap",
"required": true
},
{
"id": "validate_otp",
"required": true
}
]
}
},
{
"id": "uid_pwd_ldap",
"type": "UserNameAndPassword",
"config": {
"base_path": "/saml/authn",
"webroot_dir": "web/authenticator/username_password",
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/4_main_username_password",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"pipe_id": "Validate_Username_Password",
"exports": [
{
"name": "used_auth",
"value": "username_password_ldap"
},
{
"name": "AuthnContextClassRef",
"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
}
]
}
},
{
"id": "validate_otp",
"type": "OTPValidator",
"config": {
"base_path": "/saml/authn",
"pipe_id": "Validate_OTP",
"overlay_dirs": [
"${globals.file_paths.base_dir}/config/resources_external/overlays/3_validate_otp",
"${globals.file_paths.base_dir}/config/resources_external/overlays/0_look_and_feel"
],
"webroot_dir": "web/authenticator/otp_validation",
"exports": [
{
"name": "AuthnContextClassRef",
"value": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
}
]
}
}
]
}
},
{
"name": "Pipes",
"config": {
"pipes": [
{
"id": "Validate_Username_Password",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest ***"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports ***"
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "mail={{{request.identifier}}}",
"attributes": [
{
"name": "mail",
"multivalue": false
}
]
}
},
{
"name": "LDAPBind",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"dn": "{{{item.id}}}",
"password": "{{{request.password}}}"
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "GenerateOtp",
"enabled": true,
"config": {
"otp_length": 6,
"alpha_numeric": false,
"valid_time": 60,
"dest_parameter": "generated_otp",
"otp_parameter": "generated_otp_value"
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "generated_otp",
"value": "{{{item.generated_otp}}}",
"replace": true
}
},
{
"name": "SmtpSender",
"enabled": true,
"config": {
"smtp_destination": "smtp01",
"username_parameter": "{{{request.identifier}}}",
"subject_parameter": "** Your verification code **",
"message_template": "${globals.file_paths.base_dir}/config/resources_internal/mail_template/mail_template.txt",
"mail_to_parameter": "{{{item.mail}}}",
"mail_from_parameter": "noreply@mycompany.com",
"_mail_cc_parameter": "admin@mycompany.com",
"remove_prefixes": [
"SMTP:",
"sip:"
]
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
},
{
"id": "Validate_OTP",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest ***"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports ***"
}
},
{
"name": "ValidateOtp",
"enabled": true,
"config": {
"username_parameter": "{{{exports.username}}}",
"otp_parameter": "{{{request.otp}}}",
"src_parameter": "{{{exports.generated_otp}}}"
}
}
]
}
},
{
"id": "Retrieve_data_for_SAML_response_for_Portal",
"config": {
"valves": [
{
"name": "DumpRequest",
"config": {
"label": "*** DumpRequest from DumpData Portal ***"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports from DumpData Portal ***"
}
},
{
"name": "ExportsPut",
"exec_if_expr": "exports.used_auth == ('username_password_ldap')",
"enabled": true,
"config": {
"name": "LDAP_search_filter",
"value": "mail={{{request.username}}}",
"replace": true
}
},
{
"name": "LDAPSearch",
"enabled": true,
"config": {
"destination": "${globals.ldap.ldap1.name}",
"base_dn": "${globals.ldap.ldap1.connection.base_dn}",
"scope": "SUB",
"filter": "{{{exports.LDAP_search_filter}}}",
"attributes": [
{
"name": "givenName",
"multivalue": false
},
{
"name": "sn",
"multivalue": false
},
{
"name": "sAMAccountName",
"multivalue": false
},
{
"name": "mail",
"multivalue": false
},
{
"name": "carLicense",
"multivalue": true
},
{
"name": "displayName",
"multivalue": false
},
{
"name": "distinguishedName",
"multivalue": false
}
]
}
},
{
"name": "ExportsPut",
"enabled": true,
"config": {
"name": "username",
"value": "{{{item.mail}}}",
"replace": true
}
},
{
"name": "ItemPropertyAdd",
"enabled": true,
"config": {
"name": "display_name",
"value": "{{{item.displayName}}}"
}
},
{
"name": "ItemPropertyRename",
"enabled": true,
"config": {
"old_name": "carLicense",
"new_name": "roles"
}
},
{
"name": "DumpExports",
"config": {
"label": "*** DumpExports****"
}
},
{
"name": "DumpState",
"config": {
"label": "*** DumpState ***"
}
}
]
}
}
]
}
}
]
}
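The two pipes in the configuration above, Validate_Username_Password and Validate_OTP, are the security-critical part of the flow. The following Python is an added example written for this page, not Fortified ID code, and the product's valves remain a black box: it models what a correct implementation of those steps has to do (search the user with an escaped mail filter, generate a 6-digit numeric code valid for 60 seconds as in the GenerateOtp settings, and accept it once, bound to the user who passed the password step, using a constant-time comparison). The in-memory store, the max_attempts lockout and the user names are assumptions made for the example; use it as a checklist of behaviours to confirm when you test the real configuration.

```python
"""Model of the Validate_Username_Password and Validate_OTP pipes.
Added example for this page; not Fortified ID code. GenerateOtp settings
(otp_length 6, alpha_numeric false, valid_time 60) are taken from the
configuration; the store and the lockout threshold are assumptions."""
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515).

    The pipe templates request.identifier into "mail={{{request.identifier}}}".
    Whatever escaping the product applies, confirm that an identifier such as
    "*" or "x)(objectClass=*" cannot change the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def mail_filter(identifier: str) -> str:
    """The search filter of the LDAPSearch valve, with the value escaped."""
    return "(mail=%s)" % ldap_filter_escape(identifier)


def generate_otp(otp_length: int = 6, alpha_numeric: bool = False) -> str:
    """Same shape as the GenerateOtp valve. secrets is the CSPRNG; the
    random module would make the code predictable."""
    alphabet = string.ascii_uppercase + string.digits if alpha_numeric else string.digits
    return "".join(secrets.choice(alphabet) for _ in range(otp_length))


@dataclass
class IssuedOtp:
    username: str
    value: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpStore:
    """Server-side state the OTP check needs. In the configuration the code
    travels as exports.generated_otp inside the authentication session."""
    valid_time: int = 60        # seconds, as in the GenerateOtp config
    max_attempts: int = 5       # assumption: a 6-digit code must not be guessable
    issued: dict = field(default_factory=dict)

    def issue(self, username: str, now=None) -> IssuedOtp:
        now = time.time() if now is None else now
        otp = IssuedOtp(username, generate_otp(), now + self.valid_time)
        self.issued[username] = otp         # a reissue replaces any pending code
        return otp

    def validate(self, username: str, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        otp = self.issued.get(username)     # bound to the user from the password step
        if otp is None or otp.used or now > otp.expires_at:
            return False
        otp.attempts += 1
        if otp.attempts > self.max_attempts:
            del self.issued[username]       # too many guesses: force a new code
            return False
        if not hmac.compare_digest(otp.value, submitted):
            return False
        otp.used = True                     # single use: replaying the mail fails
        return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk the flow for one (constructed) user and report each check."""
    store = OtpStore()
    issued = store.issue("alice@example.com", now=now)
    return {
        "filter": mail_filter("alice@example.com"),
        "first_try": store.validate("alice@example.com", issued.value, now=now + 5),
        "replay": store.validate("alice@example.com", issued.value, now=now + 6),
        "other_user": store.validate("bob@example.com", issued.value, now=now + 6),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to check against the real deployment while you test: the ValidateOtp valve reads the stored code from exports.generated_otp, so confirm it is never rendered to the browser; and the DumpRequest, DumpExports and DumpState valves in the pipes are debugging aids that will write the request (which carries the password) and the exports (which carry the OTP) to the log, so disable them outside the lab.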
You should be redirected to Fortified ID WEB acting as SAML IdP and see the following:
Click Username & Password (LDAP); you should now see:
After the username and password have been verified you are prompted for the one-time password. Check the user's mail client for an email with the one-time password; in this use case that client is FakeSMTP.
Click Sign in. You should now be redirected back to Fortified ID Portal and see the following. What you see can differ depending on the configuration and on the attribute values of the logged-in user.