shibboleth-dev - [Shib-Dev] [PATCH] Multi-factor authentication
- From: Fredrik Thulin <>
- To:
- Subject: [Shib-Dev] [PATCH] Multi-factor authentication
- Date: Thu, 27 Jan 2011 20:55:35 +0100
All,
A couple of days ago I asked about two factor authentication on the
shibboleth-users list. I was told that such functionality would be best
implemented in a new login handler.
I've written a multi-factor authentication login handler that I would
like to contribute. This work is heavily based on the UsernamePassword
login handler, with some extra magic to support interaction with JAAS
modules capable of requesting multiple authentication tokens from the
CallbackHandler. Please see the attached patch against revision 2983 of
https://svn.middleware.georgetown.edu/java-idp/branches/REL_2.
The fundamental idea I had when designing it this way was that people
are likely to want to use an existing configuration with for example
LDAP authentication as their first factor, and add a token based second
factor.
The "magic" in the CallbackHandler should work with one factor being a
traditional JAAS module (such modules would get what is in "j_password"),
and any number of "new style" JAAS modules which would get a complete
set of all tokens presented ("j_password" + "j_tokens[0]"
... "j_tokens[N]").
I've written two JAAS modules capable of getting all tokens from the
MultiFactorAuthLoginModule. One for YubiKey OTP online validation, and
one for generic OATH-HOTP token validation (using the Apache
lib_authn_otp as a backend). They are both hosted on GitHub:
https://github.com/Yubico/yubico-java-client/commits/feature%2Fshibboleth_multifactor_auth
What say you? All feedback welcome! Testers and collaborators even more so.
/Fredrik
Configuration example:
On the SP, request Token authentication:
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="yourID" ...>
        <SessionInitiator ... authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Token"/>
    </SessionInitiator>
On the IdP:
handler.xml:
    <!-- Multi-factor authentication login handler -->
    <ph:LoginHandler xsi:type="ph:MultiFactorAuth"
                     jaasConfigurationLocation="file:///local/shibboleth/idp/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Token</ph:AuthenticationMethod>
    </ph:LoginHandler>
login.config:
    ShibUserPassAuth {
        /* first factor */
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
            ldapUrl="ldap://ldap.example.com:389"
            ...;
        /* second factor */
        com.yubico.jaas.YubikeyLoginModule required
            clientId="4711";
        /* // OATH-HOTP second factor
        com.yubico.jaas.HTTPOathHotpLoginModule required
            protectedUrl = "http://auth.example.com/oath-protected/"
            expectedOutput = "Authenticated with OATH-HOTP.";
        */
    };
Attachment:
0001-MultiFactorAuth.patch.gz
Description: GNU Zip compressed data
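The CallbackHandler routing described in the message (a traditional JAAS module receives only "j_password", while "new style" modules receive the complete token set), shown as an added illustration that is not part of the attached patch; the class and callback names, in particular MultiTokenCallback, are assumptions and not the patch's actual API:

```java
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical callback a "new style" module uses to ask for every token
// presented at login (j_password followed by j_tokens[0] ... j_tokens[N]).
final class MultiTokenCallback implements Callback {
    private List<String> tokens;
    void setTokens(List<String> t) { tokens = t; }
    List<String> getTokens() { return tokens; }
}

// Hypothetical handler: traditional modules see only the password, multi-token
// modules see the full set, so an existing LDAP first factor keeps working.
final class MultiFactorCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;          // value of j_password
    private final List<String> extraTokens; // values of j_tokens[0] ... j_tokens[N]

    MultiFactorCallbackHandler(String username, char[] password, List<String> extraTokens) {
        this.username = username;
        this.password = password.clone();
        this.extraTokens = new ArrayList<>(extraTokens);
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                // Traditional JAAS module (e.g. the LDAP first factor): password only.
                ((PasswordCallback) cb).setPassword(password.clone());
            } else if (cb instanceof MultiTokenCallback) {
                // New-style module (e.g. an OTP second factor): complete token set.
                List<String> all = new ArrayList<>();
                all.add(new String(password));
                all.addAll(extraTokens);
                ((MultiTokenCallback) cb).setTokens(all);
            } else {
                throw new UnsupportedCallbackException(cb, "Callback type not supported");
            }
        }
    }
}
```

A module that cannot locate its factor among the supplied tokens should fail its login() rather than fall back, so that a missing second factor never degrades to single-factor authentication.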