This project add a TOTP loginhandler for shibboleth-idp
The TOTP secret is stored encrypted in LDAP
First install maven and java 1.8 devel.
Then create the file /opt/shibboleth-idp/credentials/totp-configfile both on your current compiling node and the shibboleth-idp node
# Lines are in this format type:value
# Values are encoded in base64
#
# FirstPartOfTOTPAESKey and SecondPartOfTOTPAESKey
# will be used for the encryption key for the TOTP secrets stored in LDAP
# Fore more info about the encryption see TOTPAES.java
# Change them to something appropriate
#
# TOTPMaxTries is how many times one can try
# before the module start taking anti bruteforce measures
#
# TOTPThrottleTime is how many seconds the account and/or ip address
# will be locked because of anti bruteforce measures
#
# To encode the values to base64 use this
# echo -n "BBB" | base64
# Will give you QkJC
#
# To decode base64 do this
# echo "QkJC" | base64 -d
FirstPartOfTOTPAESKey:QUFB
SecondPartOfTOTPAESKey:QkJC
TOTPMaxTries:OA==
TOTPThrottleTime:MTIwMA==
To compile the module run
mvn clean install
This will give you a jar file
totp-0.99.jar
Copy this file to your shibboleth-idp installation like
cp totp-0.99.jar ${shibboleth-idp}/edit-webapp/WEB-INF/lib/
Rebuild shibboleth-idp with the module using
cd ${shibboleth-idp}
./bin/build.sh
In ${shibboleth-idp}/conf/logback.xml we have this
<!-- Logs IdP, but not OpenSAML, messages -->
<logger name="net.shibboleth.idp" level="INFO"/>
Add this just below
<!-- TOTP set to DEBUG if needed -->
<logger name="se.smhi.totp" level="INFO"/>
In ${shibboleth-idp}/conf/authn/general-authn.xml we have this
<bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true" />
Add this just below
<!-- TOTP -->
<bean id="authn/TOTP" parent="shibboleth.AuthenticationFlow"
p:passiveAuthenticationSupported="true"
p:forcedAuthenticationSupported="true">
<property name="supportedPrincipals">
<util:list>
<bean parent="shibboleth.SAML2AuthnContextClassRef"
c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" />
</util:list>
</property>
</bean>
In ${shibboleth-idp}/conf/authn/ldap-authn-config.xml we have this line
<alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
Add this line below it
<alias name="ValidateUsernamePasswordTOTPAgainstLDAP" alias="ValidateUsernamePasswordTOTP" />
In the file ${shibboleth-idp}/conf/ldap.properties we have idp.authn.LDAP.returnAttributes
Edit idp.authn.LDAP.returnAttributes by adding the name of your LDAP TOTP attribute here so shibboleth fetch it during authentication
Also edit TOTP to idp.authn.flows like
idp.authn.LDAP.returnAttributes = cn,TOTPAttribute
idp.authn.flows = Password|TOTP
In ${shibboleth-idp}/flows/authn/conditions/conditions-flow.xml we have this
<action-state id="ValidateUsernamePassword">
<!-- Call outs for exceptional conditions. -->
<transition on="AccountWarning" to="CallExpiringPassword" />
<transition on="ExpiringPassword" to="CallExpiringPassword" />
<transition on="ExpiredPassword" to="CallExpiredPassword" />
<transition on="AccountLocked" to="CallAccountLocked" />
<transition to="DisplayUsernamePasswordPage" />
</action-state>
Add this just below
<!-- TOTP -->
<action-state id="ValidateUsernamePasswordTOTP">
<!-- Call outs for exceptional conditions. -->
<transition on="AccountWarning" to="CallExpiringPassword" />
<transition on="ExpiringPassword" to="CallExpiringPassword" />
<transition on="ExpiredPassword" to="CallExpiredPassword" />
<transition on="AccountLocked" to="CallAccountLocked" />
<transition to="DisplayUsernamePasswordTOTPPage" />
</action-state>
In ${shibboleth-idp}/messages/authn-messages.properties add these lines
ThrottledUsername = throttled-username
ThrottledIPAddress = throttled-ipaddress
throttled-username.message = Your account is locked for XXX (see TOTPThrottle.java file) minutes
throttled-ipaddress.message = Your IP address is locked for XXX (see TOTPThrottle.java file) minutes
In the file ${shibboleth-idp}/system/conf/webflow-config.xml we have this line
<webflow:flow-location id="authn/Password" path="../system/flows/authn/password-authn-flow.xml" />
Add this below it
<!-- TOTP-->
<webflow:flow-location id="authn/TOTP" path="../system/flows/authn/totp-authn-flow.xml" />
Now copy the TOTP config files
cp system/flows/authn/totp-authn-beans.xml to ${shibboleth-idp}/system/flows/authn/totp-authn-beans.xml
cp system/flows/authn/totp-authn-flow.xml ${shibboleth-idp}/system/flows/authn/totp-authn-flow.xml
cp views/loginTOTP.vm ${shibboleth-idp}/views/loginTOTP.vm
cp conf/authn/totp-authn-config.xml ${shibboleth-idp}/conf/authn/totp-authn-config.xml
Uncomment the function call to generateSecretSaltIvForLDAP at the end of the function testValidateTOTPCode in TOTPTest.java then
mvn clean install
Edit your LDAP multivalue attribute and add the generated encrypted secret, salt and IV to your LDAP attribute Add the TOTP secret to your TOTP device, for example the app Google Authenticator for Android/iPhone phones