
simpletotp's Introduction

SimpleTOTP

SimpleTOTP is a SimpleSAMLphp auth processing filter that enables the use of the Time-Based One-Time Password Algorithm (TOTP) as a second-factor authentication mechanism on either an Identity Provider or Service Provider (...or both!).

This has been tested with Google Authenticator on iOS and Android.

Why?

While there are already a few two-factor authentication modules for SimpleSAMLphp, they are all implemented as authentication sources.

As an auth processing filter, this module is flexible in a number of ways:

  • agnostic to where the TOTP secret is stored
  • can be enabled on select Service Providers or an entire Identity Provider

Usage

Like any other auth process filter, this module needs to be configured in an authproc array in either config.php or in the metadata for a particular service provider or identity provider.

Prerequisites

The attribute named by secret_attr needs to be present in the attribute payload, because it is used to generate the token that the submitted code is compared against. It can be added by other auth process filters that look up an external data source (SQL, LDAP, etc.).

After the module has run, the attribute will be moved out of the user attribute array. As a safety precaution, an extra step should be taken to ensure this attribute is removed, for example with the core:AttributeAlter filter or similar.

Example

Placed in either config.php's authproc or in the appropriate metadata entity:

10 => array(
	'class' => 'simpletotp:mfa',
	'secret_attr' => 'ga_secret', //default
	'enforce_mfa' => false, //default
	'not_configured_url' => NULL,  //default
	'validation_timeout' => <int>, //default 60 (units: minutes) - optional timeout value for re-validation
),

Placed in config.php authproc as one of the last functions to be processed:

99 => array(
	'class' => 'core:AttributeAlter',
	'subject' => 'ga_secret',
	'pattern' => '/.*/',
	'%remove',
),

Example of how it can work with the example-userpass module. The configuration below goes in authsources.php. The exampleauth module is enabled by default, but if it is not, create a file called enable inside the modules/exampleauth directory.

	'example-userpass' => array(
		'exampleauth:UserPass',
		'student:studentpass' => array(
			'uid' => array('test'),
			'ga_secret' => array('4HX4WBKVIJWDUV5I'),
			'eduPersonAffiliation' => array('member', 'student'),
		),
	),

After logging in with username student and password studentpass, you will be challenged for a TOTP code. 4HX4WBKVIJWDUV5I is a secret key that can be generated by visiting /simplesaml/module.php/simpletotp/generate_token.php

A random one is generated every time. You can also use the QR code to register your IdP with apps such as FreeOTP or Google Authenticator.

NOTE: for TOTP to work you MUST ensure that the clock on your server is in sync. If it is not, a matching token will never be generated and authentication will fail.

Installation

Via Git

A simple git clone in the SimpleSAMLphp module directory is all that is required.

Via Composer

composer.phar require aidan/simplesamlphp-module-simpletotp

TODO

  • improve usage documentation with examples using external database(s) as data sources
  • add basic brute force prevention

simpletotp's People

Contributors

aidan-, clmcavaney, jfautley, shoaibali, ziemek99

simpletotp's Issues

SimpleSAMLPHP v2.x - issue with class inheritance

G'day @aidan-,
I have been using your SimpleTOTP module with a SimpleSAMLPHP v1.x installation, and am now trying to upgrade to v2.x
I realise that you may not be actively working in this space any more, but was wondering if your PHP insights may be able to assist.

I am hitting this error:

SimpleSAML\Error\UnserializableException: Could not resolve 'simpletotp:2fa': The class 'SimpleSAML\Module\simpletotp\Auth\Process\2fa' isn't a subclass of '\SimpleSAML\Auth\ProcessingFilter'.

I have modified the class definition from:

class sspmod_simpletotp_Auth_Process_2fa extends SimpleSAML_Auth_ProcessingFilter

to

use SimpleSAML\Auth;
...
class sspmod_simpletotp_Auth_Process_2fa extends Auth\ProcessingFilter

So, from what I understand, through the extends keyword, the "sspmod_simpletotp_Auth_Process_2fa" class is a subclass of SimpleSAML\Auth\ProcessingFilter.

Do you have any pointers?

Install guide

Hey,

Can you please provide an install guide with the steps?
I tried it myself but I get: SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: The configuration (config/config.php) is invalid: Missing configuration file

Backtrace:
0 www/_include.php:70 (N/A)

BadRequest in authenticate.php

In public/authenticate.php line 22: throw new SimpleSAML_Error_BadRequest(
should be changed to throw new SimpleSAML\Error\BadRequest(.

TOTP bypass issue after password authentication

The user is able to bypass the TOTP page just by refreshing the page.

Issue:
The variable 'lastverified' is intended to track the time when the user last successfully verified the TOTP code. However, in the current code, 'lastverified' is set as soon as the user lands on the authentication page, which appears to be incorrect. 'lastverified' should only be set when the TOTP is successfully matched and verified. As a workaround, I have moved the code to set 'lastverified' within the authenticate.php file, under the section where the TOTP code is matched.

if ($code === $_REQUEST['code']) {
    $now = time();
    $session->setData(
        '\SimpleSAML\Module\simpletotp',
        'lastverified',
        $now,
        Session::DATA_TIMEOUT_SESSION_END
    );
    ProcessingChain::resumeProcessing($state);
} else {
    $displayed_error = "You have entered the incorrect TOTP token.";
}

This needs to be fixed asap.
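As an added example (not the SimpleTOTP module's own code), the two checks that the issue above and the README's validation_timeout option describe, in plain PHP: an RFC 6238 TOTP comparison over a small clock-skew window, and a re-validation gate that only honours a 'lastverified' stamp written after a successful match. The function names, the base32 helper and the demo values are assumptions.

```php
<?php
// Added example, not the SimpleTOTP module's code; names and the base32 helper are assumed.
function base32Decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException("bad base32 char: $c"); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {           // drop the trailing partial byte
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// RFC 4226 HOTP value for one counter; TOTP uses counter = floor(unix time / 30).
function totpCode(string $key, int $counter, int $digits = 6): string {
    $h = hash_hmac('sha1', pack('J', $counter), $key, true);   // 8-byte big-endian counter
    $off = ord($h[19]) & 0x0f;                                 // dynamic truncation offset
    $bin = ((ord($h[$off]) & 0x7f) << 24) | (ord($h[$off + 1]) << 16)
         | (ord($h[$off + 2]) << 8) | ord($h[$off + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30 s step and one step either side, so slight clock skew still
// works, while a server clock that is far out of sync never matches (the README's NOTE).
function totpVerify(string $b32secret, string $submitted, int $now, int $skewSteps = 1): bool {
    $key = base32Decode($b32secret);
    $step = intdiv($now, 30);
    for ($i = -$skewSteps; $i <= $skewSteps; $i++) {
        if (hash_equals(totpCode($key, $step + $i), $submitted)) { return true; }
    }
    return false;
}

// Re-validation gate for validation_timeout (minutes): the prompt may be skipped only
// if a 'lastverified' stamp exists, and that stamp must be written solely after a match.
function needsTotpPrompt(?int $lastVerified, int $now, int $timeoutMinutes = 60): bool {
    return $lastVerified === null || ($now - $lastVerified) > $timeoutMinutes * 60;
}

// Constructed demo with the README's sample secret: the live code must verify against
// the current clock, and the same code must be rejected by a clock five minutes behind.
$now = time();
$live = totpCode(base32Decode('4HX4WBKVIJWDUV5I'), intdiv($now, 30));
var_dump(totpVerify('4HX4WBKVIJWDUV5I', $live, $now), totpVerify('4HX4WBKVIJWDUV5I', $live, $now - 300));
var_dump(needsTotpPrompt(null, $now), needsTotpPrompt($now - 120, $now));
```

Run it from the command line with php; the code it accepts is the one an authenticator app enrolled with the same secret shows at that moment, which is why a skewed server clock fails as the README warns.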

How to enable the module?

Using SimpleSAML from apt-get install under Ubuntu 16.04. Followed install instructions.

Get the following error upon trying an auth:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /usr/share/simplesamlphp/www/module.php:170 (N/A)
Caused by: Exception: Could not resolve 'simpletotp:2fa': No class named 'sspmod_simpletotp_Auth_Process_2fa'.

Do I have to manually enable the module? Right now it's in: /usr/share/simplesamlphp/modules/SimpleTOTP and "default-enable" is present.

thanks!
