ForgeRock OpenAM and Google Authenticator: Will it blend?




OpenAM provides built in support for OATH authentication (not to be confused with OAuth, which is a different kettle of fish altogether).


OATH defines an open standard for One Time Password (OTP) generators.  These can be HMAC Hash based (HOTP), or time based (TOTP).


Google Authenticator is a free application that you can download for your Android or iOS device that provides an implementation of the OATH TOTP standard.   It turns out to be surprisingly easy to configure Google Authenticator to work with OpenAM.


Let's walk through the steps.

We will configure this in a realm called "test". Realm's are a kick butt feature of OpenAM that allows us to create isolated administration, data store and policy domains.  A common use would be to configure separate environments for customers and employees, but realms are also great for creating test environments.


Navigate to your test realm, click on the "Authentication Tab". Under "Modules" edit the OATH module. It should look something like this:




The key attributes we need to set for Google Authenticator are:
  • Auth Level.  This is a higher strength multi-factor module, so we assign a value of 10 here. 
  • One Time Password Length: This is the length of the OTP that will be displayed by the Google Authenticator application. Six is the default for Authenticator. 
  • Minimum secret key length: I used 8 for this example, which is too short for production. This is the length (in hex characters) of the encoded secret. 
  • Secret Key Attribute: This is the name of the ldap attribute where the secret key is stored. For this example I am using the "title" attribute. This isn't a great choice, and for production you would extend your ldap schema with a dedicated attribute. 
  • OATH Algorithm:  TOTP for Google Authenticator
  • Last Login Time Attribute:  The OATH TOTP module needs to store the last login timestamps (UNIX long time) in this attribute.  I am using "description" but again you should extend your schema with a dedicated attribute.
You will want to ensure that the attributes chosen above are fetched by OpenAM. Navigate to your datastore configuration for the realm and make sure that "LDAP User Attributes" contains the two attributes you have configured in the OATH module.

Now that we have configured the OATH module, we need to modify the default ldapService chain to use the new module:


The above chain will first authenticate the user against the Datastore (i.e. ldap username/password), and if that is successful will pass them on to the OATH module. Both modules are "REQUIRED" - so the user must pass through both to authenticate. 

Registering the Shared Secret 


Before we can test this out, we need to seed our LDAP with the shared secret. The OpenAM server and Google Authenticator must share a common secret to authenticate the user. Briefly, the way this works is that the Authenticator client will hash the current time using the shared secret to obtain a OTP. The server will do the same and compare the results with the OTP entered by the user. 

For convenience the easiest way to register a secret with the Authenticator application is to use a QR code. The user simply scans the generated QR code to setup the account. The same secret is registered with the LDAP server.  

Ideally we would have a nice registration page that handles this - but for now we will do this manually.

The tricky bit is the encoding of the secret for storage.  The secret key stored in LDAP is the Base16 encoded value of the secret. For generating a QR code for scanning, we must use the Base32 encoding. 

Using the example below:
Shared Secret: "hello" (without the quotes)
Base16 encoded value: 68656C6C6F (http://online-calculators.appspot.com/base16/ to generate this)
Base32 encoded value: NBSWY3DP (http://online-calculators.appspot.com/base32/ )

To register the QR code we create a special URL of the form:

otpauth://totp/test@forgerock.com?secret=NBSWY3DP

Where the secret is the Base32 encoded value that we determined above. This URL can be pasted into a QR generator (http://goqr.me/ for example) and scanned into your Google Authenticator application. Here is an example:





We can use an LDAP Client such as Apache Studio to register the base 16 encoded secret:





Let's give it a whirl!  Navigate to the login page for your realm. For example http://openam.example.com:8080/openam/XUI/#login/test

You will first see the LDAP module challenge:


Followed by the OTP challenge:



Enter the OTP displayed by your Google Authenticator Application.  You should be authenticated and redirected to the profile landing page.

Troubleshooting

If you run into problems enable the debug log at message level (Configuration -> Servers and Sites -> your server url -> Debugging).  Look for messages with "oath" in the string.

The logs are under your openam config directory (openam-config/openam/debug).



Comments

zeinab said…
hello��
i'm zeinab

I want to disable my 2 step verification code for log in in my account instagram and just log in with user name and password.
Because I changed my phone and i forgot my password in authenticator app.
i do not have this code in my new phone. i know that i can disable that in may account. but now i cant log in to my account because when i enter user name and password, insta wants the code from authenticator app and i do not have it. so what can i do?
@zeinabkazemi780@gmail.com
January 26, 2020 at 1:59 PM
Post a Comment

Popular posts from this blog

Introducing ds-operator, the ForgeRock Directory Services Operator for Kubernetes

Image
ForgeRock Directory Services 7.0 was a big achievement for the Grenoble Directory team.  It is the only "Kubernetes native" directory where you can add a new replica using kubectl: kubectl scale sts/ds-idrepo --replicas=3 The 7.0 deployment is assembled using standard Kubernetes primitives such as StatefulSets , Persistent Volume Claims, and Services.  This is all built and orchestrated using Skaffold and Kustomize .  An emerging pattern in the Kubernetes world is the use of Custom Resources and Operators .  Broadly speaking, a custom resource is the declaration of the desired system state, and the operator's job is to observe the current state and bring the system into alignment with the declared state: source: https://blog.container-solutions.com/kubernetes-operators-explained The Kubernetes API server (the thing that responds to your kubectl commands) can be extended to handle new custom types.  A custom resource definition (CRD) describes to the API server the syntax
Read more

Automating OpenDJ backups on Kubernetes

Image
Kubernetes   StatefulSets  are designed to run "pet" like services such as databases.   ForgeRock's OpenDJ LDAP server is an excellent fit for StatefulSets as it requires stable network identity and persistent storage. The ForgeOps project contains a Kubernetes Helm chart to deploy DJ to a Kubernetes cluster. Using a StatefulSet, the cluster will auto-provision persistent storage for our pod. We configure OpenDJ to place its backend database on this storage volume. This gives us persistence that survives container restarts, or even restarts of the cluster. As long as we don't delete the underlying persistent volume, our data is safe. Persistent storage is quite reliable, but we typically want additional offline backups. The high level approach to accomplish this is as follows: Configure the OpenDJ container to support scheduled backups to a volume. Configure a Kubernetes volume to store the backups. Create a sidecar container that archives the backups
Read more

Deploying the ForgeRock platform on Kubernetes using Skaffold and Kustomize

Image
If you are following along with the  ForgeOps repository, you will see some significant changes in the way we deploy the ForgeRock IAM platform to Kubernetes.  These changes are aimed at dramatically simplifying the workflow to configure, test and deploy ForgeRock Access Manager, Identity Manager, Directory Services and the Identity Gateway. To understand the motivation for the change, let's recap the current deployment approach: The Kubernetes manifests are maintained in one git repository ( forgeops ), while the product configuration is another ( forgeops-init ). At runtime ,  Kubernetes init containers clone the configuration from git and make it  available to the component using a shared volume. The advantage of this approach is that the docker container for a product can be (relatively) stable. Usually it is the configuration that is changing, not the product binary. This approach seemed like a good idea at the time, but in retrospect it created a lot of c
Read more