How to Integrate NetIQ Access Manager with Google Authenticator for two-factor authentication



By: cstumula

August 6, 2013 12:08 pm


Download googleAuthenticator-coolsolution_v06

Introduction

Many organizations need or want to implement multi-factor authentication to satisfy regulatory requirements or to raise the bar for attackers. Several commercial two-factor products can be integrated with NetIQ Access Manager (NAM); this cool solution shows how to use the Google Authenticator one-time password (OTP) as a second authentication factor in a NAM authentication contract. Included are a sample NAM authentication class that you can use or enhance, and the integration and configuration instructions for adding the OTP “something you have” factor to complement the “something you know” user ID and password factor.

Google Authenticator is a standards-based open source project published by Google. It implements the HMAC-Based One-Time Password (HOTP) algorithm specified in RFC 4226 and the Time-Based One-Time Password (TOTP) algorithm specified in RFC 6238. The project includes one-time passcode generators for several platforms:

  • Android – available from Google Play
  • iOS – available from iTunes
  • Blackberry
  • Pluggable Authentication Module (PAM)

Links to the apps for these platforms are available from the Google Authenticator project home page.

The one-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH), which is unrelated to OAuth. Google Authenticator produces a six-digit number that users must supply in addition to their username and password to log in to NAM-protected services. With TOTP the number changes every 30 seconds and is derived from a per-user secret seed that the app and the server share from registration time onward, so the server needs nothing more than that seed and an accurate clock to validate a code. Several SaaS providers have adopted Google Authenticator as a second factor; now you can use it for your NAM-protected applications too.
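To make the algorithm concrete, here is an added example (not code from the cool solution bundle or from the Google Authenticator project) of what the Identity Server has to do with a submitted token and what it hands to the user at registration. The class name, the SKEW_STEPS window of one step, and the “NAM:alice” label in the otpauth URI are choices made for this example; HMAC-SHA1, six digits, a 30-second step and the base32 presentation of the seed are Google Authenticator’s defaults, and the check values printed by main come from the RFC 4226 / RFC 6238 test vectors for the ASCII secret “12345678901234567890”.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** HOTP (RFC 4226) and TOTP (RFC 6238) with Google Authenticator's defaults: HMAC-SHA1, 6 digits, 30 s. */
public final class GoogleAuthenticatorTotp {
    static final int DIGITS = 6;
    static final long STEP_SECONDS = 30;
    static final int SKEW_STEPS = 1;   // example choice: accept one step either side of "now" for clock drift
    private static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** RFC 4226 section 5.3: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^DIGITS. */
    static int hotp(byte[] secret, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return bin % (int) Math.pow(10, DIGITS);
    }

    /** RFC 6238: the counter is the number of 30-second steps since the Unix epoch. */
    static int totp(byte[] secret, long unixSeconds) throws Exception {
        return hotp(secret, unixSeconds / STEP_SECONDS);
    }

    static String format(int code) {
        return String.format("%0" + DIGITS + "d", code);
    }

    /** What the Identity Server must do with a posted token: exact length check, small time window, constant-time compare. */
    static boolean verify(byte[] secret, String submitted, long unixSeconds) throws Exception {
        if (submitted == null || !submitted.matches("\\d{" + DIGITS + "}")) return false;
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        long step = unixSeconds / STEP_SECONDS;
        boolean ok = false;
        for (long s = step - SKEW_STEPS; s <= step + SKEW_STEPS; s++) {
            byte[] expected = format(hotp(secret, s)).getBytes(StandardCharsets.US_ASCII);
            ok |= MessageDigest.isEqual(expected, given);   // no early exit: timing does not reveal which step matched
        }
        return ok;
    }

    /** Registration: a fresh 160-bit seed; its base32 form is what the QR code and the manual-entry key carry. */
    static byte[] newSecret() {
        byte[] s = new byte[20];
        new SecureRandom().nextBytes(s);
        return s;
    }

    static String base32Encode(byte[] data) {
        StringBuilder sb = new StringBuilder();
        int buf = 0, bits = 0;
        for (byte b : data) {
            buf = ((buf << 8) | (b & 0xff)) & 0xffff;   // at most 12 bits are ever pending
            bits += 8;
            while (bits >= 5) { sb.append(B32.charAt((buf >> (bits - 5)) & 31)); bits -= 5; }
        }
        if (bits > 0) sb.append(B32.charAt((buf << (5 - bits)) & 31));
        return sb.toString();   // unpadded, which Google Authenticator accepts for manual entry
    }

    static byte[] base32Decode(String text) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buf = 0, bits = 0;
        for (char c : text.toUpperCase().replaceAll("[\\s=-]", "").toCharArray()) {
            int v = B32.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not base32: " + c);
            buf = (buf << 5) | v;
            bits += 5;
            if (bits >= 8) { out.write((buf >> (bits - 8)) & 0xff); bits -= 8; }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 appendix B vectors, truncated to six digits: T=59 -> 94287082 -> 287082; T=1111111109 -> 07081804 -> 081804
        byte[] rfcKey = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        System.out.println(format(totp(rfcKey, 59)) + " (expect 287082)");
        System.out.println(format(totp(rfcKey, 1111111109L)) + " (expect 081804)");
        System.out.println(verify(rfcKey, "287082", 89) + " (one step later: still accepted)");
        System.out.println(verify(rfcKey, "287082", 120) + " (two steps later: rejected)");
        System.out.println(verify(rfcKey, "28708", 59) + " (malformed: rejected)");

        // Registration: the seed the server stores, the text the user types, and the URI the QR code encodes
        byte[] seed = newSecret();
        String shown = base32Encode(seed);
        System.out.println("manual-entry key: " + shown);
        System.out.println("otpauth://totp/NAM:alice?secret=" + shown + "&issuer=NAM");   // label/issuer are placeholders
        System.out.println(Arrays.equals(seed, base32Decode(shown)) + " (base32 round trip)");
    }
}
```

Compile and run with javac and java; no external library is needed. The validation loop deliberately keeps going after a match and uses MessageDigest.isEqual, so response time does not tell a caller which step matched or how many leading characters were right. A production class should additionally record the last time step each user authenticated with and refuse the same code again inside the window; this example keeps no such state.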

Setup Details

NetIQ Access Manager Identity Server setup details

  1. Download the bundle and copy its jar files (the custom authentication class and the library jars it depends on) to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib on each NAM 3.2.x Identity Server.
  2. Move the existing commons-codec-1.3 jar out of that lib folder into a backup location and copy commons-codec-1.8.jar from extractedfolder/lib into the lib folder in its place.
  3. Download and copy the sample JSP pages to /opt/novell/nam/idp/webapps/nidp/jsp
  4. Modify web.xml (/opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml) so that the existing nidpJspFilter lists gauthRegistration.jsp in its publicAccess parameter. The filter then no longer enforces authentication for that page, so the only thing guarding it is the session parameter described under “Security concerns with registration page” below.
    <filter>
            <filter-name>nidpJspFilter</filter-name>
            <display-name>NIDP Jsp Filter</display-name>
            <description>The NIDP server JSP filter. Enforces authentication and handles clustering.</description>
            <filter-class>com.novell.nidp.servlets.filters.jsp.NIDPJspFilter</filter-class>
            <init-param>
              <param-name>publicAccess</param-name>
              <param-value>gauthRegistration.jsp</param-value>
            </init-param>
    </filter>
  5. Restart IDP
  6. As with any new authentication scheme in NAM, use the NAM Admin Console to define a new authentication Class, Method and Contract on your Identity Server or cluster. First define the Google Authenticator class: under the “Local” tab select Classes and click New.

    [Screenshot 29354-1]

  7. Give the class a logical name, e.g. GoogleAuthenticator, choose Other from the “Java class” drop-down list and enter com.netiq.custom.GoogleAuthenticatorClass as the “Java class path”.

    [Screenshot 29354-2]

  8. Before clicking Apply or OK, add a property to the class that defines where the link between a user’s Google Authenticator and their NAM user store account will be stored.

    Note: each user must register their Google Authenticator so that it is uniquely associated with their NAM user store account. This cool solution includes three sample store classes: an eDirectory user attribute implementation, a file-based class and a memory-based class.


    With the eDirectory (or any LDAP user store) approach, the registration key is stored in one of the attributes of the user object in the LDAP store. The value is encrypted with a password that is defined in the eDirectory implementation class file. That means the password ships inside the jar and is available to anyone who can read the Identity Server file system or the download bundle, so treat the attribute as sensitive and restrict who may read it in the directory.

    The file-based option writes the link to a file on the Identity Server file system; the memory-based option keeps the link in memory only, so it is lost every time the Identity Server is restarted. Either the file or the memory approach is adequate for a single-node Identity Server. For a multi-server NAM cluster the user store is the natural place, either in a schema extension on each user object or in an existing LDAP attribute, because every node then sees the same registration.

    For user store types other than eDirectory, refer to the section “How to implement custom Secret Store?” below, which gives the key APIs required.

    To use one of the supplied examples, click the Properties tab and add a New property that names the secret store connector class in which each user’s secret seed is stored. Use SECRET_STORE_CLASS as the property Name and:

    1. For the LDAP user attribute store, use com.netiq.gauth.store.LdapGAuthStoreImpl as the property Value. Add a second property named SECRET_LDAP_ATTRIBUTE_NAME whose value is the LDAP attribute name; if that property is missing, the carLicense attribute is used by default, for demonstration with an eDirectory user store. When complete, click Apply. NOTE: this class has a problem encrypting the secret; use the replacement class from the patch archive instead, following the instructions under “New class for user attribute store” below.
    2. For the file-based sample, use com.netiq.gauth.store.FileGAuthStoreImpl as the property Value.
    3. For the memory store sample, use com.netiq.gauth.store.GAuthStoreImpl as the property Value.

    Note:

    1. The file store class writes to /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/gauthkeys. This file must be created manually and owned by novlwww (run chown novlwww:novlwww /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/gauthkeys at the console). Because it holds every registered user’s seed, also restrict it to that owner (chmod 600). Restart the Identity Server when done.
    2. The in-memory store class GAuthStoreImpl writes to a HashMap. As mentioned above, this information is not persistent and is lost when the Identity Server restarts.

      [Screenshot 29354-3]

  9. Your NAM authentication class is now defined. Next, define an Identity Server Method that uses the Google Authenticator class just created, and clear the “Identifies User” checkbox as shown below: the first method in the contract identifies the user, and this one only verifies the token. When complete, click Apply.

    [Screenshot 29354-4]

  10. Your NAM authentication Class and Method are complete. The last Identity Server configuration task is to add the Google Authenticator Method to an existing NAM authentication contract as the second method. For example, you can add it as the second method of the NAM default “Name/Password – Form” contract as shown below. When complete, click Apply.
    [Screenshot 29354-5]

  11. Apply the changes and update the Identity Server (or cluster).

Testing the configuration:

  1. Access the NetIQ Identity Server page http(s)://<<idp server>>:<<port>>/nidp or a protected resource.
  2. Select the contract in which Google Authenticator is configured as the second method.
  3. Log in with the first method (here the Name/Password – Form method): provide your username and password and submit.

    [Screenshot 29354-6]

  4. After successfully authenticating with the first factor (LDAP user store username and password), the user is prompted for their Google Authenticator OTP:
    [Screenshot 29354-7]

  5. If the user has already registered, they enter the six-digit OTP currently shown by their app. Once the NAM Identity Server validates the token, the user is authenticated, a session is established and the user is directed to the requested resource; in this example the NAM NIDP page depicted below:

    [Screenshot 29354-8]

  6. If the user is registered but token validation fails (e.g. a mistyped entry), an “Invalid Token” error message is displayed:
    [Screenshot 29354-9]
  7. If the user is NOT registered or does not have a token and submits a random value, a message indicates that the user is not registered and offers a link to register for two-factor authentication.

    [Screenshot 29354-10]

  8. When the user clicks the registration link, a unique secret key is generated and displayed both as a QR code, which the user scans with the Google Authenticator client on their phone, and as text, which the user can type into the client to register the device manually.

    [Screenshot 29354-11]

  9. Once the account has been added in the mobile Google Authenticator application, it shows a token for this account.
  10. Enter that token and submit the form again.
  11. The user is authenticated.

How to implement custom Secret Store?

This cool solution provides three approaches (eDirectory user attribute, file and memory stores) for saving each user’s Google Authenticator registration key alongside their Identity Server user store identity. The following shows how to write that information to any other store.

  1. Configure the connection parameters the store needs as name/value pairs in the class properties in the Admin Console UI when defining the Google Authenticator class.
  2. Implement the GAuthStore interface defined in com.netiq.gauth.store:
    package com.netiq.gauth.store;

    import java.util.List;
    import java.util.Properties;

    /**
     * @author chandu
     */
    public interface GAuthStore {

        /** Persist the registration secret for userName. */
        public void writeToStore(String userName, String secret, List<Object> addlParams) throws Exception;
        /** Return the secret registered for userName. */
        public String readSecretFromStore(String userName, List<Object> addlParams) throws Exception;
        /** Receives the class properties defined in the Admin Console. */
        public void init(Properties prop);

    }
  3. The class properties are passed to the init method.
  4. writeToStore saves a user’s secret to the store.
  5. readSecretFromStore reads the secret for a user.
  6. Define a property SECRET_STORE_CLASS whose value is the name of the new class in the class properties in the Admin Console UI.
  7. Apply changes and update IDP configuration.
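As an added example (not part of the cool solution bundle), here is a complete GAuthStore implementation that avoids the weakness noted above for the LDAP sample, an encryption password compiled into the class: the key comes from a class property, each seed is encrypted with AES-GCM, and the ciphertext is bound to the user name so a record cannot be copied from one user to another. It persists to a Properties file like the file store. The property names SECRET_STORE_KEY and SECRET_STORE_FILE, the class name and the AES-128 key size are this example’s own choices, and it assumes Java 8 for java.util.Base64. The interface is repeated at the top only so that the file compiles on its own; when building against the bundle, delete it and implement the real com.netiq.gauth.store.GAuthStore.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Copy of the cool solution's interface so this file compiles alone; remove it when building against the bundle. */
interface GAuthStore {
    void writeToStore(String userName, String secret, List<Object> addlParams) throws Exception;
    String readSecretFromStore(String userName, List<Object> addlParams) throws Exception;
    void init(Properties prop);
}

/** Secret store that keeps each seed AES-GCM encrypted under a key supplied via the class properties. */
public class EncryptedFileGAuthStore implements GAuthStore {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the size recommended for GCM
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    private File storeFile;
    private SecretKeySpec key;
    private final Properties records = new Properties();   // userName -> base64(iv || ciphertext || tag)

    /** Receives the name/value pairs defined on the class in the Admin Console (property names are this example's). */
    @Override
    public void init(Properties prop) {
        storeFile = new File(prop.getProperty("SECRET_STORE_FILE", "/opt/novell/nam/idp/webapps/nidp/WEB-INF/classes/gauthkeys"));
        String b64Key = prop.getProperty("SECRET_STORE_KEY");
        if (b64Key == null) throw new IllegalStateException("SECRET_STORE_KEY class property is required");
        byte[] raw = Base64.getDecoder().decode(b64Key);
        if (raw.length != 16) throw new IllegalStateException("SECRET_STORE_KEY must be a base64-encoded 128-bit key");
        key = new SecretKeySpec(raw, "AES");
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) {
                records.load(in);
            } catch (IOException e) {
                throw new IllegalStateException("cannot read " + storeFile, e);
            }
        }
    }

    @Override
    public synchronized void writeToStore(String userName, String secret, List<Object> addlParams) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                                        // fresh nonce per record; never reused under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(userName.getBytes(StandardCharsets.UTF_8));   // bind the ciphertext to this user name
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_BYTES);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        records.setProperty(userName, Base64.getEncoder().encodeToString(blob));
        try (OutputStream out = new FileOutputStream(storeFile)) {
            records.store(out, "Google Authenticator seeds, AES-GCM encrypted");
        }
    }

    /** Returns null for a user who never registered; throws AEADBadTagException if a record was altered or moved. */
    @Override
    public synchronized String readSecretFromStore(String userName, List<Object> addlParams) throws Exception {
        String b64 = records.getProperty(userName);
        if (b64 == null) return null;
        byte[] blob = Base64.getDecoder().decode(b64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        c.updateAAD(userName.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    /** Stand-alone demonstration with a temporary file and a throw-away key. */
    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];
        RNG.nextBytes(k);
        Properties classProps = new Properties();                 // what the Admin Console hands to init()
        classProps.setProperty("SECRET_STORE_KEY", Base64.getEncoder().encodeToString(k));
        classProps.setProperty("SECRET_STORE_FILE", File.createTempFile("gauthkeys", ".properties").getPath());

        EncryptedFileGAuthStore store = new EncryptedFileGAuthStore();
        store.init(classProps);
        store.writeToStore("alice", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", null);   // base32 of the RFC test secret
        System.out.println("alice -> " + store.readSecretFromStore("alice", null));
        System.out.println("bob   -> " + store.readSecretFromStore("bob", null) + " (not registered)");
        store.records.setProperty("mallory", store.records.getProperty("alice"));  // simulate a copied record
        try {
            store.readSecretFromStore("mallory", null);
        } catch (AEADBadTagException e) {
            System.out.println("mallory -> rejected, record is bound to alice");
        }
    }
}
```

Generate the key once (for example with openssl rand -base64 16) and add it as SECRET_STORE_KEY on the class in the Admin Console; it then lives in the Identity Server configuration rather than in the jar and can be rotated by re-encrypting the records. For a cluster, replace the two Properties calls in writeToStore and readSecretFromStore with an LDAP modify and read of the attribute named by SECRET_LDAP_ATTRIBUTE_NAME; the encryption code stays the same. The last lines of main reach into the private records map only to show the AEADBadTagException for a record moved between users.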

Security concerns with registration page

The registration page has access to sensitive user data, since it displays the freshly generated seed. A session parameter is set by the token validation class when it sends the user to the registration stage; once registration is complete and a token has been submitted, the parameter is removed, so the registration page is no longer accessible to that user. Note what this does and does not protect: the page is in the JSP filter’s publicAccess list, so the session parameter is the only guard, and it is set after the first factor alone. A user who has not yet registered, or anyone who holds that user’s password, can therefore enrol any device on first login. If that is not acceptable in your environment, control enrolment by another means, for example by pre-populating the user’s seed in the user store so that the registration link is never offered.

If the user accesses the registration JSP directly, the following message is displayed:

[Screenshot 29354-12]

Suggested enhancements:

  1. Expire the registration page after some time, by closing the browser or by auto-submitting to the server.
  2. Detect automatically after first-factor authentication that the user is not registered and display the registration page directly (this depends on your use case; not revealing this information is often considered the more secure choice). Consider displaying a message on the initial Google Authenticator login page with additional information, instructions or links for the user, such as “If you have any difficulty please contact the administrator”. This can be done by modifying the sample gtoken.jsp file.

New class for user attribute store:

This new class can be used to store the secret seed for two-factor authentication in a user profile attribute in eDirectory or Active Directory. Configuration steps are as follows:

  1. Copy the Java binary classes (the com folder) from <google authenticator extracted folder>/bin to /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes
  2. Restart IDP
  3. Under NAM authentication classes, add the following properties to the Google Authenticator class:
    1. SECRET_STORE_CLASS = com.netiq.gauth.store.UserStoreImpl
    2. SECRET_LDAP_ATTRIBUTE_NAME = <<ldap attribute name>>

      Note: if the LDAP attribute name property is not provided, the default “carLicense” attribute is used.
  4. Apply and update IDP
  5. Screen shot for reference:

    [Screenshot 29354-13]

Google Authenticator downloads for mobile:

  1. Wiki: http://code.google.com/p/google-authenticator/
  2. Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
  3. Apple iOS: http://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
Categories: Access Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

8 Comments

  1. By:edir4ever

    Hello,

    This is an extremely cool solution!… We are trying this with 3.2 SP2 but getting a class not found exception while registering the user. We did not find the com.novell.nidp.common.util.Obfuscation class in the nidp jar file.
    Could you please help us in locating the correct class file?
    Appreciate this cool solution; this is extremely helpful.

    • By:edir4ever

      Adding on to my last comment…
      The above ClassNotFoundException is coming in the Windows version of IDP (NAM 3.2 SP2). In the Linux version we were able to configure it but unearthed a few more issues. The LDAP implementation “LdapGAuthStoreImpl” does not work; even though com.netiq.gauth.store.LdapGAuthStoreImpl is set as the property value for SECRET_STORE_CLASS, it’s trying to store the keys in the file… working on this part now.
      If this works out with the LDAP attribute based store, it will be awesome!

    • By:adamdn01

      I’ve run into the same issue! I’m using NAM 3.2.2 on SLES. If someone can tell me where to find the com.novell.nidp.common.util.Obfuscation class that would be very helpful.

      Thanks.

      • By:cstumula

        The Obfuscator class was renamed as part of the obfuscation of the nidp module, hence the class is not available under the same name. Please use the new class I added to the download bundle and follow the instructions under the section (at the end of the article) “New class for user attribute store”.

  2. By:cstumula

    On Firefox the token input JSP “gtoken.jsp” will not accept any characters, because the code works well only with IE. To make it work on Firefox and other browsers, please use the following script.
    Place the following script function between the script tags:
    function isNumberKey(evt) {
      // allow control keys (code <= 31) and the digits 0-9 (codes 48-57); reject everything else
      var charCode = (evt.which) ? evt.which : evt.keyCode;
      if (charCode > 31 && (charCode < 48 || charCode > 57))
        return false;
      return true;
    }

    Edit the input field on the same JSP gtoken.jsp to the following:

    The size can also be restricted to 6 because the token is 6 digits only.

  3. By:esandoval_identicum

    Hi guys!

    Does anybody know if this cool solution works on NetIQ Access Manager 4.0?
    The UserStoreImpl.class isn’t provided in the “NetIQ Access Manager 4.0 official tar”, and with this implementation, after deploying everything, without configuring SECRET_STORE_CLASS in the parameters of the class (just to know if the default configuration works), I’ve got an “error 500” with the following root cause:

    java.lang.NoClassDefFoundError: com/warrenstrange/googleauth/GoogleAuthenticator
    com.netiq.gauth.GAuthfier.validateToken(GAuthfier.java:57)
    com.netiq.custom.GoogleAuthenticatorClass.handlePostedData(GoogleAuthenticatorClass.java:134)
    com.netiq.custom.GoogleAuthenticatorClass.doAuthenticate(GoogleAuthenticatorClass.java:103)
    com.novell.nidp.authentication.local.LocalAuthenticationClass.authenticate(y:459)
    com.novell.nidp.authentication.ContractExecutionState.A(y:3166)
    com.novell.nidp.authentication.ContractExecutionState.doContract(y:3062)
    com.novell.nidp.authentication.ContractExecutionState.exec(y:291)
    com.novell.nidp.authentication.ContractExecutionState.execute(y:502)
    com.novell.nidp.common.profile.LoginProfile.C(y:366)
    com.novell.nidp.common.profile.LoginProfile.executeContract(y:1008)
    com.novell.nidp.common.profile.LoginProfile.executeContract(y:1131)
    com.novell.nidp.common.profile.LoginProfile.spLogin(y:841)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.doAuthentication(y:1062)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.handleAuthnRequest(y:650)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processAuthnRequest(y:853)
    com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processSSOEndpoint(y:3460)
    com.novell.nidp.liberty.IDFFHandler.E(y:1056)
    com.novell.nidp.liberty.IDFFHandler.handleRequest(y:1393)
    com.novell.nidp.liberty.LibertyMeDescriptor.handleRequest(y:2440)
    com.novell.nidp.servlets.NIDPServlet.myDoGet(y:535)
    com.novell.nidp.servlets.NIDPBaseServlet.doGet(y:1845)
    com.novell.nidp.servlets.NIDPBaseServlet.doPost(y:2799)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:728)

    • By:cstumula

      Secret store class UserStoreImpl will work with 4.0 too. The cool solution has to be used as the complete source for your new TOTP method; the 4.0 packaged Google auth class and the cool solution can’t be mixed.

      The class com/warrenstrange/googleauth/GoogleAuthenticator is included with the cool solution source.

      • By:esandoval_identicum

        I don’t mix classes; I only deploy the cool solution and I get this error. Any ideas?
