TOTP

Overview

The TOTP plugin provides a login flow that implements a bare-bones form of support for TOTP OATH tokens. Any software or hardware token supporting the TOTP algorithm should work. It can be used to piggyback on the existing Password flow's login form view, with an additional field to collect the token code, or it can be run separately with a dedicated view, usually via the IdP's Multi-Factor Authentication feature. In either case, the identity of the subject used to resolve token seeds is generally based on an earlier authentication step.

There are some limitations to understand about this add-on:

  • There is no support for enrollment of users and tokens or for managing those enrollments.
  • The default implementation provides a couple of options for looking up token seeds for subjects, a static/dummy option for testing and making use of the IdP's Attribute Resolver service to look up (and optionally decrypt) token information at runtime. An extension point does exist for providing alternative token sources, but this interface is not at this time a public API so should be viewed as unstable.

Taken together, this plugin is probably best viewed as either a feature for local extension or as a tool for some limited kinds of deployments where tokens can be managed by hand in some way much as SSH keys often are by small teams.

Plugin Installation

Plugin IDModule(s)Authentication Flow IDLatest Version
net.shibboleth.idp.plugin.authn.totpidp.authn.TOTPauthn/TOTP1.0.0: download

For a detailed guide on how to install plugins, see here.

In summary, use the plugin command that ships with the IdP to install the plugin from either a local file pre-downloaded, from a URL or by pluginId 4.2

Installation

C:>\opt\shibboleth-idp\bin\plugin.bat -I net.shibboleth.idp.plugin.oidc.whatever

or

$ /opt/shibboleth-idp/bin/plugin.sh -i http://shibboleth.net/downloads/identity-provider/plugins/pluginName/version/URL

or

$ /opt/shibboleth-idp/bin/plugin.sh -i <plugin.tar.gz>

If installing from a local file, you need to ensure the GPG detached signature (e.g. the .asc file) is placed alongside the main plugin archive on disk.

Listing Installed Plugins

$ /opt/shibboleth-idp/bin/plugin.sh -l

or

C:>\opt\shibboleth-idp\bin\plugin.bat -l

Installing this plugin will automatically enable or update the "idp.authn.TOTP" module since that is the only functionality provided. You are of course free to subsequently re-enable or disable the module by hand.

Token Creation and Testing

While this plugin lacks real management functionality, there is a simple command-line tool installed into bin for generating new token seeds and performing test validations.

The output includes the unencrypted, Base32-encoded seed, a URL that can be used to manually install the token into software authenticators, and a URL to a QR code generator for the token.

Generating tokens
$ cd /opt/shibboleth-idp 
$ bin/totpauth.sh --home . --issuer Shibboleth --account jdoe
Seed: 7ZODY4DQQ76DHYL3JK66DJIR3TE3QPW5
URL: otpauth://totp/Shibboleth:jdoe?secret=7ZODY4DQQ76DHYL3JK66DJIR3TE3QPW5&issuer=Shibboleth
QR Code: https://api.qrserver.com/v1/create-qr-code/?data=otpauth%3A%2F%2Ftotp%2FShibboleth%3Ajdoe%3Fsecret%3D7ZODY4DQQ76DHYL3JK66DJIR3TE3QPW5%26issuer%3DShibboleth&size=200x200&ecc=M&margin=0

The same utility also includes a mode for validating codes by supplying both the seed and a code to check.

Configuration

Installing/enabling this module will only populate a few files:

FileDescription
views/totp.vmView template for dedicated prompt for token code
views/totp-error.vmView template for reporting errors with code validation
bin/totp.shShell script for testing token code validation
bin/totp.batBatch script for testing token code validation

Other than the user interface, which is fairly self-explanatory, the only configuration required is to define how to resolve token seeds to use while validating a particular subject's token codes. This is assumed to be the Attribute Resolver in most "real" cases, but it's also possible to define some static tokens for testing in a Spring configuration file (e.g., conf/global.xml).

User Interface

After installation, a view (with some error handling examples) is provided to support a "two-stage" user interface where the token code is collected after an initial factor is completed that will supply the username to this flow. This is designed to work out of the box with a simple "Password flow, then TOTP flow" MFA configuration, much as the Duo flow works.

As an alternative, you may choose to "collapse" the collection process so that the Password login form includes the input field to collect the token code. This would perhaps be appropriate in cases when you impose TOTP as a second factor to all requests. The name of the input field is "tokencode" by default but is controllable with the idp.authn.TOTP.fieldName property. With this approach, the same underlying configuration is used but the flow will try and locate the form field before displaying the second view, and if for some reason the code fails, it will simply fall back to the second view to reprompt for the code.

One note about this: because of the way Spring messages work, unfortunately putting the input field on the Password collection view will not allow use of any Spring message identifiers that are pre-installed with this module, namely "idp.totp.field" for the field label. So you would need to add that to your own conf/messages.properties file or just inline the label.

Finally, for non-browser use, it's also possible to supply the code in a request header, "X-Shibboleth-TOTP" by default, also controllable with a property. Because of this, the flow is installed by default as supporting non-browser use, though if the header is missing there is no user interface to ask for one.

Source of Token Seeds

Reference