This repository has been archived by the owner on Mar 20, 2019. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of github.com:Yubico/yubico-shibboleth-idp-mult…
…ifactor-login-handler
Showing 8 changed files with 168 additions and 2 deletions.
@@ -1 +1,36 @@ | ||
MultiFactor Login Handler for use with the Shibboleth IdP. | ||
|
||
See https://spaces.internet2.edu/display/SHIB2/Multi+Factor+Login+Handler | ||
( or https://spaces.internet2.edu/x/FQFvAQ ) for installation instructions. | ||
|
||
This version has been tested with Shibboleth IdP 2.2.1 and with the | ||
JAAS modules from yubico-validation-client 2.0-pre1-shib. | ||
|
||
What is special with this Login Handler? Two things : | ||
|
||
1) It collects multiple authentication factors from the login servlet. | ||
|
||
Besides the j_username and j_password collected by the regular | ||
UsernamePassword login handler, we also collect | ||
j_tokens[0] .. j_tokens[n]. | ||
|
||
See MultiFactorAuthLoginServlet.service(). | ||
|
||
2) We convey all these collected factors to JAAS modules by calling the | ||
JAAS modules PasswordCallback.setPassword() muliple times, with | ||
j_password coming last (to provide some compatibility with single- | ||
factor JAAS modules). | ||
|
||
If the JAAS module wants to get more than the first factor, it must | ||
pass us a PasswordCallback capable of accumulating factors in | ||
setPassword(). | ||
|
||
See MultiAuthCallbackHandler.handle(). | ||
|
||
See com.yubico.jaas.MultiValuePasswordCallback for an example of a multi- | ||
factor capable PasswordCallback. | ||
|
||
Currently known Multi Factor JAAS modules : | ||
|
||
com.yubico.jaas.YubikeyLoginModule for YubiKey OTPs | ||
com.yubico.jaas.HttpOathOtpLoginModule for OATH token validations |
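Review bot: the README should spell out the failure mode that follows from the j_password-last ordering described under point 2: a stock PasswordCallback keeps only the value of the last setPassword() call, so a single-factor JAAS module sees the password alone and the submitted token is silently discarded. An IdP whose JAAS configuration lists only such modules would therefore accept password-only logins through this handler with no error. State that the chain must contain one of the multi-factor modules listed at the end (com.yubico.jaas.YubikeyLoginModule or com.yubico.jaas.HttpOathOtpLoginModule) with a `required` flag, and say what MultiFactorAuthLoginServlet.service() does when j_tokens[0] is absent or empty. Minor: "muliple" on the line "JAAS modules PasswordCallback.setPassword() muliple times" should read "multiple", and "Two things :" should lose the space before the colon.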
@@ -0,0 +1,64 @@ | ||
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginContext" %> | ||
<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %> | ||
<%@ page import="edu.internet2.middleware.shibboleth.idp.session.*" %> | ||
<%@ page import="edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper" %> | ||
<%@ page import="org.opensaml.saml2.metadata.*" %> | ||
|
||
<% | ||
LoginContext loginContext = HttpServletHelper.getLoginContext(HttpServletHelper.getStorageService(application), | ||
application, request); | ||
Session userSession = HttpServletHelper.getUserSession(request); | ||
%> | ||
|
||
<html> | ||
|
||
<head> | ||
<title>Shibboleth Identity Provider - Example Login Page</title> | ||
</head> | ||
|
||
<body> | ||
<img src="<%= request.getContextPath() %>/images/logo.jpg" /> | ||
<h1>Example Login Page</h1> | ||
<p>This login page is an example and should be customized. Refer to the | ||
<a href="https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPassLoginPage" target="_new"> documentation</a>. | ||
</p> | ||
|
||
<% if (loginContext == null) { %> | ||
<p><font color="red">Error:</font> Direct access to this page is not supported.</p> | ||
<% } else { %> | ||
|
||
<h2>Shibboleth Identity Provider Login to Service Provider <%= loginContext.getRelyingPartyId() %></h2> | ||
|
||
<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) { %> | ||
<p><font color="red">Authentication Failed</font></p> | ||
<% } %> | ||
|
||
<% if(request.getAttribute("actionUrl") != null){ %> | ||
<form action="<%=request.getAttribute("actionUrl")%>" method="post"> | ||
<% }else{ %> | ||
<form action="j_security_check" method="post"> | ||
<% } %> | ||
<table> | ||
<tr> | ||
<td>Username:</td> | ||
<td><input name="j_username" type="text" tabindex="1" /></td> | ||
</tr> | ||
<tr> | ||
<td>Password:</td> | ||
<td><input name="j_password" type="password" tabindex="2" /></td> | ||
</tr> | ||
<% String s = (String) request.getAttribute("actionUrl"); if (s.contains("/MultiFactor")){ %> | ||
<tr> | ||
<td>Token:</td> | ||
<td><input name="j_tokens[0]" type="text" tabindex="3" /></td> | ||
</tr> | ||
<% } %> | ||
<tr> | ||
<td colspan="2"><input type="submit" value="Login" tabindex="9" /></td> | ||
</tr> | ||
</table> | ||
</form> | ||
<%}%> | ||
</body> | ||
|
||
</html> |
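Review bot: the line `<% String s = (String) request.getAttribute("actionUrl"); if (s.contains("/MultiFactor")){ %>` dereferences actionUrl without a null check, although the form tag a few lines earlier explicitly handles the null case by falling back to `j_security_check`; on that path the page throws a NullPointerException instead of rendering. Guard it with `if (s != null && s.contains("/MultiFactor"))`. Two further points on the same hunk: `<%=request.getAttribute("actionUrl")%>` and `<%= loginContext.getRelyingPartyId() %>` are written into the markup without HTML escaping, and the relying party ID originates in the SP's request, so escape both before output (the page comment already says this example is meant to be customised, so this is the place to do it); and the `j_tokens[0]` input should carry `autocomplete="off"`, since a one-time password must never be retained by browser form autofill. Lastly, the README describes collecting j_tokens[0] .. j_tokens[n] but this page offers only j_tokens[0]; a short JSP comment saying how to add further token inputs would save integrators a trip to the servlet source.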
...va/com/yubico/shibboleth/idp/multifactor/MultiFactorAuthLoginHandlerNamespaceHandler.java (30 changes: 30 additions & 0 deletions)
@@ -0,0 +1,30 @@ | ||
/* | ||
* Copyright 2011 Yubico AB. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
* @author Fredrik Thulin <fredrik@yubico.com> | ||
* | ||
*/ | ||
package com.yubico.shibboleth.idp.multifactor; | ||
|
||
import edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler; | ||
|
||
public class MultiFactorAuthLoginHandlerNamespaceHandler extends BaseSpringNamespaceHandler { | ||
public static final String NAMESPACE = "http://www.yubico.com/2011/shibboleth/idp"; | ||
|
||
public void init() { | ||
registerBeanDefinitionParser(MultiFactorAuthLoginHandlerBeanDefinitionParser.SCHEMA_TYPE, | ||
new MultiFactorAuthLoginHandlerBeanDefinitionParser()); | ||
} | ||
} |
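Review bot: NAMESPACE must stay byte-identical to the key in spring.handlers and spring.schemas and to the xsd targetNamespace, but nothing in the code ties the four together; add a comment on the constant naming the three other places it must match, plus a class Javadoc saying this handler registers the parser for the MultiFactorAuth schema type. If the build targets Java 6 or later, `init()` also merits `@Override`, since it implements NamespaceHandler.init() and a signature drift in BaseSpringNamespaceHandler would otherwise leave the parser silently unregistered rather than failing at compile time.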
@@ -0,0 +1 @@ | ||
http\://www.yubico.com/2011/shibboleth/idp = com.yubico.shibboleth.idp.multifactor.MultiFactorAuthLoginHandlerNamespaceHandler |
@@ -0,0 +1 @@ | ||
http\://www.yubico.com/2011/shibboleth/idp = schema/shibboleth-2.0-idp-multifactor-login-handler.xsd |
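Review bot: the value `schema/shibboleth-2.0-idp-multifactor-login-handler.xsd` is a classpath-relative location, and the xsd it points at in turn imports the profile-handler schema via `classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd`; both resolve only when this jar sits on the IdP webapp classpath alongside the Shibboleth schema jar. The README's installation section should say so, because a jar dropped in the wrong directory fails at configuration load with a schema-resolution error that does not point back here.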
src/main/resources/schema/shibboleth-2.0-idp-multifactor-login-handler.xsd (35 changes: 35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
|
||
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.yubico.com/2011/shibboleth/idp" | ||
xmlns="http://www.yubico.com/2011/shibboleth/idp" | ||
xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" | ||
elementFormDefault="qualified"> | ||
|
||
<xsd:import namespace="urn:mace:shibboleth:2.0:idp:profile-handler" | ||
schemaLocation="classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd" /> | ||
|
||
<xsd:complexType name="MultiFactorAuth"> | ||
<xsd:complexContent> | ||
<xsd:extension base="ph:LoginHandlerType"> | ||
<xsd:attribute name="jaasConfigurationLocation" type="xsd:anyURI"> | ||
<xsd:annotation> | ||
<xsd:documentation> | ||
Location of the JAAS configuration. If this attribute is used it will usually contain a file | ||
URL to a configuration on the local filesystem. However, this attribute need not be used and | ||
this information can be set within the VM in any manner supported by the JVM/container | ||
implementation. | ||
</xsd:documentation> | ||
</xsd:annotation> | ||
</xsd:attribute> | ||
<xsd:attribute name="authenticationServletURL" type="xsd:string"> | ||
<xsd:annotation> | ||
<xsd:documentation> | ||
The servlet context path to the com.yubico.shibboleth.idp.MultiFactorAuthLoginServlet | ||
that will authenticate the user. | ||
</xsd:documentation> | ||
</xsd:annotation> | ||
</xsd:attribute> | ||
</xsd:extension> | ||
</xsd:complexContent> | ||
</xsd:complexType> | ||
</xsd:schema> |
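Review bot: the documentation for `authenticationServletURL` names `com.yubico.shibboleth.idp.MultiFactorAuthLoginServlet`, but every class in this commit is declared in `com.yubico.shibboleth.idp.multifactor`; confirm the servlet's actual package and correct whichever is wrong, since integrators copy this class name into web.xml. Also, `authenticationServletURL` is an `xsd:string` with no `use="required"`; if the handler cannot function without it (the README describes no default), mark it required so a missing attribute is rejected at configuration load rather than surfacing at the first login attempt.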