extend U2F #248
Comments
So basically we want to be a SAML identity provider (IdP)?

Yes and No. Here are some thoughts:

simple API
An application could implement U2F on its own. So why should it use privacyIDEA? My main point would be: because it is simpler than implementing U2F.

simple Code
privacyIDEA already provides a plugin for simpleSAMLphp. So basically I want to avoid reinventing the wheel. And implementing and maintaining a SAML IdP seems quite a task.

Any thoughts and input welcome!
I was thinking which only works in a browser.

How would you return the successful authentication back to the application?

I have no idea. JavaScripting?

We add the U2F functionality to the privacyIDEA simpleSAMLphp plugin. We can use an adapted login UI, which also needs to support Challenge Response. The SAML IdP needs to run on the same machine as the privacyIDEA server. Take a look at https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/authYubiKey/templates/yubikeylogin.php for an example of an adapted login UI.

In addition we can try to add JavaScript in the templates. Using the JavaScript we could create a challenge response on one page.

What I am looking for is an SSO solution not only for the web but also internal. WebAuth https://web.stanford.edu/services/webauth/ is an Apache auth module.

You are welcome to file a feature request for a plugin for WebAuth.

We start by enabling Challenge Response against privacyIDEA in the default simpleSAMLphp login page.
The plugin's own logic supports the basic use of challenge response. This is the basic support for privacyidea/privacyidea#248

In cases like the U2F token there is no RequestInput to enter the OTP value, but only the message is displayed. Working on privacyidea/privacyidea#248

Now we have to do the u2fSignResponse JavaScript stuff...
We need to add a mechanism to let other applications / web sites authenticate against privacyIDEA. We should avoid that each website needs to register the U2F key.
Redirect to privacyIDEA for authentication?