
extend U2F #248

Closed
cornelinux opened this issue Oct 28, 2015 · 11 comments
Labels
Type: Enhancement Not a complete new functional component/feature but an enhancement of an already existing feature.
Milestone

Comments

@cornelinux
Member

We need to add a mechanism to let other applications / web sites authenticate against privacyIDEA. We should avoid that each website needs to register the U2F key.

Redirect to privacyIDEA for authentication?

@cornelinux cornelinux added the Type: Enhancement Not a complete new functional component/feature but an enhancement of an already existing feature. label Oct 28, 2015
@cornelinux cornelinux added this to the 2.8 U2F ready milestone Oct 28, 2015
@vDorst
Contributor

vDorst commented Nov 5, 2015

So basically we want to be a SAML identity provider (IdP)?

@cornelinux
Member Author

Yes and No.
Might be great if privacyIDEA was an IdP.

Here are some thoughts:

simple API

An application could implement U2F on its own. So why should it use privacyIDEA? My main point would be: because it is simpler than implementing U2F.
I.e. it must be easier for an application to connect to privacyIDEA than to implement U2F.
And I think SAML on the SP side is also not that easy.

simple Code

privacyIDEA already provides a plugin for simpleSAMLphp. So basically I want to avoid reinventing the wheel. And implementing and maintaining a SAML IdP seems quite a task.
At the moment the privacyIDEA server has 13.000 lines of code. (The system from which privacyIDEA was forked has 30.000 slocs.) 13.000 is not that much, and I am happy and proud that it is not much but nevertheless provides great functionality.
Looking at https://github.com/rohe/pysaml2 or https://github.com/rohe/pyoidc which might give a starting point for either SAML or OpenID Connect you see that it is quite some code. The issue #252 also emerged from a necessity to login via SAML. I would have preferred to have a SAML SP functionality to login to the privacyIDEA WebUI. (hm, I should nevertheless create a ticket for SAML ;-)
But at this stage I wanted to avoid pulling a requirement like pysaml2 so I went with REMOTE_USER. Which also provides other possible means to login.

Any thoughts and input welcome!

@vDorst
Contributor

vDorst commented Nov 6, 2015

I was thinking of something which only works in a browser.
Can you do a U2F auth with an iframe or overlay, so that the U2F origin is the PI server?
If that is possible,
an app like simpleSAML or ownCloud can do a simple username and OTP PIN password with the default theme.
When U2F is required it shows an iframe or overlay to handle the U2F stuff.

@cornelinux
Member Author

How would you return the successful authentication back to the application?

@vDorst
Contributor

vDorst commented Nov 7, 2015

I have no idea. JavaScripting?
Redirect is probably better.
Does privacyIDEA support redirection at the moment?

@cornelinux
Member Author

We add the U2F functionality to the privacyIDEA simpleSAMLphp plugin. We can use an adapted login UI, which also needs to support Challenge Response. The SAML IdP needs to run on the same machine as the privacyIDEA Server.

Take a look at https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/authYubiKey/templates/yubikeylogin.php for an example of an adapted Login UI.

@cornelinux
Member Author

In addition we can try to add JavaScript in the templates.
See discopower/templates/disco-tpl.php.

Using the JavaScript we could create a challenge response on the one page.

@vDorst
Contributor

vDorst commented Nov 17, 2015

What I am looking for is an SSO solution not only for the web but also internal.
I think Kerberos can be a good solution for internal use, but not directly for websites, because with standard mod_auth_kerb you can't log out unless you close the browser.
WebAuth seems a good bridge for that. It can handle SSO and also Kerberos/GSSAPI tickets.

WebAuth https://web.stanford.edu/services/webauth/ is an Apache auth module.
WebKDC is a service to handle login and logout, which I think can be done by privacyIDEA, so that we can use U2F devices.
Kerberos is able to handle OTP via a FreeRADIUS server.

@cornelinux
Member Author

You are welcome to file a feature request for a plugin for WebAuth.
But I am not sure if it is a descending branch.
The latest release/news is one year old.
They mention cosign, which has its last entry in 2012.
Just file the issue and we will see.

@cornelinux
Member Author

We start by enabling Challenge Response against privacyIDEA in the default simpleSAMLphp login page.

cornelinux added a commit to privacyidea/simplesamlphp-module-privacyidea that referenced this issue Nov 19, 2015
The plugin's own logic supports the basic use of challenge response.
This is the basic support for
privacyidea/privacyidea#248
cornelinux added a commit that referenced this issue Nov 19, 2015
cornelinux added a commit to privacyidea/simplesamlphp-module-privacyidea that referenced this issue Nov 19, 2015
In cases like the U2F token there is no RequestInput to enter
the OTP value, but only the message is displayed.

Working on privacyidea/privacyidea#248
@cornelinux
Member Author

Now we have to do the u2fSignResponse JavaScript stuff...

cornelinux added a commit to privacyidea/simplesamlphp-module-privacyidea that referenced this issue Nov 21, 2015