On Wed, Oct 25, 2017 at 10:37 AM, Kanapriya Kuleswararajan <
kanapr...@wso2.com> wrote:

> Hi Malithi,
>
>
>> BTW, for both local user and federated user this will work once you
>> de-select the Enable TOTP claim from the dashboard. Because for the
>> federated scenario, based on the use case, the user has to be created in
>> the local user store. If you are not setting any use case, then the
>> default (local) use case will get involved in the federation scenario.
>> Please refer to the documentation [1] for more info.
>>
>
> So you mean the federated user always needs to be somehow associated
> with a local user? If so, if such a local user is not found, should it
> proceed further?
> I was using the 'userAttribute' use case to associate with the local account.
> It worked for SMS OTP but not for TOTP. Will have a check on this again,
> because as per the code the same utilities seem to be used in both cases.
>
> Yes, the federated user is somehow associated with a local user to handle
> these use cases, and I checked the case where such a user is not found
> in the user store: then the process fails. This should be fixed and I raised a
> JIRA [1] to track this issue.
>
> [1] https://wso2.org/jira/browse/ISCONNECT-91
>

I'm still confused on the expectation here.
1. When TOTP is enabled as the second factor for a federated login scenario,
should that federated identity always be mapped to a local account?
2. If (1) should hold, that means during the authentication flow, if the
association fails, the end-to-end authentication should fail as well. From
the JIRA that you have created, I don't think this is what's being
highlighted.
3. For the case I tried, where in the first step the user authenticates with
Google and in the second step TOTP comes, the user didn't get associated with
the local user even though I have configured so. Still TOTP worked, but the
problem was there was no way to enforce re-scanning of the QR code.
Given the fact, I too think the user should always be associated with a local
user, or if such a user is not found, maybe JIT provision the federated
user (maybe by honouring the JIT provisioning config). Else the end-to-end
authentication flow should fail with appropriate error messages.



>
>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
>>
>> Thanks
>>
>>
>> Kanapriya Kuleswararajan
>> Software Engineer | WSO2
>> Mobile : - 0774894438
>> Mail : - kanapr...@wso2.com
>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>>
>> On Mon, Oct 23, 2017 at 11:51 PM, Malithi Edirisinghe <malit...@wso2.com>
>> wrote:
>>
>>> Hi Team,
>>>
>>> I configured two-step authentication with Google federated
>>> authentication and TOTP for a service provider; i.e., the first step is
>>> configured to use Google as the federated IdP, the second step is TOTP.
>>> Both 'authenticationMandatory' and 'enrolUserInAuthenticationFlow' are
>>> set to true in the TOTP authenticator configuration in the
>>> application-authentication.xml file, such that TOTP is enforced and can
>>> enrol the user during login.
>>>
>>> Now, when trying to access the SP, the Google login page popped up, for which
>>> user credentials were provided and authenticated. Then, in the next step,
>>> TOTP proposed to enrol the user by scanning the QR code, which was done. The
>>> federated user logged in successfully.
>>>
>>> Now, suppose I want to refresh the secret key of this account or clear
>>> it, such that the user needs to scan the QR code again. This could be done
>>> for a local user as the secret key was stored under the
>>> 'http://wso2.org/claims/identity/secretkey' claim. But, for the user
>>> federated over Google this could not be done. And I'm not sure where we
>>> store the secret key for this account.
>>>
>>> Appreciate your input.
>>>
>>> Thanks,
>>> Malithi.
>>>
>>> --
>>>
>>> *Malithi Edirisinghe*
>>> Associate Technical Lead
>>> WSO2 Inc.
>>>
>>> Mobile : +94 (0) 718176807
>>> malit...@wso2.com
>>>
>>
>
>


-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com
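The three outcomes discussed in this thread (verify against a stored secret, enrol in the flow, or fail closed when the federated identity has no local account and JIT provisioning is off), modelled as an added example that is not WSO2 Identity Server code. It assumes a dict-backed local user store, the 'userAttribute' use case matching a constructed 'email' claim to a local username, and the secret kept under the secretkey claim URI from the thread.

```python
# Added example (not WSO2 code): second-step TOTP decision for a federated login.
# Assumptions: local_store is a dict keyed by username; the association use case
# is 'userAttribute' on a constructed 'email' claim; jit_provision is a flag.
SECRET_CLAIM = "http://wso2.org/claims/identity/secretkey"


class TotpAssociationError(Exception):
    """Raised when the federated identity cannot be tied to a local account."""


def resolve_local_user(federated_claims, local_store, jit_provision):
    """Map the federated identity to a local account ('userAttribute' use case).

    Returns the local record, JIT-provisioning it when allowed; otherwise
    fails closed instead of letting TOTP proceed with nowhere to keep the secret.
    """
    key = federated_claims.get("email")
    if key and key in local_store:
        return local_store[key]
    if jit_provision and key:
        local_store[key] = {"username": key, SECRET_CLAIM: None}
        return local_store[key]
    raise TotpAssociationError(
        f"no local account for federated subject {key!r}; refusing to continue"
    )


def totp_step(federated_claims, local_store, jit_provision, enrol_in_flow):
    """Outcome of the second step: 'verify', 'enrol' or 'fail'.

    'verify' when a secret is already stored for the associated local user,
    'enrol' when enrolUserInAuthenticationFlow allows (re)creating it in the
    flow, 'fail' when no association exists or enrolment is not permitted.
    """
    try:
        user = resolve_local_user(federated_claims, local_store, jit_provision)
    except TotpAssociationError:
        return "fail"
    if user.get(SECRET_CLAIM):
        return "verify"
    return "enrol" if enrol_in_flow else "fail"


def reset_secret(local_store, username):
    """Clear the stored secret so the next login forces a fresh QR scan."""
    local_store[username][SECRET_CLAIM] = None
```

Because the secret lives on the associated local record, clearing that claim is what makes re-scanning enforceable; a federated user that was never associated has no such record to reset.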
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
