Hi Malithi,

> I'm still confused on the expectation here.
>
> 1. When TOTP is enabled as second factor for a federated login scenario, should that federated identity be always mapped with a local account?

Yes, that is how these use-cases are working in the federated scenario.

> 2. If (1) should hold, that means during the authentication flow, if the association fails the end-to-end authentication should fail as well. From the JIRA that you have created, I don't think this is what's being highlighted.

Earlier, we failed the authentication flow if there was no user found in Active Directory; then there was a concern to handle this flow by ending up with the first step rather than making the flow fail. But based on the internal discussion, we handle this with a specific condition in SMSOTP and EmailOTP. Say, in SMSOTP we handled this flow by having a parameter: if that parameter is set to true, the user is allowed to enter a mobile number in the authentication flow; if not, the user is redirected to an error page with a specific error message. My concern: since these use-cases are the same for all three authenticators, don't we need to handle this flow in TOTP as well, by ending up with the first step or redirecting the user to an error page? That's the reason for raising this JIRA.

> 3. For the case I tried, where in the first step the user authenticates with Google and in the second step TOTP comes, the user didn't get associated with the local user even though I had configured it so. Still, TOTP worked, but the problem was there was no way to enforce re-scanning of the QR code.
>
> Given that, I too think the user should always be associated with a local user, or, if such a user is not found, maybe JIT provision the federated user (maybe by honouring the JIT provisioning config). Else the end-to-end authentication flow should fail with appropriate error messages.

>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
>>>
>>> Thanks
>>>
>>> Kanapriya Kuleswararajan
>>> Software Engineer | WSO2
>>> Mobile : - 0774894438
>>> Mail : - [email protected]
>>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>>>
>>> On Mon, Oct 23, 2017 at 11:51 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> I configured two-step authentication with Google federated authentication and TOTP for a service provider; i.e., the first step is configured to use Google as federated IdP, the second step is TOTP. Both 'authenticationMandatory' and 'enrolUserInAuthenticationFlow' are set to true in the TOTP authenticator configuration in the application-authentication.xml file, such that TOTP is enforced and can enrol the user while logging in.
>>>>
>>>> Now, when trying to access the SP, the Google login page popped up, for which user credentials were provided and authenticated. Then, in the next step, TOTP proposed to enrol the user by scanning the QR code, which was done. The federated user logged in successfully.
>>>>
>>>> Now, suppose I want to refresh the secret key of this account or clear it, such that the user needs to scan the QR code again. This could be done for a local user, as the secret key was stored under the 'http://wso2.org/claims/identity/secretkey' claim. But for the user federated over Google this could not be done. And I'm not sure where we store the secret key for this account.
>>>>
>>>> Appreciate your input.
>>>>
>>>> Thanks,
>>>> Malithi.
>>>>
>>>> --
>>>> Malithi Edirisinghe
>>>> Associate Technical Lead
>>>> WSO2 Inc.
>>>>
>>>> Mobile : +94 (0) 718176807
>>>> [email protected]
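To make the design question in this thread concrete (federated first step, TOTP second step, secret stored on a local account under the secret-key claim, and what happens when the association is missing), here is an added Python model. It is not WSO2 Identity Server code: the UserStore class, its JIT-provisioning switch, the "idp/subject" naming for provisioned users, the enrol_in_flow parameter and the step outcomes (OK, ENROL_REQUIRED, ERROR_PAGE, INVALID_CODE) are all assumptions constructed for the example; only the claim URI and the RFC 4226/6238 arithmetic come from the thread and the standards.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Claim under which the thread says the TOTP secret is stored for a local user.
SECRET_CLAIM = "http://wso2.org/claims/identity/secretkey"


class AssociationError(Exception):
    """Raised when a federated identity cannot be resolved to a local account."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the 30-second time step that contains `at`."""
    return hotp(secret, at // step, digits)


def authenticator_code(b32_secret: str, at: int) -> str:
    """What the user's authenticator app computes from the secret scanned via QR code."""
    return totp(base64.b32decode(b32_secret), at)


class UserStore:
    """Constructed toy model of local users, federated associations and a
    JIT-provisioning switch (an assumption for this example, not WSO2's user store)."""

    def __init__(self, jit_provisioning: bool = False):
        self.local_users = {}      # username -> claims dict
        self.associations = {}     # (idp, subject) -> local username
        self.jit_provisioning = jit_provisioning

    def add_local_user(self, username: str) -> None:
        self.local_users[username] = {}

    def associate(self, idp: str, subject: str, username: str) -> None:
        if username not in self.local_users:
            raise KeyError(username)
        self.associations[(idp, subject)] = username

    def resolve_local_user(self, idp: str, subject: str) -> str:
        """Explicit association first, then JIT provisioning if enabled,
        otherwise the end-to-end flow fails (the thread's option 3)."""
        username = self.associations.get((idp, subject))
        if username is not None:
            return username
        if self.jit_provisioning:
            username = f"{idp}/{subject}"     # constructed naming scheme
            self.add_local_user(username)
            self.associate(idp, subject, username)
            return username
        raise AssociationError(f"no local account for {idp} user {subject}")

    def enrol_totp(self, username: str) -> str:
        """Generate a fresh secret, store it under the claim, return the base32
        form that would be embedded in the QR code."""
        encoded = base64.b32encode(secrets.token_bytes(20)).decode()
        self.local_users[username][SECRET_CLAIM] = encoded
        return encoded

    def clear_totp(self, username: str) -> None:
        """Refresh/clear the secret so the user must scan a QR code again."""
        self.local_users[username].pop(SECRET_CLAIM, None)

    def verify_totp(self, username: str, code: str, at: int) -> bool:
        encoded = self.local_users[username].get(SECRET_CLAIM)
        if encoded is None:
            return False
        secret = base64.b32decode(encoded)
        # Accept the current step and one step either side to tolerate clock drift.
        return any(hmac.compare_digest(totp(secret, at + d).encode(), code.encode())
                   for d in (-30, 0, 30))


def second_step(store: UserStore, idp: str, subject: str, code: Optional[str],
                at: int, enrol_in_flow: bool = True) -> str:
    """Outcome of the TOTP step after a federated first step. Raises
    AssociationError when no local account can be resolved."""
    username = store.resolve_local_user(idp, subject)
    if SECRET_CLAIM not in store.local_users[username]:
        # No secret on the local account yet: either enrol in the flow
        # (modelled on 'enrolUserInAuthenticationFlow') or send the user to an error page.
        return "ENROL_REQUIRED" if enrol_in_flow else "ERROR_PAGE"
    if code is not None and store.verify_totp(username, code, at):
        return "OK"
    return "INVALID_CODE"
```

Because the secret lives on the resolved local account, clear_totp on that account forces a re-scan on the next login, which is exactly what could not be done in the thread's Google-federated case where no local account was ever associated.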
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
