On Wed, Oct 25, 2017 at 1:40 PM, Kanapriya Kuleswararajan <[email protected]> wrote:

> Hi Malithi,
>
>> I'm still confused on the expectation here.
>>
>> 1. When TOTP is enabled as second factor for a federated login scenario, should that federated identity always be mapped with a local account?
>
> Yes, that is how these use-cases are working in the federated scenario.
>
>> 2. If (1) should hold, that means during the authentication flow, if the association fails, the end-to-end authentication should fail as well. From the JIRA that you have created, I don't think this is what's being highlighted.
>
> Earlier, we had failed the authentication flow if there is no user found in Active Directory; then there was a concern to handle this flow by ending up with the first step rather than making the flow fail. But based on the internal discussion, we handle this with a specific condition in SMSOTP and EmailOTP. Say, in SMSOTP we handled this flow by having a parameter: if that parameter is set as true, then allow the user to enter a mobile number in the authentication flow, and if not, redirect the user to an error page with a specific error message. In my concern, since these use-cases are the same for all these three authenticators, don't we need to handle this flow in TOTP as well, by ending up with the first step or redirecting the user to an error page?

+1. In that case, can you explain this expectation in the JIRA? Because the JIRA just includes the error and does not mention how the flow should be.

> That's the reason for raising this JIRA.
>
>> 3. For the case I tried, where in the first step the user authenticates with Google and in the second step TOTP comes, the user didn't get associated with the local user even though I have configured so. Still TOTP worked, but the problem was there was no way to enforce re-scanning of the QR code. Given the fact, I too think the user should always be associated with a local user, or if such a user is not found, maybe JIT provision the federated user (maybe by honouring the JIT provisioning config). Else the end-to-end authentication flow should fail with appropriate error messages.
>>
>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator
>>>>
>>>> Thanks
>>>>
>>>> Kanapriya Kuleswararajan
>>>> Software Engineer | WSO2
>>>> Mobile : - 0774894438
>>>> Mail : - [email protected]
>>>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>>>>
>>>> On Mon, Oct 23, 2017 at 11:51 PM, Malithi Edirisinghe <[email protected]> wrote:
>>>>
>>>>> Hi Team,
>>>>>
>>>>> I configured two-step authentication with Google federated authentication and TOTP for a service provider; i.e., the first step is configured to use Google as federated IdP, the second step is TOTP. Both 'authenticationMandatory' and 'enrolUserInAuthenticationFlow' are set to true in the TOTP authenticator configuration in the application-authentication.xml file, such that TOTP is enforced and can enrol the user while logging in.
>>>>>
>>>>> Now, when trying to access the SP, the Google login page popped up, for which user credentials were provided and authenticated. Then, in the next step, TOTP proposed to enrol the user by scanning the QR code, which was done. The federated user logged in successfully.
>>>>>
>>>>> Now, suppose I want to refresh the secret key of this account or clear it, such that the user needs to scan the QR code again. This could be done for a local user, as the secret key was stored under the 'http://wso2.org/claims/identity/secretkey' claim. But for the user federated over Google this could not be done. And I'm not sure where we store the secret key for this account.
>>>>>
>>>>> Appreciate your input.
>>>>>
>>>>> Thanks,
>>>>> Malithi.
>>>>>
>>>>> --
>>>>> *Malithi Edirisinghe*
>>>>> Associate Technical Lead
>>>>> WSO2 Inc.
>>>>> Mobile : +94 (0) 718176807
>>>>> [email protected]

--
*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
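The second-step flow the thread is debating, as an added illustration written for this page (it is not WSO2 Identity Server code and not the TOTP authenticator's implementation). It models the point both sides agree on: the TOTP secret is kept on the local account under the `http://wso2.org/claims/identity/secretkey` claim, so a federated subject must first resolve to a local user; with no association the step either fails closed with an error or, when JIT provisioning is allowed, provisions a local account and sends the user to enrolment; clearing the stored claim is what forces a fresh QR scan. The handler names (`second_step_totp`, `enrol`, `reset_secret`), the dict-based user store and association map, and the `jit_provision` switch are all hypothetical; the TOTP code follows RFC 6238 and the sample secret is the RFC test vector, constructed here as sample data.

```python
import base64
import hashlib
import hmac
import struct

# Claim URI under which, per the thread, a local user's TOTP secret is stored.
SECRET_CLAIM = "http://wso2.org/claims/identity/secretkey"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over a Base32 secret and a 64-bit counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, code, at_time, step=30, window=1):
    """Accept the code for the current step or +/- `window` adjacent steps."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + k), code)
        for k in range(-window, window + 1)
    )


class AuthError(Exception):
    """End-to-end authentication failure, to be rendered as an error page."""


def second_step_totp(federated_subject, code, now, users, associations,
                     jit_provision=False):
    """Hypothetical TOTP second step after a federated first step.

    The secret lives only on the local account, so the federated subject
    must resolve to one. Without an association the flow fails closed,
    unless JIT provisioning (constructed switch) creates the local account.
    Returns "AUTHENTICATED" or "ENROL_REQUIRED"; raises AuthError otherwise.
    """
    local_user = associations.get(federated_subject)
    if local_user is None:
        if not jit_provision:
            raise AuthError("federated user has no associated local account")
        # Hypothetical JIT provisioning: create and associate a local account.
        local_user = federated_subject
        users[local_user] = {}
        associations[federated_subject] = local_user

    secret = users[local_user].get(SECRET_CLAIM)
    if secret is None:
        # enrolUserInAuthenticationFlow: user must scan a QR code first.
        return "ENROL_REQUIRED"
    if not verify_totp(secret, code, now):
        raise AuthError("invalid TOTP code")
    return "AUTHENTICATED"


def enrol(users, local_user, secret_b32):
    """Store a newly generated secret on the local account (QR scan done)."""
    users[local_user][SECRET_CLAIM] = secret_b32


def reset_secret(users, local_user):
    """Clear the stored secret so the next login forces a new QR scan."""
    users[local_user].pop(SECRET_CLAIM, None)


# Constructed sample data: the RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo():
    """Walk the scenario from the thread and return each outcome by name."""
    users = {"alice": {SECRET_CLAIM: RFC_SECRET}}
    associations = {"google:alice@example.com": "alice"}  # federated -> local
    out = {}
    out["associated"] = second_step_totp(
        "google:alice@example.com", totp(RFC_SECRET, 59), 59, users, associations)
    try:
        second_step_totp("google:bob@example.com", "000000", 59, users, associations)
        out["unassociated"] = "AUTHENTICATED"
    except AuthError as err:
        out["unassociated"] = str(err)
    out["jit"] = second_step_totp(
        "google:bob@example.com", "000000", 59, users, associations, jit_provision=True)
    reset_secret(users, "alice")
    out["after_reset"] = second_step_totp(
        "google:alice@example.com", totp(RFC_SECRET, 59), 59, users, associations)
    return out


if __name__ == "__main__":
    print(demo())
```

The `after_reset` outcome is the behaviour the original question asks for: once the claim is cleared on the local account, even a currently valid code no longer logs the user in, and the step returns to enrolment. That is only possible because the secret is addressable on a local user; a federated subject with no association has no such place to clear.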
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
