Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-25 Thread Kanapriya Kuleswararajan
>
> +1. In that case, can you explain this expectation in the JIRA? Because the
> JIRA just includes the error and does not mention how the flow should be.
>

Updated the JIRA with the relevant information.

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-25 Thread Malithi Edirisinghe
On Wed, Oct 25, 2017 at 1:40 PM, Kanapriya Kuleswararajan <
kanapr...@wso2.com> wrote:

> Hi Malithi,
>
>>
>> I'm still confused on the expectation here.
>> 1. When TOTP is enabled as the second factor for a federated login scenario,
>> should that federated identity always be mapped to a local account?
>>
>
> Yes, that is how these use-cases work in the federated scenario.
>
>> 2. If (1) should hold, that means during the authentication flow, if the
>> association fails, the end-to-end authentication should fail as well. From
>> the JIRA that you have created, I don't think this is what's being
>> highlighted.
>>
>
> Earlier, we failed the authentication flow if there was no user found in
> Active Directory; then there was a concern to handle this flow by ending up
> with the first step rather than making the flow fail. But based on the
> internal discussion, we handled this with a specific condition in SMSOTP and
> EmailOTP. Say, in SMSOTP we handled this flow by having a parameter: if that
> parameter is set as true then we allow the user to enter a mobile number in
> the authentication flow, and if not we redirect the user to the error page
> with a specific error message. My concern is: since these use-cases are the
> same for all three authenticators, don't we need to handle this flow in
> TOTP as well by ending up with the first step or redirecting the user to the
> error page?
>

+1. In that case, can you explain this expectation in the JIRA? Because the
JIRA just includes the error and does not mention how the flow should be.


-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com


Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-25 Thread Kanapriya Kuleswararajan
Hi Malithi,

>
> I'm still confused on the expectation here.
> 1. When TOTP is enabled as the second factor for a federated login scenario,
> should that federated identity always be mapped to a local account?
>

Yes, that is how these use-cases work in the federated scenario.

> 2. If (1) should hold, that means during the authentication flow, if the
> association fails, the end-to-end authentication should fail as well. From
> the JIRA that you have created, I don't think this is what's being
> highlighted.
>

Earlier, we failed the authentication flow if there was no user found in
Active Directory; then there was a concern to handle this flow by ending up
with the first step rather than making the flow fail. But based on the
internal discussion, we handled this with a specific condition in SMSOTP and
EmailOTP. Say, in SMSOTP we handled this flow by having a parameter: if that
parameter is set as true then we allow the user to enter a mobile number in
the authentication flow, and if not we redirect the user to the error page
with a specific error message. My concern is: since these use-cases are the
same for all three authenticators, don't we need to handle this flow in
TOTP as well by ending up with the first step or redirecting the user to the
error page?

That's the reason for raising this JIRA.

> 3. For the case I tried, where in the first step the user authenticates with
> Google and in the second step TOTP comes, the user didn't get associated with
> the local user even though I had configured so. Still, TOTP worked, but the
> problem was there was no way to enforce re-scanning of the QR code.
> Given that, I too think the user should always be associated with a local
> user, or if such a user is not found, maybe JIT provision the federated
> user (maybe by honouring the JIT provisioning config). Else the end-to-end
> authentication flow should fail with appropriate error messages.


Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-24 Thread Malithi Edirisinghe
On Wed, Oct 25, 2017 at 10:37 AM, Kanapriya Kuleswararajan <
kanapr...@wso2.com> wrote:

> Hi Malithi,
>
>
>> BTW, for both local users and federated users this will work once you
>> de-select the Enable TOTP claim from the dashboard, because for the
>> federated scenario, based on the use-cases, the user has to be created in the
>> local user store. If you are not setting any use-case, then the default (local)
>> use-case will get involved in the federation scenario. Please refer to the
>> documentation [1] for more info.
>>
>
>> So you mean the federated user always needs to be somehow associated
>> with a local user? If so, if such a local user is not found, should it
>> proceed further?
>> I was using the 'userAttribute' use-case to associate with the local account.
>> It worked for SMS OTP but not for TOTP. I will check on this again,
>> because as per the code the same utilities seem to be used in both cases.
>
> Yes, the federated user is somehow associated with a local user to handle
> these use-cases, and I checked the case where such a user is not found
> in the user store; then the process fails. This should be fixed and I raised a
> JIRA [1] to track this issue.
>
> [1] https://wso2.org/jira/browse/ISCONNECT-91
>

I'm still confused on the expectation here.
1. When TOTP is enabled as the second factor for a federated login scenario,
should that federated identity always be mapped to a local account?
2. If (1) should hold, that means during the authentication flow, if the
association fails, the end-to-end authentication should fail as well. From
the JIRA that you have created, I don't think this is what's being
highlighted.
3. For the case I tried, where in the first step the user authenticates with
Google and in the second step TOTP comes, the user didn't get associated with
the local user even though I had configured so. Still, TOTP worked, but the
problem was there was no way to enforce re-scanning of the QR code.
Given that, I too think the user should always be associated with a local
user, or if such a user is not found, maybe JIT provision the federated
user (maybe by honouring the JIT provisioning config). Else the end-to-end
authentication flow should fail with appropriate error messages.



-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com


Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-24 Thread Kanapriya Kuleswararajan
Hi Malithi,


> BTW, for both local users and federated users this will work once you
> de-select the Enable TOTP claim from the dashboard, because for the
> federated scenario, based on the use-cases, the user has to be created in the
> local user store. If you are not setting any use-case, then the default (local)
> use-case will get involved in the federation scenario. Please refer to the
> documentation [1] for more info.
>

> So you mean the federated user always needs to be somehow associated with
> a local user? If so, if such a local user is not found, should it proceed
> further?
> I was using the 'userAttribute' use-case to associate with the local account.
> It worked for SMS OTP but not for TOTP. I will check on this again,
> because as per the code the same utilities seem to be used in both cases.

Yes, the federated user is somehow associated with a local user to handle
these use-cases, and I checked the case where such a user is not found
in the user store; then the process fails. This should be fixed and I raised a
JIRA [1] to track this issue.

[1] https://wso2.org/jira/browse/ISCONNECT-91



Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-24 Thread Malithi Edirisinghe
Hi Kanapriya,

On Tue, Oct 24, 2017 at 10:35 AM, Kanapriya Kuleswararajan <
kanapr...@wso2.com> wrote:

> Hi Malithi,
>
> If you want to re-scan the QR code then you have to deselect the Enable
> TOTP claim in the dashboard; this will automatically remove the secret key
> claim from the user profile.
>

Noted. Thanks


> BTW, for both local users and federated users this will work once you
> de-select the Enable TOTP claim from the dashboard, because for the
> federated scenario, based on the use-cases, the user has to be created in the
> local user store. If you are not setting any use-case, then the default (local)
> use-case will get involved in the federation scenario. Please refer to the
> documentation [1] for more info.
>

So you mean the federated user always needs to be somehow associated with
a local user? If so, if such a local user is not found, should it proceed
further?
I was using the 'userAttribute' use-case to associate with the local account.
It worked for SMS OTP but not for TOTP. I will check on this again,
because as per the code the same utilities seem to be used in both cases.


-- 

*Malithi Edirisinghe*
Associate Technical Lead
WSO2 Inc.

Mobile : +94 (0) 718176807
malit...@wso2.com


Re: [Dev] How can I reset secret key of a federated identity when using TOTP

2017-10-23 Thread Kanapriya Kuleswararajan
Hi Malithi,

If you want to re-scan the QR code then you have to deselect the Enable
TOTP claim in the dashboard; this will automatically remove the secret key
claim from the user profile.
BTW, for both local users and federated users this will work once you
de-select the Enable TOTP claim from the dashboard, because for the
federated scenario, based on the use-cases, the user has to be created in the
local user store. If you are not setting any use-case, then the default (local)
use-case will get involved in the federation scenario. Please refer to the
documentation [1] for more info.

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+TOTP+Authenticator

Thanks


Kanapriya Kuleswararajan
Software Engineer | WSO2
Mobile : - 0774894438
Mail : - kanapr...@wso2.com
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/


On Mon, Oct 23, 2017 at 11:51 PM, Malithi Edirisinghe 
wrote:

> Hi Team,
>
> I configured two-step authentication with Google federated authentication
> and TOTP for a service provider; i.e., the first step is configured to use
> Google as the federated IdP, the second step is TOTP.
> Both 'authenticationMandatory' and 'enrolUserInAuthenticationFlow' are set
> to true in the TOTP authenticator configuration in the
> application-authentication.xml file, such that TOTP is enforced and can
> enrol the user while logging in.
>
> Now, when trying to access the SP, the Google login page popped up, for which
> user credentials were provided and authenticated. Then, in the next step,
> TOTP proposed to enrol the user by scanning the QR code, which was done. The
> federated user logged in successfully.
>
> Now, suppose I want to refresh the secret key of this account or clear it,
> such that the user needs to scan the QR code again. This could be done for
> a local user as the secret key was stored under the
> 'http://wso2.org/claims/identity/secretkey' claim. But, for the user
> federated over Google this could not be done. And I'm not sure where we
> store the secret key for this account.
>
> Appreciate your input.
>
> Thanks,
> Malithi.
>
> --
>
> *Malithi Edirisinghe*
> Associate Technical Lead
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> malit...@wso2.com
>
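The flow this thread discusses, modelled end to end as an added example (not WSO2 Identity Server code): the federated first step resolved to a local account with the three outcomes Malithi lists above (existing association, JIT provisioning, or failing the whole flow with an explicit error), a mandatory TOTP second step that stores its secret under the secretkey claim named in the original question, and the reset that de-selecting 'Enable TOTP' performs. The in-memory user store, the totpEnabled claim URI and all function names are assumptions; the TOTP itself follows RFC 6238.

```python
import base64
import hashlib
import hmac
import os
import struct

# Claim URI named in the thread. The 'Enable TOTP' claim URI is an assumed placeholder name.
SECRET_CLAIM = "http://wso2.org/claims/identity/secretkey"
ENABLE_TOTP_CLAIM = "http://wso2.org/claims/identity/totpEnabled"  # assumed


class AuthFailure(Exception):
    """End-to-end authentication failure carrying a user-facing message."""


def totp_code(secret_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 for a Base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def associate_federated_user(user_store, subject, associations, jit_provision):
    """First-step result -> local username, in the order the thread argues for:
    existing association, else JIT provisioning when configured, else fail.
    user_store is an in-memory stand-in: {username: {claim URI: value}}."""
    local = associations.get(subject)
    if local is not None and local in user_store:
        return local
    if jit_provision:
        user_store.setdefault(subject, {})
        associations[subject] = subject
        return subject
    raise AuthFailure("no local account is associated with federated user " + subject)


class TotpSecondStep:
    """TOTP step with authenticationMandatory=true; enrol_in_flow mirrors
    enrolUserInAuthenticationFlow from application-authentication.xml."""

    def __init__(self, user_store, enrol_in_flow=True):
        self.user_store = user_store
        self.enrol_in_flow = enrol_in_flow

    def needs_enrolment(self, username):
        return SECRET_CLAIM not in self.user_store[username]

    def enrol(self, username):
        """Store a fresh Base32 secret (the value the QR code carries) in the user's claims."""
        if not self.enrol_in_flow:
            raise AuthFailure("TOTP is mandatory and enrolment during login is disabled")
        secret = base64.b32encode(os.urandom(20)).decode()
        self.user_store[username].update({SECRET_CLAIM: secret, ENABLE_TOTP_CLAIM: "true"})
        return secret

    def authenticate(self, username, code, at_time):
        """Constant-time comparison of the submitted code against the stored secret."""
        if self.needs_enrolment(username):
            raise AuthFailure("user is not enrolled for TOTP")
        expected = totp_code(self.user_store[username][SECRET_CLAIM], at_time)
        return hmac.compare_digest(expected, code)

    def reset(self, username):
        """What de-selecting 'Enable TOTP' does: drop the secret so the next login re-scans."""
        claims = self.user_store[username]
        claims.pop(SECRET_CLAIM, None)
        claims[ENABLE_TOTP_CLAIM] = "false"
```

After reset(), authenticate() raises until enrol() has stored a new secret, which is the "scan the QR code again" behaviour the original question asks for.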