By: Min Khang Wong named 28 Jun 2024 at 5:09 a.m. CDT

19 Responses
Min Khang Wong gravatar
Hi Support, Currently, we have a 2FA authentication implementation using the authentication script, the Admin User that accessing the TAG application will prompt for 2FA then logged in to TAG. Refer Image_1. This user is also a normal user for accessing other application, eg Jira. The issue happened after the user login to Jira with SSO, the SSOSession created. When user access to TAG on the same browser, the user will not prompted for 2FA, the existing SSOSession grant user access to TAG. Refer Image_2. Referring to Image_3, on the step 5, we would like to stepped up the user authentication, which means when Admin User access to TAG, user will redirect to SSO for login and prompted for 2FA and access TAG as logged in user. Please advise how we can stepped up the user authentication if there is an existing session. Thank you.

By Michael Schwartz Account Admin 28 Jun 2024 at 3:02 p.m. CDT

Michael Schwartz gravatar
There are a few options. 1. The client could use `prompt=login` in the authn request. This would kill SSO because the app would always require authentication. 2. Use the [Post Authn](https://gluu.org/docs/gluu-server/4.5/admin-guide/custom-script/#post-authn) script to check the client_id from the request (and possible lookup the client entity in the database), and based on that, you can require a certain set of allowable acr's. 3. In the application itself, check the `acr` of the id_token, and if it's not what you want, then resend for authn using `prompt=login&acr_value=xxxx`

By Min Khang Wong named 01 Jul 2024 at 3:55 a.m. CDT

Min Khang Wong gravatar
Hi Mike, For number 1 and 3, we are using SAML TR and mod_auth_openidc in our customer environment, as such, we can't customise the authn request. For number 2, how can we associate the Post Authn script with SAML TR? Do you have a sample script for Post Authn to step up the authentication? Thank you.

By Michael Schwartz Account Admin 01 Jul 2024 at 1:16 p.m. CDT

Michael Schwartz gravatar
I asked @Yuriy.Zabrovarnyy if he has a sample. I don't see one in the [Jans Docs](https://docs.jans.io/v1.1.2/admin/developer/scripts/post-authentication/) either

By Yuriy Zabrovarnyy staff 01 Jul 2024 at 3:50 p.m. CDT

Yuriy Zabrovarnyy gravatar
Actually that doc has link to sample script: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/postauthn/postauthn.py In-lined comments hopefully make it clear how to use the script.

By Yuriy Zabrovarnyy staff 01 Jul 2024 at 4 p.m. CDT

Yuriy Zabrovarnyy gravatar
For stepped up sample I guess we used UpdateToken and PersonAuthentication scripts. Here is doc https://gluu.org/docs/gluu-server/4.5/admin-guide/stepped-up/#step-d-stepped-up-authentication

By Yuriy Zabrovarnyy staff 01 Jul 2024 at 4:06 p.m. CDT

Yuriy Zabrovarnyy gravatar
In jans we have this recipe with digrams which might be easier to read https://docs.jans.io/v1.1.2/admin/recipes/stepped-up-authn/

By Michael Schwartz Account Admin 02 Jul 2024 at 10:22 a.m. CDT

Michael Schwartz gravatar
Min Khang, Just to be clear, I'm assuming both your applications are SAML applications. We're going to look into this, and will revert by tomorrow. It's a little trickier if both the RPs are SAML. BTW, your numbering is a little off in those diagrams, and they are kind of hard to follow. I suggest using the free service [sequencediagrams.org](https://sequencediagrams.org) for these types of diagrams, and add the tag `autonumber`

By Kee Wee Wong Account Admin 03 Jul 2024 at 11:46 p.m. CDT

Kee Wee Wong gravatar
Hi @Michael.Schwartz There is a mixture of mod_auth_openidc and SAML applications in customer environment. Currently there isn't any OpenID Connect client in the environment. I see the documentation shared by @Yuriy.Zabrovarnyy, it looks like it will involve modifying the authorize call with the IDP, which doesn't seem feasible with mod_auth_openidc and SAML applications. The current implementation is we have a Person Authentication Script to check the User Role and the Application accessed to determine if the user is required to perform second factor authentication. ``` title Single App OTP actor "User\nJIRA User\nTAG Admin" as User materialdesignicons F08C6 "TAG\nmod_auth_openidc\nApp" as TAG #green materialdesignicons F1577 "Gluu SSO IDP" as Gluu autonumber 1 User->TAG: Access TAG Application TAG->User: Reverse Proxy redirect to IDP Login User->Gluu: SSO Login activate Gluu Gluu->User:New Session\nPrompt Login User->Gluu: Enter username/password Gluu->Gluu: Check if user is\nAdmin for TAG Gluu->User: User is Admin\nPrompt OTP Page User->Gluu: Enter OTP Gluu->User:Successful Login\nOIDC Redirect to TAG deactivate Gluu User->TAG: Access TAG Application ``` This Person Authentication Script is working until the user is accessing another application on the same SSO session, which bypasses the Person Authentication Script ``` title Multi-App OTP actor "User\nJIRA User\nTAG Admin" as User materialdesignicons F08C6 "JIRA\nSAML App" as JIRA #blue materialdesignicons F1577 "Gluu SSO IDP" as Gluu materialdesignicons F08C6 "TAG\nmod_auth_openidc\nApp" as TAG #green autonumber 1 User->JIRA:Access JIRA Application JIRA->User:SAML Redirect to IDP Login User->Gluu:SAML Login activate Gluu Gluu->User:New Session\nPrompt Login User->Gluu: Enter username/password Gluu->Gluu: Check if user is\nAdmin for JIRA Gluu->User: Successful Login\nSAML Redirect to JIRA deactivate Gluu User->JIRA: Access JIRA Application note over User: <align:center>A few\nmoments later</align> User->TAG: Access TAG Application TAG->User: Reverse Proxy redirect to IDP Login User->Gluu: SSO Login activate Gluu Gluu->Gluu:Validate\nSSOSession Gluu->User:SSOSession Validated\nRedirect to TAG deactivate Gluu User->TAG: Access TAG Application ``` So our idea is to be able to invalidate the SSOSession if the User is determined to be a Admin of the Application accessed.

By Yuriy Zabrovarnyy staff 04 Jul 2024 at 5:31 a.m. CDT

Yuriy Zabrovarnyy gravatar
Is it question about step 12 to decide whether to invalidate AS session ? `post-authn` script is invoked on each call to Authorization Endpoint (`/authorize`). It means that on step 11 to Authorization Endpoint `post-authn` script can intercept call and in script you can invalidate server session if needed. Script provides access to session and request objects. Example: ``` def forceReAuthentication(self, context): session = context.getSession() request = context.getHttpRequest() if (<condition for invalidation>): # if True is returned server invalidates session and redirects for authorization return True return False ```

By Kee Wee Wong Account Admin 04 Jul 2024 at 9:54 p.m. CDT

Kee Wee Wong gravatar
Hi @Yuriy.Zabrovarnyy, Yes, we are looking at checking the the user session vs the condition we have set for user to be stepped up. For mod_auth_openidc, I believe we can implement the `post-authn` script in the OpenID Connect Client for the Reverse Proxy. What about SAML Applications? Where can we define the `post-authn` to intercept the `/authorize` call?

By Yuriy Zabrovarnyy staff 05 Jul 2024 at 7:49 a.m. CDT

Yuriy Zabrovarnyy gravatar
`post-authn` script lives inside AS. It has to be assigned to respective client. Each time RP calls AS Authorization Endpoint (`/authorize`) AS checks whether client send in request has `post-authn` script assigned to it (on db level `jansClnt` should have DN of script in `postAuthnScripts` attribute). If yes it invokes script assigned to that client. Client is the entity which represents RP on AS side.

By Michael Schwartz Account Admin 05 Jul 2024 at 10:54 a.m. CDT

Michael Schwartz gravatar
Maybe @Dzouato Djeumen.Rolain Bonaventure could comment here about how this translates in the Shib IDP SAML flow.

By Dzouato Djeumen Rolain Bonaventure staff 10 Jul 2024 at 3:29 p.m. CDT

Dzouato Djeumen Rolain Bonaventure gravatar
Please find attached a sequence diagram for a tentative description of the authentication flow you'd like to achieve. Let me know if you have any questions.

By Michael Schwartz Account Admin 15 Jul 2024 at 8:11 a.m. CDT

Michael Schwartz gravatar
If it's ok, I"m making this issue public because it may be useful for other Gluu 4 end users, and there is nothing customer specific I see here.

By Kee Wee Wong Account Admin 15 Jul 2024 at 8:39 p.m. CDT

Kee Wee Wong gravatar
Hi @Michael.Schwartz, I've removed references to the customer, you may make it public. @Dzouato Djeumen.Rolain Bonaventure, I can see that the SAML authn flow is also using the post_authn script to handle the session check and triggering re-authn May I know where can we define this post_authn script in Gluu?

By Dzouato Djeumen Rolain Bonaventure staff 17 Jul 2024 at 9:34 a.m. CDT

Dzouato Djeumen Rolain Bonaventure gravatar
Hello Kee Wee, You can find information about the Post Authentication script here: https://gluu.org/docs/gluu-server/4.5/admin-guide/custom-script/#post-authn

By Mobarak Hosen Shakil staff 20 Aug 2024 at 9:16 a.m. CDT

Mobarak Hosen Shakil gravatar
Hi, Kee Wee! Do you need any further assistance on this ticket? Let us know if we can close it. Regards ~ Shakil

By Kee Wee Wong Account Admin 20 Aug 2024 at 9:10 p.m. CDT

Kee Wee Wong gravatar
Hi @Mobarak Hosen.Shakil, Thanks for reminding this ticket. Yes, we see the post-authn script to handle the the session, however, how can we assign this script to the SAML clients? I am seeing that the scripts have to be assign to a OpenID Connect client to take effect and there is no such function or feature in SAML TR configuration.

By Mobarak Hosen Shakil staff 27 Aug 2024 at 1:35 a.m. CDT

Mobarak Hosen Shakil gravatar
Hi, Kee Wee! It's possible to attach post authn script with SAML TR. Please apply the following changes: 1. Goto OpenID Clients and find IDP Client 2. Inside IDP Client > Custom Scripts tab > post authn script 3. Select the post authn script you have added Do you have multiple TR in Gluu? All SAML TR usage IDP client for authentication and authorization. Regards ~ Shakil