By: Brett Cave Account Admin 21 Jun 2017 at 8:47 a.m. CDT

9 Responses
I have a running Gluu server that uses internal LDAP for authentication. I'd like to enable MFA for a POC for Gluu, e.g. using the pre-installed Twilio SMS custom script. I have read https://gluu.org/docs/ce/authn-guide/customauthn/ to get a guide on how to configure it, but have not been able to get MFA working on my installation. Here is what I have done:

1. Enable twilio_sms.
2. Enter the 3 required values as custom properties on the custom scripts page (sid, phone number in "+10000000000" format and token).
3. In Manage Authentication, under Default Authentication, change "oxTrust authentication mode" to twilio_sms. I have left "authentication mode" as ldap.

In a different browser setting, if I kick off the SP-initiated flow and hit the Gluu server, an error page is returned: https://gyazo.com/403b6d5b33da75b0ea57c22317531416

oxauth.log contains the following:

```
2017-06-21 13:22:32,483 WARN [qtp242131142-11] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:341) - Current acr_values: 'twilio_sms' isn't valid
2017-06-21 13:22:32,483 ERROR [qtp242131142-11] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:150) - null
java.lang.NullPointerException: null
	at org.xdi.oxauth.service.external.ExternalAuthenticationService.executeExternalGetAlternativeAuthenticationMethod(ExternalAuthenticationService.java:148) [classes/:?]
...
2017-06-21 13:22:32,484 ERROR [qtp242131142-11] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:345) - Failed to determine alternative authentication mode for acr_values: 'twilio_sms'
```

By Mohib Zico staff 21 Jun 2017 at 8:49 a.m. CDT

Hi Brett, I'll check Twilio and get back to you soon.

By Mohib Zico staff 21 Jun 2017 at 3:15 p.m. CDT

Brett, there is an incompatibility [issue](https://github.com/GluuFederation/oxAuth/issues/571) there. We are working on a workaround till that issue is fixed. I'll be able to share the workaround doc with you by tomorrow.

By Mohib Zico staff 22 Jun 2017 at 3:04 p.m. CDT

Hi Brett, so we have a workaround for now till the created GitHub issue is fixed and oxauth is patched. Seems like it was a dependency issue (Tomcat vs. Jetty) and that's why the twilio_sms script wasn't loading properly. Basically you need to include a couple of libraries inside oxauth.war and use that new war to initialize the twilio_sms script. I could provide you the modified 'oxauth.war' but it's 50+ MB, hard to attach in a ticket. If you want, I can share the procedure for how you can inject those libraries and create a new oxauth war which you can use to test your Twilio setup.

By Brett Cave Account Admin 26 Jun 2017 at 4:19 a.m. CDT

Hi Mohib, that would be great. I have worked with wars a bit and already repacked the oxauth war with 1 or 2 small customizations. Let me know what libraries need to be included. Thanks, Brett

By Mohib Zico staff 27 Jun 2017 at 5:34 a.m. CDT

Hello Brett, here are the action items:

- Extract the current oxauth.war.
- Grab the libs from the tarball below [attached: two libs].
- Put them inside ~/WEB-INF/lib/.
- Repack oxauth.war.
- Stop the oxauth service with `service oxauth stop`.
- Back up your existing 'oxauth.war' [not the new modified one, but the old active one].
- Remove all oxauth-related 'jetty-localhost-80xx-oxauth.war-....' entries from the `/opt/jetty-9.3/temp/` location.
- Put your new oxauth.war in `/opt/gluu/jetty/oxauth/webapps`.
- Start the oxauth service.
- Use the new Twilio script from [here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/twilio_sms).
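
The extract / inject / repack part of the procedure above, as an added example that is not Gluu's own tooling: a small Python script (Python rather than shell so it needs no `zip` or `jar` binary) that writes a copy of the war with the jars added under WEB-INF/lib, records the SHA-256 of the result so the deployed file can later be compared against the backup, and reports which required jars a war is still missing. The paths and jar names are placeholders; the two real libs come from the tarball attached to the ticket.

```python
"""Inject jars into a copy of oxauth.war and verify the result.

Added example, not Gluu's own tooling.  Paths and jar names used with it
are placeholders; the real libs come from the tarball attached above.
"""
import hashlib
import zipfile
from pathlib import Path

LIB_DIR = "WEB-INF/lib/"


def inject_libs(src_war, dst_war, jar_paths):
    """Write dst_war = src_war plus each jar under WEB-INF/lib/.

    Every existing entry is copied unchanged, except a jar in WEB-INF/lib
    with the same file name as one being injected, which is replaced so
    the classpath never carries two versions of it.  Returns the SHA-256
    of the new war so it can be recorded before the file is deployed.
    """
    jar_paths = [Path(p) for p in jar_paths]
    replaced = {LIB_DIR + p.name for p in jar_paths}
    with zipfile.ZipFile(src_war) as src, \
            zipfile.ZipFile(dst_war, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in replaced:
                continue  # the injected copy below supersedes this one
            dst.writestr(info, src.read(info.filename))
        for jar in jar_paths:
            dst.write(jar, LIB_DIR + jar.name)
    return sha256_of(dst_war)


def sha256_of(path):
    """Hex SHA-256 of a file; compare the backup and the deployed war."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def missing_libs(war_path, jar_names):
    """Return the required jar names not found under WEB-INF/lib/.

    Run this on the repacked war before deploying: an empty list means
    the script's dependencies are in place; otherwise the script will
    not load.
    """
    with zipfile.ZipFile(war_path) as war:
        present = {name[len(LIB_DIR):] for name in war.namelist()
                   if name.startswith(LIB_DIR) and name.endswith(".jar")}
    return sorted(set(jar_names) - present)
```

The Jetty temp cleanup, service restart and webapps copy from the list above are deliberately left to the operator, since they need root on the Gluu host.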

By Brett Cave Account Admin 27 Jun 2017 at 6:47 a.m. CDT

Thanks - it was the missing jars. The custom property on a default install was also _sidtwilio instead of twilio_sid, but after adjusting the key and entering values, I have successfully been able to use 2FA via SMS :)

By Mohib Zico staff 27 Jun 2017 at 6:53 a.m. CDT

Very nice! Thanks for confirmation, Brett.

By Brett Cave Account Admin 27 Jun 2017 at 6:57 a.m. CDT

Mohib - a quick question: if I enable Twilio for the oxTrust auth mode and remove the phone number from a test user profile, I am unable to log in (password phase fails). Is there a way to configure this script so that MFA is used only if the user has the phone number attribute set (and also to allow a user to disable MFA if they wish)?

By Mohib Zico staff 27 Jun 2017 at 7:21 a.m. CDT

Yes, we just need to add a couple of declarations to do that; meaning... a custom Twilio authentication script which will be specific to your organization.