By: Mathieu Minh user 02 Dec 2018 at 9:37 a.m. CST

10 Responses
Hi Gluu team,

I'm currently implementing SSO/SLO with U2F via Super Gluu. My goal is to configure many applications with two-step U2F authentication with only one enrollment per device.

In my case, for my proof of concept, I have two applications with two distinct login URLs:

* APP_A : https://IP_ADRESS:8443/login
* APP_B : https://IP_ADRESS:8444/login

Cinematics:

A - Connection to APP_A

1. Go to https://IP_ADRESS:8443/login
2. Redirection to https://acme/oxauth/login.htm
3. First step login
4. Redirection to https://acme/oxauth/auth/super-gluu/login.htm
5. Scan QR code with the Super Gluu Android application
6. Approve enrollment on my Android device
7. Redirection to https://IP_ADRESS:8443/home

B - Go to APP_B

1. Go to https://IP_ADRESS:8444
2. Redirection to https://IP_ADRESS:8444/home
3. SSO works!!!
4. Logout on APP_B
5. FRONT_CHANNEL execution
6. Redirection to https://IP_ADRESS:8444/login => https://acme/oxauth/login.htm
7. Go to the APP_A tab and press F5 (refresh)
8. Redirection to https://IP_ADRESS:8443/login => https://acme/oxauth/login.htm
9. SLO works!!!

If I try to reconnect from APP_A, the authentication cinematic skips the enrollment and sends me a push notification on my Android device. After approval, I'm logged in to APP_A. But if I try to reconnect from APP_B, I have to perform another enrollment. In my understanding, I should have received a push notification and, after approval, gone to the home of APP_B.

After some research in the LDAP, the logs and the Super Gluu script, I saw that a fido is stored for each applicationId, actually the login redirect URI, in the attribute oxApplication in the LDAP. More details in the code, SuperGluuExternalAuthenticator.py:

```
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId")
if u2f_devices_list.size() == 0:
    auth_method = 'enroll'
    print "Super-Gluu. Authenticate for step 1. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, client_redirect_uri, auth_method)
```

**Is it possible to group the device registration for a group of applications?**

Because even if I perform the enrollment for APP_B, I have an error on the Super Gluu Android application: *Failed: Duplicate Enrollment. There is already an existing key for this account on this device.*

So I'm facing a problem, but maybe it's because I missed something. Thanks in advance for your help.

Regards,
Mathieu

PS: To give you more information about my context, here are my settings.

The installation: Gluu server version 3.1.4, OS: CentOS 7

Gluu server installation:

* Detected OS: centos
* Detected init: systemd
* Detected Apache: 2.4
* Install oxAuth: True
* Install oxTrust: True
* Install LDAP: True
* Install JCE 1.8: True
* Install Apache 2 web server: True
* Install Shibboleth SAML IDP: False
* Install oxAuth RP: False
* Install Passport: False

I enabled the SUPER GLUU authentication script in: Person Authentication > super_gluu

I configured the default authentication to SUPER_GLUU in: Manage Authentication > Default Authentication Method > default_acr

I configured two OpenID Connect clients with the same sector identifier. Client configuration example:

* Persist Client Authorizations:* FALSE
* Pre-Authorization:* TRUE
* Application Type:* WEB
* Subject Type:* PUBLIC
* Access Token as JWT: TRUE
* Access Token signing algorithm: HS256
* Sector Identifier URI: https://acme/oxauth/sectoridentifier/7daf7291-5dd0-4231-986f-7d0e46626831
* Include Claims In Id Token:* FALSE
* Logout Session Required:* TRUE
* Authentication method for the Token Endpoint:* CLIENT_SECRET_BASIC
* Login Redirect URIs:* https://IP_ADRESS:8443/login
* Logout Redirect URIs:* https://IP_ADRESS:8443/finishlogout
* Grant Types: authorization_code, refresh_token
* Scopes: clientinfo, email, openid, permission, user_name
* Response Types: code
* Front Channel Logout URI: https://acme/identity/logout, https://IP_ADRESS:8444/finishlogout

And the logs, oxauth_script.log:

```
2018-12-02 09:56:53,643 DEBUG [qtp804611486-16] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:255) - Executing python 'getPageForStep' authenticator method
2018-12-02 09:56:53,665 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:362) - Validating acr_values: 'super_gluu'
2018-12-02 09:56:53,666 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:129) - Executing python 'isValidAuthenticationMethod' authenticator method
2018-12-02 09:56:53,667 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:227) - Executing python 'prepareForStep' authenticator method
2018-12-02 09:56:53,670 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 1
2018-12-02 09:56:53,670 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-12-02 09:57:08,622 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:171) - Executing python 'authenticate' authenticator method
2018-12-02 09:57:08,626 INFO [qtp804611486-18] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Authenticate for step 1
2018-12-02 09:57:08,698 INFO [qtp804611486-18] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Authenticate for step 1. There is no U2F 'bmarley' user devices associated with application 'https://192.168.1.14:8444/login'. Changing auth_method to 'enroll'
2018-12-02 09:57:08,698 INFO [qtp804611486-18] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Authenticate for step 1. auth_method: 'enroll'
2018-12-02 09:57:08,699 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:269) - Executing python 'getApiVersion' authenticator method
2018-12-02 09:57:08,700 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:185) - Executing python 'getNextStep' authenticator method
2018-12-02 09:57:08,702 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-12-02 09:57:08,703 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:157) - Executing python 'getCountAuthenticationSteps' authenticator method
2018-12-02 09:57:08,705 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:255) - Executing python 'getPageForStep' authenticator method
2018-12-02 09:57:08,706 INFO [qtp804611486-18] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. authmethod 'enroll'
2018-12-02 09:57:08,707 DEBUG [qtp804611486-18] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
2018-12-02 09:57:08,727 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:362) - Validating acr_values: 'super_gluu'
2018-12-02 09:57:08,727 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:129) - Executing python 'isValidAuthenticationMethod' authenticator method
2018-12-02 09:57:08,728 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:227) - Executing python 'prepareForStep' authenticator method
2018-12-02 09:57:08,729 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 2
2018-12-02 09:57:08,750 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 2. auth_method: 'enroll'
2018-12-02 09:57:08,764 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 2. Adding req_ip and req_loc to super_gluu_request
2018-12-02 09:57:08,765 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Determine remote location. remote_ip: '192.168.1.14'
2018-12-02 09:57:11,322 TRACE [oxAuthScheduler_Worker-1] [org.xdi.service.custom.script.CustomScriptManager] (CustomScriptManager.java:124) - Last finished time '2018-12-02T09:57:11.322+0000'
2018-12-02 09:57:13,827 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Determine remote location. Get response with status: 'fail'
2018-12-02 09:57:13,827 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 2. Failed to determine remote location by remote IP '192.168.1.14'
2018-12-02 09:57:13,831 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - Super-Gluu. Prepare for step 2. Prepared super_gluu_request:
2018-12-02 09:57:13,832 INFO [qtp804611486-15] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - {"app":"https://192.168.1.14:8444/login","licensed":false,"method":"enroll","req_ip":"192.168.1.14","created":"2018-12-02T09:57:08.763000","issuer":"https://acme","state":"a820c8f5-a38c-4714-b5aa-a01e7d6b2311","username":"bmarley"}
2018-12-02 09:57:13,833 DEBUG [qtp804611486-15] [org.xdi.oxauth.service.external.ExternalAuthenticationService] (ExternalAuthenticationService.java:241) - Executing python 'getExtraParametersForStep' authenticator method
```

By William Lowe staff 02 Dec 2018 at 10:07 a.m. CST

Hmm, this is a little strange. So just to confirm, `app a` and `app b` are both pointing at the same Gluu Server for SSO? In your oxTrust configuration, what do you have the `default_acr` field set to? If it's set to Super Gluu, both apps should get Super Gluu authentication.

You should only have to enroll a device one time per user, per Gluu Server. So in your scenario, if you are using the same user and the same device, you should only have to enroll the device during the first authentication attempt, in your case `app a`. Assuming the apps are pointed at the same Gluu Server, you're using the same user, and both apps are getting Super Gluu authentication, you should get a push notification for all authentication attempts post enrollment.

By William Lowe staff 02 Dec 2018 at 10:12 a.m. CST

Sorry, I just re-read your post and see you already specified you have your acr set up properly. Let me see if we can replicate.

Thanks,
Will

By William Lowe staff 04 Dec 2018 at 12:09 p.m. CST

Hi,

We found the issue and are testing the fix now. Will confirm here shortly. Thanks for your report!

Will

By Mathieu Minh user 04 Dec 2018 at 1:07 p.m. CST

Hi,

Good news! I'm glad to help the Gluu community. I'm looking forward to integrating the fix.

Thanks,
Mathieu

By William Lowe staff 10 Dec 2018 at 11:52 a.m. CST

Hi Mathieu,

Sorry for the delay. Please replace the existing Super Gluu script in your Gluu Server with the following updated script:

https://github.com/GluuFederation/oxAuth/blob/version_3.1.5/Server/integrations/super_gluu/SuperGluuExternalAuthenticator.py

That should do the trick. Please re-test and confirm here when you have a moment.

Thanks in advance,
Will

By Mathieu Minh user 10 Dec 2018 at 2:06 p.m. CST

Hi William,

So I pasted the new script from your link to: Manage Custom Scripts > Person Authentication > super_gluu > Script, then clicked on Update.

I removed all the fido items for my user in the LDAP. I removed the key in the Super Gluu Android app. Then I played the following cinematic:

1 - Connection to APP_A

* Go to https://IP_ADRESS:8443/login
* Redirection to https://acme/oxauth/login.htm
* First step login
* Redirection to https://acme/oxauth/auth/super-gluu/login.htm
* Scan QR code with the Super Gluu Android application
* Approve enrollment on my Android device
* Redirection to https://IP_ADRESS:8443/home
* Logout

2 - Connection to APP_B

* Go to https://IP_ADRESS:8444/login
* Redirection to https://acme/oxauth/login.htm
* First step login
* Redirection to https://acme/oxauth/auth/super-gluu/login.htm
* **Enrollment prompt again!!!**

Conclusion: I saw the change in the script with the refactoring of the method getClientRedirecUri => getApplicationUri, but it seems insufficient in my case.

Regards,
Mathieu

By Yuriy Movchan staff 11 Dec 2018 at 3:10 a.m. CST

Hi Mathieu,

This new script allows overriding the application_id. Can you add a new script parameter `application_id` with a value like `https://acme..`? You can specify any valid https value here. With this parameter both applications should use the same enrollment.

Regards,
Yuriy
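A small model of the lookup Yuriy describes, added here as an illustration and not code from the Gluu project: device registrations are keyed by the application id, which is the client's login redirect URI unless the `application_id` script parameter overrides it. The `DeviceRegistry` and `PhoneApp` classes are hypothetical stand-ins for the LDAP-backed deviceRegistrationService and the Super Gluu app, and keying the phone's stored key on (issuer, username) is an assumption made for the model.

```python
# Added example, not the Gluu script: why two clients with different login
# redirect URIs get separate enrollments unless `application_id` is set.
# DeviceRegistry and PhoneApp are hypothetical stand-ins; keying the phone's
# key on (issuer, username) is an assumption of this model.

def application_uri(script_params, client_redirect_uri):
    """Honour the `application_id` script parameter when set; otherwise fall
    back to the client's login redirect URI (the pre-fix behaviour)."""
    return script_params.get("application_id") or client_redirect_uri

class DeviceRegistry:
    """Stand-in for the LDAP fido entries: one per (user, oxApplication)."""
    def __init__(self):
        self.entries = set()

    def find_user_device_registrations(self, user_inum, app_id):
        return (user_inum, app_id) in self.entries

class PhoneApp:
    """Stand-in for the Super Gluu app: one key per (issuer, username), and a
    second enrollment for the same account is refused."""
    def __init__(self):
        self.keys = set()

    def enroll(self, issuer, username):
        if (issuer, username) in self.keys:
            raise RuntimeError("Duplicate Enrollment")
        self.keys.add((issuer, username))

def authenticate_step1(registry, phone, params, issuer, user, redirect_uri):
    """Return the auth_method the script would pick for this login."""
    app_id = application_uri(params, redirect_uri)
    if registry.find_user_device_registrations(user, app_id):
        return "authenticate"          # push notification in the real flow
    phone.enroll(issuer, user)         # raises if the phone already has a key
    registry.entries.add((user, app_id))
    return "enroll"

def run_scenario(params, issuer="https://acme", user="bmarley"):
    """Log in to APP_A then APP_B with the same user and phone; return the
    auth_method chosen for each, or the phone-side error for APP_B."""
    registry, phone, results = DeviceRegistry(), PhoneApp(), []
    for uri in ("https://IP_ADRESS:8443/login", "https://IP_ADRESS:8444/login"):
        try:
            results.append(authenticate_step1(registry, phone, params, issuer, user, uri))
        except RuntimeError as err:
            results.append(str(err))
    return results

if __name__ == "__main__":
    print(run_scenario({}))                                  # ['enroll', 'Duplicate Enrollment']
    print(run_scenario({"application_id": "https://acme"}))  # ['enroll', 'authenticate']
```

Without the override the second application triggers a fresh enrollment that the phone rejects, which is the behaviour reported above; with `application_id` set to one value for the whole Gluu Server, the second login finds the existing registration and sends a push.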

By William Lowe staff 11 Dec 2018 at 4:24 a.m. CST

You can use the OP hostname for the parameter value.

By Mathieu Minh user 11 Dec 2018 at 1:50 p.m. CST

Hi William and Yuriy,

I put the attribute `application_id` in the configuration of the super_gluu script. It works now like a charm. Thanks a lot for your reactivity. I will continue my proof of concept and give you some feedback if needed.

Best regards,
Mathieu

By William Lowe staff 11 Dec 2018 at 1:52 p.m. CST

Beautiful. Thanks for confirmation.