Your own ID-Server
On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.
Learn MoreThe following tutorial describes the configuration to use Two-Factor Authentication with SecSign ID Plugin on a third party application using Shibboleth IDP
The SecSignID 2FA flow for Shibboleth Identity Provider v3.3.x. :
The SecSignID flow is designed to be used together with another login flow, usually by utilizing the MFA login flow. The first login flow can be the standard password authentication, connected to a LDAP server. In your AD, the Shibboleth users need the SecSignID attribute in the user profiles.
Alternatively, the On-Premise SecSignID Server can be used to manage the user account to SecSignID mapping
After the password login, the SecSignID of the user will be in the authentication context and can be used for the 2FA.
Please contact us, if you do not want to modify Active Directory user profiles. We offer ID – Username mapping with our on-premise SecSignID server. Mapping via text file is not recommended but possible.
When your users login, they usually authenticate with user name and password first. After that, the second factor will be requested. So how does the mapping of user name and SecSignID work?
You have several options to assign a SecSign ID to a user:
An On-Premise ID Server can handle the user mapping, especially when you won’t or can’t add an attribute to the LDAP user profiles:
User management does not need to be complicated. SecSign ID offers convenient options to automate the enrollment of your users. You can conveniently manage the access to your Shibboleth system for large numbers of users with minimal effort. More about user management
The manual enrollment is perfect for small user bases or to test the integration. Depending on your mapping, just add the SecSignID to your Active Directory user profile or add the EPPN (Shibboleth user name combined with the scope) to the user profile on your on-premise ID server.
You can offer the users to add their SecSign ID during the login. Once the user is logged in with his user name and password, he is prompted to provide his SecSignID. He authenticates with his mobile phone and thus, automatically activates 2FA for the next logins.
If would like to enforce naming patterns on how SecSignIDs are automatically created, we offer QR code enrollment. Once the user is logged in with his user name and password, the SecSignID plugin will generate a QR code containing all server endpoints and predefined SecSignID. The user reads the QR code with the SecSignID app and a new SecSignID will be created automatically on the user’s phone. After performing the two factor authentication, the SecSignID will be assigned to the Shibboleth user for future 2FA.
For an even more convenient and streamlined process you can employ your own SecSignID custom app in combination with your on-premise server. It offers numerous customized enrollment options including Email-based activation codes.
Feature coming soon. Please contact us for more information about enrollment options
1. Build the distribution
You will receive a *.zip file, which contains the plugin source. Extract it to the folder secsign-shibboleth and build the jar file. This might take some time.
$ cd secsign-shibboleth $ ./gradlew build $ ./gradlew jar
2. Copy conf
, edit-webapp
, flows
and views
from IDP_HOME
to $IDP_HOME
on your IDP Server (usually /opt/shibboleth-idp)
.
The following tutorial assumes /opt/shibboleth-idp
as $IDP_HOME.
$ cp -r /secsign-shibboleth/build/* $IDP_HOME/
3. Edit $IDP_HOME/conf/idp.properties
and change the following properties:
/conf/secsignid.properties
to the property idp.additionalProperties=
for example:
idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/secsignid.properties
idp.authn.flows=
to idp.authn.flows=MFA
4. Edit $IDP_HOME/conf/secsignid.properties
and configure it to your liking:
If you use the pattern option, some information need to be extracted from the SAML comunication. To do that, adjust your $IDP_HOME/conf/attribute-resolver.xml accordingly.
The username will be loaded via c14nContext, the scope via secsignid.properties. mail and eppn need to be resolved. See example for IDP3 or IDP4
5. Edit $IDP_HOME/conf/authn/general-authn.xml
, add authn/SecSignID
bean to the element
<bean id="authn/SecSignID" parent="shibboleth.AuthenticationFlow" p:passiveAuthenticationSupported="true" p:forcedAuthenticationSupported="true"> <!-- The list below should be changed to reflect whatever locally- or community-defined values are appropriate to represent MFA. It is strongly advised that the value not be specific to SecSignID or any particular technology. --> <property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://example.org/ac/classes/mfa"/> <list> </property> </bean>
6. Modify the supportedPrincipals list in the bean <bean id="authn/MFA"...
to something like this:
<property name="supportedPrincipals"> <list> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="http://example.org/ac/classes/mfa" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="http://example.org/ac/classes/mfa"/> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" /> <bean parent="shibboleth.SAML2AuthnContextClassRef" c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" /> <bean parent="shibboleth.SAML1AuthenticationMethod" c:method="urn:oasis:names:tc:SAML:1.0:am:password" /> </list> </property>
7. Edit $IDP_HOME/conf/authn/mfa-authn-config.xml
and change the element
to something like this:
<util:map id="shibboleth.authn.MFA.TransitionMap"> <!-- First rule runs the UsernamePassword login flow. --> <entry key=""> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" /> </entry> <!-- An implicit final rule will return whatever the final flow returns. --> <entry key="authn/Password"> <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SecSignID" /> </entry> </util:map>
8. Rebuild the IdP war file
$ $IDP_HOME/bin/build.sh
8. Copy the war file to the public folder and restart the web server. For example with Jetty:
$ cp $IDP_HOME/war/idp.war /opt/jetty.../webapps/ $ service jetty restart
1. Configure the SAMLtest Service Provider
$IDP_HOME/metadata/idp-metadata.xml
$IDP_HOME/conf/metadata-providers.xml
and paste the SAMLtest Metadata from https://samltest.id/download/2. Open https://samltest.id/start-idp-test/ in your browser and paste your entityID of your IdP
All connection or authentication errors and exceptions will be logged to $IDP_HOME/logs/idp-process.log
or $IDP_HOME/logs/idp-warn.log
On premise installations of SecSign ID offer the flexibility to connect with your preferred servers, services, and devices. And you can customize the SecSign ID with your own organization’s branding.
Learn MoreWe are happy to announce that the SecSign ID server has passed the official FIDO certification program of the FIDO Alliance. This will allow you to use the complete FIDO2/WebAuthn standard for passwordless 2FA sign-ins in your exi ...
Mehr LesenThe FIDO2 Project is a set of standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C) to create a strong authentication protocol for the web. It consist mainly of the WebAuth standard for the browser part ...
Mehr LesenIn the recent weeks, home office work has increased potentially. And while employees are practicing social distancing from their home computer, attackers are working hard to exploit security issues in this situation that is unfami ...
Mehr LesenWant to learn more about SecSign’s innovative and highly secure
solutions for protecting your user accounts and sensitive data?
Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product
installation, please see the FAQs for more information on the most common questions. You don’t find the solution to your problem? Don’t hesitate to contact the
Product Support
I am Interested in