Configuring CAS On Ubuntu For Two-Factor Authentication With WiKID - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by nowen (Contact Author) (Forums) on Fri, 2011-12-23 12:36. ::

User registration and logging In

Registering the token

Start your WiKID software token. Select Action, Create new domain. Enter the 12 digit domain identifier for your WiKID server. This is typically the zero-padded IP address.

Add Two-factor authentication domain

You will be prompted to set a PIN.

Set PIN for two-factor authentication

You will get back a registration code from the server. This registration must be validated for the user to login.

Registration code for two-factor authentication

Log in to the WiKIDAdmin and click on the Users tab and then Manually validate a user. You will see your registration code.

Register the user

Click on the registration code and enter your username.

add username

Now, head back to the token to the and select Get Passcode.

Get an OTP

Enter your PIN.

Enter PIN

You will get back an OTP from the WiKID Strong Authentication Server.

OTP

Additionally, your default browser will be opened the CAS login page as specified under the Registered URL.

CAS will forward the username and one-time passcode to the WiKID server using RADIUS. If the credentials match. the user will be authenticated.

Successful SSO login

If you run the software token in debug mode, you will see the token validating the SSL certificate for you:

Received 128 bytes from server.
validatedURL() processing response ...
validatedURL() returned url: https://cas.wikidsystems.com/cas/login
validatedURL() hash_from_server: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() hash_from_me: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() validated_url: https://cas.wikidsystems.com/cas/login
Validity check returning: https://cas.wikidsystems.com/cas/login

If there is a Man-in-the-Middle attack the user will get an error that the URL has changed and to contact the administrator. The debug output will show that the hashes do not match:

Received 128 bytes from server.
validatedURL() processing response ...
validatedURL() hash_from_server: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() hash_from_me: /HAtxIVzVL6yo1OjTkPca74xd8s=
Validity check returning: null

 

Conclusion

Single sign-in is a great tool but it creates a "keys to the kingdom" situation where compromising a single set of credentials can result in a much larger breach than without SSO. Additionally, organizations are using SSO for cloud-based services such as Google Apps.

Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.