yubico-shibboleth-idp-multifactor-login-handler
Multi-factor Login Handler for Shibboleth IdP.
MultiFactor Login Handler for use with the Shibboleth IdP.
NOTE: This project is deprecated and is no longer being maintained.
See https://wiki.shibboleth.net/confluence/display/SHIB2/Multi+Factor+Login+Handler (or https://wiki.shibboleth.net/confluence/x/aYBC) for installation instructions.
This version has been successfully tested with Shibboleth IdP versions 2.2.1 and 2.4.0, using the JAAS modules from yubico-validation-client 2.0.2-SNAPSHOT.
What is special about this Login Handler? Two things:
- It collects multiple authentication factors from the login servlet.
  Besides the j_username and j_password collected by the regular UsernamePassword login handler, we also collect j_tokens[0] .. j_tokens[n].
  See MultiFactorAuthLoginServlet.service().
- We convey all these collected factors to JAAS modules by calling the JAAS module's PasswordCallback.setPassword() multiple times, with j_password coming last (to provide some compatibility with single-factor JAAS modules).
  If the JAAS module wants to get more than the first factor, it must pass us a PasswordCallback capable of accumulating factors in setPassword().
  See MultiAuthCallbackHandler.handle().
  See com.yubico.jaas.MultiValuePasswordCallback for an example of a multi-factor capable PasswordCallback.
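The factor-passing convention described above, as an added example (not code from this project or from yubico-validation-client). `AccumulatingPasswordCallback` and `deliver` are hypothetical names, and the token and password values are constructed. It shows why j_password goes last: a stock PasswordCallback keeps only the final setPassword() value, while an accumulating one receives every factor.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.callback.PasswordCallback;

public class MultiFactorCallbackDemo {

    // Hypothetical accumulating callback (not com.yubico.jaas.MultiValuePasswordCallback):
    // every setPassword() call appends a factor instead of overwriting the previous one.
    static class AccumulatingPasswordCallback extends PasswordCallback {
        private final List<char[]> factors = new ArrayList<>();

        AccumulatingPasswordCallback(String prompt) { super(prompt, false); }

        @Override
        public void setPassword(char[] secret) {
            if (secret != null) factors.add(secret.clone());
            super.setPassword(secret); // getPassword() still returns the last factor
        }

        List<char[]> getFactors() { return factors; }

        @Override
        public void clearPassword() {
            for (char[] f : factors) Arrays.fill(f, ' '); // wipe stored factors
            factors.clear();
            super.clearPassword();
        }
    }

    // Handler side, following the order the README describes: tokens first, j_password last.
    static void deliver(PasswordCallback cb, List<String> tokens, String password) {
        for (String t : tokens) cb.setPassword(t.toCharArray());
        cb.setPassword(password.toCharArray());
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials or OTPs.
        List<String> tokens = Arrays.asList("sample-otp-1", "sample-otp-2");
        String password = "sample-password";

        PasswordCallback single = new PasswordCallback("Password: ", false);
        deliver(single, tokens, password);
        System.out.println("single-factor module sees: " + new String(single.getPassword()));

        AccumulatingPasswordCallback multi = new AccumulatingPasswordCallback("Factors: ");
        deliver(multi, tokens, password);
        for (char[] f : multi.getFactors()) System.out.println("multi-factor module sees: " + new String(f));
        multi.clearPassword();
    }
}
```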
Currently known Multi Factor JAAS modules:
- com.yubico.jaas.YubikeyLoginModule for YubiKey OTPs
- com.yubico.jaas.HttpOathOtpLoginModule for OATH token validations