Today many services are offered as web applications. These can be self-hosted systems such as ownCloud or Kopano or cloud services such as the Google G Suite / Google Apps for Work.
The number of services a user uses for his daily work is constantly increasing. So the desire for Single Sign-On is understandable. The user logs on centrally once and can then use all connected services without further authentication. The implementation of Single Sign-On was already described in more detail in the article Brief Introduction: SAML.
But in all cases, whether it is their ownCloud instance or Google G Suite, the user logs on to a web application that is available on the Internet. The login is accessible from everywhere – but also for everyone – and is therefore an interesting target for crackers, cyber criminals and industrial spies.
With the new version of the privacyIDEA SAML App companies can decisively increase the security of the Single Sign-On process.
The initial situation
We assume that you already set up UCS as SAML Identity Provider for your services according to the relevant documentation. Currently, however, users only log in with the domain password.
To extend the Single Sign-On login by a second factor, the administrator must first install the two-factor management system privacyIDEA from the Univention App Center. He can do this on a domain controller or on a normal member server. In a growing domain it makes sense to install privacyIDEA on a member server. During the installation from the App Center, privacyIDEA is already configured automatically so that the administrator can log on to the privacyIDEA management interface and roll out test tokens for the users – for example, smartphone tokens for use with the privacyIDEA Authenticator.
privacyIDEA supports a number of other token types such as OTP key fobs, OTP cards, Yubikeys, SMS or e-mail.
For your tests you should get a demo subscription for privacyIDEA here.
Authenticate only once, but securely
Now the administrator can extend the SSO logon by a second factor. With Single Sign-On with SAML, the user logs on to the identity provider. The SAML Identity Provider runs on the UCS domain controller. This means that the administrator must also install the privacyIDEA SAML App from the App Center on the respective domain controller.
On UCS 4.3, the privacyIDEA SAML App is now available in version 1.7, which we discuss here, because as of version 1.7 privacyIDEA can also be used as a so-called “Auth-Proc-Filter”. In the first step the user logs in as usual with his domain password. In an additional second step he is asked for his second factor, which is verified by the privacyIDEA server.
The advantages here are that the respective service, whether it is Google G Suite, Microsoft Office 365 or a self-hosted service, continues to receive the SAML attributes exclusively from the LDAP module of the UCS Identity Provider. The communication between the service (the SAML service provider) and the identity provider does not change. This means that the administrator can be sure that any service that is already connected to the UCS via SAML Single Sign-On will continue to function seamlessly with two factors.
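To make the two-step flow concrete, here is an added illustration in Python. It is not the privacyIDEA SAML App's own code (that app is a PHP auth-proc filter) but a simplified model of the same decision logic: the first factor is checked against the Identity Provider's user store (a constructed in-memory stand-in for LDAP), and only then is the OTP sent to privacyIDEA's /validate/check endpoint, whose JSON answer carries result.status and result.value. The server URL, user name, password and OTP are constructed sample values; the HTTP transport is injectable so the example runs offline against a constructed response, and any transport error or malformed answer fails closed.

```python
"""Hypothetical model of the privacyIDEA "Auth-Proc-Filter" login flow (added example)."""
import json
import urllib.parse
import urllib.request

# Constructed stand-in for the IdP's LDAP backend: user -> (password, SAML attributes).
# In the real setup these attributes still come from the UCS LDAP module, never from privacyIDEA.
LDAP_USERS = {
    "alice": ("correct horse", {"uid": "alice", "mail": "alice@example.com"}),
}


def check_domain_password(user, password):
    """Step 1: return the SAML attributes from LDAP, or None when the password fails."""
    entry = LDAP_USERS.get(user)
    if entry is None or entry[0] != password:
        return None
    return dict(entry[1])


def build_validate_request(base_url, user, otp):
    """Build the POST to privacyIDEA's /validate/check endpoint.

    base_url is the value of the privacyidea/saml/url setting, e.g.
    https://your.privacyidea.server/privacyidea (constructed host name).
    """
    url = base_url.rstrip("/") + "/validate/check"
    body = urllib.parse.urlencode({"user": user, "pass": otp}).encode()
    return url, body


def parse_validate_response(raw):
    """Return True only if privacyIDEA reports status=true AND value=true.

    A transport error, malformed JSON, a missing field or status=false all
    count as a failed second factor (fail closed).
    """
    try:
        result = json.loads(raw)["result"]
        return bool(result.get("status")) and result.get("value") is True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False


def http_post(url, body):
    """Default transport: a real HTTPS POST (replaced by a stub in the demo below)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def authproc_login(user, password, otp, privacyidea_url, post=http_post):
    """Whole flow: return the SAML attributes on success, None on any failure."""
    attributes = check_domain_password(user, password)
    if attributes is None:
        return None  # first factor failed; privacyIDEA is not even asked
    url, body = build_validate_request(privacyidea_url, user, otp)
    try:
        raw = post(url, body)
    except OSError:
        return None  # privacyIDEA unreachable: deny rather than fall back to one factor
    if not parse_validate_response(raw):
        return None
    return attributes


def fake_privacyidea(otp_ok):
    """Constructed transport returning a response in the shape privacyIDEA uses."""
    def post(url, body):
        if not url.endswith("/validate/check"):
            raise OSError("unexpected endpoint")
        return json.dumps({"result": {"status": True, "value": otp_ok}})
    return post


if __name__ == "__main__":
    pi_url = "https://your.privacyidea.server/privacyidea"  # constructed
    print(authproc_login("alice", "correct horse", "123456", pi_url, post=fake_privacyidea(True)))
    print(authproc_login("alice", "correct horse", "000000", pi_url, post=fake_privacyidea(False)))
```

The point to take from the model is the ordering and the fail-closed behaviour: the password check happens entirely on the Identity Provider, privacyIDEA only ever answers yes or no for the OTP, and an unreachable or misbehaving privacyIDEA server denies the login instead of silently degrading to single-factor access.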
To enable two-factor authentication on the Identity Provider, the administrator only needs to set the following UCR variables there:
ucr set privacyidea/saml/enable=authproc
ucr set privacyidea/saml/url=https://your.privacyidea.server/privacyidea
This activates two-factor authentication via the “Auth-Proc-Filter”; the second factor is then verified against the privacyIDEA server “your.privacyidea.server” in the network.
Next steps
This way an organization can ensure that users always log on to publicly available services securely. Moreover, the central management of the second factors offers further advantages: the enrolled second factors can also easily be used to log on to VPNs, SSH servers or desktop clients.