FusionAuth
    Posts made by bradley.kite

    • OTP mixed with external identity providers

      Hi there,

      We have a mix of customers - mostly using their own Azure or Okta that we federate with using FusionAuth's Identity Providers and associated reconcile lambdas.

      In this case, MFA is taken care of with the external identity provider.

      However, we sometimes create user accounts manually within FusionAuth, and in this scenario, we want to force MFA (OTP in particular) to be used.

      At the Application level, I can force MFA to be used, thereby making sure that all users enrol the MFA OTP token at login time, but this also means that federated Azure customers then have to have a 3rd layer of authentication.

      There seems to be no configuration setting requiring MFA at the user level, rather than application level - thereby making the user enrol the OTP token regardless of the application they are accessing.

      How do we resolve this?

      Thanks

      Brad.

      posted in General Discussion
      B
      bradley.kite
    • RE: OIDC and Azure AD Groups

      Hi,

      I'm trying to get this working - specifically to fetch the Azure AD Groups list.

      The LAMBDA does not have the required information in order to make the requested API calls into Azure though - we need the "access_token". It is shown in the debug for the external identity provider, but I need it to be passed into the Lambda so that I can use it to make further API calls into Azure (specifically https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http)

      Is there a way I can get an access token from within the Lambda?

      OpenID Connect IdP Response Debug Log for [Cybanetix Azure AD] [00c92a11-475e-4207-ae33-XXXXXXXXXXXXX]

      7/1/2023 07:33:38 AM Z Call the configured Token endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXX/oauth2/token]
      7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
      7/1/2023 07:33:38 AM Z Access Token Response:
      {
      "token_type" : "Bearer",
      "expires_in" : "3599",
      "ext_expires_in" : "3599",
      "expires_on" : "1688200418",
      "access_token" : "YYYYYYYYYYYYYYYYYYYYYYYYYYY",
      "refresh_token" : "HHHHHHHHHHHHHHHHHHHHHHHHH",
      "id_token" : "KKKKKKKKKKKKKKKKKKKKKKKKKKKK"
      }
      7/1/2023 07:33:38 AM Z Call the configured Userinfo endpoint [https://login.microsoftonline.com/5f6cb372-3153-4b59-b2ab-XXXXXXXXXX/openid/userinfo]
      7/1/2023 07:33:38 AM Z Endpoint returned status code [200]
      7/1/2023 07:33:38 AM Z Build a new user object from the returned Userinfo response:
      {
      "amr" : "["pwd"]",
      "family_name" : "Kite",
      "given_name" : "Bradley",
      "ipaddr" : "1.2.3.4",
      "name" : "Bradley Kite",
      "oid" : "f8e0dca2-7d1f-4a30-9f69-JJJJJJJJJJJJJ",
      "onprem_sid" : "S-1-5-21-4038623597-1531512353-3070216767-1103",
      "rh" : "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN",
      "sub" : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
      "tid" : "5f6cb372-3153-4b59-b2ab-XXXXXXXXXXXXXXXX",
      "unique_name" : "bradley.kite@cybanetix.com",
      "upn" : "bradley.kite@cybanetix.com",
      "uti" : "KKKKKKKKKKKKKKKKKKKKKKKKK",
      "ver" : "1.0",
      "wids" : "["62e90394-69f5-4237-9190-012177145e10","b79fbf4d-3ef9-4689-8143-76b194e85509"]",
      "groups" : [ "["66d8de0b-511c-40f6-9bb4-336fa94490a2","7e3bec0e-7061-4b1d-8a7e-69ad326e393e","c1f5f027-3b4b-49a5-8dee-069ef62ae9f9","7cb99d2c-1474-480e-8717-760c540b6eb6","d6058a35-9ae3-4be6-9c84-95e58a2f9a29","d7d34237-a871-4aad-babf-e8e19ab03726","5ba09a3f-4568-41ac-a06b-2b28c7fd411e","4a326844-c011-4935-b44d-4ded98b7cfa3","0cb0665b-23c4-46d6-b397-56a94c99799b","67ecc67c-2b6c-41d2-89a6-e317794c410b","04282083-1a01-4f1e-a7d5-22bc6c2e6027","146973ae-64e3-41a5-9ab0-e8c89aa07a0a","d3d652c4-a54b-4213-982f-487d4f363a32","8545dff2-70e3-4b2f-ab29-dac881c39a9a","5deb9bf5-5abc-41ad-ab29-b7fa24e29176","aa665544-e3eb-4594-80f3-4f7964e6af05","3d18328f-1293-48cd-b218-b6a8d3a703e3","c564dd61-6d1b-43c7-8ec0-33f79707dcfa","15548cd8-65c1-4889-b978-a04d1f630e97","84d0320c-beb3-4012-a565-1696982d12b5","f74fc2bd-7995-4a14-be9e-6302716df420","0bc5a7a3-6d2b-444f-824b-5e73c5fbe471","a1d330da-388e-4b55-9f46-97376aab5422","95c361ce-b2b3-413f-bdb5-ab198cb5e689","3ee4b754-9660-45cf-96a0-eb341cf11ea2","3561d960-9354-4cee-bd34-06b72ffd1ee1","8b523c9e-1786-48e7-b7b6-14afe2b615d9","ff3c0a70-62c6-48f1-aaff-3df958e0bb6c"]" ]
      }
      7/1/2023 07:33:38 AM Z Linking strategy [LinkByEmail]
      7/1/2023 07:33:38 AM Z Resolved email to [null]
      7/1/2023 07:33:38 AM Z Resolved username to [null]
      7/1/2023 07:33:38 AM Z Resolved unique Id to [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA]
      7/1/2023 07:33:38 AM Z Identity provider returned a unique Id [jwSpJK9odbqmZkzqO5HzCLvUgKKksvUz1b5qsX7JxXA].
      7/1/2023 07:33:38 AM Z User with Id [cfb8a0fc-b0b0-448b-869b-efd8a0955887] is linked to this external user.
      7/1/2023 07:33:38 AM Z Invoke configured lambda with Id [89e4f359-83b8-4ca5-9e7f-272d4bae9262]
      7/1/2023 07:33:38 AM Z Updating user:
      {
      "active" : true,
      "breachedPasswordLastCheckedInstant" : 1647404340012,
      "breachedPasswordStatus" : "None",
      "connectorId" : "e3306678-a53a-4964-9040-AAAAAAAAAAAA",
      "data" : { },
      "email" : "bradley.kite@cybanetix.com",
      "firstName" : "Bradley",
      "fullName" : "Bradley Kite",
      "id" : "cfb8a0fc-b0b0-448b-869b-GGGGGGGGGG",
      "insertInstant" : 1598377522115,
      "lastLoginInstant" : 1688196656636,
      "lastName" : "Kite",
      "lastUpdateInstant" : 1688196656636,
      "memberships" : [ {
      "data" : { },
      "groupId" : "12e1f396-885f-45d0-9eb1-b69b5820ea19",
      "id" : "e9b4f8cd-61f1-41e8-a270-06ddcf293d47",
      "insertInstant" : 1647365944503
      } ],
      "passwordChangeRequired" : false,
      "passwordLastUpdateInstant" : 1647365944496,
      "preferredLanguages" : [ ],
      "registrations" : [ ],
      "tenantId" : "863a8e18-7ae4-8ad7-4fa0-XXXXXXXXXXXX",
      "twoFactor" : {
      "methods" : [ ],
      "recoveryCodes" : [ ]
      },
      "uniqueUsername" : "bradley.kite",
      "username" : "bradley.kite",
      "usernameStatus" : "ACTIVE",
      "verified" : true
      }
      7/1/2023 07:33:38 AM Z User is already registered for application with Id [6784dd47-e284-4425-8394-8c3b1d031468].
      7/1/2023 07:33:39 AM Z User has successfully been reconciled and logged into FusionAuth.
      7/1/2023 07:33:39 AM Z Authentication type: OPENID_CONNECT
      7/1/2023 07:33:39 AM Z Authentication state: Authenticated

      posted in Q&A
    • RE: Group Based App Registrations?

      Would it be possible (eg, with some kind of LAMBDA) so that when a user logs in, the LAMBDA can check what groups the user is a member of, and automatically create the app registrations for the app they are trying to access?

      The LAMBDA can then create any app-specific usernames, if required. But I'm not sure if the LAMBDA has access to group membership info?

      posted in General Discussion
    • Group Based App Registrations?

      Hi,

      I'm not 100% sure how groups are meant to be used in FusionAuth.

      I've created a group, assigned it application roles, and put users in the group, but the user still needs to register for the application - is it not possible for app registrations to be inferred from the group's app roles?

      I suspect it's more a case of me not understanding something.

      Thanks for any help offered.

      Regards

      Brad.

      posted in General Discussion
    • RE: MFA / 2FA Force Enrollment

      Hi Dan,

      Is there a formal / supported way for us to write our own pages & logic and integrate it within the same FusionAuth installation?

      For example, is there a directory we can place additional WAR files in? Or Java APIs that we can use to create our own plugins?

      Regards

      Brad.

      posted in General Discussion
    • MFA / 2FA Force Enrollment

      Hi all,

      We have a requirement where a specific application has additional security requirements - specifically that MFA MUST be used before a user can access it.

      Is it possible that, the first time a user tries to log in, they are automatically taken to the page where they need to enrol / configure the Google (or other time-based) MFA app?

      Example:

      User logs in, is redirected to the QR code page where they need to configure Google Authenticator (or another app), then they are allowed access to the SAML application.

      Thanks in advance

      posted in General Discussion
    • RE: SAML v2 POST method

      Thanks Dan,

      I've created a github issue here:

      https://github.com/FusionAuth/fusionauth-issues/issues/845

      posted in General Discussion
    • RE: SAML v2 POST method

      Hi,

      Is the code for io.fusionauth.app.action.samlv2.LoginAction available as open source? I'd like to implement the missing POST method - it appears that the GET method is implemented, but not POST.

      I've found some SAML-related bits on github (https://github.com/FusionAuth/fusionauth-samlv2) but not this class.

      posted in General Discussion
    • RE: SAML v2 POST method

      Hi Dan,

      We are using FusionAuth as the IDP. It's already acting as an IDP for another application, but this app is not playing ball.

      I'm afraid I'm not able to name the application, but it's a web-based cyber security app that has documented support for Okta, Google and ADFS as the IDP, but we are trying to get it to work with FusionAuth. I'm sure it will be possible, but we need to understand what the above error means.

      I've checked the CORS settings and they are fine - we've wild-card allowed CORS requests just as a test, and included POST (among others) as allowed requests.

      Regards

      Brad.

      posted in General Discussion
    • RE: LDAP LAMBDA

      In case anyone else would like to do the same, I have found a solution which I have detailed here:

      https://github.com/FusionAuth/fusionauth-issues/issues/822#issuecomment-680172776

      posted in General Discussion
    • SAML v2 POST method

      Hi there,

      I have an application that only supports SAML POST bindings, and I'm trying to integrate it with FusionAuth.

      I'm getting the following error when I try to log in to my app. The app sends the POST request to FusionAuth, but all I get back is

      HTTP ERROR 405

      HTTP/1.1 405
      Date: Wed, 26 Aug 2020 09:46:08 GMT
      Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
      Access-Control-Allow-Origin: https://XXXXXX
      Vary: Origin
      Access-Control-Allow-Credentials: true
      Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
      Content-Length: 0
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      

      In the server logs (fusionauth-app.log) I get a single line:

      Aug 26, 2020 10:41:30.865 am WARN  org.primeframework.mvc.action.DefaultActionMappingWorkflow - The action class [io.fusionauth.app.action.samlv2.LoginAction] does not have a valid execute method for the HTTP method [POST]
      

      The SAML request that gets sent in the POST request is:

      <?xml version="1.0" encoding="UTF-8"?>
      <saml2p:AuthnRequest AssertionConsumerServiceURL="https://XXXXXX/api/auth/saml2/handle-assertion"
                           Destination="https://XXXX.cybanetix.com/samlv2/login/863a8e18-7ae4-8ad7-4fa0-3e9e02a36525"
                           ForceAuthn="false"
                           ID="a58686e0-6743-4a74-9af1-d3d5a21a6b75"
                           IsPassive="false"
                           IssueInstant="2020-08-26T08:31:36.303Z"
                           ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Version="2.0"
                           xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://XXXX/api/auth/saml2/login</saml2:Issuer>
        <saml2p:NameIDPolicy AllowCreate="true"
                             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
        <saml2p:RequestedAuthnContext Comparison="exact">
          <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2p:RequestedAuthnContext>
      </saml2p:AuthnRequest>
      

      This looks well-formed to me, the ACS looks good and matches the config in the application, as does the Login URL etc.

      Any help will be greatly appreciated.

      --
      Brad.

      posted in General Discussion
    • RE: LDAP LAMBDA

      Hi Dan,

      Thanks - I've created a ticket here:

      https://github.com/FusionAuth/fusionauth-issues/issues/822

      Regards

      Brad.

      posted in General Discussion
    • RE: LDAP LAMBDA

      The problem is that the array of bytes from AD is being interpreted as invalid UTF-16 data.

      This can be seen because I've attempted to get the raw binary data from the objectGUID as follows:

      // Dump each UTF-16 code unit of the objectGUID value as the lambda receives it
      for (var i = 0; i < userAttributes.objectGUID.length; i++)
      {
          console.debug("GUID " + i + ": " + userAttributes.objectGUID.charCodeAt(i));
      }

      This ends up printing the following data:

      GUID 0: 65533
      GUID 1: 65533
      GUID 2: 65533
      GUID 3: 1008
      GUID 4: 65533
      GUID 5: 65533
      GUID 6: 68
      GUID 7: 65533
      GUID 8: 65533
      GUID 9: 65533
      GUID 10: 1568
      GUID 11: 65533
      GUID 12: 88
      GUID 13: 65533

      Is it possible that I can go through the source code at all? I thought there was an open source version of FusionAuth but I couldn't find the code for it.

      I imagine that such binary data needs to actually be an array of bytes. Something is trying to UTF-16 decode the data, and as per https://www.fileformat.info/info/unicode/char/0fffd/index.htm the actual binary data is being replaced with the UTF-16 value of 65533.

      Given that the vast majority of the world (like it or not) uses Active Directory, the LDAP feature is not going to be very valuable to your customers unless we can work through this.

      We have over 150 Linux servers, all joined to an Active Directory domain running on the only two Windows servers we have in our estate. Not ideal, but that's the reality of the world we live in.

      posted in General Discussion
    • RE: LDAP LAMBDA

      Hi Dan,

      I've noticed that the documentation has been updated, that's great, thanks.

      https://fusionauth.io/docs/v1/tech/lambdas/ldap-connector-reconcile

      Here it says that the UID must be a string. From Active Directory, the UID is in binary format. I've tried not assigning an ID but this doesn't work. I get this in the event log:

      8/3/2020 11:49:05 pm BST
      . WARNING DISCARDING USER because it was missing a unique id in the [user.id] property.

      So unless I'm missing something, I'm still in the position where I need to somehow convert from binary to text format.

      What LDAP directory (OpenLDAP, AD etc) are you guys testing against internally?

      --
      Brad.

      posted in General Discussion
    • RE: LDAP LAMBDA

      @robotdan

      I'm very disappointed with this reply.

      In order to evaluate Fusion Auth I had to buy a subscription in the first place (Fusion Reactor) just to get it up and running in a lab environment (it's not even in production).

      There's no documentation, and you can't even provide a reference lambda that works.

      I'm happy to provide the engineering resources on our side to get this working but I'm hesitant to pay further for a product that is lacking in basic documentation when we are just in the evaluation phase. If it turns out there is some other critical component or feature that is not suitable then it would be wasted resources.

      Regards

      Brad

      posted in General Discussion
    • RE: LDAP LAMBDA

      Any update on this guys? I cannot commit our solution to being based on FusionAuth if I'm not able to get this working.

      Thanks in advance

      --
      Brad.

      posted in General Discussion
    • RE: LDAP LAMBDA

      @robotdan This is as far as I got on Friday.

      The problem is that the user.id requires a GUID as a string. If I use the sAMAccountName or userPrincipalName I get the following error:

      Lambda invocation exception.
      
      Id: 79e93d02-aeb6-47a4-9e41-1478ec79a4e5
      Name: Active Directory
      
      com.fasterxml.jackson.databind.exc.InvalidFormatException: Cannot deserialize value of type `java.util.UUID` from String "bradley.kite@cybanetix.com": UUID has to be represented by standard 36-char representation
       at [Source: (String)"{"active":true,"data":{},"memberships":[],"passwordChangeRequired":false,"preferredLanguages":[],"registrations":[],"twoFactorEnabled":false,"verified":false,"email":"bradley.kite@cybanetix.com","firstName":"Bradley","lastName":"Kite","id":"bradley.kite@cybanetix.com"}"; line: 1, column: 241] (through reference chain: io.fusionauth.domain.User["id"])
      

      I've tried using the actual objectGUID field from Active Directory, but this comes across in binary format, and needs to be translated to the string representation of a GUID. I've tried (with the code below) to convert the GUID from binary to string representation but no such luck as yet.

      function reconcile(user, userAttributes) {
        console.debug("USER: " + JSON.stringify(user));
        console.debug("ATTR: " + JSON.stringify(userAttributes));

        user.email     = userAttributes.userPrincipalName;
        user.firstName = userAttributes.givenName;
        user.lastName  = userAttributes.sn;
        user.active    = true;
        // objectGUID arrives as a 16-byte value; FusionAuth needs the 36-char string form
        user.id        = guidToString(userAttributes.objectGUID);

          // guidToString("\374\240\270\317\260\260\213\104\206\233\357\330\240\225\130\207");
      }

      // Format a 16-byte GUID in Microsoft's mixed-endian layout: the first three
      // fields (4, 2 and 2 bytes) are little-endian, the last 8 bytes are in order.
      function guidToString(x)
      {
          var i;
          var ret = "";

          // One byte of x as two lowercase hex digits
          function hexByte(n) {
              return ('00' + x.charCodeAt(n).toString(16)).substr(-2, 2);
          }

          for (i = 3; i >= 0; i--) { ret += hexByte(i); }
          ret += "-";
          for (i = 5; i >= 4; i--) { ret += hexByte(i); }
          ret += "-";
          for (i = 7; i >= 6; i--) { ret += hexByte(i); }
          ret += "-";
          for (i = 8; i <= 9; i++) { ret += hexByte(i); }
          ret += "-";
          for (i = 10; i < 16; i++) { ret += hexByte(i); }

          return ret;
      }
      
      posted in General Discussion
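The byte-order conversion the post above attempts, as an added example that is neither the poster's code nor FusionAuth's: it assumes objectGUID is available as 16 raw bytes (an array, or a one-char-per-byte string), which the thread shows the lambda was not getting, and it treats any U+FFFD (65533) in the input as the sign of a lossy text decode. The constructed sample is the octal byte string from the commented-out line above; decoding it as UTF-8 reproduces the "GUID n: ..." dump posted earlier in the thread, and the clean conversion yields the user Id that appears in the OIDC debug log on this page.

```javascript
// Added example (not FusionAuth's or the poster's code): canonical string form
// of an Active Directory objectGUID, plus the failure mode from the thread.
// AD stores objectGUID as 16 raw bytes in Microsoft's mixed-endian layout:
// Data1 (4 bytes), Data2 (2) and Data3 (2) are little-endian, the final 8
// bytes are in storage order. If those bytes are run through a text decoder
// first, every byte that is not valid text becomes U+FFFD (65533).

const REPLACEMENT_CHAR = 0xfffd;

// Accept either an array of byte values or a "binary string" (one char per byte).
function toCodeUnits(raw) {
  if (typeof raw === "string") return Array.from(raw, (ch) => ch.charCodeAt(0));
  return Array.from(raw);
}

// True when the value already contains U+FFFD: the raw bytes were destroyed
// by a text decode before the reconcile lambda ever saw them.
function isLossyDecoded(raw) {
  return toCodeUnits(raw).some((u) => u === REPLACEMENT_CHAR);
}

// Returns the 36-char GUID string, or null when the input is not exactly
// 16 byte values (wrong length, or a code unit above 0xff such as 65533).
function objectGuidToString(raw) {
  const bytes = toCodeUnits(raw);
  if (bytes.length !== 16) return null;
  if (bytes.some((b) => !Number.isInteger(b) || b < 0 || b > 0xff)) return null;

  const hex = (b) => b.toString(16).padStart(2, "0");
  // Little-endian field: emit bytes from the end of the range back to its start.
  const le = (start, end) => {
    let s = "";
    for (let i = end - 1; i >= start; i--) s += hex(bytes[i]);
    return s;
  };
  // Big-endian field: bytes in storage order.
  const be = (start, end) => bytes.slice(start, end).map(hex).join("");

  return [le(0, 4), le(4, 6), le(6, 8), be(8, 10), be(10, 16)].join("-");
}

// Simulate the damage: decode the raw bytes as UTF-8 text (lossy by design).
function simulateTextDecode(bytes) {
  return new TextDecoder("utf-8").decode(Uint8Array.from(bytes));
}

// Constructed sample: the 16 bytes of the octal escape string in the post
// above ("\374\240\270\317..."), written here as hex.
const SAMPLE_BYTES = [
  0xfc, 0xa0, 0xb8, 0xcf, 0xb0, 0xb0, 0x8b, 0x44,
  0x86, 0x9b, 0xef, 0xd8, 0xa0, 0x95, 0x58, 0x87,
];

console.log(objectGuidToString(SAMPLE_BYTES));
const damagedSample = simulateTextDecode(SAMPLE_BYTES);
console.log(isLossyDecoded(damagedSample), objectGuidToString(damagedSample));
console.log(toCodeUnits(damagedSample));
```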
    • LDAP LAMBDA

      Hi,

      We are just getting started with FusionAuth, currently investigating its suitability for our requirements, and can't seem to get the LDAP lambda to work. I know this is a new feature, which is why there is no documentation, but can someone please provide a reference lambda to use? Or a quick how-to?

      Our basic use case is to have an app authenticate against FusionAuth which behind the scenes uses LDAP, so just looking to get this off the ground in its most simple configuration.

      Thanks

      Brad.

      posted in General Discussion