Enroll 2FA to thousands of users: Automating processes with privacyIDEA (PowerPoint PPT Presentation)



SLIDE 1

Enroll 2FA to thousands of users: Automating processes with privacyIDEA. FOSDEM 2018, Cornelius Kölbel

SLIDE 2

About Cornelius

  • Cornelius Kölbel
  • 2FA since 2005
    – Smartcards, Aladdin eToken, privacyIDEA since 2014
  • Cornelius.koelbel@netknights.it
  • @cornelinux
  • @privacyidea

SLIDE 3

Challenges

  • 2FA for services offered by city administration

SLIDE 4

Challenges

  • End customers of electricity provider

SLIDE 5

Challenges

  • 2FA for all university students!

SLIDE 6

Problems

  • User will not come to admin desk
  • User unknown
  • User dislocated
  • User not tech savvy

SLIDE 7

Problems

  • User should not copy

SLIDE 8

Management and Authentication

SLIDE 9

Network structure

Diagram labels: Administration, REST API, PAM, RADIUS, SAML, LDAP-Proxy, Win Cred Prov, REST API, Web UI, CLI, DB

SLIDE 10

privacyIDEA can manage different token types

  • Key-fob Tokens
  • OTP Cards
  • SMS, Email, Smartphone
  • Yubikey
  • U2F
  • eToken NG/OTP
  • SSH Keys
  • x.509-Certificates
  • Meta-Tokens (Forward, RADIUS, 4eyes)
  • ...

SLIDE 11

Structure of privacyIDEA

  • UI on Webserver
  • REST API on Webserver
  • Library level
  • Database level

See: http://privacyidea.readthedocs.it

SLIDE 12

Possible automations

  • Database (SQL)
  • Library-Calls
  • REST API-Calls
  • Event Handler

SLIDE 13

Library

  • Python libs for all tasks.
  • No need for REST API
    – No load on Webserver
  • Tools for
    – expired users,
    – janitor for orphaned tokens

SLIDE 14

Example: automation via library

SLIDE 15

Call your API

  – POST /validate/check
  – POST /token/init
  – GET /token/
  – DELETE /token/OATH12344

See: http://privacyidea.readthedocs.it

SLIDE 16

Example: API automation

Generate tokens for users
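The API calls from slides 15 and 16 put together into a bulk-enrolment script, as an added example that is not code from the talk or from the privacyIDEA project. It assumes a placeholder host, an admin account, a realm name and a constructed CSV of usernames; the `stub_urlopen` stand-in answers the two endpoints offline so the flow can be exercised without a server.

```python
import csv, io, json
from urllib import request
from urllib.parse import parse_qs, urlencode

BASE_URL = "https://privacyidea.example.com"  # assumed placeholder host

def api_call(path, data, auth_token=None, urlopen=request.urlopen):
    """POST form data to privacyIDEA and return its parsed JSON envelope;
    'urlopen' is injectable so the flow can run offline against a stub."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_token:
        headers["Authorization"] = auth_token  # privacyIDEA takes the bare JWT here
    req = request.Request(BASE_URL + path, data=urlencode(data).encode(),
                          headers=headers, method="POST")
    with urlopen(req) as resp:
        envelope = json.loads(resp.read().decode())
    if not envelope.get("result", {}).get("status"):  # server-side failure
        raise RuntimeError(f"{path} failed: {envelope.get('result')}")
    return envelope

def enroll_paper_tokens(user_csv, admin_user, admin_pass, realm, urlopen=request.urlopen):
    """Enroll one paper token per CSV row (column 'username'); returns {username: serial}."""
    jwt = api_call("/auth", {"username": admin_user, "password": admin_pass},
                   urlopen=urlopen)["result"]["value"]["token"]
    serials = {}
    for row in csv.DictReader(io.StringIO(user_csv)):
        reply = api_call("/token/init", {"type": "paper", "genkey": "1",
                                         "user": row["username"], "realm": realm},
                         jwt, urlopen)
        serials[row["username"]] = reply["detail"]["serial"]
    return serials

class _StubResponse:
    """Minimal file-like object standing in for an HTTP response."""
    def __init__(self, payload): self.body = json.dumps(payload).encode()
    def read(self): return self.body
    def __enter__(self): return self
    def __exit__(self, *exc): return False

def stub_urlopen(req):
    """Constructed stand-in for the server: answers /auth and /token/init offline."""
    if req.selector == "/auth":
        return _StubResponse({"result": {"status": True, "value": {"token": "stub-jwt"}}})
    assert req.get_header("Authorization") == "stub-jwt"  # enrolment must carry the admin JWT
    user = parse_qs(req.data.decode())["user"][0]
    return _StubResponse({"result": {"status": True, "value": True},
                          "detail": {"serial": "PPR" + user.upper()}})

SAMPLE_CSV = "username\nalice\nbob\n"  # constructed sample input
```

Against a real server, drop the `urlopen=stub_urlopen` argument and point `BASE_URL` at the instance; the serials returned are what a later `DELETE /token/<serial>` or the token janitor would act on.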

SLIDE 17

Automation via Event Handler

  • Trigger additional action

SLIDE 18

privacyIDEA HTTP Request

  1. Pre policies (exceptions)
  2. Request
  3. Post policies (exceptions) → Response
  4. Event Handler triggers additional action

SLIDE 19

Ingredients

  • Connected API calls
  • Handler Module (notification, token, script, federation)
  • Conditions
  • Action with options

SLIDE 20

Example Event Handler

  • If a paper token is generated by an administrator, the token will be disabled.
  • It will be enabled if the user authenticates with a registration code.
  • The user gets notified when his registration code is used.

SLIDE 21

Example: Event Handler

  • To support external workflow, set arbitrary token attribute...

SLIDE 22

Example: Event Handler

  • ...and run an external script!

SLIDE 23

Example: Event Handler

  • (API call) /token/init of registration code
  • triggers script to print welcome letter

SLIDE 24

Example: Event Handler

  • /token/assign yubikey
  • triggers token handler to set token attribute (needs shipping)

SLIDE 25

Graduate students: Token Janitor

  • Token janitor can find and disable/delete unused tokens

SLIDE 26

Successful 2FA is a matter of smooth workflows

SLIDE 27

  • https://privacyidea.org
  • https://github.com/privacyidea
  • @privacyidea
  • @cornelinux
  • Cornelius.koelbel@netknights.it