
inWebo Casa integration

maduvena edited this page Sep 24, 2019 · 66 revisions

Configuring Gluu and Casa for authenticating and enrolling users using inWebo credentials.

Overview

As an identity provider (IDP) and single sign-on (SSO) platform, the Gluu Server supports a wide range of standard solutions for two-factor authentication (2FA) like OTP, FIDO, and browser certificates. In addition, Gluu can be configured to support authentication products from commercial vendors like inWebo, a provider of multi-factor authentication (MFA) solutions for web, mobile, and non-web applications like RADIUS, VPN, and Wi-Fi.

In this tutorial, we'll explain how to configure the Gluu Server for 2FA using inWebo's browser-based solution, called Virtual Authenticator, and inWebo's desktop and mobile app, called Authenticator 6. We'll also demonstrate how to set up Casa, a self-service portal for the Gluu Server, so end-users can enroll their inWebo 2FA credentials directly from within your IDP's domain.

Prerequisites

For this tutorial, you'll need the following:

  1. Gluu Server 3.1.6 -- (installation instructions)
  2. Casa 3.1.6 -- (installation instructions)
  3. The inWebo authentication script, which is included by default with the Gluu Server
  4. An account with inWebo. Request one here
  5. A smartphone with the inWebo mobile app installed -- Download on Android or iOS

Setup inWebo

The first step is to configure your inWebo account to use an external identity provider.

Follow these instructions:

  1. Create an inWebo account. Request one here

  2. Download certificates for API access. Read this article for more details

  3. Configure Gluu as a "Secure site": Navigate to the tab Secure Sites, select the secure site, and click the pencil icon to edit.

    Fill in the form with the following values and click Update:

    Field                  Value
    Called URL             https://your.gluu.hostname/oxauth/auth/inwebo/iw_va.htm
    Authentication page    https://your.gluu.hostname/oxauth/auth/inwebo/iw_va.htm
    Wildcard used in path  No
    Form name              loginForm
    Login field name       loginForm:username
    Password field name    loginForm:password

Insert image here (inweboConfig.png) - https://drive.google.com/open?id=11I8veBNCWVakoRmtzKUOkuVSBIVr00Wk

Setup Gluu

Configure chroot

  1. Prepare the inWebo credential file /etc/certs/inwebo_creds.json. It contains a single key, CERT_PASSWORD, whose value is the passphrase of the configured certificates. The format of the inwebo_creds.json file is: {"CERT_PASSWORD": "<password_in_plain_text>"}
  2. Download the certificate from the inWebo console; it is needed to make calls to inWebo's API. Place the certificate at /etc/certs/<Filename.p12>

Configure authentication

There are two steps to complete from within the Gluu Server admin dashboard, oxTrust:

  1. Enable the inWebo authenticator
  2. Make inWebo authentication default

Enable inWebo

Follow the steps below to configure inWebo authentication:

  1. Navigate to Configuration > Manage Custom Scripts

  2. Click on the Person Authentication tab

  3. Scroll down to the inWebo authentication script and configure the following parameters:

    Property name       Property value
    iw_cert_store_type  pkcs12
    iw_cert_path        /etc/certs/Filename.p12
    iw_creds_file       /etc/certs/iw_creds.json
    iw_service_id       1234
    iw_api_uri          https://api.myinwebo.com/FS?
    iw_push_withoutpin  false
    2fa_requisite       false

    Note: iw_cert_path must point to the .p12 file you placed in /etc/certs, and iw_creds_file to the credential file you created in the Configure chroot step; the script cannot reach the inWebo API if either path does not match.

Insert image here - ( gluuConfig.png) - https://drive.google.com/open?id=1OAcdEGnNtGmWEjuKWX9iLonJ0WEA728O

  4. Select "File" as the Location Type and specify the Script Path, which points to the location of the script inside the chroot. The inWebo authentication script is included in the default Gluu Server distribution.
  5. Enable the script by ticking the "Enabled" check box.
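As an added pre-flight check that is not part of the Gluu distribution or the inWebo script, the Python below validates the credential file format from the Configure chroot step and the property values from the table above, and flags the easy-to-miss mismatch between the credential file path you created and the iw_creds_file property. All sample values are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample values mirroring this page's property table; placeholders only.
SAMPLE_PROPS = {
    "iw_cert_store_type": "pkcs12",
    "iw_cert_path": "/etc/certs/Filename.p12",
    "iw_creds_file": "/etc/certs/inwebo_creds.json",
    "iw_service_id": "1234",
    "iw_api_uri": "https://api.myinwebo.com/FS?",
    "iw_push_withoutpin": "false",
    "2fa_requisite": "false",
}
SAMPLE_CREDS = '{"CERT_PASSWORD": "example-passphrase"}'


def parse_creds(text):
    """Return the PKCS#12 passphrase from inwebo_creds.json content, or None
    if it is not exactly {"CERT_PASSWORD": "<non-empty string>"}."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or set(data) != {"CERT_PASSWORD"}:
        return None
    pw = data["CERT_PASSWORD"]
    return pw if isinstance(pw, str) and pw else None


def check_props(props, creds_path_created):
    """Return a list of problems in the script properties. creds_path_created is
    the path written in 'Configure chroot', so a renamed creds file is caught."""
    problems = []
    if props.get("iw_cert_store_type") != "pkcs12":
        problems.append("iw_cert_store_type must be pkcs12")
    cert = props.get("iw_cert_path", "")
    if not (cert.startswith("/etc/certs/") and cert.endswith(".p12")):
        problems.append("iw_cert_path should be a .p12 file under /etc/certs")
    if props.get("iw_creds_file") != creds_path_created:
        problems.append("iw_creds_file does not match the credential file created")
    if not props.get("iw_service_id", "").isdigit():
        problems.append("iw_service_id must be numeric")
    uri = urlparse(props.get("iw_api_uri", ""))
    if uri.scheme != "https" or not uri.netloc:
        problems.append("iw_api_uri must be an https URL")
    for key in ("iw_push_withoutpin", "2fa_requisite"):
        if props.get(key) not in ("true", "false"):
            problems.append(key + " must be true or false")
    return problems
```

Run check_props with the values you actually entered in oxTrust and the path of the file you created in /etc/certs; an empty list means the two steps agree.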

Now, inWebo is an available authenticator for your Gluu Server. Using OpenID Connect acr_values, applications can request inWebo authentication for their users.

Make inWebo Default

For the purpose of this tutorial, next we'll make inWebo the default method of authentication for your IDP. This will present inWebo authentication for all login attempts.

Follow these steps:

  1. Navigate to Configuration > Manage Authentication
  2. Select the Default Authentication Method tab.
  3. You'll see two options: Default acr and oxTrust acr. For the sake of this tutorial, simply change the default_acr field to inWebo.

Now your Gluu Server is configured to enforce inWebo authentication.

Setup Casa

Next, let's configure Casa so end-users can easily enroll and manage their inWebo authentication credentials. Install the inWebo plugin by following the steps below:

  1. Download the plugin

  2. Log in to Casa using an administrator account

  3. Visit Administration console > Casa plugins

    Insert image here - https://drive.google.com/open?id=1xKynbsP2vWuvS9HheuqZ19v5cQGfBvKa

  4. Click on Add a plugin... and select the plugin jar file

  5. Click on Add

Users will now see an "inWebo" item in their navigation menu, from which they can enroll their inWebo credentials.

Enroll Devices

Now inWebo credentials can be enrolled and managed via Casa. Navigate back to your credential dashboard, and you will see a new widget for inWebo Devices.

To add a new inWebo credential (virtual authenticator or mobile authenticator), navigate to 2FA credentials > inWebo Credential.
Insert image here (add_inwebo_device.png) - https://drive.google.com/open?id=1qmVScqbVbocrBTwiQ4ZAGqTyKDoJDzKD

Click Ready and you can enroll your inWebo device by any one of the four methods listed in the screenshot.
Insert image here (toActivateDoThis.png) - https://drive.google.com/file/d/1E9ULuzF7Y7i7c6OTJX5KCN3YPCrqL_bd/view?usp=sharing

The first two methods, a and b, are for adding the Authenticator app (mobile and desktop) as an inWebo device.
Insert image here (addAuthenticatorAsInweboDevice.png) - https://drive.google.com/open?id=1IJDxpXNtpJpwi5ar9MD2dHGFnL4qO9DY

The methods listed in c and d are used to add the virtual authenticator (browser) as an inWebo credential.
Insert image here (addVAasInweboDevice.png) - https://drive.google.com/open?id=1B2Ukj4eyc9qYYb9fyQDAosQWcsrK2RZB

Once complete, the new device will appear in a list on the same page. Click the pencil to edit the device's name, or the trashcan to delete the device.
Insert image here (deviceList.png) - https://drive.google.com/open?id=1dP-IcUTdCmteoj-1mpV5PNFHXFSXrW8f

Repeat the above steps with another device so you have two 2FA mechanisms registered for your account -- having two strong authenticators reduces the chance of account lockout.

Test

For a quick test of authentication using the inWebo credential, log in to oxTrust. You will be prompted for your inWebo credentials.

Authentication using inWebo's Virtual Authenticator:
Insert image here - loginUsingInweboVA.png - https://drive.google.com/open?id=1e1_hjppEmJMcu9aagQ6CIJMC7VWDuEIh

Authentication using inWebo's Mobile Authenticator (mobile app):
Insert image here - loginUsingInweboCreds.png - https://drive.google.com/open?id=1zypcQ-qJLf_K0Z8_uReCcJ7A2485PgX1

Now you have an IDP with self-service enrollment for inWebo credentials. Simply configure SSO for your web, mobile, and non-web applications to further leverage your new secure identity infrastructure!

References