OpenAM – HOTP HMAC One-Time Password

Download (DOC, 3.27MB)

Configuring OpenAM in conjunction with the UAG and ADFS implements a federated model of two-factor authentication for the user base we manage. It may even provide the necessary pieces to federate with other federations, but further investigation into the details of the governance model for each federation is required.
The approach would be to first implement the two-factor HOTP model for the SharePoint 2010 Portal. Accessing the SharePoint Portal would encompass the following steps:
• An unauthenticated user attempts to access the SharePoint Portal via the URL that is hosted/protected by the UAG.
• The UAG delegates the authentication process to ADFS. ADFS would be configured to use OpenAM as the account provider, meaning that ADFS would send a browser redirect to the OpenAM Authentication Server via a proxy URL that is hosted/protected by the UAG. Note: We would most likely need to create a custom authentication module for the UAG protecting OpenAM that inspects the request header looking for evidence that the request came from the ADFS redirect.
• OpenAM would then send to the browser the initial request for the username/password credentials used by Active Directory.
• If the credentials are valid, OpenAM sends a one-time password (OTP) via SMTP to the user’s cell phone and/or email account.
• OpenAM sends to the browser a form requesting the OTP.
• The user submits the received OTP back to OpenAM.
• If the OTP is valid, OpenAM sends a SAML Assertion back to ADFS.
• ADFS transforms the SAML Assertion into a SAML Claim Token that SharePoint uses.
• With the user now authenticated, ADFS redirects (via the UAG) back to the original URL requested with the SAML Claim Token.
