Mfa

From ling

Resources

https://portal.azure.com/#home

AWS Multi-Factor Authentication


Hi GM,

ALEX is the contact on the domestic ITS side who can help with the MFA process.

Technically we have implemented it in Java; if you need help, call us on IM.

The process we followed was:
  1. Log in to the MFA website, fill in the form and submit it.
  2. After Global ITS replies, provide the information they ask for; they will then create an application ID and send it to you.
  3. Integrate MFA into your own system using the ID you received.

MFA-related links. Microsoft URLs (mainly technical, including introductions to implementing MFA with Java, Node.js, etc.):

https://msdn.microsoft.com/en-us/library/ee517291.aspx

https://docs.microsoft.com/zh-cn/azure/active-directory/develop/active-directory-integrating-applications

Deloitte URL:

https://wt.deloitteresources.com/solutions/IAM/Pages/MFA-overview.aspx


Production: https://dttsts.deloitteresources.com/adfs/ls

Staging: https://dttstsstage.deloitteresources.com/adfs/ls

Metadata

Production: https://dttsts.deloitteresources.com/FederationMetadata/2007-06/FederationMetadata.xml

Staging: https://dttstsstage.deloitteresources.com/FederationMetadata/2007-06/FederationMetadata.xml

http://localhost:8080/adal4jsample/

https://login.microsoftonline.com/ec43475f-0788-4d87-8211-c70276d7f17e/oauth2/authorize?response_type=code&scope=directory.read.all&response_mode=form_post&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadal4jsample%2Fsecure%2Faad&client_id=ec07e2ac-87fb-404e-bf88-d3b984f84f1e&resource=https%3a%2f%2fgraph.microsoft.com&state=06dac48f-0f72-4fc0-8d1f-1979d383ca23&nonce=7502f703-e36b-4ee1-a343-e645b32f503a

https://www.cnblogs.com/chenxizhang/p/7904311.html

Principle

SSO OAuth2

Under this model, single sign-on is much easier to achieve, and your application is no longer responsible for the following:

  • Authenticating users.
  • Storing user accounts and passwords.
  • Calling to enterprise directories to look up user identity details.
  • Integrating with identity systems from other platforms or companies.

Basics of auth in aad.png

Simplified-provisioning-flow-consent.png

Implementation

https://docs.microsoft.com/zh-cn/azure/active-directory/authentication/howto-mfa-mfasettings

https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/GettingStarted/fromProviders//hasMFALicense/true

Azure Practice Series 4: Enabling and configuring the free MFA; Azure Practice Series 5: MFA user configuration and results

Microsoft Graph

https://developer.microsoft.com/zh-CN/graph/get-started/java

https://github.com/microsoftgraph/msgraph-sdk-java

Sign in at https://developer.microsoft.com/zh-cn/graph/graph-explorer to obtain a token; the API can then be tested with Postman or similar tools.


https://github.com/Azure-Samples/active-directory-java-webapp-openidconnect

https://github.com/Azure-Samples?q=active-directory

https://docs.microsoft.com/zh-cn/azure/active-directory/develop/authentication-scenarios

https://docs.microsoft.com/zh-cn/azure/active-directory/develop/reference-v2-libraries

https://github.com/scribejava/scribejava/

Mfa-dev&build.PNG

https://developer.microsoft.com/zh-cn/graph/graph-explorer?request=users&version=v1.0 (API testing)

First step: choose the Azure AD tenant where you want to create your applications

Do not sign in with your company account, otherwise you will not have the required permissions.

As a first step you'll need to:

  • Sign in to the Azure portal. https://portal.azure.com/#home
  • On the top bar, click on your account, and then on Switch Directory.
  • Once the Directory + subscription pane opens, choose the Active Directory tenant where you wish to register your application, from the Favorites or All Directories list.
  • Click on All services in the left-hand nav, and choose Azure Active Directory.
  • In the next steps, you might need the tenant name (or directory name) or the tenant ID (or directory ID). These are presented in the Properties of the Azure Active Directory window respectively as Name and Directory ID.

Register the app (Webapp-Openidconnect)

  • In the Azure Active Directory pane, click on App registrations and choose New application registration.
  • Enter a friendly name for the application, for example 'Webapp-Openidconnect' and select 'Web app / API' as the Application Type.

Webapp-Openidconnect --> ling

  • For the sign-on URL, enter the base URL for the sample. By default, this sample uses https://localhost:8000/.
  • Click Create to create the application.
  • In the succeeding page, find the Application ID value and record it for later. You'll need it to configure the configuration file for this project.
  • Then click on Settings, and choose Properties.
  • For the App ID URI, replace the guid in the generated URI 'https://<your_tenant_name>/<guid>', with the name of your service, for example, 'https://<your_tenant_name>/Webapp-Openidconnect' (replacing <your_tenant_name> with the name of your Azure AD tenant)
https://102010cncger.onmicrosoft.com/b5f3a579-bed5-4a19-b725-3614c959b55c --> https://102010cncger.onmicrosoft.com/ling
    • Type a key description (for instance app secret),
    • Select a key duration of either In 1 year, In 2 years, or Never Expires.
    • When you save this page, the key value will be displayed, copy, and save the value in a safe location.
    • You'll need this key later to configure the project. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
iitkey 12/31/2299 CYYECrDcHXYkA8ZNMvsfaY6ToLbn9pheMdFDC1OFPek=
    • Configure Permissions for your application. To that extent, in the Settings menu, choose the 'Required permissions' section and then click on Add, then Select an API, and type Microsoft Graph in the textbox. Then click on Select Permissions and select Read directory data under APPLICATION PERMISSIONS.

Note that Read directory data requires the user granting the permission to be a tenant administrator. If you created an Azure AD tenant as part of the sample, you will be an administrator by default.

Step 4: Configure the sample to use your Azure AD tenant

Open web.xml in the webapp/WEB-INF/ folder. Fill in with your tenant and app registration information noted in registration step. Replace 'YOUR_TENANT_NAME' with the tenant domain name, 'YOUR_CLIENT_ID' with the Application Id and 'YOUR_CLIENT_SECRET' with the key value noted.

Step 5: Package and then deploy the adal4jsample.war file.

$ mvn compile -DgroupId='com.microsoft.azure' -DartifactId=adal4jsample -DinteractiveMode=false

$ mvn package

This will generate an adal4jsample.war file in your /targets directory. Deploy this war file using Tomcat or any other J2EE container solution. To deploy on a Tomcat container, copy the .war file to the webapps folder under your Tomcat installation and then start the Tomcat server.

This WAR will automatically be hosted at http://<yourserverhost>:<yourserverport>/adal4jsample/

Example: http://localhost:8080/adal4jsample/

You're done!

Click on "Show users in the tenant" to start the process of logging in.

graph api

https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/signed-in-user-operations



v1.0: https://docs.microsoft.com/zh-cn/azure/active-directory/develop/sample-v1-code

v2.0: https://docs.microsoft.com/zh-cn/azure/active-directory/develop/sample-v2-code

saml

https://docs.microsoft.com/zh-cn/azure/active-directory/manage-apps/configure-single-sign-on-portal

https://docs.microsoft.com/zh-cn/azure/active-directory/develop/single-sign-on-saml-protocol

https://github.com/vdenotaris/spring-boot-security-saml-sample


Active-directory-saml-single-sign-on-workflow.png

The tenant-specific endpoint is https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml. The placeholder stands for the registered domain name or the TenantID GUID of the Azure AD tenant.

For example, the federation metadata of the contoso.com tenant is at: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

The tenant-independent endpoint is https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml. This endpoint address contains common instead of a tenant domain name or ID.
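An added example, not from this page or from Microsoft's documentation, that builds the two endpoint forms described above and parses the metadata document they return into the pieces a relying party pins (issuer, signing certificate, SAML and WS-Fed endpoints). The XML is a constructed, trimmed sample in the shape Azure AD serves (fake certificate, all-zero tenant GUID); the entityID form https://sts.windows.net/<tenant GUID>/ is the one Azure AD uses.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706", "wsa": "http://www.w3.org/2005/08/addressing"}

def metadata_url(tenant=None):
    """Tenant-specific endpoint for a domain name or tenant GUID; the common endpoint otherwise."""
    return "https://login.microsoftonline.com/%s/FederationMetadata/2007-06/FederationMetadata.xml" % (tenant or "common")

def parse_federation_metadata(xml_text):
    """Pull out what a relying party pins: entityID, signing cert(s), SAML SSO and WS-Fed endpoints."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "saml_sso": None, "wsfed": None}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") == "signing":  # a KeyDescriptor without 'use' is valid for signing too
                for cert in kd.findall(".//ds:X509Certificate", NS):
                    info["signing_certs"].append("".join(cert.text.split()))  # strip the PEM line wrapping
        sso = idp.find("md:SingleSignOnService", NS)
        if sso is not None:
            info["saml_sso"] = sso.get("Location")
    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is not None:
        info["wsfed"] = addr.text.strip()
    return info

def issuer_matches_tenant(info, tenant_guid):
    """Azure AD's entityID is https://sts.windows.net/<tenant GUID>/ (the GUID even when fetched by
    domain name); only pin certificates from metadata whose issuer is the tenant you expect."""
    return info["entity_id"] == "https://sts.windows.net/%s/" % tenant_guid

# Constructed sample in the shape of Azure AD's FederationMetadata.xml (trimmed; fake certificate).
SAMPLE_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000001/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
      <Address>https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/wsfed</Address>
    </EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>MIIC FAKE
        CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Fetch the real document over TLS from the endpoint above and check the issuer before storing its certificate; a certificate taken from metadata whose entityID belongs to another tenant would let that tenant's tokens pass signature checks.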



https://www.jianshu.com/p/d041935641b4

Using OpenSAML to create a SAML 2.0 AuthnRequest object that can be submitted to an IdP (Identity Provider) for authentication


SAML 2.0 Getting Started Guide

directory

https://docs.microsoft.com/zh-cn/azure/active-directory/

MFA

Application

Obtain basic information

Deloitte MFA

Key contacts

Application

Obtain basic information

code

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.UUID;

// Builds the Azure AD (v1 endpoint) authorize URL for the hybrid flow: the authorization
// code and id_token are POSTed back to redirectUri (response_mode=form_post).
// authority, tenant, redirectUri and clientId are fields of the enclosing class.
public static String getRedirectUrl() {
    try {
        String redirectUrl = authority + tenant
            + "/oauth2/authorize?response_type=code%20id_token&scope=openid&response_mode=form_post&redirect_uri="
            + URLEncoder.encode(redirectUri, "UTF-8") + "&client_id="
            + clientId + "&resource=https%3a%2f%2fgraph.windows.net"
            + "&nonce=" + UUID.randomUUID() + "&site_id=500879"; // fresh nonce per request; no state parameter is sent
        return redirectUrl;
    } catch (UnsupportedEncodingException e) {
        // UTF-8 is always available, so this cannot happen; fail loudly rather than redirect to ""
        throw new IllegalStateException(e);
    }
}


import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

// Spring MVC handler for the Reply URL: Azure AD POSTs the authorization code and
// id_token here (form_post). On success the user's claims become the application's own
// session token; otherwise the browser is sent back to Azure AD to sign in.
@RequestMapping("mfa")
public @ResponseBody
String mfaLoginSuccessCallback(HttpServletRequest request, HttpServletResponse response) {
    if (AuthHelper.containsAuthenticationData(request)) {
        // Flatten the POSTed parameters (first value per key) for the OIDC response parser
        Map<String, String> params = new HashMap<>();
        for (String key : request.getParameterMap().keySet()) {
            params.put(key, request.getParameterMap().get(key)[0]);
        }
        String currentUri = redirectUri;
        String fullUrl = currentUri + (request.getQueryString() != null ? "?" + request.getQueryString() : "");
        try {
            AuthenticationResponse authResponse = AuthenticationResponseParser.parse(new URI(fullUrl), params);
            if (AuthHelper.isAuthenticationSuccessful(authResponse)) {
                AuthenticationSuccessResponse oidcResponse = (AuthenticationSuccessResponse) authResponse;
                // Redeem the authorization code at the token endpoint (see getAccessToken below)
                AuthenticationResult result = getAccessToken(oidcResponse.getAuthorizationCode(), currentUri);
                return generateResponseToken(result.getUserInfo());
            } else {
                AuthenticationErrorResponse oidcResponse = (AuthenticationErrorResponse) authResponse;
                log.error(String.format("认证校验错误: %s - %s",
                    oidcResponse.getErrorObject().getCode(), oidcResponse.getErrorObject().getDescription()));
            }
        } catch (Throwable e) {
            log.error("认证错误:", e);
        }
    }
    // No usable authentication data: start a new sign-in at Azure AD
    try {
        response.sendRedirect(getRedirectUrl());
    } catch (IOException e) {
        log.error("redirect to Azure AD failed", e);
    }
    // The response is already committed by sendRedirect; a "redirect:" view name has no effect on a @ResponseBody method
    return null;
}
 

// Azure AD v1 authority (login.windows.net is the legacy alias of login.microsoftonline.com);
// the tenant domain name or GUID is appended to it
public static String authority = "https://login.windows.net/";



import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Redeems the authorization code for tokens with ADAL4J, authenticating as a
// confidential client with the app key created during registration.
private AuthenticationResult getAccessToken(AuthorizationCode authorizationCode, String currentUri)
    throws Throwable {
    String authCode = authorizationCode.getValue();
    ClientCredential credential = new ClientCredential(clientId, clientSecret);
    AuthenticationResult result = null;
    // Created outside the try so that finally never sees a null executor
    ExecutorService service = Executors.newFixedThreadPool(1);
    try {
        // validateAuthority=true: ADAL rejects an authority that is not a known Azure AD instance
        AuthenticationContext context = new AuthenticationContext(authority + tenant + "/", true, service);
        if (constant.isProxy()) {
            // Outbound HTTP proxy for servers without direct internet access (the timeout noted at the end of this page)
            context.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(constant.getProxyUrl(), constant.getProxyPort())));
        }
        // redirect_uri must match the one used in the authorize request exactly
        Future<AuthenticationResult> future = context.acquireTokenByAuthorizationCode(authCode, new URI(redirectUri), credential, null);
        result = future.get();
    } catch (Exception e) { // ExecutionException wraps the ADAL failure; the cause is in e.getCause()
        log.error("MFA登陆错误", e);
    } finally {
        service.shutdown();
    }

    if (result == null) {
        throw new ServiceUnavailableException("authentication result was null");
    }
    return result;
}
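An added example, not part of the page's Java code: the authorize-URL builder and callback from the snippets above, redone in Python with the round trip bound to the user's session. getRedirectUrl() sends a nonce but no state, and mfaLoginSuccessCallback() checks neither, so this version generates both, compares state on the callback and nonce against the id_token claims, and rejects a non-absolute redirect_uri up front (the AADSTS90102 error listed at the end of this page). TENANT and CLIENT_ID are placeholders, the Reply URL is the NON-PROD one listed on this page, and the id_token signature is assumed to have been verified by the library before its claims are passed in.

```python
import secrets
from urllib.parse import urlencode, urlparse

AUTHORITY = "https://login.windows.net/"                        # same authority as the Java code
TENANT = "TENANT_PLACEHOLDER.onmicrosoft.com"                   # placeholder, not a real tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                             # placeholder application ID
REDIRECT_URI = "https://develop.digiiit.deloitte.com.cn/reply"  # the NON-PROD Reply URL from this page

def build_authorize_url(session, redirect_uri=REDIRECT_URI):
    """Build the hybrid-flow authorize URL and park one-shot state/nonce values in the session."""
    parts = urlparse(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Azure AD would answer AADSTS90102 ('redirect_uri' must be absolute); fail locally instead
        raise ValueError("redirect_uri must be an absolute URI: %r" % redirect_uri)
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_nonce"] = secrets.token_urlsafe(32)
    params = {"response_type": "code id_token", "scope": "openid", "response_mode": "form_post",
              "redirect_uri": redirect_uri, "client_id": CLIENT_ID,
              "resource": "https://graph.windows.net",
              "state": session["oauth_state"], "nonce": session["oauth_nonce"]}
    # urlencode renders the space as '+' (the Java version uses %20; both decode to a space)
    return AUTHORITY + TENANT + "/oauth2/authorize?" + urlencode(params)

def _same(a, b):
    """Constant-time string comparison that treats a missing value as a mismatch."""
    return bool(a) and bool(b) and secrets.compare_digest(a.encode(), b.encode())

def validate_callback(session, form, id_token_claims):
    """Check the POSTed callback against the session before the code is redeemed.
    form: the form_post parameters; id_token_claims: the id_token's claims after the library
    has verified its signature against the tenant's signing keys (assumed to have happened)."""
    expected_state = session.pop("oauth_state", None)  # one-shot: a replayed callback finds nothing
    expected_nonce = session.pop("oauth_nonce", None)
    if not _same(form.get("state"), expected_state):
        return False, "state mismatch: callback was not started by this session (CSRF or replay)"
    if "error" in form:
        return False, "%s: %s" % (form["error"], form.get("error_description", ""))
    if not _same(id_token_claims.get("nonce"), expected_nonce):
        return False, "nonce mismatch: id_token was not issued for this sign-in"
    if "code" not in form:
        return False, "no authorization code in callback"
    return True, form["code"]
```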

nginx

    server {
        listen       80;
        listen       443 ssl;
        server_name  develop.digiiit.deloitte.com.cn;
 
        charset utf-8;
 
        location /reply {
          proxy_pass http://127.0.0.1:8300/base/reply;
          proxy_set_header   Host             $host;
          proxy_set_header   X-Real-IP        $remote_addr;
          proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
          client_max_body_size    1000m;
        }
        ssl_certificate      d:\\server\\nginx\\conf\\drtax.pem;
        ssl_certificate_key  d:\\server\\nginx\\conf\\drtax.key;
    }

Secrets

PROD:

Tenant ID: 36da45f1-dd2c-4d1f-af13-5abe46b99921

App Client ID: 7e2e7699-da28-4ca8-a7a2-b37c643abe2f

Secret: aURsdXNbbT5hJWcyJC1DeCNHXlZVKnxYMjNKLTFASiQ3SQ==


NON-PROD:

Tenant ID: 36da45f1-dd2c-4d1f-af13-5abe46b99921

App Client ID: e5224147-f202-48c1-840d-2a454319879e

Secret: ciQ5I0ROR1pwO2stVkJOVURSZERmSXhqZ0JseE4yK0p4UA==

Identifier URI https://develop.digiiit.deloitte.com.cn/identifer

Sign-On URL https://develop.digiiit.deloitte.com.cn/login

Reply URL https://develop.digiiit.deloitte.com.cn/reply

Logout URL https://develop.digiiit.deloitte.com.cn/logout


Identifier URI https://dtt.digiiit.deloitte.com.cn/identifier

Sign-On URL https://dtt.digiiit.deloitte.com.cn/login

Reply URL https://dtt.digiiit.deloitte.com.cn/

Logout URL https://dtt.digiiit.deloitte.com.cn/logout




[‎02/‎01/‎2019 17:58]  Chai, Yi Zhou (CN - Shanghai):  
Hi Krishna
 
[‎02/‎01/‎2019 17:58]  Kishore, Krishna (US - Hyderabad):  
hello
 
[‎02/‎01/‎2019 17:58]  Chai, Yi Zhou (CN - Shanghai):  
May I call you 30 mins later?
 
[‎02/‎01/‎2019 17:59]  Kishore, Krishna (US - Hyderabad):  
sure
 
[‎02/‎01/‎2019 17:59]  Chai, Yi Zhou (CN - Shanghai):  
I have some questions on this..
 
[‎02/‎01/‎2019 17:59]  Kishore, Krishna (US - Hyderabad):  
okay sure
please ping me once you are free
 
[‎02/‎01/‎2019 18:00]  Chai, Yi Zhou (CN - Shanghai):  
sure
 
[‎02/‎01/‎2019 19:52]  Chai, Yi Zhou (CN - Shanghai):  
Hi Krishna
Sorry for the late end of meeting...
 
[‎02/‎01/‎2019 19:56]  Kishore, Krishna (US - Hyderabad):  
hello
np
we can talk now
 
Connected to Kishore, Krishna (US - Hyderabad) (krikishore@deloitte.com).  
[‎02/‎01/‎2019 20:13]  Kishore, Krishna (US - Hyderabad):  
Azure Tenant ID - 36da45f1-dd2c-4d1f-af13-5abe46b99921
 
[‎02/‎01/‎2019 20:16]  Chai, Yi Zhou (CN - Shanghai):  
digiiit
 
[‎02/‎01/‎2019 20:18]  Kishore, Krishna (US - Hyderabad):  
CN digiiit NONPROD
 
[‎02/‎01/‎2019 20:19]  Kishore, Krishna (US - Hyderabad):  
SAML based application
 
[‎02/‎01/‎2019 20:19]  Chai, Yi Zhou (CN - Shanghai):  
WsFed
 
[‎02/‎01/‎2019 20:22]  Kishore, Krishna (US - Hyderabad):  
Gallery app
 
[‎02/‎01/‎2019 20:25]  Kishore, Krishna (US - Hyderabad):  
11 IST
6PM
1:30 PM
 
Call with Kishore, Krishna (US - Hyderabad) (krikishore@deloitte.com) has ended. 28 minutes  
[‎02/‎01/‎2019 20:31]  Chai, Yi Zhou (CN - Shanghai):  
Confirmed, it's wsfed
 
[‎02/‎01/‎2019 20:31]  Kishore, Krishna (US - Hyderabad):  
oh ok
 
[‎02/‎01/‎2019 20:32]  Chai, Yi Zhou (CN - Shanghai):  
:'(
 
[‎02/‎01/‎2019 20:32]  Kishore, Krishna (US - Hyderabad):  
then I will not configure SAML settings
think that should work
you can provide your client with the same info
 
[‎02/‎01/‎2019 20:33]  Chai, Yi Zhou (CN - Shanghai):  
you mean the same info of APP CLIENT ID and SECRET?
 
[‎02/‎01/‎2019 20:33]  Kishore, Krishna (US - Hyderabad):  
yes
 
[‎02/‎01/‎2019 20:33]  Chai, Yi Zhou (CN - Shanghai):  
thanks!
Let's try.
 
[‎02/‎01/‎2019 20:34]  Kishore, Krishna (US - Hyderabad):  
sure, if it does not work then we can delete and recreate it
 
[‎02/‎01/‎2019 20:34]  Chai, Yi Zhou (CN - Shanghai):  
yes
 
[‎02/‎01/‎2019 20:34]  Kishore, Krishna (US - Hyderabad):  
The PROD one seems to be configured correctly
 
[‎02/‎01/‎2019 20:34]  Chai, Yi Zhou (CN - Shanghai):  
And we may try the NON-PROD firstly
 
[‎02/‎01/‎2019 20:34]  Kishore, Krishna (US - Hyderabad):  
yes
 
[‎02/‎01/‎2019 20:35]  Chai, Yi Zhou (CN - Shanghai):  
so is the NON-PROD configured?~
 
[‎02/‎01/‎2019 20:35]  Kishore, Krishna (US - Hyderabad):  
yes I am not configuring the SAML settings
so it would be the wsfed only
you can try with Non Prod one and see
but PROD already look good
 
[‎02/‎01/‎2019 20:36]  Chai, Yi Zhou (CN - Shanghai):  
ok~

Troubleshooting

Requested tenant identifier '{EmailHidden}' is not valid and not valid external domain format

https://login.windows.net/102010cncger.onmicrosoft.com/.well-known/openid-configuration Azure Tenlentid.png

AADSTS90102: 'redirect_uri' value must be a valid absolute Uri.

Timeout

The server had no access to the external network.