Overview
Citrix Consulting was involved in a project that required integrating the NetScaler platform with a third-party multi-factor authentication solution, Anakam.TFA. This blog article is intended to share the knowledge acquired in the field, and to demonstrate a real-world application of the NetScaler platform and how it can be integrated with other industry solutions.
The integration had to satisfy the following requirements:
- The end user authenticates with LDAP credentials as the 1st factor.
- The end user is sent a passcode for the 2nd factor.
- Once an end-user device has been registered, subsequent authentication attempts within a predetermined period do not require the 2nd-factor challenge. The 1st factor is always required.
When an end user has authenticated successfully, their device is registered within the Anakam.TFA server. The duration of the device registration is configurable in the Anakam.TFA management interface. The Anakam.TFA software allows the 2nd-factor challenge to be waived when the end-user device is registered in the system and is still within the device registration duration. This blog does not focus on how to configure the appropriate settings in the Anakam.TFA software; instead it focuses on how to use the NetScaler to drive the Anakam.TFA server via HTTP callouts to the Anakam.TFA REST APIs and JavaScript.
Communicating via REST APIs
This solution relies on REST APIs for communication with the Anakam.TFA server. It is therefore important to first understand how to use the APIs to interact with the Anakam.TFA server without the NetScaler involved. This provides a baseline for comparison when the time comes to incorporate the NetScaler. One tool that can be used is the Google Chrome Advanced REST client, available from the Google Chrome App Store. It can send the POST and PUT HTTP requests the Anakam.TFA server expects for API communication. Used properly, this tool helps you determine the correct order of API requests needed to successfully complete the various authentication processes.
API sequence
The following is the correct sequence of requests, and their expected responses, to successfully authenticate an end user whose device has not yet been registered with the Anakam.TFA server.
- Acquire the authentication key.
Request:
POST http://10.1.1.10:8080/tfa/api/5.5/default/auth?applicationKey=/&userKey=UserName
Response:
default aah022 11f16e1c-ed81-4e22-8018-e4cf70027375 / 1 /tfademo/default/success.jsp TOKEN_CREATED 2014-08-01T00:13:51.078-04:00
- Run the command that has the 2nd-factor passcode delivered via e-mail.
Request:
PUT http://10.11.252.114:8080/tfa/api/5.5/default/challenge/11f16e1c-ed81-4e22-8018-e4cf70027375
Response:
- Advance the authentication process to the next step by sending the API command "get-params". This command shifts the authentication logic to the next step; see the API documentation for more information. Unless this command is executed, the passcode will not be generated and delivered to the end user.
Request:
Response:
aXXX@citrix.com
- Submit the passcode that was sent by e-mail for the 2nd-factor authentication. In this particular implementation the device registration duration is hard-coded for each user to a period of 8 hours; these values can, however, be configured.
Request:
Response:
aXXX@citrix.com
The authentication process for an unregistered device is now complete. Below is the correct order of steps for the authentication process of end users whose devices are already registered.
- Acquire the authentication key.
Request:
POST http://10.1.1.10:8080/tfa/api/5.5/default/auth?applicationKey=/&userKey=UserName
Response:
default aah022 5986ed01-b3f5-4294-aa6b-558dba0bb3d4 / 1 /tfademo/default/success.jsp TOKEN_CREATED 2014-08-01T00:13:51.078-04:00
- Send a request to the server containing the device key, which was acquired during the first successful authentication, together with the authentication key just acquired in step 1.
Request:
PUT http://10.11.252.114:8080/tfa/api/5.5/default/challenge/5986ed01-b3f5-4294-aa6b-558dba0bb3d4
Response:
The authentication process for registered devices is now complete. This sequence matters for the next phase, which puts the logic on the NetScaler: it provides a guide to both authentication scenarios, a registered device compared with a non-registered device.
NetScaler configuration
Unregistered Device Authentication
The configuration necessary to implement the solution on the NetScaler integrates responder policies, HTTP callouts and JavaScript to compartmentalize and drive the custom authentication process. At a high level, JavaScript controls which HTTP requests the client browser sends to the NetScaler; responder policies are configured to trigger on specific HTTP requests and in turn trigger responder actions. The responder actions call HTTP callouts, which are REST API requests sent to the Anakam.TFA server. The responder actions also deliver JavaScript that instructs the client browser how to formulate the next HTTP request, drilling down through the custom authentication process. The details of how this is implemented on the NetScaler follow.
- The end user lands on the NetScaler Gateway logon page. A responder policy is configured to detect the user name and then use this information in the authentication request to the Anakam.TFA server for the second-factor authentication. To do this, the first thing that needs to be done is to modify the file "index.html" and change the form action from "/cgi/login" to another unique target that triggers the relevant responder policy. This is necessary because a responder policy is not triggered when its expression is configured to match the URL "/cgi/login"; this is by design. We therefore modify this file, located in /var/netscaler/gui/vpn, to capture the user data during a logon attempt.
Responder policy:
This policy triggers because of the updated index.html file, as shown in the screenshot above.
Responder action:
The responder action is configured to invoke an HTTP callout that initiates the 2nd-factor authentication process. The Anakam.TFA server responds with an authentication key that relates to the specific user who is trying to authenticate. This authentication key is used to track the authentication process for that particular user. The HTTP callout returns the authentication key as text, and the responder action is configured to set the authentication key as a cookie so that it can be used throughout the authentication process. The cookie for the authentication key is called "authkey". The name is arbitrary and any other name acceptable to the organization may be used. Moreover, this responder action uses JavaScript to instruct the end user's client web browser to perform the following functions:
- Instantiate a function that acquires the value of a cookie based on the cookie name.
- An "if..else" statement that determines whether a device key cookie exists in the client web browser. Based on the result, the client web browser initiates an HTTP request that carries out an authentication based on the existence, or not, of a device key. This section describes the authentication process without a device key; the next section focuses on the authentication process with the device key.
"HTTP/1.1 200 OK\r\nSet-Cookie: authkey=" + SYS.HTTP_CALLOUT(ana_logon) + "; path=/\r\nSet-Cookie: user=" + HTTP.REQ.BODY(0).TYPECAST_NVLIST_T('=','&').VALUE("login") + "; path=/\r\nSet-Cookie: password=" + HTTP.REQ.BODY(0).TYPECAST_NVLIST_T('=','&').VALUE("passwd") + "; path=/\r\nConnection: close\r\n\r\n"
HTTP callout: This HTTP callout sends the first request required to initiate the authentication process, using the corresponding REST API call. Each request sent to the Anakam.TFA server requires an HTTP header called "Authorization". This header contains the credentials the Anakam.TFA server requires for use of the REST APIs; it is Base64-encoded.
- The second step in this custom authentication process is to instruct the Anakam.TFA server how to deliver the passcode to be used for the 2nd-factor authentication. Examples include SMS or e-mail; the Anakam.TFA server supports other methods as well. In this particular implementation, e-mail is used.
Responder policy: This is the second responder policy that is triggered; it, too, drives the authentication process on the Anakam.TFA server. Responder action: This responder action calls the HTTP callout that instructs the Anakam.TFA server how to deliver the passcode for the 2nd-factor authentication. The HTTP callout returns text representing the status of the response to the request it sent. This result is stored as a cookie in the client web browser, called "ParameterStatus". This name can be changed and is not important to the operation of the authentication process. This responder action also contains JavaScript code that instructs the client web browser to perform the following:
- Request the parameters for the passcode authentication from the Anakam.TFA server. This step is essential for advancing the authentication process on the Anakam.TFA server.
"HTTP/1.1 200 OK\r\nSet-Cookie: ParameterStatus=" + SYS.HTTP_CALLOUT(a2) + "; path=/\r\nConnection: close\r\n\r\n"
HTTP callout:
This HTTP callout executes the command instructing the Anakam.TFA server how to deliver the passcode.
"PUT /tfa/api/5.5/default/challenge/" + HTTP.REQ.COOKIE.VALUE("AuthKey") + " HTTP/1.1\r\nHost: 10.11.252.114:8080\r\nContent-Type: application/xml\r\nConnection: keep-alive\r\nContent-Length: 1000\r\nAuthorization: Basic YXBpLWFkbWluOkthbGVpZGEuMjAxNA==\r\n\r\n"
Within this second HTTP callout we need to switch to expression-based requests so that dynamic expressions can acquire data at runtime, for example cookie values, which are used as the parameters the Anakam.TFA server requires for the authentication process.
Essentially, the text shows how the request sent to the Anakam.TFA server is constructed on the NetScaler. The configuration within the NetScaler editor consists of either text strings or expressions that acquire data at runtime. Text strings do not need to be enclosed in quotation marks, but expressions do. Quotes inside the text must be escaped with a backslash, or an error results when the configuration is saved. Moreover, when the configuration is too long, the string can be broken with the "+" symbol to stay below the length limit; it can be placed at the end of each line, as seen at the top of the expression-based request. The expressions used here are:
- HTTP.REQ.COOKIE.VALUE("authkey")
- CLIENT.IP.SRC
- This next step is unique to the Anakam.TFA authentication process. It is necessary for the authentication process to proceed.
Responder policy:
The responder policy triggers to advance the authentication logic to the next step.
Responder action:
The responder action calls an HTTP callout that advances the authentication process. A status is returned as text and is set as a cookie called "getParams". This name is not important to the authentication process. This responder action also appends an HTML page to its response so that the end user can enter the passcode that was sent to them via e-mail.
"HTTP/1.1 200 OK\r\nSet-Cookie: getParams=" + SYS.HTTP_CALLOUT(a4) + "; path=/\r\nConnection: close\r\n\r\n"
In the HTML body tag, JavaScript is called to acquire the data entered in the dialog box and perform a form post. The JavaScript function is called "DialogueBodyI()". This function is located in a file called "nsshare.js", which can be found on the NetScaler hard disk in /var/netscaler/gui/vpn.
As in the screenshot above, the post action is changed from "/cgi/dlge" to "/vpn/anakam/passcode". This change enables the configuration of a responder policy that triggers when an HTTP request for the custom URL "/vpn/anakam/passcode" passes through the NetScaler. As with "/cgi/login", a responder policy does not trigger on requests to "/cgi/dlge"; this is by design. Therefore we change the URL in order to get control back.
HTTP callout:
"PUT /tfa/api/5.5/default/challenge/" + HTTP.REQ.COOKIE.VALUE("AuthKey") + " HTTP/1.1\r\nHost: 10.11.252.114:8080\r\nContent-Type: application/xml\r\nConnection: keep-alive\r\nContent-Length: 1000\r\nAuthorization: Basic YXBpLWFkbWluOkthbGVpZGEuMjAxNA==\r\n\r\n"
This HTTP callout is required to drive the authentication process. In this particular step, once this request/response transaction completes successfully, a passcode is generated and sent to the end user, via e-mail in this case.
- The next step in the process is for the end user to enter the passcode for the 2nd-factor authentication.
Responder policy:
This policy is triggered when an end user submits the passcode for the 2nd-factor authentication.
Responder action:
The responder action calls an HTTP callout that submits the passcode entered by the end user.
"HTTP/1.1 200 OK\r\nSet-Cookie: DeviceKey=" + SYS.HTTP_CALLOUT(a7) + "; expires=" + SYS.TIME.ADD(2500).TYPECAST_TIME_AT + "; path=/\r\nConnection: close\r\n\r\n"
The HTTP callout returns text that identifies the device key, an alphanumeric value. This value is set as a cookie in the client web browser called "DeviceKey". An expiry is also configured so that the cookie expires at the current system time plus a period some time in the future:
- SYS.TIME.ADD(200).TYPECAST_TIME_AT
The responder action also delivers JavaScript to the client web browser, instructing it to send the request that logically advances the custom authentication process.
HTTP callout:
"PUT /tfa/api/5.5/default/challenge/" + HTTP.REQ.COOKIE.VALUE("AuthKey") + " HTTP/1.1\r\nHost: 10.11.252.114:8080\r\nContent-Type: application/xml\r\nConnection: keep-alive\r\nContent-Length: 1000\r\nAuthorization: Basic YXBpLWFkbWluOkthbGVpZGEuMjAxNA==\r\n\r\n"
This HTTP callout submits the passcode entered by the end user to the Anakam.TFA server. It also registers the user's device. Once the passcode is accepted, the Anakam.TFA server responds with a device key, an alphanumeric value. Successful receipt of the device key also means that the authentication process has completed for an end user connecting from a non-registered device.
- The last step required to complete the non-registered device authentication process is similar to step 3 in that it progresses the authentication process to completion. It also completes the authentication process for NetScaler Gateway, which results in NetScaler Gateway delivering the authentication cookie "NSC_AAAC".
Responder policy:
This responder policy is the last to trigger for unregistered device authentication.
Responder action:
This responder action completes the authentication process by posting the LDAP credentials to "/cgi/login".
"HTTP/1.1 200 OK\r\nSet-Cookie: Status2=" + SYS.HTTP_CALLOUT(a4) + "; path=/\r\nConnection: close\r\n\r\n"
The responder action above completes the authentication process by posting the user's LDAP credentials to "/cgi/login". Posting the LDAP credentials to "/cgi/login" correlates with the authentication policy that is bound to the NetScaler Gateway virtual server. A successful post results in NetScaler Gateway generating the authentication cookie "NSC_AAAC".
Whether a device is registered or not depends on whether the client web browser contains the device-key cookie; the NetScaler uses this to determine which authentication process to run. Essentially, the NetScaler is configured to perform two authentication processes: non-registered device and registered device. The following section covers the authentication process for a registered device.
Registered Device Authentication
- The end user lands on the NetScaler Gateway logon page. A responder policy is configured to detect the user name and then use this information in the authentication request to the Anakam.TFA server for the second-factor authentication. This policy is the same as the policy used in the first step for a non-registered device.
Responder policy:
This policy triggers because of the index.html file change.
Responder action:
This responder action is configured to invoke an HTTP callout that initiates the 2nd-factor authentication process. The Anakam.TFA server responds with an authentication key that relates to the specific user who is trying to authenticate. This authentication key is used to track the authentication process for that particular user. The HTTP callout returns the authentication key as text, and the responder action is configured to set the authentication key as a cookie so that it can be used throughout the authentication process. The cookie for the authentication key is called "authkey". The name is arbitrary and any other name acceptable to the organization may be used. Moreover, this responder action uses JavaScript to instruct the end user's client browser to perform the following functions:
- A function that acquires the value of a cookie based on the cookie name.
- An "if..else" statement that determines whether a device key cookie exists in the client web browser. Based on the result, the client web browser initiates an HTTP request that carries out an authentication based on the existence of a device key. This section describes the authentication process using a device key.
"HTTP/1.1 200 OK\r\nSet-Cookie: authkey=" + SYS.HTTP_CALLOUT(ana_logon) + "; path=/\r\nSet-Cookie: user=" + HTTP.REQ.BODY(0).TYPECAST_NVLIST_T('=','&').VALUE("login") + "; path=/\r\nSet-Cookie: password=" + HTTP.REQ.BODY(0).TYPECAST_NVLIST_T('=','&').VALUE("passwd") + "; path=/\r\nConnection: close\r\n\r\n"
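The cookie lookup and the if..else on the DeviceKey cookie that the first responder action delivers to the browser (described above for both the unregistered and the registered flow), together with the check a practitioner would want before a cookie value is concatenated into the HTTP callout request line, as an added example in plain JavaScript that is not code from the original post, from Citrix or from Anakam. The browser-side paths /vpn/anakam/challenge and /vpn/anakam/devicekey are hypothetical placeholders; the callout path /tfa/api/5.5/default/challenge/ is the one used in the post.

```javascript
// Added example (not from the original post or the products it describes): client-side
// logic mirroring the JavaScript the first responder action delivers to the browser, plus
// the input checks an HTTP callout should apply before a cookie value is concatenated into
// the Anakam.TFA request line. /vpn/anakam/challenge and /vpn/anakam/devicekey are
// hypothetical placeholder paths on the NetScaler; the callout path is the real one.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const DEVICE_KEY_RE = /^[A-Za-z0-9]{8,128}$/; // the post says the device key is alphanumeric

// Parse a document.cookie / Cookie-header string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// The "acquire a cookie value by name" helper the responder action's JavaScript provides.
function getCookie(cookieString, name) {
  const value = parseCookies(cookieString)[name];
  return value === undefined ? null : value;
}

// Build the challenge path only from a well-formed authkey. The callout in the post
// concatenates HTTP.REQ.COOKIE.VALUE("authkey") straight into the request line; a value
// containing "/", "..", spaces or CR/LF would alter the request, so reject it here.
function challengePath(authKey) {
  if (typeof authKey !== 'string' || !UUID_RE.test(authKey)) {
    throw new Error('authkey cookie is not a UUID; refusing to build the callout request');
  }
  return '/tfa/api/5.5/default/challenge/' + authKey;
}

// The if..else from the responder action: with a DeviceKey cookie the browser drives the
// registered-device flow (device key submitted, no passcode); without one it drives the
// unregistered flow (passcode delivered by e-mail). A malformed DeviceKey counts as absent.
function nextRequest(cookieString) {
  const authKey = getCookie(cookieString, 'authkey');
  if (authKey === null) return { flow: 'error', reason: 'no authkey cookie; start at logon page' };
  const calloutPath = challengePath(authKey);
  const deviceKey = getCookie(cookieString, 'DeviceKey');
  if (deviceKey !== null && DEVICE_KEY_RE.test(deviceKey)) {
    return { flow: 'registered', browserTarget: '/vpn/anakam/devicekey', calloutPath, deviceKey };
  }
  return { flow: 'unregistered', browserTarget: '/vpn/anakam/challenge', calloutPath };
}

// Constructed sample cookie strings: the UUIDs are the authentication keys shown in the API
// sequence above; the device key is made up.
const SAMPLE_REGISTERED = 'authkey=5986ed01-b3f5-4294-aa6b-558dba0bb3d4; DeviceKey=K7d9Qz2PmX4vR8tL';
const SAMPLE_UNREGISTERED = 'authkey=11f16e1c-ed81-4e22-8018-e4cf70027375; user=UserName';
```

The same decision is what the NetScaler makes server-side when the responder policy for the device-key request tests for the DeviceKey cookie.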
HTTP callout:
Each request sent to the Anakam.TFA server requires an HTTP header called "Authorization". This header contains the credentials the Anakam.TFA server requires for use of the REST APIs.
- The next step in the process is to send the device key to the Anakam.TFA server. If it is accepted, the end user is authenticated, and no passcode for the 2nd-factor authentication is generated or requested.
Responder policy:
The responder policy is triggered when the client web browser contains the device key cookie.
Responder action:
The responder action is responsible for calling the HTTP callout that submits the device key to the Anakam.TFA server.
"HTTP/1.1 200 OK\r\nSet-Cookie: auth_status=" + SYS.HTTP_CALLOUT(DeviceKey_Authentication_Status) + "; path=/\r\nConnection: close\r\n\r\n"