Multi-factor on the IDP
tim.kutz Jul 16, 2014 11:24 AM

We are currently running a SAML-based SSO infrastructure using PicketLink 2.1.6, under JBoss 7.2.0. I've been tasked with augmenting the infrastructure to provide second-factor authentication support, using Entrust to manage additional authentication credentials. I expected to be able to implement a JAAS LoginModule which would handle the second factor, but it appears that the CallbackHandler implementation only provides the username and password credentials. Digging further, it appears that I could get around this by implementing a custom Realm implementation, but there does not appear to be a way to replace the Realm used for a security domain. In Tomcat, the Realm class can be configured within the server.xml, but this option does not appear to be exposed under JBoss 7.
If I am understanding correctly, in order to collect an additional security credential from the user, I need to implement an Authenticator which will forward them to the correct page. The Authenticator then delegates to the Realm by means of the realm.authenticate() method, but the signature on this is (username, credential). Although I can feasibly override this, I can't get the new Realm implementation into use.
Ultimately, what I need is to be able to provide arbitrary credentials from the Authenticator class to the LoginModule. The Realm stands between the two and manages the CallbackHandler that is in use, which would provide the final step in the bridge. It seems the most general-purpose approach would be to provide the catalina Request object directly to the CallbackHandler, and then be able to look up any arbitrary property set in the request (or session). Without the ability to replace the Realm, though, it doesn't seem possible to provide any object to the CallbackHandler.
Am I going about this the wrong way, or did I miss some location where the Realm class can be specified?
Tim Kutz
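An added example, not code from the post, from PicketLink or from JBoss: it shows the JAAS-side plumbing the post is reaching for, namely a custom Callback that carries the second factor, a CallbackHandler that can answer it from request/session-style attributes, and a LoginModule that refuses to authenticate unless both the password and the second factor verify. OtpCallback, AttributeMapCallbackHandler, TwoFactorLoginModule and the user table are hypothetical names and constructed test data; the OTP check is a static table standing in for a call to Entrust. It runs stand-alone against an in-code JAAS Configuration and does not address the part the post says is missing, wiring a custom Realm or CallbackHandler into a JBoss 7 security domain.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical Callback (not a JAAS or PicketLink type) carrying a second-factor value.
class OtpCallback implements Callback {
    private char[] otp;
    public char[] getOtp() { return otp; }
    public void setOtp(char[] otp) { this.otp = otp; }
}

// Hypothetical CallbackHandler answering callbacks from an attribute map, the role a
// request/session-backed handler would play inside the container.
class AttributeMapCallbackHandler implements CallbackHandler {
    private final Map<String, String> attrs;
    AttributeMapCallbackHandler(Map<String, String> attrs) { this.attrs = attrs; }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(attrs.get("username"));
            } else if (cb instanceof PasswordCallback) {
                String pw = attrs.get("password");
                ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
            } else if (cb instanceof OtpCallback) {
                String otp = attrs.get("otp");
                ((OtpCallback) cb).setOtp(otp == null ? null : otp.toCharArray());
            } else {
                throw new UnsupportedCallbackException(cb, cb.getClass().getName());
            }
        }
    }
}

// Hypothetical LoginModule requiring both a password and a second factor.
public class TwoFactorLoginModule implements LoginModule {
    // Constructed test data: user -> {password, expected OTP}. A real module would
    // verify the OTP with the Entrust service instead of a static table.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("alice", new String[] {"s3cret", "123456"}); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        OtpCallback oc = new OtpCallback();
        try {
            handler.handle(new Callback[] {nc, pc, oc});
        } catch (UnsupportedCallbackException e) {
            // A handler that only knows name/password lands here: the gap the post describes.
            throw new LoginException("handler cannot supply second factor: " + e.getMessage());
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        }
        String[] expected = USERS.get(nc.getName());
        boolean ok = expected != null && pc.getPassword() != null && oc.getOtp() != null
                && eq(expected[0], pc.getPassword()) && eq(expected[1], oc.getOtp());
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("password or second factor rejected");
        user = nc.getName();
        return succeeded = true;
    }

    // Constant-time comparison so a wrong OTP and a wrong password fail at the same speed.
    private static boolean eq(String expected, char[] actual) {
        return MessageDigest.isEqual(expected.getBytes(), new String(actual).getBytes());
    }

    @Override public boolean commit() {
        if (succeeded) subject.getPrincipals().add((Principal) () -> user);
        return succeeded;
    }
    @Override public boolean abort() { succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Stand-alone run: the same module succeeds with an OTP present and fails without one.
    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TwoFactorLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, String>()) };
            }
        };
        Map<String, String> withOtp = new HashMap<>();
        withOtp.put("username", "alice"); withOtp.put("password", "s3cret"); withOtp.put("otp", "123456");
        LoginContext lc = new LoginContext("two-factor", new Subject(),
                new AttributeMapCallbackHandler(withOtp), cfg);
        lc.login();
        System.out.println("with OTP: principal " + lc.getSubject().getPrincipals().iterator().next().getName());

        Map<String, String> noOtp = new HashMap<>(withOtp);
        noOtp.remove("otp");
        try {
            new LoginContext("two-factor", new Subject(), new AttributeMapCallbackHandler(noOtp), cfg).login();
        } catch (LoginException e) {
            System.out.println("without OTP: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac TwoFactorLoginModule.java && java TwoFactorLoginModule`. The design point is that the LoginModule never sees a request object; it asks for exactly the credentials it needs through typed Callbacks, and whatever handler the container installs either answers them or throws UnsupportedCallbackException, which the module turns into a hard failure rather than silently authenticating on the password alone. In a container the handler would be backed by the request or session attributes the Authenticator populated, which is the bridge the post is asking how to install.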