How to Setup 2FA with Google Authenticator in OpenAM

Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/How-to-Setup-2FA-with-Google-Authenticator-in-OpenAM

• Introduction
• OpenAM Setup
  • Setup Authentication Module
  • Setup Authentication Chain
  • Setup User Accounts
• Test Solution

Introduction

Google Authenticator is one of the most commonly used applications for two-factor authentication (2FA). It runs both on Android and iOS devices. In the following article, we will describe how to set up 2FA in OpenAM with Google Authenticator.

OpenAM Setup

Setup Authentication Module

For example, we have realm staff where we want to set up 2FA with Google Authenticator. Login into admin console as amadmin user, go to realm staff, and create new OATH module google-authenticator with the following settings:

There are some important settings:

• One Time Password Length: Should be 6 as in Google Authenticator by default
• Secret Key Attribute Name: User attribute in where a secret key is stored.
• OATH Algorithm to Use: For Google Authenticator should be TOTP

• Last Login Time Attribute: User attribute, where users last login time in UNIX format is stored.

• Maximum Allowed Clock Drift: Should be greater than TOTP time steps, so in the following example it is 3.

Setup Authentication Chain

By default, there is ldapService authentication chain, which uses only DataStore authentication module. Add google-authenticator module in the chain.

Setup User Accounts

The next part would be a little bit tricky. To authenticate in Google Authenticator we need to set up user accounts first. Then generate for each user account shared secret. As an example, we will take test account and for this account shared secret will be s3cr3tw0rd.

Encode into Base16. You can or use online service https://simplycalc.com/base16-encode.php either use the following Java function:

private String toBase16(String str) {
  return String.format("%x", new BigInteger(1, str.getBytes(Charset.defaultCharset())));
}

Base16 encoded value is 73336372337477307264.

Open User account properties in Apache Directory Studio (or any other LDAP client application) and add sunIdentityServerPPEncryptKey value 73336372337477307264 as shown on the picture below.

Then generate a QR code to register the user in the Google Authenticator application. QR for Google Authenticator is URI in the following format otpauth://totp/<account id>@<issuer>?secret=<base32 encoded secret>&issuer=<Issuer Name>

Encode secret as Base32. You can use or online service https://simplycalc.com/base32-encode.php, ether following Java function:

import org.apache.commons.codec.binary.Base32;

private String toBase32(String str) {
	return new Base32().encodeAsString(str.getBytes());
}

Base32 encoded value is OMZWG4RTOR3TA4TE

The final URI will be: otpauth://totp/test@openam.openidentityplatform.org?secret=OMZWG4RTOR3TA4TE&issuer=Open+Identity+Platform

Let’s use the online service https://www.the-qrcode-generator.com to generate a QR code image:

Scan QR in Google Authenticator application. A new account will be added.

Test Solution

Let’s sign in into realm staff с with test account: You will be prompted for OTP from Google Authenticator.

Enter the code from Google Authenticator, and you will be successfully authenticated.