BOSH-UAA External 2FA


Suren R
 

Now, when a user is redirected to the UAA page to get a one-time passcode, he has to enter the same credentials he entered in the first step. Is there a way to change this? Maybe by integrating a third-party authentication provider such as Google Auth, RSA Secure Token etc.?


Dmitriy Kalinin
 

The CLI just shows whatever UAA returns for prompts, and UAA shouldn't return credential prompts when it's configured to delegate collection of creds. I thought UAA fixed this issue some time ago. Which version of uaa-release are you using?

On Fri, Oct 14, 2016 at 3:04 AM, Suren R <suren.devices(a)gmail.com> wrote:



Suren R
 

I am using uaa-release 17.
And this is how it looks in the console:

Email: suren
Password: *****
One Time Code (Get one at https://uaa.run.covisintrnd.com/passcode): ******

On Fri, Oct 14, 2016 at 7:46 PM, Dmitriy Kalinin <dkalinin(a)pivotal.io> wrote:



Dmitriy Kalinin
 

Is this for BOSH or for CF? Which CLI are you using?

Sent from my iPhone

On Oct 14, 2016, at 4:48 PM, Suren R <suren.devices(a)gmail.com> wrote:



Koper, Dies <diesk@...>
 

It seems your UAA is (mis?)configured to ask the client (bosh or cf CLI) to prompt the user for username, password and passcode.
See the “prompts” field:

D:\>curl https://login.run.covisintrnd.com/login -H "Accept: application/json"
{
  "timestamp": "2015-05-09T02:51:29+0000",
  "app": {"version": "2.3.0"},
  "idpDefinitions": [],
  "fieldUsernameShow": true,
  "zone_name": "uaa",
  "commit_id": "a32678a",
  "prompts": {
    "username": ["text", "Email"],
    "password": ["password", "Password"],
    "passcode": ["password", "One Time Code (Get one at https://uaa.run.covisintrnd.com/passcode)"]
  },
  "links": {
    "register": "https://console.run.covisintrnd.com/register",
    "passwd": "https://console.run.covisintrnd.com/password_resets/new",
    "login": "https://login.run.covisintrnd.com",
    "uaa": "https://uaa.run.covisintrnd.com"
  },
  "entityID": "login.run.covisintrnd.com"
}

Regards,
Dies Koper
Cloud Foundry Product Manager - CLI


From: Suren R [mailto:suren.devices(a)gmail.com]
Sent: Saturday, October 15, 2016 7:48 AM
To: Discussions about the Cloud Foundry BOSH project.
Subject: [cf-bosh] Re: Re: BOSH-UAA External 2FA

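As an added example (not code from this thread or from the UAA project), here is a small Python check that parses the /login JSON Dies shows and flags the configuration he describes: UAA telling the CLI to prompt for username and password as well as a passcode. The embedded sample is constructed from the "prompts" values in the reply above; fetch_login_info assumes the same Accept header the curl used and is not exercised here.

```python
import json
import urllib.request

# Constructed sample: the "prompts" values from the /login reply quoted
# in the thread, trimmed to the fields this check reads.
SAMPLE_LOGIN_INFO = json.loads(
    '{"app":{"version":"2.3.0"},"prompts":{'
    '"username":["text","Email"],'
    '"password":["password","Password"],'
    '"passcode":["password","One Time Code (Get one at '
    'https://uaa.run.covisintrnd.com/passcode)"]}}'
)

# Prompts that mean UAA is asking the CLI to collect UAA credentials itself.
CREDENTIAL_PROMPTS = {"username", "password"}


def fetch_login_info(login_url, timeout=10):
    """GET <login_url>/login with the Accept header the curl above used.
    Not exercised here; point it at your own UAA login endpoint."""
    req = urllib.request.Request(
        login_url.rstrip("/") + "/login",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify_prompts(login_info):
    """Report which prompts the CLI will be told to show and whether a
    UAA credential prompt is mixed with the one-time passcode prompt."""
    prompts = login_info.get("prompts", {})
    names = list(prompts)            # JSON object order is preserved
    asks_creds = bool(CREDENTIAL_PROMPTS & set(names))
    asks_passcode = "passcode" in prompts
    return {
        "prompts": names,
        "asks_credentials": asks_creds,
        "asks_passcode": asks_passcode,
        # The symptom in the thread: username/password *and* a passcode
        # that is itself obtained by logging in to UAA with the same
        # credentials, so the second prompt adds no independent factor.
        "double_prompt": asks_creds and asks_passcode,
    }


if __name__ == "__main__":
    print(classify_prompts(SAMPLE_LOGIN_INFO))
```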


Suren R
 

This is the BOSH CLI.

On Sat, Oct 15, 2016 at 2:43 AM, Dmitriy Kalinin <dkalinin(a)pivotal.io> wrote:



Suren R
 

Hi Dies,
I am aware that I can disable the passcode prompt in UAA. I am perfectly fine with a one-time passcode being asked for. However, I want the passcode to come from a different authentication source, not UAA again, because when the user opens the web link for the passcode, he will fill in the same credentials again in the web form, which is not true two-factor authentication.

regards,
Suren.



On Sat, Oct 15, 2016 at 3:37 PM, Koper, Dies <diesk(a)fast.au.fujitsu.com> wrote:






Dmitriy Kalinin
 

Suren: Sree (UAA PM) says that later versions of UAA should have this
problem resolved. Please update your uaa-release.

On Sun, Oct 16, 2016 at 12:49 AM, Suren R <suren.devices(a)gmail.com> wrote:






Suren R
 

Oh great. Let me do a little experiment on the latest version.

Thanks for taking an interest in this, Dies.

On Wed, Oct 19, 2016 at 4:43 AM, Dmitriy Kalinin <dkalinin(a)pivotal.io> wrote:
