How to use MFA within WebFOCUS


    Pablo Alvarez

    We’ve recently seen an increase in cyberattacks on enterprises around the world. And, as everybody knows, the weakest point in our companies is… us. Humans are the weakest entry point, and the one most attackers will use to reach our company assets.

    Because of that, several of our customers have recently asked how they can enable MFA (Multi-Factor Authentication) on their WebFOCUS installations.

    Adding this extra layer of security requires our users to interact with a second factor, usually a device they carry, so a weak password, or one written on a post-it stuck to the monitor, is no longer enough on its own. Even if an attacker obtains our password and account name, they will still need that second factor, which normally means physical access to our device.

     

    OAuth MFA

    For this sample I’ll be using Google as the OpenID Connect (OAuth 2.0) provider. You can start configuring it by following the instructions at https://developers.google.com/identity/openid-connect/openid-connect, but any OpenID Connect identity provider (IdP) will work the same way.

    I’ve used the FQDN of my computer in the information there:

     

    [Screenshot: OAuth client configuration in the Google console, using the machine’s FQDN]

    The Authorized redirect URIs must exactly match the URL you use to access WebFOCUS from your browser, and you also need to add the JSP that validates the token returned by your identity provider:

                https://fqdn:port/ibi_apps/service/wf_openidconnect_security_check.jsp

    Replace fqdn with the fully qualified domain name of your server and port with the port of the application server where WebFOCUS is deployed. Google compares the redirect URI character for character, so scheme, host, port and path all have to match what WebFOCUS sends; a mismatch (for example http instead of https, or a missing port) fails the login with a redirect_uri_mismatch error before any token is issued.

    This is the important part; apart from it there is not much to configure on the WebFOCUS side.

    In my case, my OAuth consent screen has no additional scopes configured apart from the email one, so I’m not limiting the scopes that I receive from Google:

     

    [Screenshot: OAuth consent screen scopes in the Google console]

     

    My WebFOCUS Security configuration just has the default content for Google (you can change those URLs to the ones of your IdP), and you’ll need to add the Client ID and Client Secret there. I also changed the Attribute Name for User ID to match Google’s scope, and left the Optional one as ‘email’ as well:

     

    [Screenshot: WebFOCUS Security configuration for OpenID Connect with the Google defaults, Client ID/Secret and the email attribute]

     

    Saving the changes and restarting the application server is the last step. Once it is back up, you should be able to sign in to WebFOCUS with SSO against the OAuth provider.
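    The checks a relying party performs around that redirect, as an added example (this is not WebFOCUS product code, and it does not claim to be what wf_openidconnect_security_check.jsp does internally): the exact redirect URI match the provider enforces, the state and nonce that tie the callback and the ID token to one browser session, and the claim validation that has to pass before the email claim is used as the user ID. The client ID, host name and port are constructed placeholders; a real relying party also verifies the ID token’s RS256 signature against the provider’s JWKS before these claim checks, which is left out here.

```python
"""Added example, not WebFOCUS product code: relying-party checks around the
OpenID Connect redirect (exact redirect_uri match, state/nonce, claim
validation before the email claim is used as the user ID). Client ID, host
and port are constructed placeholders."""
from typing import Optional
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders standing in for the values from the Google console / WebFOCUS config.
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
WEBFOCUS_CALLBACK = ("https://wf.example.com:8443/ibi_apps/service/"
                     "wf_openidconnect_security_check.jsp")
REGISTERED_REDIRECT_URIS = {WEBFOCUS_CALLBACK}
# Google issues ID tokens under either of these issuer strings.
ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def redirect_uri_is_registered(uri: str) -> bool:
    """Google compares redirect_uri byte-for-byte with the console entry:
    scheme, host, port and path all have to match; there is no prefix match."""
    return uri in REGISTERED_REDIRECT_URIS


def build_authorization_url(redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization-code request for the openid+email scopes. `state` ties the
    callback to this browser session; `nonce` ties the ID token to it."""
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError("redirect_uri is not registered with the provider")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the IdP's redirect back to the JSP,
    but only if the echoed state matches the one this session generated."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: CSRF or replayed callback")
    if "code" not in qs:
        raise ValueError(qs.get("error", ["provider returned no code"])[0])
    return qs["code"][0]


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             user_id_attribute: str = "email",
                             now: Optional[float] = None) -> str:
    """Check the decoded ID-token claims and return the attribute WebFOCUS is
    configured to use as the user ID ('email' on this page). Signature
    verification against the provider's JWKS must precede these checks in a
    real relying party and is not implemented here."""
    now = time.time() if now is None else now
    if claims.get("iss") not in ISSUERS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token was not issued for this client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token from another session")
    # Mapping the user by email is only safe once the provider vouches for it.
    if user_id_attribute == "email" and not claims.get("email_verified"):
        raise ValueError("email not verified by the provider")
    return claims[user_id_attribute]


if __name__ == "__main__":
    state, nonce = "st-4f2a", "n-91c0"  # normally secrets.token_urlsafe()
    print(build_authorization_url(WEBFOCUS_CALLBACK, state, nonce))
    code = parse_callback(f"{WEBFOCUS_CALLBACK}?code=4%2Fabc&state={state}", state)
    # Constructed claims, shaped like a decoded Google ID token.
    sample_claims = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
                     "exp": 2_000_000_000, "nonce": nonce,
                     "email": "user@example.com", "email_verified": True}
    print(code, validate_id_token_claims(sample_claims, nonce, now=1_700_000_000))
```

    The email_verified check matters because WebFOCUS is mapping the signed-in user by the email attribute: without it, an account at a provider that does not verify addresses could be mapped onto an existing WebFOCUS user with the same email.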

     

    [Screenshot: WebFOCUS SSO sign-in against the OAuth provider]

     

     

    Once done, you should be able to connect to WebFOCUS using your Google account. If you have already configured a second factor there, you are done; if not, open your Google account to manage your profile and enable it (https://myaccount.google.com/u/1/security):

     

    [Screenshot: Google account security settings where the second factor is enabled]


     

    Here you can see it in action:

    [Screen recording: OAuth sign-in to WebFOCUS with the Google second factor]

    SAML MFA

    Another method for MFA is SAML instead of OAuth.

    In this case, I’ve been asked for MFA twice, because the account I use to log in to SAML is my Google one, so I’m prompted first to access my Google account and then again in SAML.

    Your IdP should have an option under its security configuration to enable MFA. With both SAML and OpenID Connect the second factor is enforced by the IdP during its own login: WebFOCUS never sees the factor, only the signed assertion or token that results, so the MFA policy (which factors, for which users) lives entirely in the IdP. I’m using Okta, and there I’ve enabled Okta Verify (an application for your mobile devices) and also Google Authenticator:

     

    [Screenshot: Okta security settings with Okta Verify and Google Authenticator enabled]


     

    [Screenshot: Okta MFA enrollment prompt]

     

    Here’s a short screen recording of how it works:

    [Screen recording: SAML sign-in to WebFOCUS with the Okta second factor]

    Happy & Secure connections!

    Pablo Alvarez

     


