We’ve recently seen an increase in cyberattacks on enterprises around the world. And as everybody knows, the weakest point in our companies is… US. Humans are the weakest entry point and the one that most hackers will use to access our company assessments.
Because of that, several of our customers have recently asked how they can enable MFA (Multi-Factor Authentication) on their WebFOCUS installations.
Adding this extra layer of security will require our users to interact with a device, so even if they don’t have a strong password, this method won’t allow them to provide or ‘write it on a post-it attached to the monitor’. That way, even if the hacker can get our password and account, they’ll need to have physical access to our device.
OAuth MFA
For this sample I’ll be using Google as the OAuth provider, you can start configuring it following the instructions on: https://developers.google.com/identity/openid-connect/openid-connect, but you can use your own OAuth IdP.
I’ve used the FQDN of my computer on the information there:
The Authorized redirect URIs must match the one that you use to access WebFOCUS from your browser, but you’ll also need to add the jsp that will validate the token that will be returned from your Identity Provider:
https://fqdn:port/ibi_apps/service/wf_openidconnect_security_check.jsp
Replace fqdn with the fully qualified domain name of your box and port for your application server port number where WebFOCUS is deployed.
This part is the important one, as there’s not too much to configure on the WebFOCUS side apart from that.
In my case, my OAuth consent screen doesn’t have any additional scopes configured apart from the email one, so I’m not limiting the scopes that I receive from Google:
My WebFOCUS Security configuration just has the default content for Google (you can change those URLs for the ones of your IdP), and you’ll need to add the ClientID and ClientSecret there. I also changed the Attribute Name for User ID to match Google’s scope, and left the Optional one as ‘email’ as well:
Saving changes and restarting the Application Server is the last thing you need to do, once restarted, you should be able to use SSO against OAuth.
Once done, you should be able to connect to WebFOCUS using your Google account, and if you have configured the 2nd MFA method there, you are already done, but if not, just access your Google account to manage your profile and enable it (https://myaccount.google.com/u/1/security):
Here you can see it in action:
Another method for MFA you can use is SAML instead of OAuth.
At this case, I’ve been requested twice for the MFA, because the account that I use to login into SAML is my Google one, so I’m being prompted first to access my google account, and secondly in SAML.
Your IdP should have an option under the security configuration to enable MFA, I’m using OKTA, and there I’ve enabled the Okta Verify (Application for your Mobile devices) and also the Google Authenticator one:
Here’s a short screen-recording of how it works:
Happy & Secure connections!
Pablo Alvarez
-
1
Recommended Comments
There are no comments to display.