Okta MFA Push Authentication on Microsoft Remote Desktop Gateway

Okta MFA Push Authentication on Microsoft Remote Desktop Gateway

 I've successfully implemented this using code from Github linked in this Tutorial.

All credits of the code go to the Code Author! This is simply a guide on how to implement this in your environment.

A few things to note before we head down this path:

1) This will only allow for PUSH authentication on the RDG Gateway. I know that RDG Gateway Web Apps portal supports SSO/SAML, however, once the user has access to the RDP file of the application, MFA no longer is required as they can just launch this from their desktop and connect without authentication. In my opinion, this is a FLAW from microsoft.

2) This is somewhat of what Azure or Duo integration for RDG Gateway does, however, as the Remote Desktop client doesn't have any inputs, it doesn't support Call-in or SMS as there is no input fields for the application to submit back data.

Let's begin! 

Github code is found here: https://github.com/bdalpe/RADIUS-to-Okta-MFA

Download the ZIP and save it to a Linux server/system. (You can do this in Docker but I haven't done it). You will need to open ports 1812-1813-1814 inbound and outbound, and 8080, 80,443 and 8443 outbound. (Or you can be lazy and disable the firewall)

Now in terminal, change to the directory of the zip file, extract it, and work in that directory.

Edit the file run.sh using gedit or vi or your favorite flavor of linux editor.

*!/bin/sh

export OKTA_TENANT=yourtenant.okta.com -> Simple, put your okta tenant

export OKTA_API_KEY=XXXXXX -> In Okta, Navigate to Security > Api > Generate Token. Put that value in here.

export RADIUS_SECRET=****** -> Put whatever complex thing you wish here, this is just used to communicate to your NPS server on the RDG Gateway server.

p=$(which python) -> Change this to p=$(which python3) because you should be using python3 in linux in 2020.

$p server.py

Save this file. This is all you have to do.

Back in the command line, run the following command.

pip3 install -r requirements.txt

You will see stuff installing, that is a good thing. If you don't, then install pip3 with yum or apt-get, whatever linux you are using.

Once this is completed installing, just run the command /bin/sh run.sh and leave the terminal open. It will be blank, and you will see nothing.

RDP to your RDG Gateway server, find "Remote Radius Server"

Right click and Create New. Call it OktaRDG or something similar. Add the Linux server's IP Address where you put the script and hit Apply.

Click the OktaRDG object that you just created and click Edit.

Navigate to the second tab and where I pointed the arrows, put in the SAME secret which you put in the run.sh configuration file in the step above.

Under Load Balancing, Change the settings so they look exactly like the ones in the screenshot. This makes it so that a user has 30 seconds to hit the Yes its Me! push on their mobile device before the server drops the attempt. 

Click Okay.

Now, to enable this policy on the Microsoft Remote Desktop Gateway, you will have to navigate to "Connection Request Policies" on the NPS server. 

Create a new one by right clicking and pressing "new".

For General, Makes sure you choose the remote desktop gateway:

(PLEASE DISABLE THE POLICY FOR NOW UNLESS ITS ON A TEST SERVER)

For conditions, put in NAS Port type as VPN which will target ALL Rdp connections. (Or customize them as you wish) 

Under settings, leave everything blank except for the following: 

Forward your requests to the Remote Radius Sever group which you created: (I have called mine as Okta-RDG) 

Under Specify a Realm Name, you must do the following:

Change the Attribute field to User-name, and then MAP each AD-user to Okta account that you need to authenticate.

For example, see transforms below:

The employee's name is John Snow. His username is jsnow.

The user normally logs into the gateway with domainname\jsnow.

In the mapping, you will put in Find:jsnow - Replace With: john.snow@domainname.com

In my example, he logs in with company\jsnow, and his Okta login is john.snow@company.com, so I have made the mapping.

This will work for any mapping! If your users log in with domainname\john.snow, you will Find:john.show - Replace With: john.snow@domainname.com

You can also map random domain accounts to any okta token. Let's say you have a vendor service account, called domainname\vendor3511. You can make a rule to target an okta account for that vendor with the email of cool.vendor@company.com

You can create a rule of Find:vendor3511 - Replace with: cool.vendor@company.com

VERY IMPORTANT: Keep this rule disabled until FULLY TESTED. Once you enable the rule and make it the top priority, ANY connections to this Remote Desktop Gateway server will be forced to use multifactor. They will be re-authenticated ANY time they try to RDP using an RDP file that has this gateway server and the policy enabled.

Please let me know if you have any questions.

AWS vs Azure vs Google - CSP comparison !!!

This blog on AWS vs Azure vs Google Cloud highlights and elaborates the major factors of comparison among AWS, Azure, and GCP. In this Azure vs AWS vs Google Cloud blog, you’ll be taken through the following factors:

1. Availability Zones
2. Market Shares and Growth Rate
3. Who Uses Them?
4. Services
5. Pricing Models
6. Key Takeaways

Availability Zones: AWS was the earliest in the cloud domain which means that they have had more time to establish and expand their network. So, AWS is hosting in multiple locations worldwide. Azure and GCP are also hosting in multiple locations worldwide, but the difference occurs in the number of their respective availability zones.

• AWS has 66 availability zones with 12 more on the way.
• Azure has 54 regions worldwide and is available in 140 countries all around the world.
• Google Cloud Platform has been made available in 20 regions around the world with 3 more on their way.

Market Share & Growth Rate: In terms of cloud market, AWS has been on the top for as long as anyone can remember. The below graph show the Market Share as per Gartner latest report. 

It clearly depicts that Amazon is the leader in Cloud Service Provider.  Even though both Microsoft Azure and GCP are lagging behind AWS, when it comes to market shares, they have shown tremendous growth rate. The following graph shows that, as of 2019, GCP has shown a growth rate of 83 percent while Microsoft Azure is at the second place with 75 percent of growth rate and AWS, at the third place, with 41 percent of growth rate.

Who Uses Them? Since AWS is the oldest player in the cloud market, it has bigger community support and user base. Therefore, AWS has more high-profile and well-known customers like Netflix, Airbnb, Unilever, BMW, Samsung, MI, Zynga, etc.

Azure is also gaining its share of high-profile customers with time. As of now, Azure has almost 80 percent of Fortune 500 companies as its customers. Some of its major customers are Johnson Controls, Polycom, Fujifilm, HP, Honeywell, Apple, etc.

Google, on the other hand, shares the same infrastructure as that of Google Search and YouTube and, as a result, many high-end companies have put their faith in Google Cloud. Major clients of Google Cloud are HSBC, PayPal, 20th Century Fox, Bloomberg, Dominos, and more.

Services/Features: AWS offers around 200+ services, whereas Azure offers up to 100+ services. Google Cloud, on the other hand, is catching up with Azure and AWS offering around 60+ services.

We have categorized the following main services offered by each Cloud Service Provider. 

1. Compute
2. storage
3. databases
4. networking
5. Hybrid Option

The amazon cloud platform offers almost every feature under the cloud computing industry. Their cloud services allow you to gain easy access to computing power, data storage or other functionality necessary for app developers. 

Compute Services

Services	AWS Cloud	Azure Cloud	GCP
IaaS	Amazon Elastic Compute Cloud	Virtual Machines	Google Compute Engine
PaaS	AWS Elastic Beanstalk	App Service and Cloud Services	Google App Engine
Containers	Amazon Elastic Compute Cloud Container Service	Azure Kubernetes Service (AKS)	Google Kubernetes Engine
Serverless Functions	AWS Lambda	Azure Functions	Google Cloud Functions

Database Services:

Services	AWS Cloud	Azure Cloud	GCP
RDBMS	Amazon Relational Database Service	SQL Database	Google Cloud SQL
NoSQL: Key–Value	Amazon DynamoDB	Table Storage	Google Cloud Datastore  Google Cloud Bigtable
NoSQL: Indexed	Amazon SimpleDB	Azure Cosmos DB	Google Cloud Datastore

Storage Services:

Services	AWS Cloud	Azure Cloud	GCP
Object Storage	Amazon Simple Storage Service	Disk Storage	Google Cloud Storage
Block Storage	Amazon Elastic Block Store	Blob Storage	Google Compute Engine Persistent Disks
Cold Storage	Amazon Glacier	Azure Archive Blob Storage	Google Cloud Storage Nearline
File Storage	Amazon Elastic File System	Azure File Storage	ZFS/Avere

Networking Services:

Services	AWS	Azure	GCP
Virtual Network	Amazon Virtual Private Cloud (VPC)	Virtual Networks (VNets)	Virtual Private Cloud
Elastic Load Balancer	Elastic Load Balancer	Load Balancer	Google Cloud Load Balancing
Peering	Direct Connect	ExpressRoute	Google Cloud Interconnect
DNS	Amazon Route 53

Pricing Model:  All the 3 mentioned Cloud service providers offer different pricing model & it is always updated by each of them. The point to note here is that AWS recently started offering pay-per-minute billing. Azure already offers pay-per-minute billing, while Google Cloud offers pay-per-second billing models which let users save way more than using AWS or Azure. Google also offers various discounts to help customers save up to 50 percent in some cases when compared to AWS. According to Gartner, Google offers deep discounts and exceptionally flexible contracts to try to win projects from customers.

Key Takeaways!

Availability zones: With a greater number of regions and availability zones, the winner here is AWS.

Market shares: With around one-third of market shares in its name, the winner here is AWS.

Growth rate: Having a growth rate of almost 100 percent, the winner is GCP.

Who uses them?:With various high-end customers using all the three cloud platforms, it’s a tie among each of these. 

Services:

1. When it comes to the number of services, the winner is AWS.
2. Regarding the integration with open-source and on-premise systems, such as MS tools, that are mostly used in almost all organizations, the winner is Azure.

Pricing Models: As per Gartner, With more customer-friendly pricing models and discount models, the winner here is Google Cloud.

So, all things considered, it would be better to say that it’s not about choosing the best cloud providers, rather it’s about choosing the best-suited cloud provider as per your needs.

Thanks a lot !!!

ForgeRock OpenAM - Authentication Trees !!!

What could I build with Authentication Trees?

Short answer — a lot!

In the First Article, I have covered some cool things you can do with the Out-Of-The-Box nodes, we will also see how to create custom nodes or access a wealth of custom nodes created by the community.

A simplest way to Implement your own business Logic in a node is by using Scripts in ForgeRock. You can easily write a custom script either in JavaScript or GoovyScript to perform some evaluation & determine the outcome. 

First we will create a Script, to do this navigate to the realm which you have created or to the Top Level realm. 
for e.g.
http://demo.test.com:8080/am/XUI/?realm=/#realms/%2Ftestrealm/scripts

Then Click on the Scripts on the Left Hand Navigation Pane. 

Click on the New Script Button & Enter the name of the Script as shown below. 

Now you need to enter your code & business Logic. you can choose either the JavaScript or GroovyScript. In this example, I have chosen the JavaScript. 

Click on the Validate Button to validate your code & then Save Changes. 

Note the name of the Script & we will use it in our AM Trees. 

Navigate back to the tree we created earlier, and drag a Scripted Decision Node onto the canvas and connect it up. Then select the script and ensure that the outcomes we define in the script (true and false), are entered in the Outcomes field. 

You can now try authenticating again using trees.  
This is very simple example of using Scripts in Node.  common uses of these are calling out to third party services, taking the result and evaluating it to determine an outcome. You can use this as a starting point to develop something more sophisticated.

There are lot of custom examples available on ForgeRock Market Place.

https://backstage.forgerock.com/marketplace/catalogDisplay



Thanks a lot !!!

Multi Factor Authentication - why is it essential for Every Organization !!!

The threat to the organizations is increasing because Organizations are forced to enforce Work from Options to the Employees. multi-factor authentication (MFA) has rapidly gained adoption as a method for increasing the assurance of authentication/authorization for customers.

Authentication is generally accomplished by validating one of three types of factors as mentioned below.

1. something you have (e.g. an user-ID card)
2. something you know (e.g. a username/Password)
3. something you are (e.g. a Fingerprint/Biometric Identification)

Multi-factor authentication employs the combination of two or more types of above mentioned factors.

There are multiple ways to increase the security of your MFA feature. some of the useful Tips have been given below.

1. Understand and manage the vulnerability of your account recovery flow.
2. Protect your login flow from brute force attacks.
3. Design to manage trade-offs between risk, usability, and cost.

We will discuss the all three in detail.

Understanding & Manage the Account recovery flow:

Always separate the recovery of the second factor from the recovery of the primary factor. Should an attacker gain access to primary authentication factor, the second factor becomes immaterial if it can be reset with possession of just the password. Further, the recovery flow for the second factor should be completely separate from the recovery flow for the password.

For example, If an email message is the method for recovering the password, make sure to recover the second factor through an altogether separate channel.

Involve an administrator wherever required. An administrator can in many scenarios implement a sophisticated high assurance authentication method.

In enterprise scenarios, companies will be in the best position to authenticate members of their own organization through shared secrets derived from the content of the employee’s work or profile, the company, and human relationships. One notable approach is to ask an employee’s manager to authenticate the user and then authorize staff to execute the MFA reset.

Protect your login flow from brute force attacks:

As the availability of inexpensive computing resources increases so does the vulnerability of authentication systems to brute force guessing attacks. However several simple techniques can be used to significantly improve the security of your multi-factor authentication in the circumstance where the password has been compromised.

• Login flow sequence
• Rate limits
• Account Locking

For e.g. Placing the challenge for the second factor on a page beneath the login page has two benefits.

• It protects your user from an attack aimed at locking them out of their account once a failed login attempts limit is reached (with rate limits applied to the primary factor).

• Obscuring the second factor provides an attacker with less visibility into another layer of security. Always Implement a rate limit and lock policy on the second factor. The probability that a user enters their token incorrectly multiple times is low. As such, your suspicion of attack should grow with each failed attempt. Response times should grow with each subsequent attempt to decrease the aggregate number of attempts possible per unit time, with a complete account lockout (where feasible) upon several consecutive failed attempts. For time-based second factors, manage rate limits according to the life of the token.

Logs and alerts

Collect and analyse all unsuccessful second factor attempts. In the event of several failed second-factor challenges, alert the user or an administrator of this suspicious behaviour, and prompt the user to enrol for a new token.

Always Use an out-of-band token. A second factor that is verified through a channel separate from the primary factor adds extra protection against brute force attacks (and phishing).

For example, a popular new factor sends the user a push notification on a mobile phone with details about the authentication request and a prompt to accept or deny the request. This channel is inaccessible to a traditional brute force guessing approach.

Design to manage risk, usability and cost:

The design of a multi-factor authentication feature will have significant implications on security, usability, and cost in any context. A higher assurance second factor can in some cases present the burden of increased hassle for end-users and administrators which can impact the adoption of MFA for your product and thereby decrease security. There are some best practices for balancing risk, usability and cost. Offer a spectrum of options to serve diverse user populations. Different user populations present different levels of risk and hence, warrant different levels of assurance. For example, an administrator can have a larger scope of access than an individual user. As such, you may wish to provide relatively stronger second factors for administrators, while offering more convenient options for users. In consumer scenarios different users will have different preferences and a lower assurance more convenient option that is actually used may provide more security than a high assurance option that lacks adoption.

Support federated authentication: In enterprise scenarios many companies are implementing authentication and MFA locally for identities they manage, and federating to resources. This approach allows product development teams to outsource administration of policy and security processes to customers. Multi-factor authentication is only as secure as its account recovery flows. In many highly publicized recent cases, attackers have been able exploit vulnerabilities in the account recovery process to gain control of an account. For example, A web application provides for MFA based on a soft token app installed on a user’s phone and allows the user to enrol a phone number for the purposes of receiving a backup second factor for account recovery in the event that the user is unable to access their soft token. The strength of second factor now depends on the strength of the telecom provider’s processes for authenticating the customer and forwarding calls or SMS. Will the attacker be able to impersonate the user and convince or pressure a customer service rep to route calls or SMS to a number she controls? Every second factor will need a method for replacement, and so this begs the question of how to develop secure recovery flows as mentioned above.

Thanks a lot !!! :-)

Cheers !!!

Authentication Trees - ForgeRock !!

Authentication trees were introduced in ForgeRock openAM version 6.x or later. Authentication trees are made up of authentication nodes, which define actions taken during authentication, similar to authentication modules within chains. 
Authentication trees (also referred to as Intelligent Authentication) provide fine-grained authentication by allowing multiple paths and decision points throughout the authentication flow.

Email Based HOTP Authention Tree: Below example shows the Email based 2 factor authentication tree using gmail. 

Collector Nodes: Collector nodes capture data from a user during the authentication process. This data is often captured by a callback that is rendered in the UI as a text field, drop-down list, or other form component.
Examples of collector nodes includes the Username Collector Node and Password Collector Node as shown in above picture.

Decision Nodes: Decision nodes retrieve the state produced by one or more nodes, perform some processing on it, optionally store some derived information in the shared state, and provide one or more outcomes depending on the result.

The simplest decision node returns a boolean outcome - true, or false.

Example of the Decision nodes includes the Data Store Node as shown in above picture. 

HOTP Generator Node:  This node is used to generate the OTP over the email with a validity period. 

OTP Email Sender Node: This node is used to send the OTP via Email. I have used the Gmail as the mail sender.

To send emails using Gmail server enter these details:

SMTP Host: smtp.gmail.com
SMTP Port: 587
SSL Protocol: OFF
TLS Protocol: ON
SMTP Username: (your Gmail username)
SMTP Password: (your Gmail password)

Also make sure your "From email address" in HESK settings is set to your Gmail email address!

Note: Make sure that the SMTP port 587 is opened from the host computer. 

OTP Collector Decision Node: This node is used to collect the decision of OTP. As described above, The collector node output is either True or False. we have pointed True as Success & False as Failure. 


Once you Save the above Authentication Tree (mytree) access the following URL. 

URL: https://myserver.test.com:8080/am/XUI/?realm=testrealm&service=mytree


Output: After Entering the Username & Password, You should be asked to enter the OTP received on your Gmail. Once OTP is verified, Access is allowed. 


All the very Best. !!!

INTEGRATING SERVICENOW WITH OKTA FOR SINGLE SIGN ON (SSO)

Today’s blog features a tutorial detailing everything you need to know in order to provision users from Okta to ServiceNow and Federated ServiceNow Application using SAML 2.0 (Security Assertion Markup Language).

Okta is a cloud-based identity management product that helps companies manage and secure user authentication and build identity controls into applications.Through this blog, we will show user provisioning from Okta to ServiceNow and configuration of Single Sign-On using Identity Provider and Service Provider Initiated Mechanism through SAML.

Prerequisites:

• Administrative ServiceNow Account
• Application Administrative Okta Account

Configuration Steps at Okta:

1. Login to your OKTA console & click on Applications --> Add Application Button. 
2. Search for serviceNow UD as shown below. 

1. Click on the ADD Button on the Left Pane. Provide the Application URL of your ServiceNow Instance under the Base URL field. In this demo, we have used a dev instance as shown below.
2. Under the Provisioning tab, Enable API Credentials using ServiceNow admin account as shown below. 

1. After successful API Integration, we can create, update and deactivate users from Okta to ServiceNow by defining the Provisioning Rule as shown below. 

    5. Under the Assignments Tab, assign the application to a user or a group. In this demo we have assigned the application to a user for testing as shown below. 

    6. Under the Sign On Tab, download the Identity Provider Metadata as shown below. 

    Save the above IDP URL. 

Configuration Steps to be Done at ServiceNow:

1. Log in to ServiceNow as the administrator as shown below. 

   2. Search for plugins in the Filter navigator (left pane window) & Click on Plugins. 

   3. Search for com.snc.integration.sso.multi in the ID field from the search bar at the top of the Plugins           page. 

   4.  Install the Integration-Multiple Provider Single Sign-On Enhanced UI Plugin as shown below. 

Note: Plugins are automatically activated post installation. 

   5. Search for Multi-Provider SSO in the Filter navigator (top left input field). Click on Properties Button. 

    6.  Select Yes for Enable Multiple provider SSO, as shown below & Click Save. 

    7. Search again for Multi-Provider SSO in the Filter navigator (top left pane). Select Identity                                Providers.

     8. Click New and select SAML for SSO Configuration provider. 

     9. Import the Identity Provider Metadata from Okta. 

     10. After Importing the metadata, automated SAML settings are populated. Check Default for Default                   SAML Settings.

    11. Under the Encryption & Signing Tab, Set the Signing/Encryption Key Alias as “saml2sp”.

    12. Select the User Provisioning Tab and Uncheck Auto Provisioning User and Update User Record Upon         Each Login checkboxes. 

    13. Select the Advanced Tab, In the user field, specify the ServiceNow user attributes that you will be                 matching against Okta with SAML. We are using email as the user field. 

    14. Check Create AuthnContextClass box as shown below. 

      15. Scroll Up and click Test Connection button. You are all set. 

   16. Activate the partnership 

       Thanks a lot !!!