Adding Multi Factor Authentication to VLF-ONE

MikeRoyal
Posts: 4
Joined: Fri Jun 21, 2019 8:58 pm

Adding Multi Factor Authentication to VLF-ONE

Post by MikeRoyal » Fri Jun 21, 2019 9:23 pm

Hi

I am looking to add Multi factor Authentication to our VLF-ONE application, as it will be accessed outside the corporate network. I found an excellent article on this forum regarding setting up MFA, but I'm not sure how to implement within the VLF-ONE logon process. I can see that I can use a customised version of VF_AC026O for the login handler, but not sure how I can change the actual logon process to prompt for a second level of authorisation.

Ideally I would also want to determine (based on IP address of client) whether the application is being run inside or outside the corporate network so that I only need to show the second level of authentication when the application is being accessed from outside.

Any help greatly appreciated

Mike

MarkD
Posts: 626
Joined: Wed Dec 02, 2015 9:56 am

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MarkD » Mon Jun 24, 2019 11:45 am

Here's a suggestion for how you might approach doing this.

In outline the steps are:

 Do the complete login and 2 factor validation process external to your VLF-ONE application.
 Have the external login process create an encrypted login ‘token’ for validated users.
 Make the normal VLF-ONE dialog not appear, instead causing it to ‘flick pass’ the login token directly to the VLF-ONE server-side login validator.
 Have the VLF-ONE server login validator check the token is kosher before letting the user into the application.

In a little more detail ...

First, do the logon and two factor authentication completely external to your VLF-ONE application.

The latest Web API Client Library has a very good example of how to do that.

Once you have externally validated the user and password and passed the second factor check, have your server module create a custom encrypted “token”.
The token would contain the user profile, a one-time GUID and the time of creation as a minimum, and maybe other identification assurance stuff like the IP address of the requester.

Encrypt the token with a one-time key (using maybe a concatenated GUID and a date time stamp).

Store the token and the one-time key in a database table and return the token to the login client.

Then have your client login program open the VLF-ONE application passing that returned token on the URL, maybe using usertoken=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.

Next create a custom VLF-ONE client side login program. You can get the framework level Common Activities tab to do that for you if you want.

A custom login is a reusable based on VF_AC026O and its identifier is specified in your framework’s custom login form.

Modify it so that it does not present a login dialog, but instead ‘flick passes’ the request straight to the VLF-ONE server-side validation program (i.e. your framework’s version of shipped example UF_OLOGON).

Here’s an example of how to avoid the normal VLF-ONE login screen from appearing - viewtopic.php?f=4&t=164&p=530

In your server-side validation module’s CheckUserCredentials method note that the start-up URL is passed in.

Get the token out of the URL, decrypt it and decompose it – assuming that it can be found in the temporary tokens table.

Check that it seems kosher by checks such as:
 Was there a token on the URL?
 Was it found in the temporary tokens table?
 Do the IP addresses of the VLF-ONE and token requesters match?
 Was it created in the last 15 seconds (say)?
 Whatever else you can think of.

Delete the token from the temporary token file.

If everything passes muster, have CheckUserCredentials return all the parameters required to let the user into the VLF-ONE application.
Otherwise reject the logon request with a bad return code or maybe even a full-on ABORT operation with system operator warnings.

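The server-side token checks described in the post above, written out as an added Python example (not LANSA code, and not from the original thread). It models the "temporary tokens table" as an in-memory dictionary and, instead of an encrypted blob, uses an opaque random one-time token whose user, requester IP and creation time are held server-side; the URL parameter name usertoken and the 15-second window are taken from the post, the user and IP values are constructed.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

TOKEN_MAX_AGE_SECONDS = 15  # "created in the last 15 seconds (say)"


@dataclass
class TokenRecord:
    user: str
    requester_ip: str
    created_at: float


# Constructed stand-in for the temporary tokens table. A real deployment
# would use a database table shared by the login service and the validator.
_token_table: Dict[str, TokenRecord] = {}


def issue_token(user: str, requester_ip: str, now: Optional[float] = None) -> str:
    """Called by the external login service after password + second factor passed.
    Returns the opaque value to place on the URL as usertoken=..."""
    token = secrets.token_urlsafe(32)  # one-time, unguessable GUID-like value
    _token_table[token] = TokenRecord(user, requester_ip, time.time() if now is None else now)
    return token


def token_from_url(url: str) -> Optional[str]:
    """Extract usertoken from the start-up URL, or None if it is absent."""
    values = parse_qs(urlsplit(url).query).get("usertoken")
    return values[0] if values else None


def check_user_credentials(url: str, requester_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Server-side validator. Returns (accepted, user_or_rejection_reason).
    Checks: token on URL, found in table, IP match, fresh, and single use."""
    now = time.time() if now is None else now
    token = token_from_url(url)
    if token is None:
        return False, "no usertoken on URL"
    # Remove the record before any other check so a replayed token always fails.
    record = _token_table.pop(token, None)
    if record is None:
        return False, "token not found in temporary tokens table"
    if record.requester_ip != requester_ip:
        return False, "requester IP does not match token"
    if not 0 <= now - record.created_at <= TOKEN_MAX_AGE_SECONDS:
        return False, "token too old"
    return True, record.user
```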
MarkD
Posts: 626
Joined: Wed Dec 02, 2015 9:56 am

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MarkD » Mon Jun 24, 2019 3:46 pm

If you need more help with this please yell - it would be a very useful example to have.

MikeRoyal
Posts: 4
Joined: Fri Jun 21, 2019 8:58 pm

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MikeRoyal » Mon Jun 24, 2019 5:53 pm

Hi Mark

Thanks for your detailed response. I'll give it a try. You mentioned checking the IP address. Can you advise the best way of retrieving this? I had thought #sys_web would return this information but can't see a way to do this.

Thanks

Mike

MarkD
Posts: 626
Joined: Wed Dec 02, 2015 9:56 am

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MarkD » Tue Jun 25, 2019 9:10 am

Try the system variable *WEBIPADDR in your server module.
I tried it yesterday on a Windows server and it seems to work okay as long as you don't use localhost in the URL.
https://docs.lansa.com/14/en/lansa015/i ... *WEBIPADDR

MikeRoyal
Posts: 4
Joined: Fri Jun 21, 2019 8:58 pm

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MikeRoyal » Tue Jun 25, 2019 7:23 pm

Thanks. I'll give it a try.

MikeRoyal
Posts: 4
Joined: Fri Jun 21, 2019 8:58 pm

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MikeRoyal » Wed Jun 26, 2019 3:31 am

Hi Mark
I’m having trouble compiling the version of VF_ac026o as the methods don’t exist for the ancestor. Any idea what I’m doing wrong?

Mike

MarkD
Posts: 626
Joined: Wed Dec 02, 2015 9:56 am

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MarkD » Wed Jun 26, 2019 10:25 am

Sorry, that version was quite old.
Try this one instead:


Begin_Com Role(*EXTENDS #VF_AC026O)
Define_Com Class(#PRIM_TIMR) Name(#LogonShortDelayTimer) Interval(1) Startup(Manual)
* ------------------------------------------------------------
Evtroutine Handling(#LogonShortDelayTimer.Tick)
#LogonShortDelayTimer.Stop
* Replace TheUser and ThePassword with valid credentials.
Signal Event(LogOnAttemptRequested) Platformu(THEUSER) Platformp(THEPASSWORD)
Endroutine
* ------------------------------------------------------------
* Handle getting required user profile and password
Mthroutine Name(zInt_RequestPlatformUCredentials) Options(*REDEFINE)
Define_Com Class(#Prim_Boln) Name(#AtEntry_FrameworkLoadListAttempted)
* Track what the framework list load attempt flag says at entry
#AtEntry_FrameworkLoadListAttempted := #FrameworkListLoadAttempted
* Do ancestor processing
#Com_Ancestor.zInt_RequestPlatformUCredentials Attemptedrequests(#AttemptedRequests)
* No log on form is to be visible
#Com_Owner.Visible := False
* If the frameworks list still needs to be loaded return control and wait for
* that to happen. When it does happen this method will be called again.
If (#AtEntry_FrameworkLoadListAttempted = False)
Return
Endif
* There is only one automatic attempt allowed, otherwise bad values will get stuck in a loop
If (#AttemptedRequests > 1)
#uSystem.zInt_IssueTextMessage Text('The server has rejected your logon request. Check the user and password used.') Collectionnumber(1)
#uSystem.zInt_SignalRequestExit Possibletocancel(False) Browserisclosing(False) Timeoutinprogress(False) Fatalerror(True)
Return
Endif
* If we reach here then start the log on a slight delay
#LogonShortDelayTimer.Start
Endroutine

End_Com

MarkD
Posts: 626
Joined: Wed Dec 02, 2015 9:56 am

Re: Adding Multi Factor Authentication to VLF-ONE

Post by MarkD » Wed Jun 26, 2019 10:40 am

Some other things that might be worth consideration:

--> Something like Signal Event(LogOnAttemptRequested) Platformu("<<TWOFACTOREXTERNAL>>") Platformp("<<NONE>>") could be used to let your server side validator know that it should be looking for the encrypted token on the URL and not validating the user and password itself.

--> Maybe you could have 2 entry point web forms MYAPPINTERNAL and MYAPPEXTERNAL, where only MYAPPEXTERNAL uses the special two factor logic version of VF_AC026O. If you try to use MYAPPINTERNAL externally it would throw you out.

--> You could have a simple hand-cranked web page called MYAPP.HTML and some simple JavaScript that looks at the requester's IP address and redirects the browser directly into MYAPPINTERNAL, or to the start of your two factor login process, which eventually opens MYAPPEXTERNAL. That way you could use just MYAPP.HTML externally or internally.
