
Use push-based OTP for onelogin protect devices #109

Open
danmerl opened this issue May 21, 2018 · 5 comments

Comments

@danmerl

danmerl commented May 21, 2018

Expected Behavior

OneLogin Protect devices should be able to authenticate by responding to a push notification using activate_factor

Current Behavior

OneLogin had a bug so that only with elevated privileges could the push notification be triggered. They have reportedly fixed this, so any usage of this script should now be based on an API key with sufficient privilege to trigger the push notification.

Possible Solution

If the MFA device is a OneLogin Protect type device, call activate_trigger if necessary and poll the saml_verify endpoint with the state token until the user responds to the push notification or sends the OTP via the app, rather than asking for manual entry of the OTP

Steps to Reproduce

Select a OneLogin Protect type MFA, user is asked to enter the OTP manually

Context (Environment)

Manual entry adds unnecessary steps, since the main feature of the OneLogin Protect device is that OneLogin can trigger push notifications for one-touch approval

@danmerl
Author

danmerl commented May 22, 2018

Report on this morning's activities trying to get this working.

In onelogin-aws-cli I have been hacking around on the get_saml_assertion method in init.py. My understanding was that for devices like OneLogin Protect, you should be able to call self.ol_client.activate_factor() to trigger the push notification, and then you'd be able to poll the verify method until the response to the push notification was recorded by the server. This is how it works for regular (non-SAML) MFA according to https://developers.onelogin.com/api-docs/1/multi-factor-authentication/activate-factor

However, in order to call activate_factor, we need the user's OneLogin id, not their email. And I don't think we can get the user id with the auth-only API key we currently use.
OneLogin's docs say that you no longer need to call activate_factor though, unless a needs_trigger field is True, but I'm also not sure how to fetch the OTP_device list that would tell me if needs_trigger is True. In the OneLogin python SDK, an OTP_device is a different class than device, which is what we currently get. You get the otp_device list by calling get_enrolled_factors, for which you also need the user id.

Anyway, if I hack our current flow so that if you have selected a OneLogin Protect device, rather than ask you to enter an OTP, it just calls get_saml_assertion_verifying with no OTP, then the push notification is triggered! However, it seems to get triggered every time I call get_saml_assertion_verifying, which you seem to need to do a bunch of times before your response reaches the server.

Also, the way the OneLogin Protect push notification works is kind of like Duo, where the notification asks you to approve or deny the access. If you tap 'approve', it says it is sending the code, but this never seems to have any effect and the polling of get_saml_assertion_verifying just keeps going, and you keep getting more push notifications. The only way to short-circuit the loop is to get to the regular OneLogin Protect screen where you'd see the OTP if you were going to manually enter it. This screen also has a "send OTP" button... if you hit that button, sending the OTP to the server seems to work and eventually the call to get_saml_assertion_verifying will succeed and you're logged in! But even hitting that button is tricky because the push notifications keep overlaying the screen you are trying to get to.

So this all kind of sucks. I don't know if there is a client bug so that responding 'approve' to the push notification doesn't work. I don't know why polling that endpoint keeps triggering the push notification.
Apparently if you call activate_factor you might get a new state_token to use in get_saml_assertion_verifying ... maybe that state token is different from the one we currently provide, which is the one we get from the original get_saml_assertion call, and this new one tells the server not to do another push notification? But I can't call activate_factor without the user id, which seems to be some secret id that we need a higher level api key to access and then distribute to everybody, and then it can be part of their config?
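The trigger-once-then-poll flow this comment works through, as an added example that is not code from onelogin-aws-cli or from OneLogin's SDK. It assumes the SAML verify_factor call accepts a `do_not_notify` flag that suppresses re-sending the push on repeated calls (OneLogin's v1 verify_factor endpoint documents such a parameter; the exact keyword and the response shapes used here are assumptions), and that a pending approval comes back with status type "pending". The transport is injected, and the FakeVerify class is a constructed stand-in so the loop runs offline.

```python
"""Poll OneLogin's SAML verify_factor for a OneLogin Protect push approval.

Added example, not code from onelogin-aws-cli or the OneLogin SDK. Assumed:
  * verify_factor accepts `do_not_notify`, which stops it re-sending the push;
  * a pending approval is reported with status type "pending", an approved
    one carries the SAML assertion in "data", and errors set status.error.
"""
import time
from typing import Callable, Dict, Optional


class MFAError(Exception):
    """verify_factor reported an error (wrong device, expired state_token...)."""


def poll_protect_push(
    verify: Callable[..., Dict],
    app_id: str,
    device_id: str,
    state_token: str,
    max_attempts: int = 30,
    interval: float = 2.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[str]:
    """Send one push, then poll until approval, error, or timeout.

    Only the first call is allowed to notify the device; every later call
    passes do_not_notify=True so polling does not spam the user with pushes
    (the behaviour the comment above observed). Returns the SAML assertion,
    or None if the user never responded within max_attempts.
    """
    for attempt in range(max_attempts):
        resp = verify(
            app_id=app_id,
            device_id=device_id,
            state_token=state_token,
            otp_token=None,                 # no manual OTP: rely on the push
            do_not_notify=(attempt > 0),    # assumption: flag name/semantics
        )
        status = resp.get("status", {})
        if status.get("error"):
            raise MFAError(status.get("message", "verify_factor failed"))
        if status.get("type") == "pending":
            sleep(interval)
            continue
        data = resp.get("data")
        if data:
            return data                     # the SAML assertion
        raise MFAError("unexpected response: %r" % resp)
    return None


class FakeVerify:
    """Constructed stand-in for verify_factor: answers "pending" for
    `pending_polls` calls, then "success". Counts the calls that would
    have sent a push so the no-spam property can be checked."""

    def __init__(self, pending_polls: int, fail: bool = False):
        self.pending_polls = pending_polls
        self.fail = fail
        self.calls = 0
        self.pushes_sent = 0

    def __call__(self, **kwargs):
        self.calls += 1
        if not kwargs.get("do_not_notify"):
            self.pushes_sent += 1
        if self.fail:
            return {"status": {"type": "bad_request", "error": True,
                               "code": 400, "message": "Invalid state_token"}}
        if self.calls <= self.pending_polls:
            return {"status": {"type": "pending", "error": False, "code": 200,
                               "message": "Authentication pending on OL Protect"}}
        return {"status": {"type": "success", "error": False, "code": 200,
                           "message": "Success"},
                "data": "PHNhbWxwOlJlc3BvbnNlLi4u"}  # constructed placeholder


def demo(pending_polls: int = 3, max_attempts: int = 10, fail: bool = False):
    """Run the poller against the fake; returns (assertion, calls, pushes)."""
    fake = FakeVerify(pending_polls, fail=fail)
    assertion = poll_protect_push(fake, "12345", "67890", "state-token",
                                  max_attempts=max_attempts, interval=0,
                                  sleep=lambda _: None)
    return assertion, fake.calls, fake.pushes_sent


if __name__ == "__main__":
    print(demo())
```

The point of the injected transport is that the only observable difference between a good and a bad poller here is `pushes_sent`: a loop that omits `do_not_notify` on repeat calls passes the same functional test but sends one push per poll, which is exactly the failure mode reported in the thread.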

@drewsonne
Contributor

@mumoshu
Contributor

mumoshu commented May 23, 2018

FWIW, I tried implementing OneLogin Protect support as well before, and concluded that the OneLogin API doesn't support our use-case.

The requisite of "Manage Users" permission worries me too!

@danmerl
Author

danmerl commented May 23, 2018

Glad I'm not the only one hitting this block... FWIW I had a ticket open with OneLogin support in which [3 months ago] they confirmed it was a bug on their end that you needed Manage Users level credentials to call activate_factor, and earlier this week they followed up on the ticket to say they fixed it and you should be able to call activate_factor with the auth-only credential rather than Manage Users. However, triggering push notifications each time you poll the endpoint to see if the approval has been granted seems like it might be another bug on their end.

@drewsonne
Contributor

Well... misery loves company, right? 😄

Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants