Skip to content

Super Gluu#

Overview#

Super Gluu is a push-notification two-factor authentication (2FA) mobile app built to work with the Gluu Server.

FIDO Security#

Super Gluu uses public-key encryption as specified in the FIDO U2F authentication standard. Upon device enrollment, Super Gluu registers its public key against the Gluu Server's FIDO U2F endpoint. When authentication happens, there is a challenge response to ensure that the device has the corresponding private key.

User and Developer Guides#

User and Developer Guides can be found on the Super Gluu docs site.

Prerequisites#

  • An Internet accessible (non-internal or localhost) Gluu Server with DNS pointing at the public Internet address of the server (installation instructions)

  • Super Gluu interception script (included in the default Gluu Server distribution)

  • An Android or iOS device with Super Gluu installed

  • If the Gluu Server is using a self-signed certificate, Trust All must be enabled in Super Gluu (open the app, navigate to Menu > Trust all (SSL) and enable)

Note

The Gluu Server and Super Gluu can work in the same network, without a DNS server hostname and with a self-signed certificate. There is only one limitation: both components should belong to the same network. Instead of assigning a hostname during Gluu Server installation, an IP address can be specified. In the Super Gluu mobile app, enable Trust all (SSL).

Authentication Workflows#

The authentication workflow for Super Gluu is defined in the Super Gluu interception script linked above in the prerequisites. By default, users are put through a two-step, two-factor authentication process with username and password first, and then push notification via Super Gluu second. Alternative authentication worklows, for instance passwordless authentication, can be configured by adjusting the script as needed.

Properties#

The Super Gluu authentication script has the following properties:

Property Description Example
authentication_mode Determine factor of authentication two_step
credentials_file JSON file for SuperGluu /etc/certs/super_gluu_creds.json
label The name of the application Super Gluu
notification_service_mode Service used to enable push notifications gluu
qr_options Size of the QR code that is used for enrollment and/or authentication { size: 500, mSize: 0.05 }
registration_uri Registration endpoint of the IDP https://idp.example.com/identity/register
supergluu_android_download_url Android app download link, used in the login page https://play.google.com/store/apps/details?id=gluu.super.gluu
supergluu_ios_download_url iOS app download link, used in the login page https://itunes.apple.com/us/app/super-gluu/id1093479646

Enable Super Gluu#

Follow the steps below to enable Super Gluu authentication:

  1. In oxTrust, navigate to Configuration > Manage Custom Scripts.
  2. Click on the Person Authentication tab
  3. Find the Super Gluu script
  4. Enable the script by checking the box
  5. Scroll to the bottom of the page and click Update

Now, Super Gluu is an available authentication mechanism for your Gluu Server. This means that, using OpenID Connect acr_values, applications can now request Super Gluu authentication for users.

Note

To make sure Super Gluu has been enabled successfully, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https://<hostname>/.well-known/openid-configuration. Find "acr_values_supported": and you should see "super_gluu".

Make Super Gluu the Default#

If Super Gluu should be the default authentication mechanism for all authentication events, follow these instructions:

  1. Navigate to Configuration > Manage Authentication

  2. Select the Default Authentication Method tab

  3. In the Default Authentication Method window you will see two options: Default acr and oxTrust acr

supergluu

  • oxTrust acr sets the authentication mechanism for accessing the oxTrust dashboard GUI (only managers should have acccess to oxTrust)

  • Default acr sets the default authentication mechanism for accessing all applications that leverage your Gluu Server for authentication (unless otherwise specified)

If Super Gluu should be the default authentication mechanism for all access, change both fields to Super Gluu.

Super Gluu Login Pages#

The Gluu Server includes two default public-facing pages for Super Gluu:

  1. An enrollment page that is displayed the first time a user is prompted for Super Gluu authentication super-gluu-enrollment

  2. A login page that is displayed for all subsequent Super Gluu authentications super-gluu-push-login

The designs are being rendered from the Super Gluu xhtml page. To customize the look and feel of the pages, follow the customization guide.

First-time Device Enrollment#

Super Gluu device enrollment happens during the first authentication attempt. The initial enrollment page displays a QR code that needs to be scanned with the Super Gluu app.

Subsequent Logins#

If you use the default Super Gluu interception script, all subsequent authentications will trigger a push notification to the enrolled device, which can be approved or denied as needed.

Credential Management#

Self-service#

To offer end-users a portal where they can manage their own account security preferences, including two-factor authentication credentials like Super Gluu, check out our new app, Gluu Casa.

Manual Device Management#

A user's Super Gluu device(s) can be removed by a Gluu administrator either via the oxTrust UI in Users > Manage People, or in LDAP under the user entry:

  1. Find the DN of the user in LDAP

  2. Find the oxID DN associated with the user

  3. Remove the oxID DN

For example, let's say user abc loses their device and wants to enroll a new device to use Super Gluu.

The Gluu Server admin will do the following:

  1. Get the DN of user abc which will be something like this:
    dn: inum=@!ABCD.1234.XXX.XXX.YYYY.8770,ou=people,o=@!DEFG.5678.XXX.XXX.ZZZ,o=gluu”

  2. Now find the oxID DN which is associated with this user’s DN. It might be something like:

    dn: oxId=1487683146561,ou=fido,inum=@!ABCD.1234.XXX.XXX.YYYY.8770,ou=people,o=@!DEFG.5678.XXX.XXX.ZZZ,o=gluu
    objectClass: oxDeviceRegistration
    objectClass: top
    oxDeviceData: {"uuid":"b82abc-a1b2-3abc-bcccc-2222222222222","type":"normal","platform":"android","name":"zico","os_name":"kitkat","os_version":"4.4.4","push_token":"dddddddddd:aaaaaa_58_cccccc_4t_bbbbbbbbbbbbb_aaaaaaaaaaaaaa_ggggggggg"}
    oxDeviceKeyHandle: fyyyyyyyyyyyyy_jaaaaaaaaaaaa_mKJw
    oxStatus: active
    oxApplication: https://test.gluu.org/identity/authentication/authcode
    oxCounter: 2
    creationDate: 20170221131906.559Z
    oxId: 11111111111111111
    oxDeviceRegistrationConf: {"publicKey":"BIGbwF…………….","attestationCert":"MIICJjCCAcygAwIBAgKBgQDzLA-......L5ztE"}
    oxLastAccessTime: 20170
    
  3. Delete the oxID DN

Now the old device is gone and the user can enroll a new device following the above instructions for registering a new device.

Using SCIM#

See the SCIM documentation for a discussion on how to manage FIDO devices, including Super Gluu, using the SCIM protocol.