
Knowd Login Plugin

login-screen-400.png
Knowd - login without password on devices that have a high enough trust score

Overview

Conventionally, users access a TWiki site with username and password. Wave Knowd is an endpoint identity cloud service that provides a link between a unique device identity and Internet services. The Knowd cloud service manages the identity and trust score of user devices. With Knowd, users can log in to a site without specifying a password if the device used has a high enough trust score.

This plugin provides a login manager where TWiki users can register their devices (computers, smartphones, etc), then log in to the TWiki site without a password, provided their device has a high enough trust score. The threshold of the trust score can be set by a TWiki administrator.

Login Procedure

This assumes your TWiki administrator installed and configured this plugin. Follow this procedure to log in to the TWiki site automatically, without specifying a password:

  • One time setup for each device (computer, smartphone, etc) you use:
    • Go to login screen and watch the Knowd info on the upper right. It should show something like this:
      Identity: 2a717742-f579-42f7-bcb5-44104bc65e8f
      Score: 331
    • Log in with username and password.
    • Visit the Knowd Device Manager, and register the device - give it a memorable name, such as Work PC.
    • Log out.

  • Automatic login:
    • Go to login screen.
    • If the trust score is high enough you will be logged in automatically and redirected to TWiki.
    • Else, you will see the score with the (not high enough) message. Log in with your username and password.

Simply put, the automated Knowd log in works as follows:

knowd-login-diagram.png

  1. TWiki sends the login screen to the browser.
  2. With an Ajax call in the login screen, the browser sends a "Get ID" request to the Knowd server.
  3. The Knowd server sends back the ID and a score of the device (browser).
  4. The browser requests an automatic login from the TWiki server.
  5. Automatic log in: In case the device is registered and has a high enough score, the automated log in is performed for the user associated with the device, followed by a redirect to the TWiki view script.

This is a simplified diagram. The actual flow is more complex and is documented in the developer section below.

Device Management

The Knowd Device Manager lets you manage your devices (computer, smartphone, etc). Members of the TWikiAdminGroup can manage devices of other users.

Screenshot:
device-manager.png

Functionality:

  • Select user (only available to TWiki administrators).
  • See list of devices. For each device you can:
    • See ID, name, trust score, date of registration, and last access
    • Register a device by giving it a name, such as "Work PC", "MacBook Pro", "iPhone", "Home computer". Unregistered devices are highlighted with a yellow background.
    • Change the name of a registered device.
    • Remove (deregister) a device.

When an action is taken, the result is shown in a green note. A red note is shown in case of an error.

Developer Documentation

You can skip this unless you want to learn how automated login works.

The login sequence is a bit convoluted due to security considerations.

Knowd login sequence diagram:

knowd-login-sequence.png

  1. TWiki sends login screen to the browser.
  2. The login screen does an Ajax call to the Knowd ID server requesting a claim ticket.
  3. The Knowd ID server returns a one time use claim ticket.
  4. The login screen sends an Ajax request to the TWiki server, passing along the claim ticket.
  5. The TWiki server sends a device ID request to the Knowd ID server, passing along the claim ticket.
  6. The Knowd ID server returns the ID and score of the device, i.e. the browser.
  7. The TWiki server returns the Ajax call from the browser, returning the device ID and score. In case the score is above a set threshold and the device is registered, it also returns a magic number.
  8. In case the magic is received, the login screen sends a redirect to the TWiki server, requesting the login screen, passing along the magic number.
  9. The TWiki server handling the login screen checks for the magic number parameter. In case the magic number exists and is correct, TWiki logs in the user associated with the device, and redirects to the view script.

The login method in the TWiki::LoginManager::KnowdLogin module generates the login screen with the Javascript code that does the Ajax calls.

The TWiki::Plugins::KnowdLoginPlugin::Core module handles the KNOWD TWiki variable to manage the device IDs. It also handles the magic number.

The KNOWD TWiki variable supports these parameters:

1. action="checkid" id="..."

Request the device ID from the Knowd ID server. The id parameter is the claim ticket. This calls the Knowd ID server at https://id.wave.com/upi/willcall/claim?ticket=.... A response JSON data might look like:
{"message":"", "result":"OK", "info":"{\"id\":\"a27d00fc-d4f4-4ac1-9a20-dd748d0c2954\", \"score\":244, \"needsSetup\":false, \"setupURL\":null}"}

2. action="getdevices" user="..."

Returns the list of device IDs associated with a user. Specify the WikiName of the user. This also sets SpreadSheetPlugin hashes that can be retrieved as follows:

  • $GETHASH(knowd-login, id) - login name associated with device ID
  • $GETHASH(knowd-wikiname, id) - WikiName associated with device ID
  • $GETHASH(knowd-name, id) - device name
  • $GETHASH(knowd-score, id) - device score
  • $GETHASH(knowd-atime, id) - last login date (epoch time format)
  • $GETHASH(knowd-rtime, id) - date of registration (epoch time format)

This is used to populate the device table at KnowdDeviceManager.

3. action="registerdevice" id="..." name="..." user="..."

Register a device by ID. The name and user are required. Only the device owner or an administrator can register a device.

4. action="deregisterdevice" id="..." user="..."

De-register a device by ID. The user is required. Only the device owner or an administrator can de-register a device.

The plugin stores device data in the plugin's working directory at twiki/working/work_areas/KnowdLoginPlugin. Each device is represented by a file named id-<device-id>.txt, such as id-3b9d59a5-4452-48fe-8197-b36bc6127f2c.txt. Sample content:

atime: 1394694634
login: JimmyNeutron
magic: 
name: iPhone
rtime: 1394694634
score: 244
wikiname: JimmyNeutron
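The server-side half of the sequence above (steps 6, 7 and 9), the double-encoded checkid response, and the device file format, worked through as an added example. This is illustrative code written for this page, not the plugin's own Perl; the checkid response and device record are constructed samples in the page's formats, "registered" is assumed to mean the record carries a name and a login, and clearing the magic after one use is a hardening assumption, not something the page states.

```python
import hmac
import json
import secrets

# Constructed sample in the shape of the page's checkid response; note the
# device info is a JSON string nested inside the outer JSON object.
CHECKID_RESPONSE = (r'{"message":"", "result":"OK", "info":"{\"id\":\"a27d00fc-d4f4-4ac1-9a20-dd748d0c2954\", '
                    r'\"score\":244, \"needsSetup\":false, \"setupURL\":null}"}')

# Constructed sample in the page's id-<device-id>.txt format.
DEVICE_FILE = """atime: 1394694634
login: JimmyNeutron
magic:
name: iPhone
rtime: 1394694634
score: 244
wikiname: JimmyNeutron
"""

def parse_checkid(raw):
    """Step 6: unwrap the double-encoded response into (device id, score)."""
    outer = json.loads(raw)
    if outer.get("result") != "OK":
        raise ValueError("checkid failed: %s" % outer.get("message"))
    info = json.loads(outer["info"])        # inner JSON string
    return info["id"], int(info["score"])

def parse_device_file(text):
    """Read the key: value device record into a dict (empty magic -> '')."""
    device = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        device[key.strip()] = value.strip()
    return device

def issue_magic(device, score, threshold=400):
    """Step 7: magic only for a registered (name+login assumed) device at/above threshold."""
    if not (device.get("name") and device.get("login")) or score < threshold:
        return None
    device["magic"] = secrets.token_hex(16)   # unguessable, server-generated
    return device["magic"]

def verify_magic(device, presented):
    """Step 9: constant-time compare, then clear so the magic is one-time (assumption)."""
    stored = device.get("magic", "")
    if not stored or not hmac.compare_digest(stored, presented):
        return None
    device["magic"] = ""
    return device["wikiname"]
```

With the sample score of 244 and the default threshold of 400 no magic is issued, which is the "(not high enough)" case shown on the login screen.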

Plugin Installation & Configuration

You do not need to install anything on the browser to use this plugin. These instructions are for the administrator who installs the plugin on the TWiki server.

  • For an automated installation, run the configure script and follow "Find More Extensions" in the Extensions section.

  • Or, follow these manual installation steps:
    • Download the ZIP file from the Plugins home (see below).
    • Unzip KnowdLoginPlugin.zip in your twiki installation directory. Content:
      File:                                              Description:
      bin/knowd                                          Utility script to verify device ID
      data/TWiki/KnowdDeviceManager.txt                  Knowd device manager topic
      data/TWiki/KnowdLoginPlugin.txt                    Plugin topic
      lib/TWiki/LoginManager/KnowdLogin.pm               Login manager Perl module
      lib/TWiki/Plugins/KnowdLoginPlugin.pm              Plugin Perl module
      lib/TWiki/Plugins/KnowdLoginPlugin/Config.spec     Configure spec file
      lib/TWiki/Plugins/KnowdLoginPlugin/Core.pm         Plugin Core module
    • Set the ownership of the extracted directories and files to the webserver user.
    • Install the dependencies indicated below.

  • Plugin configuration:
    • Run the configure script and enable the plugin in the Plugins section.
    • Enable the Knowd login manager in the Security setup section:
      For {LoginManager} select TWiki::LoginManager::KnowdLogin.
    • Configure additional plugin settings in the Extensions section. Settings:
      $TWiki::cfg{Plugins}{KnowdLoginPlugin}{ScoreThreshold} # Trust score threshold to allow user to login without a password. Default: 400
      $TWiki::cfg{Plugins}{KnowdLoginPlugin}{ClaimIdUrl} # URL to claim an ID and trust score based on the claim ticket.
    • Note: The plugin works on older TWiki releases, however, the GUI of the KnowdDeviceManager depends on TWiki-6.0. If you have an older TWiki release do this:
      • Upgrade to the latest SpreadSheetPlugin and SetGetPlugin
      • Remove the PARENTBC variable in the heading
      • Replace the USERREPORT variables with the direct link to the user's profile page.

  • Testing:
    • Go to login screen and watch the Knowd info on the upper right. It should show something like this:
      Identity: 2a717742-f579-42f7-bcb5-44104bc65e8f
      Score: 231 (not high enough)
    • Log in, visit KnowdDeviceManager, and register the device (your computer) - give it a memorable name, such as Work PC.
    • Log out, then go to login screen again. If the trust score is high enough you will be logged in automatically and redirected to TWiki. Otherwise, you will see the score with a (not high enough) message.

Plugin Info

  • One line description, shown in the TextFormattingRules topic:
    • Set SHORTDESCRIPTION = Knowd - login without password on devices that have a high enough trust score

Plugin Author: TWiki:Main.PeterThoeny
Copyright: © 2014 Wave Systems Corp.
© 2014 TWiki:Main.PeterThoeny
© 2014 TWiki:TWiki.TWikiContributor
License: GPL (GNU General Public License)
Sponsor: Wave Systems Corp.
Plugin Version: 2014-04-21
2014-04-21: TWikibug:Item7452: Support device setup URL in login screen and device manager; test for vulnerabilities
2014-04-10: TWikibug:Item7452: Add developer documentation; add Knowd login sequence diagram
2014-04-09: TWikibug:Item7452: Doc enhancements; add Knowd login diagram
2014-03-13: TWikibug:Item7452: Initial version
TWiki Dependency: $TWiki::Plugins::VERSION 1.2
CPAN Dependencies: CPAN:Crypt-SSLeay
Other Dependencies: none
Perl Version: 5.005
Plugin Benchmark: GoodStyle nn%, FormattedSearch nn%, KnowdLoginPlugin nn%
Plugin Home: http://TWiki.org/cgi-bin/view/Plugins/KnowdLoginPlugin
Feedback: http://TWiki.org/cgi-bin/view/Plugins/KnowdLoginPluginDev
Appraisal: http://TWiki.org/cgi-bin/view/Plugins/KnowdLoginPluginAppraisal

Related Topics: KnowdDeviceManager, TWikiPlugins, AdminDocumentationCategory, TWikiPreferences

Topic revision: r7 - 2014-04-22 - PeterThoeny