Introduction to Secure Password Resets
As a Solutions Architect, the best part of my job is finding ways to make our products do what our customers want them to do…even when they don’t exactly do that. So, when One Identity acquired OneLogin last October, we entered an exciting interim period: a time during which our products would not have native, built-in, fully supported integration, but one in which we would soon be selling integration, and customers would be asking to see integration.
So began a mad dash to configure, script, and pull together all the integrations we could feasibly manage: Single Sign-On into everything (Active Roles, Safeguard, Identity Manager) via native federation support (SAML2, WS-FED), lifecycle management of OneLogin accounts from Identity Manager via the API, device-level MFA using One Identity Defender (major kudos to Eric Hibar Jr. for that one), and, the topic of this blog post, OneLogin as a Multifactor Authentication step during a Self-Service Secure Password Reset (or really ANY workflow) in One Identity Password Manager.
One Identity Password Manager
For those unfamiliar with Password Manager (PWM), it’s a secure enterprise Self-Service Password Reset (SSPR) tool. What’s particularly relevant here is that PWM is highly configurable and customizable, with a drag-and-drop interface for building end-user workflows, and custom activities built with PowerShell (my favorite!) and an in-depth SDK.
In short, you can customize the entire process an end-user goes through to do anything in PWM. In particular, we’ll focus on a secure Password Reset.
OneLogin by One Identity
For those unfamiliar with OneLogin, it is a Market-Leading Identity & Access Management platform, providing SSO, MFA, Unified Directory, User Lifecycle Management, and so much more.
For this integration, we will focus on Multi-Factor Authentication (MFA) to include as part of a PWM workflow.
Sidebar: Standards-Based Authentication (RADIUS)
There’s a reason I’m calling this “API-Based” MFA, and not just “MFA” or “OneLogin Integration”: RADIUS. PWM natively supports the RADIUS protocol to provide multifactor authentication in any workflow. And, of course, OneLogin includes a RADIUS server that PWM can authenticate against. Since Day 1 (okay…maybe day 7) of our OneLogin acquisition, we’ve been able to demonstrate and support this scenario.
But there are limitations.
- RADIUS only works with TOTP or Push-based Security Factors in OneLogin:
  - OneLogin Protect
  - Authenticator (TOTP-based)
  - RADIUS Token
- RADIUS only works for your primary Security Factor in OneLogin. You cannot select a different factor.
- RADIUS configuration & customization options in PWM are limited:
  - There can only be 1 RADIUS provider configured for a PWM instance, and it applies across the entire user base.
  - Customizing the text on the RADIUS action requires modifying an underlying .xml file, which therefore needs to be carried over and accounted for during upgrades.
  - There is no SDK method for executing a RADIUS authentication with the stored RADIUS configuration, so a custom action cannot be built without implementing your own RADIUS authentication via PowerShell.
Now, One Identity used to have an in-house MFA solution, Starling 2FA, which had native support in PWM for authentication via an Android & iOS app, as well as SMS, Email, and Voice. RADIUS by definition cannot support all of these features…but OneLogin can, with its REST API.
My Over-Zealous Plan
Before I even read the documentation of the OneLogin API, one of my talented colleagues in EMEA shared a set of scripts to do…well…exactly this. Use OneLogin for MFA in PWM. But also create users, register new Security Factors…really a whole dev kit of useful sample scripts (some more useful and relevant than others) that immediately grabbed my attention.
Now, my initial reaction was not to pop this into my lab and call it a day, or just to refactor it to fit the Unofficial PowerShell Style Guide (which, let’s be honest…I rarely follow completely). It was “hey, pretty much all of our products support PowerShell for extensibility, it would be REALLY cool if there was a PowerShell Module SDK that wrapped the OneLogin API!”
So, I thought “I can write that,” and started working on what would be my first major PowerShell Module.
Perhaps I focused too much on trying to do it properly and officially, or whatever, but after dumping tons of time and effort into the development with nothing to publicly share, I realized my scope was a bit large to start with, at least for an “as I get the time during work hours” side project.
After getting the framework of an SDK, and wrapping enough endpoints to process MFA requests, I shifted focus to making this work seamlessly with Password Manager.
I am excited to release this project, which allows you to utilize the OneLogin REST API to provide flexible, secure Multifactor Authentication capabilities to Password Manager Workflows, without the limitations of the RADIUS protocol.
Take advantage of PWM’s extensibility, and OneLogin’s powerful REST API to support a wide range of Security Factors, so your users can authenticate the way they prefer:
- OneLogin Protect
- Email OTP & Magic Link
- TOTP-based Authenticators (e.g. Microsoft, Google)
The included OneLoginByOneIdentity PowerShell Module takes care of all the necessary steps to interact with the API, so the PWM Actions can focus on the logic. This “early stages” SDK can also be used to streamline other OneLogin automations.
The UI is generated by the code, using features of the PWM SDK; no UI elements need to be created manually.
Sample exports of the actions, and an example authentication workflow, are included in the repository for ease of deployment.
Refer to the README for instructions.
The initial purpose of this integration was to provide end users with a smoother experience when authenticating with MFA to reset their passwords. However, this same process can also be utilized by helpdesk staff when verifying the identities of users who need assistance.
Typically, when a user contacts the helpdesk, a helpdesk staff member can run a workflow in Password Manager to verify that user’s identity based on the answers to their “helpdesk-only” security questions. Password Manager also natively supports the use of RADIUS MFA as part of this process, allowing helpdesk staff to request an OTP from the end user as well. The OneLogin API-Based MFA solution works in the same way! Including it in a Helpdesk Workflow will prompt the helpdesk staff member to select a Security Factor from the user’s list, and prompt the user for authentication. This can of course be combined with Push Authentication using the OneLogin Protect app, so the helpdesk staff member never has to receive an OTP.
Combining this all together allows users to experience a seamless process for authenticating with OneLogin both when resetting their password, and when contacting the helpdesk for assistance.
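As an added example (an editor’s illustration, not code from the OneLoginByOneIdentity module or the project’s repository), here is what one MFA round behind both the self-service reset and the helpdesk verification described above looks like when written directly against the OneLogin REST API in PowerShell: list the user’s enrolled factors, trigger a verification on the chosen one, then either poll for a push/magic-link approval or submit a typed OTP. The endpoint paths (/auth/oauth2/v2/token, /api/2/mfa/users/{id}/devices, /api/2/mfa/users/{id}/verifications), the needs_trigger field and the 'pending'/'accepted' status values are assumptions taken from the OneLogin API v2 MFA reference and should be checked against the current documentation; how a PWM action obtains the user’s OneLogin id ($OneLoginUserId) and reports the result is also assumed, since the PWM SDK calling convention is not covered here.

```powershell
# Added example (editor's illustration), not code from the OneLoginByOneIdentity module
# or the project's repository. Endpoint paths, body fields, needs_trigger and the
# status strings 'pending'/'accepted' are ASSUMED from the OneLogin API v2 MFA reference.

function Get-OneLoginAccessToken {
    # Client-credentials grant: exchange an API credential pair for a bearer token.
    param(
        [Parameter(Mandatory)] [string] $Subdomain,          # 'example' for example.onelogin.com
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret
    )
    $plain = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${ClientId}:${plain}"))
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://$Subdomain.onelogin.com/auth/oauth2/v2/token" `
        -Headers @{ Authorization = "Basic $basic" } -ContentType 'application/json' `
        -Body (@{ grant_type = 'client_credentials' } | ConvertTo-Json) -ErrorAction Stop
    return $resp.access_token
}

function Get-OneLoginMfaDevices {
    # Enrolled security factors for one user (assumed: GET /api/2/mfa/users/{id}/devices).
    param([string] $Subdomain, [string] $Token, [int] $UserId)
    Invoke-RestMethod -Method Get `
        -Uri "https://$Subdomain.onelogin.com/api/2/mfa/users/$UserId/devices" `
        -Headers @{ Authorization = "Bearer $Token" } -ErrorAction Stop
}

function Invoke-OneLoginMfaChallenge {
    # One MFA round: choose a factor, trigger a verification, then either poll for an
    # out-of-band approval (push, email magic link) or submit a typed OTP.
    # Returns $true only on an explicit 'accepted'; timeouts and errors are failures.
    param(
        [Parameter(Mandatory)] [string] $Subdomain,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [int] $UserId,
        [int] $DeviceId = 0,                     # 0 = use the user's default factor
        [scriptblock] $ReadOtp = { Read-Host -Prompt 'Enter the one-time code' },
        [int] $TimeoutSeconds = 90
    )
    $headers = @{ Authorization = "Bearer $Token" }
    $base = "https://$Subdomain.onelogin.com/api/2/mfa/users/$UserId/verifications"

    $devices = @(Get-OneLoginMfaDevices -Subdomain $Subdomain -Token $Token -UserId $UserId)
    if ($devices.Count -eq 0) { Write-Warning "User $UserId has no enrolled factors"; return $false }
    # Default factor unless the caller (end user or helpdesk operator) picked a specific one.
    $device = $devices | Where-Object { $_.default } | Select-Object -First 1
    if ($DeviceId -ne 0) { $device = $devices | Where-Object { $_.device_id -eq $DeviceId } | Select-Object -First 1 }
    if (-not $device) { Write-Warning 'Requested factor is not enrolled for this user'; return $false }

    # Activate the factor: sends the push/email, or opens the window in which an OTP is accepted.
    $verification = Invoke-RestMethod -Method Post -Uri $base -Headers $headers `
        -ContentType 'application/json' -ErrorAction Stop `
        -Body (@{ device_id = "$($device.device_id)"; expires_in = "$TimeoutSeconds" } | ConvertTo-Json)
    $vUri = "$base/$($verification.id)"

    if ($device.needs_trigger) {
        # Out-of-band factor: poll until accepted, rejected, or the deadline passes.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 3
            $state = Invoke-RestMethod -Method Get -Uri $vUri -Headers $headers -ErrorAction Stop
            if ($state.status -eq 'accepted') { return $true }
            if ($state.status -ne 'pending')  { return $false }   # rejected / expired
        }
        return $false                                             # timed out: never approve
    }

    # In-band factor (authenticator app): submit the code. Do not log $otp.
    $otp = & $ReadOtp
    if ([string]::IsNullOrWhiteSpace($otp)) { return $false }
    try {
        $result = Invoke-RestMethod -Method Put -Uri $vUri -Headers $headers `
            -ContentType 'application/json' -Body (@{ otp_token = "$otp" } | ConvertTo-Json) -ErrorAction Stop
        return ($result.status -eq 'accepted')
    } catch {
        Write-Warning "OTP rejected: $($_.Exception.Message)"   # 4xx from the API = wrong/expired code
        return $false
    }
}

# Assumed PWM-side wiring: the action supplies the target user's OneLogin id in $OneLoginUserId
# and treats the boolean as pass/fail for the workflow step.
# $token  = Get-OneLoginAccessToken -Subdomain 'example' -ClientId $ClientId -ClientSecret $ClientSecret
# $passed = Invoke-OneLoginMfaChallenge -Subdomain 'example' -Token $token -UserId $OneLoginUserId
```

Two design points carry over to a real PWM action regardless of which wrapper you use: a timeout or any status other than an explicit accepted is a failed authentication (never fall through to success when the poll loop ends), and the API credential used by the action should be scoped to what MFA verification needs rather than full administrative rights, since it lives on the PWM server.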
One Identity GitHub Note
One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. This includes all scripts, plugins, SDKs, modules, code snippets or other solutions. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.