ahelland / ADFSMFAAdapters

Custom MFA Adapters for ADFS
38 stars, 11 forks

Validating OTP with the one stored in AD #4

Closed by ClosedCondition 4 years ago

ClosedCondition commented 5 years ago

YubiKeyMFAAdapters.cs

line 133:  var userId = otp.Substring(0, 12);
line 137:  if (userId != yubikeyId.Substring(8))

should be changed to:

line 133:  var userId = otp.Substring(0, 12);
line 137:  if (userId != yubikeyId.Substring(0, 12))

to pass the validation. Better still, the code could be changed to support multiple keys for the same user by storing several OTPs in the same user AD attribute.

ahelland commented 4 years ago

Yes, you're sort of right :)

It was described in a blog post that I used a prefix in the AD object - "YubiKey:", but with this omitted from the instructions here that is not so apparent. (Whether one should have a prefix or not is a different discussion.)

As a first step I'll point this out in code and instructions, but adding support for multiple keys might also be a good idea.
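Added example, not code from this repository or from either commenter: a small C# helper showing the check the two comments above are discussing. It takes the first 12 characters of the OTP (the YubiKey public ID) and compares them with the IDs stored on the user's AD object, accepting both the prefixed form ("YubiKey:" followed by the ID, which is what `Substring(8)` assumed, since the prefix is 8 characters) and the bare 12-character form (which `Substring(0, 12)` assumes), and it allows several keys per user. The `';'` separator for multiple values, the method names and the sample IDs are assumptions. Matching the public ID only ties the key to the account; the full OTP must still be verified by a YubiKey validation service before the logon is accepted, which is outside this snippet.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; not the ADFSMFAAdapters project's own code.
// Assumed attribute format (not from the issue): one or more 12-character
// YubiKey public IDs separated by ';', each optionally prefixed "YubiKey:".
public static class YubiKeyIdMatcher
{
    private const string Prefix = "YubiKey:";   // 8 characters, hence Substring(8)
    private const int PublicIdLength = 12;      // first 12 modhex chars of a 44-char OTP

    // Extract the public ID from an OTP. The remaining 32 characters are the
    // encrypted, single-use part and are not used for the identity match.
    public static string PublicIdFromOtp(string otp)
    {
        if (string.IsNullOrEmpty(otp) || otp.Length < PublicIdLength)
            throw new ArgumentException("OTP too short to contain a public ID");
        return otp.Substring(0, PublicIdLength).ToLowerInvariant();
    }

    // Normalize one stored entry so both storage formats from the issue work:
    // "YubiKey:ccccccbtdgkh" and "ccccccbtdgkh" both yield "ccccccbtdgkh".
    public static string NormalizeStoredId(string stored)
    {
        var s = stored.Trim();
        if (s.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            s = s.Substring(Prefix.Length);
        return s.ToLowerInvariant();
    }

    // Split a multi-valued attribute into individual public IDs, dropping
    // malformed entries so one bad value cannot make every key fail or match.
    public static IEnumerable<string> RegisteredIds(string attributeValue)
    {
        if (string.IsNullOrWhiteSpace(attributeValue))
            yield break;
        var parts = attributeValue.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var part in parts)
        {
            var id = NormalizeStoredId(part);
            if (id.Length == PublicIdLength)
                yield return id;
        }
    }

    // True when the OTP came from one of the keys registered for this user.
    // This binds key to account only; the OTP itself is validated elsewhere.
    public static bool IsRegisteredKey(string otp, string attributeValue)
    {
        var userId = PublicIdFromOtp(otp);
        return RegisteredIds(attributeValue).Contains(userId);
    }

    public static void Main()
    {
        // Constructed sample values, not real keys or real OTPs.
        const string otp = "ccccccbtdgkh" + "dhcfeidttbbhhktbltceddcuvcnkflvl";

        const string prefixedSingle = "YubiKey:ccccccbtdgkh";                 // blog-post format
        const string bareSingle     = "ccccccbtdgkh";                         // format in this issue
        const string twoKeys        = "YubiKey:ccccccvfluhr;ccccccbtdgkh";    // two keys, mixed formats
        const string otherUser      = "YubiKey:ccccccvfluhr";                 // different key only

        Console.WriteLine(IsRegisteredKey(otp, prefixedSingle)); // True
        Console.WriteLine(IsRegisteredKey(otp, bareSingle));     // True
        Console.WriteLine(IsRegisteredKey(otp, twoKeys));        // True
        Console.WriteLine(IsRegisteredKey(otp, otherUser));      // False
    }
}
```

The comparison is done on the normalized 12-character ID on both sides, so the adapter no longer depends on whether the administrator stored the value with or without the prefix, and adding a second key for a user is a matter of appending another entry to the attribute rather than overwriting the first.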