Oak Ridge National Laboratory (ORNL) Data System Sciences and Engineering (DSSE) researchers recently deployed a customized two-factor authentication (2FA) system fully integrated with Pulse Connect Secure© (PCS). The deployment met a program-sponsor requirement to replace the third-party Security Assertion Markup Language (SAML) Identity Provider (IdP) that had been used to implement a 2FA solution fully integrated with PCS. No single product or platform could meet the complex system requirements, so DSSE researchers Brad Nance and Adam Bengston designed a solution that integrates the features of multiple products and platforms with PCS. The solution combines the features of PCS, Apache HyperText Transfer Protocol (HTTP) Server, and a custom application, and meets all requirements, including the requirement to defend against Uniform Resource Locator (URL) manipulation as a means of gaining unauthorized access to backend applications.
Significance and Impact
The integrated solution prevents an unauthorized user from accessing a backend application via URL manipulation by integrating the features and capabilities of PCS, Apache, and the custom 2FA Gateway Application.
Complex system requirements can often lead to a situation in which no single product or platform can provide a solution. In these cases, a solution integrating the features of multiple products and platforms is needed. Recently, a program sponsor required that use of a third-party SAML IdP–based system, which had been used to implement a 2FA solution fully integrated with PCS, be discontinued. The requirements for the new solution were the following:
1. Provide access to a secure web portal using 2FA that would include a username/password combination as the first factor, and an email passcode challenge as the second factor.
2. Continue using PCS as the primary platform.
3. Implement a solution without using the existing third-party SAML IdP.
4. Implement a solution in which the backend applications use an HTTP request header variable for authentication.
5. Prevent users who have not completed the email passcode challenge from gaining unauthorized access to backend applications; such access is usually attempted through URL manipulation.
PCS alone could not provide the features necessary to implement a solution to meet all the requirements. The challenge was to leverage the features of additional platforms to design an integrated solution that met all requirements.
PCS–ONLY 2FA CONFIGURATION
A PCS–only 2FA configuration can be implemented to satisfy all the requirements except the requirement to prevent unauthorized access through URL manipulation. The primary components of a configuration capable of preventing URL manipulation include the following:
- PCS as the secure web application server that provides a point of presence on the Internet.
- Apache HTTP Server acting as the internal (backend) web server.
- Oracle WebLogic Server acting as the internal (backend) application server.
For a PCS–only configuration, Apache simply acts as the HTTP listener for the applications running on the Oracle WebLogic Server.
The integrated solution uses existing features of PCS and Apache, along with the custom 2FA Gateway Application, to establish communication between the system components and thereby prevent URL manipulation. With those communication mechanisms in place, Apache can be configured with authorization rules that require an end user to complete the email passcode challenge before access to backend applications is allowed. The mechanisms used to establish communication between PCS, Apache, and the 2FA Gateway Application are HTTP request headers and LDAP server attributes.
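The authorization rule described above, modelled as an added example; this is not code from the article or from the ORNL or Pulse Secure implementations. It assumes that PCS is the only host permitted to reach Apache and stamps an identity header on every proxied request, and that the 2FA Gateway Application records completion of the email passcode challenge as a timestamped LDAP attribute. The header name, attribute name, trusted proxy address, 30-minute window, and the in-memory directory are all constructed for the illustration. The weaker `first_factor_only` rule shows the gap in a PCS-only configuration: a user who has passed only the username/password step can type a backend URL and get through.

```python
"""Added example (not ORNL's or Pulse Secure's code) modelling the Apache-layer
authorization rule of the integrated design. Header name, LDAP attribute name,
trusted proxy address, trust window and the directory contents are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

IDENTITY_HEADER = "X-Remote-User"                # assumed: set by PCS after the first factor
CHALLENGE_ATTR = "passcodeChallengeCompletedAt"  # assumed LDAP attribute (ISO 8601, UTC)
CHALLENGE_TTL = timedelta(minutes=30)            # assumed: how long a completion is honoured
TRUSTED_PROXIES = {"10.0.0.5"}                   # assumed: internal address of PCS
PROTECTED_PREFIXES = ("/apps/",)                 # backend application paths behind the gate
GATEWAY_PATH = "/2fa/"                           # where the gateway app serves the challenge

# Constructed stand-in for the LDAP directory: username -> attributes.
DIRECTORY: dict = {
    "alice": {CHALLENGE_ATTR: "2024-03-01T12:00:00+00:00"},  # finished the email passcode
    "bob": {},                                               # first factor only
}
# Fixed clock values so the example is deterministic.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 10, tzinfo=timezone.utc)   # 10 min after alice's passcode
LATER = SAMPLE_NOW + timedelta(hours=1)                           # outside the 30-minute window


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int
    location: Optional[str] = None   # redirect target while the challenge is still pending


def challenge_completed(user: str, now: datetime, directory: Mapping = DIRECTORY) -> bool:
    """True if the directory says `user` completed the passcode challenge within CHALLENGE_TTL.
    A bare boolean attribute would grant indefinite access after one completion, so this
    example stores a timestamp and bounds it; a malformed attribute fails closed."""
    stamp = directory.get(user, {}).get(CHALLENGE_ATTR)
    if not stamp:
        return False
    try:
        completed_at = datetime.fromisoformat(stamp)
    except ValueError:
        return False
    return timedelta(0) <= now - completed_at <= CHALLENGE_TTL


def first_factor_only(headers: Mapping[str, str], path: str, peer: str) -> Decision:
    """PCS-only rule: anyone PCS has identified may reach any backend path.
    This is the requirement-5 gap: a user who types a backend URL skips the passcode."""
    if peer not in TRUSTED_PROXIES or not headers.get(IDENTITY_HEADER):
        return Decision(False, 401)
    return Decision(True, 200)


def authorize(headers: Mapping[str, str], path: str, peer: str,
              now: Optional[datetime] = None, directory: Mapping = DIRECTORY) -> Decision:
    """Integrated rule: identity from the PCS header, passcode state from the LDAP attribute."""
    if now is None:
        now = datetime.now(timezone.utc)
    # The identity header is only meaningful when PCS sent it; from any other peer it is
    # client-supplied and must be ignored rather than trusted.
    if peer not in TRUSTED_PROXIES:
        return Decision(False, 401)
    user = headers.get(IDENTITY_HEADER)
    if not user:
        return Decision(False, 401)
    if not path.startswith(PROTECTED_PREFIXES):
        return Decision(True, 200)              # gateway pages and other unprotected content
    if challenge_completed(user, now, directory):
        return Decision(True, 200)              # header passes through to the backend app
    return Decision(False, 302, GATEWAY_PATH)   # send the user to finish the second factor


if __name__ == "__main__":
    for user in ("alice", "bob"):
        req = {IDENTITY_HEADER: user}
        print(user, "PCS-only:", first_factor_only(req, "/apps/payroll/", "10.0.0.5"))
        print(user, "integrated:", authorize(req, "/apps/payroll/", "10.0.0.5", SAMPLE_NOW))
```

Two points carry over to a real deployment. The identity header is trustworthy only because PCS is the sole path to Apache; if any other client could reach Apache and set that header, header-based backend authentication would be bypassable regardless of the passcode check. And the article does not say how the completion state is represented in LDAP; the time-bounded timestamp here is this example's choice, made because a plain "completed" flag that is never cleared would turn one passcode challenge into permanent second-factor status.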