Using multi factor authentication with Service Portal
‎05-30-2017 04:23 PM
Hi,
I have the multi-factor authentication plugin enabled; however, this does not appear to work for a Service Portal based login. I just get the message:
However, it does not give any means to actually enter the 2nd factor. This does work on the standard non-portal login. Is there any way to have it work within the Service Portal?
‎07-20-2017 07:07 AM
Hi Paul,
Service Portal currently has no support for MFA (or UI Pages). However, this is being addressed through PRB910508 to be implemented in a future release.
Hope this helps answer your questions.
-Brandon
‎08-18-2017 04:50 PM
Good day brandon.may,
Would you happen to know if multi-factor authentication is possible with the password reset tool? If not, can you point me in the right direction of someone at ServiceNow to talk to about this?
I'd like to leverage MFA authentication methods instead of enrollment, if possible.
Thank you.
‎08-17-2017 03:18 PM
Hi Paul,
You can try copying and updating the login widget with some modifications...
The way it works is when someone clicks on 'Login', the next step is an AJAX POST to determine if the login credentials are correct, and if so allow them in. The response from this AJAX query contains a status which is usually 'success', but when MFA is enabled and the username/password is correct, the status returned is 'mfa_code_required'. The widget unfortunately only checks if the status is 'success', and this is why you get that nice red text asking you to enter a 6 digit code with nowhere to enter it.
I tried adding lines 35-37 to the OOB login widget's controller to check if the status is 'mfa_code_required' and if so, redirect to the MFA code entry page. It seems to work fine.
One step that is missing here is the check to see if the user has validated their MFA (i.e. they have set it up). If they haven't set it up and the username and password are correct, the login widget will return a 'success' status and bypass MFA altogether (logging in via the Service Portal seems to actually allow the user to circumvent the 'bypasses remaining' number out of the box). It might be beneficial to add a query to the user_multifactor_auth table to find out if MFA has been validated before proceeding. This would likely be done after line 29.
c.login = function(username, password) {
  var url = urlTools.getURL('view_form.login');
  // If the page isn't public then the id in the
  // url won't match the rendered page id.
  var pageId = $location.search().id || $scope.page.id;
  var isLoginPage = $scope.portal.login_page_dv == pageId;
  return $http({
    method: 'post',
    url: url,
    data: urlTools.encodeURIParameters({
      'sysparm_type': 'login',
      'ni.nolog.user_password': true,
      'remember_me': !!c.remember_me ? true : false,
      'user_name': username,
      'user_password': password,
      'get_redirect_url': true,
      'sysparm_goto_url': isLoginPage ? null : $location.url()
    }),
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    }
  }).then(function(response) {
    if (!response.data) {
      c.message = $scope.data.errorMsg;
      return;
    }
    if (response.data.status == 'success') {
      //
      // CHECK IF MFA HAS BEEN VALIDATED HERE!!!
      //
      c.success = response.data.message;
      $window.location = response.data.redirect_url;
    } else if (response.data.status == 'mfa_code_required') {
      c.success = 'Redirecting to multi-factor authentication page.';
      $window.location = '/validate_multifactor_auth_code.do';
    } else {
      // wrong username or password
      c.message = response.data.message;
      c.password = "";
    }
  }, function errorCallback(response) {
    // error
    c.message = $scope.data.errorMsg;
  });
};
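The status handling discussed in the post above, pulled out into a plain function that fails closed, as an added example that is not part of the original post and not ServiceNow's own code. The `mfa` argument and its `required`/`validated` fields are hypothetical: they stand for whatever the widget's server script would report after querying user_multifactor_auth, and the sample responses are constructed.

```javascript
// Added example, not ServiceNow code. ASSUMPTION: `mfa` is a hypothetical
// object ({ required, validated }) that the widget's server script would
// fill in, e.g. from a lookup on user_multifactor_auth for the user.
const MFA_PAGE = '/validate_multifactor_auth_code.do'; // path used in the post

function nextLoginStep(response, mfa) {
  const data = response && response.data;
  if (!data || typeof data.status !== 'string') {
    return { action: 'error', reason: 'empty or malformed response' };
  }
  switch (data.status) {
    case 'mfa_code_required':
      // Credentials were correct; the second factor is still outstanding.
      return { action: 'redirect', url: MFA_PAGE };
    case 'success':
      // Fail closed: without a known enrollment state, do not proceed.
      if (!mfa || typeof mfa.required !== 'boolean') {
        return { action: 'deny', reason: 'MFA state unknown' };
      }
      if (mfa.required && mfa.validated !== true) {
        return { action: 'deny', reason: 'MFA required but not set up' };
      }
      if (typeof data.redirect_url !== 'string' || data.redirect_url === '') {
        return { action: 'error', reason: 'missing redirect_url' };
      }
      return { action: 'redirect', url: data.redirect_url };
    default:
      // Any other status is treated as a failed login (wrong credentials).
      return { action: 'retry', message: data.message || 'Login failed' };
  }
}

// Constructed sample responses, shaped like the ones described in the post.
const samples = [
  [{ data: { status: 'mfa_code_required' } }, { required: true, validated: true }],
  [{ data: { status: 'success', redirect_url: '/sp' } }, { required: true, validated: false }],
  [{ data: { status: 'success', redirect_url: '/sp' } }, { required: false, validated: false }],
  [{ data: { status: 'failure', message: 'Invalid login' } }, null],
];
for (const [response, mfa] of samples) {
  console.log(response.data.status, '->', JSON.stringify(nextLoginStep(response, mfa)));
}
```

A decision made in the widget's client controller only controls where the browser navigates, so the enrollment requirement itself still has to be enforced on the server.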
‎11-29-2017 08:03 AM
Hi, it works, but the pairing of the Google app device should be done beforehand.
Do you know if it is possible to add it to the login widget?
Many thanks