[GSoC Proposal] Personal Identity Verification for Drupal

Swampcritter's picture

Develop a Personal Identity Verification (PIV) module that could be implemented in the Drupal CMS platform to allow for two-factor authentication using a Smart Card (SC) or US Government Department of Defense Common Access Card (CAC) for verification and access to secure website environments.

There was once sandbox-related activity found here, http://drupal.org/sandbox/larquin/1292622 , but it seems to have been abandoned.

I think it would be a benefit to the Drupal CMS project and community as a whole to have a module of this caliber actually be produced and available, especially for helping to expand Drupal's involvement in the United States Federal and State Government field, as well as helping multi-national governments and businesses throughout the world within the fields of Healthcare, Banking and E-Commerce.

PKI Authentication Discussion: http://drupal.org/node/820906

Full proposal on Google Docs is available here.

Comments

There are a couple of things

vaidik's picture

There are a couple of things that are not clear to me. Please throw some light. How many organisations really need this? Have any organisations previously requested this?

If this is a feature in need, and if it has been requested by, say, a notable number of organisations, then it totally makes sense to work on this. IMHO the project in general should help the community overall and should be worked upon only if there is a need for it. For example, have organisations in the past really shown an interest towards using Drupal if this feature were present? We need to answer these questions.

Vaidik Kapoor

I am working with one very

bhosmer's picture

I am working with one very large U.S. Federal organization that has requested this.

I also have another organization that I will be working with very soon that also wants this.

CAC Auth module?

thewebgal's picture

Hiya! I'm Heather, working with a team looking to move our big old flat-file HTML site into a Drupal 7 system over the next 6 months or so. We're DC based, if that helps.
Anyway, one of the important concerns is that, although we have mostly public files & pages now, there are a few directories locked down with CAC-SSO security via AKO/DKO that we would like to secure in any future versions of the site.
I know it's been a few months since your April post - wondered what kind of success you had made since then ... Thanks!

Hi Heather, There's a CAC

greggles's picture

Hi Heather,

There's a CAC module (really PKI Authentication, but the only PKI that's implemented is CAC) at http://drupal.org/sandbox/rickwelch/1663258

It was proposed to be presented at the DC Drupalcamp this summer by Rick and maybe Diane and some others from the NRL, though I'm not sure if that happened. I suggest trying it out and, if you have issues, posting in the issue queue and/or here.

PKI/CAC responses

barrettejp's picture

Thanks Heather, Rick, et al. If you hear of any federal implementations of Drupal with CAC/PKI and can point me in the right direction to gather more info, I'd be most obliged. John

PKI / CAC

rickwelch's picture

Hi John,

What specifically are you looking for?

-Rick

PKI/CAC

barrettejp's picture

Rick,

Generically (I can't speak specifically about my program): implementations of Drupal which use PKI (CAC) user authentication... bonus if OpenAM IdM processes authorization tokens.

John

A commercial one...

bandrzej's picture

These guys seem to have a commercial module:
http://www.cantongroup.com/personal-identity-verification

I am all for one that is open-sourced.

CAC Auth module

rickwelch's picture

Hi Heather,

We're going through the process of getting it approved as a regular contributed module. I hope it will be by the time you need it.

In the interim, you can check it out from the sandbox area using the link that Greg sent: http://drupal.org/sandbox/rickwelch/1663258 Don't hesitate to email me directly if you have any problems or questions.

@rickwelch Thanks for doing

bhosmer's picture

@rickwelch

Thanks for doing this. I have had quite a few DoD customers ask about this and I see it definitely being a worthwhile contribution.

I've got a few sites, but we haven't implemented this functionality. Where is your project application?

CAC / PKI

rickwelch's picture

The ball is in my court since Saturday. Worked on it a bit on Sunday. Hope to finish up and resubmit Thursday evening. You can follow it here: http://drupal.org/node/1775964

It should be fully functional now and any feedback would be appreciated.

@bhosmer

dkmnrl's picture

We'd love for someone to test out the module and give us some feedback. We are using it for a couple of web sites and it works for us, but we'd really like to see how it plays in other environments.

eID card in Belgium

bart.hanssens's picture

Shameless plug: perhaps you may be interested in this module (based upon Drupal's OpenID core module): http://drupal.org/project/beididp.

It talks OpenID to a Java-based IDP server (http://code.google.com/p/eid-idp/ ) that uses an applet to communicate with an eID-smartcard (issued by the Belgian federal government).

I am the main developer for

pwrovchz's picture

I am the main developer for Forge.mil Community (https://community.forge.mil). Because it is a DoD website we were required to disable username/password login, and enable CAC and ECA cert authentication through a custom module. A couple of issues with sharing this as a general module: we use a custom Postgres database for our certificate-to-username mapping (we use the same database for authentication across multiple sites), instead of something like LDAP. We also have code in there that was required for our use case, but wouldn't make sense in a general module. Lastly, I am unsure to what extent I am permitted to share the code with anyone outside the DoD; I would have to speak with my boss to determine this last point. I do think making a general module is both valid and valuable. Even sharing my code as is for others to take and modify as needed could be valuable.

Justin Hollingsworth

Open AM for Info Access Control

barrettejp's picture

Justin,
Has Community dabbled in using an IdM such as OpenAM for user authentication and authorization? If not, might you have a good vector for integrating IdM with Drupal?
Thanks,
John

@pwrovchz

bandrzej's picture

I am from a DoD entity - I had read up on your team's implementation as we started to look at Drupal to replace homegrown systems. We have our own custom implementation for some homegrown PHP applications that always require DoD SSL from Apache - thus all we have to do is check the ID in $_SERVER['SSL_CLIENT_S_DN_CN'] and tie it to an account.

If you cannot share in this venue, would be curious on the NIPR side.
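The Apache side that the "always require DoD SSL from Apache" approach depends on, as an added example that is not from any poster or module in this thread. The server name, certificate and bundle paths are placeholders, and the DoD CA bundle is assumed to have been assembled separately from the published DoD root and intermediate certificates. The split between an optional site-wide setting and a required login location is there because several posters need a site that serves both CAC holders and the public:

```apache
<VirtualHost *:443>
    ServerName   drupal.example.mil
    DocumentRoot /var/www/drupal

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # Trust anchors for CLIENT certificates: the DoD root CA plus the
    # intermediate CAs that issue CAC certificates, concatenated PEM.
    # Without this, mod_ssl cannot build the chain and every CAC fails.
    SSLCACertificateFile  /etc/pki/tls/certs/dod-ca-bundle.pem
    SSLVerifyDepth        3

    # Revocation. On httpd 2.2 naming a CRL file turns checking on;
    # on 2.4 you must also set SSLCARevocationCheck, otherwise the file
    # is loaded and silently ignored.
    SSLCARevocationFile   /etc/pki/tls/crl/dod-crl-bundle.pem
    # SSLCARevocationCheck chain      # httpd 2.4 only

    # Export the SSL_CLIENT_* variables that PHP reads from $_SERVER
    # (SSL_CLIENT_S_DN_CN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL,
    # SSL_CLIENT_VERIFY). +ExportCertData additionally exposes the whole
    # PEM certificate as SSL_CLIENT_CERT for application-side parsing.
    SSLOptions +StdEnvVars +ExportCertData

    # Mixed public/CAC site: ask for a certificate everywhere but only
    # insist on one at the login endpoint.
    SSLVerifyClient optional

    <Location /cac-login>
        SSLVerifyClient require
        SSLVerifyDepth  3
    </Location>
</VirtualHost>
```

Two caveats a practitioner would want: a per-Location SSLVerifyClient forces a TLS renegotiation after the request URI is known, which some older clients and proxies handle badly, so a dedicated login hostname with a single server-wide `require` is the more robust layout; and the application must still check `SSL_CLIENT_VERIFY` is exactly `SUCCESS`, because with `optional_no_ca` (or a misconfigured bundle) the subject DN variables are populated even when the chain did not validate.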

Justin, Could we chat about

bhosmer's picture

Justin,

Could we chat about your code and the possibility of sharing it within?

My email is my D.O. Username at radiantblue.com

We have a simple D7 CAC module as well

rickwelch's picture

Hi All,

We have also implemented a very rudimentary CAC authentication module for Drupal 7 used on a DoD site.

Would be happy to share what we have and very interested in working on something more robust.

-Rick

Copy?

Swampcritter's picture

Is it possible to get a copy for at least seeing where to actually start from?

Multi-Factor Authentication module

leoburd's picture

Are people in this thread already familiar with the new Multi-Factor Authentication module?

According to the project description, "This module includes a secure method for multi-factor authentication using VoIP Drupal and phone based pin numbers. This enhancement to basic authentication greatly improves security especially for site admins."

Have a look: http://drupal.org/project/multifactor/

This won't work as the user

Swampcritter's picture

This won't work, as the user has a physical card and the module will need to directly interface with the smart card / CAC reader the user has attached to their PC and is using to browse the Drupal site with.

Is the CAC like an RSA

greggles's picture

Is the CAC like an RSA SecurID token?

The Two Factor Authentication module is meant to be relatively pluggable/extensible to support other backends. It's possible it could be helpful and provide the right framework for a CAC sub-module.

Not quite. A CAC (Common

pwrovchz's picture

Not quite. A CAC (Common Access Card) is a PKCS#11 smart card with an X.509 certificate.

ataxia's picture

I am also looking for a module that would let government users log in with a PIV card. (If one doesn't exist, I'll have to write one.)

Then I found out that in addition to that, they'd really like to allow government users to actually register for the site with their PIV cards as well (we collect several different fields during registration).

This site will have registered users from both the government and civilian organizations, so it would have to allow access with and without the PIV card.

I'll probably be starting this in the next couple of weeks, so if anyone else is already working on a module for this, please let me know and I'll be happy to pitch in.

I can guarantee that once this is developed, there will be a lot of call for it.

Certificate Login Module?

ataxia's picture

Has anyone tried integrating PIV card user registration and login with the existing Certificate Login module?

http://drupal.org/project/certificatelogin

As of today, this only appears to have 40 active users, but it might be worth exploring. (I haven't looked into it yet.)

I used that module for

pwrovchz's picture

I used that module for inspiration for a very heavily modified version. Beyond all the custom code, I essentially have a login form that on submit pulls cert information from the request, queries a database that maps cert information and usernames, loads the user object with the returned username, and then logs the user in with user_external_login(). I've taken all the custom stuff out, the working stuff is essentially:

function MODULE_form_submit($form, &$form_state) {
  // Only trust the mod_ssl variables on an HTTPS request whose client
  // certificate chain actually verified (requires SSLOptions +StdEnvVars).
  if (isset($_SERVER['HTTPS']) && !empty($_SERVER['SSL_CLIENT_VERIFY'])
      && $_SERVER['SSL_CLIENT_VERIFY'] == 'SUCCESS') {
    // Issuer DN plus certificate serial number uniquely identify the cert.
    $issuer = $_SERVER['SSL_CLIENT_I_DN'];
    $serial_number = $_SERVER['SSL_CLIENT_M_SERIAL'];
    // Site-specific lookup against the cert-to-username mapping database.
    $username = MODULE_sso_get_user($issuer, $serial_number);
    // user_load() returns FALSE when nothing matches, so test the value
    // itself; isset() on a FALSE result would still be TRUE.
    $account = $username ? user_load(array('name' => $username)) : FALSE;
    if ($account && user_external_login($account)) {
      drupal_goto($_SERVER['REQUEST_URI']);
    }
    else {
      drupal_set_message(t('A login was attempted but failed.'), 'error');
    }
  }
}

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html has the various SSL variables you can pull from the $_SERVER variable.
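The part of this that is independent of Drupal, the mapping from mod_ssl variables to a local account, written out as an added example in plain PHP so it runs outside Drupal. It is not the Forge.mil code or any contributed module. It assumes Apache exports SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN, SSL_CLIENT_I_DN and SSL_CLIENT_M_SERIAL (SSLOptions +StdEnvVars), and that the subject CN follows the DoD CAC convention LAST.FIRST.MIDDLE.EDIPI, with a 10-digit EDIPI as the last component; the `$map` array, function names and all sample values are constructed for the example:

```php
<?php
// Added example, not code from this thread's posters or from any Drupal
// module. Assumes mod_ssl variables in $_SERVER and DoD-style CNs.

/**
 * Returns the verified identity carried by the client certificate, or NULL.
 *
 * SSL_CLIENT_VERIFY is checked first: with "SSLVerifyClient optional_no_ca"
 * (or a broken CA bundle) the SSL_CLIENT_* variables are populated even when
 * the chain did not validate, so a present CN proves nothing on its own.
 */
function cac_identity_from_env(array $server) {
  if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
    return NULL;
  }
  if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
    return NULL;
  }
  foreach (array('SSL_CLIENT_S_DN_CN', 'SSL_CLIENT_I_DN', 'SSL_CLIENT_M_SERIAL') as $key) {
    if (empty($server[$key])) {
      return NULL;
    }
  }
  // Assumed CN layout: LAST.FIRST.MIDDLE.EDIPI (middle name may be absent).
  $parts = explode('.', $server['SSL_CLIENT_S_DN_CN']);
  $edipi = array_pop($parts);
  if (count($parts) < 2 || !preg_match('/^\d{10}$/', $edipi)) {
    return NULL;
  }
  return array(
    'edipi'  => $edipi,
    'name'   => implode('.', $parts),
    'issuer' => $server['SSL_CLIENT_I_DN'],
    'serial' => strtoupper($server['SSL_CLIENT_M_SERIAL']),
  );
}

/**
 * Maps a verified identity to a local username.
 *
 * $map stands in for the cert-to-username table (Postgres in the Forge.mil
 * case, LDAP elsewhere). It is keyed by EDIPI rather than issuer+serial on
 * purpose: issuer+serial changes every time a card is reissued, the EDIPI
 * does not, so an EDIPI-keyed table survives card renewal.
 */
function cac_map_username(array $identity, array $map) {
  return isset($map[$identity['edipi']]) ? $map[$identity['edipi']] : NULL;
}

// Constructed sample data: no real certificates, people or CAs.
$map = array('1234567890' => 'jdoe');

$good = array(
  'HTTPS'               => 'on',
  'SSL_CLIENT_VERIFY'   => 'SUCCESS',
  'SSL_CLIENT_S_DN_CN'  => 'DOE.JOHN.Q.1234567890',
  'SSL_CLIENT_I_DN'     => '/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EXAMPLE CA',
  'SSL_CLIENT_M_SERIAL' => '0a1b2c',
);
$unverified = $good;
$unverified['SSL_CLIENT_VERIFY'] = 'FAILED:unable to get local issuer certificate';
$not_a_person = $good;
$not_a_person['SSL_CLIENT_S_DN_CN'] = 'webserver.example.mil';

$id = cac_identity_from_env($good);
printf("verified CAC maps to: %s\n", cac_map_username($id, $map));
printf("unverified chain rejected: %s\n", cac_identity_from_env($unverified) === NULL ? 'yes' : 'no');
printf("non-person CN rejected: %s\n", cac_identity_from_env($not_a_person) === NULL ? 'yes' : 'no');
```

Inside a Drupal 7 module the returned username would feed `user_load_by_name()` and then `user_login_submit()` with `$form_state['uid']` set; in Drupal 6 it is `user_load(array('name' => ...))` and `user_external_login()`, as in the snippet above. Either way the lookup function should return a user only when it found exactly one, and the failure branch should log the issuer and serial so revoked or mis-mapped cards can be traced.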

What does your database side

bandrzej's picture

What does your database side look like?

Yes, this is needed && sandbox offer

ssenator's picture

There are more than two projects currently active at the Air Force Academy that could use this functionality. Additionally, since our environment is a curious blend of an academic network, where the stated policy goal is to share information without prior need to know, and a military installation, it can offer some sandboxes that may be useful to try various scenarios where we can experiment with a few different use cases. Examples might include limited communities (CAC-holders only), limited communities of mixed type (US citizens only, but not all CAC-holders), multi-authentication mechanisms (CAC, Gemalto/Two Factor, RSA SecurID) and a fallback to other out-of-band mechanisms (phone/PIN, S/KEY, etc.).
-Steve Senator

Group: Drupal4Gov