idpv3-mfa issues
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues
Updated: 2020-01-14T10:51:20+01:00

-RM-3643-MR-Google Authenticator support
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/11
Updated: 2020-01-14T10:51:20+01:00
Author: Etienne Dysli Metref

As a university staff with a smart phone,
I want to use the Google Authenticator mobile application when
authenticating on the IdP,
so that I can access SPs requiring 2FA.
*(from redmine: issue id 3643, created on 2016-04-13)*

-RM-3644-MR-SMS OTP support
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/12
Updated: 2020-01-14T10:51:20+01:00
Author: Etienne Dysli Metref

As a university staff with only a mobile phone (no smart phone),
I want to receive an OTP via SMS when authenticating on the IdP,
so that I can access SPs requiring 2FA.
*(from redmine: issue id 3644, created on 2016-04-13)*

-RM-3645-MR-Choose second factor on IdP
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/13
Updated: 2020-01-14T10:51:21+01:00
Author: Etienne Dysli Metref

As a user authenticating on the IdP,
I want to be able to choose the second authentication factor,
so that I can use the most convenient method for me.
*(from redmine: issue id 3645, created on 2016-04-13)*

-RM-3646-MR-Backup access
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/14
Updated: 2020-01-14T10:51:21+01:00
Author: Etienne Dysli Metref

As a regular 2FA user temporarily unable to use my second factor,
I want to be granted a fallback access for a limited period of time,
so that I can access SPs requiring 2FA.
→ process independent of Shibboleth (helpdesk-provided OTP)
*(from redmine: issue id 3646, created on 2016-04-13)*

-RM-3647-MR-Won't use personal device
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/15
Updated: 2020-01-14T10:51:22+01:00
Author: Etienne Dysli Metref

As a reluctant university staff,
I want the University to give me the means to access protected
resources,
so that I can access SPs requiring 2FA without using my own personal
device.
→ process independent of Shibboleth (physical token?)
*(from redmine: issue id 3647, created on 2016-04-13)*

-RM-3648-MR-Password recovery
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/16
Updated: 2020-01-14T10:51:22+01:00
Author: Etienne Dysli Metref

As a university student,
I want to be able to reset my password using a 2FA-protected online
self-service,
so that my password cannot be changed by others.
→ process independent of Shibboleth
*(from redmine: issue id 3648, created on 2016-04-13)*

-RM-3649-MR-MFA for whole SP
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/17
Updated: 2020-01-14T10:51:23+01:00
Author: Etienne Dysli Metref

As an SP-protected web application operator,
I want to force users to authenticate with two factors,
so that their account and the personal information it contains are
better protected.
*(from redmine: issue id 3649, created on 2016-04-13)*

-RM-3650-MR-MFA only to validate sensitive actions
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/18
Updated: 2020-01-14T10:51:23+01:00
Author: Etienne Dysli Metref

As an SP-protected web application operator,
I want to be able to use 2FA only to validate sensitive user actions,
so that sensitive actions are strongly protected and users are not
required to use 2FA all the time.
→ handled by the application which must request stronger authentication
from Shibboleth when it needs it
*(from redmine: issue id 3650, created on 2016-04-13)*

-RM-3651-MR-IdP configuration for MFA
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/19
Updated: 2020-01-14T10:51:24+01:00
Author: Etienne Dysli Metref

As an IdP operator,
I want to provide a 2FA login flow,
so that SPs can get stronger authentication.
*(from redmine: issue id 3651, created on 2016-04-13)*

-RM-3652-MR-MFA over RADIUS
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/20
Updated: 2020-01-14T10:51:24+01:00
Author: Etienne Dysli Metref

As a VPN gateway operator,
I want to authenticate 2FA users over RADIUS,
so that both users with or without 2FA are authenticated over the same
protocol.
→ RADIUS authentication is independent of Shibboleth
*(from redmine: issue id 3652, created on 2016-04-13)*

-RM-3653-MR-Verify user identity on enrollment
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/21
Updated: 2020-01-14T10:51:24+01:00
Author: Etienne Dysli Metref

As a university account administrator,
I want to verify users' identities before they can use 2FA,
so that I can provide a stronger verification level to applications
using 2FA.
→ process independent of Shibboleth
*(from redmine: issue id 3653, created on 2016-04-13)*

-RM-3663-MR-Add Robot Framework & Selenium to the build pipeline
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/30
Updated: 2020-01-14T10:51:34+01:00
Author: Etienne Dysli Metref

Either in Maven verify phase or separately
*(from redmine: issue id 3663, created on 2016-04-20)*
* Relations:
  * blocks #3680
  * parent #3685

Assignee: Etienne Dysli Metref

-RM-3664-MR-Automatic deployment on demo IdP
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/31
Updated: 2020-01-14T10:51:35+01:00
Author: Etienne Dysli Metref

Build pipeline step to deploy the newly-built IdP on the demo machine.
*(from redmine: issue id 3664, created on 2016-04-20)*

Milestone: next
Assignee: Etienne Dysli Metref

-RM-3680-MR-acceptance test for first flow
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/39
Updated: 2020-01-14T10:51:43+01:00
Author: Etienne Dysli Metref

With a web browser:
1. Send SAML AuthNRequest asking for the new authN context class to the IdP
2. IdP should display the form
3. Submit form
4. IdP should produce a SAML AuthN assertion with the new authN context class

Requires web testing framework
*(from redmine: issue id 3680, created on 2016-05-04)*
* Relations:
  * relates #3674
  * blocks #3663
  * parent #3685

Assignee: Etienne Dysli Metref

-RM-3685-MR-Automated web tests for new login flows
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/44
Updated: 2020-01-14T10:51:48+01:00
Author: Etienne Dysli Metref

Automated web browser-based tests
*(from redmine: issue id 3685, created on 2016-05-04)*
* Relations:
  * child #3663
  * child #3680

Milestone: next
Assignee: Etienne Dysli Metref

-RM-3711-MR-Force re-authentication
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/60
Updated: 2020-01-14T10:52:09+01:00
Author: Etienne Dysli Metref

Support forcing re-authentication in the MFA/OTP flow.
*(from redmine: issue id 3711, created on 2016-06-29)*

-RM-3734-MR-Refactor TinyRadius
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/69
Updated: 2020-01-14T10:52:15+01:00
Author: Etienne Dysli Metref

The code is old (Java 1.4 or earlier) and could benefit from modern Java
features like type safety (generics) and enums. Moreover, it has no
tests.
*(from redmine: issue id 3734, created on 2016-08-23)*

Milestone: next
Assignee: Etienne Dysli Metref

-RM-3748-MR-Rewrite RadiusClient to handle multiple requests
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/77
Updated: 2020-01-14T10:52:21+01:00
Author: Etienne Dysli Metref

Rewrite RadiusClient to be able to handle multiple requests at the same
time. Currently, it uses only one socket (source port) to send and
receive requests and access to the socket is synchronised (serial).
*(from redmine: issue id 3748, created on 2016-09-19)*

Milestone: next
Assignee: Etienne Dysli Metref

-RM-3769-MR-Modify RadiusClient to handle multiple redundant RADIUS servers
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/83
Updated: 2020-01-14T10:52:25+01:00
Author: Etienne Dysli Metref

need to define fail-over behaviour
*(from redmine: issue id 3769, created on 2016-10-19)*

Milestone: next
Assignee: Etienne Dysli Metref

-RM-3770-MR-Resolve username attribute after password step
https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa/-/issues/84
Updated: 2020-01-14T10:52:25+01:00
Author: Etienne Dysli Metref

in order to always use the same kind of user identifier for the OTP step
*(from redmine: issue id 3770, created on 2016-10-19)*

Milestone: next
Assignee: Etienne Dysli Metref