... | @@ -15,8 +15,8 @@ |
... | @@ -15,8 +15,8 @@ |
Test accounts for use on [mfa-dev](https://mfa-dev.ed.switch.ch/index.html)
Test accounts for use on [mfa-dev](https://mfa-dev.ed.switch.ch/index.html)
^ Username ^ Password ^ TOTP seed (base32) ^
^ Username ^ Password ^ TOTP seed (base32) ^
| ''student1'' | ''password1'' | ''QJWAYZKBYCEGOTMLVLHRWK2XR5GER4YO'' |
| `student1` | `password1` | `QJWAYZKBYCEGOTMLVLHRWK2XR5GER4YO` |
| ''student2'' | ''password2'' | ''HDRCSSKZFXBBEMVT5DY74JIB425NAEZJ'' |
| `student2` | `password2` | `HDRCSSKZFXBBEMVT5DY74JIB425NAEZJ` |
---
---
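Review bot: the table header in this hunk still uses the DokuWiki form `^ Username ^ Password ^ TOTP seed (base32) ^` while the cells are being converted to markdown backticks, so the table will not render once the page is treated as markdown; suggest `| Username | Password | TOTP seed (base32) |` followed by a `|---|---|---|` separator row. Separately, the rows commit usernames, passwords and base32 TOTP seeds for mfa-dev in clear text; even for a dev instance, anyone with read access to this repository can now generate valid one-time codes for `student1` and `student2`, so these should be treated strictly as throwaway test accounts and rotated if the IdP ever holds anything beyond test data.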
... | @@ -134,7 +134,9 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
... | @@ -134,7 +134,9 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
* L'appli RH cible est exposée comme une frame via le portail portail.unige.ch qui est accessible via le mot de passe standard ISIs
* L'appli RH cible est exposée comme une frame via le portail portail.unige.ch qui est accessible via le mot de passe standard ISIs
* Or l'IdP n'est pas fait pour le portail et les frames, notamment problèmes de taille et de lisibilité. Il faudrait une application/SP par écran?
* Or l'IdP n'est pas fait pour le portail et les frames, notamment problèmes de taille et de lisibilité. Il faudrait une application/SP par écran?
* A discuter avec l'équipe portail
* A discuter avec l'équipe portail
* Voici une idée de ce que pourrait donner l'IdP MFA: ![mfa_login_form_mockup](uploads/bba6c4537bfdf4c6d0f4826b0bf64f51/mfa_login_form_mockup.png)
* Voici une idée de ce que pourrait donner l'IdP MFA:
![mfa_login_form_mockup](uploads/bba6c4537bfdf4c6d0f4826b0bf64f51/mfa_login_form_mockup.png)
## Notes of the working session of 6.4.2016 ##
## Notes of the working session of 6.4.2016 ##
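Review bot: the point "l'IdP n'est pas fait pour le portail et les frames" is recorded only as a size and readability problem; the item "A discuter avec l'équipe portail" should also capture that an IdP login form rendered inside a frame of portail.unige.ch is a security concern, not just a layout one: the user cannot see which origin is asking for the password and second factor, and an IdP that sends X-Frame-Options or a CSP frame-ancestors header (the usual default for login pages) will refuse to load in the frame at all. Suggest adding a sub-bullet such as "vérifier si l'IdP autorise l'affichage en frame, sinon redirection plein écran" so the portal team discussion starts from the right constraint. Minor: the bullet "A discuter avec l'équipe portail" sits at the same level as the observation it answers, so indenting it under the previous item would make the structure clearer.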
... | @@ -144,15 +146,15 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
... | @@ -144,15 +146,15 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?
**Yes**, according to [NativeSPApacheConfig](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig), any [content setting](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
**Yes**, according to [NativeSPApacheConfig](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig), any [content setting](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) can be given with the `ShibRequestSetting` directive, in particular `authnContextClassRef`, `authnContextComparison` and `forceAuthn`. Additionally, it is possible to request more than one authentication method.
* Same question as above with "force authentication".
* Same question as above with "force authentication".
**Yes** with ''ShibRequestSetting forceAuthn true'', see above.
**Yes** with `ShibRequestSetting forceAuthn true`, see above.
* Is there a session timeout per authentication method on the SP?
* Is there a session timeout per authentication method on the SP?
**Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [ApplicationOverride](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride) could specify a [Sessions](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions) element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
**Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [ApplicationOverride](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride) could specify a [Sessions](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions) element with MFA-specific timeouts (available settings are `lifetime`, `timeout` and `maxTimeSinceAuthn`), then this application can be referenced in the Apache configuration with `ShibRequestSetting applicationId foo`.
### more meetings ###
### more meetings ###
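Review bot: the answer to the first question (the `ShibRequestSetting authnContextClassRef` / `authnContextComparison` / `forceAuthn` paragraph) describes what the SP can request from the IdP but not what the SP enforces on the way back; the note should state whether the SP rejects an assertion whose authentication context is weaker than the one requested, or whether the protected application (or an SP access-control rule) has to check the returned context itself. Without that, a reader could conclude that setting `authnContextClassRef` on a URL is sufficient for MFA, when the strong guarantee comes from checking the context actually asserted. The same applies to `forceAuthn true`: it asks the IdP to re-authenticate, and the session-timeout answer (`lifetime`, `timeout`, `maxTimeSinceAuthn` via an ApplicationOverride) is the SP-side control that should be mentioned alongside it. Minor: "For example, An [ApplicationOverride]" has a stray capital A, and `applicationId foo` would read better with a name tied to the MFA override, e.g. `applicationId mfa`.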