... | ... | @@ -8,12 +8,12 @@ |
## Project locations ##
* This wiki
* Issues, planning and roadmap on [[https://forge.switch.ch/projects/idpv3-mfa|SWITCH Forge]]
* Source code on [[https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa|SWITCH's GitLab]]<code bash>git clone https://gitlab.switch.ch/etienne.dysli-metref/idpv3-mfa.git</code>
* Issues, planning and roadmap on [SWITCH Forge](https://forge.switch.ch/projects/idpv3-mfa)
* Source code on [SWITCH's GitLab](https://gitlab.switch.ch/edu-id/idpv3-mfa)<code bash>git clone https://gitlab.switch.ch/edu-id/idpv3-mfa.git</code>
## Test accounts with OTP ##
Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
Test accounts for use on [mfa-dev](https://mfa-dev.ed.switch.ch/index.html)
^ Username ^ Password ^ TOTP seed (base32) ^
| ''student1'' | ''password1'' | ''QJWAYZKBYCEGOTMLVLHRWK2XR5GER4YO'' |
| ''student2'' | ''password2'' | ''HDRCSSKZFXBBEMVT5DY74JIB425NAEZJ'' |
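Review bot: the test-account table (student1, student2) carries plaintext passwords and base32 TOTP seeds into the converted page unchanged, so anyone who can read this wiki can generate valid second factors for those accounts on mfa-dev; confirm these are throwaway dev-only accounts that exist nowhere but mfa-dev, or move the seeds out of the wiki. Separately, the markup conversion in this hunk is partial: the `[[url|text]]` links become Markdown, but the `<code bash>` block, the `''…''` monospace spans and the `^ Username ^ … ^` table header stay in DokuWiki syntax, so whichever renderer is used will show one half of the page literally; pick one markup and convert the whole hunk. The GitLab move from the personal namespace to `edu-id` is applied consistently to both the link and the `git clone` URL.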
... | ... | @@ -36,8 +36,8 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] |
### Considerations about Shibboleth and the SAML environment ###
* Connection between a login flow and [[ http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf | SAML Authentication Context Classes ]]. What class to use for a new flow?
* Is it possible to combine login flows (sequence, alternative, choice, ...)? if so, how? Answer from devs: [[https://shibboleth.net/pipermail/dev/2015-July/006954.html|no]].
* Connection between a login flow and [SAML Authentication Context Classes](http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf). What class to use for a new flow?
* Is it possible to combine login flows (sequence, alternative, choice, ...)? if so, how? Answer from devs: [no](https://shibboleth.net/pipermail/dev/2015-July/006954.html).
* Flow support for forced authentication and passive authentication.
* Where does the verification of the second factor happen? Inside or outside the IdP process? Are existing extension points sufficient?
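Review bot: the second bullet keeps a lowercase "if so, how?" after a question mark in both the old and the new version; since the line is being rewritten for the link conversion anyway, capitalise it to "If so, how?". The stray spaces inside the old `[[ http://… | SAML Authentication Context Classes ]]` link are correctly dropped in the Markdown form. The "Answer from devs: no" link points at a July 2015 dev-list thread (visible in the URL), so consider dating the answer inline, e.g. "Answer from devs (July 2015): no", so later readers know which IdP release that answer applies to.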
... | ... | @@ -142,9 +142,9 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
### Questions ###
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [NativeSPApacheConfig](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig), any [content setting](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings) can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Same question as above with "force authentication".\\ **Yes** with ''ShibRequestSetting forceAuthn true'', see above.
* Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
* Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [ApplicationOverride](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride) could specify a [Sessions](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions) element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
### more meetings ###
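Review bot: the converted answers still use the DokuWiki `\\` forced line break before each bold **Yes** and `''…''` for `ShibRequestSetting`, `authnContextClassRef`, `forceAuthn`, `lifetime`, `timeout` and `maxTimeSinceAuthn`; Markdown renders both literally, so replace `\\` with a blank line or a trailing double space and the `''…''` spans with backticks in the same pass as the links. In the session-timeout answer, "For example, An ApplicationOverride" has a capital "An" mid-sentence; lower-case it while the line is being touched. Since the forceAuthn question is answered with "see above" and the two answers now live in consecutive bullets, the cross-reference works only if the bullet order is preserved during conversion.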