Changes

Page history
Convert internal links and upload media authored by Etienne Dysli Metref's avatar Etienne Dysli Metref
Show whitespace changes
Inline Side-by-side
toolbox_archive.md
View page @ ef604e79
====== Multi-factor authentication with IdPv3 ======
* Meeting notes below
* [[specifications|Specifications]]
* [[questions|Questions & Answers]]
* [[techwatch|Technology Watch]]
* [Specifications](specifications)
* [Questions & Answers](questions)
* [Technology Watch](techwatch)
===== Project locations =====
......@@ -20,7 +20,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
===== Output of the first brainstorming session =====
==== The landscape ====
{{ :brainstorm1.jpg?400 | MFA landscape }}
![MFA landscape](uploads/5c5a250a6e5fc726e4488c7280779d93/brainstorm1.jpg)
==== Questions for those looking to deploy MFA ====
* What do you want to gain with MFA?
* What hardware can you rely on? (mobile/smart phones)
......@@ -48,9 +48,9 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
* Target population: all edu-ID users
* Target environment: IdPv3
[[questions|Questions from UniGE to Swiss edu-ID]]
[Questions from UniGE to Swiss edu-ID](questions)
===== Output of the second brainstorming session =====
{{ :brainstorm2.jpg?400 | MFA scenarios}}
![MFA scenarios](uploads/62357a415625c21c16a49d33dae92cf2/brainstorm2.jpg)
===== Notes of the working session of 28.10.15 =====
==== Notes ====
......@@ -67,7 +67,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
* The main target is Google Auth. Additionnal means can be managed via a radius backend
* Main steps and schedule:
* Writing specifications - SWITCH:EDM - and bid for collegiate validation - 12.2015
* [[techwatch|Technology watch]]: verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016
* [Technology watch](techwatch): verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016
* Login flow development for Google Auth - SWITCH:EDM - S1 2016
* integration / implementation of the backend radius and study of the possibility of using other techniques (SMS, Yubikey) - UNIGE:AHU,DPE,CBR - S1 2016
* Definition of organizational procedures (provisioning, exceptions handling, (self-)enrolment, communication, helpdesk, incident management, etc.) - UNIGE:PLH - S1 2016
......@@ -114,11 +114,12 @@ Voici cependant quelques compléments qui ont été discutés en séance:
* Voici une idée de ce que pourrait donner l'IdP MFA:{{ :mfa_login_form_mockup.png? |}}
===== Notes of the working session of 6.4.2016 =====
{{:mockup-mfa-idp.pdf|Mock login screens}}
[Mock login screens](uploads/e8b0e7197993cc178a32db07838d664e/mockup-mfa-idp.pdf)
==== Questions ====
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Same question as above with "force authentication".\\ **Yes** with ''ShibRequestSetting forceAuthn true'', see above.
* Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
==== more meetings ====
are [[meetings|here]]
are [here](meetings)