|
|
|
====== Multi-factor authentication with IdPv3 ======
|
|
|
|
* Meeting notes below
|
|
|
|
* [[specifications|Specifications]]
|
|
|
|
* [[questions|Questions & Answers]]
|
|
|
|
* [[techwatch|Technology Watch]]
|
|
|
|
* [Specifications](specifications)
|
|
|
|
* [Questions & Answers](questions)
|
|
|
|
* [Technology Watch](techwatch)
|
|
|
|
|
|
|
|
===== Project locations =====
|
|
|
|
|
| ... | ... | @@ -20,7 +20,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] |
|
|
|
|
|
|
|
===== Output of the first brainstorming session =====
|
|
|
|
==== The landscape ====
|
|
|
|
{{ :brainstorm1.jpg?400 | MFA landscape }}
|
|
|
|
|
|
|
|
==== Questions for those looking to deploy MFA ====
|
|
|
|
* What do you want to gain with MFA?
|
|
|
|
* What hardware can you rely on? (mobile/smart phones)
|
| ... | ... | @@ -48,9 +48,9 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] |
|
|
|
* Target population: all edu-ID users
|
|
|
|
* Target environment: IdPv3
|
|
|
|
|
|
|
|
[[questions|Questions from UniGE to Swiss edu-ID]]
|
|
|
|
[Questions from UniGE to Swiss edu-ID](questions)
|
|
|
|
===== Output of the second brainstorming session =====
|
|
|
|
{{ :brainstorm2.jpg?400 | MFA scenarios}}
|
|
|
|
|
|
|
|
|
|
|
|
===== Notes of the working session of 28.10.15 =====
|
|
|
|
==== Notes ====
|
| ... | ... | @@ -67,7 +67,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] |
|
|
|
* The main target is Google Auth. Additionnal means can be managed via a radius backend
|
|
|
|
* Main steps and schedule:
|
|
|
|
* Writing specifications - SWITCH:EDM - and bid for collegiate validation - 12.2015
|
|
|
|
* [[techwatch|Technology watch]]: verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016
|
|
|
|
* [Technology watch](techwatch): verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016
|
|
|
|
* Login flow development for Google Auth - SWITCH:EDM - S1 2016
|
|
|
|
* integration / implementation of the backend radius and study of the possibility of using other techniques (SMS, Yubikey) - UNIGE:AHU,DPE,CBR - S1 2016
|
|
|
|
* Definition of organizational procedures (provisioning, exceptions handling, (self-)enrolment, communication, helpdesk, incident management, etc.) - UNIGE:PLH - S1 2016
|
| ... | ... | @@ -114,11 +114,12 @@ Voici cependant quelques compléments qui ont été discutés en séance: |
|
|
|
* Voici une idée de ce que pourrait donner l'IdP MFA:{{ :mfa_login_form_mockup.png? |}}
|
|
|
|
|
|
|
|
===== Notes of the working session of 6.4.2016 =====
|
|
|
|
{{:mockup-mfa-idp.pdf|Mock login screens}}
|
|
|
|
[Mock login screens](uploads/e8b0e7197993cc178a32db07838d664e/mockup-mfa-idp.pdf)
|
|
|
|
|
|
|
|
==== Questions ====
|
|
|
|
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
|
|
|
|
* Same question as above with "force authentication".\\ **Yes** with ''ShibRequestSetting forceAuthn true'', see above.
|
|
|
|
* Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
|
|
|
|
|
|
|
|
==== more meetings ====
|
|
|
|
are [[meetings|here]] |
|
|
|
are [here](meetings) |
