Convert internal links and upload media (authored by Etienne Dysli Metref)
====== Multi-factor authentication with IdPv3 ====== ====== Multi-factor authentication with IdPv3 ======
* Meeting notes below * Meeting notes below
* [[specifications|Specifications]] * [Specifications](specifications)
* [[questions|Questions & Answers]] * [Questions & Answers](questions)
* [[techwatch|Technology Watch]] * [Technology Watch](techwatch)
===== Project locations ===== ===== Project locations =====
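Review bot: the headings in this hunk are still in DokuWiki `======` / `=====` syntax on the new side, so once the page is served as Markdown they will render as literal text rather than as headings. The link conversions (`[[specifications|Specifications]]` to `[Specifications](specifications)` and the two siblings) are correct; consider converting `====== Multi-factor authentication with IdPv3 ======` to `# Multi-factor authentication with IdPv3` (and `=====` / `====` to `##` / `###`) in the same pass, or state in the commit message that headings are deliberately left for a follow-up so the half-converted state is not mistaken for the final one.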
...@@ -20,7 +20,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] ...@@ -20,7 +20,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
===== Output of the first brainstorming session ===== ===== Output of the first brainstorming session =====
==== The landscape ==== ==== The landscape ====
{{ :brainstorm1.jpg?400 | MFA landscape }} ![MFA landscape](uploads/5c5a250a6e5fc726e4488c7280779d93/brainstorm1.jpg)
==== Questions for those looking to deploy MFA ==== ==== Questions for those looking to deploy MFA ====
* What do you want to gain with MFA? * What do you want to gain with MFA?
* What hardware can you rely on? (mobile/smart phones) * What hardware can you rely on? (mobile/smart phones)
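Review bot: the width hint `?400` on `{{ :brainstorm1.jpg?400 | MFA landscape }}` is lost in the conversion to `![MFA landscape](uploads/5c5a250a6e5fc726e4488c7280779d93/brainstorm1.jpg)`, since Markdown image syntax carries no size parameter, so the brainstorm photo will now render at its native size. If the 400px width matters for layout, use an inline `<img ... width="400">` tag where the wiki renderer permits inline HTML; otherwise mention the dropped width in the commit message so it is a known change rather than an accident.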
...@@ -48,9 +48,9 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] ...@@ -48,9 +48,9 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
* Target population: all edu-ID users * Target population: all edu-ID users
* Target environment: IdPv3 * Target environment: IdPv3
[[questions|Questions from UniGE to Swiss edu-ID]] [Questions from UniGE to Swiss edu-ID](questions)
===== Output of the second brainstorming session ===== ===== Output of the second brainstorming session =====
{{ :brainstorm2.jpg?400 | MFA scenarios}} ![MFA scenarios](uploads/62357a415625c21c16a49d33dae92cf2/brainstorm2.jpg)
===== Notes of the working session of 28.10.15 ===== ===== Notes of the working session of 28.10.15 =====
==== Notes ==== ==== Notes ====
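Review bot: same point as for the first photo: `{{ :brainstorm2.jpg?400 | MFA scenarios}}` becomes `![MFA scenarios](uploads/62357a415625c21c16a49d33dae92cf2/brainstorm2.jpg)` and the `?400` width is silently dropped; apply whichever fix is chosen for `brainstorm1.jpg` here as well so both images are handled consistently. The `[[questions|...]]` link conversion in this hunk is fine.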
...@@ -67,7 +67,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]] ...@@ -67,7 +67,7 @@ Test accounts for use on [[https://mfa-dev.ed.switch.ch/index.html|mfa-dev]]
* The main target is Google Auth. Additionnal means can be managed via a radius backend * The main target is Google Auth. Additionnal means can be managed via a radius backend
* Main steps and schedule: * Main steps and schedule:
* Writing specifications - SWITCH:EDM - and bid for collegiate validation - 12.2015 * Writing specifications - SWITCH:EDM - and bid for collegiate validation - 12.2015
* [[techwatch|Technology watch]]: verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016 * [Technology watch](techwatch): verify the availability of new login flows that could be used for our own needs - SWITCH & UNIGE - Q4 2015 & Q1 2016
* Login flow development for Google Auth - SWITCH:EDM - S1 2016 * Login flow development for Google Auth - SWITCH:EDM - S1 2016
* integration / implementation of the backend radius and study of the possibility of using other techniques (SMS, Yubikey) - UNIGE:AHU,DPE,CBR - S1 2016 * integration / implementation of the backend radius and study of the possibility of using other techniques (SMS, Yubikey) - UNIGE:AHU,DPE,CBR - S1 2016
* Definition of organizational procedures (provisioning, exceptions handling, (self-)enrolment, communication, helpdesk, incident management, etc.) - UNIGE:PLH - S1 2016 * Definition of organizational procedures (provisioning, exceptions handling, (self-)enrolment, communication, helpdesk, incident management, etc.) - UNIGE:PLH - S1 2016
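Review bot: the unchanged context line `* The main target is Google Auth. Additionnal means can be managed via a radius backend` carries the typo `Additionnal` (and `radius` is the protocol name, so `RADIUS`); since this hunk is already being touched it could be fixed here. More substantively for the plan recorded in these lines, the RADIUS backend is listed as the path for the additional factors (SMS, Yubikey) but nothing in the schedule says how the IdP-to-RADIUS hop is to be protected, even though the second-factor value will travel over it; the specification item due 12.2015 would be the natural place to capture that requirement.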
...@@ -114,11 +114,12 @@ Voici cependant quelques compléments qui ont été discutés en séance: ...@@ -114,11 +114,12 @@ Voici cependant quelques compléments qui ont été discutés en séance:
* Voici une idée de ce que pourrait donner l'IdP MFA:{{ :mfa_login_form_mockup.png? |}} * Voici une idée de ce que pourrait donner l'IdP MFA:{{ :mfa_login_form_mockup.png? |}}
===== Notes of the working session of 6.4.2016 ===== ===== Notes of the working session of 6.4.2016 =====
{{:mockup-mfa-idp.pdf|Mock login screens}} [Mock login screens](uploads/e8b0e7197993cc178a32db07838d664e/mockup-mfa-idp.pdf)
==== Questions ==== ==== Questions ====
* Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method. * Is it possible to specify the desired authentication method (SAML authnContextClassRef) on specific URLs in the Apache configuration?\\ **Yes**, according to [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig|NativeSPApacheConfig]], any [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPContentSettings|content setting]] can be given with the ''ShibRequestSetting'' directive, in particular ''authnContextClassRef'', ''authnContextComparison'' and ''forceAuthn''. Additionally, it is possible to request more than one authentication method.
* Same question as above with "force authentication".\\ **Yes** with ''ShibRequestSetting forceAuthn true'', see above. * Same question as above with "force authentication".\\ **Yes** with ''ShibRequestSetting forceAuthn true'', see above.
* Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''. * Is there a session timeout per authentication method on the SP?\\ **Yes**, but not directly. Session timeouts can be changed per application (in the SP sense). For example, An [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride|ApplicationOverride]] could specify a [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions|Sessions]] element with MFA-specific timeouts (available settings are ''lifetime'', ''timeout'' and ''maxTimeSinceAuthn''), then this application can be referenced in the Apache configuration with ''ShibRequestSetting applicationId foo''.
==== more meetings ==== ==== more meetings ====
are [[meetings|here]] are [here](meetings)
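Review bot: the media embed on `* Voici une idée de ce que pourrait donner l'IdP MFA:{{ :mfa_login_form_mockup.png? |}}` is left in DokuWiki syntax while `{{:mockup-mfa-idp.pdf|Mock login screens}}` two lines later is converted to an `uploads/...` link, so the login-form mockup image will be broken once the page renders as Markdown; convert it to an `![...](uploads/<hash>/mfa_login_form_mockup.png)` reference as well (possibly the empty `?` width parameter is what made the converter skip it). In the same hunk the external `[[https://wiki.shibboleth.net/...|...]]` links, the `''ShibRequestSetting''` / `''forceAuthn''` inline-code spans and the `\\` line breaks in the three Q&A bullets are also still DokuWiki markup; if external links and inline code are intentionally out of scope for this commit, say so in the commit message, since these are the lines an operator will actually copy from when configuring the SP.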