====== Questions & Answers ======

This page gathers questions and answers concerning this project, mainly intended to convey questions from UniGE to Swiss edu-ID.
===== Open Questions =====
==== Open Questions from SWITCH (08.03.2016) ====
We have identified the following questions, open issues and points to decide:

- All second factor validations are done in the RADIUS backend?
- Do you have a redundant RADIUS backend?
- Imagine how the user would walk through the application and the different authentication methods or security levels, and how that could be mapped to the Shibboleth SP configuration and the session management. We propose that the portal developers and Etienne sit together to sort this out.
===== Answered Questions =====
==== Answers from SWITCH ====
One question was:

Q: There is a feature in the IdP to inform the user (at the interface level) about password expiry or the number of remaining attempts. This must not interfere with 2FA.

A: Not by default. Only if the IdP doesn't use JAAS but direct LDAP, and only if the LDAP server supports it.

Q: Architecture: as a result, it is not yet clear whether a second IdP, completely separate from the password IdP, has to be set up for MFA, or whether it is a matter of applying different configurations within a single IdP.

A: It is a matter of applying different configurations within a single IdP.

Q: End users: add a scenario of the "fallback access" type. //As a university staff member (and VIP), I want to be able to immediately access an SP requiring 2FA, even if I forgot my mobile phone. This means that I am granted fallback access for a limited period of time, but only after proving my identity in one way or another.//

A: This is a question to the process designers, not to SWITCH.

Q: End users: add a "reluctant user" scenario. //As a university staff member, I do not want to use my personal mobile phone to access the university's IT resources. I think that the University should give me the means to do this, and furthermore I do not have a mobile phone.// We do not necessarily know how to handle this case today.

A: Time-based OATH (Google Authenticator) requires a smartphone, or the University could provide the users with physical tokens. With the additional overhead and lowered security, an event-based OATH could also be supported (OTP list).
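The answer above contrasts time-based OATH (TOTP, RFC 6238) with event-based OATH (HOTP, RFC 4226, the "OTP list"). The following is an added example, not code from this page, from SWITCH or from the Swiss edu-ID project; it implements both algorithms from the standard library, uses the RFCs' published test secret (an assumption for the example only, a real deployment issues a random per-user secret), and shows on the verifier side why a printed OTP list is the weaker option: each entry stays valid until it is consumed, so the server must advance its counter past every accepted code and bound the look-ahead window (the window sizes are assumed values), whereas a TOTP code expires on its own after one time step.

```python
# Added example (not from the page): event-based (HOTP, RFC 4226) versus
# time-based (TOTP, RFC 6238) OATH codes, and how a verifier must treat each one.
import hashlib
import hmac
import struct

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Used here only so the worked values can be checked against the RFCs; a real
# IdP or RADIUS backend stores a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the clock divided into `step`-second slots,
    so a code is only usable for one slot (plus whatever skew the verifier allows)."""
    return hotp(secret, unix_time // step, digits)


def otp_list(secret: bytes, first_counter: int, count: int) -> list:
    """The printed 'OTP list' from the answer: consecutive HOTP values for one user.
    Nothing in the code itself expires; only consumption on the server retires it."""
    return [hotp(secret, c) for c in range(first_counter, first_counter + count)]


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 5):
    """Verify an event-based code. Returns the new server counter on success (one past
    the matched value, so a consumed list entry can never be replayed) or None.
    `look_ahead` is an assumed window that tolerates a few skipped or lost codes."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Verify a time-based code, accepting `skew` steps of clock drift either side."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * step, step, digits), submitted)
        for i in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    print("OTP list (first 3 entries):", otp_list(RFC_TEST_SECRET, 0, 3))
    print("TOTP at t=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```

Two verifier-side points follow from the code: a HOTP backend must persist the counter returned by `verify_hotp` before answering "accepted", or the same printed entry can be replayed; and a TOTP backend should additionally remember the last accepted time step per user, because `verify_totp` alone still accepts the same code twice within its skew window.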