@@ -7,64 +7,66 @@ A lightweight specification that should get more precise as areas of this projec
|
From https://www.mountaingoatsoftware.com/agile/user-stories:
|
|
From https://www.mountaingoatsoftware.com/agile/user-stories:
|
|
> User stories are short, simple descriptions of a feature told from the perspective of the person who desires the new capability, usually a user or customer of the system. They typically follow a simple template:
|
|
> User stories are short, simple descriptions of a feature told from the perspective of the person who desires the new capability, usually a user or customer of the system. They typically follow a simple template:
|
|
>
|
|
>
|
|
> //As a <type of user>, I want <some goal> so that <some reason>.//
|
|
> As a <type of user>, I want <some goal> so that <some reason>.
|
|
>
|
|
>
|
|
> User stories are often written on index cards or sticky notes, stored in a shoe box, and arranged on walls or tables to facilitate planning and discussion. As such, they strongly shift the focus from writing about features to discussing them. In fact, these discussions are more important than whatever text is written.
|
|
> User stories are often written on index cards or sticky notes, stored in a shoe box, and arranged on walls or tables to facilitate planning and discussion. As such, they strongly shift the focus from writing about features to discussing them. In fact, these discussions are more important than whatever text is written.
|
|
|
|
|
|
### End users ###
|
|
### End users ###
|
|
|
|
|
|
As a university staff with a smart phone,\\
|
|
As a university staff with a smart phone,
|
|
I want to use the Google Authenticator mobile application when authenticating on the IdP,\\
|
|
I want to use the Google Authenticator mobile application when authenticating on the IdP,
|
|
so that I can access SPs requiring 2FA.
|
|
so that I can access SPs requiring 2FA.
|
|
|
|
|
|
As a university staff with only a mobile phone (no smart phone),\\
|
|
As a university staff with only a mobile phone (no smart phone),
|
|
I want to receive an OTP via SMS when authenticating on the IdP,\\
|
|
I want to receive an OTP via SMS when authenticating on the IdP,
|
|
so that I can access SPs requiring 2FA.
|
|
so that I can access SPs requiring 2FA.
|
|
|
|
|
|
As a user authenticating on the IdP,\\
|
|
As a user authenticating on the IdP,
|
|
I want to be able to choose the second authentication factor,\\
|
|
I want to be able to choose the second authentication factor,
|
|
so that I can use the most convenient method for me.
|
|
so that I can use the most convenient method for me.
|
|
|
|
|
|
//Backup access//
|
|
#### Backup access ####
|
|
As a regular 2FA user temporarily unable to use my second factor,\\
|
|
|
|
I want to be granted a fallback access for a limited period of time,\\
|
|
As a regular 2FA user temporarily unable to use my second factor,
|
|
so that I can access SPs requiring 2FA.\\
|
|
I want to be granted a fallback access for a limited period of time,
|
|
|
|
so that I can access SPs requiring 2FA.
|
|
-> process independent of Shibboleth (helpdesk-provided OTP)
|
|
-> process independent of Shibboleth (helpdesk-provided OTP)
|
|
|
|
|
|
As a reluctant university staff,\\
|
|
As a reluctant university staff,
|
|
I want the University to give me the means to access protected resources,\\
|
|
I want the University to give me the means to access protected resources,
|
|
so that I can access SPs requiring 2FA without using my own personal device.\\
|
|
so that I can access SPs requiring 2FA without using my own personal device.
|
|
-> process independent of Shibboleth (physical token?)
|
|
-> process independent of Shibboleth (physical token?)
|
|
|
|
|
|
//Password recovery//
|
|
#### Password recovery ####
|
|
As a university student,\\
|
|
|
|
I want to be able to reset my password using a 2FA-protected online self-service,\\
|
|
As a university student,
|
|
so that my password cannot be changed by others.\\
|
|
I want to be able to reset my password using a 2FA-protected online self-service,
|
|
|
|
so that my password cannot be changed by others.
|
|
-> process independent of Shibboleth
|
|
-> process independent of Shibboleth
|
|
|
|
|
|
### Operators/services ###
|
|
### Operators/services ###
|
|
|
|
|
|
As a SP-protected web application operator,\\
|
|
As a SP-protected web application operator,
|
|
I want to force users to authenticate with two factors,\\
|
|
I want to force users to authenticate with two factors,
|
|
so that their account and the personal information it contains are better protected.
|
|
so that their account and the personal information it contains are better protected.
|
|
|
|
|
|
As a SP-protected web application operator,\\
|
|
As a SP-protected web application operator,
|
|
I want to be able to use 2FA only to validate sensitive user actions,\\
|
|
I want to be able to use 2FA only to validate sensitive user actions,
|
|
so that sensitive actions are strongly protected and users are not required to use 2FA all the time.\\
|
|
so that sensitive actions are strongly protected and users are not required to use 2FA all the time.
|
|
-> handled by the application which must request stronger authentication to Shibboleth when it needs it
|
|
-> handled by the application which must request stronger authentication to Shibboleth when it needs it
|
|
|
|
|
|
As an IdP operator,\\
|
|
As an IdP operator,
|
|
I want to provide a 2FA login flow,\\
|
|
I want to provide a 2FA login flow,
|
|
so that SPs can get stronger authentication.
|
|
so that SPs can get stronger authentication.
|
|
|
|
|
|
As a VPN gateway operator,\\
|
|
As a VPN gateway operator,
|
|
I want to authenticate 2FA users over RADIUS,\\
|
|
I want to authenticate 2FA users over RADIUS,
|
|
so that both users with or without 2FA are authenticated over the same protocol.\\
|
|
so that both users with or without 2FA are authenticated over the same protocol.
|
|
-> RADIUS authentication is independent of Shibboleth
|
|
-> RADIUS authentication is independent of Shibboleth
|
|
|
|
|
|
As a university account administrator,\\
|
|
As a university account administrator,
|
|
I want to verify user's identities before they can use 2FA,\\
|
|
I want to verify user's identities before they can use 2FA,
|
|
so that I can provide a stronger verification level to applications using 2FA.\\
|
|
so that I can provide a stronger verification level to applications using 2FA.
|
|
-> process independent of Shibboleth
|
|
-> process independent of Shibboleth
|
|
|
|
|
|
## Architecture ##
|
|
## Architecture ##
|
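Review bot: the placeholders `<type of user>`, `<some goal>` and `<some reason>` in the converted template line (`> As a <type of user>, I want <some goal> so that <some reason>.`) lose the `//...//` emphasis of the wiki source but gain no escaping, so most Markdown renderers will treat them as HTML tags and render the line as `As a , I want  so that .`; wrap the line in backticks or escape the brackets (`\<type of user\>`). The `-> process independent of Shibboleth` annotations after the backup-access, password-recovery, RADIUS and account-administrator stories are carried over unchanged and are not a Markdown construct; give them one consistent form (a bullet or an emphasised `Note:` line) so they render the same everywhere. The `(physical token?)` open question in the reluctant-staff story and the `(helpdesk-provided OTP)` fallback in the backup-access story are both out-of-band processes that sit next to the 2FA-protected self-service password reset; the document should state whether the helpdesk fallback can unlock that self-service reset, because that decision sets the effective assurance level of both stories.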