Changes between Version 11 and Version 12 of mfa


Timestamp: 04/17/15 09:44:13
Author: dabantz@…
Currently (during the initial roll-out of two-factor authentication at UA) you can request membership in this group, and with it use of !DuoSecurity two-factor authentication, by emailing IAM (iam@alaska.edu).

(3) More complex logic is possible: the MCB can decide per SP, and per user, which authentication contexts are allowed. See the section below on per-SP configuration of the MCB.

== Enrolling and configuring your phone or other second factor ==
If your login invokes two-factor authentication (via any of the methods above: because a service requires it, or because you are in the security group that uses two-factor) and you have not previously used Duo Security with UA, you will be presented with a page to enroll and to designate the phone number to be used as your second factor.

More detailed user documentation is at http://guide.duosecurity.com/manage-devices.

== Configuring the MCB to require 2FA based on the SP ==
Scott Koranda via shibboleth.net
2015-04-17
to Shibboleth

Hello,

The MCB can be configured to use an attribute to determine which
authentication contexts are allowed for a user, i.e.

<idms attributeResolverID="allowedAuthContexts" />

Further, the attribute can be of type "Script" and have a dependency on
other attributes such as the value of isMemberOf from an LDAP query on
the principal.

Still further, the script can ascertain the SP by making a call to

peerEntityId = String(requestContext.getPeerEntityId());

Is it not the case, then, that the logic in the scripted
"allowedAuthContexts" attribute can be such that it makes a
decision on which authentication contexts are allowed for a user by
combining the user's LDAP record and the entityID of the SP which the
user is attempting to access?

The mechanism described above would allow for a per-SP/per-user
"configuration", though admittedly it is not particularly elegant. It appears to work well in my sandbox.

I should add that I am primarily focused on SPs that do not send an
explicit request for authentication contexts.

Thanks,

Scott K
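The per-SP/per-user decision Scott describes, as an added example that is not part of his post, the UA wiki page, or the MCB project: a function that takes the principal's isMemberOf values and the requesting SP's entityID and returns the authentication contexts the MCB may offer. The two entityIDs, the group DN and the two-factor context URI are placeholders assumed for this example. The decision logic is written in ES5 so the same function body can be pasted into a Shibboleth IdP v2 "Script" attribute definition (Rhino); the Rhino glue that feeds it from `isMemberOf` and `requestContext` is shown in a trailing comment because it cannot run under Node.

```javascript
// Added example, not code from the UA wiki or the MCB project.
// Decision logic for the MCB's allowedAuthContexts attribute, combining the
// user's LDAP group membership with the SP the user is trying to reach.
// All identifiers below are placeholders assumed for this example.

// Authentication context URIs the MCB is assumed to be configured with.
var PASSWORD_CTX = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';
var TWO_FACTOR_CTX = 'http://example.org/ac/classes/duo-two-factor'; // placeholder URI

// SPs (by SAML entityID) that must always get two-factor, whoever the user is.
var TWO_FACTOR_SPS = [
  'https://hr.example.edu/shibboleth',
  'https://finance.example.edu/shibboleth'
];

// Group whose members must use two-factor for every SP: the isMemberOf value
// the LDAP query returns for the security group the page describes (placeholder DN).
var TWO_FACTOR_GROUP = 'cn=two-factor-users,ou=groups,dc=example,dc=edu';

// ES5 helper (no Array.prototype.includes, so it also works under Rhino).
function contains(list, value) {
  for (var i = 0; i < list.length; i++) {
    if (list[i] === value) { return true; }
  }
  return false;
}

// groups:       the principal's isMemberOf values, as JS strings.
// peerEntityId: the requesting SP's entityID, or null when the resolver runs
//               outside a SAML request (e.g. from the attribute-resolver CLI);
//               then no SP rule can apply and only group membership counts.
function allowedContextsFor(groups, peerEntityId) {
  var spRequires2fa = peerEntityId !== null && peerEntityId !== undefined &&
                      contains(TWO_FACTOR_SPS, String(peerEntityId));
  var userRequires2fa = contains(groups, TWO_FACTOR_GROUP);

  if (spRequires2fa || userRequires2fa) {
    // Offer only the two-factor context, so the MCB cannot fall back to
    // password alone for this user at this SP.
    return [TWO_FACTOR_CTX];
  }
  // Otherwise both are allowed; keeping the two-factor context in the list
  // lets an SP that explicitly requests it still get it.
  return [PASSWORD_CTX, TWO_FACTOR_CTX];
}

// Rhino glue for the IdP 2.x attribute resolver (assumed shape, shown as a
// comment because it does not run under Node). It sits inside
//   <resolver:AttributeDefinition xsi:type="ad:Script" id="allowedAuthContexts">
//     <resolver:Dependency ref="isMemberOf" />
//     <ad:Script><![CDATA[ ...function above, then: ... ]]></ad:Script>
//   </resolver:AttributeDefinition>
// and the MCB points at it with <idms attributeResolverID="allowedAuthContexts" />.
//
//   importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
//   var groups = [];
//   if (typeof isMemberOf != 'undefined' && isMemberOf != null) {
//     var it = isMemberOf.getValues().iterator();
//     while (it.hasNext()) { groups.push(String(it.next())); }
//   }
//   var peer = (typeof requestContext != 'undefined' && requestContext != null)
//              ? requestContext.getPeerEntityId() : null;
//   allowedAuthContexts = new BasicAttribute('allowedAuthContexts');
//   var ctxs = allowedContextsFor(groups, peer);
//   for (var j = 0; j < ctxs.length; j++) { allowedAuthContexts.getValues().add(ctxs[j]); }
```

The null check on the peer entityID matters in practice: the same resolver script runs when the IdP is queried outside a browser SSO request, and a script that calls `requestContext.getPeerEntityId()` unconditionally fails there, which can mask the attribute entirely rather than just skipping the SP rule.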