Is Shibboleth a match to replace our multi-factor authentication system?

Cantor, Scott cantor.2 at
Tue Sep 11 17:50:33 EDT 2012

On 9/11/12 4:33 PM, "Patrick Rynhart" <P.Rynhart at> wrote:
>We are finding it difficult to maintain this system, and - as such -
>would like to move towards a standard, enterprise class system as a
>replacement.  I was wondering whether Shibboleth would be a potential
>match as a technology?

Possibly, but the main thing is to do something like it anyway.

>For authentication, the multi-factor system would first need to query
>AD, then an SQL database, and possibly other data sources if both of
>these fail.  Relevant data would then need to be released to the
>site concerned.

I know how to do that with a custom login handler. I don't know if it can
be done well with anything that's included.

>1. Most Shibboleth installations online appear to be for integration with
>a Federation (InCommon, e.g.).  I believe that our arrangement is
>simpler - a bilateral arrangement between an IdP and SdP.

I think you'd have more than one SP, so all you're doing is managing the
sorts of things federations manage internally. That's not bilateral in any
real sense when you have lots of SPs.

>If this is correct, could someone please point me to a relevant HOWTO
>that would help me to deploy a (minimal) proof-of-concept setup.

I think some people use this:

There's also to work on each end separately.

The bottom line is that if you want to manage things yourself, you have to
learn SAML metadata. There is no way to operate it without that
information unless you use a federation and even then you're substantially
hobbled and will have problems making changes without that understanding.

>Initially I would skip Multi-Factor and would seek to set up the
>simplest possible arrangement for a Shib IdP to use AD as its Login
>Handler and for attributes to then be released to our SdP.

There's an installer for Windows for the IdP that is designed to shortcut
an AD-backed IdP installation on Windows.

>2. Following this (to get the multi-factor portion working), is the
>following the correct handler to use for multi-factor auth, or is there
>a better approach ?


Haven't used it, don't know.

-- Scott
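Scott's point that anyone operating their own IdP/SP pairing has to learn SAML metadata can be made concrete. The example below is added here and is not from the thread or from the Shibboleth project: it parses a constructed SP EntityDescriptor with Python's standard library and reports the facts an IdP operator checks before loading it (entityID, validUntil, a signing key, and the AssertionConsumerService endpoints). The entityID, hostnames and certificate value are placeholders.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; the entityID, hostnames and certificate value
# are placeholders for illustration, not a real deployment.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth"
    validUntil="2099-12-31T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text, now=None):
    """Extract what an IdP operator needs from an SP EntityDescriptor and list problems."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID missing")
    # validUntil is the expiry control: stale metadata must not keep being trusted.
    expired = False
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        expired = expires <= now
        if expired:
            problems.append("metadata expired on " + valid_until)
    # The SP's signing key is what lets the IdP verify signed AuthnRequests.
    keys = root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS)
    has_signing_key = any(k.get("use") in (None, "signing") for k in keys)
    if not has_signing_key:
        problems.append("no signing KeyDescriptor for the SP")
    # Assertions are posted to these endpoints; a plain-http one exposes the assertion in transit.
    acs = []
    for svc in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        loc = svc.get("Location", "")
        acs.append((svc.get("index"), svc.get("Binding"), loc))
        if not loc.startswith("https://"):
            problems.append("non-https AssertionConsumerService: " + loc)
    return {"entity_id": entity_id, "expired": expired, "has_signing_key": has_signing_key,
            "acs": acs, "problems": problems}
```

This checks shape and hygiene only; the metadata document itself is still authenticated by its XML signature or by exchanging it out of band with the SP operator.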
