Changing MCB assurance level per SP and by "risk" (source IP)
David Langenberg
davel at uchicago.edu
Fri Apr 4 17:06:42 EDT 2014
Hi Rich,
The SP needs to send the "assurance" requirement via the
AuthnContextClassRef field of the AuthRequest. You can't control on the
IdP side "SP X requests must do DUO".
See:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator#NativeSPSessionInitiator-SAML2SessionInitiator(ProtocolHandler)
As for your second question, once again, it's on the Service to say "hmm,
this user is from Nigeria, I should make them do 2-factor" and then send
the appropriate request to the Identity Provider. The MCB only affects
policy from the point of view of "can this individual meet this requested
Authentication Context by either using a comparable context (bronze is
requested, user has silver & MCB knows that silver > bronze) or user can
satisfy that authentication context".
Dave
On Fri, Apr 4, 2014 at 2:42 PM, Rich Graves <rgraves at carleton.edu> wrote:
> I have a test Shib 2.4 instance with multi-context-broker and its Duo
> plugin working. By setting a per-user LDAP attribute mapped to "assurance,"
> I can toggle the 2FA requirement off and on. Thanks!
>
> I have not yet figured out how to configure a specific SP to require
> higher assurance, though I see that it's very much intended to work. I'm
> sure I'll figure it out eventually, but more explicit pointers would be
> welcome.
>
> Next step, has anyone looked into changing the MCB assurance requirement
> if the source IP address or geocode is suspicious? For example, webmail
> logins from Nigeria, or some "grand unified logging program" that knows
> that this username logged on from three different continents today. Is HTTP
> REMOTE_ADDR address available to resolver:DataConnectors? I know that some
> big .edu's have done this sort of thing before, but I'm pretty sure that
> work predates MCB.
> --
> Rich Graves <rgraves at carleton.edu>
>
--
David Langenberg
Identity & Access Management
The University of Chicago
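As an added illustration of the two halves Dave describes (not code from the thread, from Shibboleth or from the MCB project): the SP puts its requirement in the AuthnContextClassRef of the AuthnRequest, and the IdP side only decides whether the user's current context already satisfies it, by identity or by a configured ordering such as silver > bronze. The context URIs, the ordering and the request body below are constructed for this example; MCB takes the real ordering from its own configuration.

```python
# Added example: read the AuthnContextClassRef an SP sends in a SAML2
# AuthnRequest, then apply an MCB-style "can the user already meet this?" check.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed context URIs and ordering (constructed; the Duo URI is a placeholder).
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
DUO = "urn:example:mcb:duo"
RANK = {BRONZE: 1, SILVER: 2, DUO: 3}

# Constructed request body, as an SP would send it when its SAML2
# SessionInitiator carries an authnContextClassRef setting.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed123"
    Version="2.0" IssueInstant="2014-04-04T18:42:00Z">
  <saml:Issuer>https://sp.example.edu/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_contexts(xml_text):
    """Return the AuthnContextClassRef URIs the SP asked for (empty if none)."""
    root = ET.fromstring(xml_text)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS)]


def satisfies(requested, user_context):
    """True if the user's current context is one of the requested contexts or
    outranks one of them (the 'silver > bronze' case). False means the IdP
    still has to run the requested method (e.g. Duo) before responding."""
    if not requested:
        return True  # no requirement sent: any successful login will do
    for ctx in requested:
        if ctx == user_context:
            return True
        if ctx in RANK and user_context in RANK and RANK[user_context] > RANK[ctx]:
            return True
    return False
```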