Changing MCB assurance level per SP and by "risk" (source IP)
Rich Graves
rgraves at carleton.edu
Fri Apr 4 17:52:19 EDT 2014
> The SP needs to send the "assurance" requirement via the AuthnContextClassRef field of the AuthRequest. You can't control on the IdP side "SP X requests must do DUO".
Yes, that flow is as expected. I just need to figure out how exactly to do that. I will do my homework. I suppose /etc/shibboleth/bindingTemplate.html would be too easy?
> As for your second question, once again, it's on the Service to say "hmm, this user is from Nigeria, I should make them do 2-factor"
Hmm. I agree that the SP, not something like the IdP's relying-party.xml, should decide if an SP wants step-up authentication. But I think I want one central decision point on "risky" IPs -- and certainly on dodgy globe-trotting behavior. Individual SPs, especially third-party SPs, do not know what my IdP knows about expected user behavior.
There is already the <idms attributeResolverID> mechanism for forcing a *user* to a higher assurance level regardless of SP. Or is that supposed to be an inclusive set, and I'm abusing it by making it exclusive? It looks like I could make "creative" use of <idms attributeResolverID> pointing to an instrumented database or LDAP server. Go ahead and talk me out of that.
--
Rich Graves <rgraves at carleton.edu>
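Added example, not code from this thread or from the MCB project: the two halves of the flow discussed above, in Python. The first part builds and parses the RequestedAuthnContext an SP places in its AuthnRequest (the only thing the SP has to say about assurance); the second is an IdP-side decision function that takes the SP's requested class as a floor and raises it for a per-user forced minimum (standing in for the instrumented LDAP/database behind <idms attributeResolverID>) or a risky source IP, but never lowers it. The context class URIs, the user table, and the risky network range are illustrative assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAML2P)
ET.register_namespace("saml", SAML2)

# Assumed ordered assurance levels, lowest to highest. Replace with the
# AuthnContextClassRefs defined in your own MCB configuration.
LEVELS = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "http://example.org/ac/classes/duo",  # assumption: a second-factor (Duo) context
]


def build_authn_request(issuer, classes, request_id="_abc123"):
    """Build a minimal AuthnRequest carrying a RequestedAuthnContext, as an SP would."""
    root = ET.Element(
        f"{{{SAML2P}}}AuthnRequest",
        {"ID": request_id, "Version": "2.0", "IssueInstant": "2014-04-04T21:52:19Z"},
    )
    ET.SubElement(root, f"{{{SAML2}}}Issuer").text = issuer
    rac = ET.SubElement(root, f"{{{SAML2P}}}RequestedAuthnContext", {"Comparison": "exact"})
    for c in classes:
        ET.SubElement(rac, f"{{{SAML2}}}AuthnContextClassRef").text = c
    return ET.tostring(root, encoding="unicode")


def requested_classes(authn_request_xml):
    """Return the AuthnContextClassRef values in an AuthnRequest (empty if none)."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAML2P}}}RequestedAuthnContext")
    if rac is None:
        return []
    return [e.text.strip() for e in rac.findall(f"{{{SAML2}}}AuthnContextClassRef") if e.text]


# Constructed stand-in for the per-user lookup an instrumented LDAP/database would
# provide: principals that are always forced to at least this level, regardless of SP.
USER_MIN_LEVEL = {"alice": LEVELS[1]}

# Constructed "risky" source ranges; TEST-NET-3 is used here purely as a placeholder.
RISKY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_risky(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in RISKY_NETWORKS)


def required_context(sp_requested, principal, client_ip):
    """Pick the context class the IdP must satisfy for this login.

    The SP's request sets the floor. The IdP may raise it (forced user minimum,
    risky IP) but never returns a lower level than the SP asked for, so the SP's
    own assurance requirement is always honoured.
    """
    floor = 0
    for c in sp_requested:
        if c in LEVELS:  # ignore classes this IdP does not know how to satisfy
            floor = max(floor, LEVELS.index(c))
    if principal in USER_MIN_LEVEL:
        floor = max(floor, LEVELS.index(USER_MIN_LEVEL[principal]))
    if is_risky(client_ip):
        floor = max(floor, len(LEVELS) - 1)  # risky source: top level, whatever the SP said
    return LEVELS[floor]


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.edu/shibboleth", [LEVELS[0]])
    asked = requested_classes(req)
    print("SP asked for:", asked)
    print("bob from a clean IP  ->", required_context(asked, "bob", "192.0.2.10"))
    print("alice from a clean IP ->", required_context(asked, "alice", "192.0.2.10"))
    print("bob from a risky IP  ->", required_context(asked, "bob", "203.0.113.7"))
```

The ordering assumption (LEVELS is a strict ladder) is what makes "raise but never lower" well defined; with contexts that are not totally ordered, the decision would have to be expressed as a set of acceptable classes rather than a single index.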