Multi-factor authentication with two IdPs

Kevin Foote kpfoote at uoregon.edu
Fri Aug 28 14:57:10 EDT 2015


> On Aug 28, 2015, at 11:22 AM, Dan Ciarniello <DCiarniello at central1.com> wrote:
> 
> 
>> -----Original Message-----
>> From: Cantor, Scott [mailto:cantor.2 at osu.edu]
>> Sent: Thursday, August 27, 2015 1:58 PM
>> To: Shib Users
>> Subject: Re: Multi-factor authentication with two IdPs
>> 
>> On 8/27/15, 4:29 PM, "users on behalf of Dan Ciarniello" <users-
>> bounces at shibboleth.net on behalf of DCiarniello at central1.com> wrote:
>> 
>>> The current setup is, I believe, fairly standard with a service provider behind
>> a reverse proxy (an F5) with an ADFS system providing SSO services.
>>> 
>>> 
>>> As I understand it, the basic workflow is:
>>> 
>>> 1. F5 redirects user to ADFS for login
>>> 2. ADFS returns SAML response to the F5 with various “claims” including a
>> user id
>>> 3. F5 then forwards the SAML response to the service provider
>> 
>> Unless the F5 is the SP itself, I'm not sure it's relevant to the conversation.
> 
> In this case the F5 does act as an SP but I don't have the ability to do any customization there that would help solve my problem.

I wouldn’t think you have any control of that either. Additionally, I don’t believe step 3 is correct. If the F5 is the SP, it is consuming the assertion itself.

I believe what is happening in the OP's flow description is very similar to the Juniper SSL VPN thread [1][2] of years ago, but with F5 hardware/software (APM, formerly FirePass).


[1] http://thread.gmane.org/gmane.comp.web.shibboleth.user/8996/focus=9773
[2] http://thread.gmane.org/gmane.comp.web.shibboleth.user/27936/focus=27954

--------
thanks
 kevin.foote

