2nd factor IdP AuthN conditional on user attribute

Curry, Warren whcurry at ufl.edu
Thu Feb 9 11:56:50 EST 2017


1) You can query DUO with an API call to if the user is enrolled. If they are, do 2 factor.

2) Or drive via some attribute in your attribute store for the We use a context attribute for people with certain types of access. If context attribute is a then account is two factor required.

3) Use in combination …

That is what we are doing currently for our small user base. Others are much further up this path than we and may have better insight.

whc

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Keith Hazelton
Sent: Thursday, February 09, 2017 11:44 AM
To: Shib Users <users at shibboleth.net>
Cc: Stefan Wold <stefan at yubico.com>; Chris Schulte <cfschulte at humonc.wisc.edu>; Sue Heim <sue at yubico.com>; rcurless at janesville.k12.wi.us
Subject: 2nd factor IdP AuthN conditional on user attribute

We’re running a pilot of U2F / Shib integration at the School District of Janesville, WI.

Some users will have Yubikeys for U2F and others won’t. What is the recommended path for making 2nd factor conditional on, say, membership in a pilot group or a Boolean flag indicating pilot user or not? Is there a straightforward way to set this up in Shib IdP 3.2.1 (upgrade to 3.3 is on the roadmap)?

          Thanks in advance,  --Keith
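
Added example, not part of the original thread and not Shibboleth or Duo code: the combined approach from option 3 written as a login-policy function, including what happens when the enrolment lookup fails. The `is_enrolled` callable stands in for the enrolment query, and the context values `pilot` and `privileged`, the sample users and the `fail_open` switch are assumptions.

```python
from enum import Enum
from typing import Callable, Iterable, Optional


class Decision(Enum):
    PASSWORD_ONLY = "password-only"
    REQUIRE_2FA = "require-2fa"
    REQUIRE_ENROLLMENT = "require-enrollment"
    DENY = "deny"


# Assumed context values that make the second factor mandatory (hypothetical).
MFA_CONTEXTS = frozenset({"pilot", "privileged"})


def decide(username: str, contexts: Iterable[str],
           is_enrolled: Callable[[str], Optional[bool]],
           fail_open: bool = False) -> Decision:
    """Combine the enrolment lookup (option 1) with the attribute check (option 2)."""
    required = any(c.strip().lower() in MFA_CONTEXTS for c in contexts)
    try:
        enrolled = is_enrolled(username)  # True, False, or None when unknown
    except Exception:  # lookup timed out or errored: treat as unknown
        enrolled = None
    if enrolled is True:
        return Decision.REQUIRE_2FA
    if enrolled is False:
        # A user the attribute store marks as required must enrol first.
        return Decision.REQUIRE_ENROLLMENT if required else Decision.PASSWORD_ONLY
    # Enrolment unknown: never downgrade a required user; others only if fail_open.
    if required or not fail_open:
        return Decision.DENY
    return Decision.PASSWORD_ONLY


# Constructed sample data standing in for the second-factor service.
SAMPLE_ENROLMENT = {"alice": True, "bob": False, "carol": False}


def sample_lookup(username: str) -> Optional[bool]:
    if username == "dave":
        raise TimeoutError("simulated lookup outage")
    return SAMPLE_ENROLMENT.get(username)


if __name__ == "__main__":
    for user, ctx in [("alice", []), ("bob", ["pilot"]), ("carol", []), ("dave", [])]:
        print(user, ctx, decide(user, ctx, sample_lookup).value)
```

With enrolment alone driving the decision, a failed lookup would silently skip the second factor for enrolled users, which is why the unknown case denies by default here.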