AWS 2fa with gemalto IDProve 100 tokens.

Peter Schober peter.schober at
Thu Jul 26 07:26:16 EDT 2018

* Oleksii Levchyk <lev4ykaol at> [2018-07-26 11:47]:
> As it happened historically, our company uses gemalto IDProve 100
> OTP tokens as 2FA for aws login. According to the description of
> these tokens they can be used only with AWS.
> Now we would like to integrate saml 2.0 SSO, and Shibboleth  is the best
> candidate for this, however there a is requirement from security team to
> keep using uses gemalto IDProve 100 :(

FWIW, the reviews on Amazon for these tokens are abysmal (soldered
battery w/ very short life, bad and not durable display, etc.) so
maybe just waiting a few months until most of those tokens are broken
will rid you of that requirement. ;)

> I guess main problem is that we cannot get secrets as they are known only
> by AWS and manufacturer.
> Is there any plugin/integration/workaround or even idea how we can use them
> without changing token provider to duo or yubikeys?

I'm not aware of existing OATH HOTP support in the Shib IDP and
especially not of any implementations of whatever APIs AWS may offer
for OATH token verification (since you're stuck with their validation
service, lacking the tokens secret keys).


More information about the users mailing list