Best way to protect ECP endpoints
cantor.2 at osu.edu
Tue Mar 27 16:43:23 EDT 2018
On 3/27/18, 4:38 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Looking at the docs on the wiki, it appears things haven't changed too much since V2:
I guess that depends what you think about the differences, but in practice auto-configuring and enabling it with no external login is a pretty major change.
> First, as we plan to move our IdP to AWS, we'll be getting Apache out of the picture, fronting Jetty with an Amazon
> elastic load balancer instead of an httpd. Seems like the perfect opportunity to move to container-level auth.
Strong no. The IdP does authentication, just let it.
> Second, we'd love if our ECP endpoint would have a chance to honor IdP cookies of existing valid sessions before passing
> requests on to perform HTTP basic auth.
It does, there just aren't any clients likely to support it.
> I know the first item is doable. One sentence on the above web page confuses me, though: "If you are only using
> password-based authentication, there is really nothing further for you to configure." Is this implying that I can just set
> up container-based HTTP basic auth in Jetty and add the endpoint to my web.xml?
No, it's saying you don't have to do that anymore.
> The last couple blocks in web.xml seem to imply this -- theones before support for legacy login.sjp. Or is there a way for
> the IdP to handle HTTP basic auth for the ECP endpoint without configuring anything container-level, using the same
> authn configuration that it uses to validate passwords submitted through the UI?
Yes, that's what it does.
> If the latter is true, it seems that honoring of cookies would also be doable.
> Question is what is the basic recommendation for setting up ECP these days if you're doing password authentication on
> your ECP endpoint?
The recommendation is to do nothing. The problem is MFA, which is why I asked Maryland to license their Duo AuthAPI integration.
More information about the users