Best way to protect ECP endpoints

McKean, Brandon Scott - mckeanbs mckeanbs at jmu.edu
Wed Mar 28 13:35:44 EDT 2018


Pardon my ignorance, but I'm curious where one can find information on Maryland's Duo AuthAPI? I've seen it mentioned on here a few times with respect to usage with ECP but I'm having trouble finding information about it.


Thanks!


--
Brandon McKean
IT / Systems
Linux Administrator


________________________________
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith <kwessel at illinois.edu>
Sent: Tuesday, March 27, 2018 5:14:35 PM
To: Shib Users
Subject: RE: Best way to protect ECP endpoints

Scott,

Alright, I feel quite stupid! I never tried just commenting out the Apache Location block for the ECP endpoint and hitting it to see what happens. Works like a charm: prompts for authentication, honors cookies, and even uses Maryland's Duo AuthAPI to do a second factor.

Not too often that I can fix something by unconfiguring things.

Thanks, and sorry for the silly question.

Keith

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, March 27, 2018 3:43 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Best way to protect ECP endpoints

On 3/27/18, 4:38 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> Looking at the docs on the wiki, it appears things haven't changed too much since V2:

I guess that depends what you think about the differences, but in practice auto-configuring and enabling it with no external login is a pretty major change.

> First, as we plan to move our IdP to AWS, we'll be getting Apache out
> of the picture, fronting Jetty with an Amazon elastic load balancer instead of an httpd. Seems like the perfect opportunity to move to container-level auth.

Strong no. The IdP does authentication, just let it.

> Second, we'd love if our ECP endpoint would have a chance to honor IdP
> cookies of existing valid sessions before passing requests on to perform HTTP basic auth.

It does, there just aren't any clients likely to support it.

> I know the first item is doable. One sentence on the above web page
> confuses me, though: "If you are only using password-based
> authentication, there is really nothing further for you to configure." Is this implying that I can just set up container-based HTTP basic auth in Jetty and add the endpoint to my web.xml?

No, it's saying you don't have to do that anymore.

> The last couple blocks in web.xml seem to imply this -- the ones before
> support for legacy login.sjp. Or is there a way for the IdP to handle
> HTTP basic auth for the ECP endpoint without configuring anything container-level, using the same authn configuration that it uses to validate passwords submitted through the UI?

Yes, that's what it does.

> If the latter is true, it seems that honoring of cookies would also be doable.

It does.

> Question is what is the basic recommendation for setting up ECP these
> days if you're doing password authentication on your ECP endpoint?

The recommendation is to do nothing. The problem is MFA, which is why I asked Maryland to license their Duo AuthAPI integration.

-- Scott


--
For Consortium Member technical support, see https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.shibboleth.net_confluence_x_coFAAg&d=DwICAg&c=eLbWYnpnzycBCgmb7vCI4uqNEB9RSjOdn_5nBEmmeq0&r=iZ_ekq9_90q96juMacb0Sg&m=F1MCm2_skYF4vBPa6_3S0xfsuiDyypN63sTsvTQxNMM&s=HrKZgbg1-gTwx8EVzsIDne3obdWLx3TdggwIpzT5gmU&e=
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
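As an added illustration (not configuration from this thread or from the Shibboleth project): the kind of Apache block Keith describes commenting out, beside what remains once the IdP handles ECP authentication itself. The ECP path /idp/profile/SAML2/SOAP/ECP, the AJP proxy target and the LDAP URL are assumptions made for this example.

```apache
# Added example; assumes the IdP is proxied over AJP to localhost:8009 and that
# the ECP endpoint lives at the default /idp/profile/SAML2/SOAP/ECP path.

# --- Before: container-level auth in front of the ECP endpoint (the block to remove) ---
# Apache validates the password itself (here against LDAP) and passes only
# REMOTE_USER to the IdP. The IdP's own password flow, its session cookies and
# any second factor layered on that flow (the Duo AuthAPI integration mentioned
# in the thread) are bypassed for every request that hits this path.
<Location /idp/profile/SAML2/SOAP/ECP>
    AuthType Basic
    AuthName "Shibboleth ECP"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"
    Require valid-user
</Location>

# --- After: no Location block at all ---
# The ECP path is proxied like every other IdP path. The IdP itself returns
# 401 with WWW-Authenticate, validates the password through the same
# authentication configuration used for the login form, honours an existing
# IdP session cookie, and can apply its MFA configuration to the request.
ProxyPass        /idp ajp://localhost:8009/idp
ProxyPassReverse /idp ajp://localhost:8009/idp
```

Only one of the two sections should be active in a real vhost; they are shown together here so the difference is visible in one place.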