MFA - TOTP plugin
Joseph Fischetti
Joseph.Fischetti at marist.edu
Mon Dec 9 13:14:27 EST 2019
> Please don't take any of my comments as criticisms, I was just trying to explain why you had to do that work to begin with. But in any case, I assume you don't object to us evaluating it for inclusion.
No worries, I sent the email for input. That was the whole idea.
I have no objections at all. Please feel free to reach out to me offline if there's anything I can do (or anything that should be done differently).
Joe Fischetti
Linux System Administrator
Marist College
E-mail: joseph.fischetti at marist.edu
Cell: 914-552-0129
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Monday, December 9, 2019 12:23 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: MFA - TOTP plugin
[EXTERNAL EMAIL]
On 12/9/19, 10:59 AM, "users on behalf of Joseph Fischetti" <users-bounces at shibboleth.net on behalf of Joseph.Fischetti at marist.edu> wrote:
> I completely understand the point that there isn't any token
> management worked into the solution. The main reason that I
> (personally) feel it's out of scope is because the IdP is an identity
> provider, not an identity manager. It's up to the deployer to handle
> password management outside of the IdP, so token/seed management should be the same way.
That's always been our purist view, but increasingly people don't buy those boundaries in a lot of cases, so I've had to start evaluating new feature additions in a more holistic way than in the past.
Believe me, we get plenty of people complaining we don't do password management, and some of the UI hooks were done with that at least in mind.
> For what it's worth... I already have a token enrollment tool built
> that would be straightforward enough to implement (with QR codes and
> verification etc), but it would just require the IdP's ability to
> write back to the directory (which I don't like the idea of).
I don't either. I think it's easy to make that leg pluggable but I also had hoped by now there might be some kind of standardized API for these functions, and that hasn't really happened.
Please don't take any of my comments as criticisms, I was just trying to explain why you had to do that work to begin with. But in any case, I assume you don't object to us evaluating it for inclusion.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net