Shibb IdP, Google Apps, Google MFA (Authenticator)

Greg Haverkamp gahaverkamp at
Fri Oct 11 18:47:55 EDT 2019

There isn't (currently) a good way to do it, at least so far as I'm aware.
I go hunting every now and then.  The project that you're referencing
allows you to use Google Authenticator (the app), not Google's MFA
_services_.  It does it by storing OATH token secrets on its own.
(Similarly, if you're just looking for an OTP solution, we run LinOTP
integrated with Shibboleth, and someone else has posted here that they use
PrivacyIDEA -- a fork of LinOTP -- with Shibboleth).

I did have my deputy CIO contact me not long ago after someone posted to an
EDUCAUSE list that they were doing it.  From what I could tell, they (Wake
Forest) are fronting the Shibboleth IdP with the Shibboleth SP, and they've
got that SP configured with Google's SAML IdP.  So, basically, they're
doing external authentication using Google.  (i.e., not just MFA; they've
delegated all authentication, including look-and-feel, to Google.)

That said, Google Cloud Platform's Identity Platform product (which is
_not_ Google Cloud Identity) promises two-factor "coming soon".  Identity
Platform makes available a RESTful API that can be called to perform
authentication, which should allow it to be offloaded.  It would require
replicating accounts to Identity Platform, and it's not yet clear what
"two-factor" will mean.  I've asked my Google liaisons, who have weekly
meetings with our Google reps, to ask.  I figure they might do some widget
sort of thing like Auth0 or Firebase (since that's where it appears to come
from) or something, but I don't know.


On Fri, Oct 11, 2019 at 3:36 PM IAM David Bantz <dabantz at> wrote:

> Has anyone has found a good way to use Google's MFA for Google Apps with
> institutional SSO (IdP)?
> My mail admins tell me that Google MFA cannot be used with SSO; if so that
> seems a choice rather than any fundamental issue.
> I see a 4-year old reference to Google authenticator authentication
> module for Shibboleth IdP v3
> but did not see
> updates or indication of adoption as a strategy.
> (Yes, we have Duo integration with our Shibb IdP, but we're not able to
> license Duo for all students.)
> David Bantz
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list