Shibb IdP, Google Apps, Google MFA (Authenticator)
ajs at stolaf.edu
Mon Oct 14 11:06:00 EDT 2019
One could front the IdP with a reverse proxy that uses mod-openidc pointing
to Google and use the RemoteUser flow.
On Fri, Oct 11, 2019 at 5:48 PM Greg Haverkamp <gahaverkamp at lbl.gov> wrote:
> There isn't (currently) a good way to do it, at least so far as I'm
> aware. I go hunting every now and then. The project that you're
> referencing allows you to use Google Authenticator (the app), not Google's
> MFA _services_. It does it by storing OATH token secrets on its own.
> (Similarly, if you're just looking for an OTP solution, we run LinOTP
> integrated with Shibboleth, and someone else has posted here that they use
> PrivacyIDEA -- a fork of LinOTP -- with Shibboleth).
> I did have my deputy CIO contact me not long ago after someone posted to
> an EDUCAUSE list that they were doing it. From what I could tell, they
> (Wake Forest) are fronting the Shibboleth IdP with the Shibboleth SP, and
> they've got that SP configured with Google's SAML IdP. So, basically,
> they're doing external authentication using Google. (i.e., not just MFA;
> they've delegated all authentication, including look-and-feel, to Google.)
> That said, Google Cloud Platform's Identity Platform product (which is
> _not_ Google Cloud Identity) promises two-factor "coming soon". Identity
> Platform makes available a RESTful API that can be called to perform
> authentication, which should allow it to be offloaded. It would require
> replicating accounts to Identity Platform, and it's not yet clear what
> "two-factor" will mean. I've asked my Google liaisons, who have weekly
> meetings with our Google reps, to ask. I figure they might do some widget
> sort of thing like Auth0 or Firebase (since that's where it appears to come
> from) or something, but I don't know.
> On Fri, Oct 11, 2019 at 3:36 PM IAM David Bantz <dabantz at alaska.edu> wrote:
>> Has anyone found a good way to use Google's MFA for Google Apps with
>> institutional SSO (IdP)?
>> My mail admins tell me that Google MFA cannot be used with SSO; if so
>> that seems a choice rather than any fundamental issue.
>> I see a 4-year old reference to Google authenticator authentication
>> module for Shibboleth IdP v3
>> https://github.com/korteke/Shibboleth-IdP3-TOTP-Auth but did not see
>> updates or indication of adoption as a strategy.
>> (Yes, we have Duo integration with our Shibb IdP, but we're not able to
>> license Duo for all students.)
>> David Bantz
>> UA OIT IAM
>> For Consortium Member technical support, see
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
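The reverse-proxy approach suggested at the top of this thread (Apache with mod_auth_openidc in front of the IdP, Google as the OpenID Connect provider, and the IdP's RemoteUser login flow consuming REMOTE_USER) looks roughly like the following. This is an added illustration, not configuration from any poster or from the Shibboleth project; the hostname `idp.example.edu`, the hosted domain `example.edu`, the client ID/secret placeholders and the AJP port are assumptions. The security-relevant part is that only the RemoteUser endpoint is protected, that Google logins are restricted to the institution's hosted domain via the `hd` claim (otherwise any Google account would be accepted and its e-mail address handed to the IdP as the authenticated principal), and that the proxy passes the identity over AJP rather than as a spoofable HTTP header.

```apacheconf
# Apache httpd in front of the Shibboleth IdP (assumed layout; mod_auth_openidc, mod_proxy_ajp loaded)

# Google's OIDC discovery document and the registered OAuth client (placeholders, not real credentials)
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID            REPLACE-WITH-GOOGLE-CLIENT-ID
OIDCClientSecret        REPLACE-WITH-GOOGLE-CLIENT-SECRET
# Redirect URI must be inside the protected location below and registered with Google
OIDCRedirectURI         https://idp.example.edu/idp/Authn/RemoteUser/redirect_uri
OIDCCryptoPassphrase    REPLACE-WITH-LONG-RANDOM-PASSPHRASE
OIDCScope               "openid email"
# Map the ID token's e-mail claim to REMOTE_USER, which the IdP's RemoteUser flow reads
OIDCRemoteUserClaim     email
# Ask Google to show only accounts from the institutional Google Apps domain (assumed domain)
OIDCAuthRequestParams   hd=example.edu

# Protect ONLY the RemoteUser login endpoint; the rest of the IdP (SAML endpoints, metadata) stays public
<Location /idp/Authn/RemoteUser>
    AuthType openid-connect
    <RequireAll>
        Require valid-user
        # The hd parameter above is only a hint; enforce the hosted domain on the returned claim
        Require claim hd:example.edu
    </RequireAll>
</Location>

# Hand requests to the IdP's servlet container over AJP so REMOTE_USER arrives as the container's
# remote user rather than as an HTTP header a client could forge (assumed port)
ProxyPass        /idp ajp://127.0.0.1:8009/idp
ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
```

On the IdP side this assumes the RemoteUser flow is enabled (`idp.authn.flows = RemoteUser` in `conf/idp.properties`) and that the Tomcat AJP connector has `tomcatAuthentication="false"` so the container trusts the proxy-supplied remote user. Because the IdP now trusts whatever REMOTE_USER the proxy sets, the AJP port should be reachable only from the proxy host, and the e-mail claim should map cleanly to the IdP's principal naming (for example, matching the mail attribute in the institutional directory) before relying on it for attribute resolution.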