Shibb IdP, Google Apps, Google MFA (Authenticator)

Tony Skalski ajs at stolaf.edu
Mon Oct 14 11:06:00 EDT 2019


One could front the IdP with a reverse proxy that uses mod-openidc pointing
to Google and use the RemoteUser flow.

On Fri, Oct 11, 2019 at 5:48 PM Greg Haverkamp <gahaverkamp at lbl.gov> wrote:

> There isn't (currently) a good way to do it, at least so far as I'm
> aware.  I go hunting every now and then.  The project that you're
> referencing allows you to use Google Authenticator (the app), not Google's
> MFA _services_.  It does it by storing OATH token secrets on its own.
> (Similarly, if you're just looking for an OTP solution, we run LinOTP
> integrated with Shibboleth, and someone else has posted here that they use
> PrivacyIDEA -- a fork of LinOTP -- with Shibboleth).
>
> I did have my deputy CIO contact me not long ago after someone posted to
> an EDUCAUSE list that they were doing it.  From what I could tell, they
> (Wake Forest) are fronting the Shibboleth IdP with the Shibboleth SP, and
> they've got that SP configured with Google's SAML IdP.  So, basically,
> they're doing external authentication using Google.  (i.e., not just MFA;
> they've delegated all authentication, including look-and-feel, to Google.)
>
> That said, Google Cloud Platform's Identity Platform product (which is
> _not_ Google Cloud Identity) promises two-factor "coming soon".  Identity
> Platform makes available a RESTful API that can be called to perform
> authentication, which should allow it to be offloaded.  It would require
> replicating accounts to Identity Platform, and it's not yet clear what
> "two-factor" will mean.  I've asked my Google liaisons, who have weekly
> meetings with our Google reps, to ask.  I figure they might do some widget
> sort of thing like Auth0 or Firebase (since that's where it appears to come
> from) or something, but I don't know.
>
> Greg
>
> On Fri, Oct 11, 2019 at 3:36 PM IAM David Bantz <dabantz at alaska.edu>
> wrote:
>
>> Has anyone found a good way to use Google's MFA for Google Apps with
>> institutional SSO (IdP)?
>>
>> My mail admins tell me that Google MFA cannot be used with SSO; if so
>> that seems a choice rather than any fundamental issue.
>>
>> I see a 4-year old reference to Google authenticator authentication
>> module for Shibboleth IdP v3
>> https://github.com/korteke/Shibboleth-IdP3-TOTP-Auth but did not see
>> updates or indication of adoption as a strategy.
>>
>> (Yes, we have Duo integration with our Shibb IdP, but we're not able to
>> license Duo for all students.)
>>
>> David Bantz
>> UA OIT IAM
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>



-- 
Tony Skalski
System Administrator | IT

Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
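As an added illustration of the reverse-proxy approach described above (example configuration, not from the poster or the Shibboleth project): Apache httpd with mod_auth_openidc authenticates the user against Google and hands REMOTE_USER to the IdP's RemoteUser flow. Hostnames, the Workspace domain, client credentials and the AJP backend are placeholders; it assumes the IdP runs in Tomcat with tomcatAuthentication="false" on the AJP connector.

```apache
# Example only (not from the thread): Apache httpd in front of a Shibboleth IdP v3,
# using mod_auth_openidc against Google so the IdP's RemoteUser flow sees REMOTE_USER.
# Placeholders: idp.example.edu, example.edu, CLIENT_ID/CLIENT_SECRET, the AJP backend.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName idp.example.edu
    # TLS directives omitted; the redirect URI below must be served over HTTPS.

    # Google's OIDC discovery document supplies the endpoints and token signing keys.
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID     CLIENT_ID.apps.googleusercontent.com
    OIDCClientSecret CLIENT_SECRET
    # Registered in the Google Cloud console; must lie inside the protected Location
    # and must not collide with a real IdP path.
    OIDCRedirectURI  https://idp.example.edu/idp/Authn/RemoteUser/oidc_redirect
    OIDCCryptoPassphrase CHANGE_ME_LONG_RANDOM_SECRET
    OIDCScope "openid email"
    # Ask Google to offer only the institution's Workspace accounts (hd is a hint only)
    OIDCAuthRequestParams hd=example.edu
    # and derive REMOTE_USER from the verified email claim, stripping the domain part.
    OIDCRemoteUserClaim email ^(.+)@example\.edu$ $1

    # Only the RemoteUser login endpoint is protected; the rest of the IdP passes through.
    <Location /idp/Authn/RemoteUser>
        AuthType openid-connect
        # Enforce the domain on the ID token itself: the hd request parameter is a
        # hint, the hd claim is Google's assertion. Without this check any Google
        # account (including consumer accounts) could authenticate to the IdP.
        Require claim hd:example.edu
    </Location>

    # Pass the request, with REMOTE_USER, to the servlet container over AJP. Tomcat
    # needs tomcatAuthentication="false" on its AJP connector to trust that identity;
    # keep 8009 reachable only from this proxy.
    ProxyPass        /idp ajp://127.0.0.1:8009/idp
    ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

On the IdP side the flow is enabled with `idp.authn.flows = RemoteUser` in conf/idp.properties; the IdP then takes the principal name from REMOTE_USER and applies its usual c14n and attribute resolution.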